About Me

I ramble about a number of things - but travel experiences, movies and music feature prominently. See my label cloud for a better idea. All comnments and opinions on this blog are my own, and do not in any way reflect the opinions/position of my employer (past/current/future).

22 July 2009

ID Numbers, ID theft and Privacy

There has been a lot of talk recently on the rise of identity theft in South Africa. Popular press has recently jumped on the bandwagon, and there are articles talking about how ID numbers should not be disclosed to anyone and that there is a need to keep the ID numbers secret.

In addition, there is the new privacy bill (which I still haven't read) - but since it is based on the EU privacy directives, I am very confident that it will list the ID number as private information and ask that it should be protected.

The problem is, we are trying to shut the gate once the horse has already bolted. The need to supply ID numbers is ubiquitous - and in many cases it does not make sense. Some buildings require you to provide a number (not any supporting documentation, just the number) to enter. Interact with a bank or any personal business relationships (credit applications, phone applications, post box etc.) you need an ID number. Need a job - you need an ID book. The numbers are everywhere, in multitude of systems, and they are also published online with no regards to data sanitisation. For example, here is a PDF I found detailing ID numbers of restaurant owners who applied for liquor licenses in Gauteng. I was looking for the address of one of the listed restaurants ... Oh, and Government gazettes are public documents, and the bylaws require that the information should be published.

The problem is that we use ID numbers for things we are not supposed to be using it for; namely authentication of persons. To illustrate, let's examine the definition of authentication (as a process) in RFC 2828.

An authentication process consists of two steps:

  1. Identification step: Presenting an identifier to the security system. (Identifiers should be assigned carefully, because authenticated identities are the basis for other security services, such as access control service.)

  2. Verification step: Presenting or generating authentication information that corroborates the binding between the entity and the identifier.

The ID number is an identifier. It is a 13 digit numeric string that is unique to all legal South African permanent residents (citizens and non-citizens). The verification step rests solely with the Department of Home Affairs. However, companies never make that leap - the Identity number and the associated Identity book has become a one stop authentication solution which it was not designed to be (or it would have other built in verification steps). Since business rely solely on the ID book and the ID number, the verification step is incomplete and thus ID fraud takes place.

The ID number does not necessarily need to be private. it is after all an unique identifier for persons - a more unique name. What is required is an easier, usable and secure verification service. That is the answer to identity theft resulting from "stolen" identity numbers. As for privacy of identity numbers - the number itself does not need to be private - it is after all an identifier. However, that does not mean that every one should collect the numbers. There should still be a reason to collect information, and should it be collected, there needs to be secure storage of the data. In these regards the EU privacy directive is absolutely correct.


Anonymous said...

I recently came across your blog and have been reading along. I thought I would leave my first comment. I dont know what to say except that I have enjoyed reading. Nice blog. I will keep visiting this blog very often.



Dave said...

The interesting thing is how ignorant consumers of ID numbers are. Case in point - a buddy of mine was trying to get a visa to the US, and discovered he was wanted for two major crimes - a hit 'n run involving a fatality, and a robbery. In both cases, the suspect had been arrested by the police, and they had given their ID number, which turned out to be my friend's. The amazing thing is, in both cases the people involved were way older than he was - but the police writing the docket obviously did not know that the first two numbers are the year of birth, because that would have immediately told them that the numbers were fake.

In the US, the problem is worse, because social security numbers often have collisions (they are only 9 digits). Even worse, your social security card only has your name and the number. So it should be easy to fake. Fortunately, people here have gotten smart about consuming them - only a few places ask them, and those that do require you to present two other independent forms of photo ID to link your face to your name to your social security number.