Archive for February, 2008

SSN as an ID? How Quaint.

Although it should be common knowledge that using the SSN for identification is a bad idea, companies are not prohibited from asking for your SSN [1] and using it as part of an identifier. And some still do.

For example, I recently set up cable service for a bundled TV and Internet package. The phone sales rep insisted that all customers had to provide a valid SSN; I spent a good ten minutes trying to elucidate why. The final reason seemed to be that the cable company (call them Comwarner) still uses the SSN as the primary customer identifier and has no plans to change this. The reason I was given for the actual use was to combine it with the customer name and check for deadbeat ex-customers trying to sign up again. I also assume that Comwarner’s actual database schema probably includes some auto-generated customer identification string, and either the sales rep never sees it (instead, he claimed the system only displays the last 4 digits) or didn’t care to tell me that such a number existed when I asked.

It seems as if signing up a new customer would be the perfect time to switch over to a new ID system in which unique customer identifiers are generated. Unfortunately, nobody has a really good system for helping customers manage all these new unique identification numbers.

I could have easily supplied a fake SSN at that point, but I did not, because I had a sneaking suspicion of what would happen next…

Part of the TV service was the option to have DVR instead of a regular cable box. In order not to pay a hefty deposit, however, they run an “instant credit check” on you. Had I supplied a fake SSN or one that didn’t gel with my name, I would be out a chunk of change, or not be able to automatically record the entire season of…whatever I don’t actually watch anyway.

Private companies are not the Social Security Administration. Doctors, dentists, and utilities do not need a string issued for a specific government retirement program in order to provide service. They might think they do, and the folks on the front lines charged with the responsibility of asking you for this information are not the ones that created the policy.


The NSA’s Tall Order

The Protect America Act (PAA) was passed in August of 2007. In effect, this ill-considered law re-purposes an existing NSA data collection and surveillance framework to observe domestic conversations. In a succinct article (“Risking Communications Security: Potential Hazards of the Protect America Act”) in the next issue of IEEE Security & Privacy magazine, Steve Bellovin, Matt Blaze, Whitfield Diffie, Susan Landau, Peter G. Neumann, and Jennifer Rexford write about the security aspects (as opposed to the civil liberties concerns) involved in permitting the NSA to spy on US persons. A preprint is available on Steve’s website and from Matt Blaze’s blog entry. The authors are pretty adamant about making sure such a powerful capability is just as powerfully justified and protected: “If security cannot be assured, then any surveillance performed using that system will be inherently fraught with risks that are fundamentally unacceptable.” Note that “fundamentally unacceptable” is pretty direct language (for example, they did not say the system was “unreasonable”, “ill-advised”, or merely “risky”); this type of phrase is as close to harsh criticism as an academic might come in a professional publication.

The ball on this topic got rolling when Susan wrote an op-ed piece for the Washington Post in August 2008 on why it was a bad idea to re-purpose a system built to spy on external entities to begin spying on domestic entities.

The bottom line: the unintended consequence is that such a system is now a really juicy target for foreign entities to spy on domestic entities. It is also ripe for abuse by insiders. The underlying problem is that domestic data will be captured; it is simply too hard to filter out domestic data given the limits of current networking technology. The IEEE S&P article also has a pointer to a very well-written article about the Greek cell phone system compromise; these threats are not theoretical. Asking the NSA to do something that it has no experience (presumably) doing is a bad technical policy, especially since the technology cannot simultaneously meet the demands of the new law and the expectation of privacy derived from, among other things, the 4th Amendment. I suspect that many in the NSA rank & file might agree; this seems to be a situation where everything looks like a nail when all you have is a hammer.
