Pete Lindstrom suggests:
My proposal: List SSNs publicly. The Social Security Agency can notify all of its intent to publish all SSNs at some point in the future – enough time for organizations to absorb and react to this news.
The net result is to eliminate the notion that perhaps SSNs are “secure enough” for some purposes given that they are at least slightly less-widely distributed than other identity demographics.
Firstly, banks already know that SSNs make lousy identifiers and authenticators. They won’t admit that to you as a customer, but talk to bank security experts at a conference, and they’re all searching for something that’s better, as easy to use, hard to lose, and lets them transfer risk elsewhere.
Let's continue considering the banker's perspective. They could try to use something other than an SSN as an identifier. But then they have to staff a help desk to recover lost passwords. The security of the system may go down because of the recovery mechanism, as it did when Paris Hilton's account was taken over by guessing the answer to her recovery question: her dog's name. So the banker's costs have gone up, and his security hasn't. Now let's say the SSN is public, and the banker chooses not to change his procedures.
What’s going to happen to the banker? Is the fact that an SSN is public going to change anything? Will courts suddenly start ruling differently on it? The bankers will close ranks, and describe this as “standard industry practice.” They will announce that, net of all the options, they all stink, and go home.
I remember a conversation at the first Financial Crypto with Michael Froomkin, about US crypto export controls. At some point, he said "All the neat technology demos in the world won't change the judge's mind." Publishing a list of SSNs is no different from publishing the source code to PGP. The courts will defer to Congress the creation of new liabilities.
Thus the right focus for reform is to ensure that whatever law Congress passes includes elements of California's SB 1386 (requiring disclosure of breaches), 116 (forbidding the use of SSNs as identifiers), and a new provision, forbidding the use of birthday, mother's maiden name, or social security number as an identifier or authenticator. The law should impose strict liability on anyone who uses those data as an identifier or authenticator, or who fails to disclose a breach in a timely manner.