How To Stop Businesses Storing SSNs Indefinitely? 505
The Angry Mick writes "My wife and I recently moved, and during the course of providing change-of-address information to the many companies we do business with, I asked each if they were storing a full Social Security number in their databases, and if so, could they remove it or replace it with an alternate identifier. Neither the experience nor the results were particularly enjoyable. On the positive end of the spectrum, some companies were more than willing to make a change, even offering suggestions for a suitable alternate such as a driver's license number. In the middle were companies that made things a little more difficult, requiring several steps up the management tree before speaking to someone with some actual authority to address the issue. Then there was DirectTV. This company not only flatly refused to consider the suggestion, but also informed me that even if I were to discontinue service with them, they still intended to keep my full SSN on file indefinitely. There is no logical reason for them to do this, and I'm not keen on the idea of being left vulnerable to identity theft should they have experience any security breaches at any future point in my life. So, my questions to the Slashdot community are: Has anyone else tried getting your SSN replaced or removed in corporate databases, and what were your experiences? And short of Armageddon, is there any way to force a company to erase your SSNs after you cease doing business with them, or is this a job for a lawyer or regulatory body?"
Bad news. XD (Score:3, Informative)
Re:Bad news. XD (Score:5, Informative)
I was wondering if there was anything equivalent to the Data Protection Act [wikipedia.org] in the America:
Re:Bad news. XD (Score:5, Insightful)
No, in America we use the free market system. Which means the system is free to market your data any way they want.
Re:Bad news. XD (Score:5, Insightful)
Re:Bad news. XD (Score:4, Interesting)
It's Burn-Karma-Friday!
In scary America: (Slight exaggeration)
All data is now subordinated to Stopping Terrorists. All other uses are bonuses.
Data must be disclosed upon request without the consent of the individual, unless legislation provides a reason not to share the data, AND no current executive order exists allowing the override of that legislation.
Individuals have no right to access the info about them, subject to certain exceptions.
Personal info must be kept longer than necessary, and may not be up to date.
Re:Bad news. XD (Score:5, Informative)
In practice, as you say, even the weak constitutional and statutory protections of privacy are most often ignored.
http://www4.law.cornell.edu/uscode/42/408.html
http://www.usdoj.gov/04foia/privstat.htm
http://www.cavebear.com/nsf-dns/pa_history.htm
http://www.cavebear.com/nsf-dns/5usc552a.htm
http://www.cms.hhs.gov/privacyact/patraining.asp
http://www.cms.hhs.gov/privacyact/pa.pdf
http://www.so.doe.gov/documents/privactof1974.pdf
http://www.epic.org/privacy/laws/privacy_act.html
https://www.cnet.navy.mil/privacyact1974.pdf
http://library.lp.findlaw.com/articles/file/00007/004477/title/subject/topic/constitutional%20law_freedom%20of%20information/filename/constitutionallaw_1_88
http://library.lp.findlaw.com/articles/file/00007/004477/title/subject/topic/constitutional%20law_freedom%20of%20information/filename/constitutionallaw_1_88
http://www.cpsr.org/cpsr/privacy/ssn/ssn.faq.html
http://www.cpsr.org/program/natlID/natlIDfaq.html
Re:Bad news. XD (Score:4, Informative)
There is not much [wikipedia.org]. This excerpt, In general terms, in the U.S., whoever can be troubled to key in the data, is deemed to own the right to store and use it, even if the data were collected without permission, is particularly disturbing.
Data may only be used for the specific purposes for which it was collected.
While you may THINK the data was collected for either a sale, long term lease agreements (similar to cable service), or whatnot... the ACTUAL specific purpose was to track you and sell your information to "partners".
Data must not be disclosed to other parties without the consent of the individual whom it is about
This is where the "partners" come in ... See JCpenny and SBS [google.com] for an example of 1 company using your information and giving it to a partner company.
Personal information may be kept for no longer than is necessary and must be kept up to date.
Too bad its not supposed to be deleted if it can't be confirmed in given period of time. Also, SSNs don't expire, so you get off thier list if you die. Yay.
