I'm not afraid that "http://www.markbaker.ca" is passed around as identifier for me, because although anybody can claim it as their own (as with an SSN), I'm the only one who can back up that claim as I control the content that's returned on a GET (unlike with an SSN).

Check out Technorati's means of "claiming" a weblog.

I think you overlook the main problem with SSNs as a public identifier. If someone has access to that, they can apply for credit in your name. I think widely dispersed SSNs would make it much more likely to be victimized in this way than by a passing stranger. Would you be willing to post yours online?

Hi. Quick correction re FOAF. FOAF doesn't dictate that mailboxes (or their hashes) are "the FOAF way" of identifying you. FOAF's way is to say that any property that is an owl:InverseFunctionalProperty can be used. This includes but isn't limited to foaf:homepage, foaf:mbox etc.
My take on the problem is at
http://rdfweb.org/mt/foaflog/archives/000039.html

One observation re mailboxes changing: http://xmlns.com/foaf/0.1/#term_mbox
[[
personal mailbox - A personal mailbox, ie. an Internet mailbox associated with exactly one owner, the first owner of this mailbox. This is a 'static inverse functional property', in that there is (across time and change) at most one individual that ever has any particular value for foaf:mbox.
]]

This allows for scenarios such as my losing access to mailto:daniel.brickley@bristol.ac.uk yet it remains in FOAF terms a foaf:mbox of mine, and hence a thing that can be used to identify me, even years later. Of course we might now want to add some notion of 'current mailbox', 'work vs home' mailboxes etc., but all in good time...

I really don't know how I feel about SSNs. I'm simply raising two questions: 1) are privacy fears regarding SSNs still justified? 2) if they are, why wouldn't *any* universal identifier (URI) carry the same danger. This second point is connected to SSNs ability to tie information about me together easily.

As for their "password" quality, perhaps the question that needs asking is "Why would a bank give credit because I simply gave a number to them?" Perhaps the real danger is our false comfort in thinking people don't know our SSN. If everyone knew our SSN, then people wouldn't be so stupid as to treat them as some kind of personal password.

Maybe our efforts are better spent lobbying for banks and hospitals to make more of an effort verifying our identity. I'm mean, come on.... "SSN", "mother's maiden name?", "zip code", "city of birth" ... seems like identity theft would be a piece of cake. I mean, how hard could it be to find these things out on anyone.

Dan, about URIs ... I see the problem of choosing one method for all, but it'd sure be sweet if we could all agree (and trust) some common naming scheme. I'm not sure how often email addresses get re-used, but I'm sure it happens. Without some kind of registration procedure or central repository, the chance of two people using the same URI for their record certainly exists.

I guess the real point of this post is this: let's say there was a "foaf.org" registration server that merely existed to prevent conflicts. I made my foaf file, submitted it to foaf.org, it checked my URI for uniqueness, and sent me some kind of ascii-armored something or other I could include in the foaf file. To prevent privacy concerns, no informaton could be retrieved from the server other than YES or NO. Let's say (for example) that it actually assigned a unique ID number or key sequence, so you didn't have to rely on a mailbox.... the foaf server gave you the URI you could use.
'
Here's the point: isn't this the same problem as with SSNs? Doesn't personal URIs, however they're done, make it too easy to tie information together, much as the SSN privacy folks are worried about?

Crikey!