Slashdot Mirror
How To Stop Businesses Storing SSNs Indefinitely?
The Angry Mick writes "My wife and I recently moved, and during the course of providing change-of-address information to the many companies we do business with, I asked each if they were storing a full Social Security number in their databases, and if so, could they remove it or replace it with an alternate identifier. Neither the experience nor the results were particularly enjoyable. On the positive end of the spectrum, some companies were more than willing to make a change, even offering suggestions for a suitable alternate such as a driver's license number. In the middle were companies that made things a little more difficult, requiring several steps up the management tree before speaking to someone with some actual authority to address the issue. Then there was DirectTV. This company not only flatly refused to consider the suggestion, but also informed me that even if I were to discontinue service with them, they still intended to keep my full SSN on file indefinitely. There is no logical reason for them to do this, and I'm not keen on the idea of being left vulnerable to identity theft should they have experience any security breaches at any future point in my life. So, my questions to the Slashdot community are: Has anyone else tried getting your SSN replaced or removed in corporate databases, and what were your experiences? And short of Armageddon, is there any way to force a company to erase your SSNs after you cease doing business with them, or is this a job for a lawyer or regulatory body?"
Some (financial) Point Of Sale software I designed uses SSNs to tell the difference between customers with identical names. If I change the SSN... it thinks you're a new customer. Well... this is something to think about.
"Sorrow is better than laughter, for by sadness of face the heart is made glad." [Ecclesiastes 7:3]
So, you could call them up and threaten them with prosecution under the aforementioned acts which--given the right tone of voice--should do the trick for you. Or, if you read the GAO report, they say:
In 1998, Congress made identity theft a federal crime when it enacted the Identity Theft and Assumption Deterrence Act (Identity Theft Act).5 The act made it a criminal offense for a person to "knowingly transfer, possess, or use without lawful authority," another person's means of identification "with the intent to commit, or to aid or abet, or in connection with, any unlawful activity that constitutes a violation of federal law, or that constitutes a felony under any applicable state or local law." Under the act, a name or SSN is considered a "means of identification," and a number of cases have been prosecuted under this law.
Now, with that, I would seek a lawyer who would take this case (maybe even some high profile lawyer or a member of the EFF) and clearly outline the above in a written letter with your signature informing them that they are in violation of the "Identity Theft and Assumption Deterrence Act (Identity Theft Act)" and if they do not remove your Social Security Numbers, you will take legal action. If your case is solid enough, you might be able to really stick it to DirectTV for storing personal private data "without lawful authority" as they do not have the written consent of every customer.
My work here is dung.
.P.I.P.E.D.A.
Canadian regulation that in short says any business has to divulge any personal information of yours that they are storing, and allow you to change or remove it. It may be with a simple web-site form, it may be with a written letter, but that's the law.
If you provide your SSN to Comcast, they also store it indefinatly.
They use it for internal credit checks to make sure you don't owe them any money on previous accounts (and likely for other things as well).
That said you can usually setup an account without your SSN, but you'll need to set it up directly with your local office instead of by phone or internet.
Read This, I hope it helps!
http://www.privacyrights.org/fs/fs10a-SSNFAQ.htm
I had their collection agency call me earlier this year asking if I really was the person who ordered service in my name in a house on the other side of town and failed to pay the bill for three months. No, it was an SSN thief who took out service in my name, using my fine credit rating. It turns out that DirecTV doesn't check your bona fides such as your address - they only run a credit check on the name and SSN you provide, without verifying that you belong to either that name or SSN!
The determined Real Programmer can write Fortran programs in any language.
This isn't really in defense of the hospitals, but a WHOLE LOT of people use the hospital because they can't pay for medical attention and the hospital can't refuse. The SSN is likely there so they can track you down to the ends of the Earth to try and get their money.
"When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
is it possible to do identity theft with only the SSN alone?
Unfortunately, yes. It provides enough of a building block (used both as an identifier and as an authenticator) to allow a moderately-clever person to build up the rest of the identity.
Reply to That ||
It's not. It's supposed to be unique (within certain criteria: they do get reused eventually) across everyone in the USA, so the Social Security Administration can identify everyone. That's all it was designed for.
It just happened that the SSN was the first major government number that everyone was required to have. So everyone else used the fact that it was there and unique to make their lives easier. Which means that now everybody tracks you by that number, and if you have that number you can impersonate anyone in any database that uses it.