Some companies keep it even if you die! (Score:3, Interesting)
"Also, SSNs don't expire, so you get off thier list if you die. "
This is not necessarily true. My mother died in the year 2000 and we still occasionally get in the mail offers from a company that kept her SSN. We told them she is dead but they keep sending stuff anyway. We've given up and are willing to let them continue to waste their money.
Re: (Score:3, Insightful)
Re: (Score:3, Interesting)
At one time one was not supposed to use the SSN for anything not involving the Social Security Administration. That was a long time ago. I was told that it was originally illegal, but I don't know that this was really so.
N.B.: This was specifically the SSN. Don't generalize it to other kinds of data, which have largely never been regulated.
Re: (Score:3, Insightful)
The best defense against a company keeping your SSN,is to NEVER give it. Sure, it might be a PITA sometimes, but, these days, it isn't nearly as hard as it used to be
Re: (Score:3, Interesting)
Who is it impossible with?
Cable? They don't have my SSN.
Cellphone? The don't have my SSN
Power? They don't have my SSN
Insurance? They don't have my SSN
Not impossible...some want a deposit, I do that...I get it back usually within a year.
Right now..only ONE utility I have has it..the water dept...and I verified that their system is so old and antiquated, that they cannot put anything in the computer without it. That is the one t
Broken by design. (Score:5, Insightful)
There is no reason for a POS to have SSN. There are many other methods to get uniqueness.
When companies ask for it, I request for what use do they have for it. I have left hospitals for requesting the information, for they have no need for the information.
But to ask a person doing a POS transaction for their SSN, is just plan broken.
Re:Broken by design. (Score:5, Informative)
Re:Broken by design. (Score:4, Funny)
Re:Broken by design. (Score:5, Funny)
So it was you who gave them my SS#!
You insensative Clod!
Re:Broken by design. (Score:4, Interesting)
Re: (Score:3, Interesting)
so I gave them a fake one.
And I've done the same thing. The SSN is used by the medical records companies that are operated similar to credit bureaus. As with credit bureaus, the SSN is not the primary method of ID, but it helps sort out people with the same name. Medical records are far more detailed than your credit history. You'd be amazed what's in them.
Re: (Score:3, Informative)
I don't think giving a fake SSN is identity theft. (And I happen to be a victim of identity theft.) If I say "my name is Jason Levine and my SSN is 583-58-2958" (not my real SSN, of course), I haven't stolen anyone's identity. Yes, that number might match someone's SSN somewhere, but chances are the name won't. So if you look up the SSN and see it's assigned to "Jane Smith", it will be pretty obvious that the SSN given was wrong or an error occurred somewhere.
Now, if I said "my name is John Smith" and g
Re:Identity Theft is a crime. (Score:5, Interesting)
Your name will show up as an Alias on their credit report and your address will show up as a former/current place of residence. Then, later, if your house is being foreclosed, it may affect their ability to get a loan or sell their house.
I used to write mortgage software and credit report retrieval software and I have seen this exact situation, probably from someone giving out a "fake" SSN for privacy reasons, although we had no idea why this other information was on the report (maybe a transposed SSN).
Anyway, you can have a negative effect on others by doing this.
Re: (Score:3, Insightful)
Your name will show up as an Alias on their credit report and your address will show up as a former/current place of residence. Then, later, if your house is being foreclosed, it may affect their ability to get a loan or sell their house.
How is it my problem that the CRA keeps lousy records?
Re: (Score:3, Funny)
Re: (Score:3, Insightful)
When the collection agency files against your victim using their social security number for you not paying your bill. It's definitely identity theft, and I bet you would find that if it did effect them, they would try to have you prosecuted.
Re: (Score:3, Interesting)
Re: (Score:3, Insightful)
Re: (Score:3, Informative)
Re: (Score:3, Informative)
This is bad policy, since many potential hospital "customers" don't have an SSN. Hospitals have to service newborns, visitors, illegals, etc. Using SSN as the unique ID doesn't work, and they usually have work-arounds for this.
