Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Privacy Google Your Rights Online

Why Google Wants Your Kid's SSN 391

Jamie found a somewhat creepy story about a kid's art contest run by Google. As part of the entry, they need the last 4 digits of a social security number. The article suggests that the information requested by the contest should make it possible to guess at, and compile a list of children's social security numbers. It's bizarre and worth your read.
This discussion has been archived. No new comments can be posted.

Why Google Wants Your Kid's SSN

Comments Filter:
  • TL;DR Version (Score:5, Informative)

    by The MAZZTer ( 911996 ) <megazzt@Nospam.gmail.com> on Wednesday February 23, 2011 @10:37AM (#35289864) Homepage
    Google's already removed the field from a newer version of the entry form. will not store any collected numbers, and has explained the need for the city of birth (to help prove US citizenship as required by the contest).
    • Re:TL;DR Version (Score:4, Informative)

      by Renderer of Evil ( 604742 ) on Wednesday February 23, 2011 @10:39AM (#35289892) Homepage

      Except that neither city of birth nor SSN are indicators of citizenship / residency.

      This reminds me of the wifi data gathering operation where they amassed all this information "by mistake."

      • Re: (Score:3, Informative)

        by phunster ( 701222 )

        You are wrong, the 14th amendment grants citizenship to those born in the U.S. From the Wikipedia article:

        In the case of United States v. Wong Kim Ark, 169 U.S. 649 (1898), the Supreme Court ruled that a person becomes a citizen of the United States at the time of birth, by virtue of the first clause of the 14th Amendment, if that person is:

        * Born in the United States
        * Has parents that are subjects of a foreign power, but not in any diplomatic or of

        • Re:TL;DR Version (Score:4, Informative)

          by Sciros ( 986030 ) on Wednesday February 23, 2011 @11:52AM (#35290638) Journal

          Actually, the guy you replied to isn't wrong. City of birth isn't necessarily an indicator of citizenship. My city of birth is Leningrad, USSR (now St Petersburg, Russia). I am a US citizen. Dun dun duuuunnnnn!

          • Good point. My "city of birth" is in a foreign country, but I was born an US citizen. No naturalization required.

            I'm inclined to think the geniuses at Google decided to "solve" the "citizenship verification" problem with a borderline-illegal and conclusively-privacy-violating sledgehammer approach, rather than (for instance, as TFA suggested) using a "US citizen?" check box. (Yeah, liars gotta lie, but it's no harder to lie about your city of birth than to lie about the basic question "are you a US citizen?

        • by mcvos ( 645701 )

          Are you saying it's impossible for a foreigner to become a US citizen? Or for a US citizen to lose his citizenship (by becoming citizen of another country, for example)?

          Nothing you've quoted proves that either of these is the case. So city of birth is still not an indicator of citizenship.

        • Re:TL;DR Version (Score:4, Informative)

          by digitig ( 1056110 ) on Wednesday February 23, 2011 @12:12PM (#35290846)
          He's not wrong. Maybe the 14th amendment grants eligibility for citizenship to anybody born in the USA, but that doesn't mean that they necessarily are citizens. They might never take up that citizenship (eg, born to a visiting mother and brought up with her native citizenship) or might give it up when becoming a citizen of another country, especially of one that doesn't permit dual nationality. Place of birth is not a guarantee of citizenship.
      • look, they have access to every email that gmail users send. If Google want's private information, they have more than enough for any evil thing they want to do. A couple of sniffed WiFi packets, or a couple of SSN's is just a drop in a very, very large bucket.

    • by fredjh ( 1602699 )
      How does someone saying what city prove anything?
  • Well duh (Score:4, Informative)

    by ElectricTurtle ( 1171201 ) on Wednesday February 23, 2011 @10:38AM (#35289886)
    Without even reading the article I know why. SSNs contain demographic data about where and when somebody is born. They are not serial numbers or randomly generated. Anybody with access to the first half of the SSN has demographic data.
    • Re:Well duh (Score:4, Funny)

      by Sockatume ( 732728 ) on Wednesday February 23, 2011 @10:42AM (#35289924)

      It's the last four digits that they were collecting, as a unique ID.

      • "Limited Info" - implying that no deductions can be made from that info? There's other related articles that current zip code crossed with all that stuff also produces matches, and this time they have the parents' info.

