Pendulum Swinging Toward Privacy

netbuzz writes "The New York Times reports this morning on a gathering movement to remove Social Security numbers from online public records. While justifiable, given the reality of and concerns about identity theft, it also doesn't take much to imagine how such concerns will be abused by public officials who are strapped for cash and/or ethically challenged."

So What?

Snohomish County, Wash., for example, said Wednesday that 61 types of documents, including tax liens and marriage certificates, would be blocked. (The documents are supposed to remain public at courthouses or state offices.)

Just because the records are 'offline' doesn't mean that the information in them is any safer.

Or is security by obscurity "good enough" in this case?

Re:So What?

The problem has never been that SSNs were widely known. Giving everybody a unique piece of information that can distinguish this John Smith from that John Smith is a very practical method.

The problem is that knowing your SSN is considered proof of identity.

This is equivalent to:
"Hi, I'm John Smith"
"Prove it"
"J-o-h-n S-m-i-t-h"
"Well, that's good enough for me...here's your new credit card".

I think the cleanest solution would be a statement from the government like this:
"Social Security Numbers are no longer to be used as a form of authentication. They are for identification purposes only. To ensure this state of affairs in the future, we will on January 1, 2009 publish all SSNs with the full names of the people to which they are assigned. After this date, any person or company found relying on SSNs as proof of identity will be solely and completely responsible for all damages from fraud and 'identity theft' occuring as a result of such idiocy. We are not mandating a specific method of proper authentication, nor are we establishing a national clearinghouse for such. All we are doing is telling you to get off your asses, incorporation some real security, and stop running your businesses like complete fucking retards"

Security through economics

Door locks, armored cars, fences and alarms don't prevent crime, they raise the cost (including risk) above the benefit.

Same here. An SSN has some market value. Cheap automated harvesting is profitable. Driving to a courthouse and copying by hand almost certainly isn't. No profit, no mass crime. The threat is then reduced to stalkers and private detectives.

Doesn't Matter

The SSN is for my social security benefits, not my dammed identification. If they want to make a national identification number (after debating the pros and cons of such) later than that is fine. But to use the SSN for purposes that it was not intended for is foolish at best and dangerous at worse. One day I actually may have to claim those benefits (sad, as that may be), and don't want it tied into or tied up by any company's Bull****.

Re:Doesn't Matter

The problem isn't that SSN are used as public identifiers -- having another public identifer would just shift the problem to that number instead of your SSN. And it's unlikely that having a stolen SSN would actually affect your ability ot make SS claims anyway, at least not for very long.

The problem is that your SSN is both a public ID and a secret used to validate that ID. So long as a single bit of information is used as both the public and private bits of that equation there's no way to solve this problem no matter how many ID numbers you generate.

Would is really be so hard to require that new credit accounts can only be issued with a notarized signature? Notary publics are intended to serve just this kind of purpose -- to validate that a particular person really did execute an agreement. It's pretty easy to find a notary public even in rural areas, and they don't report their specific activities to the government, so there's aren't a lot of big-brother concerns with respect to having your documents notarized. Seriously, this seems like a problem we solved 100 years ago.

Re:Doesn't Matter

If you have a old SSN card like mine it says on the bottom

FOR SOCIAL SECURITY AND TAX PURPOSES-NOT FOR IDENTIFICATION

This is from about 1970ish.

Gathering? Been happening for over a decade

In the 1990s health care plans, universities, and others stopped using SS#s as identifiers out of privacy concerns.

In the last 15-plus years, some public records have also changed identifiers, been removed from the public records, or had SS#s redacted for the same reason.

The pendulum may be moving faster now but the swing began long ago.

But will universities/ follow suit?

At the university I went to the student ID was the social security number, and since that is used with credit companies and businesses for tax reasons, its still a problem. Heck, even standardized tests where TAs were grading, they used SS#s. This is a step in the right direction, but its only the first one.

Re:But will universities/ follow suit?

I was taking a part time college class at a Junior College several years ago. The students social security number was printed on the class schedule that each student carried around with them on the first day of class. On the first day, there were misplaced class schedules laying on the ground and on desks all around the campus. Nobody seemed too concerned. I don't know if the local junior college still does that or not.

Back in the 1970's, I got an Arizona drivers license shortly after moving to Arizona. Back then, by default, they would use the social security number as the drivers license number unless the applicant specifically asked them not to. My social security number was on my drivers license for over 30 years. ATM machines did not yet exist in grocery stores or small shops, so checks were typically used to pay. When cashing a check they would typically ask for a drivers license and write the drivers license number on the check. Over a few decades, that would be thousands of checks, per person, with the social security number on them. A few years ago, I went over to the department of motor vehicles and had them change my drivers license number to something other than the social security number.

For many years, the envelope for my monthly medical insurance bill always asked me to write my account number under the return address on the outside of the envelope. My account number was my social security number and I always hated having to write that on the outside of the envelope. They finally stopped using my social security number as my account number a few years ago and also stopped asking me to write it under the return address on the outside of the envelope.

A few decades ago most people also kept their social security card in their wallet. Some people still do, even though wallets are frequently lost or stolen.

For many years, identity theft was very rare and there was very little effort to keep social security numbers secret. So after decades of not keeping them secret everyone is now being told that they need to keep them secret. Who's idea was it to start using something that had never been very secret for identification purposes? Knowing a social security number or a mother's maiden name should never have been considered to be proof that someone is who they say they are.