Re: (Score:3, Interesting)
Re: (Score:3, Interesting)
Re: (Score:3, Insightful)
It's not so much that the SSN is used as an identifier, that is after all what it was designed for. (Although as many have said, it was not supposed to be multi-purpose.) The bigger problem is that it's also used as authentication, even by the same organization that uses it as an identifier. It's like having a password that has
to be the same as your username, and you can never change it.
And using just the last 4 digits is not much better. Sure, your billing statement that someone grabs out of your trash
Re: (Score:3, Interesting)
Re:Broken by design. (Score:4, Informative)
I work at a college, when I started the main thing we were doing was changing our system to assign unique ID's to all students and remove all SSN numbers in places where it was used as ID's.
The whole project took about a year to do. Now there is only one place where you can still find the SSN number, and that is only because it is required for some financial aid things.
Re: (Score:3, Funny)
Re: (Score:3, Funny)
Almost every insurance company requires it to process your claim. Now, whether the insurance companies should be able to do that is a whole different argument.
For fun, try having twins and have the insurance agency disallow the second child as duplicate service.
Re: (Score:3, Insightful)
The SSN was never intended to be used this way. If it was your choice to use the SSN in ANY database, you should be beat, if it was somebody else, please identify them.
It is this type of abuse and use of SSN numbers that has helped enabled identity fraud.
Re: (Score:3, Insightful)
seriously, you didn't run away screaming from that credit union?
Re: (Score:2)
In order to perform collision detection, there is absolutely no reason that you couldn't track the SSN separately from the primary key on your "customers".
I'm not big on regulation, but there really should be a law preventing the usage of SSN as a PK in any data storage schema.
Re: (Score:3, Insightful)
And what would you suggest as an alternative? The SSN is the only unique number that a US citizen has, and every US citizen has one. Sometimes you need a PK which actually identifies someone, not just one which identifies the record in your database.
The problem with SSN's and identity theft is verifying that an SSN belongs to a person not the SSN itself, if you replace the SSN with someone other number which is sufficiently unique as to identify you as an individual it's sufficiently unique for someone to
Re: (Score:3, Insightful)
Re: (Score:3, Interesting)
As primary key, a UUID [wikipedia.org] makes more sense than a number such as an SSN which can change (yes it can- I'm down to my third by now). No need to make that UUID public or even let people know what it is; you *can* look people up by (a combination of ) other bits of information. If someone doesn't want to provide their SSN, you can use their Full Name+Date of Birth for searching - this combination will usually render very few collisions.
Technical solutions aside, I'm
Re: (Score:3, Informative)
For your first point: If I wanted to consent to a credit check, then I'd have no problem giving them my SSN, but there's no reason they need to store that permanently. For my simple reasoning, keep reading.
For your second point: My last paragraph (see "Caveat:") in my previous post mentioned that idea, but you didn't read the last sentence:
I'm sure one could invent other methods of solving this.
One trivial solution would be to store only a hash of the SSN. That way, nothing is lost if the database is stolen/copied/sold, and nobody loses their privacy. The SSN
Re: (Score:3, Informative)
Well for credit checks for one, which is one of the things they do with it. It can be useful for medical records too. Government benefits. Taxation, criminal records. Knowing who you are(and more importantly who you aren't) is rather important for an awful lot of things. Most of these companies mostly want it to make sure you pay your bill. It doesn't technically need to be the PK, but if it's unique it may as well be.
Your SSN isn't really all that important a number in and of itself. The only reason it's i
Re: (Score:3, Informative)
Then you use a number unique to them in their context, but for the most part, the vast majority of the kinds of customers you'd need to uniquely identify for a US company are US residents and since you can't work without an SSN, people who don't have one aren't generally good customers or will pay in cash.
Something I've considered... (Score:5, Insightful)
Lately it seems everyone wants to know my SSN: my dentist, my grocery store, my heating fuel supplier, the guy who changes my oil, etc. When credit checks are required, I ask them to try running it without the SSN (just address data) and often they will try. Other times, they are simply using the SSN as a convenient identifier for customers -- !!!! -- so I politely suggest a different number, or insist on only giving 3-4 digits of it. Thankfully my health insurance company will generate an internal ID# for you, if you request it, so that your SSN is not printed on your insurance card and therefore stored at your physician's office.
