Sometimes I think Janus, the Roman god typically depicted as having two faces should declared the official deity of Identity. I don’t mean that for the obvious reasons such that two (and sometimes four) faces is an obvious metaphor for multiple personas. I am also not referring the Roman belief that Janus was the god of gates, doors, and doorways.
No, I am proposing Janus because those of us who work in Identity are some of the most two-faced people you’ll ever meet. Take SSNs for instance. We simultaneously preach SSNs as the sacred crown jewels of your identity while giving away our SSN whenever asked for it. Just the other day I had to give my SSN and my dental insurance number to the secretary of an orthodontist that we are trying to schedule an appointment with.
Which leads me to ask the question, why do I consider my SSN so sensitive that I believe it must be protected, yet I am willing to divulge it when requested? It’s because the SSN has evolved over time from being an accounting artifact to being a shared secret used for authentication, a role for which it was not intended and is not suited.
So how then could you change the rules of the game? One person trying to change the rules of the game is Todd Davis the CEO of LifeLock. He publishes his SSN openly in the LifeLock adds and on their web site. He claims to be so confident in their identity theft protection service that he can give the world his SSN without worry.
But I have half-Swiftian Modest Proposal to change the game without needing the LifeLock or similar services. The government could announce a date on which they will start publishing a complete list of names and SSNs. Companies would have until that time to stop using SSNs as an authentication mechanism. Once the SSN is public domain there would be no reason to worry about protecting it. And no one would ask you for it. In fact it would no longer be needed for anything that did not involve tax information.