Shostack + Friends Blog Archive


Publishing a List of SSNs Will Not Fix Anything

Pete Lindstrom suggests:

My proposal: List SSNs publicly. The Social Security Agency can notify all of its intent to publish all SSNs at some point in the future – enough time for organizations to absorb and react to this news.

The net result is to eliminate the notion that perhaps SSNs are “secure enough” for some purposes given that they are at least slightly less-widely distributed than other identity demographics.

Firstly, banks already know that SSNs make lousy identifiers and authenticators. They won’t admit that to you as a customer, but talk to bank security experts at a conference, and they’re all searching for something that’s better, as easy to use, hard to lose, and lets them transfer risk elsewhere.

Lets continue considering the banker’s perspective. They could try to use something other than an SSN as an identifier. But then they have to staff a help desk to recover lost passwords. The security of the system may go down because of the recovery mechanism, as it did with Paris Hilton using her dog’s name as a password. So the banker’s costs have gone up, and his security hasn’t. Now let’s say the SSN is public, and the banker chooses to not change his procedures.

What’s going to happen to the banker? Is the fact that an SSN is public going to change anything? Will courts suddenly start ruling differently on it? The bankers will close ranks, and describe this as “standard industry practice.” They will announce that, net of all the options, they all stink, and go home.

I remember a conversation at the first Financial Crypto with Michael Froomkin, about US crypto export controls. At some point, he said “All the neat technology demos in the world won’t change the judge’s mind.” Publishing a list of SSNs is no different than publishing the source code to PGP. The courts will defer to Congress the creation of new liabilities.

Thus the right focus for reform is to ensure that the law Congress shall pass includes elements of California’s 1386 (requiring disclosure of breaches), 116 (forbidding the use of SSNs as identifiers), and a new provision, forbidding the use of birthday, mother’s maiden name, or social security number as an identifier or authenticator. The law should impose strict liability on anyone who does either of the latter two, or fails to disclose in a timely manner.

10 comments on "Publishing a List of SSNs Will Not Fix Anything"

  • alt-ctrl-del says:

    More on the Prohibition on Using Social Security

    Looks like EmergentChaos, who was originally skeptical of my idea to forbid the use of SSNs as identifiers, may have come around. He posts today that:
    [T]he right focus for reform is to ensure that the law Congress shall pass includes elements…

  • Pete says:

    I am not sure why you feel it is necessary to use an SSN for both an identifier and authenticator. It is ideally suited for the former and completely useless for the latter. That is why we can clarify the difference between the two by making the SSN public.
    It is ironic to read what you say about SSNs – almost seems like you want them to remain as secret as possible and that somehow we can turn back time and close Pandora’s box to make them reasonable authenticators. I disagree.
    Re: The “paris hilton dog” scenario – sure it is possible that people will come up with something worse. I guess I have more faith that everyone is better off with a good solution. Btw, I don’t see how your solution solves this “paris hilton dog” problem, either.
    I see most of your suppositions as pretty far-fetched. SSNs like PGP? Not. Closing ranks? Not. Legislation that does more good than harm? Not. (In fact, if legislation gets passed, I guarantee you in 2007 you will be complaining about how useless it is in this very blog).
    I don’t understand how you can trust the government with legislative control over this type of thing but then don’t trust them to issue national ID cards.
    (And on a side note: rewrite your comments and replace SSNs with vulnerabilities. An interesting parallel.)

  • adam says:

    “It is ideally suited for the former and completely useless for the latter.”
    No, actually, it is poorly suited for an identifier: It has no check digit, it is outside the control of the relying parties, and 99% of the world doesn’t have one.

  • Cypherpunk says:

    The point is that SSN as an identifier is not a privacy problem, any more than names as identifiers are a privacy problem. The issue is banks using SSN’s as authenticators, as if they were secret information when they are actually widely known. This is what Pete’s suggestion would aim to fix, by a dramatic demonstration that this information is not actually secret. Sounds like a good idea to me.
    Wouldn’t it be great to be able to opt out of the whole identity-theft system, by publishing a notice somewhere (maybe in your credit report!) that says, you do not want money to be loaned to someone in your name, solely on the basis of their knowledge about you? When you do need credit, you can go into the bank physically and identify yourself in other ways. Most people don’t need or want the ability to get credit through the mail, by phone, or on the net. I’ll bet a substantial majority would opt out if they had the option.

