What I'm Telling US Congress about Data Breaches (troyhunt.com)
288 points by robin_reala on Nov 29, 2017 | 93 comments


Something I would have liked to see - but perhaps this letter wasn't the right place.

Let's talk about how the ubiquitous use of SSN and credit reports puts a massively unfair burden on every US citizen.

Right now, it's all on me. I need to safeguard everything related to my government-issued nine digit ID that I never asked for - yet is somehow accepted as my financial identity, well beyond its intended scope.

If I fail to do so, or if I fail to aggressively identify fraudulent use of it by monitoring reports from 3-4 different agencies, it's on me. It's my credit that's screwed.

It's hard to emphasize enough how unreasonable that is. This isn't a house or other piece of real property that's in my control - it's 4 bytes of data that is assigned to me, but that I fundamentally have no control over.

In spite of that, I am accountable for any and all uses of that data. It's hours of my life each time a breach occurs - more if it's actually misused. The assumption of 'bad credit risk unless and until you convince the reporting agencies that fraud has happened' is a fundamentally flawed one.

I can't opt out. I can only keep spending my time and money to play the game - because it's the only one in town.


Indeed! I have recently been trying to come up with a new term to use instead of "identity theft" (open to suggestions). As the term itself seems almost Orwellian to me.

My identity wasn't stolen! You gave a loan/credit card/whatever to someone and didn't verify who they were. How is your organization not doing the proper work a "theft" of my identity? I'm not involved and I don't want to be!


"Identity theft" isn't real. It's a term the banks et al. use so that they can have less responsibility.

Example: Someone opens a bank account using your information. That's fraud. Someone lied to the bank, and the bank believed them. That's the bank's problem. But by pointing at you and saying "Your identity was stolen" (using the term "stolen" to make it seem like this is similar to the theft of a physical object), it suddenly seems like it's your problem.


> It's a term the banks et al. use so that they can have less responsibility.

I agree that it's misleading, but have to concede that whoever first came up with that term must have been an expert in framing and spin. There are few words that so effectively distort the discussion as "identity theft".


Indeed. When one thinks of "identity theft victims", one doesn't think of a bank.

But it is the bank, it should be! When a bank is robbed, its clients aren't the victims. The bank is. The clients aren't giving money to the bank for nothing in return; what they get in return is assurance of safety and availability (otherwise, that would be a loan, not a deposit). Spinning the failure to deliver on that obligation as the client's problem is indeed great PR work.


Fraud is only half of the "identity theft" reframing. The term also attempts to excuse libel/slander by the credit agency.


Fraud is the one and only word needed.

Via https://en.wiktionary.org/wiki/fraud: The crime of stealing or otherwise illegally obtaining money by use of deception tactics.

Legally speaking

> Fraud must be proved by showing that the defendant's actions involved five separate elements:

> (1) a false statement of a material fact ["I am John Doe"],

> (2) knowledge on the part of the defendant that the statement is untrue [they are not John Doe],

> (3) intent on the part of the defendant to deceive the alleged victim [they want money],

> (4) justifiable reliance by the alleged victim on the statement [bank credit approves access based on identity], and

> (5) injury to the alleged victim as a result [bank loses customer money].

(https://legal-dictionary.thefreedictionary.com/fraud)


I like the term "bank slander"[1]. The company that gave a loan to a fraudster (a bank) lies to the credit bureau (slander) and now you have to spend a bunch of time trying (and usually failing) to get those lies off your credit report.

[1]previous HN comment - https://news.ycombinator.com/item?id=15657887


Love this one and I am going to start using it in real life, peace!


Maybe "credit slander"? Including the added bonus of expanding the set of possible perpetrators.


If the credit agency is harming your reputation with an incorrect credit report then the proper term for what they're doing is libel and you can sue them for it.

I'd like to see a startup or non-profit that automates libel civil lawsuits against the reporting agencies. At least then maybe we'd get some responsibility from them.


IANAL but banks have a lot of cash to throw at legal teams. AFAIK you’d have to show evidence of material damages. Seems very hard to automate...might be better for class-action.


Ya I agree. It seems these firms are relying on the fact that each individual suing them would have to put up considerable time and money, and so most don't.

But if some economy of scale could be provided in filing these lawsuits, like those boilerplate will-in-a-box products, then the business of credit reporting in its current form may be made non-viable.


