The kennitala — Iceland’s personal identification number — has been getting a bad rap lately.
Persónuvernd (the Icelandic Data Protection Authority) suggested late in 2004 that Icelandic kennitölur are too often used and too easily accessible.
Persónuvernd proposed that Icelanders instead carry multiple ID numbers, each for use in a different context. *1
Oddur Benediktsson, professor of computer science at the University of Iceland and member of the group Mannvernd, is the latest critic. In June 2005, Oddur sent a letter to the Icelandic constitutional revision committee suggesting that the use of the kennitala outside the national registry and the health system should be forbidden, and that public access to the national registry should be closed. Oddur worried that Iceland’s “overuse” of the kennitala could put Icelanders in danger of sinister actions akin to the Nazi use of punch cards to tabulate information on Jews. *2 (Mannvernd is an organization whose main activity has been to draw attention to the separate and very important question of whether Icelanders’ medical records should be used in research studies without their consent.)
My guess is that Persónuvernd and Mannvernd are acting with good intentions in what they believe to be the public interest. But they have misunderstood the nature of the kennitala.In fact, it is the very openness of the kennitala system that contributes to Iceland’s high degree of identity security. Iceland’s kennitala system is far from a problem. It is a strength. It is a model that other countries should consider following — Britain and America in particular.
Here’s Why the System Works So Well
Everyone has one.
No one who lives here can claim that they don’t have a kennitala.
The link between your name and your kennitala is publicly accessible.
The þjóðskrá, or national registry, is still public. Well, not completely public — but anyone with Internet access to their Icelandic bank account, which means the majority of Icelandic adults, can search the þjóðskrá on the Internet. The search feature works in two ways. You can find the kennitala that corresponds to any person’s name, or the name that corresponds to any kennitala. The results pages also list the street address of the person involved.
Any official act or transaction in Iceland results in a letter being sent to the address listed in the þjóðskrá.
Open a bank account, for example, and you will get a letter in the mail about it. If someone tries to open a bank account or take out a credit card in your name, there is no way that you will not find out about it — unless they managed to change your address as well.
You control your address.
You can change the address listed for you in the þjóðskrá, and indeed you are supposed to change it when you move. This is perhaps the weakest link in the system: I don’t think I have been asked to prove my identity when I have submitted a change of address form to the þjóðskrá office. However, even if someone did change your address without your permission, you would soon notice that you weren’t receiving official mail, and could instantly see in the þjóðskrá what your address had been changed to.
What the kennitala really is is an alternative name.
When Icelanders rarely left their farms and knew everyone they saw, names were enough to label each person uniquely. But now it is much more handy for everyone to bear a label that, one can be sure, will not be confused with anyone else’s. Hence the kennitala, which also has the advantage of a predictable length, useful for form and database designers.
Just as we can call an Icelandic woman Margrét or Magga, or a British man John or Mr. Smith, in Iceland we use names in some contexts (friendship, newspaper reporting) and kennitölur in other contexts (the video store, newspaper subscriptions). Linguists call this a difference in register. Aside from the difference in register and the fact that the kennitala is made up of numbers instead of words, referring to yourself by kennitala is really no different from referring to yourself by name. It need not have any greater “Big Brother” connotations. And the þjóðskrá is nothing more than a tool that allows people to convert back and forth between the labels for the same person in the two different registers.
Blame the Database Manager, Not the Kennitala
Some people argue against the kennitala system by saying “Well, there’s this person who doesn’t like me, and they could go to the video store, and take out a video using my kennitala, and never return it, and I’d get hit with the overdue charges.” (Video stores routinely ask for a customer’s kennitala, but the transaction is not substantial enough to result in a letter of confirmation being sent to the renter’s home address.) Another commonly heard argument is that someone could use your kennitala to look up your private medical records.
But the problem in these and other similar contexts is identity confirmation and database security procedures, not the kennitala system. Someone could just as easily take out a video in your name, or use your name to look up your private medical records. If we need to guard against identity fraud in video stores, a better strategy would be to make video stores require photo identification from all renters. Forcing video stores to use names instead of kennitölur would actually make things worse, because it would complicate the process of unique identification without reducing the possibility of fraud.
The Birthday Problem
There is one truly controversial and problematic aspect to the Icelandic kennitala. The first six digits (as well as the final digit) of the kennitala reflect the holder’s birthdate. Using the birthdate to form the kennitala is not essential for the purpose of identifying people uniquely.
There are advantages to having the birthdate in the kennitala. It reduces mistakes, helps make the distinction between personal and corporate ID
numbers obvious, and makes the kennitala easier to remember (psychologists have shown that we memorize identification labels more easily when they are meaningful *3). The disadvantage of having the birthdate in the kennitala is that it forces people to reveal their birthdates even if they do not want to.
The kennitala’s form could easily be more arbitrary, and Liberal Party MP Sigurjón Þórðarson proposed in March 2004 that people should be given the choice of having a kennitala which does not disclose their birthdate. *4 However, Iceland is far from unique in encoding personal information in its identification numbers. The issue boils down to a judgement about delicacy and vanity, and whether Icelanders, collectively, are comfortable with birthdays being public information. In some other cultures, older women in particular regard their age as a private matter. Another concern is that forcing people to reveal their birthdays might promote age discrimination in job hiring.
