Pendulum Swinging Toward Privacy

netbuzz writes "The New York Times reports this morning on a gathering movement to remove Social Security numbers from online public records. While justifiable, given the reality of and concerns about identity theft, it also doesn't take much to imagine how such concerns will be abused by public officials who are strapped for cash and/or ethically challenged."

So What?

[TubeSteak]

Snohomish County, Wash., for example, said Wednesday that 61 types of documents, including tax liens and marriage certificates, would be blocked. (The documents are supposed to remain public at courthouses or state offices.)

Just because the records are 'offline' doesn't mean that the information in them is any safer.

Or is security by obscurity "good enough" in this case?

Re:

[ScrewMaster]

Yes, well, at least that cracker with the .ru TLD won't be able to grab a couple hundred thousand such records all at once. Not so much security-by-obscurity as it is security-by-inconvenience.

Re:So What?

[paeanblack]

The problem has never been that SSNs were widely known. Giving everybody a unique piece of information that can distinguish this John Smith from that John Smith is a very practical method.

The problem is that knowing your SSN is considered proof of identity.

This is equivalent to:
"Hi, I'm John Smith"
"Prove it"
"J-o-h-n S-m-i-t-h"
"Well, that's good enough for me...here's your new credit card".

I think the cleanest solution would be a statement from the government like this:
"Social Security Numbers are no longer to be used as a form of authentication. They are for identification purposes only. To ensure this state of affairs in the future, we will on January 1, 2009 publish all SSNs with the full names of the people to which they are assigned. After this date, any person or company found relying on SSNs as proof of identity will be solely and completely responsible for all damages from fraud and 'identity theft' occuring as a result of such idiocy. We are not mandating a specific method of proper authentication, nor are we establishing a national clearinghouse for such. All we are doing is telling you to get off your asses, incorporation some real security, and stop running your businesses like complete fucking retards"

Re:

[Anonymous Coward]

The problem is not that SSN's are used for authentication, which I'm not even sure is true.

The problem is that it's used as a primary key for me. You can use it to link together all sorts of information about me. Publishing all SSN's just makes this problem worse.

Re:

[paeanblack]

The problem is that it's used as a primary key for me. You can use it to link together all sorts of information about me. Publishing all SSN's just makes this problem worse.

The alternative is everybody rolling their own, which commonly leads to one agent's primary key being another agent's authentication factor. This gives anyone with access to both data sets the means to impersonate you.

Re:

[mikael]

There was story some time ago in Canada, about some tenants who managed to sell the house they were renting to a third party. This sale was achieved through a dodgy notary (apparently he was responsible for authenticating ownership, which he didn't bother to do). The consequence was that two mortgage payers (the landlord and the people who 'bought' the property) ended up having to go to court in order to decide ownership of the house. I didn't keep up with this case, but who have liked to know who won.

Re:

[jfengel]

Government statements don't usually use phrases like "complete fucking retards", but it seems warranted in this case. It's offensive that a company would give a loan to somebody just because they know my SSN and then have the audacity to come to me for the money.

Re:

[mpe]

The problem has never been that SSNs were widely known. Giving everybody a unique piece of information that can distinguish this John Smith from that John Smith is a very practical method.

Even then it's only intended for certain purposes. If a school needs to distinguish between two students with the same name it's really up to them to work out how to. Ditto for a bank with several customers having the same name.

Security through economics

[Beryllium Sphere(tm)]

Door locks, armored cars, fences and alarms don't prevent crime, they raise the cost (including risk) above the benefit.

Same here. An SSN has some market value. Cheap automated harvesting is profitable. Driving to a courthouse and copying by hand almost certainly isn't. No profit, no mass crime. The threat is then reduced to stalkers and private detectives.

Re:

[caluml]

Door locks, armored cars, fences and alarms don't prevent crime, they raise the cost (including risk) above the benefit.

I'd never thought of it like that. Insightful.

Doesn't Matter

[MBC1977]

The SSN is for my social security benefits, not my dammed identification. If they want to make a national identification number (after debating the pros and cons of such) later than that is fine. But to use the SSN for purposes that it was not intended for is foolish at best and dangerous at worse. One day I actually may have to claim those benefits (sad, as that may be), and don't want it tied into or tied up by any company's Bull****.