I wonder how many of the major US banks have binding arbitration clauses? I don't claim to know one way or the other, though I thought I heard that one major bank did & it had been standing up in court recently, but I may be mistaken. I also have no idea if they'd hold up in general -- but I'd be curious how many of the T&Cs that you sign have these clauses...


Probably all of them. So you would just have to find someone who had never opened a legitimate line of credit, but for whom a fraudulent line of credit had been opened.


I’ve heard “bank fraud” used here.



Credit fraud. The banks were defrauded, not you.


> Indeed! I have recently been trying to come up with a new term to use instead of "identity theft" (open to suggestions). As the term itself seems almost Orwellian to me.

I'll have a stab at coining the new word.

The concept is referring to attempted or successful deceit of the bank. Let's take the Latin word for deceit, fraudem, and modernize it so it won't sound so quaint. I think that "fraud" would do.


> identity theft

Impersonation.


No, this implies that the victim is the end user, not the bank.


Negligence


It's frustrating enough to see private enterprises using SSN as a form of identification, e.g. getting a lease on my apartment I had to provide my SSN.

What's worse is when government agencies themselves use it, knowing full well the number of recent data breaches. I recently went to the DMV in Colorado to obtain a driver's license (since I moved here from another state). They turned me away because I didn't have my physical social security card with me. I did have my U.S. Passport, which has far more security than a blue card with a number printed on the front of it. And sadly the Colorado DMVs will continue using SSN to identify people, even after hearing about the Equifax breach.

Honestly, a social security card may as well be a post-it-note with the number written in crayon or finger paint.


Just curious, how do other countries do it? For example, can I get a loan in Canada online or over the phone (not in person)?


The EU practice of shifting the practical risks from the impersonated person to the defrauded lender means that lenders are less eager to accept risks and more careful with verification.

Usually, you get loans from your bank - and since you have a preexisting relationship and secure authentication methods, you generally can do it remotely. However, establishing your identity to a new organization usually requires a visit in person and verifying official ID; the lenders who don't require this (e.g. various companies offering small payday loans) have a much higher rate of fraud and thus charge high interest rates to cover those risks. A popular measure that I've seen used is that they require you to wire them 1 cent from the account to which they'll pay out the loan, which can remotely show that you most likely own that account.


That's exactly what Troy is talking about in the section on KBA (Knowledge Based Authentication)

>Knowledge-based authentication (KBA) is predicated on the assumption that an individual holds certain knowledge that can be used to prove their identity. It’s assumed that this knowledge is either private or not broadly known thus if the individual can correctly relay it then, with a high degree of confidence, they can prove their identity. KBA is typically dependent on either static or dynamic “secrets” with the former being the immutable data attributes mentioned earlier (date of birth, mother’s maiden name, etc.) and the latter being mutable such as a password.


You can freeze your credit to "opt out"


But then you're opting out of the US financial system as it is available to consumers.


You can unfreeze if you need access to credit.


At which point you opt back in to the risk. It's not a workable solution.


And it costs you $10 per credit agency every time you need it.


> Let's talk about how the ubiquitous use of SSN and credit reports puts a massively unfair burden on every US citizen.

In France, private credit bureaus don't exist. It's up to banks to track these things.

The country seems to work fine.


> In France

> The country seems to work fine.

I hope you realize the joy you have brought to many people's day by writing this.

I would pay a large sum of money to see all of the replies that will go unwritten.


I know that everyone loves to laugh at France, but France isn't a bad country. It's hardly a dysfunctional hellhole.


Everyone? Only estadounidenses.


Do the banks talk to each other about their customers? So if you don't pay a loan to bank A does bank B know about it and make their lending decisions based on that information? If so, it's functionally identical to the credit reporting agencies in the US.

Is the same type of credit with the same interest rates available just as easily in France as in the US?


In Germany life is also not dominated by the credit agencies like in the US but there is a thing called "Schufa" that does some credit reporting. Not sure how it works though.


The Schufa (https://en.wikipedia.org/wiki/Schufa) provides data for their partners/customers on your credit rating and credit score.

Banks will usually not give you an account and shops won't give you credit if your rating is bad. For example, you are so late to pay your bills that the creditor has involved collection agencies or the courts to get their money.

Landlords will more often than not demand a document from the Schufa (supplied at your own expense) to consider you eligible for renting a flat or a house.

edit: grammar


> Landlords will more often than not demand a document from the Schufa (supplied at your own expense) to consider you eligible for renting a flat or a house.