Other than to the government, and to organizations directly attached to my banking needs, what's wrong with giving a different number in place of the SSN? As long as you can remember it, that is. Would that be considered some kind of fraud?
Re:Something I've considered... (Score:5, Interesting)
Back in the early 1980s -- yes, nearly 30 years ago -- MIT allowed students to refuse to have their SS numbers as their Institute ID numbers. In those cases, and also for foreign students who nominally don't have SS numbers, they issued numbers that passed the SS check, but were from an otherwise unallocated block. They cleverly encoded your class year into the number to boot. For a long time I gave my MIT ID number when non-finance-related institutions requested an SS. Worked fine.
I haven't had an active MIT ID for a long while, so don't know what they do now.
Re:Something I've considered... (Score:4, Interesting)
MIT allowed students to refuse to have their SS numbers as their Institute ID numbers.
A technical college I attended in Arizona was slightly different. They did allow you to use your SSN for your student ID, however, if you did so, every 4 months you were sent a letter that explained why this was a bad idea, for the student, to persist in doing this, and it closed out with a paragraph urging you to change it to something different.
Re:Something I've considered... (Score:5, Insightful)
I'm not from the United States, nor I live there, but I never got why exactly is a SSN supposed to be secret, is it possible to do identity theft with only the SSN alone? Here in Mexico we have a ton of personal identification numbers (RFC, CURP, IFE number, Passport, Drivers License, Military Service, Social Security, Professional Certificate, etc) and none of them is really supposed to be secret, I don't get why people from the USA a secret number that you're not supposed to divulge, yet you need to give up for reasons like cable TV contracts and there's chaos when something like a database of SSN got leaked .
Re:Something I've considered... (Score:5, Informative)
is it possible to do identity theft with only the SSN alone?
Unfortunately, yes. It provides enough of a building block (used both as an identifier and as an authenticator) to allow a moderately-clever person to build up the rest of the identity.
Re:Something I've considered... (Score:5, Informative)
It's not. It's supposed to be unique (within certain criteria: they do get reused eventually) across everyone in the USA, so the Social Security Administration can identify everyone. That's all it was designed for.
It just happened that the SSN was the first major government number that everyone was required to have. So everyone else used the fact that it was there and unique to make their lives easier. Which means that now everybody tracks you by that number, and if you have that number you can impersonate anyone in any database that uses it.
It's not supposed to be secret. It's not supposed to be your full ID. It just became that.
Re: (Score:3, Insightful)
It just happened that the SSN was the first major government number that everyone was required to have.
The same is true of the Social Insurance Number (SIN) in Canada, and I don't think I've ever divulged mine to anyone who wasn't my employer, my accountant, or the Canada Revenue Agency.
So the question in my mind is why Americans have allowed their SSN's to be used in these ways, while in Canada we've not allowed a similar number to be used in similar ways? I don't think I've ever given my SIN to my cell
I fought the good fight (Score:3, Interesting)
Re: (Score:3, Interesting)
Re: (Score:3, Interesting)
Re:Something I've considered... (Score:5, Informative)
That's actually a good question. The answer is , no, it is not supposed to be secret. It is an identifier; identifiers are not secret.
The problem is that so many companies misuse SSNs. They treat them as if they were passwords.
What is your name? John Smith
What is your SSN? 123-45-6789
OK, you must be John Smith all right. What can I do for you?
It is this completely broken way that companies "verify" your identity that is the problem. People try to keep their SSN secret to reduce the chances an "identity thief" will get it and use a company's and/or bank's broken procedures to steal from you.
Re:Something I've considered... (Score:5, Insightful)
Many years back I worked as a skiptracer / fraud researcher for a well known credit card company. The short of the answer is that with a social security number a person can readily learn a persons private financial details by pulling a credit report.
There is no mechanism that prevents companies from doing so, they 'self authenticate' as it were. Unlike a person who must provide details to prove that they really are who they claim they are. All a business has to do either claim you have given your consent or that you owe them money and they gain full access to your private credit report.
