This is what we use here in Sweden as well. The reason it works is that all inhabitants are given a personal identification number upon birth, that consists of our birthday + 4 digits which are loosely based on where we are born and if we are male/female. This number is unique for every person and is used to register to the BankID service (among other things) and ensures that it is connected to a single individual.
In Sweden, we were at some point running out of numbers as when there were an unprecedented number of applicants due to the immigration a while back.
Someone was interviewed on the subject and said that if they built the system today, they would totally go for randomly generated number sequences rather than relying on a system based on birth date etc.
US SSNs used to be that way. The initial prefix was based on where you applied, and the last four were shown like it was nothing (Boeing used my last 4 as part of my UNIX account ID). Instead of 5-9 digits of entropy, you're down to just 2.
I still don't get why anyone would ever want to treat SSN / national ID numbers as private information. They're usernames, you give them to so many people all the time and they're printed in so many places plain that it's ridiculous to think they should be used as a secret for authentication.
> The reason it works is that all inhabitants are given a personal identification number upon birth
Isn’t that the same as the Social Security/National Insurance number you get in various countries? In France you have a unique number that depends on your sex, where you’re born, 3 more digits to differentiate you from all other people of the same sex that were born the same day at the same place and then a final digit for a checksum.
You are probably right, I added that part in because I read somewhere that not all countries maintain lists of personal identities as comprehensive but that might have been a long time ago, in that case my mistake.
The key bit is that it (sounds like) they use it only for identification, whereas the SSN in the US is treated as a "secret" which can be used for authentication (!?). Thus a weird legal limbo where it's officially not supposed to be shared around, as it can prove who you are... yet all kinds of businesses are required to record it to identify their employees :|
Not quite the same thing, but ID Analytics claimed that "6.1 percent of Americans have at least two SSNs associated with their name," and "more than 15 percent of SSNs are associated with two or more people" in commercial records.
Right, that goes along with "20% of credit reports have errors." (which was found in an FTC study). Example errors are misspellings and number transposing and both versions end up in the database. The correct report can be pulled up 99.9999% of the time even if it has errors because usually a bunch of data is used to pull up the report (name, address, birthday, social), not just a single number.
I know someone with misspellings of their name on one bureau's credit report and its never caused a problem (he's too lazy to ask them to fix it). The misspelling is listed as his name and the right spelling is listed as "other name" (or something like that).
The keyspace is also shared with the larger "TIN" (Tax ID Number) pool, though the pretty-print format is different:
SSN and ITIN: nnn-nn-nnnn
EIN: nn-nnnnnnn
So it covers not only all the individual taxpayers but also all the employers and businesses that are taxable separately from individual income tax payers.
So ... how can it not be exhausted yet, or at least close enough that it's irresponsible for officials to offer blanket denials regarding reuse of defuncts?
What if you have more than 10,000 people who have the same birthday? Let alone people with similar birthplaces/gender/etc. If that's all there is to it it seems like you'd run up against a combinatorical ceiling pretty soon.
There will never be a problem with that in Sweden. They're averaging 328 births per day. They'd need to increase their population from 10 million to the size of the United States to bump up against that limit.
Sweden has added two million people in the last half century. In net terms, essentially all of those two million have been immigrants rather than born in Sweden. They're de-populating when you exclude immigration, because their birth rate is so low.
10,000 people per day would be like Sweden adding 1/3 to its population in the next year. That's never going to happen. They're #166 when it comes to birth rate. Based on their population gain rate, they'll need to worry about the four digit limit in about 2,000 to 3,000 years give or take.
Actually, it already is a problem. According to this article, around 2,500 people have been assigned a personal number which differs from their birthdate. [1]
The last digit is just a checksum digit, so we're left with 3 digits per day. But that still would give some leeway for each day. The problem seems to be that some immigrants have been assigned a default birth date (Jan 1 and Jul 1) as their exact birth date is unknown.
Another issue which is not mentioned in the article is that we're only using two digits to encode the year (i.e. YYMMDD-XXXX), which causes problems now that many live to be 100+ years. Most banks and other places now requires you to enter a four digit year, even though that technically is incorrect. The correct way to annotate that someone is over a hundred years old is that the dash changes to a plus sign (i.e. YYMMDD+XXXX), although I've never seen that implemented anywhere.
