Since yesterday, when Alessandro Acquisti and Ralph Gross of Carnegie Mellon University released a study demonstrating that it is relatively easy to predict an individual’s Social Security Number (SSN) using data from readily available public records, the security world has been buzzing. As someone who was given a draft copy of the paper to read last year by the researchers, yesterday’s release of the paper was an eagerly awaited announcement.
Neither the researchers nor those of us who had read the paper or participated in discussions of its implications last year really expected the government and those who insist on demanding our SSN to suddenly say, “Oh well, now that we see this study, we’ll stop using SSN immediately.” But I didn’t expect a government spokesperson to immediately try to downplay the significance of the study.
Mark Lassiter, a spokesperson for the Social Security Administration, is quoted in a New York Times article as saying:
“The public should not be alarmed by this report because there is no foolproof method for predicting a person’s Social Security number. The method by which Social Security assigns numbers has been a matter of public record for years. The suggestion that Mr. Acquisti has cracked a code for predicting an S.S.N. is a dramatic exaggeration.”
This site didn’t suggest that the researchers cracked a code, although certainly one of the more popular headlines repeated elsewhere did use that phrase. But even if Acquisti and Gross didn’t crack a code, what the government needs to acknowledge is that the study has shone a very bright light on the elephant in the room and the government and everyone else needs to stop ignoring that elephant and needs to stop approaching it without any sense of urgency.
Everyone has known for a long time that the use of SSN as an authenticator is broken. But it’s clear that it’s even more broken than anyone acknowledged. Will the government at least acknowledge that and take immediate steps? One can only hope.
Acquisti will be in Washington D.C. this week to discuss the report and its implications with representatives of some agencies. I hope that they do not minimize the importance of the study and recognize it as the call to action that it clearly is. As Acquisti wrote to me, “Let’s hope that these results can help finally change this system and move to something truly secure and private.”
Photo: Alessandro Acquisti, from CMU