The Kennitala in Icelandic law
Iceland has a law (2000/77) that specifies how the kennitala may be used. It restricts usage to contexts in which the kennitala is necessary to ensure certain personal reference. The law charges Persónuvernd (a valuable and important institution with many other roles) with standing guard over proper use of the kennitala.
The law is open to interpretation, and Persónuvernd has interpreted it strictly. Persónuvernd has spoken out against the use of the kennitala in cases where it judged name and address to be a sufficient means of identification. One case, closed in March 2005, involved a person who returned a book to a bookstore but did not have the original receipt. The store clerk accepted the return, but asked for the person’s name and kennitala. The customer complained to Persónuvernd, whose response conveys the clear opinion that the customer’s name was sufficient identifying information and that the store’s request for the kennitala was unnecessary. *5
To me, Persónuvernd interprets the law too strictly, and takes an unfortunate step in the American direction. I would suggest that kennitala usage should be routinely encouraged in any context in which it makes a personal identification more secure. Persónuvernd’s approach sanctions people for failing to ponder whether they could make do with just name and address. The only convincing argument I see for Persónuvernd’s position is that it protects people from having to disclose their birthdates. If the form of the kennitala were changed, Persónuvernd’s reasoning would cease to hold any water for me at all.
Open Registries Are More Secure
The country with a real personal identification number problem is the United States. Identity theft is a huge problem in America. The Federal Trade Commission was notified of 542,000 cases of identity theft in 2003 and 635,000 cases in 2004. *6 The city of Chicago’s police department has twenty detectives on staff just to handle identity theft cases.
Why is identity theft such a problem in America? Largely because the United States does not have a publicly accessible national registry. If you take out a mortgage in Iceland, you will receive mail about it from the bank and the tax office at the address listed for you in the þjóðskrá. But in America — where there is no national registry — if a person gives you a name, social security number, and home address, there is no way to be sure that they really go together, and that mail to that home address will really reach the bearer of that social security number. Private companies in America maintain identity databases and sell identity verification services, but using them costs money, and one has only their word that their data is correct. Since verification isn’t reliable, people often don’t bother to check.
So if an American identity thief uses someone’s social security number to get a credit card, and puts a fake address on the application, there is no guarantee that the victim will find out anytime soon. Sometimes it takes years for American victims of identity theft to learn about car loans and mortgages that have been taken out in their name. *7
To make things worse, in America, one normally has to list one’s social security number on bank account and membership applications. It is then up to the bank or institution to try to verify that you are who you say you are, or not. But once you have an account with an American bank, if you call their telephone service line, simply being able to state your address and social security number correctly over the phone is often taken as at least partial confirmation of your identity.
Since simple knowledge of one’s social security number helps constitute proof of identity in America, and since institutions are not always careful about verifying customer details, Americans tend to keep their social security number secret. Social security numbers belong to the private sphere in America (just like one’s PIN number for the cash machine) rather than the public sphere (like one’s home address). Americans think of their social security number as a secret code rather than as a name. This makes them afraid to use it to identify themselves. News media articles in America routinely warn people not to give out their social security number unless they are required to do so by law.
The American consumer experience is full of trivial confrontations between sales clerks (asking for information) and customers (invoking nineteenth-century frontier libertarianism to say that it’s none of their business). The American reluctance to divulge information verges on downright paranoia. It colours daily life and hinders basic transactions. And despite it all, there is still really no way in America to assure someone that you are who you say you are.
Where else besides America is identity theft also a problem? Britain. Why? Because it has also resisted instituting a national registry. The Anglo-Saxon libertarian tradition makes Americans instinctively reject the idea of a national registry, even though it would now probably have more pluses than minuses.
The Kennitala Ain’t Broke, So Don’t Fix It
Do we want Iceland to be like this? Of course not. If, like America, Iceland shut down access to the þjóðskrá and moved personal identification numbers into the private sphere, it would make our problems worse, not better. After all, it is exactly the privateness of the American social security number that makes it valuable to identity thieves. There is very little identity theft in Iceland. In order to keep it that way, we must not use America as a model for personal identification number design. We must make sure to keep the kennitala public.
It sometimes seems that everyone considers him/herself an expert on the kennitala (just because we all know what it’s like to have one). As a result, few of the journalists who write about personal identification issues have any real expertise with them. But there is actually a community of scholars who study this stuff. I’m not an expert on personal identification numbers specifically. But I did recently write a doctoral dissertation about the design of labeling systems. I know just enough about the personal identification number field to recommend that anyone interested in learning more start with the Roger Clarke’s website at the Australian National University. *8
Ultimately, concerns with the overuse of the kennitala system are about as rational as fears of the Year 2000 computer bug: they are driven by primitive myths rather than solid facts and research. Paradoxically, the more open the kennitala system, the harder it is to compromise it. Icelanders’ casual attitude towards giving out their kennitala is not a problem to be fixed: rather it’s a sign of strength and sensible planning. However the birthday debate is resolved, Iceland has reason to be proud of its people-numbering scheme. The real threat to Icelanders’ privacy is not the kennitala system, but uncritical alarmism about it.
See Benton J. Underwood and Rudolph W. Schulz, Meaningfulness and verbal learning (Chicago: Lippincott, 1960).
Tom Zeller, “For Victims, Repairing ID Theft Can Be Grueling,” New York Times, 1 October 2005.