How To Stop Businesses Storing SSNs Indefinitely?

The Angry Mick writes "My wife and I recently moved, and during the course of providing change-of-address information to the many companies we do business with, I asked each if they were storing a full Social Security number in their databases, and if so, could they remove it or replace it with an alternate identifier. Neither the experience nor the results were particularly enjoyable. On the positive end of the spectrum, some companies were more than willing to make a change, even offering suggestions for a suitable alternate such as a driver's license number. In the middle were companies that made things a little more difficult, requiring several steps up the management tree before speaking to someone with some actual authority to address the issue. Then there was DirectTV. This company not only flatly refused to consider the suggestion, but also informed me that even if I were to discontinue service with them, they still intended to keep my full SSN on file indefinitely. There is no logical reason for them to do this, and I'm not keen on the idea of being left vulnerable to identity theft should they have experience any security breaches at any future point in my life. So, my questions to the Slashdot community are: Has anyone else tried getting your SSN replaced or removed in corporate databases, and what were your experiences? And short of Armageddon, is there any way to force a company to erase your SSNs after you cease doing business with them, or is this a job for a lawyer or regulatory body?"

Something I've considered...

[Anonymusing]

Lately it seems everyone wants to know my SSN: my dentist, my grocery store, my heating fuel supplier, the guy who changes my oil, etc. When credit checks are required, I ask them to try running it without the SSN (just address data) and often they will try. Other times, they are simply using the SSN as a convenient identifier for customers -- !!!! -- so I politely suggest a different number, or insist on only giving 3-4 digits of it. Thankfully my health insurance company will generate an internal ID# for you, if you request it, so that your SSN is not printed on your insurance card and therefore stored at your physician's office.

Other than to the government, and to organizations directly attached to my banking needs, what's wrong with giving a different number in place of the SSN? As long as you can remember it, that is. Would that be considered some kind of fraud?

Re:Something I've considered...

[moose_hp]

I'm not trying to be a troll here, this is an honest question.

I'm not from the United States, nor I live there, but I never got why exactly is a SSN supposed to be secret, is it possible to do identity theft with only the SSN alone? Here in Mexico we have a ton of personal identification numbers (RFC, CURP, IFE number, Passport, Drivers License, Military Service, Social Security, Professional Certificate, etc) and none of them is really supposed to be secret, I don't get why people from the USA a secret number that you're not supposed to divulge, yet you need to give up for reasons like cable TV contracts and there's chaos when something like a database of SSN got leaked .

Re:Something I've considered...

[ronaldb]

The main problem I think is that a lot of businesses use it as if it were a secret. If that mindset would change, the problem would go away.

"So you say you're Mike Jones. We need to verify that. What are the last 4 digits of your SSN?"
- "Hold on, let me get your last bill, where it's printed on the top of every page."

How can that be used as a security measure? Using an identifier as an authentication method is simply a BAD IDEA.

Re:Something I've considered...

[db32]

I see this problem as backwards. People are scrambling to fight this nonsense uphill battle. The cat is out of the bag. Pandora's box has been opened. It is WAY too late to get all of this stuff back. The only way forward is for SSNs to become worthless as identifiers. This personal information is quickly becoming trivial to obtain, fighting the trend is only going to continue to make it a problem for identity theft.

The real answer is to hold businesses to the fire for exposing/trading/selling it and accepting it so readily to open new accounts. If businesses were more security minded in defending the information it would be less of an issue. If businesses were more security minded in verification it wouldn't be an issue. However, this continued nonsense about trying to protect your SSN is only allowing businesses to continue to put the risk and responsibility on the individual for their own greed driven fuckups.

Re:Something I've considered...

[radtea]

It just happened that the SSN was the first major government number that everyone was required to have.

The same is true of the Social Insurance Number (SIN) in Canada, and I don't think I've ever divulged mine to anyone who wasn't my employer, my accountant, or the Canada Revenue Agency.