Re:Doesn't Matter

[profplump]

The problem isn't that SSN are used as public identifiers -- having another public identifer would just shift the problem to that number instead of your SSN. And it's unlikely that having a stolen SSN would actually affect your ability ot make SS claims anyway, at least not for very long.

The problem is that your SSN is both a public ID and a secret used to validate that ID. So long as a single bit of information is used as both the public and private bits of that equation there's no way to solve this problem no matter how many ID numbers you generate.

Would is really be so hard to require that new credit accounts can only be issued with a notarized signature? Notary publics are intended to serve just this kind of purpose -- to validate that a particular person really did execute an agreement. It's pretty easy to find a notary public even in rural areas, and they don't report their specific activities to the government, so there's aren't a lot of big-brother concerns with respect to having your documents notarized. Seriously, this seems like a problem we solved 100 years ago.

Re:

[Yoweigh116]

Mod up this post's parent, please. Sacrificing the security of your financial identity in exchange for a little bit of convenience is absurd.

Re:

[mkoko]

Would is really be so hard to require that new credit accounts can only be issued with a notarized signature?

Say goodbye to online applications, applying over the phone, etc. Now the credit card business is making less money than it was before.
And they won't like that.

Re:

[profplump]

You can still apply online, the account just isn't active until they get their notarized copy of your acceptance.

By the time they've approved you for credit paying an extra couple of dollars to actually open the account is no problem -- it's not like they have to process notarized paperwork at the pre-approval stage.

Notarization

[Beryllium Sphere(tm)]

>Would is really be so hard to require that new credit accounts can only be issued with a notarized signature?

Credit is a drug. Drug pushers don't want anything to slow down their chance to get money from a desperate customer.

Credit issuers make lots of money from both legal instant credit and from lending to crooks and collecting from fraud victims.

Your suggestion is good security, good policy, and will be blocked by intense lobbying. (Also vulnerable to the forged ID problem, since that's what notaries

Re:

[profplump]

Notaries are, of course, still subject to fraud, just like anyone else. But they're a lot less subject to fraud then someone who just asks for your ID number.

If you're vicimized because of mistake by a notary you can take action against them -- in most places they're required to be bonded and are strictly liable up to several thousand dollars.

Re:

[maxume]

If notaries were expected to authenticate credit applications, and they were regularly held liable for mistakes, they would start charging a great deal more.

It seems like a good idea to make sure that companies that issue cards to the wrong person are responsible for the consequences of that action. They will just pass the cost on to their customers, but they are also the only ones who are in a position to do anything about it. For the most part, if somebody decides they are going to impersonate me, there i

Re:

[Phoobarnvaz]

Would is really be so hard to require that new credit accounts can only be issued with a notarized signature? Notary publics are intended to serve just this kind of purpose -- to validate that a particular person really did execute an agreement. It's pretty easy to find a notary public even in rural areas, and they don't report their specific activities to the government, so there's aren't a lot of big-brother concerns with respect to having your documents notarized. Seriously, this seems like a problem we

Re:

[BlueItalian]

I don't understand the mechanism that allows identity theft in the USA. There's no such thing in any european country of my knowledge, and frankly I don't understand why the idea of a national ID with a picture on it to certify who you really are is so scary to you and the english. How is it possible for someone to impersonate someone else in the USA by simply using their SSN?

Re:

[JimBobJoe]

There's no such thing in any european country of my knowledge, and frankly I don't understand why the idea of a national ID with a picture on it to certify who you really are is so scary to you and the english. How is it possible for someone to impersonate someone else in the USA by simply using their SSN?

The problem is not the lack of an identity card (and I happen to disagree with the parent posters that somehow the point of failure is that the SSN is used both as an identifier and password.)

The problem i

Re:

[Kadin2048]

Mod parent up. That identity theft is (apparently/allegedly) less common in Europe has nothing to do with identity cards, and identity cards would not do anything to curb identity theft in the US. Actually, I could think of a few ways in which they'd probably make it worse.

