How To Stop Businesses Storing SSNs Indefinitely?
The Angry Mick writes "My wife and I recently moved, and during the course of providing change-of-address information to the many companies we do business with, I asked each if they were storing a full Social Security number in their databases, and if so, could they remove it or replace it with an alternate identifier. Neither the experience nor the results were particularly enjoyable. On the positive end of the spectrum, some companies were more than willing to make a change, even offering suggestions for a suitable alternate such as a driver's license number. In the middle were companies that made things a little more difficult, requiring several steps up the management tree before speaking to someone with some actual authority to address the issue. Then there was DirecTV. This company not only flatly refused to consider the suggestion, but also informed me that even if I were to discontinue service with them, they still intended to keep my full SSN on file indefinitely. There is no logical reason for them to do this, and I'm not keen on the idea of being left vulnerable to identity theft should they experience any security breaches at any future point in my life. So, my questions to the Slashdot community are: Has anyone else tried getting your SSN replaced or removed in corporate databases, and what were your experiences? And short of Armageddon, is there any way to force a company to erase your SSNs after you cease doing business with them, or is this a job for a lawyer or regulatory body?"
Re:Something I've considered... (Score:5, Interesting)
Back in the early 1980s -- yes, nearly 30 years ago -- MIT allowed students to refuse to have their SS numbers as their Institute ID numbers. In those cases, and also for foreign students who nominally don't have SS numbers, they issued numbers that passed the SS check, but were from an otherwise unallocated block. They cleverly encoded your class year into the number to boot. For a long time I gave my MIT ID number when non-finance-related institutions requested an SS. Worked fine.
I haven't had an active MIT ID for a long while, so don't know what they do now.
Not gonna happen (Score:5, Interesting)
As someone currently working on a database that contains SSNs, I can tell you I couldn't get rid of every instance of yours if I tried. The entire architecture is based around not losing your data no matter how stupid I am. It's a nice thought, but the reality is that you're only increasing the number of people looking at your SSN by trying to get rid of it.
Re:Something I've considered... (Score:4, Interesting)
> MIT allowed students to refuse to have their SS numbers as their Institute ID numbers.
A technical college I attended in Arizona was slightly different. They did allow you to use your SSN for your student ID; however, if you did so, every 4 months you were sent a letter that explained why this was a bad idea, for the student, to persist in doing this, and it closed out with a paragraph urging you to change it to something different.
Re:Not gonna happen (Score:3, Interesting)
That's why SSNs should never be used as primary keys. They are a lookup field to provide a pseudo-unique way of looking up a tied-to-an-individual record much like you might use a last name, an account number, or some other piece of information that can find an actual record entry tied to for transactional purposes.
Primary/Foreign keys should be used to establish a unique record for transactional purposes or to relate to another record for referential integrity. That's all they should be used for.
Social security numbers, loan numbers, account numbers...These kinds of things shouldn't be used for this purpose, they should be used for filtration purposes. That way if any of them change (SSNs blocked out for testing purposes, person switches to a new account number for some reasons, etc.), it has no impact on the integrity of the system.
Wrong Question (Score:1, Interesting)
It's an unfortunate fact that companies will gather sensitive and personally identifying information about their customers and then keep that data long after their business with that customer has ended. Short of regulation, I don't think that this practice will ever stop. As far as your SSN is concerned, it is just another data point in a company's records. It's as identifying as a name and address, a driver's license, or a cell phone number. I don't think that the question should be limited to this supposedly sacrosanct 9-digit number.
I would prefer if we could force a company to remove all of our data from their records once we are no longer their customer, but I don't think I like the unintended consequences that would bring. Maybe the company could be liable for damages caused by these records leaking out to identity thieves. Then again, that would require proof that a) a leak occurred, and b) an identity thief used data from that leak to your detriment. Odds are if you could prove point "a", and you were a victim of identity theft shortly afterward, point "b" would naturally follow (yeah, correlation v. causation and all that, but barring evidence to the contrary it is a reasonable conclusion). Then again, we never should have gotten into the position where a few data points are all that you need to spoof somebody's identity. Maybe the question should be, "what kind of identifying and authenticating data could be used that would be unfeasible to store indefinitely". Unfortunately, that is one of many questions to which I don't have an answer.
Re:Bad news. XD (Score:1, Interesting)
No. In America, anything you collect is yours to sell. It can be quite a shock for those used to the European protections. US companies fall foul of this all the time when they set up EU operations. Old US companies are very good though, mainly because they're staffed by the locals and not exports.
Re:Ugh, DirecTV should just go away (Score:3, Interesting)
> ... explaining that it is illegal to require me to provide it...
Except for the purposes of a credit check.
Part of the reason companies keep this information, in my estimation, is to have it ready to perform future credit checks if you request additional service.
I know with my cell contracts, every time I have added a line, my credit gets checked. Never mind that I have been a customer in good standing for many years.
Re:Bad news. XD (Score:4, Interesting)
It's Burn-Karma-Friday!
In scary America: (Slight exaggeration)
All data is now subordinated to Stopping Terrorists. All other uses are bonuses.
Data must be disclosed upon request without the consent of the individual, unless legislation provides a reason not to share the data, AND no current executive order exists allowing the override of that legislation.
Individuals have no right to access the info about them, subject to certain exceptions.
Personal info must be kept longer than necessary, and may not be up to date.
Re:Something I've considered... (Score:2, Interesting)
Re:Broken by design. (Score:3, Interesting)
Indemnification (Score:5, Interesting)
I always turn it right around on them instantly whenever some merchant wants my number. I got nailed years ago with ID theft, which really sucks and takes a long time to fix, so I came up with something that has been working for me.
I mention getting nailed previously, etc., then ask to see their indemnification policy on security breaches, in writing, so everything is "legal and proper".
You get the *really* blank stare then, because about zero of these companies have anything like that..because they are jerks, but we all know that anyway.
Let them sit for a bit and stew on that. Again, you throw it right back at them when they claim they are secure and "your data is safe with us" and all the other BS..."well, sir, we are secure, and...". They ALL say that, every single stupid company out there claims to be "secure". They initiate that claim when you ask. That's a *vital point* there. As part of this proposed business transaction now, they, through their rep who is talking to you right then and is prepared to accept your money, will make a statement that they are "secure". This is the bingo moment.
I go, along these lines, "swell, that sounds great! You are secure, wonderful, that makes me feel better because ID theft is such a hassle and expense! Err..uhh..just for my records then, please just show me and if you could provide me simple copy of your "data security" warranty provisions, the indemnification policy you must have then, thanks! And BTW, not that this will ever come up, but exactly how much cash do I get back from you when and if you get compromised? If you are "totally secure" as you claim, then you should have no problems with a guarantee that you are secure in writing".
Salt to taste there, and I am never outright rude or obnoxious about it (I will speak in a loud and clear tone though so any other customers present can hear this exchange), just make them back up their contractual claims they just made to you. They just offered you a proviso in the terms of an oral contract to go along with whatever written crap they want you to fill out that they are, in fact, "secure", so you can ask for proof and so on.
The original clerk will be baffled as expected and will then pass the buck. Then just keep bumping it up the food chain until you hit some manager who doesn't want to be bothered and they give you the service without having to hork over your precious. Sometimes it's fast, other times it takes awhile, but usually it works.
If some manager starts to get redneck on you, you can go, again, along these lines, "Oh, you now are withdrawing your offer, because your company lied to me? You tried to extract my cash from me based on a lie? That's serious legal fraud in this state my friend" and etc.
Anyway, it usually works and it certainly is fun!
Re:Broken by design. (Score:3, Interesting)
Re:Bad news. XD (Score:3, Interesting)
As primary key, a UUID [wikipedia.org] makes more sense than a number such as an SSN which can change (yes it can- I'm down to my third by now). No need to make that UUID public or even let people know what it is; you *can* look people up by (a combination of) other bits of information. If someone doesn't want to provide their SSN, you can use their Full Name+Date of Birth for searching - this combination will usually render very few collisions.
Technical solutions aside, I'm with the GP- places that have no business knowing your SSN shouldn't.
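The schema point made in this comment and in the earlier "SSNs should never be used as primary keys" comment, as an added example that is not part of the thread: with the SSN as the key, overwriting it is blocked by the rows that reference it, while a UUID-keyed record can drop the SSN and keep its history. Table names, column names and the sample values are assumptions for illustration; the SSN uses area number 000, which is never issued.

```python
import sqlite3
import uuid

# Schema A: the SSN is the primary key, so a copy lands in every child table.
SSN_AS_KEY = """
CREATE TABLE customer (ssn TEXT PRIMARY KEY NOT NULL, name TEXT NOT NULL);
CREATE TABLE invoice  (id INTEGER PRIMARY KEY,
                       customer_ssn TEXT NOT NULL REFERENCES customer(ssn),
                       amount_cents INTEGER NOT NULL);
"""

# Schema B: a random UUID is the key; the SSN is an optional lookup column.
SURROGATE_KEY = """
CREATE TABLE customer (id TEXT PRIMARY KEY NOT NULL, name TEXT NOT NULL,
                       dob TEXT NOT NULL, ssn TEXT UNIQUE);
CREATE TABLE invoice  (id INTEGER PRIMARY KEY,
                       customer_id TEXT NOT NULL REFERENCES customer(id),
                       amount_cents INTEGER NOT NULL);
"""


def open_db(schema: str) -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # SQLite leaves FK enforcement off by default
    db.executescript(schema)
    return db


def erase_when_ssn_is_key(ssn: str) -> bool:
    """Try to overwrite the SSN in schema A; False means the foreign key blocked it."""
    db = open_db(SSN_AS_KEY)
    with db:
        db.execute("INSERT INTO customer VALUES (?, ?)", (ssn, "Pat Example"))
        db.execute("INSERT INTO invoice (customer_ssn, amount_cents) VALUES (?, 4999)", (ssn,))
    try:
        with db:
            db.execute("UPDATE customer SET ssn = ? WHERE ssn = ?",
                       ("erased-" + uuid.uuid4().hex, ssn))
        return True
    except sqlite3.IntegrityError:
        return False  # invoice rows still carry the old SSN


def erase_with_surrogate_key(ssn: str):
    """Null the SSN in schema B; returns (ssn left, invoices still linked, name+DOB hits)."""
    db = open_db(SURROGATE_KEY)
    cid = str(uuid.uuid4())
    with db:
        db.execute("INSERT INTO customer VALUES (?, ?, ?, ?)",
                   (cid, "Pat Example", "1970-01-01", ssn))
        db.execute("INSERT INTO invoice (customer_id, amount_cents) VALUES (?, 4999)", (cid,))
        db.execute("UPDATE customer SET ssn = NULL WHERE id = ?", (cid,))
    ssn_left = db.execute("SELECT ssn FROM customer WHERE id = ?", (cid,)).fetchone()[0]
    invoices = db.execute("SELECT COUNT(*) FROM invoice WHERE customer_id = ?",
                          (cid,)).fetchone()[0]
    hits = db.execute("SELECT COUNT(*) FROM customer WHERE name = ? AND dob = ?",
                      ("Pat Example", "1970-01-01")).fetchone()[0]
    return ssn_left, invoices, hits


if __name__ == "__main__":
    print("SSN as key, erase succeeded:", erase_when_ssn_is_key("000123456"))
    print("surrogate key, after erase: ", erase_with_surrogate_key("000123456"))
```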
Re:Broken by design. (Score:4, Interesting)
Some companies keep it even if you die! (Score:3, Interesting)
"Also, SSNs don't expire, so you get off their list if you die. "
This is not necessarily true. My mother died in the year 2000 and we still occasionally get in the mail offers from a company that kept her SSN. We told them she is dead but they keep sending stuff anyway. We've given up and are willing to let them continue to waste their money.
Re:Something I've considered... (Score:3, Interesting)
> (something similar to md5 but which is guaranteed to be unique).
No such algorithm is guaranteed to be unique, because it's lossy. It's the same reason you can't zip and rezip a 100 MB file down to 1 byte. There are only a certain number of combinations that you can fit in 32 bits, and eventually you're going to get collisions. This is for any hash, not just MD5. It's not possible to make a hash function that doesn't have collisions. The only reason they're an issue for security is that vulnerabilities can make those collisions predictable. Collisions aren't a security risk. Predictable collisions are.
But let's think about your "irreversible algorithm" idea:
An SSN is a 9 digit number. That's a maximum of 1 billion SSN numbers across the country.
If this "standard method" uses an algorithm that's publicly known (and it wouldn't be a standard if it didn't) then someone simply needs to do:
x = 0
while (x < 1000000000)
{
    // one lookup-table entry per possible 9-digit SSN
    store_data(perform_algorithm(x))
    x++
}
and they've got a lookup table for the encrypted data.
A billion calculations won't take long, even on a single computer. Let's say it takes 1 second (a horrendously complex hash) to calculate this hash for a given number. That's a billion seconds. It would take only 31 years to calculate the entire SSN keyspace, on that single machine.
Get 60 machines doing it, and you've got it in 6 months.
What criminal gang wouldn't do this, since it would give them access to "encrypted" identity theft information for...well....ever?
Now, to give you an idea of how complex that 1 second hash is, to determine a WPA-PSK key from a passphrase involves 4096 iterations of the hash function. This is for a single key. I tested performance on an old 400MHz Pentium 2, and it calculated about 10 keys per second. So that's 40,960 hashes per second, for a standard hash. 1 hash per second on a current machine would be unbelievably slow.
If the hash used were similar in performance to HMAC-SHA1 used for WPA-PSK, it would take that 400MHz machine not quite 7 hours to calculate the entire encrypted data value for every SSN in the USA.
I don't know what driver's licence numbers are like in the US, but in Canada (Ontario) they're a letter followed by 14 digits. That makes the entire keyspace 2600 trillion possibilities. That increases the possibilities quite a bit, but current computers are exponentially more powerful than the 400MHz PII I tested on.
A current machine can do more like a million hashes per second, or more.
Get a couple of dozen machines working on this, and you'll have usable data sooner, rather than later.
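The enumeration argument in the comment above, as an added example that is not part of the thread: it tests a stored SSN digest the way a defender would check their own pseudonymization scheme, then shows that a keyed HMAC resists the same check unless the key is known. SHA-256 and HMAC-SHA256, the function names and the sample value (area number 000, never issued) are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Optional

# Constructed sample: area number 000 is never issued, so this is not a real SSN.
SAMPLE_SSN = "000123456"


def plain_digest(ssn: str) -> str:
    """Unkeyed, publicly known hash (SHA-256 stands in for the proposed algorithm)."""
    return hashlib.sha256(ssn.encode()).hexdigest()


def keyed_digest(ssn: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key kept outside the database (assumed: a KMS or HSM)."""
    return hmac.digest(key, ssn.encode(), "sha256").hex()


def recover(stored: str, digest: Callable[[str], str], area: str = "000") -> Optional[str]:
    """Try every serial in one 3-digit area block (10**6 of the 10**9 values).

    Returns the SSN whose digest equals `stored`, or None if nothing matches.
    """
    for n in range(1_000_000):
        candidate = f"{area}{n:06d}"
        if digest(candidate) == stored:
            return candidate
    return None


def hours_for_full_keyspace(sample: int = 200_000) -> float:
    """Time `sample` unkeyed digests and extrapolate to all 10**9 nine-digit values."""
    start = time.perf_counter()
    for n in range(sample):
        plain_digest(f"{n:09d}")
    per_digest = (time.perf_counter() - start) / sample
    return per_digest * 1_000_000_000 / 3600


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # 256-bit key: too large to enumerate
    leaked_plain = plain_digest(SAMPLE_SSN)
    leaked_keyed = keyed_digest(SAMPLE_SSN, key)

    print("unkeyed digest reversed to:", recover(leaked_plain, plain_digest))
    print("keyed digest, key unknown: ", recover(leaked_keyed, plain_digest))
    print("keyed digest, key holder:  ", recover(leaked_keyed, lambda s: keyed_digest(s, key)))
    print(f"full keyspace on this machine: about {hours_for_full_keyspace():.2f} hours")
```

The keyed digest is still deterministic, so the key holder can match records on it; its protection rests entirely on the key staying out of the database dump.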
Re:Something I've considered... (Score:4, Interesting)
> so I politely suggest a different number, or insist on only giving 3-4 digits of it.
I tried this once with Verizon. I was signing up for a new account, in person, at the Verizon store. They wanted my SSN, and I told them I wouldn't take the account if I had to give that out.
They said no problem. The salesman called their credit dept, and handed the phone to me. They asked my name & address, and asked for the last 4 digits of my SSN.
They were searching some database - they found me by last name & address, and they only wanted the last 4 digits to verify that they found me. And I am sure they put my SSN into my account while I was on the phone.
I don't think it helps to keep SSN's from these businesses . . . they can grab them without needing to get them from you.
Re:Ugh, DirecTV should just go away (Score:3, Interesting)
When I set up my utilities, they all asked for my SSN.
The gas company and the phone company both told me that providing it was optional. BUT, if I didn't provide it, they would not run a credit check on me, and so would require a $250 cash deposit (interesting that both companies had $250 as the deposit amount) before connecting service, to remain in their possession until I canceled service upon moving out.
I was glad that I had the option, and I thought it was most honest and upfront of them to tell me my choices.
I elected to let them run the credit check, but I appreciated having the option.
I fought the good fight (Score:3, Interesting)
I fought and resisted and refused and was greatly inconvenienced for many years over the SSN issue. I don't think it started with businesses; I think the government first started abusing it.
When I went to get my first drivers license in 1986, I brought my scored test and driving evaluation to the little booth where they bundle your info together and take your photo. Way back then, you had to wait a couple weeks for them to mail it to you. Prior to that, oddly, they just gave you the card. I heard the DMV worker tell one guy that they are "going computerized" and the reason for the delay was the data entry process. This new system used your SSN as your drivers license number. I wasn't thrilled about that.
Part of the application had a big area on the top for your SSN. I left mine blank. In the instructions they mention (in the fine print) that you can get an alternate number, which is what I wanted to do. I get to the counter and the guy throws a major fit. No joke. He loudly asks why I haven't bothered to fill in my SSN, and I ask for the alternate number. He goes on and on, telling me that I'm holding up the line, to "just fill in your damn number like everyone else" and so on. We have about 15 minutes of this back and forth until in a huff he throws me the little additional paper I need to fill out to ask for an alternate number.
The guy called me a nut, the people stared at me like I was insane. But using a SSN as a license number is a horrible idea. It was later scrapped, too.
When I moved to California in the late 90's the situation was even worse. I was told I not only needed to provide my SSN, but also a thumbprint before I could get a license. I politely mentioned that SSNs weren't allowed to be used as personal identifiers, and asked what my options were. Apparently not a new topic there, as the very bored lady rolled her eyes and muttered "Your other option is to not drive in California". And that was it.
Once the government starts doing this, people get the notion that they can do it in their business as well. I tried to rent an apartment once and refused to hand over my SSN. I was unable to rent the apartment. When you get a phone, or cable service, they ask for an SSN. Anything involving a credit check will involve them asking for an SSN, and you can get around it, but it makes things harder. I fought it for years and years, but in the end realized it was futile.
It's become so commonplace that refusing to hand over an SSN makes you look like a whacko in many people's eyes. Which is really sad.
California has had a law since 2002 that requires any business holding personally identifiable information to disclose any security breaches regarding that info to anyone possibly affected. Businesses screamed holy hell when it was enacted. I've seen first hand how worked up people get when you provide them with a list of people they are forced to notify. I know how much all those letters cost to mail. A federal law like that would be a good thing. But I think the genie is out of the bottle.
-B
Re:Identity Theft is a crime. (Score:5, Interesting)
Your name will show up as an Alias on their credit report and your address will show up as a former/current place of residence. Then, later, if your house is being foreclosed, it may affect their ability to get a loan or sell their house.
I used to write mortgage software and credit report retrieval software and I have seen this exact situation, probably from someone giving out a "fake" SSN for privacy reasons, although we had no idea why this other information was on the report (maybe a transposed SSN).
Anyway, you can have a negative effect on others by doing this.
Re:Something I've considered... (Score:3, Interesting)
Sorry to break it to you, my passive-aggressive Canadian friend, but you're wrong. This has nothing to do with the reasons that SSNs have become a prevalent form of identification.
In the past, US states had a far larger measure of autonomy than they do today, and were unwilling or unable to exchange information with each other. Even things like mailing addresses were and are non standard -- most of Brooklyn in NYC has a mailing address of "Brooklyn, NY", while in Queens, NYC, mailing addresses are the names of the original towns! (Maspeth, Flushing, Astoria, etc)
One side effect of this was the US Banks and other institutions were local or regional. (Which is why US banks have generally been smaller than European banks, which are national banks) This was fine until the early 20th century, because people tended to stay in the same area. But in the post-WW1 era, people became more mobile, which led to problems.
If you had lots of debt and bounced a bunch of checks in New York, you could set up shop in Virginia and essentially start with a clean slate. Or if you lost your driver's license in New York, you could get one in Vermont, etc. The SSN was really the only way to establish that Frank Smith in NY who bounced a check or had a criminal record was the same Frank Smith in Virginia.
Today, computers and interstate compacts are linking state records, so a speeding ticket in Maine is known to cops in California. Most border states also have compacts with Canadian provinces, because US truck drivers would get Canadian drivers licenses after getting DWIs in the US. (and vice versa).
Today, a business can protect itself against fraud in many cases without an SSN. But this was not the case in the past, and past practices take a long time to fade away.
Re:PIPEDA (Score:3, Interesting)
The privacy act (federal legislation) [priv.gc.ca], is a pretty interesting bit of work. Applies to everyone, no matter what. Applies to all levels of government, law enforcement and the rest. If businesses want something they have to grovel for it, if you want it removed they have to do it. If the police want something, they have to show just cause (which can make it really hard to get some types of warrants). Then there's provincial legislation as well, which builds on top.
Personally I'm quite happy with it. Now if we could just get some of our regulatory bodies working as well as the privacy commissioner we'd be doing better in other areas.
Re:Broken by design. (Score:3, Interesting)
pollute the datastream! (Score:5, Interesting)
One should be careful giving out fake SSNs, as you may be accused of attempted identity theft or fraud or whatnot. But, who's to say you or some data entry person didn't make a mistake and mistype one of the numbers, or transpose two of the numbers? Looks like an innocent mistake, I say! If you do it consistently enough, you can even use the excuse, "God, that typo has been following me around forever!"
I'm just sayin'.
I also use my old phone numbers and addresses for those who require such information. "Oh, that's my _old_ number!" :)
Re:Something I've considered... (Score:3, Interesting)
Sure, these can be done fairly easily. One of the most common types of fraud I encountered was where a parent would take credit out in the name of their own child. The parent figures they're in the clear, and denies responsibility when it comes time to pay. Meanwhile the child may not find out until they turn 18 years and suffer a bad experience. I had many instances where I would get hold of someone around 18-20 years old and tell them what was going on.
It's a terrible position to be in, you're 18 years old, quite possibly still living at home, and discover that your own mother or father took out 10-20 thousand dollars worth of debt in your name. The way the law works is that you are not responsible for fraud ($50 limit can apply in some cases) as long as you file a fraud report. The net result of this is you end up with a kid in the position of having to file a fraud report with the police knowing that their own parents could go to prison. It's a terrible position to put someone in, but without the fraud report and police report there is nothing that can be done.
These things can also apply in situations where someone has "no credit". Typically a person with no credit still has credit, even if they have never taken out a loan. You would have records from getting a checking account, paying your utilities (this is becoming far more common and will soon be standard practice), renting an apartment, cell phone and so on. Even if you had none of the above (you use cash only) you would discover that many creditors will give someone with no credit a $2-300 credit line regardless.
A determined identity thief will even build up your credit on your behalf, paying the small bill over a course of a year or two until they can get your credit improved to the point where you start qualifying for $1000+ credit on credit cards. In essence they pay some of your bills they give you on your behalf until such time as they can walk out on several thousand dollar plus credit accounts. By all means, even someone with no credit should monitor their credit report (even if only the annual credit report you get for free).
Re:Identity Theft is a crime. (Score:3, Interesting)
Providing a false SSN is *not* identity theft when it's the only fictitious information given, and I challenge you to show where someone has been prosecuted for it.
Re:Broken by design. (Score:3, Interesting)
> so I gave them a fake one.
And I've done the same thing. The SSN is used by the medical records companies that are operated similar to credit bureaus. As with credit bureaus, the SSN is not the primary method of ID, but it helps sort out people with the same name. Medical records are far more detailed than your credit history. You'd be amazed what's in them.
Create a corporation (Score:4, Interesting)
That will give you a tax number you can provide for all these services that seem to require one. Also, if the corporation's identity somehow gets stolen, well, you just trash it and get a new one. It's not the cheapest option available, but it will at least keep your personal information private.
Just an idea.
-Restil
Re:Why did you give DirectTV your SSN? (Score:2, Interesting)
Re:Bad news. XD (Score:3, Interesting)
At one time one was not supposed to use the SSN for anything not involving the Social Security Administration. That was a long time ago. I was told that it was originally illegal, but I don't know that this was really so.
N.B.: This was specifically the SSN. Don't generalize it to other kinds of data, which have largely never been regulated.
Re:Something I've considered... (Score:3, Interesting)
Re:Bad news. XD (Score:3, Interesting)
Who is it impossible with?
Cable? They don't have my SSN.
Cellphone? They don't have my SSN
Power? They don't have my SSN
Insurance? They don't have my SSN
Not impossible...some want a deposit, I do that...I get it back usually within a year.
Right now..only ONE utility I have has it..the water dept...and I verified that their system is so old and antiquated, that they cannot put anything in the computer without it. That is the one time I've relented in almost a decade, and I've been fighting this fight for like 20 years...it is MUCH easier now, you just have to be a bit adamant and fight for it sometimes, but it is much easier now than it used to be, believe me.
I ONLY give mine out for SSN taxation reasons, and the like. I've had my identity stolen twice, and usually when I explain that...they relent and find a way around it...