How 10 digits will end privacy as we know it

Editors' note: This is a guest column. See Ari Juels' bio below.

Internet denizens and urban dwellers alike need to recognize that an era of anonymity is ending.

The population of the world stands at about 7 billion. So it takes only 10 digits to label each human being on the planet uniquely.

This simple arithmetic observation offers powerful insight into the limits of privacy. It dictates something we might call the 10-Digit Rule: just 10 digits or so of distinctive personal information are enough to identify you uniquely. They're enough to strip away your anonymity on the Internet or call out your name as you walk down the street. The 10-Digit Rule means that as our electronic gadgets grow chattier, and databases swell, we must accept that in most walks of life, we'll soon be wearing our names on our foreheads.

A study of 1990 U.S. Census data revealed that 87 percent of the people in the United States were uniquely identifiable with just three pieces of information (PDF): five-digit ZIP code, gender, and date of birth. Internet surfers today spew considerably more information than that. Web sites can pinpoint our geographical locations, computer models, and browser types, and they can silently track us using cookies. Banking sites even confirm our identities by verifying that our log-ins take place at consistent times of day.

Database dossiers, too, carry surprising amounts of identifying information, even when specifically anonymized for privacy. Researchers at the University of Texas at Austin last year studied a set of movie-rating profiles from about 500,000 unnamed Netflix subscribers (PDF).

Knowing just a little about a subscriber--say, six to eight movie preferences, the type of thing you might post on a social-networking site--the researchers found that they could pick out your anonymous Netflix profile, if you had one in the set. The Netflix study shows that those 10 deanonymizing digits can hide in surprising places.

Our physical belongings also betray our anonymity by silently calling out identity-betraying digits. Small wireless microchips--often called radio frequency identification, or RFID, tags--reside in car keys, credit cards, passports, building entrance badges, and transit passes. They emit unique serial numbers.

Once linked to our names--when we make credit card purchases, for instance--these microchips enable us to be tracked without our realizing it. One popular book inflames imaginations with the lurid title, "Spychips: How Major Corporations and Government Plan to Track your Every Move with RFID."

There's little point in hiding the serial numbers of chips when your mobile phone squeals on you.

But wireless microchips also highlight the futility of anonymity protections. To begin with, concerns about RFID tracking miss the forest for the trees. After all, mobile phones are ubiquitous and can be tracked at much longer ranges than standalone chips. Many people have GPS receivers in their phones and are signing up for location-based services, voluntarily (if selectively) disclosing their movements. There's little point in hiding the serial numbers of chips when your mobile phone squeals on you.

Many scientists (including me) have developed antitracking techniques for mobile phones and microchips. Instead of fixed serial numbers, wireless devices can call out changing pseudonyms, such as the rotating license plate numbers on spies' cars in the movies. The problem is that the plates may change, but the car always looks the same. In this regard, chips are like cars.

Scientists at ETH Zurich recently showed how to identify microchips uniquely using radio waves (PDF)--and consequently to see through the disguise of pseudonyms. Their experiments showed that thanks to manufacturing variations, microchips, laptop Wi-Fi cards, and other devices can't help but emit physical "fingerprints"--essentially God-given serial numbers. More digits that we radiate unknowingly.

In the end, we probably won't need to carry anything at all to see our identities betrayed in public spaces. There are already tens of millions of surveillance cameras in public spaces in the United States.

Face recognition software is crude today, but it will improve. Cameras will eventually recognize faces as well as people do. Unlike people, though, they'll have the backing of databases containing millions of faces--or the headshots that so many of us already post online.

Thankfully, despite proliferating sources of those 10 digits that are fatal to anonymity on the Internet and the sidewalk, we can still prevent the world of the film "Minority Report." There are many defensible facets to privacy beyond identity. Even if our names are blazoned forth to all and sundry, we still have the opportunity to safeguard health care and financial data, entertainment preferences, purchase histories, and social interactions.

In this battle, identity theft is a key challenge for technologists and policymakers. The only way to prevent unauthorized access to personal data is to ensure that even when criminals learn the digital constituents of your identity, they can't steal it. Strong authentication will need to fill the gap as the privacy of identities crumbles.

Perhaps the world will be friendlier when in-store advertisements greet you personally, criminals wear "Hello, My Name Is" badges, and the people you meet at parties already have your bio in hand. Facebook, Twitter, and pervasive blogging already augur a society of reflexive exhibitionism and voyeurism. But the technologies that advance us into a world of omniscience will also bring us a step backward.

For years, people aspired to escape small towns for the big city, for the fresh start of an identity without history. The Internet offered similar horizons of freedom. But the society of the small town will soon have us back in its clutches, for good and bad. And on the Internet, everyone will know if you're a dog.