Not just landlords, employers do Schufa checks too, same for phone/mobile contracts, cable TV, and for what it's worth even power/gas companies. The latter is really bad because it locks poor people into the highly expensive "Grundversorgung" tariff (regulated, the local utility MUST offer it) by the local utility, thus taking away even more of their money.


The important distinction is that Schufa is heavily regulated and cannot e.g. give banks disputed information as long as the dispute is not resolved.


CRAs in the US are also highly regulated.

https://en.wikipedia.org/wiki/Fair_Credit_Reporting_Act


In case someone is wondering, the previous post - "I'm Testifying to Congress about Data Breaches – What Should I Say?" was discussed here:

https://news.ycombinator.com/item?id=15751344

Some of the replies really touch upon what can go wrong with government regulation.

That said, I do really want something done about this:

> An attitude of “data maximisation” is causing services to request extensive personal information well beyond the scope of what is needed to provide that service

Stop collecting information which is not required. Most of this information ends up in some form of advertisers/advertisement in guise of creating "more engagement with users".


IMO there should be expensive data breach bond/insurance requirements for any company storing data about people, scaled by how much and possibly which kinds of data are stored. Discourage holding a bunch of stuff "just in case".

And FFS, at least outlaw the required arbitration BS for data breaches. Let the bond or insurer pay out when it happens, then jack up their prices on the breached company until they cry.


What data about people would apply? What about public records? Note that if you own property, your name and address are already public.


"Public Records" is part of the maximization problem.

The Government is more guilty than any business on collecting, hoarding, and making public all kinds of personal information about you.

If the government wants to curb data breaches it needs to start cleaning its own house. 90% of "public data" should not be public at all.


By "until they cry" I assume you mean "until they can no longer continue passing the costs directly to the consumer, at which point they simply go into bankruptcy and reincorporate 6 months later at the lower insurance rate?"


If the data you hold as a business is so valuable that the insurable risk of loss is too expensive for your business, then ask, "do we really need to hold that data?" If your business needs to pass that on to consumers because you can't afford the hit to your margins, then consumers need to ask, "is [service/product] really worth that much to me?"

The downside is that the most critical components of information which tie to identity itself, are the ones that businesses most commonly need to hold to verify identity. More challenging is that without a way to modify identity data (i.e. change your SSN), the insurable risk is huge because it needs to include a discounted cost of identity monitoring forever, and the cost of the individual losses that someone might encounter for the loss of that data. Then of course, if a person's identity is compromised more than once, how do you discount the responsibility across multiple careless parties?

IMO it all comes down to never using immutable information (Name, DOB, etc) to firmly define identity online. That information should be for display purposes only. At the backend, we need an identity that is tolerant of change, and can easily be updated if it is ever lost. In reality this will probably mean that instead of an ID, we have ID probability, which would include photos, addresses, ID numbers, Credit card account access, and companies that needed to verify it would be able to evaluate how certain they were the identity was real, and to insure against mishandling of the individual components of information.


> The downside is that the most critical components of information which tie to identity itself, are the ones that businesses most commonly need to hold to verify identity. More challenging is that without a way to modify identity data (i.e. change your SSN), the insurable risk is huge because it needs to include a discounted cost of identity monitoring forever, and the cost of the individual losses that someone might encounter for the loss of that data. Then of course, if a person's identity is compromised more than once, how do you discount the responsibility across multiple careless parties?

If it gets expensive enough, maybe banks and CC companies and such will finally get off their asses and fix the whole "identity theft" issue. That's a feature, not a bug.

I think the US is too allergic to anything with even a whiff of "secure national ID" for us to let the government fix it, so this is the next best (or, better, depending on your perspective) option. I frankly don't care how we do it, but it's really stupid this is still a thing people have to worry about, and making it cheaper for the banks to fix it than not to fix it seems like the most politically viable solution.


Agree completely. Personally, I was hoping that Visa, MC, and Amex together could just create a new standard "financial ID number" or "Credit ID Number" that they could collectively agree on and we could all just kind of ignore the government. CC numbers themselves are almost good enough in the first place, they just need to get a little more self-referential.

Hell, maybe they could even use a distributed ledger to do it and bring in the credit reporting agencies too.


>we could all just kind of ignore the government.

