This is Naked Capitalism fundraising week. 597 donors have already invested in our efforts to combat corruption and predatory conduct, particularly in the financial realm. Please join us and participate via our donation page, which shows how to give via check, credit card, debit card, or PayPal. Read about why we’re doing this fundraiser, what we’ve accomplished in the last year and our current goal, supporting the comments section.
By Jerri-Lynn Scofield, who has worked as a securities lawyer and a derivatives trader. She now spends much of her time in Asia and is currently working on a book about textile artisans.
Former Equifax CEO Richard Smith is halfway through four days of testimony before various Congressional committees– and he is “deeply sorry” about the data breach that compromised the identities of more than 140 million Americans, as CNN reports.
The magnitude of the leak, the company’s cack-handed response, and the massive publicity that’s ensued has convinced the serious people that SOMETHING must be done.
Now, we might think that this might lead our Congresscritters to a sober and sane assessment of cybersecurity defects, or the consequences of centralizing information collection without due care and oversight (whether it’s collected by a company, or a government agency).
Alternatively, dare we hope that the hack might spur a full rethink of the current regulatory realm– in which our personal financial data are available, 24/7, more or less for the asking, so that financial firms can grift us, safeguarded by firms such as Equifax who cannot be bothered to install a basic software patch to protect said data from being compromised.
(And, I might mention in passing, such personal financial data are often linked to other confidential personal data: e.g. medical records, purchasing history.)
Some members of Congress, such as Janet Schakowsky have proposed a radical break from the current system: shifting credit reporting from a universal system over which a consumer has no control, to one where you could opt out or even, have to opt in for companies to use your data.
Depending on how extensive the responses are, such a change would essentially trash the business models of the three major credit reporting agencies, by preventing them from selling your data without your consent. As Bloomberg reports in These Five Data-Security Ideas Emerged in the Equifax Hearing:
Schakowsky also said she’d like lawmakers to start a broader discussion about the role of credit-reporting firms. Consumers don’t have the ability to remove their information from Equifax’s databases because it’s furnished by banks and telecommunications companies. “Most Americans really don’t know how much information” the companies have, Schakowsky said. “I don’t want you to have my information anymore. I want to be in control of my information.”
Seems sensible, yes?
Which is why the Serious People have to mount a full court press to make sure that something so sensible doesn’t get implemented.
Let No Crisis Go to Waste: Opportunity for Grifting
Rahm Emanuel once famously said, “You never want a serious crisis to go to waste. And what I mean by that is an opportunity to do things you think you could not do before.”
Their response to the Equifax hack: replacing Social Security numbers with a system that might include a universal biometric identity system, plus further numeric verification, as Bloomberg reports in The White House and Equifax Agree: Social Security Numbers Should Go.
Big mistake. Although I admit, it would create ample opportunities for grifting.
First, Do No Harm: Biosecurity Fairy Delusion
One of the reasons put forward for replacing Social Security numbers is that these cannot be changed. So, once a database is hacked– and a number is compromised– you’re still stuck with that number, and must cope with the consequences. As per Bloomberg, in The White House and Equifax Agree: Social Security Numbers Should Go:
The failure of the Social Security number is that there’s only one for each person, “once it’s compromised one time, you’re done,” Bob Stasio, a fellow at the Truman National Security Project and former chief of operations at the National Security Agency’s Cyber Operations Center.
Well, why’s that? These numbers are a man-made construct. They’re neither god given, tattooed into our foreheads, or embedded within us at birth– or at least not yet.
If problem is that once compromised the numbers cannot be changed, let’s change that. Rather than create an entirely new system, assuming that the form of the identifier solves the problem.
Stick with me as I lay out the alternative and point out the obvious– your biometric data: your DNA, your eyeball, your fingerprints. Now, that really cannot be changed. If those data are the means by which you’re known to a database and those are hacked or compromised, what would be your recourse? You can’t replace your eyes, or your fingers, or acquire completely different DNA.
Using a biometric system when the basic problem of securing and safeguarding data have yet to be solved will only worsen, not address, the hacking problem.
