An article in today’s New York Times reports that “the Social Security numbers of tens of thousands of people who received loans or other financial assistance from two Agriculture Department programs were disclosed for years in a publicly available database”.
Almost there, folks! But tens of thousands is not enough; we need to cover everyone. The simplest effective way to dent the “identity-theft” (or more exactly “impersonation”) wave is to go beyond this first step and publish on a publicly accessible web site all social security numbers ever issued and the associated names. And get rid once and for all of the hypocritical assumption that SSNs have any authentication value. We need a reliable authentication infrastructure (either publicly-run as a government service or privately-run, that’s a topic for another day) and this SSN-based comedy is preventing its emergence by giving credit issuers (and others) a cheap and easy way to pretend that they have authenticated their customers.
Over the last couple of years, I have received two alerts that my SSN and other data have been “compromised” (one when Fidelity lost a laptop containing data about everyone enrolled in HP’s retirement plan and one from a university) and my wife has received three. Doesn’t this sound like a bad joke going on for too long (and I should know about bad jokes going on for too long, they are my specialty)? And of course this doesn’t count the thousands of employees at dental offices, medical offices, and many other businesses that have at some point had access to my data (and anybody else’s).
So, to the IT people at the Census Bureau I say “keep going”! But of course that’s not the reaction they had. The rest of the NY Times article goes on with the usual hypocritical (or uninformed) lamentations about putting people’s identities at risk. “We took swift action when this was brought to our attention, and took the information down,” says an Agriculture Department spokeswoman. And of course there is the usual “credit report monitoring” offer (allowing the credit report agencies to benefit from both sides of the SSN-for-authentication debacle). Oblivious to the reality even though it manifests itself further down in the article: “The database […] is used by many federal and state agencies, by researchers, by journalists and by other private citizens to track government spending. Thousands of copies of the database exist.”
Another quote from the article: “Federal agencies are under strict obligations to limit the use of Social Security numbers as an identifier”. The SSN is a fine identifier. It’s using it as a means of authentication that’s the problem.
[UPDATE] This is now a Slashdot thread. The comments are pouring in. Some get it (like here, and here). This one seems to get it too but then goes on to advocate dismantling the social security system which at this point is only connected by name to the issue at hand.
[UPDATED 2008/7/2: Sigh, sigh and more sigh while reading this article. The cat is so far out of the bag that a colony of mice has taken residency in it. The goal shouldn’t be to try to make the SSN hard to get, it should be to make it useless to criminals. That approach isn’t even mentioned in the article.]