Comments on: The SSN Is Also A Poor Identifier

By: Ryan Russell

Ryan Russell — Wed, 31 May 2006 15:43:15 +0000

Very good. Thanks to everyone for their attempts, and thanks to David for succeeding. :)

By: David Brodbeck

David Brodbeck — Wed, 31 May 2006 13:59:40 +0000

Ryan, think of it by analogy to a computer login. You have a username, which is the identifier. You have a password, which is used for authentication. The situation with the SSN is equivalent to your username and password being the same — using the same piece of information as both identification and authentication. You’re in the catch-22 of having to sometimes give out your username, so that people can email you, while also trying to keep it secret from people who might want to hack into your account. This is obviously unworkable.

By: Allan Friedman

Allan Friedman — Tue, 30 May 2006 21:29:55 +0000

Identity is a conceptualization of an individual–as a customer, a citizen, a friend on myspace, etc. Note that individuals have multiple identities: the Allan known to his thesis committee is different than the Allan known to his students.
An identifier is a property of an identity. A name is an identifier, as is a face. A firm can use an identifier (SSN) to
map an action (order) to an identity (customer profile). The use of an identifier can be termed with the verb “identify”. The process of identification is matching an identifier with an identity.
Identifiers may need to be authenticated. This can consist of determining that the presented identifier is valid (e.g. checksum computation, biometrics, etc)
The identification process may also need to be authenticated. That is, does the presented identifier really correspond to a specific identity. A company can use your name to find information that you need, but demand your SSN before telling you that info. In that case, the SSN is an authenticator, but not an explicit identifier. Alternatively, a company can just ask for your SSN to begin a transaction: by serving as both a key to the database (identifier) and verification of identity (authentication). Finally, a company could insist on using an SSN as a login, but require a password as well; here the SSN is an identifier but not an authenticator.
Some one can probably explain this more clearly….

By: Ryan Russell

Ryan Russell — Tue, 30 May 2006 18:34:37 +0000

I mean, I understand the difference between “identity” (noun), and “authentiacate” (verb) as parts of language… but the article(s) are getting at something different than that, or maybe I’m just reading too much into it. I’m not seeing the difference between the SSN representing me the noun vs. using the SSN to verb as me to some institution. How are they two different problems?

By: Allan Friedman

Allan Friedman — Tue, 30 May 2006 18:17:25 +0000

I think it’s important to tease out the harms from using SSN as an authenticator and an identifier. I would be hard-pressed to defend a widely-circulated and even published secret as a valid “something you know.” Adam is spot-on in arguing that this practice should be banned for any serious authentication (and if it’s not serious, why do you need authenticated identities?).
An interesting question for any lawyer types is how you would go about statutorily labeling a certain action as an authentication, as opposed to a mere identification. The difference is clear to me (see the NAS study “Who Goes There” or Jean Camp’s “Identity in Digital Government” Report) but is it equally clear in legislation and enforcement?
Adam’s points about the weakness of SSN as an identifier are good. Except, of course, my SSN already is an identifier, to the Soc Sec Administration at very least. Various other gov’t orgs use SSN/name tuples to verify to some degree, and I’m curious how much error at various levels is caused by digit-swapping, etc.
THe point about external issuance bears further exploration. The flip side of doing things inhouse is liability. If I use SSN as an identifier for my clients, I have to protect my own databases, of course, but the underlying system of issuance, documentation, etc is backed by the full faith & credit of Uncle Sam. If something goes wrong there, everything is FUBAR anyway. If my own system all kinds of fun protections turn out to be vulnerable to some evil-doer, a big ol’ class action will shortly follow.
So firms and institutions have an incentive to piggy-back on any handy federal system. And we have ourselves an externality…

By: Nikita

Nikita — Tue, 30 May 2006 17:02:17 +0000

Last I checked on the laws for collecting SSN information, they are very lax. They only apply to governmental organizations, so the private-sector can do what it pleases with SSNs, and even there, the government merely has to explain to you why it’s collecting the information.

By: Ryan Russell

Ryan Russell — Tue, 30 May 2006 16:40:16 +0000

Identity is who you are. Eg, I’m Adam. If I tell people I’m Ryan, I may or may not be able to pull of the impersonation. Authentication is ways of showing you are who you are. Many people could identify us by face or voice, or because we know various secrets. Authorization is the tie of “Ryan may (“is authorized to”) close bugs in the database.
I’m not sure there’s a good, lifelong way to “look up a persons financial rating,” as useful as it is to be able to do so. Biometrics fail, people lose body parts in accidents, etc.

By: Ryan Russell

Ryan Russell — Tue, 30 May 2006 16:09:17 +0000

I don’t get it. What’s the difference between authentication and identity? Is someone confusing the words “authentication” and “authorization” again?
Also, don’t we already have a law that says that SSNs aren’t to be used for anything but government taxes and social security? You know, the one we ignore all the time? The publishing them all idea, I assume, is supposed to make them so untrustworthy as to be useless for anything but their original purpose. And then everyone voluntarily quits using them for other things. I don’t have that much faith in people.
Another law which provides for criminal penalties would probably be neccessary. But that would just migrate the problem away from SSNs proper, to private-sector replacement(s). Maybe that helps, I’m not sure. I do believe that the need for some way to look up a person’s financial rating exists, so that need will be met, somehow. And that “somehow” will have similar problems.