What we’re being asked to do is to turn over our biometric information, and then trust those to whom we do so to safeguard that data.
Given the current status of database security, corporate and governmental accountability, etc.: How do you think that is going to play out?
Especially as, Bloomberg quotes one of the principal advocates for change, Rob Joyce, special assistant to the president and White House cybersecurity coordinator, on what really concerns him:
“It’s really clear, there needs to be a change, but we’ll have to look at the details of what’s being proposed,” Joyce said. In the response to the Equifax hack, though, he said, “we need to be careful of Balkanizing the regulations. It’s really hard on companies today” facing local, state and federal regulators as well as international rules, he added.
Imagine that! In the face of this widespread data breach, what exercises Joyce is the regulatory burden companies must confront in securing your data. Is this for real?
Mangling Identification and Authentication
One basic problem is a confusion between the use of the identifier– whether it be a number, or biometric– for identification and authentication. Merely switching to a biometric system doesn’t address this, because if the database gets hacked, now the hackers have your biometric information too! Whereas currently, they only had access to numeric data.
Permit me to quote at length from an email from our own Naked Capitalism Richard Smith on this issue, as he understands these issues far better than I do. I do want to point out the spectacular opportunity for confusion in that our Richard shares a name with the former Equifax CEO.
So I want to underline that all quotations that follow are from the Naked Capitalism Richard Smith:
If one swaps an old number for a new:
the old compromised identifier is just as good for identifying a person as the new post hack one. The new number is redundant. Neither the old number nor the new number can authenticate and that is the nub of the issue.
In principle there are lots of ways to identify yourself to a computer system. but they all have to satisfy a uniqueness requirement. I assume the Social Security number does this in the US. Elsewhere one can do it by providing name address and date of birth. Admittedly this relies on there not being twins, triplets quads etc all with the same name and cohabiting, but AFAIK, so far so good.
So one way or another one has one’s unique identifier. All good. Uses can say who they are, and not get mixed up with someone else by the blind machine. But they still can’t prove that they are who they say they are. What a Social Security number or name/address/date of birth combo does not and cannot do, is prove that the person presenting the identification details is who he claims to be. Anyone can make up a name and address and even without data leaks or hacks, a genuine Social Security number can be fabricated. So it doesn’t matter if the Social Security number you produce is the original one or its post-hack replacement. Neither is trustworthy.
It’s particularly easy to fabricate ID if there’s no flesh and blood human in the loop. Since eliminating flesh and blood humans from the process is the whole name of the computing game, authentication is a big unsolved problem. Without authentication, there can be no trust. Without trust, the whole human social enterprise takes a fatal hit (see unauthenticated Twitterbots for a recently pervasive and obvious example). This is why people are saying ‘we need a whole new system’. They’re right, but until we build hackproof systems, it ain’t gonna happen. There now follows a shorter version of the previous sentence. It ain’t gonna happen.
Jerri-Lynn here: The basic problem with what the grifters propose to do is take your biometric information and use that to replace the Social Security number. But, does that really solve the authentication problem? And, if it does not, we end up in a worse situation than if we were to make the Social Security number system more robust and changeable (although admittedly, it would still not be perfec)t. Because biometrics, once hacked, cannot be changed.
Permit me to turn to Naked Capitalism’s Richard Smith again:
Biometrics illustrates the difficulty a different way. A biometric (fingerprint, retina scan or DNA sample) is also a unique identifier, but, (ignoring data breaches for a moment) it does two things at once:
It uniquely identifies you
It proves that you are who you say you are. An SSN or name/address/DoB cannot do this, not even in principle.
I should point out that even without data breaches, there are other ways to compromise biometric information– difficult, but doable, if the stakes are high enough. Steal a finger (or a fingerprint, for that matter), steal an eyeball, or supply someone else’s DNA swab to the unattended DNA scanner. The stuff of many gruesome scenes in recent action movies.
To be sure, not likely to be employed frequently, but the sort of thing that might come into play if the stakes are high enough.
