[mfoy_]

It is, and is related to some of the discussion in the main Equifax hack threads.

The idea is that this information shouldn't be so sensitive because it isn't really secret in the first place. It also cannot be changed, so it doesn't really meet any reasonable criteria for authenticating information.

To quote the relevant top-level comment I had in mind:

>mikeash 2 hours ago [-]

>If we're lucky, this will be the best leak of personal info ever. The primacy of the SSN in American society is idiotic. It's a "secret" that you have to hand out to dozens of different organizations. I've long thought that we should phase this out by committing to publish all SSNs (and the associated info, obviously, so it's not just a list of most 9-digit numbers...) which would force all these companies to stop treating it as confidential. The system is dumb and works poorly, but worked will enough that there was no impetus to fix it. Some people got affected by breaches, and it sucked for them, but it was always a small enough group that most people didn't care. Now that a majority of people's "secret" info is no longer confidential, maybe they'll realize they can't rely on it anymore. OK, the odds of this actually coming to pass are not great. But I can hope.

[logfromblammo]

I recently encountered an advertisement advising people to keep their Medicare card number secret.

So if the SSN stops being considered as a combination identifier/authenticator, other government agencies stand eager and ready to plunge headlong into the same mistake.

The way around it is to pass a law that requires government agents and agencies to consider identifiers to be public, and authenticators to be secret, and that nothing can ever be both. The government could require itself to publish indexes of names to SSNs and SSNs to names, such that no stretch of anyone's imagination would ever generate a presumption that knowing the number proves you are the person to whom it is assigned.

The ridiculous assumptions made in the credit and credit reporting industry that are held out to be reasonable should never be allowed to hold up in court.

[acdha]

Is the problem really government agencies or the many companies which tried to cut costs by misusing an identifier as an authentication secret? The law you propose seems like it would have no effect whatsoever unless it applied to the private companies which created and perpetuate this problem.

[jessaustin]

If SSN didn't exist then some equivalent (perhaps driver's license number and state? that would be convenient for non-drivers!) would be used, because the problem is actually at a different level. The way the laws governing banks and the credit industry are structured, it's possible to be on the hook for debt without a reliable proof of having agreed to that debt. If the laws changed to require that proof (e.g. creditors must have a video of the debtor stating "I am Alice Smith my birthday is July 1 1970 I live at 123 Main St in Springfield and I agree to pay $100 on or before January 1" or something similarly difficult to fake at scale), nobody would care about SSNs anymore. Of course that would introduce friction to the process, but with consumer debt at its current levels maybe that would be a good thing?

[acdha]

The point is that SSNs are perfectly good for what they were designed for. The problem arose when companies decided to treat a username as a password but weren't forced to absorb the cost of their negligence.

[bithive123]

The point is these private companies are loathe to do anything that makes fraud harder or takes liability off the victims so yes, making laws is not only helpful it's the only thing that will ever work.

[sillysaurus3]

CGP has a good video on this: https://www.youtube.com/watch?v=Erp8IAUouus

[dboreham]

Also note that other countries don't have this insanity.

[smnrchrds]

Canada does unfortunately. It's called a Social Insurance Number (SIN) or Numéro d'assurance sociale (NAS) but other than the name, it is mostly the same. And Canada is on the list of the countries suffering from the breach. This should be interesting.

[mfoy_]

Indeed. I wanted to see if I was on the list, but the site they set up to check looked pretty sketchy.

They've clearly demonstrated I shouldn't trust them with my SIN (not that I ever willingly did in the first place!) so why should I enter it again? Into a different domain, no less?!

[gbarc888]

Which countries do you mean? How do they manage their credit scores?

[jstarfish]

Using much more nebulous and unreliable forms of PII as identifiers, in my experience, which leads to situations where you could query someone's report if you know their name and street address.

[gbarc888]

Well that sounds just as bad...