        Wait, what? What parents will send their complete info to Google for a kid's art contest?

        You can't get that national ID database under the RFID label, so let's do it ... wait for it... for the kids! Google will hand that list over, to make sure no terrorists in training are practicing drawing

        • The last four digits of a US SSN are allocated in sequence from 0000 to 9999 for a given SSN group. They are exactly and completely uninterpretable and arbitrary.

          • The last four digits of a US SSN are allocated in sequence from 0000 to 9999 for a given SSN group. They are exactly and completely uninterpretable and arbitrary.

            Note, though, that the method of assigning the initial sets of numbers is slated to change this summer: http://en.wikipedia.org/wiki/Social_security_number#Structure [wikipedia.org]

          • by rwa2 ( 4391 ) *

            Exactly... the first 5 digits are kinda recoverable from your birth date and location. So if you give them the last 4 numbers, which are the only ones that are really kinda random, then they can pretty much deduce your entire SSN from available public records.

            But I don't really understand why I'm supposed to keep my SSN any more protected and secret than, say my employee ID number or my Slashdot UID for that matter. Any bank or government that uses a simple 9 digit number as a S3(R1+ C0D3 to authenticate

          • Which is why the whole last 4 digits thing is so completely stupid. Those are the only 4 digits in the number which have any degree of randomness applied to them. The rest of it can be figured out with a bit of knowledge about the age and location of birth of the person. There's this view people have that giving up the last four digits is somehow preferable from a security point of view to giving up the whole string, but it's really analogous to giving somebody that ammunition and pistol, but making them ge

      • by JustOK ( 667959 )

        they must not be expecting less than 10001 entrants.

      • Right, and by also asking for their city of birth they can get the first five digits.

    • The last four digits don't. Its the first 5 that can be translated into location.

      My understanding is that if I knew your place of birth/hometown I could figure out the first five (or work it down to a small set) and just append the last four and have your social.

      Storing socials is pretty crazy nowadays. Even Walgreens has stopped doing this. They do what hospitals do use a primary key of Lastname + birthdate, and the verify secondly with address or first name. Its not perfect but your number of collisions

      • Set size can vary widely. Can you imagine how many SSNs are valid for NYC or LA? Last four digits only provide for 10k-1 blocks, so with NYC at ~6m you would need ~600 different preceding number sets. Not what I would call small.
        • by rwa2 ( 4391 ) *

          Meh, NYC and LA mostly consist of illegal immigrants / permanent residents anyway. Right? :-P

          A lot of the numbers eventually get reused when geezers croak as well... I realize we're not too many generations into it, but seems like that should make things complicated soon.

      • .... do use a primary key of Lastname + birthdate, and then verify secondly with address or first name ....

        Which makes me remember what happened to me ten years ago. "Just of the Boat" :-) in Canada I signed up for my companies healthcare. Got a first dental claim cheque but it had on it the wrong company name. Called the insurance guys and, long story short, there was another guy in Canada with the same last name (which is a weird Dutch one "Van Schatter", not your "Smith" or "Johnson") but also the same b

    • It took them long enough. In pre-computer days each ofice would get batch(es) of 10K numbers to give out. The numbering of offices was not random but geographic.
    • Not necessarily the state you were born in, but, rather, the state where the SSN application was sent from, at least from 1972 on. More here. Notable:

      Since 1972, when SSA began assigning SSNs and issuing cards centrally from Baltimore, the area number assigned has been based on the ZIP code in the mailing address provided on the application for the original Social Security card. The applicant's mailing address does not have to be the same as their place of residence. Thus, the Area Number does not necessarily represent the State of residence of the applicant, either prior to 1972 or since.

      They even say (you can choose to believe them or not):

      Note: One should not make too much of the "geographical code." It is not meant to be any kind of useable geographical information. The numbering scheme was designed in 1936 (before computers) to make it easier for SSA to store the applications in our files in Baltimore since the files were organized by regions as well as alphabetically. It was really just a bookkeeping device for our own internal use and was never intended to be anything more than that.