I suspect that the prevalence of identity theft / fraud here, is mostly the result (as the parent suggests) of shady creditors' practices of extending large amounts of credit to people more or less anonymously -- on nothing except their n

Re:

[profplump]

I agree that there would be less reward for fraud if credit were harder to obtain. But are you really suggesting that we do something to make it complicated to obtain large amounts of credit? I could never run my business without having access to at least $25k in credit -- you try selling someone a whole set of new computers and making them pay before you even order (let alone deliver) the equipment.

And in either case, wouldn't you like to know that someone can't take out a mortgage in your name without doi

Re:

[mpe]

The problem is that your SSN is both a public ID and a secret used to validate that ID. So long as a single bit of information is used as both the public and private bits of that equation there's no way to solve this problem no matter how many ID numbers you generate.

If anything declaring SSNs "private" is likely to make the problem worst as more fools will think it is secure in some way or other.

Re:Doesn't Matter

[nsaspook]

If you have a old SSN card like mine it says on the bottom

FOR SOCIAL SECURITY AND TAX PURPOSES-NOT FOR IDENTIFICATION

This is from about 1970ish.

Re:

[Attila Dimedici]

I am pretty sure that it states in the Social Security Act that the SS# is NOT to be used for identification. I don't believe that any law changing this has ever passed. Companies and governments (State, local, and federal) just started using the SS# to ID people because every legal resident had one. Some states use the SS# as the drivers license #, some colleges use the SS# as the student ID. If my recollection of the wording of the SSA is correct this is technically a violation of it, but nobody ever enfo

Re:

[mpe]

I don't believe that any law changing this has ever passed. Companies and governments (State, local, and federal) just started using the SS# to ID people because every legal resident had one. Some states use the SS# as the drivers license #, some colleges use the SS# as the student ID. If my recollection of the wording of the SSA is correct this is technically a violation of it, but nobody ever enforces it

The longer this kind of abuse go on the harder it is to do anything about it.

Gathering? Been happening for over a decade

[davidwr]

In the 1990s health care plans, universities, and others stopped using SS#s as identifiers out of privacy concerns.

In the last 15-plus years, some public records have also changed identifiers, been removed from the public records, or had SS#s redacted for the same reason.

The pendulum may be moving faster now but the swing began long ago.

Re:

[Anonymous Coward]

It took my school until 2004 to stop using our socials for student id. They were printed on our id cards, bus passes, library cards, etc. Even the course roster given to the instructors listed our ssn next to our name.

Then we started using 8 digit id's. The problem? The public numbers are now used as passwords into some systems.

Re:

[forlornhope]

Hello fellow Mountaineer, Or at least I would assume as WVU does the exact same idiotic thing.

But will universities/ follow suit?

[rob_squared]

At the university I went to the student ID was the social security number, and since that is used with credit companies and businesses for tax reasons, its still a problem. Heck, even standardized tests where TAs were grading, they used SS#s. This is a step in the right direction, but its only the first one.

Re:But will universities/ follow suit?

[Rick17JJ]

I was taking a part time college class at a Junior College several years ago. The students social security number was printed on the class schedule that each student carried around with them on the first day of class. On the first day, there were misplaced class schedules laying on the ground and on desks all around the campus. Nobody seemed too concerned. I don't know if the local junior college still does that or not.

Back in the 1970's, I got an Arizona drivers license shortly after moving to Arizona. Back then, by default, they would use the social security number as the drivers license number unless the applicant specifically asked them not to. My social security number was on my drivers license for over 30 years. ATM machines did not yet exist in grocery stores or small shops, so checks were typically used to pay. When cashing a check they would typically ask for a drivers license and write the drivers license number on the check. Over a few decades, that would be thousands of checks, per person, with the social security number on them. A few years ago, I went over to the department of motor vehicles and had them change my drivers license number to something other than the social security number.

For many years, the envelope for my monthly medical insurance bill always asked me to write my account number under the return address on the outside of the envelope. My account number was my social security number and I always hated having to write that on the outside of the envelope. They finally stopped using my social security number as my account number a few years ago and also stopped asking me to write it under the return address on the outside of the envelope.

