While I don't disagree with you on how bad things are now, good luck with the idea of not giving your SSN to your employer or university. At a certain point people will ask if your intention is to move to a wood shack in Montana and write a manifesto.

Come a few hundred clicks north to Saskatchewan where wood shacks and manifestos are something of a local past-time.

If they have high-speed fiber, it’s a date!

That's why StarLink is a thing!

I have high speed fiber to the home. SaskTel Infinet is great. It's a socialist organization too! Check it out! Saskatchewan has a lot of socialism in its history, mostly because of the intense agriculture history where farmers would pool all their grain together to negotiate better prices.

Sorry to disappoint.

It's honestly pretty tempting but the border is closed.

Set up a corporation, employ yourself, and send invoices from the corporation to the people who wish you to perform services for them.

I've been doing this for over a dozen years. My customers don't need to have a single piece of my PII.

To be honest, the thought of sending even a single piece of my PII to a customer or vendor gives me the heebie-jeebies, given what we know about data breaches. I don't even let my personal services people handle my data in Google Apps until and unless I've shipped them a chromebook and walked them through setting up hardware 2FA and enabling Advanced Protection.

I'm waiting for a national bank chain or AmEx to get popped; thanks to the legally mandated total lack of financial privacy in the United States there's no way to insulate oneself from those vendors.

Isn't this pretty expensive?

Not in my experience.

Giving my SSN to my employer seems reasonable because that’s how I pay in to social security.

SSNs are fine as IDs (with time bound assumptions), the problem is using them for authentication.

They are in fact not great IDs and the Social Security Administration asked very nicely for the rest of the country to not use them as a form of identification: https://www.youtube.com/watch?v=Erp8IAUouus

A few reasons why SSNs are bad as IDs:

1. There are a number of situations where people will not have a SSN.

2. SSNs are "secrets" that need to be broadly shared to participate in many parts of business and government in the US.

3. SSNs lack many security and authentication mechanisms most forms of ID have (e.g. photo ID)

There are folks in the US who rally against the idea of a national ID, but I've always thought it was a silly argument considering how pervasive and problematic SSNs are as a form of identification.

If a living person has a SSN they can be identified by it [1]. That does not imply any individual can be identified by a SSN or that any SSN identifies an individual. The suitability of an SSN is situational for ID purposes.

The video conflates identification and authentication to its detriment.

Social Security Numbers are very good identifiers, that’s literally their purpose.

Social Security Cards are poor authentication tokens because they contain no validation to prove the card holder is the person associated with the number. Or said another way, you cannot prove your identity (authenticate) with a social security card.

I don’t see what built in validation of the number has to do with the security of the identifier.

So again, the problem is using a Social Security Number or card for authentication. It’s fine as an identifier.

[1]: Social Security Numbers can be reissued but this should only happen when the number is no longer in use.

Too late to edit but apparently SSNs are not reused: https://www.ssa.gov/history/hfaq.html

Q20: Are Social Security numbers reused after a person dies?

A: No. We do not reassign a Social Security number (SSN) after the number holder's death. Even though we have issued over 453 million SSNs so far, and we assign about 5 and one-half million new numbers a year, the current numbering system will provide us with enough new numbers for several generations into the future with no changes in the numbering system.

I wonder how this is possible when there are only one billion combinations of digits.

There are only around 330 million Americans and about 5 million born/immigrated each year. 1 billion possibilities will be enough for about 100 more years. Presumably sometime before then we can replace or update the system (or worst case add one more digit).

Somewhat tangential, but I've always found it weird when I read about strong opposition of some in the US to government ID, framing it as something that jeopardizes the indivdiual's rights. My perspective from a European point of view is different, a government system that provides some ID (which is good both for identification and authentication) is a crucial protection of my rights. I don't want anybody to be able to impersonate me, which means I want a universally accepted system of strong authentication. That's what government ID is to me, it's like a PGP keyring where the government is the introducer in the web of trust.

In the absence of such a system, various ad-hoc systems emerge, and that's IMO why identity theft is so staggeringly common in the US - it's easy, and it's easy because very poor systems are routinely used for authentication. If I understand correctly, you can do a lot in the US with one-factor knowledge authentication, where the "something you know" are things like your name, address, DOB or SSN, all of which are exceptionally poor as authentication.

While there is no Federal ID every state in the Union (to my knowledge) provides ID cards to citizens. These vary slightly from place to place but all contain verifiable identity (authentication).