With a credit report alone I can tell everything from what kind of car you own (as most people finance) to where you live, where you have lived, what your lifestyle choices are, where you shop and so on. It's a pretty thorough invasion of privacy. Using additional services I can gain other information about you such as property you own, tax records, court records, family records, residence, an unscrupulous person could even find out your health records. In ten to fifteen minutes I have a very telling picture of your life, whether you want someone to have it or not.
The bottom line is that with a social security number there is very little about a person that cannot be readily discerned in a very short period of time. Unethical people will quickly cross the line, checking things that they shouldn't or, even stealing your identity.
Re: (Score:3, Interesting)
Sure, these can be done fairly easily. One of the most common types of fraud I encountered was where a parent would take credit out in the name of their own child. The parent figures their in the clear, and denies responsibility when it comes time to pay. Meanwhile the child may not find out until they turn 18 years and suffer a bad experience. I had many instances where I would get hold of someone around 18-20 years old and tell them what was going on.
It's a terrible position to be in, your 18 years old, q
Re: (Score:3, Informative)
Who or what generates the number isn't the problem. If everyone switched over to using your ID number, then pretty soon everyone would be saying to keep that secret just like they do for SSN now. The problem is that the number is being used to authenticate you instead of just identifying you. If companies demanded a valid notarized SSN card as proof prior to obtaining anything in your name, then you could tell your SSN to anyone and it wouldn't matter (with the assumption that it's impossible to forge a
Re:Something I've considered... (Score:4, Funny)
Something I've considered, it seems that SSN's are being used very similarly to passwords. Make sure to use good security practices and change yours every 60 days.
Re: (Score:3, Insightful)
The real answer is to hold businesses to the fire for exposing/trading/selling it an
Re:Something I've considered... (Score:4, Interesting)
> so I politely suggest a different number, or insist on only giving 3-4 digits of it.
I tried this once with Verizon. I was signing up for a new account, in person, at the Verizon store. They wanted my SSN, and I told them I wouldn't take the account if I had to give that out.
They said no problem. The salesman called their credit dept, and handed the phone to me. They asked my name & address, and asked for the last 4 digits of my SSN.
They were searching some database - they found me by last name & address, and they only wanted the last 4 digits to verify that they found me. And I am sure they put my SSN into my account while I was on the phone.
I don't think it helps to keep SSN's from these businesses . . . they can grab them without needing to get them from you.
Re: (Score:2)
Certainly. But why would my grocer run a credit check on me? I don't have any kind of credit account with them. Same with the dentist. Or the auto mechanic.
Re: (Score:3, Interesting)
Re: (Score:3, Interesting)
(something similar to md5 but which is guaranteed to be unique).
No such algorythm is guaranteed to be unique, because it's lossy. It's the same reason you can't zip and rezip a 100 MB file down to 1 byte. There are only a certain number of combinations that you can fit in 32 bits, and eventually you're going to get collisions. This is for any hash, not just MD5. It's not possible to make a hash function that doesn't have collisions. The only reason they're an issue for security is that vulnerabilities can make those collisions predictable. Collisions aren't a secur
Your Rights & Your Actions (Score:2, Informative)
So, you could call them up and threaten them with prosecution u
Re:Your Rights & Your Actions (Score:5, Insightful)
In 1998, Congress made identity theft a federal crime when it enacted the Identity Theft and Assumption Deterrence Act (Identity Theft Act).5 The act made it a criminal offense for a person to "knowingly transfer, possess, or use without lawful authority," another person's means of identification "with the intent to commit, or to aid or abet, or in connection with, any unlawful activity that constitutes a violation of federal law, or that constitutes a felony under any applicable state or local law." Under the act, a name or SSN is considered a "means of identification," and a number of cases have been prosecuted under this law.
Now, with that, I would seek a lawyer who would take this case (maybe even some high profile lawyer or a member of the EFF) and clearly outline the above in a written letter with your signature informing them that they are in violation of the "Identity Theft and Assumption Deterrence Act (Identity Theft Act)" and if they do not remove your Social Security Numbers, you will take legal action. If your case is solid enough, you might be able to really stick it to DirectTV for storing personal private data "without lawful authority" as they do not have the written consent of every customer.