But, here’s the key point, and I turn to Naked Capitalism’s Richard Smith again:
Unfortunately, as soon as you stop ‘ignoring data breaches for a moment’, and get real, this whole biometric idea dies miserably too. So it’s all a big waste of time until Internet-connected systems can be made verifiably hackerproof. And that is a ridiculously remote prospect.
Meaning that biometrics boils down to just a BS “solution”, which doesn’t solve the basic problem. In fact, one of the options discussed in the Bloomberg article would be to use biometrics and then provide you a super duper card with a fancy-sounding PIN:
Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology in Washington, said one possibility could be giving individuals a private key, essentially a long cryptographic number that’s embedded in a “physical token” that then requires users to verify that the number belongs to them. It could work like the chip in a credit card that requires the owner to enter a pin allowing use. He pointed to Estonia where they have deployed such cards that people use to validate their identity.
“Your pin unlocks your ability to use that big number,” he said. The challenge is how to create the identifiers and how to distribute the keys. “It’s very promising” and “it’s possible to technically design something like this” but it could be expensive to design and disseminate such material to each American, he said. “This is a pretty big endeavor.”
So someone holds you up, gets your new, improved, super duper identity card, and makes you give them your PIN. Or hacks the database with the biometric ID and gets the info loaded onto your super duper card. Now they have your biometric info from a system that provides no greater security than if a more sophisticated Social Security number system were created, reinforced by the same cryptographic PIN.
But the logical problems here aren’t the point.
Replacing Social Security numbers with a new biometric system would provide spectacular opportunities for grift.
And, as regular readers know, that’s almost certainly not a bug, but a feature.
Centralization Draws Hackers
It should be apparent that part of the problem is that the centralization of so much valuable information is what draws hackers. And the more we centralize, the more precious the prize will be. I’m not by any means conversant on the ins and outs of cybersecurity.
But as a starting point, maybe should rethink the whole impulse to centralize such data collection, for starters.
And, after such a thought experiment, then further focus on obvious measures to safeguard such information– such as installing regular software patches that have prevented the Equifax hack– should be the priority.
And, how about bringing back a concept in rather short supply in C-suites– that of accountability? Perhaps measures to increase that might be a better idea than gee whiz misdirected techno-wizardry.
Do we really want to move to a world where all personal data are collected, and can be surveilled? I know, we’re far further along that path than most of us as willing to admit. But at the moment, in the United States, biometric data haven’t been fully integrated into the mess. Shouldn’t we figure out better ways to secure databases before we consider shovelling even more information into them?
Aadhar is No Model
Let me close by discussing obvious and well-reported problems with a system that relies heavily on biometric identification– so we can see some of the practical problems that have emerged with this seeming panacea.
India has rolled out the Aadhar identity system, a unique 12 digit identification number, which also incorporates biometric data. One of the experts quoted by Bloomberg, Bruce Schneier, a fellow at Harvard’s Kennedy School of Government, mentioned this as a possible model:
He pointed to India’s wide-scale rollout of the Aadhaar card, a unique number provided to citizens after collecting their biometric information — fingerprints and an iris scan — along with demographic details, to almost 1.2 billion people. In the U.S., a more secure system could be designed, “but magic math costs money,” he said.
Not a great idea.
I’ll only discuss three points here. First, the move to make the Aadhar number a universal identifier means that when it is compromised (as has already occurred and I discuss further below), that kicks off considerable potential knock-on effects for the person whose identity has been hacked.
Just one example: SIM cards are more tightly controlled in India than many other places– in part due to concerns about terrorism– and the process for applying for a SIM is highly bureaucratic. A recent Indian court decision mandated mobile users link their mobile accounts to their Aadhar number. The more functions are loaded onto the Aadhar, the more things might need to change in the light of a potential data hack. So, say your Aadhar number is hacked– that means you may need to change your mobile too. Big bummer.
It also means that people who are not Indian citizens but spend considerable time in the country– resident foreigners, various categories of Indians who visit India but reside outside of the country– find it considerably more difficult to get access to services that require Aadhar identification.
