Why Google Wants Your Kid's SSN

Jamie found a somewhat creepy story about a kid's art contest run by Google. As part of the entry, they need the last 4 digits of a social security number. The article suggests that the information requested by the contest should make it possible to guess at, and compile a list of children's social security numbers. It's bizarre and worth your read.

TL;DR Version

[The MAZZTer]

Google's already removed the field from a newer version of the entry form. will not store any collected numbers, and has explained the need for the city of birth (to help prove US citizenship as required by the contest).

Re:TL;DR Version

[Renderer of Evil]

Except that neither city of birth nor SSN are indicators of citizenship / residency.

This reminds me of the wifi data gathering operation where they amassed all this information "by mistake."

Re:

[phunster]

You are wrong, the 14th amendment grants citizenship to those born in the U.S. From the Wikipedia article:

In the case of United States v. Wong Kim Ark, 169 U.S. 649 (1898), the Supreme Court ruled that a person becomes a citizen of the United States at the time of birth, by virtue of the first clause of the 14th Amendment, if that person is:

* Born in the United States
* Has parents that are subjects of a foreign power, but not in any diplomatic or of

Re:TL;DR Version

[Sciros]

Actually, the guy you replied to isn't wrong. City of birth isn't necessarily an indicator of citizenship. My city of birth is Leningrad, USSR (now St Petersburg, Russia). I am a US citizen. Dun dun duuuunnnnn!

Re:

[idontgno]

Good point. My "city of birth" is in a foreign country, but I was born an US citizen. No naturalization required.

I'm inclined to think the geniuses at Google decided to "solve" the "citizenship verification" problem with a borderline-illegal and conclusively-privacy-violating sledgehammer approach, rather than (for instance, as TFA suggested) using a "US citizen?" check box. (Yeah, liars gotta lie, but it's no harder to lie about your city of birth than to lie about the basic question "are you a US citizen?

Re:

[mcvos]

Are you saying it's impossible for a foreigner to become a US citizen? Or for a US citizen to lose his citizenship (by becoming citizen of another country, for example)?

Nothing you've quoted proves that either of these is the case. So city of birth is still not an indicator of citizenship.

Re:TL;DR Version

[digitig]

He's not wrong. Maybe the 14th amendment grants eligibility for citizenship to anybody born in the USA, but that doesn't mean that they necessarily are citizens. They might never take up that citizenship (eg, born to a visiting mother and brought up with her native citizenship) or might give it up when becoming a citizen of another country, especially of one that doesn't permit dual nationality. Place of birth is not a guarantee of citizenship.

grains of sand on a beach

[buback]

look, they have access to every email that gmail users send. If Google want's private information, they have more than enough for any evil thing they want to do. A couple of sniffed WiFi packets, or a couple of SSN's is just a drop in a very, very large bucket.

google can figure it out!

[Thud457]

You know, maybe google should tackle this "unique person identifier" thing once and for all.

errr, did I just say that?! nevermind, bad idea.

Re:

[AmiMoJo]

When taking exams in the UK you are identified by a random number assigned by the exam board. The people marking the exam have no idea who you are to prevent bias or favouritism. It seems like Google should actually be trying to anonymize entries rather than identifying them, with personal data only used after a winner is picked to verify citizenship.

Re:

[xaxa]

When taking exams in the UK you are identified by a random number assigned by the exam board.

Significantly, the exam board have to assign their own number, because British children probably don't have an identifying number when they're entered for the exam. (Not to mention non-British people taking the exams.)

However, unless this system has changed since 2004, the numbers aren't random. My number was 0003, and my surname was third in the list of all children at the school.

Re:

[digitig]

They probably all have (or could get) an NHS number. For overseas candidates the travel document number (typically the passport number) would do the job, which I would guess would be what would be used in lieu of SSN in the USA in those cases where visitors are eligible for something that needs SSN.

Re:

[Kell Bengal]

My number was 0003

I am not a number - I am a free man!