Nothing in that quote suggests it is against the law for the company to retain the SSN in the course of lawful business, and as they are not intending to commit or aid or abet an unlawful activity, then your harshly worded letter would be meaningless.
Of course, other laws may be quotable with better effect...
Re: (Score:2)
Nothing in that quote suggests it is against the law for the company to retain the SSN in the course of lawful business, and as they are not intending to commit or aid or abet an unlawful activity, then your harshly worded letter would be meaningless.
So tell me, what are they intending to do with it? What he said of DirectTV:
... even if I were to discontinue service with them, they still intended to keep my full SSN on file indefinitely.
And so what do they intend to do with it? Your business with them is complete. Now the only reason they have to keep it is for the purposes of tracking you and privacy invasion.
Like I said in the original post, you'd need a good lawyer and you'd need a solid case. You would, of course, need to be creative and show that either 1) storing the data puts you at necessary risk of identity theft and it is therefore unlawful or
Indemnification (Score:5, Interesting)
I always turn it right around on them instantly whenever some merchant wants my number. I got nailed years ago with ID theft, which really sucks and takes a long time to fix, so I came up with something that has been working for me.
I mention getting nailed previously, etc.,, then ask to see their indemnification policy on security breaches, in writing, so everything is "legal and proper".
You get the *really* blank stare then, because about zero of these companies have anything like that..because they are jerks, but we all know that anyway.
Let them sit for a bit and stew on that. Again, you throw it right back at them when they claim they are secure and "your data is safe with us" and all the other BS..."well, sir, we are secure, and...". They ALL say that, every single stupid company out there claims to be "secure". They initiate that claim when you ask. That's a *vital point* there. As part of this proposed business transaction now, they, through their rep who is talking to you right then and is prepared to accept your money, will make a statement that they are 'secure". This is the bingo moment.
I go, along these lines, "swell, that sounds great! You are secure, wonderful, that makes me feel better because ID theft is such a hassle and expense! Err..uhh..just for my records then, please just show me and if you could provide me simple copy of your "data security" warranty provisions, the indemnification policy you must have then, thanks! And BTW, not that this will ever come up, but exactly how much cash do I get back from you when and if you get compromised? If you are "totally secure" as you claim, then you should have no problems with a guarantee that you are secure in writing".
Salt to taste there, and I am never outright rude or obnoxious about it,(I will speak in a loud and clear tone though so any other customers present can hear this exchange) just make them backup their contractual claims they just made to you. They just offered you a proviso in the terms of an oral contract to go along with whatever written crap they want you to fill out that they are, in fact, "secure", so you can ask for proof and so on.
The original clerk will be baffled as expected and will then pass the buck. Then just keep bumping it up the food chain until you hit some manager who doesn't want to be bothered and they give you the service without having to hork over your precious. Sometimes it's fast, other times it takes awhile, but usually it works.
If some manager starts to get redneck on you, you can go, again, along these lines, "Oh, you now are withdrawing your offer, because your company lied to me? You tried to extract my cash from me based on a lie? That's serious legal fraud in this state my friend" and etc.
Anyway, it usually works and it certainly is fun!
Re: (Score:3, Insightful)
In 1998, Congress made identity theft a federal crime when it enacted the Identity Theft and Assumption Deterrence Act (Identity Theft Act).5 The act made it a criminal offense for a person to "knowingly transfer, possess, or use without lawful authority," another person's means of identification "with the intent to commit, or to aid or abet, or in connection with, any unlawful activity that constitutes a violation of federal law, or that constitutes a felony under any applicable state or local law." Under the act, a name or SSN is considered a "means of identification," and a number of cases have been prosecuted under this law.
DirecTV can simply claim that they have no intent to commit, or to aid or abet, or use the SS# in connection with an unlawful activity.
PIPEDA (Score:3, Informative)
.P.I.P.E.D.A.
Canadian regulation that in short says any business has to divulge any personal information of yours that they are storing, and allow you to change or remove it. It may be with a simple web-site form, it may be with a written letter, but that's the law.
