How To Stop Businesses Storing SSNs Indefinitely?

The Angry Mick writes "My wife and I recently moved, and during the course of providing change-of-address information to the many companies we do business with, I asked each if they were storing a full Social Security number in their databases, and if so, could they remove it or replace it with an alternate identifier. Neither the experience nor the results were particularly enjoyable. On the positive end of the spectrum, some companies were more than willing to make a change, even offering suggestions for a suitable alternate such as a driver's license number. In the middle were companies that made things a little more difficult, requiring several steps up the management tree before speaking to someone with some actual authority to address the issue. Then there was DirectTV. This company not only flatly refused to consider the suggestion, but also informed me that even if I were to discontinue service with them, they still intended to keep my full SSN on file indefinitely. There is no logical reason for them to do this, and I'm not keen on the idea of being left vulnerable to identity theft should they have experience any security breaches at any future point in my life. So, my questions to the Slashdot community are: Has anyone else tried getting your SSN replaced or removed in corporate databases, and what were your experiences? And short of Armageddon, is there any way to force a company to erase your SSNs after you cease doing business with them, or is this a job for a lawyer or regulatory body?"

Bad news. XD

[BlueKitties]

Some (financial) Point Of Sale software I designed uses SSNs to tell the difference between customers with identical names. If I change the SSN... it thinks you're a new customer. Well... this is something to think about.

Your Rights & Your Actions

[eldavojohn]

Here's a 36 page document outlining your "Federal and State Laws Restricting the Use of SSNs" [gao.gov] and identifies the gaps. The GAO actually has some good reading and ammunition for this if you've got the time [gao.gov]. And here's the really dry "Identity Theft and Assumption Deterrence Act (Identity Theft Act)" itself [ftc.gov]. Now, stronger stuff has been presented in 2005 [loc.gov] but aside from stiffer penalties being signed into law in 2004, I haven't seen much.

So, you could call them up and threaten them with prosecution under the aforementioned acts which--given the right tone of voice--should do the trick for you. Or, if you read the GAO report, they say:

In 1998, Congress made identity theft a federal crime when it enacted the Identity Theft and Assumption Deterrence Act (Identity Theft Act).5 The act made it a criminal offense for a person to "knowingly transfer, possess, or use without lawful authority," another person's means of identification "with the intent to commit, or to aid or abet, or in connection with, any unlawful activity that constitutes a violation of federal law, or that constitutes a felony under any applicable state or local law." Under the act, a name or SSN is considered a "means of identification," and a number of cases have been prosecuted under this law.

Now, with that, I would seek a lawyer who would take this case (maybe even some high profile lawyer or a member of the EFF) and clearly outline the above in a written letter with your signature informing them that they are in violation of the "Identity Theft and Assumption Deterrence Act (Identity Theft Act)" and if they do not remove your Social Security Numbers, you will take legal action. If your case is solid enough, you might be able to really stick it to DirectTV for storing personal private data "without lawful authority" as they do not have the written consent of every customer.

PIPEDA

[holophrastic]

.P.I.P.E.D.A.
Canadian regulation that in short says any business has to divulge any personal information of yours that they are storing, and allow you to change or remove it. It may be with a simple web-site form, it may be with a written letter, but that's the law.

Re:Ugh, DirecTV should just go away

[Reece400]

If you provide your SSN to Comcast, they also store it indefinatly.
They use it for internal credit checks to make sure you don't owe them any money on previous accounts (and likely for other things as well).

That said you can usually setup an account without your SSN, but you'll need to set it up directly with your local office instead of by phone or internet.

Here is what you should know

[Anonymous Coward]

Read This, I hope it helps!

http://www.privacyrights.org/fs/fs10a-SSNFAQ.htm

Re:Bad news. XD

[dintech]

I was wondering if there was anything equivalent to the Data Protection Act [wikipedia.org] in the America:

• Data may only be used for the specific purposes for which it was collected.
• Data must not be disclosed to other parties without the consent of the individual whom it is about, unless there is legislation or other overriding legitimate reason to share the information (for example, the prevention or detection of crime). It is an offence for Other Parties to obtain this personal data without authorisation.
• Individuals have a right of access to the information held about them, subject to certain exceptions (for example, information held for the prevention or detection of crime).
• Personal information may be kept for no longer than is necessary and must be kept up to date.
• Personal information may not be sent outside the European Economic Area unless the individual whom it is about has consented or adequate protection is in place, for example by the use of a prescribed form of contract to govern the transmission of the data.
• Subject to some exceptions for organisations that only do very simple processing, and for domestic use, all entities that process personal information must register with the Information Commissioner's Office.
• Entities holding personal information are required to have adequate security measures in place. Those include technical measures (such as firewalls) and organisational measures (such as staff training).
• Subjects have the right to have factually incorrect information corrected (note: this does not extend to matters of opinion).

DirecTV gives service to identity thieves!