So the question in my mind is why Americans have allowed their SSN's to be used in these ways, while in Canada we've not allowed a similar number to be used in similar ways? I don't think I've ever given my SIN to my cell phone provider, cable company, or anyone like that.

Having lived in the US my impression is that this is a cultural difference: Americans value convenience much more than Canadians (which probably explains why the US has somewhat higher productivity than Canada) and that the bellicosity of American culture has normalized intimidation and bullying as a means of social interaction, so American businesses are more likely to try to bully customers into giving up inappropriate information, and individual Americans are more likely to go the convenient route and give that information up.

Re:Something I've considered...

[onyxruby]

Many years back I worked as a skiptracer / fraud researcher for a well known credit card company. The short of the answer is that with a social security number a person can readily learn a persons private financial details by pulling a credit report.

There is no mechanism that prevents companies from doing so, they 'self authenticate' as it were. Unlike a person who must provide details to prove that they really are who they claim they are. All a business has to do either claim you have given your consent or that you owe them money and they gain full access to your private credit report.

With a credit report alone I can tell everything from what kind of car you own (as most people finance) to where you live, where you have lived, what your lifestyle choices are, where you shop and so on. It's a pretty thorough invasion of privacy. Using additional services I can gain other information about you such as property you own, tax records, court records, family records, residence, an unscrupulous person could even find out your health records. In ten to fifteen minutes I have a very telling picture of your life, whether you want someone to have it or not.

The bottom line is that with a social security number there is very little about a person that cannot be readily discerned in a very short period of time. Unethical people will quickly cross the line, checking things that they shouldn't or, even stealing your identity.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Your Rights & Your Actions

[Richard_at_work]

In 1998, Congress made identity theft a federal crime when it enacted the Identity Theft and Assumption Deterrence Act (Identity Theft Act).5 The act made it a criminal offense for a person to "knowingly transfer, possess, or use without lawful authority," another person's means of identification "with the intent to commit, or to aid or abet, or in connection with, any unlawful activity that constitutes a violation of federal law, or that constitutes a felony under any applicable state or local law." Under the act, a name or SSN is considered a "means of identification," and a number of cases have been prosecuted under this law.

Now, with that, I would seek a lawyer who would take this case (maybe even some high profile lawyer or a member of the EFF) and clearly outline the above in a written letter with your signature informing them that they are in violation of the "Identity Theft and Assumption Deterrence Act (Identity Theft Act)" and if they do not remove your Social Security Numbers, you will take legal action. If your case is solid enough, you might be able to really stick it to DirectTV for storing personal private data "without lawful authority" as they do not have the written consent of every customer.

Nothing in that quote suggests it is against the law for the company to retain the SSN in the course of lawful business, and as they are not intending to commit or aid or abet an unlawful activity, then your harshly worded letter would be meaningless.

Of course, other laws may be quotable with better effect...

Re:Your Rights & Your Actions

[jeffshoaf]

While I agree that DirecTV shouldn't have their customers' Social Security # (and I'm a customer), I don't believe the quote you provided from the GAO report says that they're doing something illegal per the part I've emphasized below:

In 1998, Congress made identity theft a federal crime when it enacted the Identity Theft and Assumption Deterrence Act (Identity Theft Act).5 The act made it a criminal offense for a person to "knowingly transfer, possess, or use without lawful authority," another person's means of identification "with the intent to commit, or to aid or abet, or in connection with, any unlawful activity that constitutes a violation of federal law, or that constitutes a felony under any applicable state or local law." Under the act, a name or SSN is considered a "means of identification," and a number of cases have been prosecuted under this law.

DirecTV can simply claim that they have no intent to commit, or to aid or abet, or use the SS# in connection with an unlawful activity.

Re:Ugh, DirecTV should just go away

[homey+of+my+owney]

Although is is actually illegal to use a SSN for identification, companies claim it is for, uhhh, just for the record. I'm sure you must be among the 99% pf people with a cell phone. I've tried with all of the big three to get a phone without giving a SSN, explaining that it is illegal to require me to provide it, and they all told me "I understand, thanks for shopping with us".

