by Gregory Conti, Dominic Larkin, David Raymond, and Edward Sobiesk
Download the Full Article: The Military's Cultural Disregard for Personal Information
Identity theft is not simply an inconvenience; it can lead to long-term financial and legal difficulties for individuals and families. In forward-deployed locations such as Iraq and Afghanistan, the distraction caused by identify theft can directly affect combat readiness as service members attempt to recover from these crimes. What makes matters worse it that Soldiers, Sailors, Airmen, and Marines face an increased likelihood of being targeted due to the manner that many military organizations treat individuals' Social Security numbers, dates of birth, and other Personally Identifiable Information (PII). There are numerous recent examples of deployed service members being victims of identity theft.
The time has come for the United States military to enforce a culture that respects PII and to discontinue use of the Social Security number as the primary means of tracking its personnel. We advocate the return to a service number system. The military previously used a service number system, but began replacing it in the late 1960's with Social Security numbers. The impetus for the change stemmed from Executive Order 9397 which directed Federal agencies to use the Social Security number as an identifier to provide a single numerical identification system for Federal employees [ , ]. What authorities failed to envision at the time was how using the Social Security number as both a unique identifier for the Internal Revenue Service, which led to the use of SSNs across the financial spectrum to include banks, mortgage lenders, credit reporting agencies, etc., and as an employee identifier would lead to easy access to, and potentially widespread abuse of, this critical piece of PII. The result was a well-intentioned, but misguided, policy. In an era when an individual's Social Security number and date of birth have become the keys to identity theft, the ubiquitous use of the Social Security number by the military services is reckless. The problem is compounded by an uninformed, sometimes cavalier, culture and attitude surrounding the protection of PII that is common in the military.
While recently updated policy documents created at the most senior levels of the military services do exist, there is a significant disconnect between this high level policy and the requisite culture required for proper protection of PII in practice. As a result, the military services lag a decade or more behind best practices found in other sectors of government, industry, and academia in the proper use and handling of PII. While positive progress has been made by the services, such progress is slow, ad-hoc, frequently ignored, and overshadowed by the common usage of the Social Security number as a way of tracking and identifying individuals. The systemic leakage of personal information in day to day operations, and a pervasive attitude of disregard for personal privacy is unsettling. Such issues are not tolerated outside the military - the time for substantive change within the military has arrived.
The problem of PII use has broad implications because the impact is felt by uniformed service members as well as government civilians, family members, and contractors, all of whom are compelled to disclose their Social Security number and incur the risk that it will be further disclosed, intentionally or unintentionally, without their knowledge or consent. The Federal Trade Commission, the United States Government's lead agency in preventing identity theft, states "Don't carry your Social Security card in your wallet or write your Social Security number on a check. Give your Social Security number only when absolutely necessary, and ask to use other types of identifiers." This guidance is impossible to follow within the military given the pervasive and compulsory use of the Social Security number.
There are some who believe that disclosing one's Social Security number or birth date is harmless, however, this view is patently incorrect. An individual's Social Security number combined with their date of birth provides access to one's identity. Scammers, identity thieves, and other criminals can use this information to commit a wide variety of crimes including opening new credit card accounts, generating credit reports, taking over existing accounts, or as a way to shield their true identity when arrested for a crime. There is even a recent trend where criminals will use the Social Security number of children as a means of stealing an untainted credit history.
Fixing the damage caused by identity theft is imperfect, stressful, expensive, and time consuming. Accounts must be closed and credit reports fixed through long and painful processes. Innocent individuals are subject to harassment by collection agencies. The cost is high in terms of time and frustration. The problem is magnified when an individual is deployed, allowing much damage to occur without their knowledge, or if known, serves to place additional stress on already strained families. Unlike a password which can be routinely changed, our Social Security number and date of birth are meant to be with us for life. Thus, disclosure of this information places us at risk for life; in fact some identity theft even occurs after death, creating immense problems for surviving family members.
This article outlines the problem by illustrating the common use of the Social Security number as a unique identifier and pseudo-password in the military services. We illustrate the many ways, both large and small, that PII continues to be abused, as well as common misperceptions. We conclude with actionable solutions that will help correct the problem.
Download the Full Article:The Military's Cultural Disregard for Personal Information
Lieutenant Colonel Gregory Conti is a Military Intelligence Officer and Director of West Point's Cyber Security Research Center. He holds a BS from West Point, an MS from Johns Hopkins University and a PhD from the Georgia Institute of Technology, all in Computer Science. He is the author of Security Data Visualization (No Starch Press) and Googling Security (Addison-Wesley) as well as numerous articles covering information security, online privacy, and cyber warfare. He has deployed in support of Operations Desert Shield, Desert Storm and Iraqi Freedom.
Major Dominic Larkin is a Field Artillery Officer and Instructor in West Point's Department of Electrical Engineering and Computer Science. He holds a BS from Troy State University and an MS from the Georgia Institute of Technology. His research interests include computer science education, robotics, digital security and electronic privacy. He deployed in support of Operation Just Cause and Operation Iraqi Freedom.
Lieutenant Colonel David Raymond is an Armor Officer and Assistant Professor in West Point's Department of Electrical Engineering and Computer Science. He holds a BS from West Point, an MS in Computer Science from Duke University, and a PhD in Computer Engineering from Virginia Polytechnic and State University. LTC Raymond's research interests include wireless sensor and mobile ad hoc networks, wireless network security, and online security and privacy. He has deployed in support of Operations Desert Shield, Desert Storm and Iraqi Freedom.
Colonel Edward Sobiesk is an Armor Officer and Director of West Point's Information Technology Program. He holds a BS in Computer Science from Winona State University, and an MS and a PhD in Computer and Information Sciences from the University of Minnesota. COL Sobiesk's research interests include electronic privacy, computer science & information technology education, computing ethical and legal considerations, and artificial intelligence. He has deployed in support of Operations Desert Shield and Desert Storm.
The views expressed in this article are those of the authors and do not reflect the official policy or position of the United States Military Academy, the Department of the Army, the Department of Defense, or the United States Government.
Editor's Note: This essay runs in conjuction with a New York Times investigative report.