Re:google can figure it out!

[Drethon]

Thanks 711123

Re:

[bberens]

I think all other companies should uniquely identify me by my gmail account.

Re:

[biryokumaru]

Seriously? I can't think of a form I've filled out ever that didn't ask for social security crap on it, and I sure as hell am never going to get anything from the actually social security funds. Full: car insurance, bank, credit reports, credit cards, health insurance, my doctors, my wife's doctors, my son's doctors, the dentist. Last 4: my college, cell phone (Verizon always did... I think T-Mobile does too), cable company, miscellaneous forms at work. I mean, what kind of rock do you live under where you

Re:

[Tanktalus]

I give my Social Insurance Number (Canada) only to people who have to deal with tax-related things concerning me. That is: my employer (only AFTER job offer is accepted), my life insurance company, and my financial advisor (RRSPs, TFSA, and normal investments).

Credit card applications, cell carriers, and the like, simply do not get it. I usually cross out the section to indicate I looked at it and refused to fill it in.

In Canada, we have health care numbers in addition to the SIN, unrelated to the SIN, by

Re:

[biryokumaru]

The insurance company, cable company and phone company all use it as a unique identifier, not to run credit checks. Likewise the doctor needs it to give to the insurance company as a unique identifier.

Re:

[Chaos Incarnate]

That may be true for the cable company, but both the insurance (talking home/auto here, not medical) and cell phone carriers do indeed use it to perform credit checks.

Re:

[biryokumaru]

Which is why every time I call the cell phone company they ask for the last four of my social. Because they're doing a credit check. Right.

Re:

[gknoy]

They're required by law to allow you to use a unique identifier of your choosing instead.

Re:

[Qzukk]

US Medicare issues people ID numbers that consist of their SSN followed by the letter A (sometimes other letters).

Re:

[biryokumaru]

That's cute, but I like my job.

Re:

[realityimpaired]

Maybe he means his handwriting is really atrocious, and they wouldn't have been able to read his submission? I know mine's pretty awful after 20+ years of jiu jitsu and the accompanying arthritis....

Re:

[fredjh]

How does someone saying what city prove anything?

Re:

[mcvos]

How is it a problem? Will Google check and disqualify you? Can they even check? And if they can, why would they even need this contest to gather this data?

Well duh

[ElectricTurtle]

Without even reading the article I know why. SSNs contain demographic data about where and when somebody is born. They are not serial numbers or randomly generated. Anybody with access to the first half of the SSN has demographic data.

Re:Well duh

[Sockatume]

It's the last four digits that they were collecting, as a unique ID.

Re:Unique ID

[TaoPhoenix]

"Limited Info" - implying that no deductions can be made from that info? There's other related articles that current zip code crossed with all that stuff also produces matches, and this time they have the parents' info.

Wait, what? What parents will send their complete info to Google for a kid's art contest?

You can't get that national ID database under the RFID label, so let's do it ... wait for it... for the kids! Google will hand that list over, to make sure no terrorists in training are practicing drawing

Re:

[Sockatume]

The last four digits of a US SSN are allocated in sequence from 0000 to 9999 for a given SSN group. They are exactly and completely uninterpretable and arbitrary.

Re:

[VolciMaster]

The last four digits of a US SSN are allocated in sequence from 0000 to 9999 for a given SSN group. They are exactly and completely uninterpretable and arbitrary.

Note, though, that the method of assigning the initial sets of numbers is slated to change this summer: http://en.wikipedia.org/wiki/Social_security_number#Structure [wikipedia.org]

Re:

[rwa2]

Exactly... the first 5 digits are kinda recoverable from your birth date and location. So if you give them the last 4 numbers, which are the only ones that are really kinda random, then they can pretty much deduce your entire SSN from available public records.