A few decades ago most people also kept their social security card in their wallet. Some people still do, even though wallets are frequently lost or stolen.

For many years, identity theft was very rare and there was very little effort to keep social security numbers secret. So after decades of not keeping them secret everyone is now being told that they need to keep them secret. Who's idea was it to start using something that had never been very secret for identification purposes? Knowing a social security number or a mother's maiden name should never have been considered to be proof that someone is who they say they are.

Fortunately, I have never been the victim of identity theft other than one minor instance of having one fraudulent charge on a charge card a few years ago.

Re:

[MMC Monster]

Interestingly enough, when I went to high school (mid-to-late 80s), our ID number in school was a 9 digit number that was not our social security number. At that time I thought it was strange, now I think they were ahead of their time.

stupid

[circletimessquare]

so now records which were easily identifiable will be obscure and hard to locate

oh yeah, right, this is always a good thing. because what the city hall of tacoma washington is used for is the fascist illuminati overlords attempting to turn you into slaves. not, you know, trying to buy land or registering a marriage certificate. you know, mundane every day things you WANT to be easy and painless. clearly, we have to worry about our irrational fears of being controlled by bogeymen from bad hollywood movies we

Re:

[Poppler]

the privacy above all costs idiots here on slashdot make me want to puke

Currently, my SSN is bought and sold by unscrupulous companies without my knowledge or consent. I can't think of a single way that has made my life more "painless". Why does my SSN need to be published on the internet for a local official to verify my identity for a marriage license?

bolt of lightning for some of you: there are actually real world limits on privacy... that make sense

And this isn't one of them. If you're going to argue th

hello

[circletimessquare]

welcome to reality

in reality, you can have convenience and reliability

or you can have privacy and security

you can't have both at the same time

welcome to the real world

Re:

[Poppler]

in reality, you can have convenience and reliability

or you can have privacy and security

you can't have both at the same time

Once again, I have to ask you to elaborate on that. What "convenience and reliability" is being achieved by publishing Social Security numbers online?

Re:

[jrockway]

welcome to reality

in reality, you can have convenience and reliability

or you can have privacy and security

you can't have both at the same time

welcome to the real world

welcome to reality

in reality, you have punctuation marks and capital letters

sentences end with periods

sentences start with capital letters

welcome to the real world

Re:stupid

[Beryllium Sphere(tm)]

>leave the social security numbers on the documents, please

Believe me, that muncipality is going to be even more cash-strapped if and when they have to pay for all the damage they cause by publishing SSNs.

What about other identifiers?

[shakestheclown]

This is all good for SSNs, but what about other personal identifiers?

I'm tired of my local priest asking to see my penis for identification.

Re:

[Saikik]

Obviously you should stop leaving your penis laying around on public documents...

Re:

[shakestheclown]

...Cockroaches don't have SSNs...

SSN is an account number

[cepler]

My Social Security Number (SSN) is an account number. Why is it used by so many companies as a form of authentication? It's simply a string of numbers indicating where money is stored for social security benefits. The ignorance of companies in relying on this single number as a form of identification and authentication is what has caused this problem. I should feel free to give out my SSN to anyone. It's not a password and should never have been USED as one PERIOD.

Re:SSN is an account number

[malchus842]

It's simply a string of numbers indicating where money is stored for social security benefits.

There's no money stored anywhere. Social Security is a "pay as you go" system, and any excess funds are replaced with Treasury Bonds (IOUs from the taxpayers to fund Social Security in the future). At some point, the tax needs of repaying those bonds, as well as covering new retirees will exceed the ability of the workforce to pay - unless a significant change in the system is enacted.

Re:

[sjames]

While some changes may be in order, the fundamental argument against social welfare can be vastly simplified.

If those arguments are true, then it is also true that it is IMPOSSIBLE for a typical person to ever save enough money to retire, pay for health care, etc. If true, the problem is much more fundamental than tweaking policies and percentages in the Social Security program.

Re:

[PPH]

True. Its not a password. Knowledge of a SSN is not sufficient to validate my identity.

