How To Stop Businesses Storing SSNs Indefinitely?

The Angry Mick writes "My wife and I recently moved, and during the course of providing change-of-address information to the many companies we do business with, I asked each if they were storing a full Social Security number in their databases, and if so, could they remove it or replace it with an alternate identifier. Neither the experience nor the results were particularly enjoyable. On the positive end of the spectrum, some companies were more than willing to make a change, even offering suggestions for a suitable alternate such as a driver's license number. In the middle were companies that made things a little more difficult, requiring several steps up the management tree before speaking to someone with some actual authority to address the issue. Then there was DirectTV. This company not only flatly refused to consider the suggestion, but also informed me that even if I were to discontinue service with them, they still intended to keep my full SSN on file indefinitely. There is no logical reason for them to do this, and I'm not keen on the idea of being left vulnerable to identity theft should they have experience any security breaches at any future point in my life. So, my questions to the Slashdot community are: Has anyone else tried getting your SSN replaced or removed in corporate databases, and what were your experiences? And short of Armageddon, is there any way to force a company to erase your SSNs after you cease doing business with them, or is this a job for a lawyer or regulatory body?"

Something I've considered...

[Anonymusing]

Lately it seems everyone wants to know my SSN: my dentist, my grocery store, my heating fuel supplier, the guy who changes my oil, etc. When credit checks are required, I ask them to try running it without the SSN (just address data) and often they will try. Other times, they are simply using the SSN as a convenient identifier for customers -- !!!! -- so I politely suggest a different number, or insist on only giving 3-4 digits of it. Thankfully my health insurance company will generate an internal ID# for you, if you request it, so that your SSN is not printed on your insurance card and therefore stored at your physician's office.

Other than to the government, and to organizations directly attached to my banking needs, what's wrong with giving a different number in place of the SSN? As long as you can remember it, that is. Would that be considered some kind of fraud?

Re:Something I've considered...

[pz]

Back in the early 1980s -- yes, nearly 30 years ago -- MIT allowed students to refuse to have their SS numbers as their Institute ID numbers. In those cases, and also for foreign students who nominally don't have SS numbers, they issued numbers that passed the SS check, but were from an otherwise unallocated block. They cleverly encoded your class year into the number to boot. For a long time I gave my MIT ID number when non-finance-related institutions requested an SS. Worked fine.

I haven't had an active MIT ID for a long while, so don't know what they do now.

Re:Something I've considered...

[moose_hp]

I'm not trying to be a troll here, this is an honest question.

I'm not from the United States, nor I live there, but I never got why exactly is a SSN supposed to be secret, is it possible to do identity theft with only the SSN alone? Here in Mexico we have a ton of personal identification numbers (RFC, CURP, IFE number, Passport, Drivers License, Military Service, Social Security, Professional Certificate, etc) and none of them is really supposed to be secret, I don't get why people from the USA a secret number that you're not supposed to divulge, yet you need to give up for reasons like cable TV contracts and there's chaos when something like a database of SSN got leaked .

Re:Something I've considered...

[jDeepbeep]

is it possible to do identity theft with only the SSN alone?

Unfortunately, yes. It provides enough of a building block (used both as an identifier and as an authenticator) to allow a moderately-clever person to build up the rest of the identity.

Re:Something I've considered...

[Daniel_Staal]

It's not. It's supposed to be unique (within certain criteria: they do get reused eventually) across everyone in the USA, so the Social Security Administration can identify everyone. That's all it was designed for.

It just happened that the SSN was the first major government number that everyone was required to have. So everyone else used the fact that it was there and unique to make their lives easier. Which means that now everybody tracks you by that number, and if you have that number you can impersonate anyone in any database that uses it.

It's not supposed to be secret. It's not supposed to be your full ID. It just became that.

Re:Something I've considered...

[MirthScout]

That's actually a good question. The answer is , no, it is not supposed to be secret. It is an identifier; identifiers are not secret.

The problem is that so many companies misuse SSNs. They treat them as if they were passwords.
What is your name? John Smith
What is your SSN? 123-45-6789
OK, you must be John Smith all right. What can I do for you?

It is this completely broken way that companies "verify" your identity that is the problem. People try to keep their SSN secret to reduce the chances an "identity thief" will get it and use a company's and/or bank's broken procedures to steal from you.

Re:Something I've considered...