But I don't really understand why I'm supposed to keep my SSN any more protected and secret than, say my employee ID number or my Slashdot UID for that matter. Any bank or government that uses a simple 9 digit number as a S3(R1+ C0D3 to authenticate

Re:

[Byzantine]

Your ideas intrigue me, and I would like to subscribe to your newsletter.

Re:

[hedwards]

Which is why the whole last 4 digits thing is so completely stupid. Those are the only 4 digits in the number which have any degree of randomness applied to them. The rest of it can be figured out with a bit of knowledge about the age and location of birth of the person. There's this view people have that giving up the last four digits is somehow preferable from a security point of view to giving up the whole string, but it's really analogous to giving somebody that ammunition and pistol, but making them ge

Re:

[Original Replica]

Does the SSA have a database matching names and browsing habits? They do now.

Re:

[JustOK]

they must not be expecting less than 10001 entrants.

Re:

[JustOK]

uh, they must be expecting less than 10001 entrants.

Re:

[TheRaven64]

They were probably expecting a lot fewer [wikimedia.org].

Re:

[just_another_sean]

Right, and by also asking for their city of birth they can get the first five digits.

Re:

[VolciMaster]

Right, and by also asking for their city of birth they can get the first five digits.

No, you can't - you can only derive the area number from whence the application was sent, and the group number of that batch: http://en.wikipedia.org/wiki/Social_security_number#Structure [wikipedia.org]

Re:

[SudoGhost]

That's only true to a degree, as the numbers are assigned by zip codes near a given social security office, not by city. If you were given the mailing address of the child (instead of just the city), you could feasibly narrow the numbers down more. I'm not saying you'll be able to get it right even all of the time, but even if you only get it right 30% of the time, that's alot of SSNs.

Re:

[gad_zuki!]

The last four digits don't. Its the first 5 that can be translated into location.

My understanding is that if I knew your place of birth/hometown I could figure out the first five (or work it down to a small set) and just append the last four and have your social.

Storing socials is pretty crazy nowadays. Even Walgreens has stopped doing this. They do what hospitals do use a primary key of Lastname + birthdate, and the verify secondly with address or first name. Its not perfect but your number of collisions

Re:

[ElectricTurtle]

Set size can vary widely. Can you imagine how many SSNs are valid for NYC or LA? Last four digits only provide for 10k-1 blocks, so with NYC at ~6m you would need ~600 different preceding number sets. Not what I would call small.

Re:

[rwa2]

Meh, NYC and LA mostly consist of illegal immigrants / permanent residents anyway. Right? :-P

A lot of the numbers eventually get reused when geezers croak as well... I realize we're not too many generations into it, but seems like that should make things complicated soon.

Re:

[wwwillem]

.... do use a primary key of Lastname + birthdate, and then verify secondly with address or first name ....

Which makes me remember what happened to me ten years ago. "Just of the Boat" :-) in Canada I signed up for my companies healthcare. Got a first dental claim cheque but it had on it the wrong company name. Called the insurance guys and, long story short, there was another guy in Canada with the same last name (which is a weird Dutch one "Van Schatter", not your "Smith" or "Johnson") but also the same b

randomized in two years

[peter303]

It took them long enough. In pre-computer days each ofice would get batch(es) of 10K numbers to give out. The numbering of offices was not random but geographic.

Re:

[rivaldufus]

Not necessarily the state you were born in, but, rather, the state where the SSN application was sent from, at least from 1972 on. More here. Notable:

Since 1972, when SSA began assigning SSNs and issuing cards centrally from Baltimore, the area number assigned has been based on the ZIP code in the mailing address provided on the application for the original Social Security card. The applicant's mailing address does not have to be the same as their place of residence. Thus, the Area Number does not necessarily represent the State of residence of the applicant, either prior to 1972 or since.

They even say (you can choose to believe them or not):

Note: One should not make too much of the "geographical code." It is not meant to be any kind of useable geographical information. The numbering scheme was designed in 1936 (before computers) to make it easier for SSA to store the applications in our files in Baltimore since the files were organized by regions as well as alphabetically. It was really just a bookkeeping device for our own internal use and was never intended to be anything more than that.

