How To Stop Businesses Storing SSNs Indefinitely?
The Angry Mick writes "My wife and I recently moved, and during the course of providing change-of-address information to the many companies we do business with, I asked each if they were storing a full Social Security number in their databases, and if so, could they remove it or replace it with an alternate identifier. Neither the experience nor the results were particularly enjoyable. On the positive end of the spectrum, some companies were more than willing to make a change, even offering suggestions for a suitable alternate such as a driver's license number. In the middle were companies that made things a little more difficult, requiring several steps up the management tree before speaking to someone with some actual authority to address the issue. Then there was DirectTV. This company not only flatly refused to consider the suggestion, but also informed me that even if I were to discontinue service with them, they still intended to keep my full SSN on file indefinitely. There is no logical reason for them to do this, and I'm not keen on the idea of being left vulnerable to identity theft should they experience any security breaches at any future point in my life. So, my questions to the Slashdot community are: Has anyone else tried getting your SSN replaced or removed in corporate databases, and what were your experiences? And short of Armageddon, is there any way to force a company to erase your SSNs after you cease doing business with them, or is this a job for a lawyer or regulatory body?"
Some (financial) Point Of Sale software I designed uses SSNs to tell the difference between customers with identical names. If I change the SSN... it thinks you're a new customer. Well... this is something to think about.
"Sorrow is better than laughter, for by sadness of face the heart is made glad." [Ecclesiastes 7:3]
Lately it seems everyone wants to know my SSN: my dentist, my grocery store, my heating fuel supplier, the guy who changes my oil, etc. When credit checks are required, I ask them to try running it without the SSN (just address data) and often they will try. Other times, they are simply using the SSN as a convenient identifier for customers -- !!!! -- so I politely suggest a different number, or insist on only giving 3-4 digits of it. Thankfully my health insurance company will generate an internal ID# for you, if you request it, so that your SSN is not printed on your insurance card and therefore stored at your physician's office.
Other than to the government, and to organizations directly attached to my banking needs, what's wrong with giving a different number in place of the SSN? As long as you can remember it, that is. Would that be considered some kind of fraud?
Liberal? Conservative? Compare perspectives at Left-Right
So, you could call them up and threaten them with prosecution under the aforementioned acts which--given the right tone of voice--should do the trick for you. Or, if you read the GAO report, they say:
In 1998, Congress made identity theft a federal crime when it enacted the Identity Theft and Assumption Deterrence Act (Identity Theft Act). The act made it a criminal offense for a person to "knowingly transfer, possess, or use without lawful authority," another person's means of identification "with the intent to commit, or to aid or abet, or in connection with, any unlawful activity that constitutes a violation of federal law, or that constitutes a felony under any applicable state or local law." Under the act, a name or SSN is considered a "means of identification," and a number of cases have been prosecuted under this law.
Now, with that, I would seek a lawyer who would take this case (maybe even some high profile lawyer or a member of the EFF) and clearly outline the above in a written letter with your signature informing them that they are in violation of the "Identity Theft and Assumption Deterrence Act (Identity Theft Act)" and if they do not remove your Social Security Numbers, you will take legal action. If your case is solid enough, you might be able to really stick it to DirectTV for storing personal private data "without lawful authority" as they do not have the written consent of every customer.
My work here is dung.
P.I.P.E.D.A.
Canadian regulation that in short says any business has to divulge any personal information of yours that they are storing, and allow you to change or remove it. It may be with a simple web-site form, it may be with a written letter, but that's the law.
Information wants to be free.
A house divided against itself cannot stand.
If you provide your SSN to Comcast, they also store it indefinitely.
They use it for internal credit checks to make sure you don't owe them any money on previous accounts (and likely for other things as well).
That said you can usually set up an account without your SSN, but you'll need to set it up directly with your local office instead of by phone or internet.
Your SSN has expired, please choose a new one.
Old SSN: __________________
New SSN: __________________
Retype new SSN (tip: copy from above): __________________
Swedish plasma phys. PhD student; MSc EE; knows maths, programming, electronics; finance interest; seeks opportunities
As someone currently working on a database that contains SSNs, I can tell you I couldn't get rid of every instance of yours if I tried. The entire architecture is based around not losing your data no matter how stupid I am. It's a nice thought, but the reality is that you're only increasing the number of people looking at your SSN by trying to get rid of it.
Read This, I hope it helps!
http://www.privacyrights.org/fs/fs10a-SSNFAQ.htm
Although it is actually illegal to use a SSN for identification, companies claim it is for, uhhh, just for the record. I'm sure you must be among the 99% of people with a cell phone. I've tried with all of the big three to get a phone without giving a SSN, explaining that it is illegal to require me to provide it, and they all told me "I understand, thanks for shopping with us".
There is no reason for a POS to have SSN. There are many other methods to get uniqueness.
When companies ask for it, I request for what use do they have for it. I have left hospitals for requesting the information, for they have no need for the information.
But to ask a person doing a POS transaction for their SSN is just plain broken.
The problem is that the banks (and similar) have convinced you that you are the one being defrauded.
Sure, someone opens an account using your details and it sucks for you, but it wasn't your mistake, it was the institution that opened the account that made the mistake.
Nerd rage is the funniest rage.
I had their collection agency call me earlier this year asking if I really was the person who ordered service in my name in a house on the other side of town and failed to pay the bill for three months. No, it was an SSN thief who took out service in my name, using my fine credit rating. It turns out that DirecTV doesn't check your bona fides such as your address - they only run a credit check on the name and SSN you provide, without verifying that you belong to either that name or SSN!
The determined Real Programmer can write Fortran programs in any language.
... explaining that it is illegal to require me to provide it...
Except for the purposes of a credit check.
Part of the reason companies keep this information, in my estimation, is to have ready to perform future credit checks if you request additional service.
I know with my cell contracts, every time I have added a line, my credit gets checked. Never mind that I have been a customer in good standing for many years.
SSNs are not secrets. They are not authentication credentials.
Storing (or even leaking) SSNs is not the problem. The problem is when certain negligent organizations use knowledge of SSNs as some sort of proof of identity. If you're worried about your SSN being misused, talk to those companies.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
Don't do that! Tin foil is actually aluminum foil, which is produced by Alcoa. Alcoa is a front for the New World Order and they treat the metal in such a way to actually increase signal propagation from your brain. The only real solution to government mind control or reading is to boil your head in distilled or rain water. 30 seconds at 100C should be enough.
Dish Network and DirecTV keep your SSN as previously mentioned to ensure that you do not owe them money from a previous account and so you can never again qualify for new user treatment (free equipment, programming packages and installation), the sock sucking bastiges. As for identity theft, unless you conduct all business by trading beans in a 3rd world country, at this point it seems to be a matter of when, not if.
I always turn it right around on them instantly whenever some merchant wants my number. I got nailed years ago with ID theft, which really sucks and takes a long time to fix, so I came up with something that has been working for me.
I mention getting nailed previously, etc., then ask to see their indemnification policy on security breaches, in writing, so everything is "legal and proper".
You get the *really* blank stare then, because about zero of these companies have anything like that..because they are jerks, but we all know that anyway.
Let them sit for a bit and stew on that. Again, you throw it right back at them when they claim they are secure and "your data is safe with us" and all the other BS..."well, sir, we are secure, and...". They ALL say that, every single stupid company out there claims to be "secure". They initiate that claim when you ask. That's a *vital point* there. As part of this proposed business transaction now, they, through their rep who is talking to you right then and is prepared to accept your money, will make a statement that they are "secure". This is the bingo moment.
I go, along these lines, "swell, that sounds great! You are secure, wonderful, that makes me feel better because ID theft is such a hassle and expense! Err..uhh..just for my records then, please just show me and if you could provide me simple copy of your "data security" warranty provisions, the indemnification policy you must have then, thanks! And BTW, not that this will ever come up, but exactly how much cash do I get back from you when and if you get compromised? If you are "totally secure" as you claim, then you should have no problems with a guarantee that you are secure in writing".
Salt to taste there, and I am never outright rude or obnoxious about it (I will speak in a loud and clear tone though so any other customers present can hear this exchange), just make them back up their contractual claims they just made to you. They just offered you a proviso in the terms of an oral contract to go along with whatever written crap they want you to fill out that they are, in fact, "secure", so you can ask for proof and so on.
The original clerk will be baffled as expected and will then pass the buck. Then just keep bumping it up the food chain until you hit some manager who doesn't want to be bothered and they give you the service without having to hork over your precious. Sometimes it's fast, other times it takes awhile, but usually it works.
If some manager starts to get redneck on you, you can go, again, along these lines, "Oh, you now are withdrawing your offer, because your company lied to me? You tried to extract my cash from me based on a lie? That's serious legal fraud in this state my friend" and etc.
Anyway, it usually works and it certainly is fun!
No, it's illegal for the Government to use it other than for its intended purpose. Companies can do what they like with it.
From the Social Security Website: http://ssa-custhelp.ssa.gov/cgi-bin/ssa.cfg/php/enduser/std_adp.php?p_faqid=78
If a business or other enterprise asks you for your number, you can refuse to give it. However, that may mean doing without the purchase or service for which your number was requested. For example, utility companies and other services ask for a Social Security number, but do not need it; they can do a credit check or identify the person in their records by alternative means.
[emphasis mine]
"Also, SSNs don't expire, so you get off their list if you die. "
This is not necessarily true. My mother died in the year 2000 and we still occasionally get in the mail offers from a company that kept her SSN. We told them she is dead but they keep sending stuff anyway. We've given up and are willing to let them continue to waste their money.
Why?
Why not - and I mean this seriously - sue them for libel when they bring action for identity theft against you?
You can very easily demonstrate that the SSN is not a proof of identity (authentication). You can (or should be able to) easily demonstrate that a company which relies on SSN for identity authentication is negligent of its fiduciary duty to protect the assets of its stockholders. Toward the libel charge, you should be able to demonstrate that the company *should have known* there was strong possibility the person who stole your identity was not you, and yet continued to blame you for what was ultimately *their failure* to properly identify the person to whom they extended credit.
A simple case of this nature - one which establishes precedent and carries high punitive damages - should be enough to get the industry to reform. Without that case, it's just a matter of bickering between consumers and corporations, and guess who controls the media....
The society for a thought-free internet welcomes you.
In the glorious future, the government will extend resources to financial institutions that mistakenly issue credit on fraudulently provided information, and help them deal with and resolve the consequences of their actions.
The hilarity of that statement makes me sad.
Nerd rage is the funniest rage.
I don't think giving a fake SSN is identity theft. (And I happen to be a victim of identity theft.) If I say "my name is Jason Levine and my SSN is 583-58-2958" (not my real SSN, of course), I haven't stolen anyone's identity. Yes, that number might match someone's SSN somewhere, but chances are the name won't. So if you look up the SSN and see it's assigned to "Jane Smith", it will be pretty obvious that the SSN given was wrong or an error occurred somewhere.
Now, if I said "my name is John Smith" and gave John Smith's SSN, Address, etc, *that* would be identity theft.
My sci-fi novel, Ghost Thief, is now available from Amazon.com.
They then asked me to prove to them I didn't have the modem. How the fuck do you prove that?
You keep the receipt they give you when you return the modem. I've been screwed like that too, now I know better.
When I set up my utilities, they all asked for my SSN.
The gas company and the phone company both told me that providing it was optional. BUT, if I didn't provide it, they would not run a credit check on me, and so would require a $250 cash deposit (interesting that both companies had $250 as the deposit amount) before connecting service, to remain in their possession until I canceled service upon moving out.
I was glad that I had the option, and I thought it was most honest and upfront of them to tell me my choices.
I elected to let them run the credit check, but I appreciated having the option.
Part of the reason companies keep this information, in my estimation, is to have ready to perform future credit checks if you request additional service.
It's also so they can make you repeat to them the last four digits of your SSN over the phone, out loud, regardless of whether you're in a public place and might not want to tell everyone in the room the last four digits of your SSN. Oh, and that's just to prove you are who you say you are (even though it doesn't do any such thing).
Oh, and does it bug anyone else when the automated phone system says "we're pulling up your account based on your phone number for your convenience." and then the CSR immediately asks for the same information so they can pull up the account manually (which, of course, most of the time requires giving them the last four digits of your SSN)?
Having lived in the US my impression is that this is a cultural difference: Americans value convenience much more than Canadians (which probably explains why the US has somewhat higher productivity than Canada) and that the bellicosity of American culture has normalized intimidation and bullying as a means of social interaction, so American businesses are more likely to try to bully customers into giving up inappropriate information, and individual Americans are more likely to go the convenient route and give that information up.
I fought and resisted and refused and was greatly inconvenienced for many years over the SSN issue. I don't think it started with businesses; I think the government first started abusing it.
When I went to get my first drivers license in 1986, I brought my scored test and driving evaluation to the little booth where they bundle your info together and take your photo. Way back then, you had to wait a couple weeks for them to mail it to you. Prior to that, oddly, they just gave you the card. I heard the DMV worker tell one guy that they are "going computerized" and the reason for the delay was the data entry process. This new system used your SSN as your drivers license number. I wasn't thrilled about that.
Part of the application had a big area on the top for your SSN. I left mine blank. In the instructions they mention (in the fine print) that you can get an alternate number, which is what I wanted to do. I get to the counter and the guy throws a major fit. No joke. He loudly asks why I haven't bothered to fill in my SSN, and I ask for the alternate number. He goes on and on, telling me that I'm holding up the line, to "just fill in your damn number like everyone else" and so on. We have about 15 minutes of this back and forth until in a huff he throws me the little additional paper I need to fill out to ask for an alternate number.
The guy called me a nut, the people stared at me like I was insane. But using a SSN as a license number is a horrible idea. It was later scrapped, too.
When I moved to California in the late 90's the situation was even worse. I was told I not only needed to provide my SSN, but also a thumbprint before I could get a license. I politely mentioned that SSNs weren't allowed to be used as personal identifiers, and asked what my options were. Apparently not a new topic there, as the very bored lady rolled her eyes and muttered "Your other option is to not drive in California". And that was it.
Once the government starts doing this, people get the notion that they can do it in their business as well. I tried to rent an apartment once and refused to hand over my SSN. I was unable to rent the apartment. When you get a phone, or cable service, they ask for an SSN. Anything involving a credit check will involve them asking for an SSN, and you can get around it, but it makes things harder. I fought it for years and years, but in the end realized it was futile.
It's become so commonplace that refusing to hand over an SSN makes you look like a whacko in many people's eyes. Which is really sad.
California has had a law since 2002 that requires any business holding personally identifiable information to disclose any security breaches regarding that info to anyone possibly affected. Businesses screamed holy hell when it was enacted. I've seen first hand how worked up people get when you provide them with a list of people they are forced to notify. I know how much all those letters cost to mail. A federal law like that would be a good thing. But I think the genie is out of the bottle.
-B
Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.
When the collection agency files against your victim using their social security number for you not paying your bill. It's definitely identity theft, and I bet you would find that if it did affect them, they would try to have you prosecuted.
You don't make the poor richer by making the rich poorer. - Winston Churchill
Your name will show up as an Alias on their credit report and your address will show up as a former/current place of residence. Then, later, if your house is being foreclosed, it may affect their ability to get a loan or sell their house.
I used to write mortgage software and credit report retrieval software and I have seen this exact situation, probably from someone giving out a "fake" SSN for privacy reasons, although we had no idea why this other information was on the report (maybe a transposed SSN).
Anyway, you can have a negative effect on others by doing this.
Peter predicted that you would "deliberately forget" creation 2000 years ago...
About a year ago I politely asked my Senators if they would work to end use of SS#s by private companies either by outlawing it except for financial institutions or forcing some sort of costly security minimum for storage of SS#s and insurance in the event of theft to discourage people who don't actually need it. Both of which seem logical enough no one should be actively opposed to it.
Months later I received a response from both Senators. One was a form letter about how great the Senator was and how he appreciated my support. The other said that he would consider such a bill if one came before him. So feel free to write the bill and send it to your Senator as mine didn't realize creating legislation was part of his job. Not that it's a surprise as it would explain why lobbyists are so busy writing our laws.
seriously, you didn't run away screaming from that credit union?
Here's a couple things you can try:
DROP TABLE customers
DROP TABLE accounts
DROP TABLE users
Your name will show up as an Alias on their credit report and your address will show up as a former/current place of residence. Then, later, if your house is being foreclosed, it may affect their ability to get a loan or sell their house.
How is it my problem that the CRA keeps lousy records?
"We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
One should be careful giving out fake SSNs, as you may be accused of attempted identity theft or fraud or whatnot. But, who's to say you or some data entry person didn't make a mistake and mistype one of the numbers, or transpose two of the numbers? Looks like an innocent mistake, I say! If you do it consistently enough, you can even use the excuse, "God, that typo has been following me around forever!"
I'm just sayin'.
I also use my old phone numbers and addresses for those who require such information. "Oh, that's my _old_ number!" :)
Everyone should just pick a number between 987-65-4320 and 987-65-4329 and use that. That block is reserved for use in advertising.
-- I'm old enough to have lived through six different meanings of the word "hacker."
This isn't a problem for anyone that knows their rights about the Fair Debt Collection Practices Act. If someone tries to collect a debt against you that isn't legitimate, it's a simple matter to write up a letter demanding verification of the debt and send it to the collector within 30 days of receiving the initial notice. The collector then must provide proof of the debt (which they won't be able to do even if the SSN is the same), and if they continue to attempt to collect without being able to verify it, it's like free money after the lawsuit.
Providing a false SSN is *not* identity theft when it's the only fictitious information given, and I challenge you to show where someone has been prosecuted for it.
Please stand clear of the doors, por favor mantenganse alejado de las puertas
I've had good luck reporting companies to the Better Business Bureau if their customer service is highly uncooperative. I was receiving unsolicited credit card offers from Citi, even though I'd signed up for the permanent do-not-sell list. Their customer service couldn't tell me who sold them my information, but after talking to the BBB, I got a call from someone higher up who let me know Equifax had sold it to them.
I had much worse issues with Alienware, whose customer service was atrocious. I eventually had to go to both the BBB and the Florida Attorney General's office, but they finally swapped out my lemon of a laptop for a new one.
That will give you a tax number you can provide for all these services that seem to require one. Also, if the corporation's identity somehow gets stolen, well, you just trash it and get a new one. It's not the cheapest option available, but it will at least keep your personal information private.
Just an idea.
-Restil
Play with my webcams and lights here
For those who are wondering how to get a fake SSN from a block that won't get allocated, the easiest thing to do is just change the first digit of your real SSN to an "8" - no SSN starting with 8 has ever been allocated and likely will not be for quite some time.
Many of our peers here are the ones designing databases with SSN keys. Stop doing that! Hash the SSNs with a seed using MD5 or a stronger algorithm (or weaker if there is the possibility that on rare occasions you will need to brute force the original SSN out). If you are required to validate against a subset of the number, store that hashed also. Done consistently you can use the hash to uniquely identify your customer without having to store the SSN in plain text.
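An added example, not part of the thread or any poster's code, for the comment above about hashing SSNs as database keys: because an SSN has only nine digits, a hash whose seed is stored with the data can be matched by enumeration, while an HMAC under a key held outside the database cannot. The seed, key, function names and the sample number (taken from the advertising-reserved block mentioned earlier in the thread) are all constructed assumptions.

```python
import hashlib
import hmac
import re

# Constructed sample: 987-65-4321 falls in the block the thread notes is
# reserved for advertising, so it is not a real person's number.
SAMPLE_SSN = "987-65-4321"
DB_SEED = b"per-table-seed"     # assumption: seed stored in the same database
LOOKUP_KEY = bytes(range(32))   # assumption: stand-in for a key held outside the DB


def normalize(ssn):
    """Strip separators so '987-65-4321' and '987 65 4321' hash identically."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("an SSN has exactly 9 digits")
    return digits


def seeded_md5(ssn, seed=DB_SEED):
    """The scheme as the comment describes it: MD5 over seed + SSN."""
    return hashlib.md5(seed + normalize(ssn).encode()).hexdigest()


def keyed_token(ssn, key=LOOKUP_KEY):
    """HMAC-SHA256 under a secret key: a stable customer identifier that
    cannot be recomputed by someone who holds only the database."""
    return hmac.new(key, normalize(ssn).encode(), hashlib.sha256).hexdigest()


def last4_token(last4, key=LOOKUP_KEY):
    """Separate token for 'validate against a subset'; the b'last4:' prefix
    keeps it from ever colliding with a full-number token."""
    if not re.fullmatch(r"\d{4}", last4):
        raise ValueError("expected exactly 4 digits")
    return hmac.new(key, b"last4:" + last4.encode(), hashlib.sha256).hexdigest()


def verify_last4(stored_token, spoken_last4, key=LOOKUP_KEY):
    """Constant-time check of a caller-supplied last four against the stored token."""
    return hmac.compare_digest(stored_token, last4_token(spoken_last4, key))


def search_serials(target, first_five, hash_fn):
    """Audit helper: try the 10,000 serials completing a known 5-digit prefix
    and report whether the stored value can be matched."""
    for serial in range(10_000):
        candidate = f"{first_five}{serial:04d}"
        if hmac.compare_digest(hash_fn(candidate), target):
            return candidate
    return None


if __name__ == "__main__":
    # Seed sits next to the data: the stored hash is matched by enumeration.
    print("seeded MD5 :", search_serials(seeded_md5(SAMPLE_SSN), "98765", seeded_md5))
    # Key is not in the database: the same enumeration finds nothing.
    without_key = lambda s: keyed_token(s, key=b"not-the-real-key")
    print("keyed HMAC :", search_serials(keyed_token(SAMPLE_SSN), "98765", without_key))
```

The whole nine-digit space is at most 10^9 values, so swapping MD5 for a stronger unkeyed hash does not change the outcome; the protection comes from keeping the key out of the database and its backups.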
The U.S. Government should tax the storage of SSN numbers. We could start at 2 cents per day per instance. Once the tax is enacted, it will be a perpetual risk for businesses that this tax rate will go up and there will be an obvious business case for coming up with other methods for identifying customers.