You mean the government that spent 26 years printing "NOT FOR IDENTIFICATION" on the bottom of every social security card.


What you haven't addressed is the fact that so much of SV, yc included, is now based off a business model of selling that data to third parties such as but not limited to advertisers. The same applies to the tech around banking and credit, with data selling and sharing going on all over the place.

This is the elephant in the room I don't see anyone addressing, but be warned, we can see the effect caving to this model had on the journalism industry. If tech doesn't free itself from this, it will likely have similar consequences.


SV may monetize the data, but credit rating companies monetize identity and the protection of it. SV knows about you, but credit agencies can define who you are.

Of course, identity theft is a mortal wound and is hard to ignore. Casual monetization of every private action is death by 1000 cuts.


One would hope that insurers would start proactively setting the rates for their policies based on several factors and not just in response to breaches and payouts. For instance, an insurer's exposure would be greatly affected by the types of information collected, so they could offer lower costs to a business that was only collecting email addresses than to one that collected many more types of PII. You'd also hope that insurers would start to give preferential rates to companies that complete (and resolve) periodic security audits from trusted auditors.

The benefit of insurers getting involved is that they can de facto mandate these kinds of security audits and practices by making insurance policies unaffordable without them. And, unlike government regulation, the requirements from insurers can evolve rapidly over time in a way that is difficult for laws to do. Insurers will hire security experts to advise on best practices and each have their own ideas of what security means. If a business finds a single security practice onerous, they can shop for an insurer that doesn't require it.


1) if they have competitors, they can't do much "passing along to consumers" to begin with, and 2) I thought insurance companies were supposed to be really good at assessing risk, and markets are magically efficient and all that, so shouldn't the better insurers unravel such schemes? Plus it's not like losing, you know, brand recognition and such is nothing. Point is it should hurt a lot to leak personal data, and it's this or directly regulate (this sort of thing used to be the right-wing way of doing things, but now doing anything at all about these problems, no matter the mechanism, is "left", at least in the US—see also health care)


The information has already been collected and breached, or will be breached eventually. Data minimalism isn't going to put the horse back in the barn, so to speak. (It may help anyone too young to have a credit card, and younger generations.) So we need to do something about identification not relying on knowledge factors for everyone currently over 16.


Very cool to see Troy use my suggestion:

from https://www.troyhunt.com/im-testifying-in-front-of-congress-...:

"Troy, to your point "Data breaches can take years to discover," I think it's helpful to put in layman's terms that breaches are closer to making photocopies where there are now two people in possession rather than a theft where the owner is deprived of access. How do you detect that a document has been photocopied?"

In the final (this link):

"However, unlike a physical commodity, the trading of data breaches replicates the asset as each party retains their original version, just like making a perfectly reproduced photocopy."

:)

To expand on my point and

> We Often Don’t Know Until Years Later

You notice someone's stolen physical property from you, because you are deprived of it.

You don't notice someone's stolen digital property from you, because now there are more copies of it.

(maybe "stolen" and "property" aren't the correct terms to use for digital assets?)


> (maybe "stolen" and "property" aren't the correct terms to use for digital assets?)

Stolen is rarely the right word (that is, it's possible to steal digital assets, notably if also stealing the physical medium on which they are stored, but usually the term is used in only a loosely figurative sense), but “property” is often correct; there are all kinds of nonphysical property that share important features with physical property, and there are equally important distinctions within classes of tangible property as between tangible and intangible property.


> maybe "stolen" and "property" aren't the correct terms to use for digital assets?

Indeed. See, for example, https://www.stallman.org/articles/ft-response.html


While he presents a great overview of all the problems with static knowledge based authentication, I get the feeling that the very fact that this hearing was called for implies there is already a strong consensus that the current status quo is a big problem. To me it falls a bit short because he primarily elaborates on the details of the problem without offering any suggestions on how to move forward towards a solution. I mean, the details may help understanding which could inform improved policy, but these politicians also need guidance on what actions to consider.


From the article: "I've had some great suggestions around tackling the root cause of data breaches and I'd love to have another opportunity in the future to talk about that, but it goes beyond the specific focus of this hearing. That said, who knows what I'll be asked by congressmen and congresswomen on the day and they may well question what can be done to combat the alarming rise in these incidents. I've now got a lot of great references on hand to go to should that happen so once again, thank you!"


Indeed, and if impartial security experts won't offer them, the politicians will have to rely on corporate lobbyists to write their own rules and penalties affecting those companies.


