The New York Times reported yesterday that a publicly accessible government database exposed almost 30,000 Social Security numbers. While the SSNs have been redacted from the web site FedSpending.org, the original database has been in existence for more than two decades and has been copied thousands of times. While this is definitely a cause for concern, I don't know why people are surprised by this kind of thing any more.

The problem is that SSNs have been used for two different purposes that should never have been combined. SSNs were originally intended for tracking income for Social Security and tax purposes, but since they are the only universal and unique identifier assigned to US residents, it became convenient to use them as identifiers in other applications, such as driver's licenses, medical records, and credit reports. Then they began to be used for a second purpose: as a password. The theory was that if you knew a person's SSN you must be that person, which is obviously stupid if that number is widely distributed, as it was in an era when every merchant demanded to see it before accepting a check and when it was printed on every driver's license and medical insurance card.

There have been recent attempts to restrict the use of SSNs, but as this recent breach has shown, there are too many copies of too many databases to get that genie back in the bottle. Perhaps the only real fix is a stronger federal law prohibiting the collection and use of SSNs for any purpose other than tax collection, and the automatic prohibition of any attempt to collect a debt where SSNs were used as a means of establishing identity.