Critical Social Infrastructure: Responding to Attacks on National ID Systems

Short thesis

Design vulnerabilities, inadequate security measures, targeted attacks, and flawed engineering have compromised some of the most sensitive national databases from the US to India, Estonia and South Korea. In this session, panelists will reframe personal data such as national ID numbers and biometric records as a form of critical social infrastructure; in doing so we will discuss what failure of these systems, and accountability, mean at a public and national scale, as well as at the human level.


Over the last year, the world has witnessed a series of security breaches that have compromised massive repositories of personal information: the Equifax hack that compromised the should-be-secret social security numbers of over 140 million Americans; a breach of India’s Aadhaar biometric ID database of 1.2 billion citizens; the hack of the South Korean ID database; the 2015 US Office of Personnel Management hack; the effects of WannaCry on the British National Health Service; and vulnerabilities in Estonia’s ID chip card. And there is no guarantee there won’t be more in the future.

The breaches and hacks of these databases tend to be discussed in terms of their implications for personal privacy and cybersecurity, since data is viewed as a commodity to be bought and sold. Many of these databases are in fact public assets. How does the notion of ‘critical infrastructure’ scale beyond physical assets like bridges and roads or water supply systems? How do we rethink design, ownership, liability and security when large national databases are viewed as critical social and public infrastructure?

As a national ID number is used to access a variety of services, we seek to show how this layer of ‘social infrastructure’ creates challenges for a variety of industries and for social and public systems. We will parse tensions - and competing interests - at different levels of the infrastructure stack. Panelists will map the technical, social and personal impacts of database compromise, and in doing so will look at the role of various stakeholders and response strategies, as well as address what governments and individuals can do to take preemptive security measures. As these systems do not offer citizens a way to ‘opt-out’, the discussion will take up philosophical notions of privacy and security, and try to rethink ethics and accountability in these contexts. The panel will also assess the new challenges these large hacks pose for digital security trainings and infosec best practices at the individual and organizational level, given the increasingly asymmetrical power dynamics between citizens, states, corporations, and large digital artifacts like databases.