
White House wants to end Social Security numbers as a national ID [telecom]


Monty Solomon

Oct 4, 2017, 7:12:44 PM
White House wants to end Social Security numbers as a national ID

US government is examining the use of a "modern cryptographic
identifier."

Rob Joyce, the White House cybersecurity czar, said on Tuesday that
the government should end using the Social Security number as a
national identification method.

"I believe the Social Security number has outlived its usefulness,"
said Joyce, while speaking at The Washington Post's Cybersecurity
Summit. "Every time we use the Social Security number, you put it at
risk."

https://arstechnica.com/tech-policy/2017/10/white-house-wants-to-end-social-security-numbers-as-a-national-id/

***** Moderator's Note *****

When I was in the Army, they used my SSN as my Army serial number. I
still have my Army duffel bag, and it's stenciled on the side.

Bill Horne
Moderator

Rob Warnock

Oct 7, 2017, 2:06:40 PM
Monty Solomon <mo...@roscom.com> wrote:
+---------------
| White House wants to end Social Security numbers as a national ID
|
| US government is examining the use of a "modern cryptographic
| identifier."
+---------------

As noted in the comments of the referenced URL, a large part of the
problem is that people try to use the SSN as an *authenticator* (e.g.,
like a password) when it's actually only an identifier (e.g., user
name). Hence such oxymoronic phrases as "cryptographic identifier".
The *identifier* doesn't need any cryptography [except perhaps a MAC],
but the *authenticator* certainly does!

+---------------
| "I believe the Social Security number has outlived its usefulness,"
| said Joyce...
+---------------

Note that Medicare, which has historically used SSNs[1] as
identifiers, is already [well, early next year] rolling out a new
format for Medicare account numbers:

https://www.medicare.gov/forms-help-and-resources/your-medicare-card.html
...
New Medicare cards are coming

Medicare will mail new Medicare cards between April 2018 and April
2019. Your new card will have a new Medicare Number that's unique
to you, instead of your Social Security Number. This will help to
protect your identity. See an example of the new Medicare card.
==>

https://www.medicare.gov/medicare-images/JohnSmithWatermarkCards.jpg
[Shows example new form ID: "1EG4-TE5-MK72".]

It's nice that they're decoupling from the SSN, but note that this is
still only an "identifier", with no additional authentication
added.[2]


-Rob

[1] Historically one's Medicare ID number was one's SSN, suffixed with
a single letter that encoded a few bits of your account status.
E.g., if you started Medicare at age 65 but did not "retire" yet
[that is, did not start taking SSA benefits], your Medicare number
was of the form "000-00-0000-T". If you then later "retired", your
Medicare ID number would *change* from "000-00-0000-T" to
"000-00-0000-A" [assuming you were the primary SSA beneficiary].
[Yes, this happened to me!]

Other suffix letters encode other possible status:

https://www.medicaremall.com/senior-living/2013/05/23/extra-letters-medicare-card-mean/
What Do Those Extra Letters on Your Medicare Card Mean?

[2] That I can tell... There might be a check digit or two in there.(?)

+--------------------------------------------------------------+
Rob Warnock <rp...@rpw3.org>
627 26th Avenue <http://rpw3.org/>
San Mateo, CA 94403
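
[Added example, not part of the original thread: the identifier-versus-authenticator distinction from the post above, sketched in Python. The identifier carries a truncated MAC so the issuer can reject typos and made-up numbers, while authentication uses a separate holder secret in a challenge-response. The key, the identifier layout and all function names are assumptions made for illustration.]

```python
import hashlib
import hmac
import secrets

# Constructed issuer key for this example only.
ISSUER_KEY = b"constructed-issuer-mac-key"

def _tag(body: str) -> str:
    return hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).hexdigest()[:8]

def issue_identifier(serial: int) -> str:
    """Identifier = public serial plus a truncated MAC computed by the issuer."""
    body = f"{serial:010d}"
    return f"{body}-{_tag(body)}"

def identifier_is_genuine(identifier: str) -> bool:
    """Shows only that the issuer minted this string; says nothing about who presents it."""
    body, _, tag = identifier.partition("-")
    return hmac.compare_digest(tag.encode(), _tag(body).encode())

def enroll_holder() -> bytes:
    """Authenticator: a secret shared by the holder and the verifier, never printed on a card."""
    return secrets.token_bytes(32)

def respond(holder_secret: bytes, identifier: str, challenge: bytes) -> bytes:
    """Holder proves possession of the secret without revealing it."""
    return hmac.new(holder_secret, identifier.encode() + challenge, hashlib.sha256).digest()

def authenticate(stored_secret: bytes, identifier: str, challenge: bytes, response: bytes) -> bool:
    if not identifier_is_genuine(identifier):
        return False
    return hmac.compare_digest(response, respond(stored_secret, identifier, challenge))

def demo() -> dict:
    ident = issue_identifier(1234567)
    secret = enroll_holder()
    challenge = secrets.token_bytes(16)   # fresh per attempt, so old responses cannot be replayed
    flipped = "0" if ident[-1] != "0" else "1"
    # A party that only learned the identifier has no holder secret to answer with.
    copier_response = respond(secrets.token_bytes(32), ident, challenge)
    return {
        "genuine": identifier_is_genuine(ident),
        "typo_rejected": not identifier_is_genuine(ident[:-1] + flipped),
        "copied_id_still_genuine": identifier_is_genuine(str(ident)),
        "holder_ok": authenticate(secret, ident, challenge, respond(secret, ident, challenge)),
        "copier_ok": authenticate(secret, ident, challenge, copier_response),
    }

if __name__ == "__main__":
    print(demo())
```

A copied identifier still passes the MAC check, which is why the MAC adds integrity to the identifier but does not turn it into an authenticator.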

Gordon Burditt

Oct 8, 2017, 7:42:09 PM
> White House wants to end Social Security numbers as a national ID
>
> US government is examining the use of a "modern cryptographic
> identifier."
>
> Rob Joyce, the White House cybersecurity czar, said on Tuesday that
> the government should end using the Social Security number as a
> national identification method.

I'd like to suggest a few objectives for a replacement for a
Social Security Number.

The number should be long enough and confusing enough that dictating
a NewSSN over the phone without error should take more time, on
average, than the average lifetime of a person who holds one. (This
will hopefully stop scammers from asking for it over the phone, or
banks from trying to use it as a default password.) This might mean,
for example, a 100,000-character NewSSN consisting of the following
base-23 alphabet:

The digit 1
Capital I
Lower-case i
Lower-case l
Vertical bar
Left bracket
Right bracket
Capital I with acute accent
Capital I with grave accent
Lower-case i with acute accent
Lower-case i with grave accent
Lower-case l with acute accent
Lower-case l with grave accent

The digit 0
Capital O
Capital O with acute accent
Capital O with grave accent
Capital Q
Capital Q with acute accent
Capital Q with grave accent
Lower-case o
Lower-case o with acute accent
Lower-case o with grave accent

(Someone once wrote a program that generated random Microsoft Product
Keys with a similar alphabet, but limited to ASCII, as a joke and
complaint about how it was difficult to accurately type them. To
Microsoft's credit, they avoided characters that looked alike, and
they only required 25 characters, not counting the -'s which you
didn't have to type, the form would do that for you.)

Note: as far as I know, no existing Unicode character is a
capital Q with any kind of accent.


Or, you could just dispense with a human-readable representation
of it at all, so asking someone for their NewSSN will get a blank
stare after they get the card out and look at it and find no number
or bunch of characters.

There should be *NO* personal information encoded within the SSN
itself, unlike the current SSN which seems to have state of
registration (which often implies state of birth) and year of birth
within a few years for a fairly good percentage of the numbers.

The Social Security numbers of families registering for numbers at
the same time should be unrelated (e.g. *NOT* consecutive). Now,
this probably applies to immigrants and multiple births only, but
back in the 1950's or so when kids started needing one because of
laws going into effect, it was not uncommon for all the kids in the
family to get SSNs at once, and possibly end up with consecutive
SSNs.

Also, there should be *NO* changeable personal information encoded,
(marital status, weight, current GPS coordinates, firearm license,
awake/asleep status, citizenship, etc.) unlike current Medicare
claim numbers which consist of the SSN followed by a single letter.
T indicates you have Medicare but you are not receiving Social
Security (yet). Since people usually enter Medicare at age 65 and
the standard retirement age (for getting Social Security) is 66 for
people going to retire around 2017, a lot of people will have T for
a year and then change to something else a year later when they
will start getting Social Security also.

The NewSSN card needs to be *READ ONLY* and machine-readable (and
preferably NOT human-readable) but it may *NOT* be readable from a
distance of more than 0.5 mm (no RFID) from the card.

NewSSNs must not be re-used until all previous holders of that
number have been dead for at least 100 million years.

The chance of guessing a NewSSN (issued in the past, active now,
or issuable in the future) by generating random characters in the
appropriate alphabet must be less than one in the number of particles
in the universe (estimated as 1.e+78 to 1.e+82). If you're using
digits as an alphabet, that means at least 82 check digits. The
design should avoid dividing the NewSSN into "check digits" and
"the real number", where the check digits can be calculated from
"the real number". There probably should be several levels of
check digits - some public, some classified. The ultimate check
is against the database which will indicate whether the number
has been issued.

NewSSNs should be treated as "private medical information" under
HIPAA laws. The minimum damages for a data breach is $100,000
payable by the holder of the data to each owner of the NewSSNs
involved, or double actual damages, whichever is higher, plus 1
year of jail time per NewSSN. This amount doubles every 30 days
after the first breach until it is paid. So, if you don't admit
to the breach for 6 months, that raises the penalty to $6,400,000.00
per number.

NewSSNs must not be revealed to Equifax, current Equifax employees,
or former Equifax employees who worked for Equifax after Jan 1,
2016. This means that Equifax and its employees or former employees
must not have access to THEIR OWN NewSSNs (or NewTINs).

Including a NewSSN in a credit report when that credit report was
requested using search criteria that didn't include the entire
NewSSN is a data breach, even if the recipient of the report is the
subject of the NewSSN. Including two NewSSNs in a credit report
on a couple when that credit report was requested using search
criteria that didn't include both NewSSNs is a data breach by the
credit reporting agency, and it may be a data breach by one of the
couple against the other if the one whose NewSSN wasn't included
in the search criteria wants to press the issue.

Being the parent, guardian, or spouse of someone is *NOT* a defense
against giving out their NewSSN without their permission.

David Thompson

Oct 30, 2017, 12:54:52 AM
On Sat, 07 Oct 2017 23:18:05 -0500, gordon...@burditt.org (Gordon
Burditt) wrote:

[snip]

> I'd like to suggest a few objectives for a replacement for a
> Social Security Number.

[snip much]

> There should be *NO* personal information encoded within the SSN
> itself, unlike the current SSN which seems to have state of
> registration (which often implies state of birth) and year of birth
> within a few years for a fairly good percentage of the numbers.
>
> The Social Security numbers of families registering for numbers at
> the same time should be unrelated (e.g. *NOT* consecutive).

[snip]

They already did that, six years ago:
https://www.ssa.gov/employer/randomization.html

Unfortunately, some people born (or immigrated) before 2011 are still
alive, and some of us have fond hopes of remaining alive in the future.