
White House wants to end Social Security numbers as a national ID - rbanffy
https://arstechnica.com/tech-policy/2017/10/white-house-wants-to-end-social-security-numbers-as-a-national-id/
======
mwnivek
Prior discussion:
[https://news.ycombinator.com/item?id=15393298](https://news.ycombinator.com/item?id=15393298)

------
praveenster
This might be an interesting avenue for the tech community to come up with a
solution similar to digital certificates and apply it to SSN numbers with an
RFC of sorts that gets vetted by security experts and submitted to the
government as a proposal to fix the problem long term.

~~~
s73ver_
The thing is, it has to work completely offline. Not everyone uses computers.

~~~
jaunkst
Sure, but a public key could still be stored in the case of a security audit.
And I don’t think the majority of mass breaches are on the paper level. We
need a solution to allow a new revision of an identity to be issued, possibly
something blockchain-like.

~~~
snuxoll
Why does the block chain have to be applied to every problem? We already have
a solution for this, many businesses and the US military use it - smart cards.

Generate a private key on the card, have the government sign it, keep it
locked up with a PIN/password (and self destruct after X number of invalid
attempts). You can verify authenticity offline as long as you can request the
card to sign a response and verify the signature, problem solved.
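
The scheme described in the comment above, as an added example that is not part of the thread or any participant's code. It assumes Ed25519 as the signature scheme; the names `Card`, `Issue` and `VerifyOffline`, the PIN and the retry limit are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Card is a toy model of the smart card; priv never leaves this struct.
type Card struct {
	Pub   ed25519.PublicKey
	Cert  []byte // issuer's signature over Pub
	priv  ed25519.PrivateKey
	pin   string
	tries int // wrong-PIN attempts remaining before the key is wiped
}

// Issue generates the key pair "on the card" and has the issuer sign the public key.
func Issue(issuer ed25519.PrivateKey, pin string, tries int) (*Card, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Card{Pub: pub, Cert: ed25519.Sign(issuer, pub), priv: priv, pin: pin, tries: tries}, nil
}

// Sign answers a verifier's challenge only for the right PIN.
func (c *Card) Sign(pin string, challenge []byte) ([]byte, error) {
	if c.priv == nil || pin != c.pin {
		if c.tries--; c.tries <= 0 {
			c.priv = nil // self-destruct: the key is gone for good
		}
		return nil, errors.New("PIN rejected or card destroyed")
	}
	return ed25519.Sign(c.priv, challenge), nil
}

// VerifyOffline needs only the issuer's public key: check the certificate, then the response.
func VerifyOffline(issuerPub, cardPub ed25519.PublicKey, cert, challenge, resp []byte) bool {
	return len(cardPub) == ed25519.PublicKeySize && ed25519.Verify(issuerPub, cardPub, cert) &&
		ed25519.Verify(cardPub, challenge, resp)
}

func main() {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	card, _ := Issue(issuerPriv, "4921", 3) // constructed PIN and retry limit
	challenge := make([]byte, 32)           // fresh nonce per check, so old responses cannot be replayed
	rand.Read(challenge)
	resp, _ := card.Sign("4921", challenge)
	fmt.Println("accepted:", VerifyOffline(issuerPub, card.Pub, card.Cert, challenge, resp))
}
```

The verifier holds no secret and makes no network call; revocation, which the thread raises separately, is not modelled here and would need a list distributed to verifiers.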

~~~
jaunkst
It doesn't but it would be more ideal to have a decentralized identification
system.

------
mhandley
Just publish them all. Give the country a couple of years warning that all
social security numbers will become a matter of public record, and then
publish them all. Any organization that still treats them as a secret could
then be sued into oblivion.

------
namelost
In the UK there is no such thing as an SSN, only "national insurance numbers"
which are used for transactional purposes with the government, but are
otherwise not part of daily life.

Society seems to function just fine. It's totally not necessary to give each
person an identifier.

------
Overtonwindow
Return the identity division to the states. No more SSN for everyday use.
Every state will provide an ID, and most people already have one, and each
identification has a serial number. That number is how you identify yourself
to private companies. The only people who should be using your SSN is the
federal government.

Problems may arise:

1) What if you don't want an ID? Ok give them the number, skip the ID and
photo, and go forth.

2) What about people who don't want to be known and forego identification?
I'd say you have little choice, it's extremely hard to remain off of SOME
database.

3) IDs cost money. Who's going to pay? That's a good federal grant question.
Each state gets refunded for the trouble.

~~~
jsmthrowaway
The thrust of your comment already exists: it’s called a driver’s license or
state ID for those who do not drive. The problem is identifying an _American_,
not a resident of Massachusetts or Kansas. Comcast operates everywhere.
State Farm operates everywhere. They want socials to identify _you_ no matter
where you live (for a number of reasons). How do you tie a Michigan license to
a Nevada license to identify _you_? It’s intractable and already fails for the
cases where it is used.

You’d be asking businesses to get set up with every single state and territory
for the purposes of identity management, and giving fraudulent folks
fifty-four opportunities to defraud national businesses rather than N social
security numbers. I can do the OMB analysis on your bill: 54x growth in
consulting fees, billions in lost productivity forcing every system to switch
to a new fifty-four jurisdiction unique identifier, etc. etc.

Ideal would be a number that fits in the same space as an SSN but can be
rotated. This limits significant changes to national company systems, but
means you only have a billion not-so-secure numbers to play with, so you’d
have to strongly disincentivize rotations to about 2 or 3 per lifetime modulo
American death rate. If we are going to disrupt extensively, let’s focus on
one American system rather than fifty-four systems for no net benefit; if
state-level identification was useful for this purpose, we would already be
using the ones we have. We don’t.

~~~
klipt
Passport number? A US passport card doesn't cost much, and non-citizen
residents generally already have a foreign passport.

~~~
freehunter
> A US passport card doesn't cost much

That's the problem. It doesn't cost much, but a Social Security number costs
_nothing_ and takes nothing to get. Something is infinitely more than nothing.
Passports also require a lot of paperwork and identification to get that
people may not have.

~~~
jsmthrowaway
And passports are cancelled and taken after a felony conviction. Not many know
this.

------
jaunkst
Private / Public Key Identification needs to be revisionable. Public keys need
to be accessible. In the case of a breach new keys should be generated against
some sort of public / private block chain. When an entity requires your data
they should be granted a revocable public key to it. If there is a breach we
generate a new pair and the private key is stored on a sort of IIA server, and
a new key is immutably added to the person. Or something more.

------
msla
Replacing it with something more closely approximating a national ID number
will run up against religious beliefs that such IDs are Satanic and portend
the End Times.

Just because you do not share such beliefs does not mean they do not exist, or
can be dismissed.

~~~
krapp
People believed Social Security numbers were the Mark of the Beast too, but
that didn't stop anything.

------
s73ver_
I mean, it's a good idea. But given how well this administration has done with
implementing things, I don't think it'll happen anytime soon.

------
BatFastard
I am not so keen on the government issuing us other numbers either, but there
has got to be a better way.

As for UUID, so now I need to remember a 64 character UUID?

~~~
snuxoll
A UUID would be just as bad at the end of the day and be more of a pain in the
butt. There's nothing necessarily wrong with having a short-ish identifier,
like what we already have on state-issued IDs for referencing a certain
individual - but ideally we should move on from this number being a password
to being equivalent to an actual identifier. Smart cards are ubiquitous these
days (you probably have one in your wallet, assuming you have a debit or
credit card on you) - that identifier should be associated with a public key
and your ID card holds the private key, if your card is stolen the key is
revoked and a new one issued.

~~~
s73ver_
Homeless people have SSNs, too, and likely aren't carrying around wallets.

~~~
snuxoll
Not to dismiss the point entirely, but this is still an edge case - and one
that doesn't justify the continued use of an identifier as a password.

People on HN make jabs at things like fingerprint / facial recognition as
passwords all the time, but if you have something you need to keep private
it's easy to forgo them and use a proper password instead (even if it's more
inconvenient). Even if we replace SSN's with a 1024-character identifier leaks
will still happen, because we continue to use the wrong tool for the job -
leaving us no better off and just more inconvenienced.

We need a national ID system, ID numbers need to be no more than identifiers,
if you need to validate your identity proper two-factor authentication -
possession of your national ID card with your private key, and a password only
you know - is the only safe way to do so.

~~~
BatFastard
I know that SS is not a national ID, but it effectively is. But it's an ID with
no password, someone thought this was a good idea?

~~~
s73ver_
They thought, "Hey, we need an ID number for this national social insurance
program." Then later, someone else thought, "Hey, I need an identifier to
check this person's Identity. Oh, they have a taxpayer ID number. I'll use
that." And it just kind of piled on and on and on.

------
transverse
I call for a three-letter agency, the Individual Identity Agency (IIA).

------
misterbowfinger
that's why we have uuids ;)