Re:

[Foofoobar]

Well oddly enough, the numbers do not always accurately portray the location of birth or where you were issued the number as numbers are some counties cannot use anymore numbers within their allotted region code and have to then rely on nearby region codes to allot numbers. It does give you a general idea however thus allowing one to reduce the number of 'bob jones' to look for within a metropolitan region and within a specific issuing period.

Kids shouldnt even have SSI numbers

[commodore6502]

They aren't working. They aren't earning money, therefore they aren't depositing cash into an SSI account yet. Not until the kid starts working (age 16; 18; whatever) do they need to apply for an SSN.

Re:Kids shouldnt even have SSI numbers

[olsmeister]

They need to have SSN numbers as children so that they may be claimed as tax deductions by their parents.

Re:

[olsmeister]

I think that used to be true, but they've tinkered with things [wikipedia.org].

Re:Kids shouldnt even have SSI numbers

[corbettw]

Same with my parents...in the 70s and 80s. But guess what? I need my kids' SSNs to claim them as dependents now, starting in the late 90s. So your premise that laws never change is flawed, therefore your conclusion that olsmeister's claim is false is flat-out wrong.

Re:

[celticryan]

>>>may be claimed as tax deductions

My parents claimed ME and my two nieces on tax returns, and we didn't get SSNs until we were 16 (i.e. when we started working). So your claim is false.

You're right, because nothing could have possibly changed since were a kid... Take a look at http://www.irs.gov/publications/p17/ch01.html#en_US_2010_publink1000170567 [irs.gov] Specifically:

Dependent's social security number. You must provide the SSN of each dependent you claim, regardless of the dependent's age. This requirement applies to all dependents (not just your children) claimed on your tax return.

Re:Kids shouldnt even have SSI numbers

[jittles]

Then your parents did their taxes incorrectly. I can assure you that shortly after my birth the government required SSNs for all dependents. Such that my parents had to get social security cards for myself, and 4 other siblings at the same time. As a result, our numbers are very close to each other. Further more, had you prepared your own taxes (properly), you would know that the parent is correct.

Re:

[clorkster]

"The Tax Reform Act of 1986 required parents to list Social Security numbers for each dependent over the age of 5 for whom the parent wanted to claim a tax deduction. Before this act, parents claiming tax deductions were on the honor system not to lie about the number of children they supported. During the first year, this anti-fraud change resulted in seven million fewer minor dependents being claimed, nearly all of which are believed to have involved either children that never existed, or tax deductions i

Re:

[MightyYar]

Not until the kid starts working (age 16; 18; whatever) do they need to apply for an SSN.

PLEASE don't fight this... the last thing I need is another government-issued ID number for my whole family. Let the IRS re-use the number given by the SSA. I already have a passport number, a drivers license number, and a social security number for every member of the family.

Re:

[AHuxley]

If SB 222 (2/10/2011) passes in Missouri http://www.senate.mo.gov/11info/BTS_Web/Bill.aspx?BillID=4124271&SessionType=R [mo.gov] with "eliminates the prohibition on employment of children under age fourteen" they will be working.

Re:

[Minwee]

But the sooner they have their number assigned, the sooner it can be tattooed onto their hand and forehead.

Re:

[Anonymous Psychopath]

They aren't working. They aren't earning money, therefore they aren't depositing cash into an SSI account yet. Not until the kid starts working (age 16; 18; whatever) do they need to apply for an SSN.

They need one if you want to set up a 529 education investment account, or if you want to claim the deduction on your tax returns. They also need one for a bank account, and kids should learn about managing money as early as possible.

Re:

[NoSig]

SSN is used as an ID in all kinds of places outside and inside the government. SSN isn't really about social security or taxes. You just call it SSN in the US because you don't like the sound of something like "national unique identification number" which is what it really is.