I believe the scope of what he was asked to address might not have included suggested solutions, beyond the obvious "don't suggest all the stuff I'm saying is causing a problem."

He does specifically go out of his way to say, in bold and isolated text, Do keep in mind that the context here is the impact on identity verification in "a post-breach world".


No, they need facts, the willingness to learn and the courage to think for themselves. "Guidance" is just another way of saying "my way".


Many politicians still believe that secret backdoors are the silver bullet to the encryption "problem", after how many experts keep saying security and backdoors are incompatible?

I don't believe it's nearly as black-and-white as you would make it out to be. There is a middle ground where our industry has a responsibility to not only "give the facts", but also provide guidance, especially when explicitly asked for.


Nice overview, but more importantly, what will Troy say when members ask him for solutions? Notably absent are details on whom to hold accountable, how to hold them accountable, and what penalties should be in place.


I don't mean to sound cynical (as in, this is a genuine question) but do these hearings amount to anything more than political grandstanding so that the relevant Congresspersons can claim to have been 'tough' on whatever topic was discussed?


Hearings like this are part of the process towards actual action, and if the process continues, then it's not grandstanding. However if they do hearings and no more, it's worthless. We can't tell from the hearings themselves whether they will lead to action... which is why it's such an effective way to grandstand!


Off topic but I just have to say it.

There isn't a damn thing wrong with being cynical. Cynicism (at whatever level) is a very valid philosophy and no one should have to apologize for having it.

http://richardbayan.typepad.com/the_cynics_sanctuary/cynicis...


^^ For proof of cynicism's legitimacy see downvotes.

Some people think motive and human nature should be viewed with rose colored glasses. Many people urging others to hold this viewpoint stand to gain by advocating it. But not me. I expected.

Back to the original off topic point. Don't apologize for being cynical. It's a mental model that is quite often accurate.

<edit because I really have to get this off my chest as it's so annoying>

Here's what I think. I think you have observed a pattern of hearings that appeared to be little more than political grandstanding. And maybe you haven't ever observed a hearing that was anything different, as in, designed to get to the bottom of something and produce results. If the above is true you understandably expect a continuation of the same pattern. Yet you feel the need to apologize for this perfectly intelligent and rational expectation. Why? Possibly because you have been conditioned against being "negative" and led to believe that cynicism is somehow evil? Well I just have to say... Fuck That! You are right from what I can see.


It depends very much on the particular Congresscritter in question.


Hard to say in 2017 :/

I'm of the opinion that the US is irretrievably lost in the hole of plutocracy / oligarchy. Recall during the election Donald Trump bragging he can buy politicians [1].

I'm finding "hero politicians" to be less and less common, and dare they raise their head, the establishment usually does everything in their power to mow the lawn. See - Bernie Sanders, alongside a couple other rare US Federal politicians, an actual good egg that appears to not be bought and paid for by corporate lobbyists.

There's lots of people trying to paint in black and white how obvious it is you can pay a politician to pass laws to protect you - we can go on for hours about Big Telecom minging about in local jurisdictions to prevent new providers, Big Oil essentially preventing a nuclear revolution in the USA, etc, but this site[2] paints a pretty clear picture in my opinion: Given that a corporation is expected to generate profit on dollars spent, why would BlueCross BlueShield and UnitedHealthcare be dumping money onto politicians? What reason could there possibly be other than to protect their profits?

I dunno man, other people are better at espousing the problem of money in politics than me, I just am cynical as hell after seeing time and time again obviously anti-WeThePeople votes bought for mere thousands.

So, to answer your question, in my un-professional opinion, the reason these hearings are good is they can inform the media and general public. They can get something on the record. We still reference hearings from decades ago - and can use that to apply pressure. "Senator, weren't you in x hearing, why then did you not do anything about y?" It can also inform the select few Hero politicians who can actually do good work for us with this new information - they're busy as fuck and this is one hell of a way to get data to them.

Ancillaries include giving new ammunition to Word Wars - various politicians can use buzzlines from the hearing to further their own goal, which might help us, might not, god only knows.

So my opinion, I'm glad these happen, but I think afterwards it'd be cool if people like Troy Hunt used their position to drum up donations to buy a couple of the politicians in the hearing, or at the very least throw more money at Twitter so that the Comcast and BroadBandForAmerica lobbyist propaganda promoted tweets can be buried under pro-WeThePeople material.

