by logfromblammo 3212 days ago
I recently encountered an advertisement advising people to keep their Medicare card number secret.

So if the SSN stops being considered as a combination identifier/authenticator, other government agencies stand eager and ready to plunge headlong into the same mistake.

The way around it is to pass a law that requires government agents and agencies to consider identifiers to be public, and authenticators to be secret, and that nothing can ever be both. The government could require itself to publish indexes of names to SSNs and SSNs to names, such that no stretch of anyone's imagination would ever generate a presumption that knowing the number proves you are the person to whom it is assigned.

The ridiculous assumptions made in the credit and credit reporting industry that are held out to be reasonable should never be allowed to hold up in court.

1 comments

Is the problem really government agencies or the many companies which tried to cut costs by misusing an identifier as an authentication secret? The law you propose seems like it would have no effect whatsoever unless it applied to the private companies which created and perpetuate this problem.
If SSN didn't exist then some equivalent (perhaps driver's license number and state? that would be convenient for non-drivers!) would be used, because the problem is actually at a different level. The way the laws governing banks and the credit industry are structured, it's possible to be on the hook for debt without a reliable proof of having agreed to that debt. If the laws changed to require that proof (e.g. creditors must have a video of the debtor stating "I am Alice Smith my birthday is July 1 1970 I live at 123 Main St in Springfield and I agree to pay $100 on or before January 1" or something similarly difficult to fake at scale), nobody would care about SSNs anymore. Of course that would introduce friction to the process, but with consumer debt at its current levels maybe that would be a good thing?
The point is that SSNs are perfectly good for what they were designed for. The problem arose when companies decided to treat a username as a password but weren't forced to absorb the cost of their negligence.
The point is these private companies are loath to do anything that makes fraud harder or takes liability off the victims, so yes, making laws is not only helpful, it's the only thing that will ever work.