What I Believe

Let’s start by framing the discussion a bit:

• My religious faith is an incredibly large part of my life. As a Christian, I believe that living a homosexual lifestyle is a sin against God. I do not, however, believe that any one sin is fundamentally worse than another. We live in a fallen world in which all people live in sin to some degree or another.

• In general, I do not believe that you can legislate morality. Passing Proposition 8 is not going to cause gay couples to change their lifestyles. If the Church wishes to witness to homosexuals in an attempt to save them from a believed sinful lifestyle, that is perfectly acceptable. The first amendment guarantees any religion the right to exist and express their belief system, and I don’t believe any level-headed person would disagree with the Church’s right to do so, whether they agree with them or not.

• I believe that marriage is an institution created by God to be between one man and one woman.

• Being a religious institution, I believe marriage has no place in government, either in being defined or performed. If governments wish to offer various rights and benefits to legally recognized family units, those rights should be equally extended without any kind of discrimination, whether based on age, race, sexual orientation, etc. I believe government should be involved only in the business of performing such civil unions, seperate from the institution of marriage.

The Ideal Scenario

As mentioned in my last point above, my ideal scenario is one in which governments perform only civil unions, which are equally available to straight and gay couples. Any and all rights and benefits currently afforded married couples are instead granted to these civil unions. Chris Messina and I completely agree on this point.

Where I do not completely agree with Chris is what we should do in our current non-ideal situation. Chris immediately jumps to the conclusion that if marriage must exist, then it should be non-discriminatory. While I agree with the sentiment, I think there’s more to it in this case.

Current Legislation

California domestic partnerships have quite a history. They were first established by the Domestic Partnership Act of 1999 and have continually been granted more rights in every session of congress since. At this point, nearly all of the state benefits available to married couples are also available to those in a domestic partnership. In fact, Equality California and the NCLR said in the introduction to their brochure for Gay couples explaining the law:

… registered domestic partners in California are provided with most of the rights and responsibilities of married couples under California law. However, registered domestic partners still do not receive any of the 1,138 rights and benefits of married couples under federal law. Registered domestic partners also continue to have less security than married couples when they travel or move outside of California.

In the absence of a recognized right to gay marriage, the state of California took the appropriate action of establishing another institution that would afford same-sex couples all the same rights (at the State level) as an opposite-sex couple. Now I’m not a lawyer, but I’m pretty sure that no matter what happens with Proposition 8, same-sex couples will have no more or less rights than they do now within California.

Beyond California, the Defense of Marriage Act prevents the effects of Proposition 8 from having any effect in other states or the federal level. First, the act establishes that no state can be forced to recognize a same-sex marriage from another state:

No State, territory, or possession of the United States, or Indian tribe, shall be required to give effect to any public act, record, or judicial proceeding of any other State, territory, possession, or tribe respecting a relationship between persons of the same sex that is treated as a marriage under the laws of such other State, territory, possession, or tribe, or a right or claim arising from such relationship.

Additionally, it defines marriage at the federal level as being between a man and a woman:

In determining the meaning of any Act of Congress, or of any ruling, regulation, or interpretation of the various administrative bureaus and agencies of the United States, the word “marriage” means only a legal union between one man and one woman as husband and wife, and the word “spouse” refers only to a person of the opposite sex who is a husband or a wife.

While I most certainly do not agree with this act (especially the latter part) and believe that it should be repealed, it’s important to note what this law means for Proposition 8. I would love to hear an analysis from someone more familiar with these laws, but it seems to me that Proposition 8 (whether it passes or not) is likely to have little effect with regards to the actual rights and benefits available of same-sex couples.

Moving Forward

So if my understanding above is correct, then how do we move forward from here? My primary criteria at this point is to identify which vote on Proposition 8 is more likely to be a step in the direction of my ideal scenario.

On one hand, I’m concerned that if we do not pass Proposition 8 and the marriage is made available to same-sex couples, then it will be viewed as having won the war and no more effort will be spent in trying to disconnect marriage and government. If instead Proposition 8 does pass, then at the very least it protects the traditional religious definition of marriage. At most, it would emphasize the need to continue expanding the rights afforded domestic partnerships if there are any shortcomings. Over time, additional legislation could seek the removal of marriage from state law, to be replaced by domestic partnerships (or civil unions) for both same-sex and opposite-sex couples.

On the other hand, I’m generally in favor of small government and don’t like the idea of passing laws that are not really necessary. Even more, amending the constitution pretty firmly plants the institution of marriage within the state government, which is not what I want.

So like I said, I’m not really sure how I’ll be voting next month. I’ve got pretty clear ideas (I think) on the issue, but there’s just no way of knowing what chain reaction this proposition could set in motion in either direction. I welcome any thoughts or comments.

