Outside Source
Hundreds of millions of SSNs have been leaked online already, but a privacy-focused identity solution could help fix the problem.
Opinion
Opinion by: Nanak Nihal, president of Holonym Foundation
Social Security started like any form of identity — not identity for its own sake but to solve a specific problem that needs an identity solution. Social Security numbers (SSNs) were created to distribute benefits. If those creating them knew they would be used for identity and security as they are today, they would have designed them very differently. While some may think Social Security numbers are good enough, we should actively strive for better.
SSNs are terrible identifiers. They suffer from two problems: the entropy problem and the symmetry problem. The entropy problem is that they are not random, so they’re pretty easy to guess, which is undesirable for something you are supposed to keep secret. The symmetry problem is one where you need to prove you’re legitimate. When you give someone your Social Security Number to prove your legitimacy, you’re no longer keeping it a secret, when it should be.
A study trained a simple machine learning model to guess someone’s Social Security number using simple facts about the person. For people born in certain states in specific years, 5% of SSNs could be guessed in 10 or fewer tries. A better identity system would not be guessable.
The symmetry problem is simple to comprehend: You are supposed to create unique passwords for different websites, as each can be hacked. When one is hacked, it should not impact your login credentials for the others.
Yet, you are expected to give the same SSN to every place that asks for it. If any one is compromised, your SSN will be compromised, too. They are worse than passwords, and high-profile server breaches have leaked hundreds of millions of SSNs. A better identity system would not have so many points of failure whose compromise is sufficient to leak your SSN.
A private, secure future
Technology exists to create a better identity system, and the only thing holding it back is the inertia of the existing SSN system and the people who rely on it. Just about any modern identity system using public key cryptography would be better and mitigate both of these issues.
Public key cryptography involves randomly generated secrets, so entropy is not an issue, and it does not reveal the secrets to anyone, so symmetry is not an issue. There is no single point of failure at every place you submit an ID because the submission does not share anything sensitive — it just proves you own the ID.
If you want to include more data in a credential than just a single secret number, like a government ID does — such as name, date of birth, address and photograph — then public key cryptography can only take us so far. Zero-knowledge cryptography should be used for more complex uses like these.
Recent: Why some see blockchain privacy as a right
This eliminates the symmetry issue when needing to prove facts about yourself, ensuring the proofs reveal nothing more than what they are trying to prove. For example, with zero knowledge cryptography, you can prove you’re above 18 or a United States resident without revealing your name or anything else about who you are.
This article first appeared at Cointelegraph.com News