[NixieBunny]

I had their collection agency call me earlier this year asking if I really was the person who ordered service in my name in a house on the other side of town and failed to pay the bill for three months. No, it was an SSN thief who took out service in my name, using my fine credit rating. It turns out that DirecTV doesn't check your bona fides such as your address - they only run a credit check on the name and SSN you provide, without verifying that you belong to either that name or SSN!

Re:Broken by design.

[TheRealMindChild]

This isn't really in defense of the hospitals, but a WHOLE LOT of people use the hospital because they can't pay for medical attention and the hospital can't refuse. The SSN is likely there so they can track you down to the ends of the Earth to try and get their money.

Re:Bad news. XD

[Sun.Jedi]

There is not much [wikipedia.org]. This excerpt, In general terms, in the U.S., whoever can be troubled to key in the data, is deemed to own the right to store and use it, even if the data were collected without permission, is particularly disturbing.

Data may only be used for the specific purposes for which it was collected.

While you may THINK the data was collected for either a sale, long term lease agreements (similar to cable service), or whatnot... the ACTUAL specific purpose was to track you and sell your information to "partners".

Data must not be disclosed to other parties without the consent of the individual whom it is about

This is where the "partners" come in ... See JCpenny and SBS [google.com] for an example of 1 company using your information and giving it to a partner company.

Personal information may be kept for no longer than is necessary and must be kept up to date.

Too bad its not supposed to be deleted if it can't be confirmed in given period of time. Also, SSNs don't expire, so you get off thier list if you die. Yay.

Re:Something I've considered...

[jDeepbeep]

is it possible to do identity theft with only the SSN alone?

Unfortunately, yes. It provides enough of a building block (used both as an identifier and as an authenticator) to allow a moderately-clever person to build up the rest of the identity.

Re:Something I've considered...

[Daniel_Staal]

It's not. It's supposed to be unique (within certain criteria: they do get reused eventually) across everyone in the USA, so the Social Security Administration can identify everyone. That's all it was designed for.

It just happened that the SSN was the first major government number that everyone was required to have. So everyone else used the fact that it was there and unique to make their lives easier. Which means that now everybody tracks you by that number, and if you have that number you can impersonate anyone in any database that uses it.

It's not supposed to be secret. It's not supposed to be your full ID. It just became that.

Those SSN Grubbing low lifes

[SomeRADDude]

Dish Network and DirecTV keep your SSN as previously mentioned to ensure that you do not owe them money from a previous account and so you can never again qualify for new user treatment (free equipment, programming packages and installation), the sock sucking bastiges. As for identity theft, unless you conduct all business by trading beans in a 3rd world country, at this point it seems to be a matter of when, not if.

Re:Something I've considered...

[MirthScout]

That's actually a good question. The answer is , no, it is not supposed to be secret. It is an identifier; identifiers are not secret.

The problem is that so many companies misuse SSNs. They treat them as if they were passwords.
What is your name? John Smith
What is your SSN? 123-45-6789
OK, you must be John Smith all right. What can I do for you?

It is this completely broken way that companies "verify" your identity that is the problem. People try to keep their SSN secret to reduce the chances an "identity thief" will get it and use a company's and/or bank's broken procedures to steal from you.

Re:Broken by design.

[CastrTroy]

That's funny I usually just provide my health card, and then I don't have to worry about giving out my social insurance number. I also don't have to worry about paying.

Re:Ugh, DirecTV should just go away

[Albanach]

Although is is actually illegal to use a SSN for identification

No, it's illegal for the Government to use it other than for its intended purpose. Companies can do what they like with it.

From the Social Security Website: http://ssa-custhelp.ssa.gov/cgi-bin/ssa.cfg/php/enduser/std_adp.php?p_faqid=78 [ssa.gov]

If a business or other enterprise asks you for your number, you can refuse to give it. However, that may mean doing without the purchase or service for which your number was requested. For example, utility companies and other services ask for a Social Security number, but do not need it; they can do a credit check or identify the person in their records by alternative means.
[emphasis mine]

Re:Broken by design.

[FictionPimp]

I work at a college, when I started the main thing we were doing was changing our system to assign unique ID's to all students and remove all SSN numbers in places where it was used as ID's.

The whole project took about a year to do. Now there is only one place where you can still find the SSN number, and that is only because it is required for some financial aid things.

Re:Identity Theft is a crime.

[Jason Levine]

I don't think giving a fake SSN is identity theft. (And I happen to be a victim of identity theft.) If I say "my name is Jason Levine and my SSN is 583-58-2958" (not my real SSN, of course), I haven't stolen anyone's identity. Yes, that number might match someone's SSN somewhere, but chances are the name won't. So if you look up the SSN and see it's assigned to "Jane Smith", it will be pretty obvious that the SSN given was wrong or an error occurred somewhere.

Now, if I said "my name is John Smith" and gave John Smith's SSN, Address, etc, *that* would be identity theft.

Re:Something I've considered...

[KingMotley]

Who or what generates the number isn't the problem. If everyone switched over to using your ID number, then pretty soon everyone would be saying to keep that secret just like they do for SSN now. The problem is that the number is being used to authenticate you instead of just identifying you. If companies demanded a valid notarized SSN card as proof prior to obtaining anything in your name, then you could tell your SSN to anyone and it wouldn't matter (with the assumption that it's impossible to forge a SSN card -- granted it isn't impossible, but that's another topic).