Identifiers versus passwords

The real problem is so obvious and simple that it’s almost embarrasing — it has to do with a confusion between IDs and passwords. Authentication is the process of proving that you are who you say that you are, and in its simplest form usually involves two pieces of information — the identity that you are claiming, and some type of credential that shows you have the right to claim that identity. A few examples:

• when you check your email, you provide an identity in the form of a username and a credential in the form of a password
• secure websites (such as online banking) make use of two certificates for authentication, a public certificate that is handed out to assert an identity and a private key that is used to authenticate that assertion
• a post office box has a box number (the identity) and a physical key used to open it (the credential)

In all of these examples, anyone can be aware of your identity without comprising the integrity of that identity. Quite the contrary, none of these systems would even function if the identity were not made public — what good is an email address if you don’t tell anyone what it is? How can people send you a package if they don’t know your post office box number? The publicity of the identity is fundamental to the functionality of the system. The real power lies in the credential, which is designed to be private. You certainly wouldn’t give your email password or PO box key to a perfect stranger or an untrusted authority.

Because one piece of this puzzle must be public and the other piece must be private, it can be very simply concluded that in order for the system to work these two pieces must be different. Imagine your Internet Provider suddenly decided to start using your email address as your password also, and therefore gave your private email away to anyone who simply knew your email address. You’ve been giving your email address out to friends, printing it on your business cards, and posting it on your website because it’s supposed to be public, but now anyone who has it can access your email account. Or imagine the Post Office started giving away your mail to anyone that could read the numbers on the front of your box, key or no key. Pretty scary thought, no? When there is no clear definition between identities and credentials, the entire security infrastructure caves in on itself.

A brief history of Social Security Numbers

The Social Security Act was enacted in 1935 under President Franklin Roosevelt. While it did authorize the use of some method of keeping records, it did not explicity mention SSNs. After considering several possibilities (including issuing metal dog-tags to every applicant) the Social Security Administration (then called the Social Security Board) finally decided on a 9 digit number that was handled through local post offices beginning in 1936.

In 1943, an executive order required “All Federal components to use the SSN ‘exclusively’ whenever the component found it advisable to set up a new identification system for individuals.” That order was followed when the Civil Service Commission adopted the SSN as an official Federal employee identifier in 1961, and the IRS began using SSN as its official taxpayer identification number in the following year. For the next ten years, SSN use continued to spread throughout government and non-government agencies as their official identifier.

Finally in 1971 the Social Security Administration began to see the potential for misuse of SSNs and a task force issued a report “which proposed that SSA take a ‘cautious and conservative’ position toward SSN use and do nothing to promote the use of the SSN as an identifier”. The report went mostly unheeded as the Privacy Act of 1975 was then passed to try and limit governmental use of SSNs. But by then the damage was already done and continuing to worsen.

(Information from Social Security Administration website: http://www.ssa.gov )

It all goes wrong

By this time all kinds of institutions, including hospitals, employers, and banks, were getting SSNs from their patrons to use as an identifier for their records. While the SSN was never really intended to be used outside of the Social Security Administration, there was no real immediate harm in doing this since SSNs provided a simple and unique identification number for every US citizen.

Somewhere along the line however, some organization mistakenly assumed that a person’s SSN would only be known by that individual. When it came time for this organization to verify that a patron was indeed who he claimed to be, they thought, “well we can just have them verify their SSN which we have on file. Certainly no one else would know this person’s number.” I don’t know when or where it happened, and I don’t know who’s brilliant idea it was, but this decision broke the cardinal rule in authentication — An identifier is NOT a credential.

Today we have SSNs being used as both identifiers and passwords, depending on what organization you are dealing with. Most employers and colleges use SSN as an ID, while most any bank will ask you to verify your Social Security Number “for security purposes”. I should note that you won’t likely find SSNs being used as both identifiers and credentials within the same organization, but there is no consensus on which is the appropriate use. Going back to our earlier examples, this would be similar to the Post Office giving your mail to anyone that knew your email address. As far as the Post Office is concerned, your box number is your identity and your email address is your credential (and should therefore be kept secret). However, your internet provider uses your email address as an identifier and thus encourages you to share it with people. To get your mail, a thief would have to know both your PO box number and your email address - two unrelated tokens, but since they are both public identifiers it would be a trivial task to connect them to each other.

9 minus 5 = the same problem!

Realizing the sensitivity of an individual’s SSN, many organizations have truncated it to only use the last four digits. It seems like a good idea on the surface but it’s the exact same problem, only five digits shorter — the same token is being used as both an identifier and a credential. However, it’s worth mentioning that this truncation does prevent some types of identity theft, such as opening a fraudulent line of credit which would require the entire SSN.

What to do now

So how do we deal with SSNs now? Do we treat them as IDs and not worry about who gets them, or do we treat them as passwords and guard them very carefully? We can’t do both. Of course in an ideal world they would have never been used as passwords to begin with and we wouldn’t have this problem. But since the problem does exist, and because of the sensitivity of data (such as your bank account) that is protected by little more than the last four digits of your SSN, we must treat them as passwords and guard them as such. As for organizations that use SSN in either capacity, efforts should be made to do away with it. If SSN is used as an ID, then an alternate number should be used. If SSN is used as a password, another system needs to be devised to verify a person’s identity such as a code word.

There are still organizations that will ask you for you SSN — don’t give it to them! If your college asks for it, don’t give it to them; they can assign you an alternate ID number (though they will legitimately need your SSN if you get financial aid). If your insurance company uses your SSN as your policy number, demand that they change it. There is presently no law stating who may and may not ask for your SSN (aside from certain government agencies). However, there is also no law preventing a company from not doing business with you if you refuse to give it. You can google for “ssn privacy” to find a lot more information about protecting your SSN.