Motto: "Don't Be Evil"

[jgtg32a]

My general approach to life is to assume that any and all corporations will screw me over for a buck, and all advertisements are 75% distraction from the 20% lies and 5% facts.

I was largely indifferent to Google (I only switched from Yahoo because the page loaded faster), but when I heard that their motto was "don't be evil." I started to think that they most likely are evil, and are simply biding their time.

Re:

[GodfatherofSoul]

They *were* the good guys. It started when they went public. I predicted they'd start acting like every other amoral corporation as soon as they had their IPO. Took a year or so to see the effects, but it's here now.

Re:Motto: "Don't Be Evil"

[N1AK]

My general approach to life is to assume that any and all corporations will screw me over for a buck

Mine is that any and all corporations are staffed, managed and owned by people. They also make money from people. If all corporations are evil it can only be because groups of people are incapable of being good, or there is an active disadvantage to being 'good'. Of course that's entirely ridiculous, which partially explains it's insightful moderation.

There are plenty of companies out there that will actively refuse to screw customers over because they believe it for ideological reasons or because they believe it will make them more profitable in the long run. Tarring all companies with the same brush is just as naive and counter-productive as doing the same with people, women, Americans, politicians, Christians etc.

Re:

[Toe, The]

Could it be possible that a company is evil even though they say they aren't?? I'm not sure I've ever heard of a company doing or being something other than exactly what their marketing department says...

And here's the part that people seem to continuously forget: even if by some miracle Google actually is consistently non-evil, there is absolutely no guarantee that they will stay that way.

At the moment, Google is riding a high wave. It is imaginable that some day they may fall on harder times. What if they

Re:

[TheVelvetFlamebait]

There's no point in a company attempting not to be evil, when everyone will assume they're evil anyway. If they do anything that's not evil, then either people will fail to notice it, or if they do notice it, then they'll claim it's a purposeful distraction from how evil they secretly are (thus making them more evil)! Or if they do do something evil, then never mind those earlier publicity stunts, it proves they were evil all along!

I'm not saying you're necessarily wrong about Google, or that scepticism isn

It's ridiculous that SSNs should be sensitive info

[water-vole]

The problem isn't with google for collecting social security numbers. The problem is that SSNs are so sensitive in the US. I live in Sweden and here social security numbers are a matter of public record and many companies collect these numbers from their customers for their databases. It's quite convenient and, if done right, not as privacy infringing as people seem to think. It's quite ridiculous to have, like the US, a system where you can impersonate someone by knowing their number.

Re:

[drinkypoo]

While your points are well-taken, complaining that it's really the government's fault when google collects information which could be harmful to you is like saying that it's really god's fault when someone shoots you to death because he declared that impacts from high-velocity masses shall rearrange your internal organs.

Re:It's ridiculous that SSNs should be sensitive i

[Sockatume]

I don't know how the US got this meme that knowing your SSN somehow proved your identity. Of course once that meme has developed and companies start using the SSN as a password, people become very protective of their SSNs, and the idea that it's a special number that requires protection becomes self-reinforcing.

Re:

[arielCo]

Well, the modern credit card was conceived in the US, and a signature that is checked by an untrained clerk against some ID is all that the merchant has after the transaction. The rest is known history.

Re:

[aBaldrich]

The problem is that the USA has no ID card like the rest of the world. In the USA that number is a magic key to do whatever you want. If I know your number I can do lots of nasty things over the internet and ruin your life. That's why Identity theft is so easy in America. The rest of the world works like this:

1) You turn X years old
2) You give the government your picture, fingerprints, etc, and the government gives you an ID card
3) You go to the bank to take a loan, and the bank is required to keep a ph

Re:

[arielCo]

Same thing in countries that have ID cards. Your ID number is basically your primary key, allowing for unambiguous identification and simple registration in a number of systems, long before computers became commonplace, and you might as well wear it on a t-shirt since it's basically an alias for your full name.