    • Well oddly enough, the numbers do not always accurately portray the location of birth or where you were issued the number as numbers are some counties cannot use anymore numbers within their allotted region code and have to then rely on nearby region codes to allot numbers. It does give you a general idea however thus allowing one to reduce the number of 'bob jones' to look for within a metropolitan region and within a specific issuing period.
  • They aren't working. They aren't earning money, therefore they aren't depositing cash into an SSI account yet. Not until the kid starts working (age 16; 18; whatever) do they need to apply for an SSN.

    • by olsmeister ( 1488789 ) on Wednesday February 23, 2011 @10:44AM (#35289932)
      They need to have SSN numbers as children so that they may be claimed as tax deductions by their parents.
    • "The Tax Reform Act of 1986 required parents to list Social Security numbers for each dependent over the age of 5 for whom the parent wanted to claim a tax deduction. Before this act, parents claiming tax deductions were on the honor system not to lie about the number of children they supported. During the first year, this anti-fraud change resulted in seven million fewer minor dependents being claimed, nearly all of which are believed to have involved either children that never existed, or tax deductions i
    • Not until the kid starts working (age 16; 18; whatever) do they need to apply for an SSN.

      PLEASE don't fight this... the last thing I need is another government-issued ID number for my whole family. Let the IRS re-use the number given by the SSA. I already have a passport number, a drivers license number, and a social security number for every member of the family.

    • by AHuxley ( 892839 )
      If SB 222 (2/10/2011) passes in Missouri http://www.senate.mo.gov/11info/BTS_Web/Bill.aspx?BillID=4124271&SessionType=R [mo.gov] with "eliminates the prohibition on employment of children under age fourteen" they will be working.
    • by Minwee ( 522556 )

      But the sooner they have their number assigned, the sooner it can be tattooed onto their hand and forehead.

    • They aren't working. They aren't earning money, therefore they aren't depositing cash into an SSI account yet. Not until the kid starts working (age 16; 18; whatever) do they need to apply for an SSN.

      They need one if you want to set up a 529 education investment account, or if you want to claim the deduction on your tax returns. They also need one for a bank account, and kids should learn about managing money as early as possible.

    • by NoSig ( 1919688 )
      SSN is used as an ID in all kinds of places outside and inside the government. SSN isn't really about social security or taxes. You just call it SSN in the US because you don't like the sound of something like "national unique identification number" which is what it really is.
  • My general approach to life is to assume that any and all corporations will screw me over for a buck, and all advertisements are 75% distraction from the 20% lies and 5% facts.

    I was largely indifferent to Google (I only switched from Yahoo because the page loaded faster), but when I heard that their motto was "don't be evil." I started to think that they most likely are evil, and are simply biding their time.
    • They *were* the good guys. It started when they went public. I predicted they'd start acting like every other amoral corporation as soon as they had their IPO. Took a year or so to see the effects, but it's here now.

    • by N1AK ( 864906 ) on Wednesday February 23, 2011 @11:53AM (#35290652) Homepage

      My general approach to life is to assume that any and all corporations will screw me over for a buck

      Mine is that any and all corporations are staffed, managed and owned by people. They also make money from people. If all corporations are evil it can only be because groups of people are incapable of being good, or there is an active disadvantage to being 'good'. Of course that's entirely ridiculous, which partially explains it's insightful moderation.

      There are plenty of companies out there that will actively refuse to screw customers over because they believe it for ideological reasons or because they believe it will make them more profitable in the long run. Tarring all companies with the same brush is just as naive and counter-productive as doing the same with people, women, Americans, politicians, Christians etc.

    • Could it be possible that a company is evil even though they say they aren't?? I'm not sure I've ever heard of a company doing or being something other than exactly what their marketing department says...

      And here's the part that people seem to continuously forget: even if by some miracle Google actually is consistently non-evil, there is absolutely no guarantee that they will stay that way.

      At the moment, Google is riding a high wave. It is imaginable that some day they may fall on harder times. What if they

    • There's no point in a company attempting not to be evil, when everyone will assume they're evil anyway. If they do anything that's not evil, then either people will fail to notice it, or if they do notice it, then they'll claim it's a purposeful distraction from how evil they secretly are (thus making them more evil)! Or if they do do something evil, then never mind those earlier publicity stunts, it proves they were evil all along!