[1](https://www.washingtonpost.com/politics/trump-bragged-that-h...)

[2](https://www.opensecrets.org/lobby/issuesum.php?id=HCR&year=2...)


You are right to point out the extent of how corrupt our political system is. It's understandable that you've become cynical after all this. But I hope your cynicism doesn't discourage you from trying to make things better. The corruption is allowed to exist because so many people, who should be outraged, simply throw up their hands and say that nothing can be changed.

Troy is doing what he can to make a difference. We shouldn't have unrealistic expectations of what this can accomplish. But we should applaud the effort.

We can force companies and governments to change their approach to security. But we need to start talking about these issues outside of HN. We need to get organized. We need to force change in our own companies.


I feel you. I do my part, writing my congressfolks, kicking up shitstorms in their voicemails occasionally.

My end-game though is to become Really Goddamned Rich and start swinging my big cash dick around. I'm kind of curious why folks like Musk don't do that more often. Gates did it once and nearly irradiated an entire species of virus (polio).

EDIT: Btw, this is a great tool for pestering all your reps at once: https://democracy.io/#!/


Troy: HUGE kudos for how you managed such an open and transparent process. Don't recall any other examples of such inclusiveness and openness for a senate testimony. Bruce Schneier did a good job sharing his testimony after the fact but you went all in.


It is unfortunate that he uses "date of birth" and "home address" as exemplars of information that is "of no use to the service." That is because these two pieces of information are most frequently used to establish that the user is of the age of majority (an adult) and under which set of licensing regimes is the product operating. Both of which may be critical to the function of the service.

Much better examples would be "Gender" and "telephone number".

I completely agree with the notion that data maximization (or aggregation of meta data associated with a unique ID) are the roots of many evils and risks.


Verifying jurisdiction doesn't require you to know the whole address, just the country code and possibly the state.

Verifying if someone is legally an adult doesn't require you to know the exact age and definitely not the birthday, simply "yes" would be sufficient.


I don't disagree with your analysis, however I have been informed that there are reasons for asking things this way. At a class for booth volunteers for selling alcohol for example we were told to ask for someone's birthday rather than their age. The reasoning in that training was that someone could quickly lie about their age but they had to work at it to back compute a birth date that would fall within the range of legal drinking age and not be ridiculous for someone of their apparent youth.

I am not saying that this is a reason that everyone uses for asking these questions obliquely. I am simply sharing a situation for which I was explicitly told that was the reasoning behind asking the question in that way.


There is usually no time constraint when filling out an online form. And I'd imagine the physical nature of the in-person alcohol exchange allows the booth operator to evaluate the physical response of the person being asked. All of this is to say, while I understand the idea in physical exchanges, to me the logic breaks down when I can find a completely valid and full address on Google maps in a couple of seconds (assuming one of the reasons they ask for full address is the difficulty in generating at random a valid address that exists).


The data doesn't need to be kept though. It can be requested, checked, verified and erased.


Unless there are compliance audits.


I'm replying in the hope that Troy Hunt reads it, because I am commenting too late for conversation to happen.

This presentation involves a lot of complex terminology from the get go. This keeps it from engaging people's logical brains, and means that you are too easy to ignore. Our first pass at analyzing people is to figure out whether they can be safely ignored. This response is well before rational thought, and the part of our brain that decides it is unable to handle complex language. It doesn't matter how right you are, you are literally not heard.

You can't fix the document. But you'll be talking in person to lawmakers. You can address the challenge there.

Don't open with something like: "Data breaches occur via a variety of different 'vectors' including malicious activity by attackers exploiting vulnerabilities, misconfiguration on behalf of system owners and software products intentionally exposing data by design."

Open with something like: "Anyone can steal your identity. Your wife's as well. My site shows you some of the security breaches that criminals can use to pretend to be you. Nobody knows how many more are out there."

Make it simple and straightforward. Make the threat personal. This requires their full attention to figure out what you are saying. That makes their logical brains connect.

Good luck. You have an important message and I really hope that they hear you.


I hope some good comes from this testimony. I help run a product that works with a tremendous amount of data. I welcome additional accountability as well as the security that would come from knowing that any regulatory requirements are properly met.

On a second note, will this be the historic first time anyone says the word "Pwned" before Congress?


