by jsymolon 1606 days ago
> SSNs should be treated ...

As someone who dealt with identity theft, SSN should only be collected if contact with the SSA is needed. I.E. payment of social security benefits.

Any and ALL other "ID", nope. Use some other number.

4 comments

> As someone who dealt with identity theft, SSN should only be collected if contact with the SSA is needed.

You wanna tell that to phone carriers, internet service providers, electricity providers, and even water providers?

You are not legally required to provide your SSN to businesses or other entities, however, their policies may impact whether they choose to work with you.

So unfortunately... they will decline to do business with you if you decline to provide your SSN.

The only logical solution: Government needs to mandate a no SSN requirement and make it illegal to refuse service even if no SSN is provided.

I definitely agree, but in America it's impossible to be legally employed without your employer having your SS# on record.
Well, yes. Employers need to talk to the Social Security Administration regarding your social security withholdings...
It's also your tax ID, unless you've filed for a separate one. While the original intent may have been that the SSN would only be used for Social Security, by now various places are required by law to collect your SSN even if they have nothing to do with the Social Security Administration.

But that isn't even the real problem here. SSNs are an identifier (username). Merely knowing someone's SSN shouldn't grant you any extra privileges. It's not a secret—lots of people know it, and it isn't even hard to guess from age and birthplace—and yet people treat it as if it were something akin to a password, as if knowledge of a person's SSN were enough to establish identity. By this point in time we should very well know to use only zero-knowledge proofs for authentication and not even share the secret with the entity one is authenticating to, so they can't turn around and impersonate you to someone else.

The same goes for credit card and bank account numbers. As anyone you've ever paid with your card or by check has access to these they can't be considered particularly secret. The problem is that the system barely has any authentication built in. 4-digit PINs and hastily handwritten signatures only an expert can verify do not offer reasonable security. Chip cards are a bit better (non-clonable, require physical possession) but only work for in-person transactions.
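To make the "don't share the secret with the verifier" point above concrete, here is an added example (not code from the thread): a Schnorr identification protocol in plain Python. The prover keeps a secret x and publishes y = g^x, which plays the "identifier" role an SSN should have. Each login sends only a fresh commitment R and a response s tied to the verifier's random challenge c; the verifier can check the relation but never learns x, so it cannot reuse the session to impersonate the prover elsewhere. It also shows why a recorded transcript is worthless as a credential (anyone can forge one without x) and the one failure mode to watch for (reusing the nonce r leaks x). The 64-bit safe-prime group is an assumption made for demo speed; a real deployment would use a standard MODP group or an elliptic curve.

```python
import secrets

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin; with these fixed bases it is deterministic below 3.3e24."""
    if n < 2:
        return False
    for sp in _SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, rounds = n - 1, 0
    while d % 2 == 0:
        d //= 2
        rounds += 1
    for a in _SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(rounds - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def find_safe_prime(bits: int = 64) -> int:
    """First safe prime p = 2q + 1 (q prime) above a fixed odd start: demo-sized group."""
    q = (1 << (bits - 2)) | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1


def make_group(bits: int = 64):
    """(p, q, g): g = 4 is a square mod p, so it generates the prime-order-q subgroup."""
    p = find_safe_prime(bits)
    return p, (p - 1) // 2, 4


class Prover:
    """Holds the secret x. Sends only g^r and r + c*x (mod q); x never leaves."""

    def __init__(self, group, x=None):
        self.p, self.q, self.g = group
        self.x = x if x is not None else secrets.randbelow(self.q - 1) + 1
        self.public = pow(self.g, self.x, self.p)  # the identifier: safe to publish
        self._r = None

    def commit(self) -> int:
        self._r = secrets.randbelow(self.q - 1) + 1
        return pow(self.g, self._r, self.p)

    def respond(self, c: int) -> int:
        s = (self._r + c * self.x) % self.q
        self._r = None  # one nonce per session; reuse leaks x (see nonce_reuse_leak)
        return s


class Verifier:
    """Knows only y = g^x. Accepts iff g^s == R * y^c (mod p)."""

    def __init__(self, group):
        self.p, self.q, self.g = group

    def challenge(self) -> int:
        return secrets.randbelow(self.q)

    def verify(self, y: int, R: int, c: int, s: int) -> bool:
        return pow(self.g, s, self.p) == (R * pow(y, c, self.p)) % self.p


def run_protocol(prover: Prover, verifier: Verifier):
    """One honest session: commit, challenge, respond. Returns (accepted, transcript)."""
    R = prover.commit()
    c = verifier.challenge()
    s = prover.respond(c)
    return verifier.verify(prover.public, R, c, s), (R, c, s)


def replay_attack(verifier: Verifier, y: int, transcript) -> bool:
    """A verifier that recorded (R, c, s) tries to reuse it against a fresh challenge."""
    R, c, s = transcript
    return verifier.verify(y, R, (c + 1) % verifier.q, s)  # any c' != c


def simulate_transcript(verifier: Verifier, y: int):
    """Forge an accepting (R, c, s) without x: pick c and s first, solve R = g^s * y^-c.
    Transcripts carry no proof of knowledge, so recording one gains an attacker nothing."""
    p, q, g = verifier.p, verifier.q, verifier.g
    c, s = secrets.randbelow(q), secrets.randbelow(q)
    R = (pow(g, s, p) * pow(pow(y, -1, p), c, p)) % p
    return R, c, s


def nonce_reuse_leak(group):
    """Failure mode: two responses with the same r let anyone compute
    x = (s1 - s2) / (c1 - c2) mod q. Returns (recovered_x, real_x)."""
    q = group[1]
    prover = Prover(group)
    prover.commit()
    r = prover._r  # deliberately reuse the nonce (constructed misuse)
    c1, c2 = 12345, 67890
    s1 = prover.respond(c1)
    prover._r = r
    s2 = prover.respond(c2)
    recovered = ((s1 - s2) * pow((c1 - c2) % q, -1, q)) % q
    return recovered, prover.x
```

A single run looks like `ok, transcript = run_protocol(Prover(G), Verifier(G))` with `G = make_group()`; the verifier stores only `prover.public`, so a breach of its database exposes identifiers, not credentials, which is exactly the property an SSN-as-password scheme lacks. The challenge is drawn fresh by the verifier each time, so neither a recorded transcript nor a forged one lets a third party log in.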

You say things that are true, and yet they are inconsistent with existing practice. Is there a word for this?
"I'm sorry, we can't put you in the system without it... it won't let us"...

I always omit SSN, but often can't get away with it.

My dentist said I couldn't leave the SSN field blank so I filled in 867-53-0909.
It always surprises me how many signup forms on the web require a phone number but still accept a "555" prefix :) If you're not familiar: https://en.wikipedia.org/wiki/555_(telephone_number)