BACKGROUND
THE UNIVERSAL IDENTIFIER (UID) AND THE GLOBAL AND NATIONAL COMMERCE (ELECTRONIC DIGITIZED SIGNATURE) ACT OF 2000
The main tradeoffs in the use of any identifier are between privacy on the one hand, and convenience in use and in tracking an individual's electronic interactions on the other. Security can be increased or decreased by a Universal Identifier (UID) depending on its implementation.
The nearly ubiquitous use of Social Security Numbers (SSNs) as what have come to be called Universal Identifiers (UIDs) has played a prominent role in recent horror stories about identity theft, traumatic to a number of individuals and threatening to all. The misuse of Social Security Numbers as proof of identity and of authority to take certain actions sets the stage for these and other potential violations of privacy and security. These concerns have led to a new focus on the meaning, role, and use of Universal Identifiers (UIDs), as we discuss further below. The Electronic Signatures in Global and National Commerce Act, which requires vendors to accept electronic means of identification by a party as sufficient to bind that party to a proposed contract, greatly raises the stakes in this discussion.
There are a number of functions that an identifier can perform. It can be used as:
A) Identification,
B) Authentication, and
C) Authorization.
The fact that a single identifier, e.g., the SSN, is often used for all three of these stages in establishing a contract helps to explain the growing ease with which a thief can assume the identity of a target person (hopefully neither you nor me). Further, court precedents have established that if an individual voluntarily gives a third party access to this particular, widely used identifier, his or her SSN, then information accessed through the use of the SSN (often through the web) is legally assumed to be true: the burden of proof has been shifted. This has further complicated problems resulting from identity theft. For example, a recent report from the Social Security Administration shows that identity theft victims spend approximately two years removing an average of $18,000 in fraudulent charges from their credit reports.
The vulnerability to fraud of all approaches to electronic signature makes this an area urgently requiring analysis. Truly effective legal safeguards for privacy and security must be enacted and in place, however, before legislation on even a limited-form-of-UID (note the contradiction in terms) is attempted.
The movement to accepting electronic signatures and electronic contracts raises an additional, related set of issues: the concept of validation (error control: providing confidence that information available electronically is a true copy of relevant information that is sought). This is an important, broad arena of scholarship and best practice that we just touch on here. Bit-errors introduced in storage or transmission of data are routinely taken care of by existing error detection and correction techniques that are standard and in place. We recommend that robust error detection be included with any form of identifier or electronic signature so that if one digit in a string is invalid, it can be corrected to avoid its matching some other real identifier. (See Conclusions below.)
The Need for Definitions: Unique, Universal (Which meaning?), Both? (or All?)
It is important to distinguish between two meanings of the word universal as applied to an identifier (the UID), and to distinguish both from a unique identifier. As we see below, their meaning, even from opposite sides of a given transaction, often is quite different. Let us illustrate this with the SSN.
The SSN is intended to be a universal identifier: every actual and potential participant in the workforce should have one.
The SSN is intended to be unique to an individual: only one person should have a given SSN.
(As we see below, the SSN fails on both counts.)
The meaning of the term universal in the context of the SSN is different from that in common parlance. In common parlance, universal has taken on the meaning of "always used". That is, if a given individual uses a particular identifier in all transactions and interactions with various aspects of his or her daily life (for identification of the individual in banking and other financial transactions; in employment interactions; in medical transactions and interactions, etc.), then the identifier would be considered universal. In the context of a UID the term universal implies this meaning of universally used by an individual, not a credential universal to all members of a population. This example suggests that it is important to distinguish whether one is looking at a given situation from the point of view of an individual or from the point of view of society interacting with an individual. It illustrates further that under neither focus would the universal identifier necessarily be unique to the individual.
Some Obvious Problems with the SSN
The SSN is intended to be unique. That is, it is intended that only one person would have a given SSN. In fact, this is not the case. Through inadvertence, there are multiple instances of more than one person with the same SSN.
Under the strictest meaning of a unique identifier, a given SSN would be the only such identifier used by a given individual. In fact, in practice it is possible for an individual legally to be provided with more than one SSN.
It would be possible to overcome these two flaws by establishing a UID different from the SSN. Were that to be done, the concomitant potential for identity theft and loss of privacy would still remain. They are inherent in any true UID.
Powerful Tradeoffs
If an individual has used his or her UID in the "always used" sense of the term universal, then this would provide convenience to that individual in pulling together an integrated picture of his or her transactions and interactions with society from all the sites of interaction. If the UID was not unique, however, the given individual might also pull in the transactions of others when seeking to aggregate only his or her own, and/or miss his or her own transactions made under a different identifier. At the same time, the individual would be vulnerable to invasions of privacy and security.
Convenience to Whom?
Clearly a universal identifier (layman's meaning) that is unique to the individual may provide great convenience to multiple organizations attempting to assemble a broad profile of the interaction of the individual with his or her society. That convenience includes threats and opportunities for misuse. Such an aggregation of information in the hands of others is likely to be less than warmly received by an individual seeking privacy. The (unauthorized) discovery and use (or misuse) of that individual's true UID would permit marketers to converge on a personalized strategy for pricing and selling their wares to the individual, governments to easily track the activities of the individual, a thief to assume the identity of that individual, etc.
Possible Alternative Forms and Uses of Identifiers
The three terms that were introduced above:
A) Identification,
B) Authentication, and
C) Authorization,
can be seen to represent increasing levels of trust in communicating and contracting with others, and different data elements are sometimes used for each different function.
As noted, the SSN has come to be used for all three purposes. As with one's name, the SSN is often used for identification of an individual. As with one's birth certificate, picture, or fingerprint, the SSN has been used as a form of authentication: "it's really me". As with one's personal signature, the SSN has been used to provide authorization. And as noted above, the personal signature in electronic form could become ever more important and potentially dangerous.
To the extent that an SSN or any other identifier is associated with all types of transactions between the individual and his or her society, only its use for the first function, (A) identification, would appear to be rational. It would not appear rational to use it also for authentication or authorization, except in the most trivial circumstances.
The Electronic Signatures in Global and National Commerce Act
The Electronic Signatures in Global and National Commerce Act, which took effect on October 1, 2000, says that contracts in interstate or foreign commerce may not be denied legal effect, validity, or enforceability solely because an electronic signature or electronic record was used in their formation. The act does not discuss the possible forms that electronic signatures might take, raising the possibility that SSNs might be interpreted as legally binding signatures.
Approaches to Reducing the Likelihood of Theft
Privacy and security are likely to be greatly enhanced if different data elements or approaches are used for each respective function, (A), (B) and (C) above. For situations requiring increased privacy and/or security, or truly unique identification of an individual, biometric factors have often been used: the baby's footprint and the mother's fingerprint are recorded at the birth of the child; the photo ID is used along with one or more numerical identifiers for many purposes. A retina scan is another form of unique identifier. Each of these biometric approaches provides a unique ID. Each appears to have significant advantages over a mere number for this purpose, but in fact they share many of the problems of a number as an identifier. In our digital age, to use a biometric identifier in authentication and/or authorization generally requires comparison to a digital image of that biometric feature. Once captured digitally, such features are as subject to compromise as numbers are when used as identifiers.
Biometric identifiers also have disadvantages not shared by numerical identifiers. One cannot change one's retina if its image happens to have been compromised. The retina persists through the life of the individual. And because they are unique to the individual, they may be too readily accepted as valid forms of authentication and authorization (as well as identification). We hasten to add that the use of obscure but publicly available personal facts (such as the SSN or mother's maiden name) is even less desirable for authentication and authorization. Both are becoming easily available on the web.
Where privacy and security become a higher order of preference, the user must, and often does, invoke encryption. Where a given encryption key may be compromised, it can readily be changed, thus providing an advantage over biometric identifiers. The particular form and function of encryption appropriate to the various layers and aspects of discussions of identifiers forms the basis of a further, separate and involved area of scholarship. We incorporate these discussions by reference only.
One conclusion we do reach on the basis of our general familiarity with the arena of encryption is this: interactive exchanges of encrypted handshakes that appear to offer the highest degree of security feasible under today's technologies have been developed. As noted below, we of CCIP heartily endorse these approaches. As noted above, they have an additional advantage over biometric identifiers: where a given encryption key may have been compromised, it can readily be changed.
General Comments
The desirability and feasibility of using universal identifiers and/or unique identifiers clearly is situationally determined. The characteristics of a given transaction or interaction between the individual and the society will determine the values in the tradeoffs among privacy, security, and convenience. The values of the society will determine the attractiveness of one resolution of these tensions as compared to others.
Conclusions
We conclude that individuals and society will be best served by a family of identifiers, with each identifier appropriate to the trade-offs implicit in the facts of a given transaction. The maturity of both the society and the individual will influence the weighing of these tradeoffs. In any case, in selecting a particular identifier, all parties would benefit from a careful review of history and the experience base in the creation, use, and evaluation of various identifiers under widely differing circumstances.
Two quick examples can suggest the value of such an approach. First, in Sweden there is overlap between the personal identifier and the concept of validation. There, the SSN is widely used across multiple forms of transactions. To prevent inadvertent errors in the transcription or transmission of the SSN, the Swedes have introduced a check bit for error correction. The check bit is used to validate the number being transcribed or transferred as a particular SSN. A second illustration is found in the evolution of the tracking of individual users of cell phones. The phone number for a particular cell phone is used to track the user of that phone nationwide, and increasingly worldwide, across multiple forms of infrastructure, government and telephone systems.
Sophisticated techniques for ensuring that the phone number is a (limited) UID in this context, and that misuse is prevented, can provide powerful guidance for use of (limited) UIDs in other contexts. One must note, however, that depending on the technology used, cell-phone conversations themselves may be far from secure.
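The Swedish scheme just mentioned is easy to implement, and implementing it also makes precise the validation recommendation made earlier in this paper. The paper speaks of a check bit; the personnummer in fact carries one decimal check digit computed with the Luhn algorithm over the nine digits before it (the century digits of the twelve-digit form are not covered). The Python below is an added example written for this page, not IEEE-USA's or any Swedish agency's code. It validates a personnummer and then shows what one check digit can and cannot do: every single mistyped digit and every swap of two different neighbouring digits (other than 09/90) is detected, but the error cannot be corrected, because for an invalid number there is exactly one passing correction at every position. The sample number is constructed.

```python
import re

def luhn_check_digit(body: str) -> int:
    """Luhn check digit for a string of decimal digits (an identifier without its check digit)."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:          # every other digit, starting with the rightmost body digit
            d *= 2
            if d > 9:
                d -= 9          # same as adding the two digits of the product
        total += d
    return (10 - total % 10) % 10

def luhn_valid(number: str) -> bool:
    """True if the last digit of `number` is the Luhn check digit of the digits before it."""
    if len(number) < 2 or not number.isdigit():
        return False
    return luhn_check_digit(number[:-1]) == int(number[-1])

def personnummer_valid(pnr: str) -> bool:
    """Validate a Swedish personnummer written as YYMMDD-NNNC, YYMMDDNNNC or YYYYMMDDNNNC."""
    digits = re.sub(r"\D", "", pnr)
    if len(digits) == 12:
        digits = digits[2:]     # the century digits are not covered by the check digit
    return len(digits) == 10 and luhn_valid(digits)

def one_digit_variants_passing(number: str) -> list:
    """All strings that differ from `number` in exactly one digit and pass the check.
    For a VALID input the list is empty: every single-digit substitution is detected.
    For an INVALID input there is exactly one candidate per position, so the check
    digit cannot say which digit was mistyped: it detects errors, it does not correct them."""
    found = []
    for pos, current in enumerate(number):
        for d in "0123456789":
            if d != current:
                cand = number[:pos] + d + number[pos + 1:]
                if luhn_valid(cand):
                    found.append(cand)
    return found

def undetected_adjacent_transpositions(number: str) -> list:
    """Swaps of two neighbouring, different digits that the check digit does NOT catch
    (Luhn misses only the pairs 09 and 90)."""
    missed = []
    for pos in range(len(number) - 1):
        a, b = number[pos], number[pos + 1]
        if a != b:
            cand = number[:pos] + b + a + number[pos + 2:]
            if luhn_valid(cand):
                missed.append(cand)
    return missed

SAMPLE = "811218-9876"   # constructed sample personnummer; its check digit is 6

if __name__ == "__main__":
    print(SAMPLE, "valid:", personnummer_valid(SAMPLE))
    print("last digit mistyped, valid:", personnummer_valid("811218-9877"))
    print("passing one-digit corrections of 8112189877:", one_digit_variants_passing("8112189877"))
```

The practical consequence for any identifier scheme is the one the paper's validation paragraph asks for: a mistyped digit is rejected rather than silently matching some other real person's number, but the receiving system must ask for the number again instead of guessing a correction.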
For the highest level of security under today's technologies we endorse the use of approaches that incorporate the interactive exchange of encrypted handshakes for authentication of identity in the context of authorization for participation in significant contracts.
This paper was prepared by IEEE-USA to expand upon its policy position paper Against Use of Universal Identifiers (UIDs).
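To make concrete both the separation of functions (A), (B) and (C) argued for earlier and the interactive handshake endorsed here, the following Python sketch is an added example for this page, not IEEE-USA's proposal or any standard protocol. It keeps an SSN-shaped string purely as an identification label, proves identity with an HMAC challenge-response keyed by a secret that the verifier can rotate, and binds each response to the contract text being authorized. Beside it sits the static check the paper warns against, in which the identifier itself is the proof. The class names, the nonce lifetime and the sample contract are all constructed.

```python
import hashlib
import hmac
import secrets

# Constructed illustration, not IEEE-USA's design or any standard's wire format.
# (A) identification: a public label for the account (here an SSN-shaped string);
# (B) authentication: proof of possession of a secret key that can be replaced;
# (C) authorization: binding that proof to one specific contract text.

class StaticSecretVerifier:
    """The anti-pattern the paper describes: a fixed, widely shared value such as
    an SSN is the proof itself, so one copy of it satisfies every future check."""
    def __init__(self, stored_value: str):
        self._stored = stored_value

    def authenticate(self, submitted_value: str) -> bool:
        return hmac.compare_digest(self._stored, submitted_value)

class ManualClock:
    """Deterministic clock so challenge expiry can be shown without sleeping."""
    def __init__(self):
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds

def compute_response(key: bytes, nonce: bytes, contract: bytes) -> bytes:
    """Prover side: MAC over the verifier's fresh nonce and the contract being
    signed, so the response is useless for any other nonce or contract."""
    return hmac.new(key, nonce + b"|" + contract, hashlib.sha256).digest()

class ChallengeResponseVerifier:
    """Verifier side: current key per account, single-use challenges with a
    lifetime, constant-time comparison of the response."""
    def __init__(self, clock, ttl_seconds: float = 60.0):
        self._keys = {}       # identifier -> current shared key
        self._pending = {}    # nonce -> (identifier, time issued)
        self._clock = clock
        self._ttl = ttl_seconds

    def enroll(self, identifier: str) -> bytes:
        key = secrets.token_bytes(32)
        self._keys[identifier] = key
        return key            # handed to the prover out of band (assumed)

    def rotate_key(self, identifier: str) -> bytes:
        """A compromised key is replaced; the old one stops working at once."""
        return self.enroll(identifier)

    def challenge(self, identifier: str) -> bytes:
        if identifier not in self._keys:
            raise KeyError("unknown identifier")
        nonce = secrets.token_bytes(16)
        self._pending[nonce] = (identifier, self._clock())
        return nonce

    def verify(self, identifier: str, nonce: bytes, response: bytes, contract: bytes) -> bool:
        entry = self._pending.pop(nonce, None)   # consumed whether or not the check passes
        if entry is None:
            return False                          # unknown nonce, or one already used (replay)
        issued_to, issued_at = entry
        if issued_to != identifier or self._clock() - issued_at > self._ttl:
            return False
        expected = compute_response(self._keys[identifier], nonce, contract)
        return hmac.compare_digest(expected, response)

def run_handshake_demo() -> dict:
    """Cases that separate an interactive handshake from a static identifier."""
    clock = ManualClock()
    verifier = ChallengeResponseVerifier(clock, ttl_seconds=60.0)
    ssn = "123-45-6789"                    # constructed label; used only as (A)
    contract = b"purchase order 1 (constructed)"
    key = verifier.enroll(ssn)
    out = {}
    n = verifier.challenge(ssn)
    r = compute_response(key, n, contract)
    out["genuine"] = verifier.verify(ssn, n, r, contract)
    out["replayed_transcript"] = verifier.verify(ssn, n, r, contract)
    n = verifier.challenge(ssn)
    r = compute_response(key, n, contract)
    out["response_reused_for_other_contract"] = verifier.verify(ssn, n, r, b"other contract")
    n = verifier.challenge(ssn)
    clock.advance(61.0)
    out["stale_challenge"] = verifier.verify(ssn, n, compute_response(key, n, contract), contract)
    new_key = verifier.rotate_key(ssn)
    n = verifier.challenge(ssn)
    out["old_key_after_rotation"] = verifier.verify(ssn, n, compute_response(key, n, contract), contract)
    n = verifier.challenge(ssn)
    out["new_key_after_rotation"] = verifier.verify(ssn, n, compute_response(new_key, n, contract), contract)
    static = StaticSecretVerifier(ssn)
    out["static_value_accepted_again"] = static.authenticate(ssn) and static.authenticate(ssn)
    return out
```

Two design points carry the paper's argument. The nonce is removed from the pending table before the response is even examined, so a recorded transcript is worthless the second time, and the MAC covers the contract text, so a response given for one agreement authorizes nothing else. Rotating the key is a one-line administrative act, which is exactly the property the paper notes a retina or fingerprint can never have.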