
White House Looks at Replacing Social Security Numbers - chollida1
https://www.bloomberg.com/news/articles/2017-10-03/white-house-looking-at-replacing-social-security-numbers
======
linsomniac
Generally I am for a smaller government rather than larger. But in this case,
the private sector has demonstrated that without regulation specifying
otherwise, they will do nothing to protect our identities.

The Social Security Administration's official policy on SSNs is that consumers
don't have to give their SSN to businesses with the exception of tax-related
things like employment and banks. But, they also say that businesses can
choose to not do business with you if you are unwilling to give out your SSN.

And businesses have done nothing to help people secure their identities. In
fact, they've done the opposite.

Starting around 20 years ago, I refused to give my SSN out except where it was
specifically required by the govt. The insurance companies seemed to be the
ones who had the hardest time of it, it required hours of effort with my
insurance company to let me not have my SSN as my identifier. They ended up
putting all zeroes in. But then every time I used my insurance I had to work
with them ("What is your SSN?" "The insurance company doesn't use my SSN, they
use all 0s." Blank stare).

Around 10 years ago it got to the point where there was even more push back
and the effort was more than it was worth.

It really wasn't helping, being "the one guy who wouldn't give out his SSN".
Pretty much every time I explained it to a doctor's office they would say "I've
never heard of that before, but it makes sense." That sort of pushback only
really works if, you know, at least a few people do it. :-)

~~~
larrik
I've always left it blank on doctor forms, and no one's ever said a word to
me...

~~~
avn2109
Just say you were born abroad, are not a US citizen etc and therefore don't
have an SSN, you just happen to speak good English because you went to
American school.

But you're happy to give them your national ID number from your home country.
Bonus points if you actually have another passport to wave around while
claiming this.

This doesn't work all the time, but it's surprisingly effective in like 90% of
cases.

~~~
bhhaskin
That would be fraud. Don't do this.

~~~
whathaschanged
Doesn't a party have to claim damages for there to be fraud? How could your
doctor possibly do so in this case?

------
ballenf
Let's be careful not to underestimate the value of deniability. Any change in
policy needs to maintain the ability of the citizen to challenge actions taken
with a private key (opening an account or borrowing money) and the burden
should not shift to the consumer.

I fear that financial institutions will use the change as an opportunity to
offload their due diligence onto consumers.

Someone having my private key should not have any greater ability to implicate
or permanently damage me than someone having my SSN.

~~~
maerF0x0
Because private keys are a far greater tool of proving identity than a SSN, I
would argue one should have much greater culpability in an "unauthorized"
action.

SSNs are lost for good on breaches of companies' infrastructures, but nothing
should be lost in a Pub/Priv key scheme. What we'll need is a good key
revocation process. So when my identity is compromised (say, malware on a
device) then I can be me again.

~~~
random023987
> Because private keys are a far greater tool of proving identity than a SSN,
> I would argue one should have much greater culpability in an "unauthorized"
> action.

If you have the technical know-how to protect your private key, and you're
immune from rubber hose attacks, and there's no mechanism for key recovery
outside your control, I'd agree.

However, people.

~~~
sliverstorm
You wouldn't depend on technical know-how, you'd roll it into a card or
something like that. Chip & pin cards already do all of this.

And I'm not aware of any system suitable to replace SSN that can withstand
rubber hose attacks. That's where law enforcement & the justice department
will have to step in, as always.

~~~
random023987
> You wouldn't depend on technical know-how, you'd roll it into a card or
> something like that. Chip & pin cards already do all of this.

[https://arstechnica.com/tech-policy/2015/10/how-a-criminal-r...](https://arstechnica.com/tech-policy/2015/10/how-a-criminal-ring-defeated-the-secure-chip-and-pin-credit-cards/)

~~~
snuxoll
This attack doesn’t work with smart cards that basically do nothing but act as
a HSM. The MITM attack works with a loophole in some EMV cards because the
card isn’t signing a transaction request but just saying “PIN is good!”

If your card holds a private key and won’t sign anything without also being
fed a correct PIN you’d need a proper exploit of the application on the card
to defeat it.

------
athenot
This is long overdue.

In France, the privacy watchdog CNIL was founded in _1978_ when the idea of
using the social security number for all sorts of other purposes got proposed
(and rejected), prompting for some safeguards.

In the US, we've been so allergic to a "national ID card" that we just
repurposed the SSN into the very same thing. But then we decided to make it both
a unique ID and a password, despite it being a terrible way to perform
authentication (and an even worse way to do authorization).

~~~
adventured
It's a rare circumstance where there's an allergy to national ID cards on both
sides of the political aisle. On the Republican side they (supposedly) fear
greater Federal Government power, tracking, etc. On the Democrat side, they're
afraid of national ID cards being required at voting locations.

~~~
kmicklas
Why would Democrats be afraid of IDs being required for voting if everyone got
one? I thought the whole Republican opposition to voting rights stuff from the
Democrats was because they know there's a bunch of poor would-be-Democrats who
don't currently have the required IDs.

~~~
srdev
We’re not. The problem is with the “everyone got one” part. Every time I’ve
discussed this issue personally with a republican they act indignant when I
assert that the ids need to be free and trivially obtainable. Usually grousing
about the cost and “laziness”.

------
specialist
#1 -

Privacy minded and anti-government types opposed RealID.

[https://en.wikipedia.org/wiki/REAL_ID_Act](https://en.wikipedia.org/wiki/REAL_ID_Act)

Ironically, globally unique identifiers are required to protect our
demographic data. Otherwise all records must be stored as plaintext
(unencrypted). I was very chagrined when I finally figured this out, causing
me to support RealID.

[https://www.amazon.com/Translucent-Databases-2Nd-Authenticat...](https://www.amazon.com/Translucent-Databases-2Nd-Authentication-Steganography/dp/1441421343)

Source: Me. I worked on both voter privacy and electronic medical records.

#2 -

The government, thru contracts with services like Lexis/Nexus (nee Seisent)
have already created globally unique identifiers for pretty much every person,
living or dead. Replacing SSN would just formalize, simplify, daylight such
matters.

Alas, wedge issues like voter registration databases (assessing eligibility to
vote) and immigration status, in near real-time, would become trivial and
nearly error free, so I doubt this commonsense, practical effort will happen
any time soon.

------
simplicio
Eh, I still think the best thing for the gov't to do in regards to SS numbers
is just publish them all in an open database accessible to anyone. That would
put an end to banks and such trying to use them as a way to verify identity.

SS are useful as a unique identifier for Americans. But the weird process by
which they've become some sort of "password" for accessing credit and such in
someone's name is crazy, and pretty obviously not working.

~~~
cjbarber
> Eh, I still think the best thing for the gov't to do in regards to SS
> numbers is just publish them all in an open database accessible to anyone.

They basically are available to any business that needs them. Just takes a few
months to go through the compliance process for an identity verification
company. See [https://cognitohq.com/docs](https://cognitohq.com/docs)

Regarding it being a password, yeah that is pretty bad. Some friends of mine
are working on Bloom ([https://hellobloom.io/](https://hellobloom.io/)) which
is trying interesting things that hook into the real world (necessary) while
also trying to create a better system eventually. Basically, an ID you control
with a private key is approved by identity verification services. Your friends
basically vouch for the ID being correct. Your identity is tied to that ID. If
you lose the private key then you have your friends invalidate the old ID and
transfer their vouch to your new ID. Way better than just a secret number.

~~~
simplicio
I suspect just requiring people seeking credit to just have to come personally
to a bank with a photo-ID, a pay-stub and have to confirm they have access to
the postal address they have on their ID would solve it. This wouldn't by any
means be foolproof (after all, half the highschool students in the US manage
to get passable fake IDs), but the fact that it would increase the effort to
open lines of credit, slow down the rate at which you could open new lines and
increase the risk of getting arrested when you tried would, I think, shift the
risk and reward balance on most scams to the extent that it wouldn't be worth
it to the scammers anymore

------
alex_young
The cards used to have "Not For Identification" printed right on them. This
has been a known bad idea for decades but we just decided to do it anyway.

[http://www.nytimes.com/1998/07/26/weekinreview/the-nation-no...](http://www.nytimes.com/1998/07/26/weekinreview/the-nation-not-for-identification-purposes-just-kidding.html)

------
ProAm
So little faith in the US government to do this with the least bit of
efficacy. It will be contracted out to a big firm, for a ton of money, with
project overruns, budget overruns, and in 20 years will probably still be
using SSNs while they continue to fix this new system.

~~~
Kluny
The US Digital Service is supposed to be pretty good these days. It might turn
out better than expected.

------
test6554
This is simple, I just need a government issued public/private key, a
government username/password, a government OAuth service and a government
mobile authentication app.

Most people won't even need to know the public/private key exists, but techies
can leverage it to automate their lives some day.

Let's say I want to open a bank account with bank X. So I go to bank X's
website and click open an account. Select my country and it redirects me to an
oauth login page for my government. I log in and authorize the bank to view my
basic identity info. Now the bank knows who I am and I can finish opening the
account.

For in-person interactions, I could have my phone scan some person/company's
public key in the form of a QR code and generate a qr code of my own that will
let that company instantly authenticate me (airline, cruise line, police
officer, etc.) with the government, but that same qr code will not do anything
with any other person who sees my code because it is encrypted with the
company's public key.

My government password can be reset if compromised and I never have to give
out to anybody which puts it miles ahead of social security numbers from day
1. My phone is secure if lost, because it requires my government password to
unlock the app as well as some biometric information.

~~~
ChrisBland
What about those who do not own a mobile device, or those not comfortable with
technology. We live in a large country, and we must have support for ALL of
our citizens, not just our younger tech-savvy ones. Go to a community of 65+
year olds and explain this to them. You'll get back blank stares. It's a
non-starter.

~~~
anindha
Make it opt-in. Anyone who isn’t comfortable with the change can continue to
use their SSN.

~~~
Godel_unicode
Every business will then continue to just use social security numbers since
everyone is guaranteed to have one. Half measures won't work, that's how we
got here in the first place.

~~~
anindha
Opt-in for the customer not the business.

~~~
Godel_unicode
I got that. So everyone will have a SSN and only some people will have the new
thing. My point stands. We have lots of evidence in security that this type of
suggestion leads to problems, see for example export-grade crypto.

------
vangale
OT but can be filed under "Falsehoods programmers believe about Social
Security Numbers": SSN's are unique per person.

A friend of mine worked on a shareholder database for AT&T back in 70/80's and
discovered this when they tried to make their SSN column unique.

~~~
walshemj
Why does AT&T need to store SSN's? At BT improper use of NI numbers was a gross
misconduct case.

~~~
toast0
AT&T issues dividends to shareholders. Dividends are taxable, and must be
reported to the IRS with the shareholders' tax ID.

Now, AT&T also asks for account holders' tax ids, which they use to pull credit
reports, and to report on credit activity.

------
turc1656
SSN's were never meant to be used for identification purposes like they are
used today. They were designed only to be able to make a SS benefit claim when
you came of age to help prove you are entitled to the benefit. That's why they
gave you a physical card. Combined with your other, regular identification (if
requested), you can prove that you are the person you say you are and the
benefits available to you have already been recorded. The SSN itself should
never have been used in lieu of proper identification.

------
mywittyname
Does everyone really need an unique digital identifier?

My feeling is, "this is probably you" is good enough for nearly every
transaction people will perform. And we've long had a system in place to deal
with the special cases in which this is not good enough: notaries.

Financial companies need to come to terms with this fact and accept insurance
against its exploitation as a cost of doing business.

For taxes and other government documents, we should all move to a tax id
system, like businesses use.

~~~
dredmorbius
Absolutely not _for each and every transaction_. There are a certain set of
activities for which a 1:1 association is highly preferable, though voting is
about the most extreme case. For various reasons, there are both problems with
trying to create a voter-ID system, political resistance to this, and
relatively limited call to do so in the first place (in-person fraud is
expensive, risks elsewhere are far greater).

Much of the remaining argument revolves around credit and risk, and around
advertising and tracking. I'd argue that the first does not _require_ single-
ID tracking, and the second should _under no circumstances_ be allowed to
institute it.

Much of the remaining space is national accounts types stuff: tax, pension,
and medical authorities, passport/border control, some licensing (much of that
at the state/local level).

But yes, at the national level, there _is_ a call for 1:1 account assignments,
though those need not be unified across all services.

------
koolba
This would be amazing if done correctly. With modern crypto there's a world of
options to enable things like identity validation, attestation, and delegation
without giving the keys to your entire identity. It'd also be a perfect
candidate for an RFC style process.

Unfortunately this is the Federal government we're talking about so the chance
of it being completed in any timely fashion are slim.

~~~
maxerickson
Has the UX been worked out so that disinterested people can successfully and
reliably do all that stuff without leaking their private keys?

There will be roughly 300 million disinterested users, making it work reliably
in that scenario is important.

~~~
Ajedi32
The key will obviously need to be stored in a physical token of some kind
that's designed to prevent the key from being extracted. Kinda like how U2F
and Smart Cards work.

~~~
aaomidi
And somehow you're going to have to accept the fact that people are going to
lose their keys. You're going to want to make sure you can properly reissue
one to the correct person.

~~~
Kluny
This is already a completely solved problem in Scandinavia. You get a key card
in the mail full of single use codes. If you lose the card, you call a number
and they void the old card and send a new one. If you use all your codes, they
send you a new one. It works fine.

~~~
ptman
The mailed code list is being phased out since there's no guarantee somebody
hasn't opened your mail, taken a picture of it, and put it back.

~~~
dredmorbius
Being replaced by what?

------
Ajedi32
So what _should_ we replace SSNs with? Obviously some kind of system based on
asymmetric cryptography would be ideal, but what system, specifically?

There are a lot of competing concerns here, not the least among them being
privacy. For example, if a system based on public key cryptography becomes
commonplace in the US, will websites start using that same system for
authentication? There are some rather significant privacy issues associated
with having a government issued, globally unique ID associated with your
account on random websites.

Maybe this is something the tech industry in the US should be involved in? I
imagine lots of companies would jump at the chance to be involved in a
standards group designing a unified method for citizen authentication in the
US.

~~~
vpeters25
Maybe we don't need a unique id at the federal level after all. Financial
institutions are already required to follow KYC (Know Your Customer) laws. For
this they need a way to validate the identity of the customers they do
business with. I guess they already have enough ways to do this without
relying on SSN or a potential national id card.

BTW, after the Equifax hack, financial institutions should be mandated to stop
trusting SSN as proof of identity.

~~~
dredmorbius
I'm thinking of the number of government-level identifiers which might be
needed / used:

* Tax authority (TIN).

* Pensions system (e.g., SSN)

* Possibly a voting ID, though that's fraught.

* Military or national service ID.

* State tax ID.

* Drivers registration.

* Real estate / property ID.

* Medical records ID.

* Social benefits ID.

* Other registrations, e.g., weapons, broadcast licenses, etc.

------
kiddico
I see talk in this thread that uses the term 'private key'. Which makes me
think about using a literal cryptographic private / public key combo for this
sort of thing.

Say I have a private key, and I want a business to have a way to ID me. They
give me a key associated with me in their database, and I encrypt it with my
private key, and give the results back. Now when someone wants to do business
with them in my name they must turn those results back into what the business
has in their database. So long as I keep my key safe the business can leak
data all they want.

This would shift all the work for security over to the citizens though, which
could have mixed results...

~~~
simonsarris
And what happens when someone's private key leaks? Do they have to get issued
a new one somehow? If someone has gone through 7 private keys, how do you know
that the one person-claiming-to-be-someone is giving you the most up to date
one vs an older one, etc.

There would be a lot of non-trivial considerations by pushing all this on
average joes (both as individuals and as people attempting to verify
individuals).

A system that appears secure but isn't is more dangerous. I can hear a 60 year
old now: "Aunt Claire is stuck in London and needs money! We know it's her,
here's her [expired key] encrypted message!"

~~~
dredmorbius
To prevent re-use of old keys, a key-revocation protocol should exist. There's
an existing (though pretty crufty) version of this in PGP, though it relies on
keeping your _revocation_ key safe, which is a bit of a stretch as that's
something you need ... _once_.

A "bad keys" registry might be a useful / necessary thing.

Enforcing a regular expiry might also be an option, though ... you'd have to
think through that. Keep in mind that technology is continuously improving (or
at least has been to date), and there might be a circumstance in which All
Keys Suddenly Go Bad, which would have to be dealt with.

(Figuring out ways in which to make such situations Less Obviously a Shitfest
could be ... useful.)

When I've _very_ roughly scoped things out at Google Scale (> 3 billion
registered Android profiles), and made modest assumptions such as 1% of users
lose their token annually, you're looking at ~10,000 resets _per day_. So
you'll _have_ to have provisions for doing this in any system that's intended
to be in the least part useful.

As for attacks, I'd strongly suggest finding a good reference of 19th century
financial frauds and reading through it. The fundamentals _do not_ (generally)
change.

[http://www.npr.org/sections/npr-history-dept/2015/02/12/3853...](http://www.npr.org/sections/npr-history-dept/2015/02/12/385310877/how-scams-worked-in-the-1800s)
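
An added example, not code from any commenter in this thread: the challenge-and-response idea kiddico describes and the key revocation dredmorbius calls for, written with Ed25519 signatures in place of "encrypting with the private key". The `Verifier` type, its registry maps and the `person-1` ID are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

var ErrChallenge = errors.New("challenge unknown, already used, or issued to another ID")
var ErrRevoked = errors.New("response signed with a revoked key")
var ErrSignature = errors.New("signature does not verify")

// Verifier is a hypothetical relying party with a view of the key registry.
type Verifier struct {
	current map[string]ed25519.PublicKey   // ID -> the one key valid today
	revoked map[string][]ed25519.PublicKey // ID -> keys reported lost or leaked
	pending map[string]string              // issued nonce -> ID it was issued for
}

func NewVerifier() *Verifier {
	return &Verifier{map[string]ed25519.PublicKey{}, map[string][]ed25519.PublicKey{}, map[string]string{}}
}

// Rotate installs pub as the current key for id and revokes the previous one.
func (v *Verifier) Rotate(id string, pub ed25519.PublicKey) {
	if old, ok := v.current[id]; ok {
		v.revoked[id] = append(v.revoked[id], old)
	}
	v.current[id] = pub
}

// Challenge returns a fresh random nonce that only id may answer, once.
func (v *Verifier) Challenge(id string) []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // no entropy: refuse to issue a predictable challenge
	}
	v.pending[string(nonce)] = id
	return nonce
}

// message binds a signature to this protocol, ID and nonce; Respond signs it.
func message(id string, nonce []byte) []byte {
	return append([]byte("id-challenge-v1|"+id+"|"), nonce...)
}

func Respond(priv ed25519.PrivateKey, id string, nonce []byte) []byte {
	return ed25519.Sign(priv, message(id, nonce))
}

// Verify consumes the challenge, then checks the signature against the registry.
func (v *Verifier) Verify(id string, nonce, sig []byte) error {
	if owner, ok := v.pending[string(nonce)]; !ok || owner != id {
		return ErrChallenge
	}
	delete(v.pending, string(nonce)) // single use, even when the check fails
	msg := message(id, nonce)
	if cur, ok := v.current[id]; ok && ed25519.Verify(cur, msg, sig) {
		return nil
	}
	for _, old := range v.revoked[id] {
		if ed25519.Verify(old, msg, sig) {
			return ErrRevoked
		}
	}
	return ErrSignature
}

func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func main() {
	v, id := NewVerifier(), "person-1" // constructed sample ID
	pub1, priv1 := NewKey()
	v.Rotate(id, pub1)
	n := v.Challenge(id)
	sig := Respond(priv1, id, n)
	fmt.Println("fresh:", v.Verify(id, n, sig), "| replay:", v.Verify(id, n, sig))
	pub2, _ := NewKey()
	v.Rotate(id, pub2) // key 1 reported lost, key 2 issued
	n = v.Challenge(id)
	fmt.Println("revoked key:", v.Verify(id, n, Respond(priv1, id, n)))
}
```

A response that verifies only under a revoked key comes back as its own error, so the relying party can log it as a sign of a compromised key instead of an ordinary failed check.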

------
clairity
replace it? SSN has one purpose, and that is to identify our national social
benefits account. that's it, and it works for that.

but we don't need a national ID. at all. the tracking that will most certainly
accompany that is diametrically opposed to the concept of a free people.

banks take a risk with every account and every transaction. it's up to those
institutions to figure out how to manage that risk, without obligating all
americans to give up their hard fought and valuable constitutional right to
privacy to make it easy for them.

~~~
dredmorbius
SSN in fact does _not_ work well for that.

There are fewer than 1 billion unique SSNs. Yes, there are 8 digits, but there
are significant ranges of invalid values. _The Social Security Administration
will run out of numbers within a few decades, at most._

It's one thing to have enough values to assign everybody. It's another for the
namespace to be so densely populated that any randomly-chosen value is likely
to be valid. This ... creates problems.

There are no check or validity values within SSNs. There's a _structure_ to
the digits (Area, Group, and Serial numbers), but even those are at best
vague, there've been three regimes of assignment (< 1972, 1972-2011, and
2011+), and other than "this value isn't within a validly assigned range",
there are, again, no validity checks.

Provisions for being issued a new SSN are at best cumbersome.

That's just off the top of my head. I've worked in large-scale data analysis
and processing, though years ago, and there are long and detailed discussions
of the limitations and failures of SSNs _even just as account identifiers_.

Using them _outside_ the SSA only compounds those issues.

~~~
clairity
you make good points. in my head, i had simply equated "works for that" with
"good enough for now".

it seems even for just social security, the SSN numbering system could use an
update, integrating everything we've learned about identity schemes in the
last 100 years.

------
OrwellianChild
Am I crazy, or is this backwards? Keep SSN for retirement benefits, and _only_
retirement benefits.

Ban SSNs as identifiers with private companies not affiliated with providing
retirement benefits.

Problem solved.

~~~
dredmorbius
There's still the question of a standard for financial identifiers.

And as I've commented elsewhere on this thread, SSNs themselves actually _do_
have numerous problems and deficiencies, even if confined to the SSA.

------
mmcconnell1618
Is anyone else suspicious that this could be a backdoor into identifying
undocumented workers in the country? Could this be used as another way to
purge certain classes of voters from the rolls? Social security numbers are
fairly easy to "borrow" but if they are no longer accepted for employment
documentation or voter registration, it leaves the door open to a much
stricter set of rules to obtain whatever new ID is created.

~~~
specialist
Everyone, including undocumented workers, are already thoroughly, completely,
exhaustively tracked.

Replacing SSN would daylight this fact, exposing an inconvenient truth.

~~~
anindha
Can you explain this? If I apply for a lease how does the Federal government
know or block me?

If I need to authenticate through their system the Federal government will
definitely know.

~~~
specialist
I didn't follow the leap from undocumented workers reusing SSNs to applying
for a lease.

------
eximius
The Keybase folks should seriously consider getting in on this. There are not
many groups I'd trust to design something cryptographically sound and friendly
enough to be useable (both for citizens and the government - you need at least
two tiers so WHEN the inevitable private key leak happens on the government's
part, it isn't the master key kept in cold storage).

------
neilellis
Now all they need to do is replace birthdays and past addresses.

~~~
saalweachter
You gotta love the idea of personally identifying information, known only to
you and three large corporations.

------
V2hLe0ThslzRaV2
Core issue is not that solutions do not exist, but that the average person
simply does not care about security.

~~~
jakelarkin
the average corporation does not care about security as long as someone else
is paying the price. moreover they actively drag on security best-practices if
they increase costs or introduce any friction whatsoever into consumer
purchases. one of the reasons why we don't have CHIP+PIN in the US

------
ben_jones
I have plenty of reservations about Big Tech, but why can't Google bid on
this? Sure we'd get ads on the ID card but at least they'd get the math right.

~~~
mbroshi
You've just rediscovered the premise of David Eggers's _The Circle_

[https://en.wikipedia.org/wiki/The_Circle_(Eggers_novel)](https://en.wikipedia.org/wiki/The_Circle_\(Eggers_novel\))

~~~
phjesusthatguy3
We're already a lot closer to George Saunders' My Flamboyant Grandson[0] than
that.

[https://www.newyorker.com/magazine/2002/01/28/my-flamboyant-...](https://www.newyorker.com/magazine/2002/01/28/my-flamboyant-grandson)

------
32days8kd
The timing of login.gov (www.login.gov;
[https://fcw.com/articles/2017/01/19/login-dot-gov-mazmanian....](https://fcw.com/articles/2017/01/19/login-dot-gov-mazmanian.aspx))
going online is convenient...

------
mankash666
The world's moving towards a biometrically backed public-private key pair.
Hope this is considered

~~~
jakelarkin
you can't rotate biometry if it's compromised

~~~
archgoon
May be worth it for in-person reclamation of identity. Use biometrics only
when acquired in person.

Beats having to dredge up my high school year book, social security card, birth
certificate, and high school transcript (None of which are actually inspected
of course).

~~~
dredmorbius
How do you defend against / defeat replay attacks?

~~~
archgoon
In person? When you're actually seeing that it's their thumb and eyes that are
being scanned?

~~~
dredmorbius
How do you, as a third party, know that the validation occurred _in person_?

How do you defend against replay attacks?

~~~
archgoon
So you agree that if it is done in person, it'd be difficult to fake?

------
tareqak
Techmeme summary: _Rob Joyce, the White House cybersecurity czar, says it
wants to end use of Social Security numbers for identification and is
examining modern alternatives_

------
peterjlee
Federal government buys Twitter and makes your twitter handle your national
identifier. I'm sure Trump is fine with that.

------
pc2g4d
In practice, doing public/private key instead of SSN would likely work like
the EMV cards, right?

~~~
hannasanarion
It would require having a central authority that holds, or at least
authenticates, all the keys, which many might not like.

~~~
dredmorbius
That's actually a really good, and complex, question.

It might be sufficient to have an authority which ensures there are no
_duplicate_ numbers issued, though that doesn't get around the problem of a
single individual with multiple assigned numbers.

In practice, there are methods of determining with a fairly high degree of
accuracy whether or not two or more identifiers might indicate the same
individual (or at least two very closely related individuals). But if you're
looking for a 1:1 signifier-subject relation, you'd want that system to be
quite good.

------
bradknowles
Hmm. Almost makes you wonder if maybe the people who hacked Equifax work for
some secret branch of the US govt, just so that they could force some sort of
change like this down our throats.

You know, the situation is really bad when the people you used to think were
conspiracy nuts now seem to be people who weren’t thinking in big enough
terms.

------
msla
Replacing it with something more closely approximating a national ID number
will run up against religious beliefs that such IDs are Satanic and portend
the End Times.

Just because you do not share such beliefs does not mean they do not exist, or
can be dismissed.

------
RandVal30142
"Great anger" -The damned President, encouraging his people into further
divisiveness.

Yea no fucking way I'm supporting this admin in cataloging anyone.

------
luckydata
No mention of blockchain anywhere in the comments. Color me surprised.

~~~
rkuykendall-com
"Make the stupid comment you expect to see in the world" - Mahatma Gandhi