This may seem strange to outsiders but makes more sense when you consider the United States is a federation of sovereign states. The system is built on the idea of limited federal power with states sharing but retaining much of their own sovereignty. This has many of the benefits of any federated system and makes for a robust democracy.

There’s very little of consequence you can do in the United States with single factor knowledge. If identity theft is more common here than elsewhere (citation needed) I would guess it has more to do with a lack of consequences (consumer protection) than a Federal ID.

I'm familiar with the US federal system, but as far as I know, the individual state IDs still have the same problem. In particular, they're apparently difficult to obtain for poor or disadvantaged people, so there are enough people without an ID to let the insecure ad-hoc systems exist in parallel. So something like knowing the SSN, or displaying an utility bill (trivially faked) exists as a parallel ID form.

European government-issued IDs don't work well just because they are accepted, they work well because no other ID is accepted, and that's only possible when 99% or more of the population has such an ID (and the rest can be handled in a somewhat more convoluted but uncommon procedure).

Of course I have no good insight into how feasible it is for a US state / federal government to ensure that everyone (for sufficiently large values of everyone) in the state / country has an ID, without disadvantaging anyone.

It's the same as the EU but with way more federal power and way less local democracy.

One dimension to this is that racism and xenophobia is so nakedly tolerated including in the political class in the US, that many are fear that any governmental ID would only be half-heartedly rolled out to inconvenient and undesirable people in an effort to suppress their voice.

To be fair most systems in the EU is exactly the same.

4. SSN’s are not unique, nor were they designed to be, but people think they are.

> SSNs are fine as IDs

No, they actually are NOT fine for ID or authentication. They contain no security features and if an attacker knows their victim's birth location can often determine the first set of digits of an SSN.

SSN are not fine as IDs.

My name + address is fine for ID, everyone knows it, but it's unique. There are no security features on my name.

I could claim my name is Joe Biden and I live at 1600 Pennsylvania Avenue, just like I could go onto HN and claim my userid is urda, that isn't a problem.

The next step would be to authenticate - and that's where the problem comes -- SSNs and names are no good for authentication. They're a userid.

In colloquial use, you are right.

In rigorous use in security, identification just means unambiguously referring to a specific identity. This is as simple as providing an identifier. Which the social security number roughly does (they can be re-used after death apparently).

Actually proving the provided identity is your identity is authentication. SSNs come with no decent authentication method. Hence, the identifier of an SSN is not very good in situations where authentication is required.

For an example where authentication of identifiers is not required. Consider the following: "Dear business please identify all your employees so we can correctly give them benefits". In this case, having identifiers for people is sufficient.

Heck, any case where you are asked to identify a 3d party cannot require authentication.

Strictly speaking "please identify yourself" means please give me your name. If this is spoken by someone with authority they may want prove of that claim. In that case, it is great if authentication of your given identifier is possible.

> they can be re-used after death apparently

They aren’t, I was wrong! https://www.ssa.gov/history/hfaq.html

The only one of those things that has any claim to being a secret is SSN. And that ship has sailed - at this point it would be a public service to publish all SSNs so we’re all forced to stop treating it like knowing an SSN means something.

The rest belong in public directories, where they have been for decades.

If you are a prospective student, are you going to risk your future by using your college application to make a point about privacy?

There's a strong argument to be made that one risks their future in general by taking on the substantial debt usually involved in attending a US university. There are worse things one can do with regards to their future than keeping their private data private.

This is putting a bandaid on a rotten leg. What is needed is a way to stop businesses from calling you if you haven't given them permission. It is a huge problem in the US but it isn't like this everywhere. The underlying problems should be fixed instead: Laws that actually prevent this (enforced laws) and the opportunity to block non-local calls from places not as functional (like calls from the US).

I have had the same mobile phone number for decades and I get maybe one call a year from a business that I haven't specifically allowed or requested calling me and it is always international because local laws actually work.

Yes, it is a band aid, or one solution out of many needed ones, and yes, probably not highest priority in terms of needs. But it doesn't have to be a either...or...

And I wouldn't derive from your lack of need from a lack of need for others!! Independently from the country. Stealing is allowed in no country, and it still happens in every country. Laws and enforcement is great, but it won't stop 100% cases, and if I like to have a door lock on my door (or two), then let me do... I don't care if some don't feel a need for it (and stealing is just an example... the same for so many illegal things).