[jaguar717]

Wait, so the over-watched, over-tracked, over-surveilled, over-crimed, over-regulated, over-controlled, over-governmented world is the "society of the small town"?

Last I checked, it was the megaurban slums where all those failures occur. Outside those overgrown islands is where people enjoy a far greater degree of freedom.

Perhaps the good news is that all this interference will finally convince people to leave the dependence of urban life for the freedom of the real world.

[T543212345]

no, his point was that in a town of 400, say, everybody knows everybody's business...and people have traditionally moved to the "big city" to regain their anonymity. But now (because of the various technologies he was talking about in the article) this is not possible (or more difficult...).

[Lerianis3]

Well, the question is do you REALLY need anonymity outside of your personal dealings in your home anymore? Most people don't. The only people who do really are protesters against laws that they find irrelevant or distasteful. I don't bring criminals into this because any criminal worth his salt would know about encryption on the internet and pay everything in cash, have multiple accounts in multiple names, etc.

[zyxxy]

I see you posted your full name, address and telephone number in your response.
Not.

[jimmith]

actually, it is not just governments that we need to fear.
as http://www.provacymatters.nl describes (animation documentary about electronic privacy issues) it is the threat of being
a) labelled and prejudged, which can seriously erode choice and freedom within our digital barrier/emoney society
b) being exposed to crime via careless and unregulated storage of your personal data. there are a phenomanal amount of data theft, leading to identity theft and the resulting fraud.
c) falling foul of future governments that shift societies values beyond your own current thresholds: eg Iran's rounding up ­hundreds of activists, journalists and intellectuals, via logging and tracking of their opposing beliefs (esp revolutionists)

[Random_Walk]

"So it takes only 10 digits to label each human being on the planet uniquely. "

We have those already (count the digits in your SSN).

re: "Perhaps the good news is that all this interference will finally convince people to leave the dependence of urban life for the freedom of the real world."

This planet could not support 6bn human beings in a purely agrarian (or even semi-agrarian) society. Most of us would starve to death.

[eccesignum]

Last I checked, a SSN has 9 digits.

[cougar888]

Did the SSN format change?

My SSN only has 9 digits. (3,486,784,401 unique people). The SSN works for our country, but not the entire planet.

[Random_Walk]

D'oh!

Heh... s'what I get for typing before I had coffee... :)

[DukeW]

U.S. telephone numbers have ten digits. My home phone is not unique to me, but my personal cell phone certainly is (and the work cell as well, though that may not be permanent). The privacy ship sailed long ago. Get used to people knowing whether you have on clean underwear (and what style, for that matter).

[ChadMacA]

Obviously I'm no math whiz, but how can there be more than 999,999,999 unique combinations using 9 digits?

[Michichael]

Chad: 10 different positions in the number, 10 (0-9) possible values for each position. 10^10 = 10,000,000,000

9 different positions in the number, 10 (0-9) possible values gives you: 9^10 = 3,486,784,401.

Now that's if we use a straight incremental system. The SSN system does not: see http://www.searchbug.com/peoplefinder/invalid-social-security-numbers.aspx for more info on SSN's.

[markFromTexas]

cougar888 & Michichael: you have that backwards, with nine digits it's not 9^10, it's 10^9. Think about smaller numbers, with one digit, you have 10 unique ids: 10^1, not 1^10. With 2 digits, you have 100 unique ids: 10^2, not 2^10.

[Michichael]

Mark, yeah. 10^10 is the same either way, but yeah. We had it backwards. I knew something seemed a bit funky about it for a sec there...

[FellowConspirator]

The foundation of information theory is that, given a stream of information sent through a channel, there's a measurable frequency with which the bits come through switched (1 becomes 0, or 0 becomes 1). If that probability is 0% OR 100%, the transmitted information can be recreated with 100% fidelity. If, however, the probability is 50%, you can never reproduce the original information.

The moral of the story: make sure that the information channel is as noisy and random as possible, and the ability to separate useful information from useless simply disappears. People should simply respond by taking steps to produce more noise.

[Been_there_Saw_it_before]

Noise is an old problem, recognized 100 years ago. Now we have check sums, parity bits, cyclic redundancy checks, error correcting codes, handshaking, store and forward but hold until you get an acknowledgement, and so on.

Sorry Mr. Conspirator, you data is going to be transmitted error free. It may take two or three attempts, but it will get through.

[sparrowhyperion]

Who knows. Maybe the sun will flare and send out a massive wave of magnetic energy, strong enough to fry every computer on the planet, no matter how well shielded... No, we don't get that lucky...

