|Received:||8/2/2007 10:28:46 AM|
|Agency:||Federal Trade Commission|
|Rule:||Private Sector Use of SSNs|
Comments:Please make all SSN's public as they should not be used for authentication and only for identification (thanks to http://spiresecurity.typepad.com/spire_security_viewpoint/2007/03/ssns_rerererevi.html for making this obvious) 1. For as long as we continue to pretend that SSNs are secret and therefore may be used as authenticators, they will be. 2. There are over 150,000 people (my estimate) with "defendable" access to your SSN right now. They aren't secret. 3. You are more likely by a factor of 10 to be a victim of identity fraud via one of these "authorized" folks. 4. The real problem is not how easy it is to get your SSN, but how creditors et.al. allow the SSN to be used as an authenticator (See #1). 5. The SSN is fine as an identifier. No, it is not perfect, but its main benefit is that it is already used in so many places.