Thirty years ago, a lot of US states thought it would be a good idea to compute someone’s drivers license number (DLN) from their personal information [1]. In 1991, fifteen states simply used your Social Security Number as your DLN. Eleven other states computed DLNs by applying a hash function to personal information such as name, birth date, and sex. A few other states based DLNs in part but not entirely on personal information.
Presumably things have changed a lot since then. If you know of any states that still do this, please let me know in the comments. Even if states have stopped computing DLNs from personal data, I’m sure many organizations still compute IDs this way.
The article I stumbled on from 1991 gave no hint perhaps encoding personal information into an ID number could be a problem. And at the time it wasn’t as much of a problem as it would be now.
Why is it a problem if IDs are computed from personal data? People don’t realize what information they’re giving away. Maybe they would be willing to give someone their personal information, but not their DLN, or vice versa, not realizing that the two are equivalent. They also don’t realize what information about them someone may already have; a little bit more info may be all an attacker needs. And they don’t realize the potential consequences of their loss of privacy.
In some cases the hashing functions were complicated, but not too complicated to carry out by hand. And even if states were applying a cryptographic hash function, which they certainly were not, this would still be a problem for reasons explained here. If you have a database of personal information, say from voter registration records, you could compute the hash value of everyone in the state, or at least a large enough portion that you stand a good chance of being able to reverse a hashed value.
Related posts
- May I have the last four digits of your social?
- Simulating identification by zip code, birth date, and sex
- You do not want to be an edge case
[1] Joseph A. Gallian. Assigning Driver’s License Numbers. Mathematics Magazine, Vol. 64, No. 1 (Feb., 1991), pp. 13-22.
This (Internet) article suggests, with plenty of disclaimers, the Illinois, Wisconsin, and Florida compute the driver’s license number from personal data, and show how it’s done:
http://www.highprogrammer.com/alan/numbers/dl_us_shared.html
It also has links for Maryland, Michigan, New Hampshire, New Jersey, and Washington, as well as the former calculations for Minnesota, Nevada, and New York:
http://www.highprogrammer.com/alan/numbers/index.html
Washington no longer does that. Since this spring/summer they are random.
In the wrong historical direction, but I had to photoshop out my (1976) graduate student ID number (which was my SS number) to put this up on my family photos page:
https://pbase.com/davidjl/image/151837214
I guess we were all more innocent back then…