Re:

[arielCo]

Not everybody has the same views regarding privacy. I for one don't mind being photographed in public, and where I live everybody has their 10 fingerprints taken when they get their first ID card; the common view is that knowing that you've been somewhere is no big deal.

Why do they have to be citizens?

[celticryan]

Making citizenship of the US a requirement for the contest is just stupid. I scanned briefly through their rules posted online - I couldn't really find an answer. Seems to create a lot more work for Google. Unless of course it was all a ruse to get your kids SSN... MUHAHAHHAHAHAAHA!

Re:

[Sockatume]

Legal issues pertaining to competitions, basically. You'll find that most contests run by US companies limit entry to residents of the United States and, sometimes, Canada.

Re:

[Yvan256]

And thanks to our over-protective Loto-Quebec government branch, most contests available in the USA and even in Canada aren't available for Quebec residents. Never mind the requirements about bilingual informations and rules, I've heard that they require you to submit something like 10% of the prize to them as a security deposit until the contest is over, that any legal problem has to be ruled in Quebec, etc. That's why it's always "All provinces except Quebec", it's just too much trouble.

Ignorance is NOT bliss

[hyades1]

This is genuinely loathsome, and yet more proof that ignorance is no excuse when a parent offers up private informatioÂn about their children.

Let's be clear: You have no right to give up ANY private informatioÂn about your children without making very, very sure there's a good reason to do so, and that such information will be used within explicit, clearly defined limits. When your children are adults, they'll have to live with decisions you make about them now. That's especially true of informatioÂn that will allow interested parties who DO NOT have your child's best interests at heart to assemble a profile on them and target them every minute of their lives.

SSN is stupid anyway.

[unity100]

even contemplating that ssns could be used to identify people uniquely online was stupid from the start. think - its just a number. its not something encrypted or else. its a plain number that is constructed according to a particular algorithm. any half decent person intent on abusing it could eventually discover that algorithm by running tests and trials with crappy software. this goes for all kinds of such number schemes.

actually, anything that can be read in a digital environment, can easily be faked/

Another conspiracy blog on Slashdot

[Posting=!Working]

I'm not much of a conspiracy theorist by disposition, but doesn't "these last 4 digits were not entered into our records and will be safely discarded," sound like a contradiction? (How can they delete something that is not in their records?)

It's not a contradiction to anyone who can understand the word "discarded" in relation to paper forms does not mean deletion of a file on a computer.

Also, this article was written 4 days AFTER Google had already changed the form to not have the SSN. This is even mentioned in the article body.

Yeah, I know it's on Huffington, but that crap doesn't qualify as a news article. Calling it a blog is doing it a favor, calling it a lunatic rant about a problem that's already taken care of would be more accurate.

Wow, this guy is over the top.

[HeckRuler]

I mean, I understand the driving force behind a demographic's distrust of Google. They're a giant corporate information broker that lures people to simply hand over their data by providing free services. In certain distopian future sci-fi novels, that would be a nifty plot.

But I can literally taste the tin foil on this guy's head. The little nutter gave me synesthesia. I think Its mostly his tone of voice. The way he's simply incredulous about the possibilities, with nothing to show for it.

1.) I'm not much of a conspiracy theorist by disposition, but...

Hey, I think I spotted where he became a conspiracy nutcase.

Are these posts here to show us how evil Google has become to to show us how nutty the "google is evil" crowd has become? Because despite the title, I'm leaning with the latter.

Re:

[drinkypoo]

But I can literally taste the tin foil on this guy's head.

This literally killed me, and now I am literally rolling on the floor laughing as I type this, literally dead.

Re:

[HeckRuler]

Yeah, that's probably due to the sheer audacity of what they're suggesting. Like those people that suggest that the moonlanding was faked. So many people would have to be "in on it", and so much effort put into the conspiracy that it's ludicrous. And it's easier to simply respond "you're a nutcase" rather then do the research to see who all was involved in NASA's glory years, dig into history, and learn a thing or two.