      I'm not saying you're necessarily wrong about Google, or that scepticism isn

  • by water-vole ( 1183257 ) on Wednesday February 23, 2011 @10:46AM (#35289958)
    The problem isn't with google for collecting social security numbers. The problem is that SSNs are so sensitive in the US. I live in Sweden and here social security numbers are a matter of public record and many companies collect these numbers from their customers for their databases. It's quite convenient and, if done right, not as privacy infringing as people seem to think. It's quite ridiculous to have, like the US, a system where you can impersonate someone by knowing their number.
    • Re: (Score:3, Interesting)

      by drinkypoo ( 153816 )

      While your points are well-taken, complaining that it's really the government's fault when google collects information which could be harmful to you is like saying that it's really god's fault when someone shoots you to death because he declared that impacts from high-velocity masses shall rearrange your internal organs.

    • by Sockatume ( 732728 ) on Wednesday February 23, 2011 @10:55AM (#35290078)

      I don't know how the US got this meme that knowing your SSN somehow proved your identity. Of course once that meme has developed and companies start using the SSN as a password, people become very protective of their SSNs, and the idea that it's a special number that requires protection becomes self-reinforcing.

      • by arielCo ( 995647 )
        Well, the modern credit card was conceived in the US, and a signature that is checked by an untrained clerk against some ID is all that the merchant has after the transaction. The rest is known history.
      • The problem is that the USA has no ID card like the rest of the world. In the USA that number is a magic key to do whatever you want. If I know your number I can do lots of nasty things over the internet and ruin your life. That's why Identity theft is so easy in America. The rest of the world works like this:

        1) You turn X years old
        2) You give the government your picture, fingerprints, etc, and the government gives you an ID card
        3) You go to the bank to take a loan, and the bank is required to keep a ph

    • by arielCo ( 995647 )
      Same thing in countries that have ID cards. Your ID number is basically your primary key, allowing for unambiguous identification and simple registration in a number of systems, long before computers became commonplace, and you might as well wear it on a t-shirt since it's basically an alias for your full name.
  • by celticryan ( 887773 ) on Wednesday February 23, 2011 @10:50AM (#35290010)
    Making citizenship of the US a requirement for the contest is just stupid. I scanned briefly through their rules posted online - I couldn't really find an answer. Seems to create a lot more work for Google. Unless of course it was all a ruse to get your kids SSN... MUHAHAHHAHAHAAHA!
    • Legal issues pertaining to competitions, basically. You'll find that most contests run by US companies limit entry to residents of the United States and, sometimes, Canada.

      • by Yvan256 ( 722131 )

        And thanks to our over-protective Loto-Quebec government branch, most contests available in the USA and even in Canada aren't available for Quebec residents. Never mind the requirements about bilingual informations and rules, I've heard that they require you to submit something like 10% of the prize to them as a security deposit until the contest is over, that any legal problem has to be ruled in Quebec, etc. That's why it's always "All provinces except Quebec", it's just too much trouble.

  • by hyades1 ( 1149581 ) <hyades1@hotmail.com> on Wednesday February 23, 2011 @10:55AM (#35290082)

    This is genuinely loathsome, and yet more proof that ignorance is no excuse when a parent offers up private informatioÂn about their children.

    Let's be clear: You have no right to give up ANY private informatioÂn about your children without making very, very sure there's a good reason to do so, and that such information will be used within explicit, clearly defined limits. When your children are adults, they'll have to live with decisions you make about them now. That's especially true of informatioÂn that will allow interested parties who DO NOT have your child's best interests at heart to assemble a profile on them and target them every minute of their lives.

  • even contemplating that ssns could be used to identify people uniquely online was stupid from the start. think - its just a number. its not something encrypted or else. its a plain number that is constructed according to a particular algorithm. any half decent person intent on abusing it could eventually discover that algorithm by running tests and trials with crappy software. this goes for all kinds of such number schemes.

    actually, anything that can be read in a digital environment, can easily be faked/
  • by Posting=!Working ( 197779 ) on Wednesday February 23, 2011 @10:57AM (#35290110)

    I'm not much of a conspiracy theorist by disposition, but doesn't "these last 4 digits were not entered into our records and will be safely discarded," sound like a contradiction? (How can they delete something that is not in their records?)

    It's not a contradiction to anyone who can understand the word "discarded" in relation to paper forms does not mean deletion of a file on a computer.

    Also, this article was written 4 days AFTER Google had already changed the form to not have the SSN. This is even mentioned in the article body.

