Slashdot Mirror
How To Stop Businesses Storing SSNs Indefinitely?
The Angry Mick writes "My wife and I recently moved, and during the course of providing change-of-address information to the many companies we do business with, I asked each if they were storing a full Social Security number in their databases, and if so, could they remove it or replace it with an alternate identifier. Neither the experience nor the results were particularly enjoyable. On the positive end of the spectrum, some companies were more than willing to make a change, even offering suggestions for a suitable alternate such as a driver's license number. In the middle were companies that made things a little more difficult, requiring several steps up the management tree before speaking to someone with some actual authority to address the issue. Then there was DirectTV. This company not only flatly refused to consider the suggestion, but also informed me that even if I were to discontinue service with them, they still intended to keep my full SSN on file indefinitely. There is no logical reason for them to do this, and I'm not keen on the idea of being left vulnerable to identity theft should they have experience any security breaches at any future point in my life. So, my questions to the Slashdot community are: Has anyone else tried getting your SSN replaced or removed in corporate databases, and what were your experiences? And short of Armageddon, is there any way to force a company to erase your SSNs after you cease doing business with them, or is this a job for a lawyer or regulatory body?"
Back in the early 1980s -- yes, nearly 30 years ago -- MIT allowed students to refuse to have their SS numbers as their Institute ID numbers. In those cases, and also for foreign students who nominally don't have SS numbers, they issued numbers that passed the SS check, but were from an otherwise unallocated block. They cleverly encoded your class year into the number to boot. For a long time I gave my MIT ID number when non-finance-related institutions requested an SS. Worked fine.
I haven't had an active MIT ID for a long while, so don't know what they do now.
Put my fist through my alarm clock with its ding-dong death inside my ear. - The Blackjacks.
As someone currently working on a database that contains SSNs, I can tell you I couldn't get rid of every instance of yours if I tried. The entire architecture is based around not losing your data no matter how stupid I am. It's a nice thought, but the reality is that you're only increasing the number of people looking at your SSN by trying to get rid of it.
MIT allowed students to refuse to have their SS numbers as their Institute ID numbers.
A technical college I attended in Arizona was slightly different. They did allow you to use your SSN for your student ID, however, if you did so, every 4 months you were sent a letter that explained why this was a bad idea, for the student, to persist in doing this, and it closed out with a paragraph urging you to change it to something different.
Reply to That ||
... explaining that it is illegal to require me to provide it...
Except for the purposes of a credit check.
Part of the reason companies keep this information, in my estimation, is to have ready to perform future credit checks if you request additional service.
I know with my cell contracts, every time I have added a line, my credit gets checked. Nevermind that I have been a customer in good standing for many years.
It's Burn-Karma-Friday!
In scary America: (Slight exaggeration)
All data is now subordinated to Stopping Terrorists. All other uses are bonuses.
Data must be disclosed upon request without the consent of the individual, unless legislation provides a reason not to share the data, AND no current executive order exists allowing the override of that legislation.
Individuals have no right to access the info about them, subject to certain exceptions.
Personal info must be kept longer than necessary, and may not be up to date.
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
I always turn it right around on them instantly whenever some merchant wants my number. I got nailed years ago with ID theft, which really sucks and takes a long time to fix, so I came up with something that has been working for me.
I mention getting nailed previously, etc.,, then ask to see their indemnification policy on security breaches, in writing, so everything is "legal and proper".
You get the *really* blank stare then, because about zero of these companies have anything like that..because they are jerks, but we all know that anyway.
Let them sit for a bit and stew on that. Again, you throw it right back at them when they claim they are secure and "your data is safe with us" and all the other BS..."well, sir, we are secure, and...". They ALL say that, every single stupid company out there claims to be "secure". They initiate that claim when you ask. That's a *vital point* there. As part of this proposed business transaction now, they, through their rep who is talking to you right then and is prepared to accept your money, will make a statement that they are 'secure". This is the bingo moment.
I go, along these lines, "swell, that sounds great! You are secure, wonderful, that makes me feel better because ID theft is such a hassle and expense! Err..uhh..just for my records then, please just show me and if you could provide me simple copy of your "data security" warranty provisions, the indemnification policy you must have then, thanks! And BTW, not that this will ever come up, but exactly how much cash do I get back from you when and if you get compromised? If you are "totally secure" as you claim, then you should have no problems with a guarantee that you are secure in writing".
Salt to taste there, and I am never outright rude or obnoxious about it,(I will speak in a loud and clear tone though so any other customers present can hear this exchange) just make them backup their contractual claims they just made to you. They just offered you a proviso in the terms of an oral contract to go along with whatever written crap they want you to fill out that they are, in fact, "secure", so you can ask for proof and so on.
The original clerk will be baffled as expected and will then pass the buck. Then just keep bumping it up the food chain until you hit some manager who doesn't want to be bothered and they give you the service without having to hork over your precious. Sometimes it's fast, other times it takes awhile, but usually it works.
If some manager starts to get redneck on you, you can go, again, along these lines, "Oh, you now are withdrawing your offer, because your company lied to me? You tried to extract my cash from me based on a lie? That's serious legal fraud in this state my friend" and etc.
Anyway, it usually works and it certainly is fun!
What's even funnier is that the USPSTF has recommended AGAINST random PSA screening in individuals who are not already high risk (above 50, history of family prostate cancer) due to low positive predictive value and high false positive rates. The reasoning is that since you are more likely to get a false positive if you are not high risk, you will then spend unnecessary money on treatment, procedures (including biopsies which can put you at additional risk, AND if caught early they haven't been shown to increase your lifespan. I.E. Prostate cancer caught early is as treatable as prostate cancer caught later when true symptoms show up. Just an FYI if anyone cares.
"Thank you for using Stop-n-Drop, America's favorite suicide booth since 2008"
> so I politely suggest a different number, or insist on only giving 3-4 digits of it.
I tried this once with Verizon. I was signing up for a new account, in person, at the Verizon store. They wanted my SSN, and I told them I wouldn't take the account if I had to give that out.
They said no problem. The salesman called their credit dept, and handed the phone to me. They asked my name & address, and asked for the last 4 digits of my SSN.
They were searching some database - they found me by last name & address, and they only wanted the last 4 digits to verify that they found me. And I am sure they put my SSN into my account while I was on the phone.
I don't think it helps to keep SSN's from these businesses . . . they can grab them without needing to get them from you.
Your name will show up as an Alias on their credit report and your address will show up as a former/current place of residence. Then, later, if your house is being foreclosed, it may affect their ability to get a loan or sell their house.
I used to write mortgage software and credit report retrieval software and I have seen this exact situation, probably from someone giving out a "fake" SSN for privacy reasons, although we had no idea why this other information was on the report (maybe a transposed SSN).
Anyway, you can have a negative effect on others by doing this.
Peter predicted that you would "deliberately forget" creation 2000 years ago...
One should be careful giving out fake SSNs, as you may be accused of attempted identity theft or fraud or whatnot. But, who's to say you or some data entry person didn't make a mistake and mistype one of the numbers, or transpose two of the numbers? Looks like an innocent mistake, I say! If you do it consistently enough, you can even use the excuse, "God, that typo has been following me around forever!"
I'm just sayin'.
I also use my old phone numbers and addresses for those who require such information. "Oh, that's my _old_ number!" :)
That will give you a tax number you can provide for all these services that seem to require one. Also, if the corporation's identity somehow gets stolen, well, you just trash it and get a new one. It's not the cheapest option available, but it will at least keep your personal information private.
Just an idea.
-Restil
Play with my webcams and lights here