How To Stop Businesses Storing SSNs Indefinitely?
The Angry Mick writes "My wife and I recently moved, and during the course of providing change-of-address information to the many companies we do business with, I asked each if they were storing a full Social Security number in their databases, and if so, could they remove it or replace it with an alternate identifier. Neither the experience nor the results were particularly enjoyable. On the positive end of the spectrum, some companies were more than willing to make a change, even offering suggestions for a suitable alternate such as a driver's license number. In the middle were companies that made things a little more difficult, requiring several steps up the management tree before speaking to someone with some actual authority to address the issue. Then there was DirectTV. This company not only flatly refused to consider the suggestion, but also informed me that even if I were to discontinue service with them, they still intended to keep my full SSN on file indefinitely. There is no logical reason for them to do this, and I'm not keen on the idea of being left vulnerable to identity theft should they experience any security breaches at any future point in my life. So, my questions to the Slashdot community are: Has anyone else tried getting your SSN replaced or removed in corporate databases, and what were your experiences? And short of Armageddon, is there any way to force a company to erase your SSNs after you cease doing business with them, or is this a job for a lawyer or regulatory body?"
Some (financial) Point Of Sale software I designed uses SSNs to tell the difference between customers with identical names. If I change the SSN... it thinks you're a new customer. Well... this is something to think about.
"Sorrow is better than laughter, for by sadness of face the heart is made glad." [Ecclesiastes 7:3]
DirecTV. I cannot stand them and am getting ready to pull the plug on their service. Somehow their attitude doesn't surprise me.
Move to Canada.
Lately it seems everyone wants to know my SSN: my dentist, my grocery store, my heating fuel supplier, the guy who changes my oil, etc. When credit checks are required, I ask them to try running it without the SSN (just address data) and often they will try. Other times, they are simply using the SSN as a convenient identifier for customers -- !!!! -- so I politely suggest a different number, or insist on only giving 3-4 digits of it. Thankfully my health insurance company will generate an internal ID# for you, if you request it, so that your SSN is not printed on your insurance card and therefore stored at your physician's office.
Other than to the government, and to organizations directly attached to my banking needs, what's wrong with giving a different number in place of the SSN? As long as you can remember it, that is. Would that be considered some kind of fraud?
Liberal? Conservative? Compare perspectives at Left-Right
The IRS could send out a new number after they process your tax information. Since its only "real" long-term purpose is for social security and taxes, right?
You can have your god back when you are old enough to handle the responsibility.
I give fake SSN's to everybody except banks and employers. Have been for years. No problems.
You can also say (with a funny accent...maybe Canadian, eh) that you're not a citizen and you don't have a SSN
So, you could call them up and threaten them with prosecution under the aforementioned acts which--given the right tone of voice--should do the trick for you. Or, if you read the GAO report, they say:
In 1998, Congress made identity theft a federal crime when it enacted the Identity Theft and Assumption Deterrence Act (Identity Theft Act).5 The act made it a criminal offense for a person to "knowingly transfer, possess, or use without lawful authority," another person's means of identification "with the intent to commit, or to aid or abet, or in connection with, any unlawful activity that constitutes a violation of federal law, or that constitutes a felony under any applicable state or local law." Under the act, a name or SSN is considered a "means of identification," and a number of cases have been prosecuted under this law.
Now, with that, I would seek a lawyer who would take this case (maybe even some high profile lawyer or a member of the EFF) and clearly outline the above in a written letter with your signature informing them that they are in violation of the "Identity Theft and Assumption Deterrence Act (Identity Theft Act)" and if they do not remove your Social Security Numbers, you will take legal action. If your case is solid enough, you might be able to really stick it to DirectTV for storing personal private data "without lawful authority" as they do not have the written consent of every customer.
My work here is dung.
Why did you have to give it in the first place?
This might be a US thing I guess but here in Canada only your boss and the companies you required financing with are required to have it. I can't think of opening an internet account that requires a SSN....
P.I.P.E.D.A.
Canadian regulation that in short says any business has to divulge any personal information of yours that they are storing, and allow you to change or remove it. It may be with a simple web-site form, it may be with a written letter, but that's the law.
Information wants to be free.
A house divided against itself cannot stand.
It's not like your SSN is top-secret these days anyway.
Your SSN has expired, please choose a new one.
Old SSN: __________________
New SSN: __________________
Retype new SSN (tip: copy from above): __________________
Swedish plasma phys. PhD student; MSc EE; knows maths, programming, electronics; finance interest; seeks opportunities
I realize that this is of no help now, but this could have been avoided by simply not giving your SSN to people and companies that don't need it. I have found that when someone asks for my SSN, I can simply say that they can't have it with only minimal problems. Sometimes it means that I have to pay some sort of deposit because they can't do a credit check, but that is certainly worth my peace of mind.
What is needed is a form of ID that is acceptable nationwide, is not replicable, and can be used in business and official situations. Many times a National ID card has been proposed only to be shot down by luddites and paranoid conservatives who feel any identification system is somehow related to the Mark of the Beast. Hopefully the latest rising tide of anti-conservatism will wash away these people.
If you want to see what happens when heuristic identification is used in lieu of formal identification, just consider the No-Fly list which only identifies prohibited flyers by name. This system is a complete mess with people who have similar names to terrorists now needing to pass through extra layers of security and hassle for nothing more than having the wrong name.
The SSN is only a problem because it is also your TIN. Other than that, it would be an ideal identifier. What we need is not more laws preventing the use of certain identifying numbers, but a better system of identification that doesn't expose one to fraud. A National ID card would be extremely helpful in this regard.
Send them a certified/return receipt letter asking them to remove your SSN from all their records/databases. If they do not comply, and it is later determined that their keeping your SSN caused undue hardship on your life (i.e., it was stolen, "accidentally" disclosed, whatever), sue the @#$% out of 'em.
As someone currently working on a database that contains SSNs, I can tell you I couldn't get rid of every instance of yours if I tried. The entire architecture is based around not losing your data no matter how stupid I am. It's a nice thought, but the reality is that you're only increasing the number of people looking at your SSN by trying to get rid of it.
Read This, I hope it helps!
http://www.privacyrights.org/fs/fs10a-SSNFAQ.htm
Is there no data protection legislation in the US? In most countries in Europe, businesses are not allowed to retain data unless they can demonstrate a purpose for them. And if you have discontinued business with them, they certainly have no purpose for it (ulterior purposes not to do with the provision of services to you do not count).
The Social Security Administration doesn't accept paranoia as a criterion for granting a new card, but it recognizes cultural objections and religious pleas. One stratagem: Contend that your credit has been irrevocably damaged by a number-related snafu, or that you live in fear of a stalker who knows your digits. Once you switch your SSN, never use it. Instead, dole out 078-05-1120, an Eisenhower-era card that works 99 percent of the time.
If it's a non-financial account, next time just make up some number. To catch it, they'd probably have to try to do a credit check, which they need your permission for.
They HAVE to remove your social security number when you ask and they CAN replace it with an alternative identifier equal to the string of characters such as all 0's. Businesses not doing business with you do not have the RIGHT to keep your information on file unless for tax purposes which they would need to fully disclose to you in some form which you would sign an acknowledgment for. What a crock they are feeding you. What state is this again?
this requirement so the individual can protect their ID. Companies can go bankrupt from lawsuits regarding ID theft.
The EU's Data Protection and privacy regulations are remarkably sane on this -- companies are only allowed to store personal information on people for as long as it's needed, and it must be kept up-to-date and consistent. Users also have the rights to see what sorts of information are held about them by corporate identities, and have the power to get this information removed or changed.
Then don't provide it.
Sincerely,
AC
There is no reason for a POS to have SSN. There are many other methods to get uniqueness.
When companies ask for it, I request for what use do they have for it. I have left hospitals for requesting the information, for they have no need for the information.
But to ask a person doing a POS transaction for their SSN is just plain broken.
It's an unfortunate fact that companies will gather sensitive and personally identifying information about their customers and then keep that data long after their business with that customer has ended. Short of regulation, I don't think that this practice will ever stop. As far as your SSN is concerned, it is just another data point in a company's records. It's as identifying as a name and address, a driver's license, or a cell phone number. I don't think that the question should be limited to this supposedly sacrosanct 9-digit number.
I would prefer if we could force a company to remove all of our data from their records once we are no longer their customer, but I don't think I like the unintended consequences that would bring. Maybe the company could be liable for damages caused by these records leaking out to identity thieves. Then again, that would require proof that a) a leak occurred, and b) an identity thief used data from that leak to your detriment. Odds are if you could prove point "a", and you were a victim of identity theft shortly afterward, point "b" would naturally follow (yeah, correlation v. causation and all that, but barring evidence to the contrary it is a reasonable conclusion). Then again, we never should have gotten into the position where a few data points are all that you need to spoof somebody's identity. Maybe the question should be, "what kind of identifying and authenticating data could be used that would be unfeasible to store indefinitely". Unfortunately, that is one of many questions to which I don't have an answer.
go to the Social Security office and turn in my SSN card and say "here, take this back, I want out!, delete me from your database."
Politics is Treachery, Religion is Brainwashing
I had their collection agency call me earlier this year asking if I really was the person who ordered service in my name in a house on the other side of town and failed to pay the bill for three months. No, it was an SSN thief who took out service in my name, using my fine credit rating. It turns out that DirecTV doesn't check your bona fides such as your address - they only run a credit check on the name and SSN you provide, without verifying that you belong to either that name or SSN!
The determined Real Programmer can write Fortran programs in any language.
SSNs are not secrets. They are not authentication credentials.
Storing (or even leaking) SSNs is not the problem. The problem is when certain negligent organizations use knowledge of SSNs as some sort of proof of identity. If you're worried about your SSN being misused, talk to those companies.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
During my most recent trip to the midwest, I ended up flying DELTA, although I had purchased Northwest tickets initially. Now, I'm waiting for one of my flights from Charlotte NC to Chicago IL. I am accosted by one of the DELTA "SkyTeam" who is trying (heroically) to sell me on their SkyMiles, and get me enrolled.
So, I take a look at the enrollment form, and not surprisingly, it has SSN as a required field. I ask this guy (he couldn't have been more than 22 years old) why on earth he wants my SSN so I can be allowed to accumulate Sky Miles.
He became quite offended I was challenging him on the necessity of this SSN, and retorted "What's the matter? Don't you trust me? We have a safe right here on site." I asked who stores the number, where it is stored, how many 3rd parties get to have it in the process, whether it is encrypted, and these types of questions. He basically thought I was off my rocker. Last time I fly DELTA.
What possessed you to give your SSN to DirectTV?
What possible reason could they have to require that information in the first place, and why would you deal with a business that required it?
Some people have a way with words, and some people, um, thingy.
Seriously, the first thing that came to my mind is extreme paranoia. Time to buy stock in tin foil!
No.
Keep that in mind whenever a company asks for your SSN.
I've been rejected for phone service because I refused to provide it. But most of the time I just leave it blank on the application form, and most of the time nobody bats an eye. If you're applying online and it's a required field on the form, try applying by phone instead.
[Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
1. I wrote to the company, explained that our relationship had ended, quoted the data protection act and asked them to wipe all data held about me using a qualified database administrator.
We don't call them SSN here though. They are called NI numbers.
This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
We are all hopeless, in case you nice people haven't noticed. In a sort of Skynet-like proceeding nothing and no-one can stop all private information of everybody to be open to anybody, good or bad, public or private, rich or poor. And this goes about SSN, all medical records, bank records, work career records, study career, who are our friends and enemies ever been, travel records, any word ever said on a chat, any comment ever inserted on a website, any email ever received or sent. It's the revenge of the Net, it's the high price to pay in the digital era. We wanted an open space free and without rules? Fine, then we must stay there all naked.
Considered that, the attempt of have a SSN deleted from company's records appears to me, however sweet, pathetical nonsense. You all know that even if they are so kind to ever talk to us, those thousand-customers corporations hiding behind their lawyers, their back-ends (and I have it over the vast majority of companies with more than 100 clients) have ended up to be such a complicated and frustrating mess made of different technologies that they will hardly know how to delete a record, assuming that's even technically possible.
My conclusion is: the company who said they won't delete it, has just been the more honest.
Now stop whoever is ready with the usual "we have nothing to hide" speech. Me not, too. But if you have a minimum technical knowledge of reality you can easily imagine in how many zillions of terrible ways may some perfectly 'nothing to hide' piece of personal information be abused against you.
Going to live in a cave without electricity should be an option. Time travel back to the 70's also good. For the rest: resistance is futile.
Copyright your SSN and sue them to the ground.
Actually, not true.
The Social Security Administration tells you to not give it out and find another company to do business with.
DMV is required by State and supported by Federal law to gather SSN, just like the courts, to help find "dead beat dads" via the SSN.
...throw-away one-time IDs. As long as they *can*, they *will* store something as long as they can.
But those IDs would be useless afterwards.
Unfortunately you can't fabricate them as easily as e-mail addresses. (I said *you*. I can. ;)
Any sufficiently advanced intelligence is indistinguishable from stupidity.
You could inform them they are now on notice you are concerned about the security of your identity due to information they hold and they refused to listen and act. If so, then they assume all liability of identity theft if such a breach of their records occurs and you will also apply punitive damages as well. Then tell them they can erase their potential liability if they just comply with your request.
I used to work at DirectTV and I have a friend who still works at DirectTV as a manager in their local call center in Idaho. I completely agree with you that they should not have your SSN and it's a potential security hole. What they are trying to do is behave like a bank. Your bank and creditors probably have your SSN and wouldn't delete it from their system even if you threatened them. What they do is run a credit check on you when you get their service, just like a bank would. That's what prompts them to either charge you 500$ to activate the service or 200$ with an annual contract. If you don't have a SSN or other identification you're stuck with a 500$ charge and they will most likely slip an annual contract with your account too at some point. If you default on the contract in some way or don't pay your bill they can even report that to the credit agencies as well. They also use it to track down people stealing services because all those unique ID numbers on your equipment are then married to your SSN. In their minds this allows them to find the "real" you if you're into trying to hack their equipment to get free DTV or sell it to others. If you cancel they still want to be able to track this just in case you're that kind of person. It's the ultimate big brother is watching you, but what do you expect from a company that is owned by Rupert Murdoch aka News Corp aka Fox News.
The government should issue a new social security number via a website on demand to any citizen that requests one. The government would always have your current number on file to use for its purposes, and anyone else would be left with an invalid number. The value of social security number for nefarious purposes would decrease. Of course government records of all previous ssns would be kept, so that for instance a loan that you took out two years ago could still be traced to you if need be, but if someone claimed that you took a loan out under that SSN a week ago, when you changed your SSN a year ago to something else would be denied the ability to fsck up your credit.
...
Don't do that! Tin foil is actually aluminum foil, which is produced by Alcoa. Alcoa is a front for the New World Order and they treat the metal in such a way to actually increase signal propagation from your brain. The only real solution to government mind control or reading is to boil your head in distilled or rain water. 30 seconds at 100C should be enough.
Dish Network and DirecTV keep your SSN as previously mentioned to ensure that you do not owe them money from a previous account and so you can never again qualify for new user treatment (free equipment, programming packages and installation), the sock sucking bastiges. As for identity theft, unless you conduct all business by trading beans in a 3rd world country, at this point it seems to be a matter of when, not if.
Sorry charlie, it is NOT AGAINST any FEDERAL law to STORE your SSN, or use it for INTERNAL PURPOSES.
What is ILLEGAL is the DISCLOSURE of the SSN to third parties.
As someone who avoids giving SSN to every company that wants it, here are a few tips on how to avoid giving your SSN:
1. Work with the business. Sometimes, there is a valid reason why they'd want a Social Security number (tax purposes, credit check, etc). Sometimes there's just the need for a unique identifier. And sometimes they just collect it because someone thought it'd be a good idea. If you ask (politely) why they need it, sometimes the rep you are talking to will say that they really don't and that they are just required to ask. But even if there's a valid reason, there are sometimes ways around it.
2. Many companies want to do a credit check on you. This can be a reasonable request for someone you want to open an account with (phone company, cable company, etc) since they are offering you a line of credit. They want some assurance that you will pay them. However, they will also accept an escrow payment in lieu of SSN if you ask. Yes, you have to tie up some money in escrow, but if you're concerned about your SSN this is a viable alternative that I've used several times in the past. Some companies will also accept a credit card number on file, though this is less secure since you could just close the credit card account.
3. There are some cases where the company has no business doing a credit check. If I'm ordering some non-recurring service (fuel tank refill), then I simply tell them that I do not want SSN in their databases, but that I will meet the driver with a check, or give them a credit card to put on file that they can use in the case of non-payment. With most of these services, they happen at my home, so the vendor knows where I live if there is a dispute - they rarely insist on it.
4. If a business absolutely insists on SSN, I give them one last opportunity then hang up and call a competitor. You'll generally find someone who wants to do business with you. If you really want to do business with a particular company, call them back and tell them that their competitor is willing to play ball. Giving them one final chance to get your business generally works.
5. Finally, for those cases where you have to give it up, consider the circumstances under which you give out the SSN. If you end up needing to give someone an SSN, consider a few details. Are you on an unencrypted (most are, even the digital ones) cordless phone? Might want to switch over to a wired phone, or ask if they have a secure website you can enter the information. Also, never EVER give out your SSN to someone who has called YOU.
As far as removing it, some companies will resist it, because they want to retain your information forever. If your business relationship with the company has ended, it's generally worth sending them a registered letter requesting that the database information be removed, and requesting a response when this has been accomplished or a valid technical reason why it cannot. If you get a reason that sounds bogus, pay a lawyer a few bucks to sign the same letter and re-send it with some legalese about record retention and privacy liabilities at the end. Some companies will just have someone purge the data out to make it go away. Some will say "yeah, we deleted it" and not, but you've at least tried (and you might want to call back and ask about your account a few weeks later, then have your lawyer send a somewhat sterner letter the next time).
"This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
As others posted here, it is virtually impossible to buy certain products like cell phones, or cable TV service without giving SSN. Much more surprising was having to give SSN for garbage collection service and even to submit my resume for a job a few years ago.
Talking with various people involved in these interactions was a real eye opener. Most of them said their IT system would not allow them to go forward without SSN, as these systems use SSN as a unique key. So you have to thank these IT system designers for their lack of imagination to come up with a random key, at least for a major part of the problem.
I don't know how many times I've had "that SSN discussion" within our organization. Just the other day someone working with our HR department asked if our team really needed the SSN. I just laughed out loud and dropped a few high level names that were involved with these discussions over ten years ago.
SSN is a great identifier, as nearly everyone we deal with has one. It's a horrible password, though, and any organization that uses it as such should be held liable for any of the consequences that causes.
I'm responsible for tying in a wide variety of systems together and often SSN is the only common link. We actually do generate an internal ID for people, but no one knows what it is and it can theoretically change if an error occurs, unlike SSN which is far more reliable.
I read a comment that the problem is not the number but it being used for authentication credentials.
How true. The answer is still simple, requiring even less will - the government should publicise all social security numbers in a freely available database. Then they become completely worthless as authentication credentials, and the practice will cease.
...
...this is basic privacy law.
they must change their info when you ask them, and must delete you if you ask them to.
It would be nice, like a compromised credit card, to get a new one (ssn) and start from scratch with that one, but keeping a point of reference to the old one. We are in the 21st century, most people have these systems in place, it would be nice for once if the government could keep up!
Identity theft is a big problem, and I see no action on the government's part to do something about it. Sure they improve on the legal tender, and the drivers license and passports, but otherwise, everything else is not important enough to them. They should man up, and add some sort of security level to help people with identity fraud to get new papers, and render the old ssn useless
(except to link up to as a foreign key for the new one to keep an eye on previous gov. info)
They keep them on file because the laws ALLOW IT.
The other reason is if you try to sign up for services again even 10 years later they won't allow you any NEW CUSTOMER special offers. I've found this out the hard way. Which is also why I refuse to ever go back to them. I'm not paying a higher price than the guy next door just because I did business with them TEN YEARS AGO.
I always turn it right around on them instantly whenever some merchant wants my number. I got nailed years ago with ID theft, which really sucks and takes a long time to fix, so I came up with something that has been working for me.
I mention getting nailed previously, etc., then ask to see their indemnification policy on security breaches, in writing, so everything is "legal and proper".
You get the *really* blank stare then, because about zero of these companies have anything like that..because they are jerks, but we all know that anyway.
Let them sit for a bit and stew on that. Again, you throw it right back at them when they claim they are secure and "your data is safe with us" and all the other BS..."well, sir, we are secure, and...". They ALL say that, every single stupid company out there claims to be "secure". They initiate that claim when you ask. That's a *vital point* there. As part of this proposed business transaction now, they, through their rep who is talking to you right then and is prepared to accept your money, will make a statement that they are "secure". This is the bingo moment.
I go, along these lines, "swell, that sounds great! You are secure, wonderful, that makes me feel better because ID theft is such a hassle and expense! Err..uhh..just for my records then, please just show me and if you could provide me simple copy of your "data security" warranty provisions, the indemnification policy you must have then, thanks! And BTW, not that this will ever come up, but exactly how much cash do I get back from you when and if you get compromised? If you are "totally secure" as you claim, then you should have no problems with a guarantee that you are secure in writing".
Salt to taste there, and I am never outright rude or obnoxious about it (I will speak in a loud and clear tone though so any other customers present can hear this exchange), just make them back up their contractual claims they just made to you. They just offered you a proviso in the terms of an oral contract to go along with whatever written crap they want you to fill out that they are, in fact, "secure", so you can ask for proof and so on.
The original clerk will be baffled as expected and will then pass the buck. Then just keep bumping it up the food chain until you hit some manager who doesn't want to be bothered and they give you the service without having to hork over your precious. Sometimes it's fast, other times it takes awhile, but usually it works.
If some manager starts to get redneck on you, you can go, again, along these lines, "Oh, you now are withdrawing your offer, because your company lied to me? You tried to extract my cash from me based on a lie? That's serious legal fraud in this state my friend" and etc.
Anyway, it usually works and it certainly is fun!
Funny, The government seems so keen to 'harmonize' so many facets of law with our European friends, why not this? hmmm?
Get it all in writing, then seek an injunction in federal court against the company and attach those documents to your complaint.
Once when opening a credit union checking account they asked for an SSN, they wanted to use it as an account number. Of course that meant it would be helpfully printed on each check we wrote.
I asked if I could just make up a number since I did not want my SSN floating around on my checks with my address and name. They said yes as long as it's unique so we tried a random number in their computer and it came back unique. They let me use that.
At least if all databases used some random unique number my number at bank X would not be the same as my number at Health Club Y or SuperDuperBoxStore Z.
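An added example, not part of any comment above and not code from any system the posters describe: a sketch of what several comments ask for, namely a random per-business customer key in place of the SSN, while still telling apart customers with identical names as the Point Of Sale comment requires. The table and function names are hypothetical, the keyed HMAC-SHA-256 fingerprint is this example's own choice of technique, and the SSNs are constructed values using the never-issued area number 000.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Assumption: in a real deployment this key lives in a secrets manager or HSM.
# It is generated here only so the example runs offline.
INDEX_KEY = secrets.token_bytes(32)


def normalize_ssn(raw):
    """Strip separators so '000-00-0001' and '000 00 0001' compare equal."""
    digits = "".join(ch for ch in raw if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("expected 9 digits")
    return digits


def ssn_fingerprint(raw, key=INDEX_KEY):
    """Keyed hash used only for duplicate detection at enrollment.

    An unkeyed hash would not help: there are only 10^9 possible SSNs,
    so anyone holding the table could enumerate them all. The secrecy of
    the key is what protects the stored value.
    """
    return hmac.new(key, normalize_ssn(raw).encode(), hashlib.sha256).hexdigest()


def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")
    db.executescript("""
        CREATE TABLE customer (
            customer_id TEXT PRIMARY KEY,  -- random, meaningless elsewhere
            name        TEXT NOT NULL,
            ssn_fp      TEXT UNIQUE        -- nullable; never the SSN itself
        );
        CREATE TABLE orders (
            order_id    INTEGER PRIMARY KEY,
            customer_id TEXT NOT NULL REFERENCES customer(customer_id),
            item        TEXT NOT NULL
        );
    """)
    return db


def enroll(db, name, ssn=None):
    """Return the existing customer_id for a known SSN, else create one.

    Customers who decline to give an SSN still get an account; they just
    cannot be de-duplicated automatically.
    """
    fp = ssn_fingerprint(ssn) if ssn else None
    if fp is not None:
        row = db.execute(
            "SELECT customer_id FROM customer WHERE ssn_fp = ?", (fp,)
        ).fetchone()
        if row:
            return row[0]
    customer_id = secrets.token_hex(8)
    db.execute("INSERT INTO customer VALUES (?, ?, ?)", (customer_id, name, fp))
    return customer_id


def forget_ssn(db, customer_id):
    """Honor a removal request. Nothing else references ssn_fp, so order
    history and every foreign key keep working. Returns True if a row changed."""
    cur = db.execute(
        "UPDATE customer SET ssn_fp = NULL WHERE customer_id = ?", (customer_id,)
    )
    return cur.rowcount == 1


def demo():
    db = open_db()
    a = enroll(db, "John Smith", "000-00-0001")       # constructed SSN
    b = enroll(db, "John Smith", "000-00-0002")       # same name, other person
    again = enroll(db, "John Smith", "000 00 0001")   # returning customer
    db.execute("INSERT INTO orders (customer_id, item) VALUES (?, ?)", (a, "receiver"))
    forget_ssn(db, a)
    orders_left = db.execute(
        "SELECT COUNT(*) FROM orders WHERE customer_id = ?", (a,)
    ).fetchone()[0]
    return {"distinct": a != b, "recognized": again == a, "orders_left": orders_left}


if __name__ == "__main__":
    print(demo())
```

The trade-off is visible in `forget_ssn`: once the fingerprint is cleared, the business can no longer recognize that person on re-enrollment, which is the capability some comments say companies retain the number for.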
Our current use of SSNs makes no sense at all.
What we need is a unique, unhackable, un-steal-able identifier, to identify each person for life.
What we have today, is the SSN.
In the beginning, it was NEVER intended to be secure or secret or to be used outside of ONE particular system.
But...little by little, companies, governments etc. started using it for other purposes.
So now we have this thing that was never designed to be secure, or even secret, being used for secret, secure identification.
I was in a large auto accident six years ago (5 cars, 8 people, 1 death, 1 homicide conviction). Everyone and their mother seemed to have my social. It was in the health records. All six insurance adjustors had it. And all the lawyers. I didn't put it on any forms I filled out.
http://www.privacyrights.org/fs/fs10a-SSNFAQ.htm
This provides useful information about SSNs and their usage.
Life takes interesting turns, but the most interest is when you're off the beaten path.
Anonymous Coward works for Microsoft.
Oh Wait, that other coward - not me.
What law requires you to have one? It's probably impossible to get a 'normal' job without one, but what law compels a person to have a SSN?
I remember getting mine when I was 14 to get a part-time job and needed one, not because some law said I had to have one. We got one for our son right after he was born, but I seem to remember the logic of that having something to do with social security benefits depending on when your number was issued, not because he HAD to have one.
According to the LAWS that govern the use of a Social Security number: it is illegal to use that number for anything but social security tax purposes... In other words, you can only use it for Banks, Employment, and IRS Tax purposes.
But is it truly illegal? [warning: link is to pdf file]
I'm sure they have a "consumer problems" report, where they try to help viewers settle differences with companies. If you spin it as "I want DirecTV to help me protect my identity from being stolen, but they refuse, putting my identity at risk" they'd probably jump at the chance to run a report on it.
It should not matter if businesses store your SSN. Would you object to storing your name, email address, phone number, postal address or any other publicly available number or information? The SSN should not be any different.
I'm afraid that the real problem is that businesses (and possibly government officials) are using SSN as authentication token instead of identification token.
We have exactly the same problem here in Finland with our SOTU/HETU/what-ever-it's-called-today identifier string. It was originally designed to be identifier for every citizen but the latest law (Henkilötietolaki, 1999) says that this identifier should not be public... Or it can still be used for identifying persons for statistical reasons, for selling services for credit, renting, insurances and other miscellaneous stuff. However, it cannot be used as the person identifier "only because it were the easiest way to identify a person" (direct translation from the actual law)! How fucked up is that? A personal identification number that shall not be used as personal identification number? To my knowledge this originates from using this identifier for authentication (surely you are the only person that can remember the last 4 symbols in your identification number?)... After reading this discussion, it seems clear that the problem is the same in the USA. What I cannot understand is why they decided to codify this brain-damage as a law instead of simply saying that you cannot authenticate with identifier.
How can we get businesses and government to recognize the difference between identification and authentication? SSN or any other non-secret is not an authentication token and MUST NOT require any protection to keep it from public. One simple method would be to pass a new law that practically says that "SSN number cannot be used as an authentication". As a result, anybody using the SSN for authentication would have no authentication at all, according to law. Hopefully that would be clear enough even for dumber businesses.
_________________________
Spelling and grammar mistakes left as an exercise for the reader.
It's not your fault, but many companies are compelled to keep info about ex customers just in case you're a nogoodnik and try to scam them again.
They have no way of verifying your "new" id number of your choosing and even if they did they could not crosscheck it next time when you give a different type of Id or other DL number.
"Also, SSNs don't expire, so you get off their list if you die."
This is not necessarily true. My mother died in the year 2000 and we still occasionally get in the mail offers from a company that kept her SSN. We told them she is dead but they keep sending stuff anyway. We've given up and are willing to let them continue to waste their money.
Talk to your Congressmen.
SSN-based identity theft could be stopped with one simple law: "Provision of an SSN is not considered evidence of identity in court".
And as for those companies? They just need a few court judgements of "You say he owes you $10,000 and you know this because you have his SSN? I find in favor of the defendant." Possibly followed by a few more of "You reported a credit default based on only his name and SSN? I find in favor of the plaintiff, and the penalties for libel are..." They'll figure out better ways to confirm identity soon enough.
The reason nobody cares about SSNs being a lousy password isn't because they need a good talking to, it's because they have no legal reason to care. We just need to clarify the law to give them a good reason.
Giving a 'fake' SSN is not perjury. It is however 'identity theft' which is a federal crime.
Why?
Why not - and I mean this seriously - sue them for libel when they bring action for identity theft against you?
You can very easily demonstrate that the SSN is not a proof of identity (authentication). You can (or should be able to) easily demonstrate that a company which relies on SSN for identity authentication is negligent of its fiduciary duty to protect the assets of its stockholders. Toward the libel charge, you should be able to demonstrate that the company *should have known* there was strong possibility the person who stole your identity was not you, and yet continued to blame you for what was ultimately *their failure* to properly identify the person to whom they extended credit.
A simple case of this nature - one which establishes precedent and carries high punitive damages - should be enough to get the industry to reform. Without that case, it's just a matter of bickering between consumers and corporations, and guess who controls the media....
The society for a thought-free internet welcomes you.
What's important to note here is that by keeping your data forever though (which the company has a right to do) they are also accepting the risk of losing that data and being sued. In other words it's a liability to the company to keep your data forever, and you think that a company the size of GM (GM owns DirecTV) would be smarter than that.
Am I lying when I tell you that I'm telling the truth? Or am I telling the truth when I say that I'm lying?
In the glorious future, the government will extend resources to financial institutions that mistakenly issue credit on fraudulently provided information, and help them deal with and resolve the consequences of their actions.
The hilarity of that statement makes me sad.
Nerd rage is the funniest rage.
At some point, all financial backups were zapped after 7 years of retention; emails and corp docs were sometimes kept forever.
Then came the issue when the courts began to subpoena the corporate emails and use them for evidence -- after that, everyone was deleting email backups that were over 1 year old, in some cases only 3 months, as a matter of policy.
I think their stance will change when someone whose identity is stolen takes class action against companies that store private personal information and have inadvertently lost it one way or the other.
I'm sure the recent cases of the breaches of retailers' and credit card clearinghouses would be in the forefront of the possible landmark cases. (see http://www.informationweek.com/news/security/showArticle.jhtml?articleID=199203277).
In a database, you often keep track of unique objects by their record numbers.
It's the same way with citizens.
They want a unique identifier for you.
One reason is so that if you scam them, and then delete your account, you can't sign back up and do it again.
But the primary reason is that businesses like to have a clear ID that points to a specific person.
Your government was too lazy to implement a Citizen ID Number plan mainly because people wail when anything like that occurs. So instead, you get a de facto one, and because we couldn't face this need honestly, it's now tied in to your tax returns.
I see no point in whinging about it here. You live in a democracy. Get others motivated to fix this.
What's that you say? Most people are too bloated on TV, free money from the government, video games and bad beer to be active? Well, I guess you'd better tackle that problem first, then.
Futurist Traditionalism
Both DirecTV and Dish Network use SSN's to help them establish if you have ever been a customer before. Satellite TV "virgins" can get deals not available to existing or repeat customers. Free PVR's, special programming packages, rebates, etc. are offered as an incentive to start a new account. I have a friend that ran a sales and installation firm for both services as well as their internet offerings. At his shop they always counseled people to get everything they could when they signed up, as the deals would never be better than when they first activate a new account. Both companies also decline to activate used equipment if there is an outstanding balance owed, even if someone else had purchased the receivers and wanted to add them to an existing account. If a satellite box has a bill outstanding, they won't turn the box on until it is paid off.
You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
There are likely legal requirements for companies to retain records of their transactions for several years (Sarbanes-Oxley?). This would make it legally sticky to have your ssn removed from a business database even after you no longer do business with them. Likely your ssn is the only unique identifier in the system that verifies who you are.
As an interesting aside, my last company was bought by another company, but a shell company was formed from the original strictly for the purpose of maintaining the old company records. That shell had to exist for three years before they could close it down and destroy the records.
Heh, the perfect answer, when in the USA, when asked for an SSN where one is not needed, why not just say you don't have one?
Give them your Hispanic pseudonym, say you have no SSN, and go about your business. Of course you might not get the service.
If you really need a good SSN, try 457-55-5462 - that's the one for that life lock guy. As long as you are not using it fraudulently (to get credit), it should be "good" (i.e. a real number, no credit dings, etc.)
I'm pretty sure my ssn card says it is not to be used for identification. Also I refused to give a hospital my ssn once and although they got really pissy they said "well ok but next time you're here you'll have to give us your birthday to access these records" so I said fine I'll make one up at that point
"in the US social security numbers [Socialist Insecurity Numbers=SINs] seem unique enough, assuming we could ignore clerical errors (which is a bad assumption, because American SS numbers, unlike those in other countries, do not contain embedded check digits). And, because so many real-world systems do [ab]use SS number as an identifier, the typical analyst would assume that it's a safe choice -- until he discovers that the numbers get recycled. Depending on the problem space (e.g. a banking system) this potential duplication could be a serious problem." --- Peter Coad & Edward Yourdon 1990 _Object-Oriented Analysis_ pg 115
"The use of social security numbers as a means of identification, both in private commercial transactions & in citizen communications with gov't, is common-place, despite Congressional efforts to curb expanding compulsory disclosure of the number. The requirements of section 7 of the Privacy Act have not been so widely disseminated, moreover, as to become an integral part of the public consciousness. To the contrary, the average citizen automatically reveals his social security number on a myriad of forms in the course of his daily life, never questioning the propriety of forced disclosure or suspecting that in many situations the number may be withheld at his option." --- judge Latchum 1982-01-19 in Doyle v Wilson 529 FS 1343 @ 1351
"Admittedly, however, the number is not a perfect device, since millions of people are estimated to hold more than one number or to share a number." --- Privacy Protection Study Commission 1975-10-22 _The Use of the Social Security Number in the Private Sector_ pg 7 (quoted in Weinstein 1977-03-03 in Stevens v Berger 428 FS 896 @ 907)
"A new sense of 'you have no right to ask that' needs to be defined & encouraged." --- John Curtis Raines (quoted in Gerald S. Snyder 1975 _The Right To Be Let Alone_ pg 162)
That way, I could make sure that I don't have it. If I keep it around forever, I know I won't ever collect it again. Do me a favor and let me know when you die though, so I can put it back.
This is my sig.
Having lived in the US my impression is that this is a cultural difference: Americans value convenience much more than Canadians (which probably explains why the US has somewhat higher productivity than Canada) and that the bellicosity of American culture has normalized intimidation and bullying as a means of social interaction, so American businesses are more likely to try to bully customers into giving up inappropriate information, and individual Americans are more likely to go the convenient route and give that information up.
I fought and resisted and refused and was greatly inconvenienced for many years over the SSN issue. I don't think it started with businesses; I think the government first started abusing it.
When I went to get my first drivers license in 1986, I brought my scored test and driving evaluation to the little booth where they bundle your info together and take your photo. Way back then, you had to wait a couple weeks for them to mail it to you. Prior to that, oddly, they just gave you the card. I heard the DMV worker tell one guy that they are "going computerized" and the reason for the delay was the data entry process. This new system used your SSN as your drivers license number. I wasn't thrilled about that.
Part of the application had a big area on the top for your SSN. I left mine blank. In the instructions they mention (in the fine print) that you can get an alternate number, which is what I wanted to do. I get to the counter and the guy throws a major fit. No joke. He loudly asks why I haven't bothered to fill in my SSN, and I ask for the alternate number. He goes on and on, telling me that I'm holding up the line, to "just fill in your damn number like everyone else" and so on. We have about 15 minutes of this back and forth until in a huff he throws me the little additional paper I need to fill out to ask for an alternate number.
The guy called me a nut, the people stared at me like I was insane. But using a SSN as a license number is a horrible idea. It was later scrapped, too.
When I moved to California in the late 90's the situation was even worse. I was told I not only needed to provide my SSN, but also a thumbprint before I could get a license. I politely mentioned that SSNs weren't allowed to be used as personal identifiers, and asked what my options were. Apparently not a new topic there, as the very bored lady rolled her eyes and muttered "Your other option is to not drive in California". And that was it.
Once the government starts doing this, people get the notion that they can do it in their business as well. I tried to rent an apartment once and refused to hand over my SSN. I was unable to rent the apartment. When you get a phone, or cable service, they ask for an SSN. Anything involving a credit check will involve them asking for an SSN, and you can get around it, but it makes things harder. I fought it for years and years, but in the end realized it was futile.
It's become so commonplace that refusing to hand over an SSN makes you look like a whacko in many people's eyes. Which is really sad.
California has had a law since 2002 that requires any business holding personally identifiable information to disclose any security breaches regarding that info to anyone possibly affected. Businesses screamed holy hell when it was enacted. I've seen first hand how worked up people get when you provide them with a list of people they are forced to notify. I know how much all those letters cost to mail. A federal law like that would be a good thing. But I think the genie is out of the bottle.
-B
Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.
It is no surprise that they would refuse to delete your SSN #.
Everyone that uses their service is getting screwed - some just might not realize it yet.
OTA HDTV FTW - Free and much better picture.
Starting now: MD5 sums for every newborn!
I am SHOCKED at how often companies will ask for your SSN to do a credit check. Want a cell phone? SSN. Want Cox Cable Internet? SSN. Want any number of services for which a company is not becoming your creditor? SSN.
When I first found out that Cox wanted my SSN to allow me to sign up as a customer, I emailed to ask them how they would be storing my SSN, and for how long, and what security measures they had in place to prevent the theft of my SSN. They couldn't answer these questions. They just kept telling me that providing my SSN would allow them to determine whether I needed to pay a deposit before I started service. Well, if you're not competent enough to answer those questions for me, I'm not forking over my SSN........
I don't understand how this came to be the accepted norm in this country. It seems like a horrendous violation of privacy. It's just BEGGING to be abused.
I used to work customer service for an e-commerce company with offices in Germany as well as the US. We didn't collect SSNs, but we did accept credit card payments. When customers placed an order, we automatically saved the credit card number in our database (middle digits x'd out for lowly CS reps, obviously). If they called in and asked us to remove their credit card information from the system, we had to tell them that German regulations required us to keep that data for 3 years or so. After 3 years, my managers told me it was automatically expunged from the database.
This was a couple of years back, but I wonder if other data retention laws have a role to play here with international businesses keeping private information around far longer than is necessary...
How to stop businesses storing SSN's indefinitely?
Well, you could, I don't know, work for passage of a law forbidding the practice and mandating a heavy penalty for breaking this law.
You could also pass a law forbidding the use of SSN's as general ID in the first place. That's not what they were created for, the government owns the SSN's, and they can forbid their misuse for any purpose by unauthorized groups such as huge faceless corporations and other assorted objectionable entities.
After all, it's not like the entities people transacted business with before 1935 were unable to proceed without these magic numbers.
Why not just go to the IRS and request a Taxpayer ID number? They will give you one that you can then give to your employer. Your employer can use THAT number to submit tax payments on your behalf and never has to know your SSN. Reserve your SSN for companies you need credit from or when you're actually dealing with the Social Security Administration.
A good DBA never trusts Other People's Numbers to be unique or stay unique.
Here's a couple things you can try:
DROP TABLE customers
DROP TABLE accounts
DROP TABLE users
One should be careful giving out fake SSNs, as you may be accused of attempted identity theft or fraud or whatnot. But, who's to say you or some data entry person didn't make a mistake and mistype one of the numbers, or transpose two of the numbers? Looks like an innocent mistake, I say! If you do it consistently enough, you can even use the excuse, "God, that typo has been following me around forever!"
I'm just sayin'.
I also use my old phone numbers and addresses for those who require such information. "Oh, that's my _old_ number!" :)
But it really hurts after 12 seconds and I can't hold my breath for longer than 18 seconds ..... now what should I do?
I've had good luck reporting companies to the Better Business Bureau if their customer service is highly uncooperative. I was receiving unsolicited credit card offers from Citi, even though I'd signed up for the permanent do-not-sell list. Their customer service couldn't tell me who sold them my information, but after talking to the BBB, I got a call from someone higher up who let me know Equifax had sold it to them.
I had much worse issues with Alienware, whose customer service was atrocious. I eventually had to go to both the BBB and the Florida Attorney General's office, but they finally swapped out my lemon of a laptop for a new one.
Some (financial) Point Of Sale software I designed uses SSNs to tell the difference between customers with identical names. If I change the SSN... it thinks you're a new customer. Well... this is something to think about.
You are being lazy.
Use a 1-way hashing function on the SSN, then use the hash as a GUID.
"You have liberated me from thought."
That will give you a tax number you can provide for all these services that seem to require one. Also, if the corporation's identity somehow gets stolen, well, you just trash it and get a new one. It's not the cheapest option available, but it will at least keep your personal information private.
Just an idea.
-Restil
Play with my webcams and lights here
Great idea! However, stipulate it that this will not be done until a year after your estate is settled.
In this thread, SSN is generally understood but in other contexts, it could mean something entirely different. Specifically, POS? There can be many interpretations. There is too much "texting speak" out there and you are not limited to how many characters you can use.
Many of our peers here are the ones designing databases with SSN keys. Stop doing that! Hash the SSNs with a seed using MD5 or a stronger algorithm (or weaker if there is the possibility that on rare occasions you will need to brute force the original SSN out). If you are required to validate against a subset of the number, store that hashed also. Done consistently you can use the hash to uniquely identify your customer without having to store the SSN in plain text.
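The hashing suggestions in this thread ("use the hash as a GUID" and "hash the SSNs with a seed", including the hashed subset for validation), worked through as an added example that is not from any poster or from the original page. It uses HMAC-SHA-256 with a secret key held outside the database instead of the MD5-with-seed mentioned above, and it shows why: an unkeyed hash of the last four digits has only 10,000 candidates. The function names, purpose labels and the sample number (area 000, which is never issued) are assumptions.

```python
import hashlib
import hmac
import re
import secrets

SSN_KEYSPACE = 10 ** 9  # nine decimal digits: small enough to enumerate offline


def normalize_ssn(raw: str) -> str:
    """Strip separators so '000-12-3456' and '000 12 3456' map to one value."""
    digits = re.sub(r"[\s-]", "", raw)
    if not re.fullmatch(r"\d{9}", digits):
        raise ValueError("expected nine digits")
    return digits


def unkeyed_token(value: str) -> str:
    """Plain SHA-256 of the digits: what 'just hash it' produces."""
    return hashlib.sha256(value.encode("ascii")).hexdigest()


def keyed_token(key: bytes, value: str, purpose: str) -> str:
    """HMAC-SHA-256 under a secret key, with a purpose label so the same
    digits yield unrelated tokens in different columns or systems."""
    msg = purpose.encode("ascii") + b"\x00" + value.encode("ascii")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def customer_tokens(key: bytes, raw_ssn: str) -> dict:
    """What the database stores instead of the SSN: a stable customer
    identifier plus a separate token for 'confirm your last four' checks."""
    ssn = normalize_ssn(raw_ssn)
    return {
        "customer_id": keyed_token(key, ssn, "customer-id"),
        "last4_check": keyed_token(key, ssn[-4:], "last4"),
    }


def recover_last4(digest: str):
    """Audit helper: test all 10,000 four-digit strings against a digest.
    Returns the digits if the digest is an unkeyed SHA-256 of them."""
    for n in range(10_000):
        guess = f"{n:04d}"
        if hmac.compare_digest(unkeyed_token(guess), digest):
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample: area number 000 is never issued.
    sample = "000-12-3456"
    # Assumption: in production the key lives in a KMS/HSM or secrets
    # manager, never in the same database as the tokens.
    key = secrets.token_bytes(32)

    row = customer_tokens(key, sample)
    same_person = customer_tokens(key, "000 12 3456")
    print("same customer id:", row["customer_id"] == same_person["customer_id"])

    weak = unkeyed_token(normalize_ssn(sample)[-4:])
    print("unkeyed last-4 recovered:", recover_last4(weak))
    print("keyed last-4 recovered:  ", recover_last4(row["last4_check"]))
```

The keyed token still lets a point-of-sale system tell two customers with identical names apart, but a copy of the table alone is useless for recovering numbers; rotating or destroying the key also gives a practical way to retire the identifiers.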
The U.S. Government should tax the storage of SSN numbers. We could start at 2 cents per day per instance. Once the tax is enacted, it will be a perpetual risk for businesses that this tax rate will go up and there will be an obvious business case for coming up with other methods for identifying customers.
I appreciate the OP's concern, but really, any minimum wage peon at a credit or collection agency can look up any SSN in a couple minutes. The people who you need to sue are not the ones using SSNs for IDs, but the credit reporting agencies themselves and anyone else who skipped doing any actual verification of who you are in favor of the much cheaper use of your SSN as a password in direct violation of all the government documentation about how it was NOT secret.
Looking for freelance Actionscript (Flash/Flex) or ColdFusion work and/or freelance developers. Email me, put Slashdot
Unfortunately, while this would be a fascinating legal case, there isn't, at the moment a lot you can really do about it unless you're willing to give out your SSN to any company that demands it. Of course, chances are that most will refuse you service but some, as you found out, will still work with you.
To those that don't work with you, it's not over yet. Take your business elsewhere BUT DO MORE: write a letter to the CEO and send CC's to the entire Board of Directors and tell them that 1) you wanted to become a paying customer and 2) you chose not to do so because of the requirement that you hand over your social. Be sure to include alternatives to SSN ID in your letter.
Really, because of the American reliance on using SSN's to link to credit reports, there's no real way to function effectively without giving out your SSN. Sure, some will suggest drivers license numbers but those aren't really reliable since they change from time to time. What we really need is a national ID that is assigned to every citizen and used ONLY for ID and credit purposes. You should never have to give your SSN out to anyone.
Anthony Papillion
Advanced Data Concepts, Inc.
"Quality Custom Software and IT Services"
Yes the Social Security Act requires the SSN to be used ONLY for social security itself, which means the social security administration, taxes, and employers (since some social security is withheld from payroll.) NO OTHER USE can require an SSN. The law is just entirely flaunted and ignored by everybody. Now that people are figuring out (last 5 years or so) that using the SSN for everything leads to easy identity theft, some are starting to finally phase it out.
The University thought I was crazy when I requested an ID without SSN -- a few years later they did it as standard. I requested a non-SSN drivers license, the bonus being I've had one ticket I never had to pay because the cops thought my ID # was all numbers and miswrote the As and Os as 4s and 0s.
I'm not from the USA, and I'm wondering why you would give your SSN to some business, such as a cable company? There are other ways of proving your identity to them. Here in Canada I don't give my SIN (same thing as your SSN) to anyone, most don't ever ask for it either. Pretty much the only time you are required to hand that number over is if you are opening a bank account or starting a new job. There just is no reason for regular businesses needing it. I read someone's post, stating that they worked for a company that used the SSN as an ID for customers in a database, that to me has all sorts of trouble written all over it.
Both SSNs and Electronic Voting are facing same privacy issues.
Slashdot = Sarcasm
They don't need my SSN if they have my name, phone number, and the doctor I want the results sent to.
While it is true they do not need your SSN (and I support you not giving it out), the hospital does need at least two pieces of identifying information to try to ensure the reports are for the correct patient. These bits of information do not legally have to be individually or collectively unique, but together they do need to make it highly unlikely the wrong patient will be treated. Name and date of birth are common (highly unlikely two patients with the same name and DOB will show up at the same time in the same place) but others can be and are used. SSNs should not be used for this purpose but obviously they can and do serve as a unique identifier. Just your name, phone number and doctor's name would be insufficient and any doctor/hospital who used only that information to create/send a report would be exposing themselves to potential liability for sending a report without adequate confirmation of the identity of the patient.
Yes there is. They offer deals to new customers. They don't wanna offer deals to customers who were from 10 years ago. How else do you suppose they make sure it's not you in ten years?
I did; i di... i d
This is a good cause for a boycott. DirecTV... who else?
Sure, permanent retention of SSNs is bad. Even your "buddies" at slashdot will not delete an account if you request it. Try it; there is no way you can get them to delete even one of their lame accounts. For the love of breakfast, would someone please delete my idiotic account from slashdot?!?
You are overly paranoid. Anyone with $10, an internet connection, and a full name could get SSN, DOB, mail address, etc.
CC Agencies and those kind of businesses simply need to step up their validation to make sure people are really who they say they are, rather than just some random who could have paid for someone else's social.