--- John Denker <[EMAIL PROTECTED]> wrote:

[...]
> It's only a problem if somebody uses that _identifying_
> information to spoof the _authorization_ for some
> transaction.
[...]
>
> Identifying information cannot be kept secret. There's
> no point in trying to keep it secret. Getting a new
> SSN because the old one is no longer secret is like
> bleeding with leeches to cure scurvy ... it's completely
> the wrong approach. The only thing that makes any sense
> is to make sure that all relevant systems recognize the
> difference between identification and authorization.

See, that's precisely where the problem lies: I could not agree more with you but the fact that you are completely, 100% right doesn't help me one bit if T-Mobile's computer system requires that I give them my SSN (which, by the way, may no longer be the case). And there's no point in arguing with the store manager because he likely doesn't have the power to do anything about it anyway and probably just doesn't care.

The fact of the matter is that you're making entirely too much sense. ;) SSNs were never intended to be used for authorization. That's why it explicitly said "For Social Security Purposes. Not for Identification" on the bottom of old social security cards.

These days, federal law says quite the opposite. USC 405 [C] and subsequent sections state that it's okay for any state or government agency to require an individual to provide their SSN "[...] for the purpose of establishing the identification of individuals affected by such law [...]".

In the Great State of California, you can, for instance, not even get a driver's license without telling the DMV your SSN. Since I don't see a connection between said (semi-)randomly assigned number and my ability to operate a motor vehicle, I'd have to wager a guess and say that the CA DMV does indeed use social security numbers for identification purposes. Fortunately, they don't just go ahead and use your SSN as your driver's license number, too (IL, I believe, used to do that).

And the fact that many private businesses and schools still use SSNs as unique identifiers and often display them quite prominently for the world to see (e.g. to people working in call centers half-way around the world) makes matters even worse. Because you will often find that people treat you like you're going out of your way to be a PITA if you refuse to give them your SSN. And that's all fine and well as long as we're talking about the likes of T-Mobile. Just use a different carrier, right?

Well, they all (used to) require that you give them your SSN. And so do most telcos, utility companies, landlords, banks, public schools, community colleges, DMVs, credit card companies, car dealerships (financing, etc.), cable companies and pretty much any government agency (state and federal) that issues any kind of license.

The answer to this dilemma? I'm afraid this time it really is legislation. Frankly, I'm not even sure if that would work but, at this time, it's our best shot. Congress won't do anything about this unless a few representatives have their identities stolen and experience first-hand what a PITA it is to have to deal with the fallout.

-Jörn

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