  • adam says:

    SSNs are a problematic identifier because they enable easier linking between databases without my consent.

  • @Adam
    It sounds like you are against any identifier than can help identify you. That is a privacy issue and requires a different solution set. It should not prevent the adoption of a robust identification mechanism which can be used at will.
    I think I know the arguments but it seems to come to the question of whether people should be able to avoid responsibility for their actions. People that have wanted to avoid being identified have used ‘anonymous’ and pseudonyms for works which don’t really require authentication.

  • adam says:

    The US Supreme court has recognized over a great many decisions, such as NAACP vs. Alabama, or McIntyre v. Ohio, that anonymity is an important and protected part of freedom. I am against mandatory authenticators. I am against government issued identifiers that I can be effectively compelled to show under secret law. I am against government issued identifiers that prevent me from using different names for different activities.
    That people sometimes use anonymity to avoid responsibility for their actions is ok.

  • Pete says:

    Adam –
    You don’t respond to any of my comments except for how poor an identifier it is (“99%”), which you then negate by saying how successful it is as an identifier (“enable linking”), albeit with no check digit that you don’t want (I think ;-)).
    I am no expert on SSNs, but as far as I know, there are very, very few times when you are *actually* compelled (as opposed to the what-I-really-really-want-for-my-birthday-style “effectively compelled”) against your will to use it – to pay taxes, to register for the draft, maybe health care, perhaps some other circumstances.
    If you want to avail yourself of the benefits of society (i.e. credit/loans, banks, flying, telephones, etc..) then you may have to provide more information about yourself so that the person you are entering into a contract with can trust you. (This is that “effectively compelled” thing you don’t want, except how the heck would anyone know whether they can trust you? Remember, trust is defined by the second party, just as you decide for yourself whether to trust them).
    If you don’t want to – power to you, you don’t have to. Go live large and anonymous. But don’t think you can have your cake and eat it, too. And don’t try to force me to pay for it (higher prices/rates/costs everywhere would be inevitable if we all elected anonymity).

  • adam says:

    Your comments were of the form “not,” not arguments.
    If you want to construct an identifier, you should construct one that’s designed to work as an identifier. A lack of check digits makes for a bad identifier, because it will get miskeyed. That I don’t want a well-constructed national ID number doesn’t mean I can’t comment on the difference between good ones and bad ones.
    I see credit as very different from all those other benefits of society you list. Why does an airline need to trust me? I give them money, they grope me and then let me fly. Why does my bank need to trust me? I give them my money, and a password, and then get my money back. It works great. See, eg, Swiss numbered accounts. Sure, you can construct a world in which “knowing your customer” is seen as a good idea. And then you’ve constucted a world in which ID theft will be rampant, because the payoff is so high.
    I simply dont see prices uniformly moving because of anonymity. Anonymity prevents price discrimination by companies (raising prices on those who would pay.) It provides a base negotiating point that would allow you to trade your privacy, if you choose to. In a world without privacy, companies will customize their prices to the very highest level you’ll pay. See Odlyzko’s work on this.

  • Pete says:

    You mean my “nuh uhs” aren’t debate-worthy material? (Don’t tell my brother – they still work with him ;).
    Here’s one for you: Anonymous financial transactions feed terrorist units who hijack planes and crash into buildings, forcing anyone who wants to prevent it from re-occurring from evaluating alternatives and ultimately increasing costs which get redistributed to everyone.
    Airlines and banks need to trust you because violations of trust are bad for business and historically that trust has been violated. In another sense, airlines and banks need to trust you because they’ve decided they need to, and it is their right to know who they are doing business with, at least as far as I am concerned.

Comments are closed.