Hacker News
Hackers may have leaked the Social Security Numbers of every American (engadget.com)
127 points by dataflow 7 months ago | 182 comments



There's been enough leaks from DMVs, credit bureaus, credit cards, and a myriad of businesses that require an SSN for verification checks by now that if every SSN wasn't already in the hands of attackers I would be surprised.


Don't forget the federal government itself. I've still got 1 year remaining from the 10 years of monitoring I got from the OPM breach wayyy back when.

Related, any company offering monitoring should be required to pay for a serialized version. The 10-20 or so settlements that require monitoring in my lifetime have been useless because I already have it for a longer period.


Same. It works out every time there's some class action over a spill because I can show that I have the credit monitoring and ask for the $3 or whatever from the lawsuit. A few more years of leaks and I'll have enough to buy a lego set for all the trouble.


Yeah, at this point, I assume that anyone has anything they want on me.

From what I read, the best thing you can do is freeze all credit reports and add a PIN to your tax efiling.


Has anybody ever gotten out of a debt by saying “I dunno why you think those credit cards are mine, everybody’s social security number is everywhere.”

I’d love to see a case like that. These data broker and credit bureau industries are obviously impossible to run safely and should be destroyed.


Yes, this is actually a common way of getting out of debt. Oftentimes the "proof" for a debt is lost in the tangled web of debt collection, and by the time someone comes around to collect, there's no tangible evidence the debt was valid.

It's a best practice to request proof of any outstanding debt before paying collections, and I've personally seen cases where friends have gotten out of a debt that went to collections simply by asking for proof, and when it wasn't provided, poof it went away.

I'm a sucker, and don't take advantage of this, but I don't blame anyone who does. Keep good records, and it won't be a problem!


I'm not a lawyer, but I'd imagine that claiming that for cards that are legitimately yours would be considered fraud and would probably land you in more hot water than the initial debt would.


The trick is you just turn it around. Don't claim the debt is not yours. Simply demand proof that it is.


It's only fraud if there's evidence showing you took out the debt. :)


Do you really think it's that easy? Any junior investigator could examine the purchases and tie them to you. If the card was really opened fraudulently it would be easy to show that the goods were shipped somewhere completely isolated from the cardholder.


It's not that easy when there's 2 or 3 degrees of separation between the source of debt and the collector. And also, what collections agency is going to go through that sort of trouble unless it's for maybe tens/hundreds of thousands of dollars?


You don't think it's possible to have an accomplice to ship the goods to? PO box under a fraudulent ID? Ship to random locations and pick it up before the home owner gets it?


> Any junior investigator could examine the purchases and tie them to you

That'd be evidence if it can be tied to the original debtor, no?


I wrote my comment on the premise that "why can't a cardholder lie and claim they never accrued the debt [on a specific card]". If an investigator analyzes all purchases from the card and finds many of the purchases were things you took possession of, or hotels you stayed at, etc, that's evidence against the liar who falsely claimed to be a victim of so-called 'identity theft'. It's very hard to launder purchases without some trail leading back to you.


By the time it gets sold once and you are 5 years in, the evidence is vapor. If it's tied to assets, or large enough, they will come for them tho because bounties.


Of course, but there are plenty of people who are willing to risk committing crimes if it benefits them financially.


I’m not sure specifically what context we’re talking about. In court, sure. Talking to debt collectors? They aren’t the police, in the very least you aren’t under any obligation to answer any questions you don’t want to, right?

I don’t recall, I’d have to look in my records, why don’t you send me whatever proof you have and I’ll see if I can find anything?

These are pretty slimy businesses, they should be treated as such.


> I’m not sure specifically what context we’re talking about. In court, sure. Talking to debt collectors? They aren’t the police, in the very least you aren’t under any obligation to answer any questions you don’t want to, right?

As far as the question of if something is or isn't fraud, why would the context matter? As far as I know fraud has nothing to do with perjury or being under oath. If you intentionally lie to a debt collector in order to get out of a legitimate debt, I think that would fit the definition of fraud.


> credit bureau industries are obviously impossible to run safely and should be destroyed

I am not sure I agree with that premise.

I would say there are literally no incentives to secure that data and no penalty for leaking it. Hence for profit businesses will never operate this securely.

I think it’s the same conclusion but a worthy distinction


There's no way for someone to make an identifier that's also a secret secure. You could have huge penalties, give the corporate death penalty, and you'd simply see old insecure companies replaced with new insecure companies. Add a real death penalty for the CEO, and you'd just find all the new companies are run by people who have nothing left to lose (or death row inmates suddenly find they have a bunch of new opportunities).


Secure identification is a solved problem, you have a public part and a hidden secret part. Everyone knows your public part, but the companies never know your secret part so they can't impersonate you.

This is what other countries are doing, this is a solved problem so identity theft shouldn't happen any more in any competently run country.


That doesn't solve the whole problem. Identity is fundamentally about what you are. What you have, or what you know, are merely proxies, and they need to be connected to you in a trusted way, which is hard to do in a robust and efficient way.

Or, in other words, when you misplace your private key, you don't want to irrecoverably lose everything you have. Fortunately, the world isn't some nightmarish cryptocurrency dystopia - there are ways to prove you owned the lost credentials and keep the ownership of what you had. The flip side of it is that someone else can prove they own your stuff too, with enough effort.


It solves the problem of having to give the company enough information for them to steal your identity in order to do business with them. That isn't a power companies should have over you, and those who do should be extremely heavily regulated to ensure their data protection is top level quality.

This way it isn't a big deal if small businesses leak data, since they don't have the important parts, so they don't need to be regulated that hard.


You may be taking a narrow view of "the problem". Stella Rimington, head of British (internal) intelligence (MI5) courageously spoke some clear truth a couple of decades ago. She said there isn't and cannot be a reliable connection between information and an active body in the world with agency. In other words, she thought "identity" is a weak idea and forcefully opposed the idea of "ID cards".

Individuals may occasionally be of interest in intelligence, but less than you think. Identity really comes from banking, law and medicine so that we don't give the wrong person money, drugs or put the wrong person in jail. It's low-level, procedural, civic stuff.

Beyond that there's a lot more dark, unwanted applications of identity and we forget how much it is a cultural artefact of the individualistic society we presently inhabit.

We do have plenty of nearly-good ways of _re_cognising_ a living person, if we have previously "cognised" them. Images, voices, faces, and various biological scans are all limited and likely to be defeated with coming technology.

So separating "trust" (as expected behaviour) from identity is a major challenge, and a most fascinating one. They are not the same thing.


Could you share a quote or source for others to check out what she said? It sounds very interesting, I'd love to read or listen to what she had to say there.


These [0,1,2] are press opinions on her opposition to ID back then. The woman behind all that is far more interesting, but I can't find you more direct sources. She's a writer (fiction) too and may have expressed more in her autobiography or stories after coming out.

[0] https://www.theguardian.com/uk/2005/nov/16/idcards.uksecurit...

[1] https://www.mirror.co.uk/news/uk-news/a-really-bad-idea-5656...

[2] https://www.theguardian.com/uk/2005/nov/17/idcards.immigrati...


> Her own opinion was that ID cards would be of use "but only if they can be made unforgeable".

Internet identifiers with private keys are unforgeable unless the certificate authority is compromised, so seems like she would be in favor of this.

There is no disadvantage with this compared to just having a public identifier with no private part (current SSN scheme in USA).


> so seems like she would be in favor of this

No I don't think she would approve of any zealous solutionism. Not that I personally drink tea with her, but from what I've read SR occupies that class of intellect that deals in philosophical fundamentals of human affairs high above the 'technician' who says "Oh we've solved this with new fangled thing X now". And I'd bet my comfiest boots on some "certificate authority" being compromised before the ink is dry on this comment. I mean... look at what the title of this thread is about. :)


> There's no way for someone to make an identifier that's also a secret secure.

There is, but it requires asymmetric cryptography, so entities can verify you have access to the private key without having access themselves.

And that would be more technically sophisticated, and difficult to deploy, so I don't see it happening any time soon.
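As an added illustration of the scheme the two comments above describe (a public identifier plus a private part that relying parties verify but never hold), here is a small challenge-response flow in Go. This is not code from the thread or from any real identity system; the registry, the `examplebank` relying party and the identifier `123-45-6789` are constructed for the example. The relying party issues a fresh, single-use challenge bound to its own name and purpose, the holder signs it with an Ed25519 private key, and the relying party checks the signature against the public key on file. Someone who has the entire leaked registry, or a signature captured from another business, still cannot pass the check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Registry maps a public identifier (everyone may know it, like an SSN) to a
// public key. Leaking this whole table gives an attacker nothing to sign with.
type Registry struct{ keys map[string]ed25519.PublicKey }

func NewRegistry() *Registry { return &Registry{keys: map[string]ed25519.PublicKey{}} }

// Enroll publishes a person's public key under their identifier.
func (r *Registry) Enroll(id string, pub ed25519.PublicKey) { r.keys[id] = pub }

// Holder is the person. Only the holder ever sees the private key.
type Holder struct {
	ID   string
	priv ed25519.PrivateKey
}

func NewHolder(id string) (*Holder, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Holder{ID: id, priv: priv}, nil
}

// Public returns the half of the key pair that may be handed out freely.
func (h *Holder) Public() ed25519.PublicKey { return h.priv.Public().(ed25519.PublicKey) }

// Respond proves possession of the private key by signing the challenge.
func (h *Holder) Respond(challenge []byte) []byte { return ed25519.Sign(h.priv, challenge) }

// RelyingParty is a business (a bank, say) that must know it is dealing with
// the enrolled person, yet never receives anything it could reuse elsewhere.
type RelyingParty struct {
	Name     string
	registry *Registry
	issued   map[string]bool // outstanding challenges, keyed by hex encoding
}

func NewRelyingParty(name string, reg *Registry) *RelyingParty {
	return &RelyingParty{Name: name, registry: reg, issued: map[string]bool{}}
}

// Challenge builds a single-use message bound to this party and purpose, so a
// signature obtained by one business cannot be replayed at another.
func (rp *RelyingParty) Challenge(purpose string) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ch := append([]byte(rp.Name+"|"+purpose+"|"), nonce...)
	rp.issued[hex.EncodeToString(ch)] = true
	return ch, nil
}

// Verify accepts a response only if the challenge is one this party issued and
// has not been consumed, and the signature checks against the key on file.
func (rp *RelyingParty) Verify(id string, challenge, sig []byte) error {
	key := hex.EncodeToString(challenge)
	if !rp.issued[key] {
		return errors.New("challenge not issued by us or already used")
	}
	delete(rp.issued, key) // consume: every challenge is single-use
	pub, ok := rp.registry.keys[id]
	if !ok {
		return errors.New("unknown identifier")
	}
	if !ed25519.Verify(pub, challenge, sig) {
		return errors.New("signature does not verify for this identifier")
	}
	return nil
}

func main() {
	reg := NewRegistry()
	alice, err := NewHolder("123-45-6789") // constructed identifier, not a real SSN
	if err != nil {
		panic(err)
	}
	reg.Enroll(alice.ID, alice.Public())
	bank := NewRelyingParty("examplebank", reg)
	ch, _ := bank.Challenge("open-account")
	fmt.Println("genuine holder:     ", bank.Verify(alice.ID, ch, alice.Respond(ch)))
	fmt.Println("replayed challenge: ", bank.Verify(alice.ID, ch, alice.Respond(ch)))
	// Mallory holds the leaked registry (identifier and public key) but not
	// Alice's private key, so her signature over a fresh challenge fails.
	mallory, _ := NewHolder("mallory")
	ch2, _ := bank.Challenge("open-account")
	fmt.Println("impersonation:      ", bank.Verify(alice.ID, ch2, mallory.Respond(ch2)))
}
```

The design choice worth noting is that the relying party never stores a secret belonging to the holder: a breach of the bank or of the registry exposes only public keys and spent challenges. Binding the challenge to the relying party's name and consuming it on first use is what stops a signature collected by one business from being presented to another, which is exactly the property a shared-secret SSN lacks.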


Right, it's not like you have a public identifier (your email address) with a secret (your password or even MFA)...

Could you imagine if we just treated knowing your email as being proof it was you in financial deals?


> There's no way for someone to make an identifier that's also a secret secure.

umm what? Private-Public key authentication exists.


The public key is, by definition, not a secret.


I agree.

I think it is not theoretically impossible, but it is that we live in a world where these services are offered by race-to-the-bottom-of-the-barrel providers (to merge a couple of expressions).


Then it's called "Identity Theft", and deflected back to you as your problem to resolve. But, it's no big deal. I'm sure everyone everywhere qualifies for a year's worth of free credit monitoring.


> it's called "Identity Theft", and deflected back to you as your problem to resolve

Not really. At that point it becomes an open question that both sides will furiously try to resolve in their favour.

What you're advocating (and I agree with) is biasing the odds in favour of the allegedly defrauded. For example, if you file an affidavit of identity theft with a credit bureau (or court), collections on that item are suspended for a fixed amount of time.


When someone uses my SSN to set up a loan, I'm not the victim, the bank is. There's no such thing as identity theft. That's just good marketing and a genius sleight-of-hand to move the responsibility and blame away from the entity that allowed itself to be defrauded.


> When someone uses my SSN to set up a loan, I'm not the victim, the bank is

If someone steals your car and uses it to run over a pedestrian, both you and the pedestrian are victims. They're far more damaged. And you aren't at any fault, even if you e.g. didn't lock it or even left it with the keys in. It's still going to create a mess for you.

Fraud involving a stolen identity is similar. The defrauded is most damaged. But the person whose identity was used is also in a mess. Obviously, if a bank has a loan in your name it's going to need to talk to you to straighten things out. And the way it would prefer things be straightened out is also, obviously, that the loan be paid versus poofed. (And on the other side, there are also going to be people who borrowed money who claim they never did.)


If someone steals my car and kills someone with it, I'm not liable for murder. I just had a car stolen.

If someone who looks nothing like me steals my passport and convinces someone to loan them a bunch of money, I'm not liable for that money, the person who loaned money to someone without checking the photo is just out of luck.

If the bank does the above, suddenly it's my problem for "getting my identity stolen".


> If someone steals my car and kills someone with it, I'm not liable for murder. I just had a car stolen.

Right. You're a victim. And you'll probably be involved in the process of investigating and resolving the manslaughter.

> If someone who looks nothing like me steals my passport and convinces someone to loan them a bunch of money, I'm not liable for that money

Right. But you're obviously going to be involved in sorting out that mess, even if that begins and ends with "fuck off."

> If the bank does the above, suddenly it's my problem for "getting my identity stolen"

How? If someone opens a credit line in my name in a foreign country, and I'm never contacted about it, it's not my problem. It only becomes my problem if they try to take my stuff.

Identity theft is in the same category, from the victim's perspective, as a bank error. If a bank mistakenly initiates foreclosure proceedings against me, that's their mistake. But it's my problem. That's the basic reality of the situation. (For a lower-level analog, if you accuse the wrong person of a crime to a police officer, that's your mistake. But it's their problem.)

What you're recognising is how much more powerful the bank is than you or me. Given how common identity theft is, they shouldn't be given the benefit of doubt they (or anyone else) would if they had a piece of paper purporting to promise something from us to them. But we have to recognise this isn't a return to the status quo; we're creating an exception.


If someone kills someone with my car, and I do nothing, I'm innocent until proven guilty.

If a bank mistakenly initiates foreclosure proceedings against me, and I do nothing, what happens?


> If someone kills someone with my car, and I do nothing, I'm innocent until proven guilty

Yes. That doesn't mean you won't have any inconvenience.

> If a bank mistakenly initiates foreclosure proceedings against me, and I do nothing, what happens?

You're describing seizure. If I walk into your home and steal something and you do nothing, what happens?


The point is that if the bank gives someone a loan in my name, I'll have to prove it wasn't me, it's not the bank who has to prove it was me.


> point is that if the bank gives someone a loan in my name, I'll have to prove it wasn't me, it's not the bank who has to prove it was me

They do. When they file for e.g. foreclosure, they're submitting proof to competent authorities. You're disputing that proof because it's bad proof. But they--and the authorities--don't know that. It looks like regular proof. It's a conventional adversarial set-up. It's just incredibly unequal.

What I'm getting at is this isn't some weird switcheroo. It's how contracts work in general.


I'll have to defer to you, I'm not very familiar with these processes, and I don't want to argue more fervently than my limited certainty allows.


I think you two don’t really disagree, one of you is describing what ought to be and the other is describing how the system is currently rigged, unfortunately.


> If someone steals your car and uses it to run over a pedestrian, both you and the pedestrian are victims. They're far more damaged. And you aren't at any fault, even if you e.g. didn't lock it or even left it with the keys in. It's still going to create a mess for you.

The degree of which the individual is victimized is a direct result of the bank's efforts to push all fault and responsibility to the person who had their information used for the fraud. I would argue that the bank is victimized by the fraudster and the bank chooses to transfer the fallout of the victimization to the individual.

Of course, the difference in your example and the identity use is that one is tangible and the other is not. If someone steals your car, you've lost your car. If someone 'steals' your identity, you haven't lost it.

> Obviously, if a bank has a loan in your name it's going to need to talk to you to straighten things out. And the way it would prefer things be straightened out is also, obviously, that the loan be paid versus poofed. (And on the other side, there are also going to be people who borrowed money who claim they never did.)

True, but it shouldn't be my responsibility to prove I didn't take a loan, but instead the bank's responsibility to prove that I did once I make the claim. If they don't like the work involved, then they should perform better due diligence before giving out money, or accept this risk as a cost of doing business.


> If someone steals your car, you've lost your car. If someone 'steals' your identity, you haven't lost it.

Valid. Imagine it's a car you never use, didn't care for and won't replace. The inconvenience of being proximate to a crime is what I'm getting at.

> it shouldn't be my responsibility to prove I didn't take a loan, but instead the bank's responsibility to prove that I did once I make the claim

I know only one person who went through full-blown identity theft. Most of the consequence was in halting creditor actions. They weren't proving they didn't take out the loan as much as disqualifying attempts to seize their stuff. What made it stressful was there being no way to know when you're out of the woods.


Or, someone steals your car, commits a murder with it and places it right back at the same location in the exact condition.

The police will come after you and you will need to explain. But you still have your car.


> If someone steals your car and uses it to run over a pedestrian, both you and the pedestrian are victims. They're far more damaged. And you aren't at any fault, even if you e.g. didn't lock it or even left it with the keys in. It's still going to create a mess for you.

A more fitting analogy: Imagine a bad actor buying a car that strongly resembles your own (same make, model, year, and color), then they convince the DMV to give them a duplicate of your license plate. In this analogy, the DMV is the bank.

The bad actor runs over a pedestrian. Sure, it may be a headache to prove that it wasn't actually your car, but once you do so, how much of the responsibility should you hold?


> may be a headache to prove that it wasn't actually your car, but once you do so, how much of the responsibility should you hold?

This is a good analogy. You shouldn’t hold any responsibility. But you’ll still have a problem that takes a lot of work to resolve. The impetus of resolving that falls to you.


Technically, there is legal precedent in Canada that concluded unsolicited credit services are not legally binding. i.e. unless you personally asked/signed a request for some service, it is illegal to issue a bill for that service. These laws were a consequence of early credit-cards mass-mailing campaigns that just issued debt products to random people. Today, many legal cons still issue bogus invoices to companies everyday for things no one asked for... and sometimes you have to be careful how you handle the response (ahem, Google appliances... cough cough...)

Accordingly, up North an individual is only responsible for a few hundred dollar fee under fraudulent use of a credit card situation. i.e. even if you don't catch the billing errors fast enough to lock your card, you are generally not responsible for a criminal's use of credit services without your knowledge.

When we were starting out, I made the mistake of paying for our IP lawyer's dubious LexisNexis subscription for a year, and then was hit 4 years later with a collection agent's bill (initially we thought it was a scam)... because the former employee just kept using the service. Note, because I had initially agreed to pay for the journal subscription, my lawyer said it was cheaper to just pay them the $14k to get the matter settled (we were displeased as you could imagine.)

The lesson here is be very careful about saying "yes" to things when you don't fully understand the consequences. There are unethical people that make their income from legal shenanigans pulled on new businesses.

Have a great day, =3


The small private college I attended in the early aughts used your SSN as your student ID and it was printed on everything. Transcripts, official records, basically any piece of paper with your name on it. You'd even speak it aloud to the worker at the book store to pick up your books for the semester. It was everywhere.

As a kid twenty years ago, I was mildly bothered by it but imagined they must know what they are doing.

Looking back at near 40, with the hindsight of years, I'm flummoxed. Like, what the hell, whose absolutely terrible idea was this?


To be fair, that's pretty much the intended usage. The SSN is supposed to enable them to figure out exactly which John Smith they're looking at.

It's a serial number, not a shared secret. It sounds like your college treated it as such.

The real problem with SSN is the prevalence of unintended usage.


I would have sworn I've read the opposite but found this history [1] outlining usage of SSNs:

> Private sector use of the SSN is neither specifically authorized nor restricted. People are asked for an SSN at banks, video rental outlets, hospitals, etc., and may refuse to give it. However, the provider may, in turn, decline to furnish the product or service, leaving some to conclude they have no real choice.

> Throughout the history of the Social Security program, the SSN, originally intended to be used only to record Social Security earnings, has been adopted for other purposes, both governmental and private. The broad-based coverage of the Social Security program makes the SSN widely available and a convenient common data element for all record-keeping systems and data exchanges.

[1] https://www.ssa.gov/history/reports/ssnreportc2.html


> the intended usage

IMHO, as the name suggests, the intended usage is for social security. We're not supposed to have Citizen ID numbers which is why the number has been shoe-horned into this role.


>The real problem with SSN is the prevalence of unintended usage.

There is nothing more permanent than a temporary solution, and nothing more temporary than a permanent solution.


In the 1980s, professors used to print out the list of exam scores and tape it on their office door so students could check their score (something younger generations would find quaint, I'd imagine). Because people might be embarrassed by their score, they were "anonymized" by student ID rather than by name. As in your case, our student IDs were our SSNs and nobody saw a problem with it yet (I'm a bit surprised that in your school's case they were still doing it in the early 21st century, but institutional inertia, I suppose).


I assume some schools today are still using SSNs as if it's not a PII issue.


Had basically the same experience at a large public college. I had classes which would print out a list of SSN and test scores for everyone in the room to look at.

Before the Internet SSN was "presumed secret" but it became a tragedy of the commons. By 2000 it was the equivalent of your public key and should have been treated as such by institutions, never used as password like that bookstore did.

Student ID card would have been the right way to verify identity at a college; I'd forgotten the SID defaulted to SSN, which was also really lazy decision!


It was also my first DL number. Both colleges and VA DMV changed to calculated serial numbers around the same time (late 90s, IIRC).

But, to me, using SSN as a unique serial number feels correct. As somebody else mentioned, that's what it is - a serial number, not a shared secret. "Which John Smith are you?" is very similar to the VIN on a car answering "which Honda Civic?" SSN never proves that you are actually the John Smith you claim.


My dad etched his SSN on his tools back in the day. It was my student ID as well. Wasn't the SSN not considered secret until later when more transactions happened online instead of IRL where it was harder to impersonate someone?

The bad idea was to try to convert a semi-public number into a secret identifier.


I forgot all about that!

Back in the 80's, NYC had a program where the local police stations would lend you engravers so you could engrave your SSN on your TV, stereo, etc., so they could be returned if they were stolen and found. Probably also made pawn shops more reluctant to take them.

Guess it made sense at the time ;-)


The bad idea was to have a secret identifier in the first place. Who thought that "a ten digit number printed on a bunch of documents" was a good thing to use as sole proof of someone's identity?


Slightly related, my uni ID was a prefix for the campus + year of admission + serial number.

The serial number was sequential based on last name, so you could essentially guess anyone's student ID if you had a couple of data points of last name : serial number.

As far as I know no one used it for nefarious purposes, but it was a cool party trick to guess someone’s number.


I bet they're still doing it ;)


Nope. They shut down in 2012 and their campus was taken over by a popular coding bootcamp.


Ah interesting, I wouldn't be surprised if other colleges are doing this kind of thing to this day though...


Great, the sooner a 9 digit number stops being significant, the better. They were never meant to be a ubiquitous identifier/authentication token.


They are a very useful identifier. However they only prove that someone with such a name exists. They are not enough to prove that the given person with that number is the unique person they say they are.


It should be harder for you to impersonate someone else via their SSN than it is to take a stolen card and purchase a $5 coffee.


I agree, but what makes it hard shouldn't be having access to that number, it is verifying the number belongs to the person you are trying to impersonate. There is great need for an impersonal unique id for everyone - there are dozens of people in the world who share the same name as me. It is possible that some of those people share the same birthday as me as well. For most purposes I want to go by my name, but when you need to be sure you need a unique ID.


They were never meant to be a ubiquitous identifier/authentication token.

But they de facto are and have been for longer than they haven’t. At some point, it becomes an abdication of responsibility by the SSA, no matter how much they kvetch about it being “not their problem”.


The case against using SSN in unintended ways is not the problem, I don't think there is any serious opposition to that idea.

The problem is the case for making a viable replacement for such usages.


I've never really understood why it's supposed to be considered secret but also has to be given out sometimes and also can't be changed unless in witness protection.

(Information all from Hollywood.)

Other countries don't seem to have this problem? You can have my bank account number, driving licence number, passport number, national insurance number if you want?


It's because Americans have a libertarian streak and instinctively mistrust the government, so we've historically resisted any sort of federal ID program. Because the federal government has to keep track of you somehow, and every American (more or less) already had a unique identifying number, the government started using those unique identifying numbers to identify us for tax purposes. This started being a convenient way for private corporations to ask the government "Wait, who's supposed to be identified by this number?" for employment and loans, and then people decided that it would be better to use this instead of any sort of, you know, online ID, to identify people for credit card applications.


I'm British, we've also resisted it, which is why the closest thing to a national identity document I listed was a driving licence or passport. It's not uncommon to have a provisional driving licence (learner's permit to you I think) purely for the purpose of being ID'd for alcohol or whatever.

For tax I would use my national insurance number and any form of photo ID to register for an online account, or you can do a paper form but I don't know how they verify identity if you're claiming a refund in that case.

A credit card application would similarly want a copy of photo ID and probably a proof of address (like a bank statement or utility bill).

There's nothing wrong with having the number, I have a national insurance number, I have Self-Assessment Tax Return numbers (I think it's unique each year), it's the secret bit I don't get.


Remember, our driver's licenses are issued by the states, not the feds. That means there's 51 competing standards, and not all of them conform to the requirements of the feds (hence the slow, partial roll-out of RealID).


The lack of a federal ID is almost irrelevant at this point. Most states have moved to "Real ID" which requires almost as much if not the same to get as a passport (federal ID). Requirement to have that has been coming (and admittedly pushed back several times) for a long time.


It was also heavily rejected as a "number of the beast" by far right Christians -- who are consistently able to get guys like GW Bush and Trump elected.

No one on the left really cares that much -- they have their own sacred cows and causes of the year -- so nothing really changes.


Good maybe we'll finally pass a bill to give us better working public identification numbers.


Unlikely. We have terrible, dangerous, expensive, painful de facto national ID, none of which bad elements hinder use of it (with associated government and private databases) for the purposes people worry about, but a huge segment of the right and a fair amount of the left won’t let us fix it because they fear a good version would be misused, and/or that it’s the “mark of the beast”. Never mind that the horse is already out of the barn I guess. So we’re stuck with a bunch of extra lost time and money for no reason.


> because they fear a good version would be misused, and/or that it’s the “mark of the beast”

I'm aware of and share the concerns about misuse (it has happened, see the tax ID debate in Germany), but what the fuck is that with "mark of the beast" relating to ID cards?!


I know it seems crazy but it’s a real thing. There’s been litigation related to it over social security numbers, even. I’ve known people IRL who are sure any ID improvements are a move toward the rise of the Antichrist, and these were otherwise “normal” Christian folks. It’s fairly widespread, as nutty concerns go.


Well, there's a Venn diagram where there is overlap of legitimate concern over tracking people and these religious beliefs. OTOH SSNs are like the least of problems compared to how tracking is all over our digital lives.


> legitimate concern over tracking people

Why couldn't the government use SSN to track people? There is no way to avoid tracking in situations where you need to identify yourself, regardless of how you identify yourself, so why not make a robust way to identify yourself?


Yes, I agree. Just pointing out that their worldview is not entirely dissonant with actual problems. Not saying it’s right.


They think that a unique number for each person would let the government oppress people. Basically they think it makes it easier for the government to track you, even though current usage of social security number gets the exact same effect without any of the advantages of a mandatory national id number.


That, yes, but a surprisingly-large-to-rational-bubbled-HNers set of Americans actually worry that any kind of national ID program is part of the rise of the Antichrist to power and that having one puts them under, or will in the future put them under, the Antichrist’s power. Seriously.


I have never encountered anyone claiming the antichrist has anything to do with IDs.


Oh I certainly have. I've seen this quoted by my crazy family members:

Revelation 13:16-17 (King James Version)

16 And he causeth all, both small and great, rich and poor, free and bond, to receive a mark in their right hand, or in their foreheads:

17 And that no man might buy or sell, save he that had the mark, or the name of the beast, or the number of his name.


Yeah, the first one is kind of nothing (as long as the mark location is taken figuratively and not literally, it could even mean something like a phone number), but the second one kinda came to the forefront around 2022 when governments started talking about vaccine passports and the possibility of using them to deny access based on vaccination status.


It's an extremist argument that has at times been used in fundamentalist Christian circles. It's not a widespread refrain, but there are people who don't want any kind of government tracking and use that argument to persuade some Christians.


Be careful what you wish for.


I think we can come up with a far more sophisticated solution than ID numbers using PKI. Whether that's a good thing or not is unclear.


Issued by whom? The states vs federal ID is still a very polarizing conversation. I see no way that all 50 states will ever agree on the exact same system. Look at the RealID situation.


> The data, which is unencrypted, is believed to have been obtained from a broker called National Public Data.

I'd be happy to join a trillion-dollar class action lawsuit against whomever assembled this data without securing it.


Most of my life my SSN was also my driver's license number. Then my state a few years ago changed the numbers. Great! Now some hotels want to copy both sides of your license before renting you a room. My doctor's office and local hospitals copy them too.

A few years ago, Capital One credit cards wouldn't let us pay our bill online, which we had done for several years, unless we sent them a copy of both sides of our DLs! I called them and said no thanks and they said I would have to begin paying through the mail. We paid off both cards and canceled them.

Having said all this, it's prob just a matter of time before my DL number is hacked by someone through some weakly secured site.


What state has drivers license numbers the same as your social security number?


Now? None. I believe they've all done away with it. In the past, quite a number of states. Mine was originally, but I was able to change it in 1995, when Virginia began offering people the choice of SSN or a DMV number. (It was the result of efforts by the ACLU and others.)


Many states have done all or part of the social security number on drivers licenses. Thankfully not ones I've lived in, but a Google search will yield lists.


Back in the 80s, University of Illinois at Chicago used SSNs as student ID numbers. Until you memorized your five-digit userid (I was U10754) you could login with your social security number, so I would type [just kidding].


My DL number is predictable if you know my name and birthdate and when I got my drivers license. :D


Fortunately Social Security numbers aren't used for anything other than Social Security! Right?

Right???


It's fine to use them for disambiguation purposes. It's not fine to assume that just because I know someone's SSN (and maybe their DOB) I am that person.


Medicare replaced SSNs with a Medicare-specific ID, which seems like a move in the right direction.


Maybe we can finally stop using the SSN as if it were both a public and private key...


A few weeks ago I started receiving notices that my SSN was detected online by the identity monitoring company I use. I guess this is the source of that.

Around a year ago my identity was stolen (new CCs opened in my name). At that time I froze my credit on all 3 of the agencies. It's easy to turn it off/on with a switch so I have left it frozen. It's a good feeling knowing that no one can open a new CC in my name.


Have been reluctant to use the nuclear option of freezing my credit, but since it's likely my name, Social Security number, and address are available from at least one leaked or OSINT source, or can be cross-referenced between them, it would be trivial to open new lines of credit.

So time to freeze:

- Experian

- TransUnion

- Equifax

- ChexSystems

Am I missing anything else?


I only did the top 3, haven't heard of "ChexSystems" before.


I had mine frozen and after a few years they seemed to forget my keys to unfreeze it. I use a password manager so maybe I messed it up, but it is very fragile.

Another credit bureau says I don’t exist despite dozens of credit cards, 4 mortgages, and student debt. They need me to fax a copy of my license to prove I’m a real person.


And a state license is very easy to spoof/fake, especially over lossy formats like email/fax.


What service are you using that provides a single "switch" for all 3 agencies?


Unfortunately, you have to make accounts on each agency. You need to find the way to "freeze" on each site. They will try to sell you a "lock" option, but the "freeze" option is free (federally mandated).


That may stop someone from opening a CC in your name, but not someone impersonating you to get a driver's license or sign up for government benefits or rent an apartment (not all of them run a credit check).


Sadly, financial institutions will continue to use knowledge of your SSN and DOB as proof that you are who you claim you are. And if you're not, that's the problem of the sucker whose identity got stolen.

Financial institutions in America prioritize convenience over security.


The problem is that y'all unlike most/all of Europe don't have a requirement for people to possess a government issued ID card with a picture on it.

In Europe, we use these as "root of trust" - either in physical form or in electronic form.


> The problem is that y'all unlike most/all of Europe don't have a requirement for people to possess a government issued ID card with a picture on it.

You aren't required to possess one in Europe either, but you get assigned a unique number at birth to identify you.

Of course life is hard without identification, but there is no law mandating that you get one, at least not in all EU countries; maybe some of them do.


What's better is Congress wants to tackle piracy (which will never be stopped) by frivolous bills like SOPA, and make backdoors for encryption to "catch the terrorists / bad people" but nobody wants to fix identity theft. Heck, now we're all having to have stupid cookie dialogs on every website.


This is trivializing the amount of backend system migration that's required to change core identifiers.

If they could push a button and use new identifiers, they'd do that today.

However, in reality that means cracking open 50 years of code and systems.


You don't need to change the core identifiers. You just need to stop treating (at an institutional and broader system level) mere knowledge of those identifiers alone as sufficient proof of a user's authenticity. For the most part, the 50-year-old hard-to-change code is already surrounded by other systems which can be adapted more easily anyway.


Point, in internal vs external sense.

What else would you use though? (in the US)

I can't think of any broadly-existing alternatives. You could perhaps have people opt-in to a newly-created, cryptographically-secure ID replacement.


This is the real and hard problem to solve. As far as I know, there are identity-verification services using other, semi-publicly-available data, which can still be spoofed for a lot of people, and some that use just-in-time photography (of your face, driver's license, passport, etc.), but that relies on more on-device security (and thus less end-user ownership of their devices).

It ultimately falls to the government to provide a more robust solution.


Well, then these institutions can take more responsibility when their weak auth is exploited to defraud innocent people, vs "sucks to have your 'identity' stolen!"


The owner of Jerico Pictures, Salvatore Jr. Verini, also registered a new company this year called National Criminal Data LLC.

https://search.sunbiz.org/Inquiry/CorporationSearch/SearchRe...


What else is new? It seems every week there is some massive data dump of private information. Until people/CEOs start going to jail for lapses in security that allow these hacks to happen, things will not improve.


or, we could stop using the SS number that you are required to give to people like employers as a de-facto national ID, and credit ID, and also a secret that just knowing seems to authenticate you.


Under what law would a CEO go to jail for being hacked?


We'd almost certainly have to write a new one, but there are several straightforward ways to do it if we had the political will. An off-the-cuff example that could certainly be improved:

Definitions: Government Identification Data includes Social Security Number. Bulk Extraction means any removal of data more than element by element. Unauthorized Third party means any person who the Company does not intend to grant access to. Intentionally Retaining means that a company chooses to ask clients to supply information which is then saved in a way accessible to the company for any reason in the future.

Law: Any company maintaining Government Identification Data must select someone as personally liable for the security of said data. If the company does not have a person who accepts personal liability, this liability transfers to the Chief Executive Officer of the company. In order for the liability to be considered transferred, the Company must keep on file a notarized copy of an affidavit accepting such liability. Any company intentionally retaining any Government Identification Data must do so in a system that does not allow for Bulk Extraction by any Unauthorized Third Party. Failure to do so is considered Willful Negligence on the part of the company. Any company guilty of Willful Negligence herein described must forfeit the greater of 15% of their previous yearly revenue or 5 times the Gross Annual Compensation of the most compensated employee. In addition, whoever the company has selected as outlined above shall be incarcerated for no less than 12 months and no more than 60 months.


We could (and should) create a personal criminal liability for management over cybersecurity.

Specifically one that flows past the CISO and prevents that role from being a firebreak to insulate the CEO.


The "fall guy" problem strikes me as nontrivial. Even if you add to the law that the CEO always has liability for any data leak, a sufficiently well capitalized company run by someone aware of the liability would simply create a shell company that owns all of that data. You could disallow company transmission of said data at all but that is going to cause problems when trying to actually verify said information . . .


Well the plebs are all in debt and have no cash to steal. They are already being exploited to the hilt by every mindless over-optimizing corporate robot.

It's how the Elite are reacting to their data floating around that should be focused on.

They aren't calling for changes in companies, because companies are proactively running to them with "new services" to protect them and their families and well paid servant class (ie the exec class) who are all quite clueless and constantly get into all kinds of cyber trouble. Google "cyber concierge" services.


mirror of the leaked data:

   awk 'BEGIN{for(i=0;i<=999999999;i++)printf"%03d-%02d-%04d\n",i/1000000,i/10000%100,i%10000}'


The distribution of SSN numbers in the US is well known including the special use for railroad and US territories with sequential numbers. I dissected much of that through historical publication of the death master database and made a lookup for it at https://numchk.com/ as a fun side project.


I'm from the USA so I don't have great perspective here. Don't other countries have basic secure chips in their cards? Don't they attenuate or whatever similar to how NFC works?

I mention it because I have little hope in going after the scammers legally or playing cleanup later.


I do not care. My SSN has been leaked for a decade at least. I have freezes on all my credit history. I file my taxes with a PIN. I need photo ID to get medical treatment and get it billed to my insurance. SSN is not the secret thing it once seemed to be (but never really was).


Why has the US government never forbidden anyone else from using it?

Is it just the usual "the US government is catastrophically compromised by the private data monetisation industry"?


Mine has been leaked so many times at this point that I'll openly share it with anyone that wants it. Anyone here want my SSN? Just DM me. <3


What’s interesting to me is that the company, “National Public Data”, is a wholly owned subsidiary of a company called Jerico Pictures (yes, without the h).

What the heck business model explains a video production company owning personal data for practically every American? I feel like there is a lot more than meets the eye on this one.


I agree that there's probably more to it than meets the eye. But a lot of companies are basically just holding companies that don't actually do anything economically useful on their own, eg IAC (the CEO of which is now lobbying for the removal of the FTC chairman).


> It's said that the business assembles profiles for individuals by scraping information from public sources and then sells the data

... or a lot less than meets the eye


Yes but what’s a production company doing with that data? It seems an odd pairing.

And where are SSNs posted “publicly”?


The sooner Americans don't have an unauthenticated, reused, primary key and serial number, the better.


And why is one magic number so critical?

No one checks who uses that number? How is that even a thing?


I have identity protection from three different leaks now...


Social Security numbers should simply be banned.


> Hackers may have leaked the Social Security Numbers of every American

...thus making them available to the only group left without easy access.

My larger point being that it's time to shift our concern from privacy - to disproportionate privacy.

It isn't randos who routinely harm/exploit us with our own data but those in power.

I suggest that equal privacy would serve us far better than privacy laws that target us and few else.

For equal privacy, the default starts out somewhere near: If you can see mine, I can see yours. If you're going to restrict just us, 1) you need to openly+clearly justify it and 2) the restrictions need to sunset.


No, that's just giving up and is, respectfully, silly. How about some kind of a right to privacy instead? Maybe I should have the ability to control who can sell my data instead of giving the same data I don't want shared to everyone?


Privacy equality applies permanent pressure to the powerful to protect everyone's data, instead of just their own.

We presently go law by law, and we have a bloody fight for each one with the final result typically varying between ineffective and counterproductive.

Eventually the system works as intended; we get exhausted and give up. This is the present state of affairs pretty much all over - and has been for a very long time. There's little reason to believe a different result is soon to manifest.


Not sure what's with the downvotes.

Leaking all SSNs makes relying on SSNs as authentication infeasible.

The only way to stop SSNs being an authentication token is to give everyone access to them, but yes, that can cause short term troubles.

The concept of having SSN is de facto wrong, there are situations where one needs to identify oneself unambiguously

I went to another country, and what I found is that to get a monthly bus pass I had to fill out a form that asked for:

Full Name + Gender + Date of birth + Place of birth + Mother's Maiden name + Mother's DOB + Mother's place of birth

(and so on) I forgot the exact details, but it was ludicrously intrusive. Mother's maiden name? Really??? I did not even know some of that info and filled it out with educated guesses. It is not like they were able to check ...

All that information is just an unreliable SSN.


When I went to jail in Boston (peaceful protest), BPD wouldn't release us until we gave them our social security numbers. When we showed up to court, they gave everyone a packet that contained the name, home address, mugshot, and social security number of everyone that was arrested. Half of the time of the court proceedings was the NLG saying hey, what the fuck are you doing? Can you please redact this?


I hate to be this way.

Good! When Congress Critter's little blond granddaughter gets pwned (someone takes her identity), maybe Congress will get real serious about really punishing these Companies when a breach happens.

But we know what will really happen in this scenario, the Company will get funding (bailout) from the Feds, the CEO will resign with millions of USD, the CEO will become a lobbyist.

And in reality, the granddaughter will get special treatment from the Company due to who she is.


>little blond granddaughter

what does an imaginary young woman's hair color have to do with cybersecurity?


Simple. American society tends to value blond white girls more.

Notice you didn't question the gender of the grandchild.


Maybe that occurred since the post specified “granddaughter“?


The post also specified the hair color


They questioned the hair color ("why blonde") but not the gender ("why a woman").


Seems to be clearly questioning the entire premise to me.


People are more sensitive to the pain of others when the victim is perceived as cute. See cute animals vs not so cute animals. We're instinctively wired to think that cute means innocent, helpless and deserving of help and protection. Obviously what is considered cute is subjective and culturally influenced to some extent.


> When Congress Critter's little blond granddaughter gets pwned (someone takes her identity), maybe Congress will get real serious

LOL. Congressman Danny Davis' grandson was murdered by someone who wanted his shoes and Congress didn't even care enough to yawn.


Murder is already illegal.


While that's true, there are two sides to crime: prevention and punishment. One happens before, and the other happens after. People are generally fine with punishment. The prevention part is where we disagree. This then poses the question: how many of your children are you willing to sacrifice on the altar of anti-prevention?

So while a punishment might exist for something, that doesn't preclude trying to prevent the crime from occurring in the first place. This isn't easy work, and of course, it won't work 100% of the time, but it doesn't mean we stop trying to reduce the number.


And they were caught and received 30 year prison sentences.

https://www.fox32chicago.com/news/2-sentenced-to-prison-for-...


So is identity theft.


Identity "theft" is corporate responsibility laundering. It is not "theft" it is "lack of safeguards on PII" plus "lack of meaningful, protected PII" combined with "A complete lack of proper vetting of loan / credit applicants"

Someone put the right 10 digits into a webform? What could we do! They stole your identity!

No, you just didn't want to force someone to walk into a bank to apply in person because that would cost more and reduce your new applicant rate.


Yes, but the fraud is still illegal.


This kind of racism is ok here?


Since it was written with sarcastic tone I think it is less racism than a testimony of systemic racism.


how is this racism


Someone mentioned a skin color, must be racist!

Man, the internet sucks these days.


This has been a right wing talking point for a long time (or more charitably and recently an anti-SJW talking point): Mentioning race is itself racist.

I can appreciate the superficial aspect of it - if we're going to overcome racism, we should stop focusing on race. This of course is ignorant to the reality that if we stop talking about race and racism, racism will just go unchecked. Which is of course what (some/many/most?) of those people want.


It is actually even worse, I can't read. Skin color wasn't actually mentioned, just hair color.

Unfortunately, I don't think we will overcome racism until everyone wants to overcome racism. More unfortunately, I don't think everyone wants to overcome racism, this seems obvious.

The bigger tragedy is, trying to force-feed "don't be racist" to society just makes some people dig their heels in more, making things worse instead of better. Finally, the biggest tragedy of all is how predictable this outcome is, using force and anger as a tool to change the thoughts and actions of a person/group is generally quite ineffective.


They're against $specific_group, they can't be racist.


This isn't racism


How about we punish the bad actors and their state-sponsors?


How? Sanctions? War? What do you suggest?


Doesn't the US have like 17 clandestine agencies, I am sure many of which could engage in covert overseas activities that send a message to future actors about what could happen to them.


This is how you end up bombing wedding parties. It's a bad idea.

And not just in a "An eye for an eye makes the whole world blind" kind of way.


Who said anything about war?

Yes, economic sanctions. Withhold money and make markets unavailable until local law enforcement addresses it.


Cause it worked so well in Iraq?


Oh No! \s

As if SSN wasn't already the most insecure form of identification on the planet. Maybe now we can stop pretending it's a valid form of identification.


Great, more training data for LLMs...