Re:Ugh, DirecTV should just go away

[LeadLine]

They then asked me to prove to them I didn't have the modem. How the fuck do you prove that?

You keep the receipt they give you when you return the modem. I've been screwed like that too, now I know better.

Re:Bad news. XD

[NickGnome]

"There must be a way for an individual to prevent information about him that was obtained for one purpose from being used or made available for other purposes without his consent."--- Elliot Richardson 1973 summarizing _Records, Computers, & the Rights of Citizens_ (quoted in Legislative History PL 93-579, Privacy Act of 1974, _Congressional Record_ vol 120, Senate Report #93-1183 pg 6924)

In practice, as you say, even the weak constitutional and statutory protections of privacy are most often ignored.

http://www4.law.cornell.edu/uscode/42/408.html

http://www.usdoj.gov/04foia/privstat.htm

http://www.cavebear.com/nsf-dns/pa_history.htm

http://www.cavebear.com/nsf-dns/5usc552a.htm

http://www.cms.hhs.gov/privacyact/patraining.asp

http://www.cms.hhs.gov/privacyact/pa.pdf

http://www.so.doe.gov/documents/privactof1974.pdf

http://www.epic.org/privacy/laws/privacy_act.html

https://www.cnet.navy.mil/privacyact1974.pdf

http://library.lp.findlaw.com/articles/file/00007/004477/title/subject/topic/constitutional%20law_freedom%20of%20information/filename/constitutionallaw_1_88

http://library.lp.findlaw.com/articles/file/00007/004477/title/subject/topic/constitutional%20law_freedom%20of%20information/filename/constitutionallaw_1_88

http://www.cpsr.org/cpsr/privacy/ssn/ssn.faq.html

http://www.cpsr.org/program/natlID/natlIDfaq.html

Re:Bad news. XD

[Eskarel]

Well for credit checks for one, which is one of the things they do with it. It can be useful for medical records too. Government benefits. Taxation, criminal records. Knowing who you are(and more importantly who you aren't) is rather important for an awful lot of things. Most of these companies mostly want it to make sure you pay your bill. It doesn't technically need to be the PK, but if it's unique it may as well be.

Your SSN isn't really all that important a number in and of itself. The only reason it's important at all is because it's unique to you, any number you have which associates you with something can be stolen and the percentage of your identity associated with that number can be stolen. That's because no one ever validates that the SSN you give is actually yours, which is sort of where the whole problem comes in. Until a solution is worked out for that identity theft isn't going to go away any time soon.

Re:Broken by design.

[Mr. No Skills]

This is bad policy, since many potential hospital "customers" don't have an SSN. Hospitals have to service newborns, visitors, illegals, etc. Using SSN as the unique ID doesn't work, and they usually have work-arounds for this.

Re:Bad news. XD

[Eskarel]

Then you use a number unique to them in their context, but for the most part, the vast majority of the kinds of customers you'd need to uniquely identify for a US company are US residents and since you can't work without an SSN, people who don't have one aren't generally good customers or will pay in cash.

Re:Bad news. XD

[HeronBlademaster]

For your first point: If I wanted to consent to a credit check, then I'd have no problem giving them my SSN, but there's no reason they need to store that permanently. For my simple reasoning, keep reading.

For your second point: My last paragraph (see "Caveat:") in my previous post mentioned that idea, but you didn't read the last sentence:

I'm sure one could invent other methods of solving this.

One trivial solution would be to store only a hash of the SSN. That way, nothing is lost if the database is stolen/copied/sold, and nobody loses their privacy. The SSN is only in plain sight as long as it takes the CSR to type it into the computer.

Re:Ugh, DirecTV should just go away

[elbowboy]

About a year ago I politely asked my Senators if they would work to end use of SS#s by private companies either by outlawing it except for financial institutions or forcing some sort of costly security minimum for storage of SS#s and insurance in the event of theft to discourage people who don't actually need it. Both of which seem logical enough no one should be actively opposed to it.

Months later I received a response from both Senators. One was a form letter about how great the Senator was and how he appreciated my support. The other said that he would consider such a bill if one came before him. So feel free to write the bill and send it to your Senator as mine didn't realize creating legislation was part of his job. Not that its a surprise as it would explain why lobbist are so busy writting our laws.

BBB

[foeclan]

I've had good luck reporting companies to the Better Business Bureau [bbb.org] if their customer service is highly uncooperative. I was receiving unsolicited credit card offers from Citi, even though I'd signed up for the permanent do-not-sell list [creditinfocenter.com]. Their customer service couldn't tell me who sold them my information, but after talking to the BBB, I got a call from someone higher up who let me know Equifax had sold it to them.

I had much worse issues with Alienware, whose customer service was atrocious. I eventually had to go to both the BBB and the Florida Attorney General's office, but they finally swapped out my lemon of a laptop for a new one.