Re: (Score:3, Interesting)
The privacy act(federal legislation) [priv.gc.ca], is a pretty interesting bit of work. Applies to everyone, no matter what. Applies to all levels of government, law enforcement and the rest. If businesses want something they have to grovel for it, if you want it removed they have to do it. If the police want something, they have to show just cause(which can make it really hard to get
What did you expect? (Score:5, Funny)
Re: (Score:2)
This is why a non-encrypted, non-authenticated short sequence of digits that you give out to many different companies is a terrible thing to use as a secret access code for financial-identity verification.
The fact that companies want your SSN, use it as an identifier, and store it indefinitely is bad. But the really bad part is that the SSN has so much power in the first place. At this point the SSN should just be downgr
Why bother? (Score:2)
It's not like your SSN is top-secret these days anyway.
Expiration date (Score:4, Funny)
Your SSN has expired, please choose a new one.
Old SSN: __________________
New SSN: __________________
Retype new SSN (tip: copy from above): __________________
Not gonna happen (Score:5, Interesting)
As someone currently working on a database that contains SSNs, I can tell you I couldn't get rid of every instance of yours if I tried. The entire architecture is based around not losing your data no matter how stupid I am. It's a nice thought, but the reality is that you're only increasing the number of people looking at your SSN by trying to get rid of it.
Re: (Score:3, Interesting)
That's why SSNs should never be used as primary keys. They are a lookup field to provide a pseudo-unique way of looking up a tied-to-a-individual record much like you might use a last name, an account number, or some other piece of information that can find an actual record entry tied to for transactional purposes.
Primary/Foreign keys should be used to establish a unique record for transactional purposes or to relate to another record for referential integrity. That's all they should be used for.
Social se
Here is what you should know (Score:2, Informative)
Read This, I hope it helps!
http://www.privacyrights.org/fs/fs10a-SSNFAQ.htm
Try this.. (Score:2)
what i want to do is (Score:2)
you're confused (Score:5, Insightful)
SSNs are not secrets. They are not authentication credentials.
Storing (or even leaking) SSNs is not the problem. The problem is when certain negligent organizations use knowledge of SSNs as some sort of proof of identity. If you're worried about your SSN being misused, talk to those companies.
Talk "those" companies... (Score:3, Insightful)
Why?
Why not - and I mean this seriously - sue them for libel when they bring action for identity theft against you?
You can very easily demonstrate that the SSN is not a proof of identity (authentication). You can (or should be able to) easily demonstrate that a company which relies on SSN for identity authentication is negligent of its fiduciary duty to protect the assets of its stockholders. Toward the libel charge, you should be able to demonstrate that the company *should have known* there was str
DELTA SkyMiles (Score:2)
So, I take a look at the enrollment form, and not surprisingly, it has SSN as a required field. I ask this guy (he couldn't have been more than 22 years old) why on earth he wants my SSN so I ca
try this (Score:3, Funny)
Here's a couple things you can try:
DROP TABLE customers
DROP TABLE accounts
DROP TABLE users
pollute the datastream! (Score:5, Interesting)
One should be careful giving out fake SSNs, as you may be accused of attempted identity theft or fraud or whatnot. But, who's to say you or some data entry person didn't make a mistake and mistype one of the numbers, or transpose two of the numbers? Looks like an innocent mistake, I say! If you do it consistently enough, you can even use the excuse, "God, that typo has been following me around forever!"
I'm just sayin'.
I also use my old phone numbers and addresses for those who require such information. "Oh, that's my _old_ number!" :)
Create a corporation (Score:4, Interesting)
That will give you a tax number you can provide for all these services that seem to require one. Also, if the corporation's identity somehow gets stolen, well, you just trash it and get a new one. It's not the cheapest option available, but it will at least keep your personal information private.
Just an idea.
-Restil
Do not design DBs that store SSN! (Score:3, Insightful)
Many of our peers here are the ones designing databases with SSN keys. Stop doing that! Hash the SSNs with a seed using MD5 or a stronger algorithm (or weaker if there is the possiblity that on rare occasions you will need to brute force the original SSN out). If you are required to validate against a subset of the number, store that hashed also. Done consistently you can use the hash to uniquely identify your customer without having to store the SSN in plain text.