Second, Aadhar information has already been hacked. Just a couple of examples to illustrate this is not just some imaginary scenario. As reported by the Economic Times in Reliance Jio data leak: Tech gets smarter but your safety gets dumber in July, “a website called ‘magicapk’ leaked details such as email addresses, names and Aadhar ID details (in some cases) of Reliance Jio smartphone users”.
And, another: a graduate of one prestigious Indian Institute of Technology (IIT) committed more serious and sustained hack, stealing Aadhar data to verify the identities of people who used his app. As reported in The Indian Express, in IIT Kharagpur graduate hacked Aadhaar data through Digital India app: Police, in August:
an IIT Kharagpur graduate who has been accused of hacking into the central identities data repository of the Unique Identification Development Authority of India’s (UIDAI) Aadhaar project gained access to the repository through the Digital India e-hospital initiative of the Ministry of Electronics and Information Technology, police investigation has revealed. Bengaluru Police on Thursday formally announced the arrest of Abhinav Srivastava — a 31-year-old hailing from Uttar Pradesh — in connection with a complaint of unauthorised access of the central identities data repository filed by the UIDAI on July 26.
The complaint to the police stated said that Srivastava had accessed UIDAI data without authorisation between January 1 and July 26 for an app called ‘eKYC Verification’. The app delivered demographic data like name, address, phone number of individuals from the central identities data depository of Aadhaar to authenticate unique identity numbers. It was placed on Google Play Store with the claim that it was developed by an entity called myGov linked to the start-up Qarth Technologies, which had been acquired by the taxi hailing service Ola in 2016.
And a final, particularly controversial Aadhar issue: Wikileaks last month released material related to Expresslane malware— suggesting that the CIA had hacked the Aadhar database (see, for example, CIA SPIES INDIA’S BIOMETRIC AADHAAR DATABASE IN REAL TIME in myhacker.net or Aadhaar security: WikiLeaks hints at CIA access to India’s national ID card database in DNA).
Now, to be fair, I should acknowledge that the in response to this Wikileaks claim– “In another tweet, they published an article that says “Aadhaar in the hand of spies”” DNA reported:
However, the official sources in India have denied any such claims, say media reports.
Earlier, defending its decision to make Aadhaar a necessary document for availing benefits of government schemes, the Union Law Minister Ravi Shankar Prasad informed the Supreme Court that the government has formed a high-level committee for Aadhaar data protection. However, the Supreme Court refused to pass any interim order against the Central government notification for making Aadhaar mandatory. The Supreme Court was hearing a petition that said making Aadhaar compulsory would violate the right to privacy of an individual.
I do wish to point out that concerns that security of the Aadhar database was compromised from the get go have long dogged the program, as reported in The Sunday Guardian.com, Foreign agencies can access Aadhar data:
The biometric and demographic data collected for Aadhar may be extremely vulnerable to access by foreign intelligence services, defence services and multinationals interested in the commercial use of the data.
The three private entities contracted by the Unique Identification Authority of India (UIDAI) for biometric solutions for Aadhar, have strong ties with the US and the French intelligence or defence establishments.
There are myriad other problems with the Aadhar system– which alas, I lack space to discuss here. I do want to emphasize that Aadhar is so riddled with problems that I think it’s a very poor model the US to follow.
The Equifax hack has revealed the sad and sorry state of cybersecurity. But inviting the biometric ID fairy drop by and replace the existing Social Security number is not the solution.
It would only mean turning over your biometric information, as another source of data to be mined by corporations, and surveilled by those who want to do so. And it would ultimately not foil identity theft.
Let me close with a further snippet reported by Bloomberg on what the real target is here:
Joyce’s comments helped take some of the focus off Equifax’s blunders, analysts at Cowen Inc. said in a note Tuesday.
The “White House may be indirectly coming to Equifax’s rescue,” they wrote. “This reduces the risk of business-model-busting legislation such as a requirement that consumers opt-in to a credit bureau collecting their data.”
This research report thinks this sleight of hand is unintended. I don’t think so.