The headline reads, "Professor charged with stealing students' IDs." At first glance this appears to be a case of misplaced trust. The professor asks his students to sign into his class by signing their name and placing their social security numbers on the sign-in sheet. The professor then uses the information to open up a bunch of department store credit cards. I submit that this incident happened because students don't know what their social security number is supposed to be used for and the federal government has not done enough to discourage the use of the SSN for non-social security matters.

This whole thing raises some questions. Does the organization--the community college in this case--even know what the SSN is supposed to be used for? What is the student to think? How does the student know whether it's safe to provide the information or not? What could the students have been told in advance that would have prevented this situation? Who should have told them; the college, their high school, their parents, the governemt, who? What is the SSN supposed to be used for anyway?

The Social Security Administration has an article called Identity Theft And Your Social Security Number. The first point they make is,

"Your Social Security number and our records are confidential. We do not give your number to anyone, except when authorized by law. You should be careful about sharing your number with anyone who asks for it (even when you are provided with a benefit or service)."

Merriam-Webster's Dictionary of Law defines the word "condifential" as:

1) known or conveyed only to a limited number of people ; 2) marked by or indicative of intimacy, mutual trust, or willingness to confide esp. between parties one of whom is in a position of superiority
; 3) containing information whose unauthorized disclosure could be prejudicial to the national interest

Is our SSN really conveyed to a limited number of people? It certainly isn't of national interest, unless the government uses it as both an identifier and authenticator of confidential employees. Can we, as consumers, really believe that our social security number is a secret?

The Social Security Administration also has a congressional testimony that declares, "The SSN is a national identifier." This is true, like it or not.

Why is an identifier (social security number) being used as an authenticator in the first place? Providing an identifier or any combination of non-secret information should never be used to authenticate someone. Why do we allow this? Why do we design systems and processes that use identifiers from a different domain--that were devised for a different purpose--in our domains? I think to some extent it's because we do not evaluate the implications of our decisions well enough. Many organizations lack the expertise and infrastructure to design and deploy better systems and processes.

Why do creditors allow people to open accounts so easily? Because the trade-off between the hassle of a few fraudulent accounts versus the many valid accounts is still worth it to the creditors. Bottom line, they still make money. Why doesn't Wal-mart post armed guards at the exists and double check that everything in your bag is reflected on your itemized receipt? Because the cost of shoplifting is low compared to the cost of security guards and lost customers due to hassle.

Look, I'm not a fan of big government and the passing of many laws. It's hard to say whether the government got us into this mess or not. But somehow we need to stop placing so much emphasis on the SSN. How about making a clear statement that the SSN should not be used for anything other than social security benefits? How about mandating that the SSN is only an identifier and the fact that someone can write a nine digit number on a piece of paper does not mean that the number is theirs? How about fining organizations for using the SSN?

Ah, but even if these things were done we would still have a problem of identifying people when we establish an identity for them in our domain. Wouldn't we? How would a national ID help or hurt our situation? That's a whole new blog entry.

• EPIC Social Security Number (SSN) Privacy Page
• What To Do When They Ask For Your Social Security Number