I hope they won't use the hearing for blaming foreign adversaries that need to be fought with offensive capabilities. It should be made clear that the problems are homegrown.


I have an amazing idea. Why not let the companies be liable for their own data breaches? Wow, what an amazing idea! /s


Liable how? And to what extent? The idea "let the companies be liable for their own data breaches" sounds good until you think about it for more than 10 seconds.

Identity fraud is not normally carried out using just one breach; it is several breaches combined that give a criminal what they need to commit full identity fraud.

Credit Card Fraud can almost never be traced back to a single breach.

Are you holding the company that collected the data liable, or the company that the data was stolen from? Oftentimes these are not the same entities.

I can probably come up with about 1000 other things to bring up in relation to "let the companies be liable for their own data breaches."


The EU is well underway to establishing this.

What would be even better is to move the lack of reporting of a breach to the criminal branch of the law.


I'm glad you hit the main points, but you did not offer any solutions, and I think partial encryption is one that is really important to lay out. Our social security numbers and valued information (that cannot be changed, like where you were born) need to be encrypted all the time, not just when convenient.


Encryption doesn't really help when 1/3 of Americans' SSNs have been publicized already. It's shutting the barn doors after the horses are long gone. SSN needs to be at most a username, rather than a credential.


True, but whatever supplants SSNs must be safeguarded via partial encryption.


Encryption is good. Even better, for credit cards, use reference numbers from the CC company instead: they identify an individual account (to the CC company) but aren't the card number and can't be used for obtaining credit, just for discussing the account. Encryption is fine, but it is better not to store volatiles at all if you don't have to.


Clear and to the point, hopefully sparks conversations about how to fix these issues moving forward.


"4. An attitude of "data maximisation" is causing services to request extensive personal information well beyond the scope of what is needed to provide that service. That data is usually then retained for perpetuity thus adding to an individual's overall risk."

And HIBP is an example of this attitude because it collects data dumps and then (at least) collects and retains user-submitted email addresses and a record of presence/absence of such "live" email addresses in the data dumps. This is beyond the scope of what is needed to provide the service, namely, copies of the data dumps available for download. The user need not share their search terms with any third party, such as HIBP. A means to search these dumps locally (offline) without sharing the searches with third parties such as HIBP exists. "Online tools" are vectors for gathering the sort of data that is later the subject of "data breaches". Offline tools do not suffer from this problem.

"6. Data breaches are redistributed extensively. There's an active trading scene exchanging data both for monetary gain and simply as a hobby; people collect (and thus replicate) breaches."

HIBP is collecting and thus replicating data breaches for "monetary gain" or "simply as a hobby"? Or is it something else?

As above, HIBP does not provide users with the data dumps they need to check them locally (offline) without contributing more data to third parties in the process (e.g., working email addresses, associated search terms, associated originating IPs, etc.).

Further, users are not provided with transparency into what HIBP is doing, i.e., what it is storing and how and where it is stored. Users cannot evaluate the security practices of HIBP as yet another online repository of sensitive user data that, by virtue of its existence, could be a target.

In summary, what he is not telling US Congress is that 1. "online services" or so-called "online tools", HIBP being one, are a major part of the problem and 2. there are alternative solutions, i.e., offline service and offline tools, and what HIBP provides is an excellent example of where an online service is unnecessary and is collecting large amounts of user data, unnecessarily.

Addendum: "What I'm telling you" is that I believe the problem is data collection. Any "solution" which collects data, and in this case data it is not supposed to have (e.g., a data breach), then collects more data (e.g., metadata) from users and finally asks users to trust the "new collector" is not a solution, IMO. Especially where the new collector shares no technical details about his operation (e.g. storage of user data). This practice ignores simple, obvious solutions to the problem of data collection, such as performance of tasks offline which if performed online would likely lead to the collection of user data. It reinforces the mindset that perpetuates the problem: that data collection and trusting third parties is always necessary.


> This is beyond the scope of what is needed to provide the service, namely, copies of the data dumps available for download.

You're telling us that you'd rather HIBP act as a clearing house for credentials and user information as a result of a data breach, rather than exposing a single bit of information per user ("have i been pwned?")?

I, at least, completely disagree with you, regardless of Troy's motives or any "monetary gain" he receives through HIBP. Troy has been incredibly transparent, and in fact talks about this very issue on his blog https://www.troyhunt.com/here-are-all-the-reasons-i-dont-mak...