But after you do all that, the net result is the same: the moon-landing conspiracy peopl

Of course! The principle of explosion

[mrjb]

When they have the 4 last digits of the SSN, they just apply the principle of explosion [xkcd.com] to derive the rest.

Sheeple parents

[tibit]

What kind of a genius must one be to divulge something just because someone asks nicely? It's like social engineering without the 'engineering' part. I routinely give randomly generated [keepass.info] answers to various privacy invading "security" questions on bank sites: it's none of their damn business what is the name of my first girlfriend. On pretty much every non-governmental, non-credit-related form, I always use a made up number when asked for the SSN. They are too lazy to figure out what artificial keys are? I gi

Statistical Significance

[Nailer235]

This Ars Technica article (linked below) is a good summary on how the first five numbers can be determined. Apparently for persons born after 1988 (note that here we are dealing with a children's art contest, so this will likely be the case), the number can be accurately guessed 44% of the time if you know the date/place of birth. The odds vary by region - some states the first five digits can be guessed 90% of the time. http://arstechnica.com/tech-policy/news/2009/07/social-insecurity-numbers-open-to-hac [arstechnica.com]

tin-foil hat paranoia

[sribe]

Yeah, I read that article last night:

1) Just because google could use the other info the guess at the first 5 digits of ss #s, and according to some professors somewhere, get almost 10% of them right, certainly does not mean that was what google was going to do. For identity theft, nearly 10% right is great. For any other use, more than 90% wrong is pretty awful.

2) The author does not seem to realize that full name & birth date are not even close to uniquely identifying children. In fact, even full name, birth date, and city is likely to have a few collisions. When Timmy Jones wins a prize, they might need to know which Timmy Jones.

SSN was a bad choice, precisely because people should be protective of it; they should have gone with some other info. But last four of SSN is a default used in all sorts of situations, so somebody picked that common bit of info without thinking about it too much. That's all. No grand conspiracy. No attempt, I'm sure, to take last four and derive the other 5.

Do Not Read TFA - Huffington Post

[killfixx]

The Huffington Post does not pay the authors of their stories. They are owned by Arianna Huffington, [wikipedia.org] new owner of AOL.

Evil...

Done...

Obligatory XKCD

[scorp1us]

792 - 'Password Reuse" [xkcd.com]

While not a password, this kind of "opportunistic data gathering" adds up. Digital records remain for ever. Next week ask for the first 5.
Then join them later. But the first 5 aren't needed if you know birth year and region.

Why can't we make a security token out of an MD5 sum the SSN with trailing garbage text (to prevent a dictionary attack - say a GUID which would identify the use of this security token) and use that? GUID is chosen by the SSN holder, so the host cannot dictionary attack its own participants.

Kids'

[immakiku]

Was anyone else bothered that the summary and headline didn't read Kids', but instead read Kid's?

SSN v6

[Anonymous Coward]

They are running out of SSN's and will now implement v6. It will look something like this; wh47:0th3:f0ck:00is:g01n:00on:0n0w:dud3

Selective Service for the next generation

[AHuxley]

You would think the post Vietnam generation recalls where data like this can end up in bulk, for profit and in a very uniquely identified way for the US gov.
http://en.wikipedia.org/wiki/Farrell's_Ice_Cream_Parlour [wikipedia.org]
But dont worry, Google only has links with the NSA and they only like data outside the USA...

Trolling article is trolling.

[TimHunter]

The entire article is a ridiculous troll for hits from the newly-popular "anti-Google" crowd.

[A] person's city of birth and year of birth can be used to make a statistical guess about the first five digits of his/her social security number. Then, if you can somehow obtain those last four SSN digits explicitly -- voila, you've unlocked countless troves of personal information...

No, you don't have "troves of personal information." That's hyperbole. You've got a statistical guess about the demographics of the children who enter the contest. You simply can't go from a statistical guess+the last 4 digits of the SS number to personal information about a particular individual.

