AT&T Got Hacked, Again.
The latest data breach from AT&T is a perfect illustration of how our lack of digital infrastructure creates intractable problems.
I don’t normally laugh out loud at tweets, at least not literally, but this one by Joe Stocker really got me:
It’s a perfect illustration of an issue I’ve been talking about for a while: our lack of digital infrastructure creates intractable problems for everyone.
In this case, the issue at hand is a recent data breach at AT&T. About 51 million people had their personal information stolen, apparently all the way back in 2021 (AT&T tried to avoid responsibility for several years). According to Joe, AT&T responded by asking people to verify their identities using the same information that was stolen. It doesn’t take a genius to figure out why this is a bad idea.
To be fair to AT&T though, they’re in a tough spot. A tough spot of their own making, but a tough spot nonetheless. After the breach AT&T took the (appropriate) step of resetting affected customer passcodes, so that hackers couldn’t use compromised credentials to gain access to accounts. This is a good idea, but it raises the question: how do you provide a secure way to identify 51 MILLION people so they can reset their accounts, especially when their personal information has just been compromised? You could send them to physical stores, but that many people would be overwhelming to store clerks. At this scale the only feasible path is to conduct the reset process online. Unfortunately, this requires identifying people at a distance over the internet, and the US has no infrastructure to support this.
Identifying people is a fundamentally public endeavor. Your identity is primarily defined, for most purposes, by documents that the government grants you. Your social security number, driver’s license, birth certificate, and most other credentials that allow you to prove your identity are all granted by various levels of government. Unfortunately, our government has long ignored the important work of transitioning these systems into the digital age.
This is why AT&T finds itself in a nearly impossible bind: conducting in-person identity verification at scale is not feasible for private sector actors, but identifying people over the internet would require that they have some form of ID that can be securely verified online. We do not have this, and it creates problems for every level of our society. We sometimes try to circumvent this by taking pictures of physical IDs, but especially in the age of AI this is laughably easy to fake. We could try to do video calls, but that runs into the same scaling issue as in-person interactions (try to schedule 51 million Zoom calls and see what chaos ensues).
The Solution: Digital Native Credentials
What we need are versions of our identifying documents that are built from the ground up for the digital world. I refer to these as “Digital Native Credentials”. Digital Native Credentials differ from traditional physical credentials in a few important ways:
They can leverage cryptography to enhance security. This allows them to be verified as authentic over the internet, provided some necessary infrastructure is in place.
They can be composable, meaning multiple documents can be combined into one in order to prove complex things about their subjects.
They can be selectively disclosed, meaning that individual elements of the document could be shared without disclosing anything else (think, for example, showing only the birthday on your driver’s license).
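To make the first and third of these properties concrete, here is an added example (mine, not the author’s) of a credential that can be verified cryptographically over the internet and selectively disclosed: the issuer signs a salted hash commitment to each attribute, the holder reveals only the birthday and its salt, and a verifier checks the issuer’s signature plus that one commitment without learning anything else. It assumes Go’s standard-library Ed25519 and SHA-256 and uses constructed sample attributes; real Mobile Driver’s License deployments use standardized, more elaborate schemes built on the same idea.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Credential holds one salted hash (commitment) per attribute plus an Ed25519 signature over all of them; no values.
type Credential struct {
	Commitments [][]byte
	Signature   []byte
}

// commit hashes name, value and a random salt (NUL-separated) so the commitment alone reveals nothing about the value.
func commit(name, value string, salt []byte) []byte {
	sum := sha256.Sum256(append([]byte(name+"\x00"+value+"\x00"), salt...))
	return sum[:]
}

// Issue signs a credential over attrs and returns the per-attribute salts, which the holder keeps private.
func Issue(priv ed25519.PrivateKey, attrs map[string]string) (Credential, map[string][]byte, error) {
	cred, salts := Credential{}, make(map[string][]byte, len(attrs))
	for name, value := range attrs {
		salt := make([]byte, 16)
		if _, err := rand.Read(salt); err != nil {
			return Credential{}, nil, err
		}
		salts[name] = salt
		cred.Commitments = append(cred.Commitments, commit(name, value, salt))
	}
	// Commitments are fixed-length digests, so concatenating them for signing is unambiguous.
	cred.Signature = ed25519.Sign(priv, bytes.Join(cred.Commitments, nil))
	return cred, salts, nil
}

// Verify accepts one disclosed attribute only if the issuer's signature is valid and (name, value, salt) recomputes to a member.
func Verify(pub ed25519.PublicKey, cred Credential, name, value string, salt []byte) bool {
	if !ed25519.Verify(pub, bytes.Join(cred.Commitments, nil), cred.Signature) {
		return false
	}
	want := commit(name, value, salt)
	for _, c := range cred.Commitments {
		if bytes.Equal(c, want) {
			return true
		}
	}
	return false
}
```

Because the verifier only ever sees the commitments and the one disclosed (value, salt) pair, a tampered birthday, a wrong salt, a modified commitment set, or a different issuer key all fail the check.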
There are a bunch of other benefits, but going into them would require a MUCH longer post. The point is that Digital Native Credentials would solve the issue of identifying people online. There are some efforts to move in this direction, most notably the Mobile Driver’s Licenses that many states are piloting, but this effort is both late and too limited. What we need is wholesale digital transformation of our identity systems. Until we get to that point, we’re going to be stuck giving AT&T the same information it just leaked.
If you liked this post, consider subscribing! I’m a Software Engineer and former Congressional Policy Advisor on Trade and Technology issues, and I blog about a variety of topics including international trade, privacy, digital transformation, and more.