Better Way to Stop a Thief

To counter the rise in identity theft, Congress is considering precisely the wrong response: making Social Security numbers more private. To see why that response is wrong, one must distinguish the two roles that these numbers play in the identification process.

An identity thief begins by discovering the name and Social Security number of a potential victim and using it to open credit accounts in that person’s name. The creditors accept the thief’s assertion of identity principally because the thief knows the victim’s number. In this transaction, the Social Security number serves as a password--knowledge of the number is accepted as proof of identity.

The proposed legislation acquiesces in this use of Social Security numbers and seeks to protect the passwords from theft. That approach is futile.

After full implementation of all proposed restrictions, (and a lot of expense and inconvenience), millions of people will still have access to our numbers. These people are the employees of the Internal Revenue Service and other federal, state and local agencies, credit bureaus and the tens of thousands of businesses that are members of credit bureaus or that issue IRS Form 1099 for payments they make to individuals. Those employees may already be the source of most of the Social Security numbers used in identity theft.

Trying to keep one’s Social Security number secret is a fool’s errand. Even supporters of the legislation, such as Rep. Jim McDermott (D-Wash.), admit that “at this point it is impossible to maintain the confidentiality of Social Security numbers.”

That Social Security numbers serve as passwords is the reason for stealing them. Businesses that make such use of them are willing to recognize anyone who knows your number as you. They will let a thief who knows your Social Security number see the balance in your bank account, change your mailing address on their records, get a duplicate of your credit card or even withdraw money from your account. (And then they will blame you for not keeping your number more secure!)

Passwords should be changed periodically, and it is critical that they be changed when they have been compromised. Social Security numbers don’t work well as passwords because they are nearly impossible to change. Congress should bar businesses and agencies from using them as passwords. That would free the numbers to perform their second role: providing an unambiguous means of referring to a particular person. Names are not sufficient for finding a particular file among the 180 million or so on the computers of each major credit bureau, so in the world of credit reporting one’s name effectively includes one’s Social Security number.

If Social Security numbers were to be made more secret, they could perform this second role only privately. To see the problem this creates, consider the case in which a thief claims your identity in opening a charge account. The creditor--with whom you may never have dealt--would like to get in touch with you to check the thief’s claim to your identity. But the creditor can’t because he doesn’t have your contact information. The thief is giving incorrect contact information for you (the thief’s own), and the information on your credit file might be out of date or might have been changed by the thief. Your name alone is not enough to distinguish you from others with similar names.

If we use Social Security numbers just as identification and not as passwords to confidential files, each person could publicly establish his or her identity by registering name, Social Security number and a secure means of contact--selected by you--on a government-operated, publicly accessible site. Such a system could operate without compromising the registrant’s privacy in any way, and make identity theft virtually impossible.

The public display of Social Security numbers may at first seem shocking. But in a world in which Social Security numbers are not used as passwords, the number would not be the key unlocking sensitive personal information. The alternative is to live permanently in fear of identity theft, vainly trying to make a lifelong secret of an unchangeable number that lots of people already know and that we are forced to disclose dozens of times each year.