As a thought experiment though, suppose Google could. Suppose Google could look take "4321" and "Schenectady, NY" and come up with "little 5 year old Jimmy Smith at 1 Second Ave." What are they going to do with this information? Take out a mortgage in his name?

Finally, now Google has removed the requirement. Poof. The imaginary problem now has even less basis, so let's all stop crying "whaaaa...Google is teh evil" and move on to something important. Fer cryin' out loud, somewhere out there Apple is selling shiny toys to hipsters. THIS MUST BE STOPPED!

Re:

[EasyTarget]

Agreed. As far as I can tell Googles plan is supposed to go like:

1) Gather last digits of SSNs from kids who like art, live in US and can get an online form filled in.
2) Spend a bit of processing power turning the partial SSN into a guess at the full SSN. And dance round laughing like maniacs having stolen almost several thousands of artistic kids SSN's.
3) ??
4) Profit!

Jeez.. looks like they ARE evil then.. I'd just never spotted it before.

Or maybe they have been hired by a someone who is dyslexic to get the

how dare Google

[doperative]

How dare Google organize a contest where mature adults can choose to not enter their children in a contest !!!!!

Why treat SSN as a secret authentication factor?

[PSaltyDS]

It gets my blood pressure up a bit every time I read about "revealing" someone's SSN as having penetrated an inner sanctum. The password-secret treatment of that number needs to be dropped. It's time for legislation in the US that makes it invalid and indefensible in court to treat knowledge of an SSN as an authentication factor. Any organization that treats knowledge of the SSN as an authentication factor should be fully liable for the consequences of any fraud that results.

Note I'm talking about authentication, not identification. Nobody thinks Google shouldn't be able to identify the contestants, and an SSN is more unique than names. The problem only comes from the ability to use that number as a "password" to authenticate for access to things (like bank accounts). Treating the SSN as a "username" would not cause the problem; it's using it as an authenticating secret despite the fact that it's easily accessible that makes revealing it a terrible security lapse.

Knowing your SSN should be no more helpful to a fraudster than knowing your full name or hair color. It should be treated as information too readily available to be of any use for authentication. Reliance on that kind of information for authentication should be evidence of failure in due diligence, and lead to liability for that inappropriate reliance. If your bank lets someone take all the money out of your account just because they know your full name they should be liable. If they do just because they knew your SSN it should be treated the same way.

Re:

[psydeshow]

I think that too. It should be a matter of public record to prevent fraud.

BUT there is still the matter of privacy and plausible anonymity. An SSN is a one-to-one match with a person, and will always be treated as such, *even if the match hasn't been verified*.

In other words, your SSN is subject to misuse even beyond its magical ability to open new credit lines. I might not be able to ruin your credit, but I could still impersonate you on Google Doodles, you see?

So definitely, lets end the need to keep it a

Want

[Andy Smith]

"As part of the entry, they need the last 4 digits of a social security number"

Want, not need.

Re:Oh No!

[boarder8925]

And yet the government, banks, corporations, etc. all require you to provide it because they assume it to be secure. Or rather, because they convince us SSNs are secure, all while knowing they're not.

Re:Do no Evil

[Anonymous Coward]

Some mid-level employee came up with a clever but ultimately bad way of distinguishing applications. Conspiracy theory: ignored.

Re:

[c0d3g33k]

The amusing thing is, those pictures are probably all drawn by *his* kids, since I doubt he can just walk into a school and get artwork from other children to post to the web just to trash them in public. That's some quality parenting, for sure.

(Could be from friends or relatives, I suppose, but still ...)

Re:

[drinkypoo]

I disagree, I think we need UUIDs assigned at birth, and I think that simply possessing a copy of my UUID and my address info should be insufficient for actually getting credit. I think credit applications should have to be notarized. That would put a quick stop to all this credit application phishing spam.