On the other hand, I don't want private organizations to have a universal identifier that they might use for data mining purposes. Do you really want your auto insurance company to access your local grocery store 'discount card' records to see how much beer you buy?

Re:

[mpe]

My Social Security Number (SSN) is an account number. Why is it used by so many companies as a form of authentication?

Especially considering that many of them have no interest at all in putting money into said account. Thus giving them the information makes about as much sense as giving them your bank account details.

Right...

[DittoBox]

public officials who are strapped for cash and/or ethically challenged.

Right. Aren't all public officials strapped for cash and/or "ethically challenged?"

Ther is a much much better way

[argoff]

Get rid of the stupid number, and the ponzi retirement scheme that comes with it. It may make it harder for the government to track my finances, well boo hoo hoo I think I'm going to cry.

all the eggs in one basket

[eneville]

this is exactly where having everyone's data in the same place is a problem. the government should invest in monitoring the access and controlling who can do what with it. queries should be controlled, and mechanisms have to be put in place to ensure that no user can extract too much data in a short period of time. i'm not in a position to suggest exactly how that should be implemented in the office as i do not work there, but i can see how organisations without access controls can easily be abused.

Blah blah blah

[Score Whore]

Why doesn't someone grow a pair testicles and forcibly tell all the businesses in the world that your SSN is not secret. It is not to be used as a strong credential. Treat it just as fucking public as something like your name. If the law said, it's not secret and any business that uses it as "proof" of someone's identity has to bear the burden of any losses that business incures. If they sign a contract with some scam artist and that person takes off with a brand new ferarri, too fucking bad, they can't come after the person who's name was used. They can't file a bad credit report.

Re:

[MollyB]

Why doesn't someone grow a pair testicles ...

For the same reason you don't grow a pair of ovaries, sir.
Personally, I think the metaphor of having (or growing, if you will...) a Spine or Backbone is more accurate, and includes everyone.
This is slashdot, I know, but, c'mon...

Re:

[maxume]

So you are saying that you have never once met a woman that was accurately described as 'having a pair'? Really? I've met a few ladies with big brass balls(I wonder if anyone will reply to that?).

Of course you haven't, because you think it is sexist, but whatever, I mean, c'mon, what's next, sensitivity training on the job?

Re:

[Anonymous Coward]

BTW, there is no such crime as identity theft. There is theft, and there is failure to correctly identify. The victime of "identity theft" is the victim not only of the person who used his credentials, but of the corporation or government agency which gave money / credentials to the wrong person, then tried to hold the victim responsible unless/until the victim offers evidence that he is entitled to get his own property/freedom/etc. back.

Hey Jedediah! Hand me that arc welder!

[jfengel]

I dun got this barn door nailed pretty darn shut, but I wanna weld it and and sink it in concrete, just to be sure. That horse may already be outside the barn but I fer gol dern sure don't want him to get any MORE out.

We're All Gonna Die!

[pipingguy]

All this hinges upon peoples' perception of "safety". I usually do not watch network TV, but last night I accidentally caught something by John Stossel wherein he was talking about relative safety. In this group we're pretty sophisticated (mod me up, pandering to the audience) but the average slob/pleb/6-pack Joe gets his info from mainstream TV.

Aside from providing big muscle to win good wars, make good entertainment and do the manifest destiny thing, the US is pretty good at mobilizing its citizens for

Re:

[account_deleted]

Comment removed based on user account deletion

The solution to your problem: SIN!

[telso]

What needs to be done is to prevent companies from requiring SSNs unless absolutely required. Just above you, in the land of the sensible, Social Insurance Numbers [wikipedia.org] have been like that for a while:

Unless an organization can demonstrate that the reason they are asking for a person's SIN is specifically allowed by law, or that no alternative identifiers would suffice to complete the transaction, they cannot deny or refuse a product or service on the grounds of a refusal to provide a SIN. Examples of organizat

Re:

[KDR_11k]

Or look at some European countries, we have no identifying numbers that are used by multiple organizations. Sure, I have a number for medical insurance, for studentship, etc but noone who isn't involved directly with those will ask for that number. We have ID cards for identifying ourselves.