    Yeah, I know it's on Huffington, but that crap doesn't qualify as a news article. Calling it a blog is doing it a favor, calling it a lunatic rant about a problem that's already taken care of would be more accurate.

  • by HeckRuler ( 1369601 ) on Wednesday February 23, 2011 @10:59AM (#35290140)
    I mean, I understand the driving force behind a demographic's distrust of Google. They're a giant corporate information broker that lures people to simply hand over their data by providing free services. In certain distopian future sci-fi novels, that would be a nifty plot.

    But I can literally taste the tin foil on this guy's head. The little nutter gave me synesthesia. I think Its mostly his tone of voice. The way he's simply incredulous about the possibilities, with nothing to show for it.

    1.) I'm not much of a conspiracy theorist by disposition, but...

    Hey, I think I spotted where he became a conspiracy nutcase.

    Are these posts here to show us how evil Google has become to to show us how nutty the "google is evil" crowd has become? Because despite the title, I'm leaning with the latter.

    • But I can literally taste the tin foil on this guy's head.

      This literally killed me, and now I am literally rolling on the floor laughing as I type this, literally dead.

  • by mrjb ( 547783 ) on Wednesday February 23, 2011 @11:00AM (#35290142)
    When they have the 4 last digits of the SSN, they just apply the principle of explosion [xkcd.com] to derive the rest.
  • What kind of a genius must one be to divulge something just because someone asks nicely? It's like social engineering without the 'engineering' part. I routinely give randomly generated [keepass.info] answers to various privacy invading "security" questions on bank sites: it's none of their damn business what is the name of my first girlfriend. On pretty much every non-governmental, non-credit-related form, I always use a made up number when asked for the SSN. They are too lazy to figure out what artificial keys are? I gi

  • This Ars Technica article (linked below) is a good summary on how the first five numbers can be determined. Apparently for persons born after 1988 (note that here we are dealing with a children's art contest, so this will likely be the case), the number can be accurately guessed 44% of the time if you know the date/place of birth. The odds vary by region - some states the first five digits can be guessed 90% of the time. http://arstechnica.com/tech-policy/news/2009/07/social-insecurity-numbers-open-to-hac [arstechnica.com]
  • by sribe ( 304414 ) on Wednesday February 23, 2011 @11:03AM (#35290182)

    Yeah, I read that article last night:

    1) Just because google could use the other info the guess at the first 5 digits of ss #s, and according to some professors somewhere, get almost 10% of them right, certainly does not mean that was what google was going to do. For identity theft, nearly 10% right is great. For any other use, more than 90% wrong is pretty awful.

    2) The author does not seem to realize that full name & birth date are not even close to uniquely identifying children. In fact, even full name, birth date, and city is likely to have a few collisions. When Timmy Jones wins a prize, they might need to know which Timmy Jones.

    SSN was a bad choice, precisely because people should be protective of it; they should have gone with some other info. But last four of SSN is a default used in all sorts of situations, so somebody picked that common bit of info without thinking about it too much. That's all. No grand conspiracy. No attempt, I'm sure, to take last four and derive the other 5.

  • by killfixx ( 148785 ) * on Wednesday February 23, 2011 @11:04AM (#35290186) Journal

    The Huffington Post does not pay the authors of their stories. They are owned by Arianna Huffington, [wikipedia.org] new owner of AOL.



  • by scorp1us ( 235526 ) on Wednesday February 23, 2011 @11:04AM (#35290200) Journal

    792 - 'Password Reuse" [xkcd.com]

    While not a password, this kind of "opportunistic data gathering" adds up. Digital records remain for ever. Next week ask for the first 5.
    Then join them later. But the first 5 aren't needed if you know birth year and region.

    Why can't we make a security token out of an MD5 sum the SSN with trailing garbage text (to prevent a dictionary attack - say a GUID which would identify the use of this security token) and use that? GUID is chosen by the SSN holder, so the host cannot dictionary attack its own participants.

