I spend some amount of my time working on the problem of identity systems for the Internet. It is a complex problem with Citizens, and Firms, and Governments, and Non-profits, and Criminals, and Platform vendors, and Incompetent people all messing about.
All those parties are attempting to find solutions in the face of very powerful forces. Forces making storage, computing, and communication rush toward vanishingly cheap. Forces that are dragging more and more info about your personal, employment, financial, travel, etc. etc. life out onto the web – in a rush to make things more efficient for you and the organizations you interact with.
Bad guys can do bad things with that data, and it’s getting easier and easier for them to search it out. Most systems protect the data by demanding that you provide a little info about yourself to prove to them you’re who you claim to be (or at least somebody who knows you well). For example, they might ask for your birthday or your social security number, maybe your place of birth. It’s just random personal stuff, and as privacy breaks down that stuff becomes easier for a bad guy to figure out.
For example the University of Texas had a web site which let you get access to your info by providing a little info – in this case your social security number. Well that was a mistake. A bad guy proceeded to try one number at a time. Searching the entire space of social security numbers? With 9 digits in the social security number that’s a billion tests – a pretty big number even today for trying one at a time over the web.
Lucky bad guy! Turns out the social security numbers handed out in one geographic region come from the same block of numbers. So he focused his attention on the Texas blocks.
A sad irony that “social security” is creating one of the more common ways to create insecurity for people’s identity.
This is a hard problem. It’s going to be very hard to fix!