Slashdot Mirror
How To Stop Businesses Storing SSNs Indefinitely?
The Angry Mick writes "My wife and I recently moved, and during the course of providing change-of-address information to the many companies we do business with, I asked each if they were storing a full Social Security number in their databases, and if so, could they remove it or replace it with an alternate identifier. Neither the experience nor the results were particularly enjoyable. On the positive end of the spectrum, some companies were more than willing to make a change, even offering suggestions for a suitable alternate such as a driver's license number. In the middle were companies that made things a little more difficult, requiring several steps up the management tree before speaking to someone with some actual authority to address the issue. Then there was DirectTV. This company not only flatly refused to consider the suggestion, but also informed me that even if I were to discontinue service with them, they still intended to keep my full SSN on file indefinitely. There is no logical reason for them to do this, and I'm not keen on the idea of being left vulnerable to identity theft should they have experience any security breaches at any future point in my life. So, my questions to the Slashdot community are: Has anyone else tried getting your SSN replaced or removed in corporate databases, and what were your experiences? And short of Armageddon, is there any way to force a company to erase your SSNs after you cease doing business with them, or is this a job for a lawyer or regulatory body?"
If you provide your SSN to Comcast, they also store it indefinatly.
They use it for internal credit checks to make sure you don't owe them any money on previous accounts (and likely for other things as well).
That said you can usually setup an account without your SSN, but you'll need to set it up directly with your local office instead of by phone or internet.
I was wondering if there was anything equivalent to the Data Protection Act in the America:
This isn't really in defense of the hospitals, but a WHOLE LOT of people use the hospital because they can't pay for medical attention and the hospital can't refuse. The SSN is likely there so they can track you down to the ends of the Earth to try and get their money.
"When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
is it possible to do identity theft with only the SSN alone?
Unfortunately, yes. It provides enough of a building block (used both as an identifier and as an authenticator) to allow a moderately-clever person to build up the rest of the identity.
Reply to That ||
It's not. It's supposed to be unique (within certain criteria: they do get reused eventually) across everyone in the USA, so the Social Security Administration can identify everyone. That's all it was designed for.
It just happened that the SSN was the first major government number that everyone was required to have. So everyone else used the fact that it was there and unique to make their lives easier. Which means that now everybody tracks you by that number, and if you have that number you can impersonate anyone in any database that uses it.
It's not supposed to be secret. It's not supposed to be your full ID. It just became that.
'Sensible' is a curse word.
That's actually a good question. The answer is , no, it is not supposed to be secret. It is an identifier; identifiers are not secret.
The problem is that so many companies misuse SSNs. They treat them as if they were passwords.
What is your name? John Smith
What is your SSN? 123-45-6789
OK, you must be John Smith all right. What can I do for you?
It is this completely broken way that companies "verify" your identity that is the problem. People try to keep their SSN secret to reduce the chances an "identity thief" will get it and use a company's and/or bank's broken procedures to steal from you.
No, it's illegal for the Government to use it other than for its intended purpose. Companies can do what they like with it.
From the Social Security Website: http://ssa-custhelp.ssa.gov/cgi-bin/ssa.cfg/php/enduser/std_adp.php?p_faqid=78
If a business or other enterprise asks you for your number, you can refuse to give it. However, that may mean doing without the purchase or service for which your number was requested. For example, utility companies and other services ask for a Social Security number, but do not need it; they can do a credit check or identify the person in their records by alternative means.
[emphasis mine]
In practice, as you say, even the weak constitutional and statutory protections of privacy are most often ignored.
http://www4.law.cornell.edu/uscode/42/408.html
http://www.usdoj.gov/04foia/privstat.htm
http://www.cavebear.com/nsf-dns/pa_history.htm
http://www.cavebear.com/nsf-dns/5usc552a.htm
http://www.cms.hhs.gov/privacyact/patraining.asp
http://www.cms.hhs.gov/privacyact/pa.pdf
http://www.so.doe.gov/documents/privactof1974.pdf
http://www.epic.org/privacy/laws/privacy_act.html
https://www.cnet.navy.mil/privacyact1974.pdf
http://library.lp.findlaw.com/articles/file/00007/004477/title/subject/topic/constitutional%20law_freedom%20of%20information/filename/constitutionallaw_1_88
http://library.lp.findlaw.com/articles/file/00007/004477/title/subject/topic/constitutional%20law_freedom%20of%20information/filename/constitutionallaw_1_88
http://www.cpsr.org/cpsr/privacy/ssn/ssn.faq.html
http://www.cpsr.org/program/natlID/natlIDfaq.html