[lxgr]

Fuzzy primary keys might have been a deterrent in the past century, but I seriously doubt that they'd stop anyone today from creating detailed user profiles. Not having reliable primary keys is a technical non-solution for a regulatory problem.

The much more effective solution here is to regulate businesses in when they can request/use somebody's primary key and/or other PII, and to simply not allow it in any case where a pseudonymous identifier or partial information (e.g. only somebody's approximate age rather than their full date of birth) would do just as well.

[usr1106]

I live in a country where a unique identify number exists (social security number). People that understand something about information security would know that knowledge of a primary key is not authentication. It has not deterred the government or the courts to accept that knowledge of the social security number makes any contract valid. Example: If someone takes a loan with your number, you pay it back. You could argue that's not the fault of they key, that's the fault of the government and the courts. I have seen so much stupidity here that I am convinced that the traditional West German standpoint that a unique identifier violates human dignity makes sense. That Germany forgets their history is a pity.

[lxgr]

So your actual objection to SSN-like numbers isn’t that they’re bad for privacy but rather that they’re a poor bearer token authentication mechanism? I think nobody was ever arguing that.

And Germans arguably aren’t “forgetting their history”, they are just regulating to achieve desired outcomes (no government and corporate privacy invasion; strong authentication where necessary), not mechanisms (no unique identifiers).

Times and technology change, so why uphold an old (interpretation of) law that is neither necessary nor sufficient to achieve the desired outcome in the present day?