Featured Article

Social Security Numbers jeopardize personal privacy

National Identifiers like Social Security Numbers (SSNs) were introduced to administer benefits, not as a universal proof of identity. However, over time they have come to represent the backbone of personal verification across countless services. If those who developed it had known they would be used for everything from healthcare enrollment to job and loan applications, they might have chosen a different approach. Although many people consider SSNs to be “just fine,” the reality is that they suffer from three major flaws: the uniformity problem, the predictability problem, and the overexposure problem.

While this article is written with a US perspective, it applies equally to SINs in Canada, NI Numbers in the UK and similarly to most countries around the world.

The uniformity problem

Relying on the same identifier in all scenarios - from setting up a bank account to registering for medical coverage - creates unnecessary vulnerability. This “one ID fits all” method forces individuals to use a single number in every domain of life, regardless of differing security and privacy requirements. Ideally, your hospital should not require the same exact identifier you hand over at a new job. Importantly, using the same identifier across worldwide websites would be a huge privacy intrusion and security risk. But that doesn't mean we shouldn't identify ourselves online. And before you say it; using Linkedin or Facebook or a phone number as my proxy-identifier are also similarly bad ideas. A modern system would allow multiple context-specific IDs, all tied to the same person yet never repeated across different platforms.

The predictability (secrecy) problem

Although SINs look random, a clever adversary can sometimes guess them more easily than you might expect. In one study, researchers identified patterns based on birth regions and dates, using that data to predict a significant share of SINs in surprisingly few attempts. This vulnerability arises because the numeric structure and assignment method of SINs were not designed for security, making them far too guessable for something intended to stay secret. Even a single successful guess can wreak havoc, as attackers can then exploit that compromised identifier across multiple systems.

Some countries realized this early on and didn't even bother with trying to keep it secret or hard to guess. Many Nordic countries for example include the birthdate in their identifiers, and make the identifiers public knowledge. But USA, Canada and many other countries still encourage secrecy around semi-public SIN numbers, despite the well-documented security vulnerabilities that make this approach increasingly outdated in today's digital landscape.

The exposure problem

Another pitfall is that people must reveal their SIN whenever they need to verify their identity. Sharing that number, even once, whether with an employer or a creditor, means losing exclusive control over it. In the event of a breach, any organization storing those details could accidentally expose them. One breach is enough to compromise a vast number of individuals at once - a reality underscored by repeated headlines about hacked databases. A single secret distributed anywhere outside your managed secure environment becomes an irresistible target for attackers. Just one slip-up leaves an individual perpetually at risk.

Moving toward a better solution

Technologies such as asymmetric (public-key) cryptography and zero-knowledge (ZK) cryptography offer compelling alternatives. Rather than distributing the same personal code to every party, individuals hold a secret that never needs to be shared. Interactions involve mathematical proofs that confirm ownership, eliminating the need to hand over a vulnerable identifier. Even when additional data - like age or citizenship - must be verified, zero-knowledge proofs allow for disclosure of only the necessary facts while keeping other personal details hidden. Imagine proving you are of legal drinking age without revealing your birth date or your SIN. With ZK you can even prove that you are a resident of a city or citizen of a country  without disclosing your exact address.

Overcoming resistance to change

Many governments and industries remain tied to SINs out of habit. Updating laws, procedures, and software systems is no small endeavor. Nonetheless, the risks of clinging to an outdated identifier continue to rise. By transitioning to cryptographic methods, we can conquer the uniformity, predictability, and exposure issues. Protecting people’s personal information shouldn’t demand that they share a guessable, widely repeated code every time they apply for a job or open a bank account. We already have access to technology that lets you identify yourself a million times without even coming close to the risk you expose yourself to by sharing your Social Security number just once.

Welcome to CUBID Protocol

CUBID is the new solution to the problems of verifying yourself online, entirely free to use. 

• For users and citizens, CUBID is an identity solution that works across many sites. It's a proof-of-personhood site that let's you build, strengthen and manage your one and only reusable online identity. And it's the place that will work the hardest to secure and protect your identity for you.

• CUBID for developers, founders and website owners is an API-based solution to easily identify your users, and also to prevent them from creating a second or third account. You can bot-proof your site with CUBID. You can prevent Sybil-attacks with CUBID. You can create web3 accounts for your users with CUBID.

Beyond simple identity, CUBID also enables new and creative solutions that were not possible to build without proof-of-personhood. CUBID securely enables the ability to vote online and across borders, to receive universal basic income, and even to earn income anonymously by playing games or participate in surveys.

Click on one of the two CUBEs below to learn more.