Fortunately, I have never been the victim of identity theft other than one minor instance of having one fraudulent charge on a charge card a few years ago.

stupid

so now records which were easily identifiable will be obscure and hard to locate

oh yeah, right, this is always a good thing. because what the city hall of tacoma washington is used for is the fascist illuminati overlords attempting to turn you into slaves. not, you know, trying to buy land or registering a marriage certificate. you know, mundane every day things you WANT to be easy and painless. clearly, we have to worry about our irrational fears of being controlled by bogeymen from bad hollywood movies we watch and take as the truth of existence. pffft

make your choice slashdot: a "cash-strapped", as you say, municipality that can function for you because records are easy to locate, or one that... drum roll please... is like pulling nails out of your nailbed everytime you just want to buy some land or get a divorce

leave the social security numbers on the documents, please

the privacy above all costs idiots here on slashdot make me want to puke

bolt of lightning for some of you: there are actually real world limits on privacy... that make sense

REALLY

Re:stupid

>leave the social security numbers on the documents, please

Believe me, that muncipality is going to be even more cash-strapped if and when they have to pay for all the damage they cause by publishing SSNs.

What about other identifiers?

This is all good for SSNs, but what about other personal identifiers?

I'm tired of my local priest asking to see my penis for identification.

SSN is an account number

My Social Security Number (SSN) is an account number. Why is it used by so many companies as a form of authentication? It's simply a string of numbers indicating where money is stored for social security benefits. The ignorance of companies in relying on this single number as a form of identification and authentication is what has caused this problem. I should feel free to give out my SSN to anyone. It's not a password and should never have been USED as one PERIOD.

Re:SSN is an account number

It's simply a string of numbers indicating where money is stored for social security benefits.

There's no money stored anywhere. Social Security is a "pay as you go" system, and any excess funds are replaced with Treasury Bonds (IOUs from the taxpayers to fund Social Security in the future). At some point, the tax needs of repaying those bonds, as well as covering new retirees will exceed the ability of the workforce to pay - unless a significant change in the system is enacted.

Right...

public officials who are strapped for cash and/or ethically challenged.

Right. Aren't all public officials strapped for cash and/or "ethically challenged?"

Ther is a much much better way

Get rid of the stupid number, and the ponzi retirement scheme that comes with it. It may make it harder for the government to track my finances, well boo hoo hoo I think I'm going to cry.

all the eggs in one basket

this is exactly where having everyone's data in the same place is a problem. the government should invest in monitoring the access and controlling who can do what with it. queries should be controlled, and mechanisms have to be put in place to ensure that no user can extract too much data in a short period of time. i'm not in a position to suggest exactly how that should be implemented in the office as i do not work there, but i can see how organisations without access controls can easily be abused.

Blah blah blah

Why doesn't someone grow a pair testicles and forcibly tell all the businesses in the world that your SSN is not secret. It is not to be used as a strong credential. Treat it just as fucking public as something like your name. If the law said, it's not secret and any business that uses it as "proof" of someone's identity has to bear the burden of any losses that business incures. If they sign a contract with some scam artist and that person takes off with a brand new ferarri, too fucking bad, they can't come after the person who's name was used. They can't file a bad credit report.

Hey Jedediah! Hand me that arc welder!

I dun got this barn door nailed pretty darn shut, but I wanna weld it and and sink it in concrete, just to be sure. That horse may already be outside the barn but I fer gol dern sure don't want him to get any MORE out.

We're All Gonna Die!

All this hinges upon peoples' perception of "safety". I usually do not watch network TV, but last night I accidentally caught something by John Stossel wherein he was talking about relative safety. In this group we're pretty sophisticated (mod me up, pandering to the audience) but the average slob/pleb/6-pack Joe gets his info from mainstream TV.

Aside from providing big muscle to win good wars, make good entertainment and do the manifest destiny thing, the US is pretty good at mobilizing its citizens for the good fight.

Please don't let us down, America.

Regards from your younger obscure brother,
Canada

pendulum of privacy

The headline initially had me intrigued thinking that the USA Patriot act or some portion of it had been struck down as unconstitutional, or maybe that ISPs were refusing to do the RIAAs dirty work by not sending threatening letters for them. However...

nothing to see here, move along....

The solution to your problem: SIN!

What needs to be done is to prevent companies from requiring SSNs unless absolutely required. Just above you, in the land of the sensible, Social Insurance Numbers [wikipedia.org] have been like that for a while:

Unless an organization can demonstrate that the reason they are asking for a person's SIN is specifically allowed by law, or that no alternative identifiers would suffice to complete the transaction, they cannot deny or refuse a product or service on the grounds of a refusal to provide a SIN. Examples of organizations that legitimately require an SIN include employers, banks and investment companies, and federal government agencies. Giving an SIN when applying for consumer credit, such as buying a car or electronics, or allowing it to be used as a general purpose identification number, such as by your cable company, is likely a bad idea.

And now, thanks to the lovely PIPEDA [wikipedia.org], this is true for any personal information. Obviously if you're at a resort trying to rent a bike or something and they refuse, you're not going to leave and write the privacy commissioner, but next time you'll make it better for everyone, and maybe even educate someone and/or make their business more efficient.

It's sort of surprising that Congress hasn't gotten off its ass and done something about this. (Well, they have [com.com], just not enough of them.)

On second thought, it's not.

Re:Que?

...Cockroaches don't have SSNs...