It's not supposed to be secret. It's not supposed to be your full ID. It just became that.
'Sensible' is a curse word.
Dish Network and DirecTV keep your SSN as previously mentioned to ensure that you do not owe them money from a previous account and so you can never again qualify for new user treatment (free equipment, programming packages and installation), the sock sucking bastiges. As for identity theft, unless you conduct all business by trading beans in a 3rd world country, at this point it seems to be a matter of when, not if.
That's actually a good question. The answer is , no, it is not supposed to be secret. It is an identifier; identifiers are not secret.
The problem is that so many companies misuse SSNs. They treat them as if they were passwords.
What is your name? John Smith
What is your SSN? 123-45-6789
OK, you must be John Smith all right. What can I do for you?
It is this completely broken way that companies "verify" your identity that is the problem. People try to keep their SSN secret to reduce the chances an "identity thief" will get it and use a company's and/or bank's broken procedures to steal from you.
That's funny I usually just provide my health card, and then I don't have to worry about giving out my social insurance number. I also don't have to worry about paying.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
No, it's illegal for the Government to use it other than for its intended purpose. Companies can do what they like with it.
From the Social Security Website: http://ssa-custhelp.ssa.gov/cgi-bin/ssa.cfg/php/enduser/std_adp.php?p_faqid=78
If a business or other enterprise asks you for your number, you can refuse to give it. However, that may mean doing without the purchase or service for which your number was requested. For example, utility companies and other services ask for a Social Security number, but do not need it; they can do a credit check or identify the person in their records by alternative means.
[emphasis mine]
I work at a college, when I started the main thing we were doing was changing our system to assign unique ID's to all students and remove all SSN numbers in places where it was used as ID's.
The whole project took about a year to do. Now there is only one place where you can still find the SSN number, and that is only because it is required for some financial aid things.
I don't think giving a fake SSN is identity theft. (And I happen to be a victim of identity theft.) If I say "my name is Jason Levine and my SSN is 583-58-2958" (not my real SSN, of course), I haven't stolen anyone's identity. Yes, that number might match someone's SSN somewhere, but chances are the name won't. So if you look up the SSN and see it's assigned to "Jane Smith", it will be pretty obvious that the SSN given was wrong or an error occurred somewhere.
Now, if I said "my name is John Smith" and gave John Smith's SSN, Address, etc, *that* would be identity theft.
My sci-fi novel, Ghost Thief, is now available from Amazon.com.
Who or what generates the number isn't the problem. If everyone switched over to using your ID number, then pretty soon everyone would be saying to keep that secret just like they do for SSN now. The problem is that the number is being used to authenticate you instead of just identifying you. If companies demanded a valid notarized SSN card as proof prior to obtaining anything in your name, then you could tell your SSN to anyone and it wouldn't matter (with the assumption that it's impossible to forge a SSN card -- granted it isn't impossible, but that's another topic).
They then asked me to prove to them I didn't have the modem. How the fuck do you prove that?
You keep the receipt they give you when you return the modem. I've been screwed like that too, now I know better.
This is bad policy, since many potential hospital "customers" don't have an SSN. Hospitals have to service newborns, visitors, illegals, etc. Using SSN as the unique ID doesn't work, and they usually have work-arounds for this.
Sleep is for the Weak
About a year ago I politely asked my Senators if they would work to end use of SS#s by private companies either by outlawing it except for financial institutions or forcing some sort of costly security minimum for storage of SS#s and insurance in the event of theft to discourage people who don't actually need it. Both of which seem logical enough no one should be actively opposed to it.
Months later I received a response from both Senators. One was a form letter about how great the Senator was and how he appreciated my support. The other said that he would consider such a bill if one came before him. So feel free to write the bill and send it to your Senator as mine didn't realize creating legislation was part of his job. Not that its a surprise as it would explain why lobbist are so busy writting our laws.
I've had good luck reporting companies to the Better Business Bureau if their customer service is highly uncooperative. I was receiving unsolicited credit card offers from Citi, even though I'd signed up for the permanent do-not-sell list. Their customer service couldn't tell me who sold them my information, but after talking to the BBB, I got a call from someone higher up who let me know Equifax had sold it to them.
I had much worse issues with Alienware, whose customer service was atrocious. I eventually had to go to both the BBB and the Florida Attorney General's office, but they finally swapped out my lemon of a laptop for a new one.