How Face Recognition Can Uncover SSNs

nonprofiteer writes "Building on previous work showing that social security numbers are not random, CMU researchers ran experiments in which they predicted students' social security numbers after taking a photo of them with a cheap webcam. Using off-the-shelf facial recognition technology and data-mining publicly available Facebook photos and profile information, they were able to come up with the social security numbers of several of the students. (More impressive, as they note that 60% of the students were foreign, and had no SSNs, leaving them a pool of less than 50)."

want to see something really scary?

[alphatel]

90% of Americans don't care if you know anything and everything about them, are invading their privacy, tracking their behavior or identifying their SSids. They latch onto kitch phrases like "The government owns Facebook" but they don't really understand what their personal and private freedoms are worth.

Re:want to see something really scary?

[SQLGuru]

Actually, it's the fault of the banking industry for comandeering a government number for a purpose other than what it was intended. An SSN was not supposed to be a unique identifier for anyone other than Uncle Sam as they go to collect Social Security tax money and then pay it back out.

Re:But SSNs aren't identifiers!

[kbolino]

The SSN was never intended as a means of identification initially, but:

1. When a system of identification was needed, the SSN system was already in place;
2. In theory, SSNs have a 1:1 person-to-number correspondence, unlike other forms of identification (name, birthplace, birthdate, etc.);
3. Without such a system, the government would perform much more invasive checks for things like employment, voting, and banking.

So either you accept that the government shouldn't be doing such things (so "illegal" immigrants can work, dead people can vote, and terrorists can open bank accounts, e.g.) or you recognize that SSNs are the lesser of two evils.

That doesn't mean there couldn't be a better system, but such a system would invariably require the government to keep even more information about its citizens.

Re:want to see something really scary?

[TheRaven64]

The problem is not using the SSN as a unique identifier (well, that's not the only problem - the fact that they're not actually globally unique makes that a bit of a problem too), it's using SSNs as proof of identity. Banks tend to assume that if you know someone's SSN, then you are that person, in spite of the fact that the SSN is public information. It's like designing an system where you can log in with a username and no password - and usernames are prepended to every message.

Re:Roundabout...

[Jahava]

I find this article title to be silly.

What they do is use facial recognition to match people to their Facebook profile, then use the details stored there to obtain the SSN.

Up next:

- How names and surnames can Uncover SSN - How giving people your email address can Uncover SSN. - How running a facebook search can Uncover SSN

Researchers demonstrated a clearly fatal flaw in SSNs. They have shown beyond a shadow of a doubt that the current SSN system is unsuitable for usage. They did this years ago ... and nothing has changed. It's not a political talking point. There's no proposed solution sweeping in to correct the problem. SSNs still are the gateway to every American's private information, and there's no sign that this will stop being the case, despite clearly-fatal flaws.

I welcome anything that makes this scary enough for people to demand that SSNs be immediately deprecated. This article is just the same researchers shouting louder, but the system does need to change.

Re:want to see something really scary?

[PatHMV]

Mod parent up. TFA says: "the social security number system has a huge security flaw — social security numbers are predictable if you know a person’s hometown and date of birth."

We should read that as sounding as absurd as: "the phone numbering system has a huge security flaw -- phone numbers are discoverable if you know a person's name." This was NOT a design flaw. Nobody, as best I can tell, ever thought, when designing the system, that an SSN should be treated like a PIN, a number known only to the individual, where knowledge of the PIN is considered strong evidence of the identity of the person.

The single best thing which could be done for security at this point is to publish a nation-wide database of all SSNs matched with the names registered to those SSNs, to totally destroy the idea that SSNs should be "secret" identifiers.

The SSN exists to establish that we're identifying the John Doe who was born to Jim and Jane Doe on January 1, 1972 in Madison, Wisconsin, rather than the John Doe who was born on January 8, 1963 in New York City, or the John Doe who was born to Bill and Joan Doe on January 1, 1972 in Madison Wisconsin. It is an identifier, not a PIN.

I'd like a good class action lawyer to consider a nice lawsuit against any creditor who acts on the assumption that somebody who knows a person's SSN must be that person, or authorized by that person to take action on their behalf.