by Daniel J. Solove
Identity theft is terrible crime, and it can wreak havoc on victims’ lives. In an identity theft, the thief uses a victim’s personal information to improperly access accounts, obtain credit in the victim’s name, or impersonate the victim for other purposes.
But there is an effective way to stop a lot of identity theft, and the legal framework is already in place to do it. In a relatively short time, the Federal Trade Commission (FTC) could prevent a significant amount of identity theft – perhaps even a majority of it – and no new laws need to be passed.
I know that it might be hard to believe – as hard to believe as a suitcase filled with a million dollars just sitting abandoned on the sidewalk – but it is quite true.
Before I explain how, I need to provide some background.
Social Security Numbers and the Scourge of Identity Theft
One of the most major causes of identity theft is the misuse of Social Security Numbers (SSNs). SSNs were originally designed for the Social Security program to make sure that data about people with the same name wouldn’t get mixed up.
But over time, many other government agencies as well as businesses, schools, and other organizations found the SSN to be valuable. The problem, however, is that the SSN began to be misused as a means to verify identity.
The Misuse of the SSN Is Partly the Government’s Fault
The federal government created the SSN and then sat idly by as it was misused. In 1974, when Congress passed the Privacy Act, there was a provision in the bill that would have restricted organizations from misusing SSNs. But that got knocked out of the bill before it was passed.
As a result, the misused of the SSN continued. So thanks, Uncle Sam, for forcing us to have a SSN and not protecting us from its misuse!
The SSN Is a Terrible Password and an Identity Thief’s Best Tool
SSNs are used by organizations akin to passwords to obtain access to accounts or to sign up for a credit card. How do I know whether you’re really who you say you are? Passwords work because only you are supposed to know your password. But you’re not the only one who knows your SSN.
As Jason Cronk has put it, “Just because someone knows an SSN does not mean that they should be authorized as the owner of that SSN.” Anyone can readily find out anyone else’s SSN. SSNs can be bought and sold online. Any database company can sell a SSN. SSNs can be found in public records too. And with all the data leaks, SSNs are widely out there. They are easy for identity thieves to obtain.
It would take great imagination to design a poorer security mechanism than the use of SSNs. This is akin to using a password that anyone can readily obtain in an instant.
As I argued back in 2004 in my book, The Digital Person, “the SSN functions as a magic key that can unlock vast stores of records as well as financial accounts, making it the identity thief’s best tool. . . . [T]he government has created an identification number without affording adequate precautions against its misuse.”
Why We Need to Guard Our SSNs and Why Data Breaches Cause So Much Harm
We need to guard our SSNs because they are misused as passwords. Imagine if SSNs weren’t used in this way. What would leaking a SSN really reveal about us? The SSN isn’t inherently sensitive data, because it says nothing about us. It is just a number. The SSN is sensitive only because it is misused as a password to provide access to accounts or authenticate identity.
We hear constantly of data breaches involving SSNs, increasing people’s vulnerability to identity theft by increasing the ease at which identity thieves can obtain SSNs. But without their misuse as passwords, what harm would the disclosure of SSNs cause? Not much. The SSN would be neutralized.
Thus, the harm from many data breaches could be reduced significantly if SSNs weren’t misused. If businesses and other private sector organization were restricted from using SSNs as passwords, improper access to people’s SSNs would not put people in such peril of identity theft and fraud.
How the FTC Can Stop the Misuse of SSNs
The FTC can readily stop the misuse of SSNs. And no new laws need to be passed!
How? Can it really be this easy?
Yes, it can. It’s amazingly simple, and it can be summed up with these two points:
1. The FTC already has the authority under several laws to require that organizations have reasonable data security protections.
2. The misuse of a SSN as a password or a way to authenticate identity is clearly unreasonable.
The Use of SSNs as Passwords or to Authenticate Identity Is Unreasonable
No rational being could contend that using SSNs as passwords or to authenticate identity is a reasonable security practice.
The SSN is a bad password because it can be readily guessed. Identity thieves know it is used this way and can find a person’s SSN.
If compromised, SSNs are also very hard for people to change.
So people have a fixed password for life that is hard to change if compromised and that is readily known to be their password. Moreover, SSNs are widely available, so they aren’t that secret.
This is bad on so many levels.
It is patently unreasonable to assume that knowledge of a SSN is a valid means of verifying identity.
The FTC Has the Authority to Enforce Against Unreasonable Data Security Practices
The FTC can enforce against unreasonable data security practices under the Gramm-Leach-Bliley Act (GLBA) of 1999. That Act regulates financial institutions. The FTC should conclude that the use of SSNs as passwords or to authenticate identity is a violation of the GLBA.
The FTC has even broader authority under Section 5 of the FTC Act. For the past 15 years, the FTC has been one of the leading regulators of data security. The FTC has claimed that inadequate data security violates the FTC Act which prohibits “unfair or deceptive acts or practices in or affecting commerce.” The basic standard that the FTC uses here is whether data security practices are reasonable. In my article with Professor Woodrow Hartzog, The FTC and the New Common Law of Privacy, 114 Colum. L. Rev. 583 (2014), we reviewed all of the FTC’s cases on data security and compiled a list of the specific data security practices that the FTC found fault with (see pp. 651-655). Many of these bad practices are far less egregious than the misuse of SSNs as authenticators of identity.
If the FTC were to take the step I recommend, one of the best tools for identity thieves would be neutralized. Without this easy tool, and many of the less sophisticated thieves will be out of luck. Of course, the more sophisticated thieves will try something else. But most identity thieves aren’t very sophisticated. They do the crime because it is very easy.
The result, I predict, would be a significant reduction in identity theft.
So, yes, there sometimes can be a suitcase with a million dollars just lying abandoned in the street. Actually, the savings in money to people and to the economy would not just be a million dollars, but tens of millions of dollars. Countless people won’t be victimized and put through a harrowing, time-consuming, and costly ordeal.
The suitcase is still sitting there. It’s time for the FTC to pick it up.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is an “LinkedIn Influencer.” His blog has more than 600,000 followers.
If you are interested in privacy and data security issues, there are many great ways Professor Solove can help you stay informed:
* Professor Solove’s LinkedIn Influencer blog
* Professor Solove’s Twitter Feed
* Professor Solove’s Newsletter