  • by immakiku ( 777365 ) on Wednesday February 23, 2011 @11:08AM (#35290248)
    Was anyone else bothered that the summary and headline didn't read Kids', but instead read Kid's?
  • SSN v6 (Score:2, Funny)

    by Anonymous Coward

    They are running out of SSN's and will now implement v6. It will look something like this; wh47:0th3:f0ck:00is:g01n:00on:0n0w:dud3

  • by AHuxley ( 892839 ) on Wednesday February 23, 2011 @11:09AM (#35290254) Journal
    You would think the post Vietnam generation recalls where data like this can end up in bulk, for profit and in a very uniquely identified way for the US gov.
    http://en.wikipedia.org/wiki/Farrell's_Ice_Cream_Parlour [wikipedia.org]
    But dont worry, Google only has links with the NSA and they only like data outside the USA...
  • by TimHunter ( 174406 ) on Wednesday February 23, 2011 @11:15AM (#35290300)
    The entire article is a ridiculous troll for hits from the newly-popular "anti-Google" crowd.

    [A] person's city of birth and year of birth can be used to make a statistical guess about the first five digits of his/her social security number. Then, if you can somehow obtain those last four SSN digits explicitly -- voila, you've unlocked countless troves of personal information...

    No, you don't have "troves of personal information." That's hyperbole. You've got a statistical guess about the demographics of the children who enter the contest. You simply can't go from a statistical guess+the last 4 digits of the SS number to personal information about a particular individual.

    As a thought experiment though, suppose Google could. Suppose Google could look take "4321" and "Schenectady, NY" and come up with "little 5 year old Jimmy Smith at 1 Second Ave." What are they going to do with this information? Take out a mortgage in his name?

    Finally, now Google has removed the requirement. Poof. The imaginary problem now has even less basis, so let's all stop crying "whaaaa...Google is teh evil" and move on to something important. Fer cryin' out loud, somewhere out there Apple is selling shiny toys to hipsters. THIS MUST BE STOPPED!

    • Agreed. As far as I can tell Googles plan is supposed to go like:

      1) Gather last digits of SSNs from kids who like art, live in US and can get an online form filled in.
      2) Spend a bit of processing power turning the partial SSN into a guess at the full SSN. And dance round laughing like maniacs having stolen almost several thousands of artistic kids SSN's.
      3) ??
      4) Profit!

      Jeez.. looks like they ARE evil then.. I'd just never spotted it before.

      Or maybe they have been hired by a someone who is dyslexic to get the

  • How dare Google organize a contest where mature adults can choose to not enter their children in a contest !!!!!

  • by PSaltyDS ( 467134 ) on Wednesday February 23, 2011 @11:36AM (#35290482) Journal

    It gets my blood pressure up a bit every time I read about "revealing" someone's SSN as having penetrated an inner sanctum. The password-secret treatment of that number needs to be dropped. It's time for legislation in the US that makes it invalid and indefensible in court to treat knowledge of an SSN as an authentication factor. Any organization that treats knowledge of the SSN as an authentication factor should be fully liable for the consequences of any fraud that results.

    Note I'm talking about authentication, not identification. Nobody thinks Google shouldn't be able to identify the contestants, and an SSN is more unique than names. The problem only comes from the ability to use that number as a "password" to authenticate for access to things (like bank accounts). Treating the SSN as a "username" would not cause the problem; it's using it as an authenticating secret despite the fact that it's easily accessible that makes revealing it a terrible security lapse.

    Knowing your SSN should be no more helpful to a fraudster than knowing your full name or hair color. It should be treated as information too readily available to be of any use for authentication. Reliance on that kind of information for authentication should be evidence of failure in due diligence, and lead to liability for that inappropriate reliance. If your bank lets someone take all the money out of your account just because they know your full name they should be liable. If they do just because they knew your SSN it should be treated the same way.

    • I think that too. It should be a matter of public record to prevent fraud.

      BUT there is still the matter of privacy and plausible anonymity. An SSN is a one-to-one match with a person, and will always be treated as such, *even if the match hasn't been verified*.

      In other words, your SSN is subject to misuse even beyond its magical ability to open new credit lines. I might not be able to ruin your credit, but I could still impersonate you on Google Doodles, you see?

      So definitely, lets end the need to keep it a

  • Want (Score:4, Informative)

    by Andy Smith ( 55346 ) on Wednesday February 23, 2011 @11:58AM (#35290692)

    "As part of the entry, they need the last 4 digits of a social security number"

    Want, not need.

Karl's version of Parkinson's Law: Work expands to exceed the time alloted it.