Broken by design.

[jackb_guppy]

There is no reason for a POS to have SSN. There are many other methods to get uniqueness.

When companies ask for it, I request for what use do they have for it. I have left hospitals for requesting the information, for they have no need for the information.

But to ask a person doing a POS transaction for their SSN, is just plan broken.

Re:Broken by design.

[ThatsNotFunny]

Having worked in an admissions department at a hospital, I can tell you that SNNs are rarely verified by admissions personnel. Equal parts laziness due to job dissatisfaction and lack of time due to overwhelming workload. We would key in whatever number the patient gave us. It would be quite easy to provide a fake number and the hospital would not be aware.

Re:Broken by design.

[grimarr]

It's not so much that the SSN is used as an identifier, that is after all what it was designed for. (Although as many have said, it was not supposed to be multi-purpose.) The bigger problem is that it's also used as authentication, even by the same organization that uses it as an identifier. It's like having a password that has
to be the same as your username, and you can never change it.

And using just the last 4 digits is not much better. Sure, your billing statement that someone grabs out of your trash only has the last 4 digits of your SSN. But if that's all the bank is going to ask for as "proof" of identity, you're just as screwed.

Re:Bad news. XD

[HogGeek]

The SSN was never intended to be used this way. If it was your choice to use the SSN in ANY database, you should be beat, if it was somebody else, please identify them.

  It is this type of abuse and use of SSN numbers that has helped enabled identity fraud.

Re:issue people new SSNs every year

[maxume]

The problem is that the banks (and similar) have convinced you that you are the one being defrauded.

Sure, someone opens an account using your details and it sucks for you, but it wasn't your mistake, it was the institution that opened the account that made the mistake.

Re:Bad news. XD

[Hatta]

No, in America we use the free market system. Which means the system is free to market your data any way they want.

you're confused

[Lord+Ender]

SSNs are not secrets. They are not authentication credentials.

Storing (or even leaking) SSNs is not the problem. The problem is when certain negligent organizations use knowledge of SSNs as some sort of proof of identity. If you're worried about your SSN being misused, talk to those companies.

Re:Bad news. XD

[Eskarel]

And what would you suggest as an alternative? The SSN is the only unique number that a US citizen has, and every US citizen has one. Sometimes you need a PK which actually identifies someone, not just one which identifies the record in your database.

The problem with SSN's and identity theft is verifying that an SSN belongs to a person not the SSN itself, if you replace the SSN with someone other number which is sufficiently unique as to identify you as an individual it's sufficiently unique for someone to be able to use it to steal your identity.

I don't know what the solution to identity theft is, but no one knowing your SSN is not likely to be it. I think most likely the solution is penalties for companies and government departments who take inadequate steps to identify people and/or increasing the documentary requirements for certain kinds of identification. There might have to be some sort of central identification system for on-line purchases, who knows.

Re:Bad news. XD

[dnahelicase]

Do you think they actually delete your SSN anyway? I can see two things happening: 1) customer service tells you "yes, we can do that" and doesn't do anything or 2) somebody makes a note to change your SSN to XXX and then enters it in a system that keeps a change log that stores SSN to XXX. Unless they have a system for specifying different rules for SSN's, I think all customer information change would probably show up at least in a change log. Of course, I imagine most cust serv reps just tell you what you want to hear while you are on the phone with them.

Re:Bad news. XD

[umghhh]

unless of course it is a tax office (or some other god like institution) that has a free ride and does not even need a court order to invide your privacy and all this of course for your own good.

Re:Bad news. XD

[DrLang21]

Why would need a PK that does more than identify a record if you have a field that can be searched in that record that identifies the person? Moreover, why not just issue your own account numbers?

Talk "those" companies...

[gillbates]

Why?

