Frontiers of Data Disclosure
Howard Schmidt made a glib suggestion that made me laugh, but he has a point. He asked why don’t we just take names, social security numbers, and everyone’s mother’s maiden name and put it in a huge searchable database, so everyone knows that it’s not security information and we can once and for all stop using SSNs for anything.
I’m still chuckling over it, but you know — it’s not a bad idea.
This sounds like Pete Lindstrom’s “Modest Proposal”:
http://spiresecurity.typepad.com/spire_security_viewpoint/2005/02/a_modest_propos.html
And it is a bad idea. The fact that it’s public won’t prevent people from using it for authentication. Second, publishing it would require a change in the law. So why not change the law to forbid the use of such data for authentication purposes, rather than publishing it all?
Because we already have such a law, at least for SSNs? The original laws that set up the Social Security Administration forbid the use of an SSN as an identifier.
It’s a great intention, but it didn’t work.
Did it? I thought that was just PR, and the law didn’t actually forbid anything.
I don’t think there are penalties.
I have relatives who worked at the SSA, and as a child when I made dark comments about national ID and SSNs was lectured up one side and down the other.
I did the typical kid response (eye-rolling, smartass comment) and said relative backed down some and admitted that in practice this law is not followed. History has shown my skepticism warranted.
However, it’s important to remember that the legislators and the SSA were sincere in their work to keep SSNs from being a de-facto ID, they were just unsuccessful.
Consider this a corollary to your law that all privacy fears come true, or perhaps merely an early implementation of your rule. It makes a much better cautionary tale if we recognize the sincerity and diligence of the SSA as we recognize the failure. You can’t just make privacy the law.
I seem to recall the law stated the circumstances where you had to fork over your SSN and didn’t limit where it could be used…
So the SSA history of the SSN page says the 1935 act doesn’t mention the number at all, but provides for a record-keeping scheme.
Later laws changed this.
Based on what I read at SSA.gov earlier today, Arthur and Adam are right. We are legally required to cough up the number under certain circumstances, the govt is required to tell us when we must and when it is purely voluntary, and we can refuse private requests but we can then be turned away by those private parties.
i’ve met pete lindstrom, I know pete lindstrom. howard schmidt is no pete lindstrom. anyhow pete’ point is that this data is ALREADY published to databases that are searchable by plimus 100,000 people
“The fact that it’s public won’t prevent people from using it for authentication.”
True enough – as is the case today, which makes it funny every time someone tries to put that genie back in its bottle.
However, if the SSA made the information *explicitly* public, then at the very least people would stop ridiculously calling for “secrecy” of their SSNs. In addition, alternative authentication options would become available. Finally, it would make legal action more viable.