[Lerianis3]

That isn't lucky. That is stupidity coming from a stupid person who is 'afraid' of not being anonymous anymore, when the truth is that you NEVER REALLY WERE for the past 100 years or more.

[attack333]

10 digit individual IDs already exist and are known as EDIPIs (Electronic Data Interchange Personal Identifier).

For anyone who has been a member of the military or worked for DoD it's the identifier embedded in your CAC (Common Access Card). It's also your ID in the DEERS system. These IDs are assigned for life and can be looked up online provided you are on a Government workstation.

[Lerianis3]

Assigned for life? What if someone manages to 'counterfeit' that CAC card? No, I don't think that having them assigned for LIFE is a good idea, they should be ROTATED every so often to make some randomness to discourage counterfeiters.

[setjeff15081947]

"Can you say 'George Orwell'? I knew you could."

[Lerianis3]

I don't, because the HUGE FREAKING VOLUME of information out there, along with open wireless connections at homes, libraries, banks, etc....... is too much for ANYONE to be monitored well if at all.

[The_happy_switcher]

Theoooorgeeee Othweeeeell.

-Buckwheat

[libertyforall1776]

All interested in this topic need to watch the documentary America: Freedom to Fascism -- http://freedomtofascism.com

[eastmanweb]

Great article. Thanks.

[biffhenerson]

We would need a larger number as we wouldn't want to reuse the digits of a dead person so perhaps start with 10 digits and work our way up from there. However, if the number gets too long if will start to look trashy when tatooed above our eyes. Perhaps using a base(16) or base(36) "number" would help keep the length down. The government could also offer the purchase of certain cool numbers such as 777 if your lucky or 8675309 if your Jenny or even 666 if your evil.

[JasonHLS]

Great article, Ari. I agree with all of your points, but the issue with respect to healthcare is not as straight forward as it might seem. Yes, there is opportunity, but our existing concepts of data privacy and identity management are not able to strike the right balance between the benefits of attributable health information vs. the benefits of anonymity. I've written a more detailed response on my blog if you or others are interested: http://blogs.sas.com/hls/index.php?/archives/49-The-Death-of-John-Doe.html

Again, great article!

[shycelticwitch]

I find a rather intriguing set of responses here. I have no reservations about anyone knowing who I am, where I am or what I am doing at any given time. Probably because I have nothing to hide. Give me a number or a name, who cares as long as it's an identity. If you are afraid of government, then you have something to hide. As for an all agrarian society? Let's do it! The only people who would starve to death are those who never learned how to do anything for themselves. That particular group would most likely include those CEOs with the large bonus checks. Does that make me sad? NOT.

LOL

In a few years a great number of people in this world are going to have to learn to live a whole new way. THAT will be an interesting bit of history to watch unfold.

[gefitz]

Would you have reservations if you had no control or knowledge of those who know about you?

How about if I was hiring for a position as an accountant, and you were a finalist. Through various and sundry sources, I was able to pretty easily put together that you, over the past ten years, had filed 5 claims against your employers for issues varying from OSHA violations to harassment.

Do you think that would be a strike against you? Maybe. Do you think you would EVER know that I knew about the claims? Heck no, not in a million years. But the fact that I was able to gather that information at all and put a definite identity behind it WITHOUT YOU EVEN KNOWING ABOUT IT should make you at least wonder.

[Seaspray0]

We will be the borg? Are you sure you would want that?

[shycelticwitch]

First of all, you obviously did not read the entire post. I said I have nothing to hide. Which means I don't have ANYTHING to hide. I don't waste time filing stupid lawsuits, I don't do drugs, I lead a healthy life and I obey the laws. If they want to know what color underwear I have SO WHAT!? The people who are against information technology are the ones who have something to hide. And the biggest objections are coming from the upper floors of the corporate world. I was delighted to see that my local power company has been ordered by the government to disclose CEO salaries to the public... after raising rates by 12% just 2 months ago.

[i-arman]

shycelticwitch - everyone has something to hide. Or do you mind sharing your bank account number? I'll only need to know your date of birth, your mother's maiden name, and your first pet's name (or maybe the color of your first car).

What I want to hide isn't something illegal, or even something embarassing. It's my checkbook, my bank account, my computer password, my work ID and PIN. Even details I don't mind giving out to friends and family, I don't want the world knowing. Imagine if every telemarketer on the planet knew your home, work, and cell phone numbers? Or if every junk mailer knew your home address? Imagine getting swamped with thousands of junk mailings every day!

Or if that doesn't faze you, then how about the guy who wants to get a credit card, and happily attach the unpaid bill to your personal identification number? He's left with a new entertainment center, and you're left with an unpaid credit card bill that leaves you sunk in debt...

