Protecting Identity: Recommended Practices

TL;DR

Guard your biometrics. Create accounts with data brokers that hold your information like government organizations and credit bureaus. Take control of your digital footprint by managing mobile device unique identifiers. Secure your email using the strongest protections available.

Terms & Tech

Identity is an umbrella term. Identification is something you possess. Attributes associated uniquely with you make you identifiable.

One form of identification is your unchanging genetics that includes your DNA, your fingerprint, iris pattern, the pattern your blood vessels make on the back of your retina, or your voice. These are known as biometrics. Governments use DNA and fingerprints to uniquely identify you. Modern mobile devices and some non-government organizations enable biometrics as a password alternative. Both Apple and Google analyze fingerprint data in a secure manner using computational algorithms and the data never leaves the device. Apple’s Touch ID uses an onboard chip and the Secure Enclave to compute and encrypt fingerprint data. Google’s Pixel phones use a Trusted Execution Environment (TEE) to cryptographically authenticate fingerprint data. Both organizations also use facial imaging, too. Apple’s Face ID information is also stored in the Secure Enclave and Google’s Face Unlock uses the camera to scan your face and compares it to the data model stored securely on the phone. US Customs and Border Protection (CBP) and some private organizations like Clear use your fingerprint to confirm your identity.

Another form of Identification stems from documentation that a government entity acknowledges you’re a member of a community and you have a uniquely identifiable set of assigned attributes. In the US, the most commonly used unique identifier is the Social Security Number (SSN). US citizens under 12 only need a certified copy of a birth certificate to apply for a SSN. If you’re older than 12 or not a US citizen, you’ll need additional documentation. A driver’s license and passport both request the SSN as part of their application process. The driver’s license and passport add your picture and they’ve become the de facto standard for proving identity. Records are held at both the state and federal level. Each state offers their own online portal and offices for driver’s licensing. Federal interactions occur with the Social Security Administration (SSA), US Customs and Border Protection (CBP), the Internal Revenue Service (IRS), and the State Department. State doesn’t have an online portal for passport requests, but the SSA, CBP, and IRS do have portals. Logins to them are available natively and/or through login.gov or id.me, both of which thankfully support FIDO2-compliant keys for Multi-Factor Authentication (MFA).

Identity is also a term used when you’re identifiable. Examples of attributes that identify you that aren’t your name or social security number are your phone number or email address. These are so unique that they’re often synonymous with the term Personally Identifiable Information (PII). A more complex example is a mobile device unique identifier (UDIDs) such as Apple’s Identifier for Advertisers (IDFA), Apple’s ad network API, or Android’s Advertising Identifier (AAID). Another complex example is the HTTP cookie, a small text file that helps websites track your engagements.

The biggest difference between all these is how often these things change over the course of a lifetime. Your biometrics will not change. Your social security number will likely never change after it’s issued. Your name might change, but probably won’t change more than a few times. Your phone number might change a few times but not a lot, and it’s unlikely you’ll hold more than a few concurrently. Your email addresses may or may not change, but you’re likely to have several over your lifetime. You’re almost certain to have many internet connected devices and each will have at least one unique device identifier (more if you reset them). Cookies are generally only important to the site that issued them, so while they are uniquely identifiable, it’s not always possible to correlate these to your state or federal identity.

The important thing to know about identity is the less the attribute is likely to change, the more you must do to safeguard it from fraudulent use. To that end, the most important things you can do to protect your identity is limit who has access to your biometrics and claim your login via the online government portals. This is partly so no one else can beat you to it and partly to be sure you can stay ahead of expirations.

Recommendations

1. Secure your credit information at the five bureaus.
2. Limit enrollments of biometrics to devices you control and/or organizations you trust. Giving your biometrics to a hotel or a bank is not at all the same type of risk as providing biometrics to a government agency. Some banks offer voice-based authentication. Don’t enroll.
3. Create a login with SSA. One, this prevents someone else from claiming they’re you and two, you can confirm the data held there is correct. Social Security’s login supports FIDO2-compliant keys for MFA. The site only provides you two attempts to successfully confirm your identity when creating the account and they lock you out if your data doesn’t match their files. It’s worth noting your last known address is probably from December of last year and/or when you filed taxes. If you moved since either, they may not know. You may have to use a former address to successfully register if you find you’re locked out for 24 hours. Social Security also offers (at this time of this writing) two additional login methods: ID.me and login.gov.
4. Create an account with Customs and Border Protection if you travel by air or travel internationally. This organization runs the pre-check, trusted traveler, and global entry programs. CBP’s login supports FIDO2-compliant keys for MFA (via login.gov). Long time account holders might realize the original Global Entry system (GOES) was hosted at a dhs.gov site. That site is gone and has been replaced by a shared login at login.gov. Migrating an account feels like you’re applying from scratch, but the last piece asks for your PASSID or former GOES login, then seeks to validate your identity from your previous account. Once registered, return to the login.gov account to add more U2F keys.
5. Delete Ad Tracking on your devices. There’s a long history about what was once intended to be anonymous mobile device unique identifiers (UDIDs). Organizations found ways to leverage these identifiers and tie them back to individual users. Apple and Google responded over the years and the UDID has morphed into Apple’s Identifier for Advertisers (IDFA) and Android’s Android Advertising Identifier (AAID). Both are now something you can and should delete. The Electronic Frontier Foundation posted a May 2022 article describing their history, how to delete them, and how to prevent your phone from generating new ones. The EFF followed up with a September 2022 press release warning about how these identifiers are used not just by advertisers but by law enforcement and possibly government agencies for what are effectively warrantless searches that provide history about your physical location. Why does this matter; you’re not doing anything wrong, right? Properly executed warrants require a judge and at least some explanation justifying them. A warrant would be about you. The data brokers that sell this data make it possible to start with a geofenced area and see everyone who’s been inside it. You may coincidentally visit the same grocery store as a bad actor and now you’re a person of interest (thanks to that guilty-by-association clause your parents cited when you were in high school about your fun, but questionable friend). Worse, some organization that isn’t a government agency may be able to see the same data and use it however they want to, which could even mean using data patterns to predict when/where you’re going to be without ever actually putting eyes on you. Just delete these IDs!
6. Use Google Advanced Protection on your Google accounts. Enrolling in this no cost program adds phishing protection, flags or blocks malicious applications from downloading, and restricts third party access to your Google account, including Contacts and Drive. It’s important to understand that adding and using FIDO2-compliant keys to a Google account is not quite the same as enabling Advanced Protection. That definitely helps combat phishing attempts, but Advanced Protection offers additional benefits. This program is used by those who have a very visible or impactful role in elections or the press, and/or consider themselves to be high risk targets based on their industry or activism.