The U.S. Government should tax the storage of SSN numbers. We could start at 2 cents per day per instance. Once the tax is enacted, it will be a perpetual risk for businesses that this tax rate will go up and there will be an obvious business case for coming up with other methods for identifying customers.
Re:Ugh, DirecTV should just go away (Score:5, Informative)
They use it for internal credit checks to make sure you don't owe them any money on previous accounts (and likely for other things as well).
That said you can usually setup an account without your SSN, but you'll need to set it up directly with your local office instead of by phone or internet.
Re:Ugh, DirecTV should just go away (Score:4, Insightful)
Re: (Score:3, Interesting)
... explaining that it is illegal to require me to provide it...
Except for the purposes of a credit check.
Part of the reason companies keep this information, in my estimation, is to have ready to perform future credit checks if you request additional service.
I know with my cell contracts, every time I have added a line, my credit gets checked. Nevermind that I have been a customer in good standing for many years.
Re: (Score:3, Insightful)
Part of the reason companies keep this information, in my estimation, is to have ready to perform future credit checks if you request additional service.
It's also so they can make you repeat to them the last four digits of your SSN over the phone, out loud, regardless of whether you're in a public place and might not want to tell everyone in the room the last four digits of your SSN. Oh, and that's just to prove you are who you say you are (even though it doesn't do any such thing).
Oh, and does it bug anyone else when the automated phone system says "we're pulling up your account based on your phone number for your convenience." and then the CSR immediate
Re:Ugh, DirecTV should just go away (Score:5, Informative)
No, it's illegal for the Government to use it other than for its intended purpose. Companies can do what they like with it.
From the Social Security Website: http://ssa-custhelp.ssa.gov/cgi-bin/ssa.cfg/php/enduser/std_adp.php?p_faqid=78 [ssa.gov]
If a business or other enterprise asks you for your number, you can refuse to give it. However, that may mean doing without the purchase or service for which your number was requested. For example, utility companies and other services ask for a Social Security number, but do not need it; they can do a credit check or identify the person in their records by alternative means.
[emphasis mine]
Re: (Score:3, Interesting)
When I set up my utilities, they all asked for my SSN.
The gas company and the phone company both told me that providing it was optional. BUT, if I didn't provide it, they would not run a credit check on me, and so would require a $250 cash deposit (interesting that both companies had $250 as the deposit amount) before connecting service, to remain in their possession until I canceled service upon moving out.
I was glad that I had the option, and I thought it was most honest and upfront of them to tell me my
Re: (Score:2)
I recently set up cable and Internet service with Comcast. The phone rep asked me for my SSN, and I asked if it was required (knowing full well it's not).
He then replied with what I can only assume is complete and utter bullshit. Something about Comcast having special permission from the FCC to get SSNs, to help prevent identity theft. As if the FCC has the authority to do that?
I asked him if I could give him a code instead, and he refused. He finally got tired of me and said he could use my driver's licens
DirecTV gives service to identity thieves! (Score:3, Informative)
Comment removed (Score:5, Insightful)
Re:issue people new SSNs every year (Score:5, Insightful)
The problem is that the banks (and similar) have convinced you that you are the one being defrauded.
Sure, someone opens an account using your details and it sucks for you, but it wasn't your mistake, it was the institution that opened the account that made the mistake.
Re: (Score:2)
Re: (Score:2)
Heheheh, most amusing [computerworlduk.com].
I know, I know - a US ID card would be SUPAR-SEKURE(tm).
Re: (Score:2)
the system being a complete mess has nothing to do with a unique id. It has to do with a group of people that do not understand the bill of rights and their need to fell important.
There is no need of any national id card, except for designers of systems are lazy or did not do their research. I meet a designer for a resort wanted every guest SSN, because it makes easier for an unique key. I pointed out that SSN are not neither fixed nor unique, so at the best you can use them as a foreign key, like a phon
Re:Glad you have free time (Score:5, Funny)
Don't do that! Tin foil is actually aluminum foil, which is produced by Alcoa. Alcoa is a front for the New World Order and they treat the metal in such a way to actually increase signal propagation from your brain. The only real solution to government mind control or reading is to boil your head in distilled or rain water. 30 seconds at 100C should be enough.