Schneier on Security
A blog covering security and security technology.
« An RFID-Blocking Wallet |
| ID Cards and ID Fraud »
December 30, 2005
DOJ Privacy Breach
The U.S. Department of Justice is no better than anyone else at protecting individual privacy.
Posted on December 30, 2005 at 7:50 AM
• 10 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
The real problem is that somehow it has become accepted practice for the financial industry to abuse SSN as a pre-selected shared password. This is stupid beyond belief and shouldn't be tolerated. SSN shouldn't need to be a big honking secret--no more than the checking account number that is printed on the face of every check you write. It's an account number with SSA; that's all. It is by no means suitable key material--it is known by too many people and it is even highly predictable from other personal information (go read up on area and group numbers). It is also difficult (but not impossible) to change, which no key should be. But since it /is/ possible to change, it is also not a suitable unique identifier for any individual.
The obvious solution is for everyone to publish his or her SSN everywhere possible--put it in your .signature, post it on blogs, take out an ad in the newspaper, write it on a bumper sticker, etc. If everyone published SSN, mother's maiden name, and any other lame excuse for a password that lazy corporate idiots have decided to use to protect access to our livelihoods, the problem would go away because the banks and corporate office drones would have to get off their fat asses and actually come up with a secure system for us to establish real passwords (or other authenticators).
An alternative would be a law requiring SSA to publicly disclose all SSNs. I'm afraid it will be a long time, however, before enough people realize what a state of total moronitude we've become enmeshed in. Until then, we're all looking over our shoulders because we let the greedy corporate banking people (and to a lesser extent human resources bozos) implement vast systems without the fundamental security measure of password management.
I think we need to be a little realistic about what is going to be private. I never think fro one second that my online life is private. Too many countries, too many laws and far too many evil empires ;). But i would expect govt to have clear standards and be resonably secure. Its early in the IT game and a lot of people have a lot of catching up to do as far as the tech and the security go. Reminds me a bit of the early days of cheque books.
Seeing as how SSN's have been overly abused as 'identification' by just about every local, state, and federal agency, not to mention banks, insurance companies, credit card companies, retail stores, etc., etc., would it not make sense for the Feds to issue a new unique ID number to US citizens and rely on that for "security"?
A number that everyone knows needs to stay secure and private? More private than, lets say, your Mother's maiden name? Your SSN? Your D.L. #?
Or would it just be a matter of time before ID thieves get their hands on the new # (or the master list) and the point would be moot? Perhaps we all should be carrying RSA tokens...
The DoJ is a bureaucracy, largely self-serving as every bureaucracy is. I don't know why we should expect its staff to go out of their way to protect anyone's privacy but their own (and the people they depend on, such as lawyers). To DoJ bureaucrats, plaintiffs and defendants are like customers to a corporation - their privacy is less important than the organisation's convenience.
Yeah, that's the id *I* would want to steal -- one from someone who is under investigation/prosecution by the DoJ.
I wonder how many people have stolen Ken Lay's / Andrew Fastow's ID lately? ;-)
Using something as an identifier is not the worst problem. Using something as an identifier _and_ as a password is more of a problem. See http://www.cpsr.org/prevsite/cpsr/privacy/ssn/...
In some cases, i.e. educational institutions, it is possible to get an alternative ID number issued. This number is used as an ID number instead of using an SSN as such. The procedures for doing so may not always be well documented, though.
It is not clear as to how soon an SSN is required before someone starts earning income. However, the SSA encourages obtaining SSNs for newborns as being "near the top of the list" for parents. See http://www.ssa.gov/kids/parent2.htm and http://www.ssa.gov/kids/...
A SSN is required for a child if you wish to claim the dependent deduction on your income taxes. This was changed back in the late 80's (approximately; my memory is hazy) to cut down on tax fraud.
"Hey, Bruce, maybe you should offer Counterpane services to DHS."
We have bunch of government customers.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.