Why not - and I mean this seriously - sue them for libel when they bring action for identity theft against you?

You can very easily demonstrate that the SSN is not a proof of identity (authentication). You can (or should be able to) easily demonstrate that a company which relies on SSN for identity authentication is negligent of its fiduciary duty to protect the assets of its stockholders. Toward the libel charge, you should be able to demonstrate that the company *should have known* there was strong possibility the person who stole your identity was not you, and yet continued to blame you for what was ultimately *their failure* to properly identify the person to whom they extended credit.

A simple case of this nature - one which establishes precedent and carries high punitive damages - should be enough to get the industry to reform. Without that case, it's just a matter of bickering between consumers and corporations, and guess who controls the media....

Re:Ugh, DirecTV should just go away

[HeronBlademaster]

Part of the reason companies keep this information, in my estimation, is to have ready to perform future credit checks if you request additional service.

It's also so they can make you repeat to them the last four digits of your SSN over the phone, out loud, regardless of whether you're in a public place and might not want to tell everyone in the room the last four digits of your SSN. Oh, and that's just to prove you are who you say you are (even though it doesn't do any such thing).

Oh, and does it bug anyone else when the automated phone system says "we're pulling up your account based on your phone number for your convenience." and then the CSR immediately asks for the same information so they can pull up the account manually (which, of course, most of the time requires giving them the last four digits of your SSN)?

Re:Identity Theft is a crime.

[jcnnghm]

When the collection agency files against your victim using their social security number for you not paying your bill. It's definitely identity theft, and I bet you would find that if it did effect them, they would try to have you prosecuted.

Re:Bad news. XD

[Teufelsmuhle]

I sincerely doubt the customer service rep has any idea whether or not the SSN is really gone. I'm sure they're more than happy to change the number displayed on the screen in front of them though, and as far as they are concerned that means the old number has disappeared.

But yes, behind the scenes, the SSN is almost certainly still present in a change log or on backup tapes somewhere. There's zero chance these companies go through the effort to completely purge your SSN from every log and tape. Once they have that number in their system, they've got it forever.

Re:SSSN != Credit union checking account number

[sofar]

seriously, you didn't run away screaming from that credit union?

Re:Identity Theft is a crime.

[Fulcrum+of+Evil]

Your name will show up as an Alias on their credit report and your address will show up as a former/current place of residence. Then, later, if your house is being foreclosed, it may affect their ability to get a loan or sell their house.

How is it my problem that the CRA keeps lousy records?

Re:Bad news. XD

[cayenne8]

Well, just because 'they' ask for an SSN, doesn't mean you have to give it!!

The best defense against a company keeping your SSN,is to NEVER give it. Sure, it might be a PITA sometimes, but, these days, it isn't nearly as hard as it used to be

Do not design DBs that store SSN!

[laughingskeptic]

Many of our peers here are the ones designing databases with SSN keys. Stop doing that! Hash the SSNs with a seed using MD5 or a stronger algorithm (or weaker if there is the possiblity that on rare occasions you will need to brute force the original SSN out). If you are required to validate against a subset of the number, store that hashed also. Done consistently you can use the hash to uniquely identify your customer without having to store the SSN in plain text.

The U.S. Government should tax the storage of SSN numbers. We could start at 2 cents per day per instance. Once the tax is enacted, it will be a perpetual risk for businesses that this tax rate will go up and there will be an obvious business case for coming up with other methods for identifying customers.

Re:Bad news. XD

[unlametheweak]

And the company can then refuse to do business with you.

One could only hope. It amazes me how even in the 21st century there are some people who would be stupid enough to give a business there SSN. I could understand giving them a fake SSN, just to fuck them up, but not a real SSN. I used to give radio shack fake phone numbers and addresses when they asked for them. People do not need to know this information, in fact they should not know this information.

Unfortunately people continue to do business with these types of companies, thus rewarding them for their bad and irresponsible behavior. I never give out by SSN.