ID fields defined as just a String32 is insufficient

[TomNUSDS]

Problem: This specification (and the CSV spec) simply define IDs as "up to 32 character strings".

This is problematic because:

1. ID collisions across systems if an auto-incrementing database ID are used. "Collisions" here mean two rows could end up with the same ID if data is pushed from two different systems.
   
   
2. Some systems may decided to put PII into the IDs (like "LastName SS#") since there's no guidance NOT to do this. This will likely leak PII into logs since API requests put IDs into the URLs.

Proposal:

1. Define the ID to be a UUID. Without the - characters, it is exactly 32 characters long (128 bits).
   
   
2. Possibly add an opaque "ExternalID" field to all individual models that have an ID. This is like a cookie and can be used by syncing to re-associate data.

Issues with this proposal:

• Existing data may already have IDs, remapping them is problematic. (ExternalID may help here)

NOTES

• Client ID is probably a unique case. See #26

[TomNUSDS]

Closing #26 is a more detailed feature request.

[TomNUSDS]

Oh, but it might apply to OTHER ID fields, so going to reopen and rework the title/description.