Received: 8/6/2007 1:44:20 PM
Organization: Mid Atlantic Safety Council
Agency: Federal Trade Commission
Rule: Private Sector Use of SSNs
Comments: Most use of the SSN is as an identifier, analogous to a user name. A small minority of use is as a secret, analogous to a password. Obviously, attempting to use the same piece of data as both username and password will cause considerable difficulties. Within our organization (industrial safety training) we use the SSN merely to tell one John Smith from another. If the SSN were turned into a non-secret public identifier, then a new secret number (or 128-bit hash, whatever the security and crypto guys settle on) could be issued as needed that could be used to initiate important transactions. And whether that ever happens or not, perhaps financial institutions shouldn't pretend they've verified someone's identity just because the person in question knows a nine-digit number that's trivially easy to find? Even our facility won't accept a faxed driver's license or authenticate a person over the phone; why shouldn't someone issuing credit also understand the basics of security and the limitations of trust?