Comment by NoMoreNicksLeft

1 year ago

Can't the SSA just issue 330 million new social security numbers, and tell people to be more careful with them from this point forward?

The SSA specifically told people not to misuse SSNs this way and it seems like a poor use of taxpayer funding to spend billions bailing out businesses’ bad decisions, even if that was legal (Congress would have to specifically authorize it), since we’d be back to the same problem within five years.

If we were going to do something, we’d make government ID include an NFC token for PKI purposes since public keys can’t be compromised in the same way, but nobody is jumping to pay for that, especially in a country where you have so many people prone to wild conspiracy theories (I am especially amazed by the guys who freak about a national ID as big brother but never say a word about the credit reporting industry) and the enduring “Mark of The Beast” religious fears.

  • > If we were going to do something, we’d make government ID include an NFC token for PKI purposes

    Another alternative would be to go the other way: Pass a law prohibiting the use of social security numbers for any purpose other than social security. Don't provide any globally unique identifier for companies to use.

    Instead each institution would issue their own identifier which would have no value outside of that institution. If they get breached or you lose your ID, they mail a new one to the address they have on file or some similar recovery method and you don't have to worry about someone using your ID somewhere else because the breached one gets disabled and you get a replacement.

    The obvious advantage here is that companies can't use it to correlate your activity across institutions without your knowledge or consent.

  • > If we were going to do something, we’d make government ID include an NFC token for PKI purposes since public keys can’t be compromised in the same way, but nobody is jumping to pay for that, especially in a country where you have so many people prone to wild conspiracy theories (I am especially amazed by the guys who freak about a national ID as big brother but never say a word about the credit reporting industry) and the enduring “Mark of The Beast” religious fears.

    Login.gov gets us pretty far until NFC can get baked into credentials. Would love to see passport cards evolve into this [2], but again, lots of work and political will to make that happen. In the meantime, remote and in person proofing to bind IRL gov credentials to digital identity must do.

    (As of December 31, 2023, over 111 million people have signed up to use Login.gov to date, with over 324 million sign-ins in 2023; this is ~1/3rd US population; no affiliation)

    [1] https://login.gov/

    [2] https://travel.state.gov/content/travel/en/passports/need-pa...

    • I still don't get why people are calling these "religious fears". The parable from the book is because the problem is very old, but the problem is exactly the same as it ever was: If a central authority gives everyone a serial number then it will be used to track them by powerful institutions, which is a tool of oppression. This is the massive mistake we made with social security numbers, and their inherent insecurity is actually mitigating the damage there because it makes people much more hesitant to divulge it.

      You do not want to make it easier for every carnivorous for-profit corporation and wannabe apparatchik to pressure every citizen to cough up an identifier that can be used to track their every move.


    • The problem with login.gov is that nobody can use it outside of the US government. I can't use my login.gov account to attest my identity to my bank.

      So my bank will continue to use my SSN as proof of identity for loans.


    • Yeah, I love login.gov and especially how they embraced things like WebAuthn faster than entire industries like finance but I can only imagine how much screaming there would be if usage became a requirement outside of government.

  • Painting those of us concerned with privacy as "people prone to wild conspiracy theories" is a very bad faith take.

    Please do not give the government any more power over me than they already have, thanks.

    • > Painting those of us concerned with privacy as "people prone to wild conspiracy theories" is a very bad faith take.

      Fortunately that’s not what I’m doing. I suggest reading more carefully and trying to come up with a scenario where the government having standard identifiers meaningfully harms your privacy but a mess of identifiers and a huge private industry linking them does not.

The SSA has shown absolutely no urgency on this issue. Their existing policy is that having your SSN compromised is not enough to issue a new number. You have to actually be a victim of a financial or identity crime that abused your SSN for them to consider a new number. In reality what they should be doing is giving everyone accounts that can generate tokens for use with each transaction, to maintain a trail of where leaks originate and also to expire these temporary tokens. Instead they’ve stuck to this archaic system.

  • They can't issue new numbers in bulk without revamping the system because they'd run out. The urgent fix wouldn't work.

    If the system needs to be revamped, then step one should be pressure/force so that companies stop treating the numbers as secret. And if we do that we don't need new numbers anymore.
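The per-transaction token scheme sketched in the comment above, as an added example that is not part of this thread or of any real SSA system: a hypothetical TokenIssuer binds each token to one relying party and an expiry with an HMAC, and keeps a record so a leaked token can be traced back to the party it was issued to and revoked. The class name, relying-party names and master key are all constructed for illustration.

```python
import hashlib
import hmac
import secrets


class TokenIssuer:
    """Hypothetical issuer modelling the per-transaction tokens proposed in the thread.

    Each token is bound to one relying party and one expiry, so a copy leaked by
    that party is useless elsewhere, and the issuer can see where it came from.
    """

    def __init__(self, master_key: bytes):
        self._key = master_key
        self._records = {}  # token_id -> {"person", "rp", "expires_at", "revoked"}

    def _tag(self, token_id: str, rp: str, expires_at: int) -> str:
        msg = f"{token_id}|{rp}|{expires_at}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:32]

    def issue(self, person: str, rp: str, now: int, ttl: int) -> str:
        """Mint a token for `person` to present to relying party `rp`."""
        token_id = secrets.token_hex(8)
        expires_at = now + ttl
        self._records[token_id] = {"person": person, "rp": rp,
                                   "expires_at": expires_at, "revoked": False}
        return f"{token_id}.{expires_at}.{self._tag(token_id, rp, expires_at)}"

    def verify(self, token: str, rp: str, now: int):
        """Return the person id if `token` is valid for `rp` at time `now`, else None."""
        try:
            token_id, exp_str, tag = token.split(".")
            expires_at = int(exp_str)
        except ValueError:
            return None  # malformed token
        # Constant-time compare: a tag minted for another party, or with a
        # tampered expiry, will not match.
        if not hmac.compare_digest(tag, self._tag(token_id, rp, expires_at)):
            return None
        rec = self._records.get(token_id)
        if rec is None or rec["revoked"] or now >= expires_at:
            return None
        return rec["person"]

    def trace_leak(self, token: str):
        """Report which relying party a leaked token was issued to and revoke it."""
        rec = self._records.get(token.split(".")[0])
        if rec is None:
            return None
        rec["revoked"] = True
        return rec["rp"]
```

A token found in a breach dump is looked up with trace_leak, which names the institution that lost it and disables only that token, leaving the person's other tokens untouched.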