White House wants to end Social Security numbers as a national ID [telecom]

+--------------- | White House wants to end Social Security numbers as a national ID | | US government is examining the use of a "modern cryptographic | identifier." +---------------

As noted in the comments of the referenced URL, a large part of the problem is that people try to use the SSN as an *authenticator* (e.g., like a password) when it's actually only an identifier (e.g., user name). Hence such oxymoronic phrases as "cryptographic identifier". The *identifier* doesn't need any cryptography [except perhaps a MAC], but the *authenticator* certainly does!

+--------------- | "I believe the Social Security number has outlived its usefulness," | said Joyce... +---------------

Note that Medicare, which has historically uses SSNs[1] as identifiers, is already [well, early next year] rolling out a new format for Medicare account numbers:

... New Medicare cards are coming

Medicare will mail new Medicare cards between April 2018 and April 2019. Your new card will have a new Medicare Number that's unique to you, instead of your Social Security Number. This will help to protect your identity. See an example of the new Medicare card. ==>

[Shows example new form ID: "1EG4-TE5-MK72".]

It's nice that they're decoupling from the SSN, but note that this is still only an "identifier", with no additional authentication added.[2]

-Rob

[1] Historically one's Medicare ID number was one's SSN, suffixed with a single letter that encoded a few bits of your account status. E.g., if you started Medicare at age 65 but did not "retire" yet [that is, did not start taking SSA benefits], your Medicare number was of the form "000-00-0000-T". If you then later "retired", your Medicare ID number would *change* from "000-00-0000-T" to "000-00-0000-A" [assuming you were the primary SSA beneficiary]. [Yes, this happened to me!]

Other suffix letters encode other possible status:

What Do Those Extra Letters on Your Medicare Card Mean?

[2] That I can tell... There might be a check digit or two in there.(?)

+--------------------------------------------------------------+ Rob Warnock

627 26th Avenue San Mateo, CA 94403

I'd like to suggest a few objectives for a replacement for a Social Security Number.

The number should be long enough and confusing enough that dictating a NewSSN over the phone without error should take more time, on average, than the average lifetime of a person who holds one. (This will hopefully stop scammers from asking for it over the phone, or banks from trying to use it as a default password.) This might mean, for example, a 100,000-character NewSSN consisting of the following base-23 alphabet:

The digit 1 Capital I Lower-case i Lower-case l Vertical bar Left bracket Right bracket Capital I with acute accent Capital I with grave accent Lower-case i with acute accent Lower-case i with grave accent Lower-case l with acute accent Lower-case l with grave accent

The digit 0 Capital O Capital O with acute accent Capital O with grave accent Capital Q Capital Q with acute accent Capital Q with grave accent Lower-case o Lower-case o with acute accent Lower-case o with grave accent

(Someone once wrote a program that generated random Microsoft Product Keys with a similar alphabet, but limited to ASCII, as a joke and complaint about how it was difficult to accurately type them. To Microsoft's credit, they avoided characters that looked alike, and they only required 25 characters, not counting the -'s which you didn't have to type, the form would do that for you.)

Note: as far as I know, no existing Unicode character is a capital Q with any kind of accent.

Or, you could just dispense with a human-readable representataion of it at all, so asking someone for their NewSSN will get a blank stare after they get the card out and look at it and find no number or bunch of characters.

There should be *NO* personal information encoded within the SSN itself, unlike the current SSN which seems to have state of registration (which often implies state of birth) and year of birth within a few years for a fairly good percentage of the numbers.

The Social Security numbers of families registering for numbers at the same time should be unrelated (e.g. *NOT* consecutive). Now, this probably applies to immigrants and multiple births only, but back in the 1950's or so when kids started needing one because of laws going into effect, it was not uncommon for all the kids in the family to get SSNs at once, and possibly end up with consecutive SSNs.

Also, there should be *NO* changeable personal information encoded, (marital status, weight, current GPS coordinates, firearm license, awake/asleep status, citizenship, etc.) unlike current Medicare claim numbers which consist of the SSN followed by a single letter. T indicates you have Medicare but you are not receiving Social Security (yet). Since people usually enter Medicare at age 65 and the standard retirement age (for getting Social Security) is 66 for people going to retire around 2017, a lot of people will have T for a year and then change to something else a year later when they will start getting Social Security also.

The NewSSN card needs to be *READ ONLY* and machine-readable (and preferably NOT human-readable) but it may *NOT* be readable from a distance of more than 0.5 mm (no RFID) from the card.

NewSSNs must not be re-used until all previous holders of that number have been dead for at least 100 million years.

The chance of guessing a NewSSN (issued in the past, active now, or issuable in the future) by generating random characters in the appropriate alphabet must be less than one in the number of particles in the universe (estimated as 1.e+78 to 1.e+82). If you're using digits as an alphabet, that means at least 82 check digits. The design should avoid dividing the NewSSN into "check digits" and "the real number", where the check digits can be calculated from "the real number". There probably should be several levels of check digits - some public, some classified. The ultimate check is against the database which will indicate whether the number has been issued.

NewSSNs should be treated as "private medical information" under HIPAA laws. The minimum damages for a data breach is $100,000 payable by the holder of the data to each owner of the NewSSNs involved, or double actual damages, whichever is higher, plus 1 year of jail time per NewSSN. This amount doubles every 30 days after the first breach until it is paid. So, if you don't admit to the breach for 6 months, that raises the penalty to $6,400,000.00 per number.

NewSSNs must not be revealed to Equifax, current Equifax employees, or former Equifax employees who worked for Equifax after Jan 1,

2016. This means that Equifax and its employees or former employees must not have access to THEIR OWN NewSSNs (or NewTINs).

Including a NewSSN in a credit report when that credit report was requested using search criteria that didn't include the entire NewSSN is a data breach, even if the recipient of the report is the subject of the NewSSN. Including two NewSSNs in a credit report on a couple when that credit report was requested using search criteria that didn't include both NewSSNs is a data breach by the credit reporting agency, and it may be a data breach by one of the couple against the other if the one whose NewSSN wasn't included in the search criteria wants to press the issue.

Being the parent, guardian, or spouse of someone is *NOT* a defense against giving out their NewSSN without their permission.

[snip]

[snip much]

[snip] They already did that, six years ago:

Unfortunately, some people born (or immigrated) before 2011 are still alive, and some of us have fond hopes remaining alive in the future.