This morning on Fox News Channel, as they were discussing the Bank of America information loss, one of the pundits bluntly declared that we are living in an information society and there just isn't good information security. He is right.
Pete Lindstrom has a great idea on his blog, which is to publicly publish social security numbers. At first blush it seems like an insane idea... think of all of the identity theft! But that is the beauty of his idea - social security numbers are not an adequate mechanism to prevent identity theft since they really aren't secret. Neither are credit card numbers nor drivers' licenses nor passport numbers.
Today it was just announced that Bank of America lost backup tapes containing personal information for a million customers. Last week ChoicePoint sold personal information of 145,000 people to crooks. T-Mobile allowed unauthorized access to its customer databases over the last year (although it wasn't until Paris Hilton was put out that it made the headlines).
And unless we change our model it is only going to get worse. New strains of spyware are motivated by profit - expect less obvious and more insidious techniques for obtaining your personal information since it yields financial gain right now.
So we need to get to a place where knowing my personal information such as social security number, credit card numbers, etc. gets a stranger nowhere. How do we do that? First we should consider a national identity system that is designed for authentication. But to overcome the cultural hurdle let's make it optional - let people opt in when they are ready. Let businesses support it at their option - but as we discover that the system reduces identity theft risks there will be a lot of incentive to opt in to this system. I imagine that the system would include a physical token such as a credit card sized smart card that can be used as identity at everything from airports to grocery stores. Embedded on this identity card would be one or several digital certificates issued by various Certificate Authorities of the person's choosing. This might include employers and governments. You would also use these certificates for online transactions without necessarily having to use the card. For your personal computer you would safely store the certificates; on public systems we might have a smart card reader.
Bottom line - my social security number would only ensure that my taxes go to the right account once I am authenticated. Think of this like my phone number or street address - having them doesn't get you my mail or phone calls. If you don't want to move to the new system... fine... get in line and fill out the paperwork.
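An added example, not from the original post, of the model described above: the verifier sends a fresh challenge and the card proves possession of a private key, so reciting the identifier alone fails. The `Card` and `Verifier` classes, the registry standing in for CA-issued certificates, the constructed identifier and the toy Schnorr signature (standard library only, illustrative parameters) are all assumptions.

```python
import hashlib
import secrets

# Toy Schnorr signature mod a prime: a stand-in for the card's real signature
# algorithm. Parameters are illustrative only, not production-grade.
P = 2**255 - 19
G = 2

def challenge_hash(r: int, msg: bytes) -> int:
    digest = hashlib.sha256(r.to_bytes(32, "big") + msg).digest()
    return int.from_bytes(digest, "big") % (P - 1)

class Card:
    """Hypothetical smart card; the private key never leaves this object."""
    def __init__(self):
        self._x = secrets.randbelow(P - 2) + 1
        self.public_key = pow(G, self._x, P)

    def sign(self, challenge: bytes):
        k = secrets.randbelow(P - 2) + 1          # fresh per-signature secret
        r = pow(G, k, P)
        s = (k + challenge_hash(r, challenge) * self._x) % (P - 1)
        return r, s

class Verifier:
    """Hypothetical relying party; registry stands in for CA-issued certificates."""
    def __init__(self):
        self.registry, self.pending = {}, {}

    def enroll(self, identifier: str, public_key: int):
        self.registry[identifier] = public_key

    def challenge(self, identifier: str) -> bytes:
        self.pending[identifier] = secrets.token_bytes(16)
        return self.pending[identifier]

    def authenticate(self, identifier: str, response) -> bool:
        nonce = self.pending.pop(identifier, None)  # single use: blocks replay
        y = self.registry.get(identifier)
        r, s = response
        if nonce is None or y is None or not (0 < r < P and 0 <= s < P - 1):
            return False
        return pow(G, s, P) == (r * pow(y, challenge_hash(r, nonce), P)) % P

SSN = "000-00-0000"  # constructed identifier, treated as public knowledge

def impostor_attempt(verifier: Verifier) -> bool:
    # Knows the identifier and can request a challenge, but lacks the card's key.
    return verifier.authenticate(SSN, Card().sign(verifier.challenge(SSN)))
```
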
Do you want to get a free personal digital certificate right now? Go to Thawte and see if you have some local notaries in your area if you want to have an authenticated certificate. (The biggest flaw in the system right now is the lack of a good US identity card to authenticate to - I always require a driver's license and some other acceptable ID card.)