
Website Posts Partial SSNs of Politicians in Protest

John3 writes "The Foundation for Taxpayer & Consumer Rights has posted partial Social Security numbers for several California politicians to protest their vote against pending privacy legislation. According to a San Francisco Chronicle story, the SSNs were purchased on the Internet for $26." Now there's an effective way of showing the problems of the status quo.
  • SB1386 tie in (Score:5, Interesting)

    by eericson ( 103272 ) <harlequin&earthlink,net> on Saturday June 21, 2003 @04:44PM (#6263298) Homepage

    What I find amusing about this situation is that these are the same leglislators (scuse the spelling) that unanimously voted for SB1386 [strongauth.com] when their bank/credit info was compromised, yet don't want to take that last step now to protect everyone's privacy.

    The more time I spend in CA the more I realize our state legislators are like ill trained puppies: They're cute to look at, but occasionally you need to whack them with a magazine to keep them from crapping on the carpet.

    -E2
  • by Anonymous Coward on Saturday June 21, 2003 @04:48PM (#6263320)
    This reminds me of that time that reporters in Washington St. decided to rummage through the garbage of all the government officials who supported the police in removing garbage as evidence from the outside of suspects' homes.

    That didn't end up well for the officials then, sort of a double standard.
  • Re:Why only partial? (Score:3, Interesting)

    by anthony_dipierro ( 543308 ) on Saturday June 21, 2003 @04:50PM (#6263335) Journal
    Well, the reason is because if I post my own SSN, then I could be considered to be implicitly allowing others to use it. I don't care if someone else posts my SSN, but I'm not going to do it myself.
  • Re:Whoop deedoo (Score:5, Interesting)

    by KingArthur10 ( 679328 ) <[arthur.bogard] [at] [gmail.com]> on Saturday June 21, 2003 @04:54PM (#6263354)
    Actually, the credit bureau once accidentally typed in the wrong SSN of a convicted felon. After that, the man's SSN that they typed in was suddenly not able to find a job or get credit for anything. After at least 10 years in the gutter, one of the people he looked to for employment said to him "we don't hire people with your history". The man began inquiring what that must mean and found out that the credit bureau screwed up his account by saying he was a convicted felon. He then sued the bureau for a good 20-50 million dollars and is now living on easy street. All I was really trying to say is that if someone wants to get your SSN, all they have to do is act like an employer and do a credit check. There are a million other ways, too. When I worked at CVS, our login code was our SSN. All someone had to do would be watch closely a few times, and wham, they've got it.
  • Re:Why only partial? (Score:2, Interesting)

    by ChadN ( 21033 ) on Saturday June 21, 2003 @04:55PM (#6263359)
    If Bill ever collects on Social Security, it might make front page news (well, front Slashdot page news, anyway).
  • Re:Why only partial? (Score:2, Interesting)

    by anthony_dipierro ( 543308 ) on Saturday June 21, 2003 @04:57PM (#6263364) Journal
    See, I still think if I give it to you I'd be negligently guilty of its use. But hey, for $26 you can find it out, right? I'll give $26 to the first person who posts my SSN on slashdot.
  • Semi O/T Rant... (Score:4, Interesting)

    by curunir ( 98273 ) * on Saturday June 21, 2003 @05:10PM (#6263428) Homepage Journal
    The problem isn't that we need privacy laws to protect users' SSNs...those can be publicly available. The problem is that the SSN has been overloaded by businesses and other organizations.

    A SSN is a number granted to an individual by the government for the purposes of identifying that person to the government. It shouldn't be a means of identifying someone to a credit card company, bank or other institution (my university used SSN as our student ID numbers). If one of these institutions wants to identify me by a number, they can assign me their own damn number.

    What we need is legislation preventing private institutions from assigning extra significance to any government issued piece of identification. Just because SSN is a handy primary key for their db tables doesn't mean that they should be allowed to use it.
    </rant>
  • Funniest Thing To Me (Score:3, Interesting)

    by Babbster ( 107076 ) <aaronbabb&gmail,com> on Saturday June 21, 2003 @05:11PM (#6263431) Homepage
    The only reason not to vote for increased privacy for financial data would be the cost of said legislation to business, government or both. Yet their response is to call for increased lobbying restrictions that presumably will cost the government more money.

    Like most here, I think this is an effective demonstration of the ease with which personal information can be obtained, whether on the Interweb or elsewhere. The mere fact that these legislators are reacting so badly to release of fairly benign personal information is probably an indicator that they made a mistake in their voting. If they truly believed in their position they would have looked at this release and shrugged, or even been amused.

  • by GillBates0 ( 664202 ) on Saturday June 21, 2003 @05:19PM (#6263455) Homepage Journal
    Social Security numbers were originally intended to be used only by the social security program and were supposed to make record keeping easier. They were never meant to function as an authentication mechanism.

    The problem arose when the mapping between a person's name (or identity) and the SSN was considered confidential information, and a number of government and non government organizations started treating the knowledge of a person's SSN as an authentication mechanism.

    Many companies treat the fact that you know (the last 4 digits of) a social security number combined with some additional information like the last name and street address as proof that you are indeed who the record states you are.

    This is absurd. Either each individual should be assigned a secret id, which when used in conjunction with the SSN proves one's identity, or some other mechanism to verify identity should be developed. As long as the SSN continues to be (ab)used as a supposedly public index into a database, as well as a piece of confidential information, privacy will remain a farce.
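The distinction drawn in the comment above, as an added example that is not part of the original post: the SSN serves only as a lookup key, and a separately issued secret does the authenticating. All function names, the record layout and the sample data are assumptions made up for illustration.

```python
import hashlib
import hmac
import os

def _kdf(secret: str, salt: bytes) -> bytes:
    # Salted, slow hash so a leaked record does not reveal the secret itself.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

def enroll(records: dict, ssn: str, last_name: str, street: str, secret: str) -> None:
    # The SSN is only the index (identifier); the secret is stored as a hash.
    salt = os.urandom(16)
    records[ssn] = {"last_name": last_name, "street": street,
                    "salt": salt, "secret_hash": _kdf(secret, salt)}

def weak_verify(records, last4, last_name, street) -> bool:
    # The pattern the comment criticises: facts that many parties hold
    # (last four digits, surname, address) are accepted as proof of identity.
    for ssn, rec in records.items():
        if (ssn[-4:] == last4 and rec["last_name"].lower() == last_name.lower()
                and rec["street"].lower() == street.lower()):
            return True
    return False

_DUMMY_SALT = b"\x00" * 16

def strong_verify(records, ssn, secret) -> bool:
    # SSN selects the record; only the separately issued secret authenticates.
    rec = records.get(ssn)
    if rec is None:
        _kdf(secret, _DUMMY_SALT)  # do the same work for unknown identifiers
        return False
    return hmac.compare_digest(_kdf(secret, rec["salt"]), rec["secret_hash"])

# Constructed sample data: area number 000 is never issued.
RECORDS = {}
enroll(RECORDS, "000-00-1234", "Doe", "1 Example St", "correct horse battery")

if __name__ == "__main__":
    # Someone holding only the purchasable facts passes the weak check...
    print(weak_verify(RECORDS, "1234", "doe", "1 example st"))
    # ...but not the check that needs the secret.
    print(strong_verify(RECORDS, "000-00-1234", "guess"))
    print(strong_verify(RECORDS, "000-00-1234", "correct horse battery"))
```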

  • Presume negligence (Score:5, Interesting)

    by Animats ( 122034 ) on Saturday June 21, 2003 @05:20PM (#6263461) Homepage
    The easy way to fix this is to legislate that any person or institution who uses a social security number, or part thereof, for authentication purposes is presumptively negligent. Any person or institution that uses a SSN for identification purposes assumes all risk thereby, including liability to other parties, and cannot disclaim, offset, or shift said liability.

    This allows the use of SSNs as an identifier, but not as an authentication token. Lawyers have a hard problem with that distinction, but they understand negligence.

  • by Ed Avis ( 5917 ) <ed@membled.com> on Saturday June 21, 2003 @05:29PM (#6263493) Homepage
    The root of the problem is that any system relying on keeping your social security number secret is broken. An SSN is an identifier for a person, it is like a name. You don't keep your name secret (Wizard of Earthsea aside) so why should the number be different?

    Not that you'd necessarily want people to be able to find out and disclose your number whenever they felt like it - there are still privacy considerations even with 'useless' information - but if disclosing the number exposes you to fraud then the fault is with the systems that rely on SSN to authenticate (rather than identify) an individual.

    Every cheque you write has your bank account number on it. Disclosing the number doesn't automatically expose you to fraud (unless you also supply headed notepaper and do other stupid things). If the banks can do it, why not social security?
  • Re:Glorious (Score:5, Interesting)

    by miu ( 626917 ) on Saturday June 21, 2003 @05:29PM (#6263497) Homepage Journal
    Heheh... what a great poke-in-the-eye to the legislators, and a great demonstration of what the issue was really about.

    The problem is that civil servants (such as these politicians) often believe that they are our superiors. So most of them are incapable of realizing that privacy laws are for everyone. Instead they will look at creating a law or applying an existing law in such a way as to protect just themselves. That was exactly the reaction of the civil servants involved in the garbage search incident in Oregon.

  • by bucky0 ( 229117 ) on Saturday June 21, 2003 @05:42PM (#6263551)
    The problem is that in the US (I'm not sure how it works where you live) if I have your SSN, I can basically ruin your life. I can open a credit card in your name and run up thousands of dollars of charges with your SSN. 'Identity fraud' as it's called is a serious problem which ruins thousands of people's lives every year. This bill (as I understand it) limits how much the government can throw around your SSN to try and keep it out of thieves' hands.
  • Re:Why only partial? (Score:4, Interesting)

    by Cyclometh ( 629276 ) on Saturday June 21, 2003 @05:42PM (#6263555)
    Actually, in the case of major political figures (which probably does not include California assembly members), actors/actresses and other famous individuals, the government, in particular GSA and the Social Security Administration, have flagged their numbers.

    Having known people who work for the SSA, I've heard stories of having to deal with processing a legitimate information request for a major figure, such as an actor or member of Congress, and having to explain every aspect of the actions taken the next day, because any processing of data using a flagged number triggers an internal review.

    If you try and use that SSN for anything, you'll very quickly be getting a visit from some individuals with their sense of humor surgically removed, and you'll very likely not be seen for a while.
  • Who do you work for? (Score:1, Interesting)

    by Anonymous Coward on Saturday June 21, 2003 @05:47PM (#6263571)
    Give us a hint to go on...

    I know for a fact, for example, that I can get the SSN of anyone in my company (or who previously worked for it, since they don't delete the info!).

    No, I'm not privy to the information. They have an app with a poorly implemented security layer which will allow you to see anyone's information - where they live, ssn, name.

    Perhaps you could work for the same company?
  • by henriksh ( 683138 ) <hsh@freecode.dk> on Saturday June 21, 2003 @05:56PM (#6263612) Homepage
    I never hear of anyone having their CPR number misused.

    I'm Danish too, and I have heard several stories about misuse of CPR numbers. It's actually too easy to misuse, since a lot of people believe that you are who you say you are, if you can give out your CPR. No picture ID required. Terrible, I know, but I have experienced this many times.

    So it's not just the Americans that have a reason to be paranoid.

  • by Lord Kano ( 13027 ) on Saturday June 21, 2003 @06:27PM (#6263723) Homepage Journal
    My point is that by performing the same exercise before the vote, they might have influenced the vote to go the way they wanted. By doing this after the vote, at best, they require the process to start over again with a new bill to achieve what they want.

    Had they asked nicely before the vote (which I assume they did, they are lobbyists after all) they would have been ignored. If they had released this information they would have been accused of attempting to extort the assemblymen.

    You don't persuade a burglar to not rape your wife or steal your property. You make sure that it is too costly for him (personally) to even try. If the big dog in the back yard doesn't discourage him, maybe the NRA bumper sticker on the pickup outside will.

    Ask nicely beforehand, and if you are ignored, punish severely afterward.

    These politicians already cared nothing for the privacy bill, perhaps because it was an abstract idea to them. Now that their information is at risk, it is more than just a concept. It is important to each and every one of them. Who cares if they like you? They will do the right thing because it will now benefit them.
  • Re:Why only partial? (Score:3, Interesting)

    by Cyclometh ( 629276 ) on Saturday June 21, 2003 @08:10PM (#6264169)
    You have a point, but the fact is that people who are (in)famous are the target of harassment, stalking, and other attacks more often than the average joe. I can imagine there's a few anti-Microsoft zealots who would love to savage Bill Gates' credit record or file an SSI claim as him, just as an example.

    I think that if I were Bill Gates, I'd be justifiably more concerned about the potential of abuse of my SSA data than I personally am. I certainly am concerned about it, but I'm not subject to the same kind of exposure that political figures, actors, and so on are.

    It's probably a question of simply allocating resources- you can't flag everyone's SSN for followup, but it should raise a flag (in my opinion) if the Speaker of the House's social security records are accessed by an operator answering the 1-800 line, for example. Chances are, it's just someone (usually a flunky) filing some piece of paperwork or other, but it could be something more sinister.
  • by bucky0 ( 229117 ) on Sunday June 22, 2003 @12:01AM (#6265151)
    Well, I don't know if any of these ideas would realistically work but a good fix would be to have several different ID numbers, one for financial information, one for health information etc... so it would at least 'partition off' any damage that a malicious person could cause.

    Of course, the best and most ideal solution would be to distribute RSA SecurID cards to everyone. (They are little cards or keychains that display a number on an LCD screen that changes every minute or so) That way, the only way someone could steal your identity would be for them to both steal the card from you and somehow figure out the PIN number you memorised.

    I don't think there's really an easy fix.