[shycelticwitch]

You are completely missing my point. In a few years there will be no privacy of any kind. I will be able to get your bank account info, credit card numbers and SS number with a few clicks of my mouse and a stolen credit card from somebody else. Not long after that, NONE of that information will be worth anything because our current financial system will have been replaced by a simple cash for goods and services. Why do I think this? It is a simple answer. Look at just the last few years. Millions of people have had their personal information stolen. Soon no one will completely own their own identity, UNLESS they eliminate all electronic traces of themselves. Don't think that could happen? Better come out of the dark ages. What goes up must come down. Technology has reached the point where it is uncontrollable.

[DevinCurrie]

@shycelticwitch: I suggest that you read Daniel J. Solove's report:
?I?ve Got Nothing to Hide? and Other Misunderstandings of Privacy

[tradejunky]

What if they don't hire you because of your feelings about CEO's?
Or, what if they don't hire you because they find out you're naive?

[chash360]

Privacy is an illusion (or delusion) purpetuated by the lack of perception to the contrary. Everything you do leaves some kind of evidence, of its occurance. This has been so since the beginning of time, it is only our awareness that has changed. I have nothing to hide, yet I do believe there are abusive laws out there that would give many justifiable reason to hide. I think that most concerns about privacy could be appeased, provided that people that truly are doing no intentional harm are simply left in peace, even if their private concerns are known. Nearly all real crimes can be summed up under the wording of the second amendment, to deprive someone of life, liberty or property without due process of law, is the essence of a crime. Victimless crimes are the begining of facism. The shear volume of information available out there on everyone, makes it difficult to actually track, to the level of detail described above, everyone. When it does occur, as I am certain it does, there is someone specifically doing it for a reason, and should they deprive you of life, liberty or property without due process of law, with the information they obtain, then they too can be tracked and convicted.

my socrates note ------ too many secrets

[siberianmetal]

People don't realize how important privacy is because we have been able to take it for granted. But without privacy, everything changes. To cite just one simple example, without privacy, you can't have a bank account. On a broader scale, a country without privacy is a country that is ready to be divided and conquered.

[fokkwp]

This isn't about small towns. Quite the opposite of a small town, where a) everyone knows everyone else and b) people interact with each other face-to-face in complex ways.

Instead, this is about a) a very small handful of people "knowing" a very large number of other people who do not know each other and b) interacting with them in remote, simplified, steretyping ways (eg, he's a terrorist; he's an ordinary guy).

[ronpadz]

It never ceases to amaze me how upset people get about the perceived new lack of privacy.
1. There's nothing new about people having the ability to find out information about you if they really want to.
2. You're paranoid. There are 7 billion people in the world. If there are indeed entities with the power to track your every move they will only do so only if you have given them a reason to (i.e. run afoul of the law). Then you deserve to be observed if not outright removed from society.
3. Most of the means of tracking mentioned in the article provide no connection back to a person's identity. A clever person MAY be able to track the whereabouts of cell phone ID 8223009685144478932 but connecting it to my name requires a completely different set of knowledge and connecting that to my identity (i.e. personal information such as SSN) is an even greater challenge.
4. There are many things you can do to minimize your exposure to an entity that wants to track you but those things require a partial withdrawal from the conveniences of modern society, the value of which usually outweigh the risk of exposure.

[pixelpusher220]

@ronpadz:
The issue is never what is illegal now. It's what the powers that be might decide to make illegal in the future. And how they could use 24/7 tracking to find someone and 'remove them from society' less for legal reasons but for the person being 'inconvenient' to the powers that be.
.
Is it paranoid? Not really, it's happened many times in history that over zealous police decide they don't like someone and make up a crime to detain them. At least then you have the made up crime to disprove and claim innocence. In these cases though, they change the law to label a persecuted group as criminals and make them disappear with no recourse. 'Enemy Combatants' come to mind. The last administration just made people disappear. No judge no jury. It's taken the rule of law to slowly start bringing justice back into the equation but it's an example of what could happen.

[HOWIE1947]

GEE I count 9 numbers in my social security number...daaaaaaaah

[Some_Crazy_Guy]

So.......if you use a VPN or something like Ultrasurf you're safe on a computer.... right? Regardless of what people's intentions are, it's just not a real comfortable feeling to know that you're being watched.... online or offline....

[BrainiacV]

We need more than 10 digits, there has to be some self checking properties to the numbers. Otherwise, that underpaid clerk mis-entering my number now has me tagged with the ID of an ax murder.

[jimmith]

www.privacymatter.nl

great documentary/animation about this very subject by XS4ALL (a large ISP in holland). also available with english subs at youtube

[freebird1974]

Big Brother is everywhere