[onyxruby]

Many years back I worked as a skiptracer / fraud researcher for a well known credit card company. The short of the answer is that with a social security number a person can readily learn a persons private financial details by pulling a credit report.

There is no mechanism that prevents companies from doing so, they 'self authenticate' as it were. Unlike a person who must provide details to prove that they really are who they claim they are. All a business has to do either claim you have given your consent or that you owe them money and they gain full access to your private credit report.

With a credit report alone I can tell everything from what kind of car you own (as most people finance) to where you live, where you have lived, what your lifestyle choices are, where you shop and so on. It's a pretty thorough invasion of privacy. Using additional services I can gain other information about you such as property you own, tax records, court records, family records, residence, an unscrupulous person could even find out your health records. In ten to fifteen minutes I have a very telling picture of your life, whether you want someone to have it or not.

The bottom line is that with a social security number there is very little about a person that cannot be readily discerned in a very short period of time. Unethical people will quickly cross the line, checking things that they shouldn't or, even stealing your identity.

Re:Something I've considered...

[MidnightPsycho]

> so I politely suggest a different number, or insist on only giving 3-4 digits of it.

I tried this once with Verizon. I was signing up for a new account, in person, at the Verizon store. They wanted my SSN, and I told them I wouldn't take the account if I had to give that out.

They said no problem. The salesman called their credit dept, and handed the phone to me. They asked my name & address, and asked for the last 4 digits of my SSN.

They were searching some database - they found me by last name & address, and they only wanted the last 4 digits to verify that they found me. And I am sure they put my SSN into my account while I was on the phone.

I don't think it helps to keep SSN's from these businesses . . . they can grab them without needing to get them from you.

What did you expect?

[pedestrian+crossing]

Information wants to be free.

Re:Ugh, DirecTV should just go away

[Reece400]

If you provide your SSN to Comcast, they also store it indefinatly.
They use it for internal credit checks to make sure you don't owe them any money on previous accounts (and likely for other things as well).

That said you can usually setup an account without your SSN, but you'll need to set it up directly with your local office instead of by phone or internet.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Not gonna happen

[FlyingBishop]

As someone currently working on a database that contains SSNs, I can tell you I couldn't get rid of every instance of yours if I tried. The entire architecture is based around not losing your data no matter how stupid I am. It's a nice thought, but the reality is that you're only increasing the number of people looking at your SSN by trying to get rid of it.

Re:Bad news. XD

[dintech]

I was wondering if there was anything equivalent to the Data Protection Act in the America:

• Data may only be used for the specific purposes for which it was collected.
• Data must not be disclosed to other parties without the consent of the individual whom it is about, unless there is legislation or other overriding legitimate reason to share the information (for example, the prevention or detection of crime). It is an offence for Other Parties to obtain this personal data without authorisation.
• Individuals have a right of access to the information held about them, subject to certain exceptions (for example, information held for the prevention or detection of crime).
• Personal information may be kept for no longer than is necessary and must be kept up to date.
• Personal information may not be sent outside the European Economic Area unless the individual whom it is about has consented or adequate protection is in place, for example by the use of a prescribed form of contract to govern the transmission of the data.
• Subject to some exceptions for organisations that only do very simple processing, and for domestic use, all entities that process personal information must register with the Information Commissioner's Office.
• Entities holding personal information are required to have adequate security measures in place. Those include technical measures (such as firewalls) and organisational measures (such as staff training).
• Subjects have the right to have factually incorrect information corrected (note: this does not extend to matters of opinion).

Re:Your Rights & Your Actions

[Richard_at_work]

In 1998, Congress made identity theft a federal crime when it enacted the Identity Theft and Assumption Deterrence Act (Identity Theft Act).5 The act made it a criminal offense for a person to "knowingly transfer, possess, or use without lawful authority," another person's means of identification "with the intent to commit, or to aid or abet, or in connection with, any unlawful activity that constitutes a violation of federal law, or that constitutes a felony under any applicable state or local law." Under the act, a name or SSN is considered a "means of identification," and a number of cases have been prosecuted under this law.

Now, with that, I would seek a lawyer who would take this case (maybe even some high profile lawyer or a member of the EFF) and clearly outline the above in a written letter with your signature informing them that they are in violation of the "Identity Theft and Assumption Deterrence Act (Identity Theft Act)" and if they do not remove your Social Security Numbers, you will take legal action. If your case is solid enough, you might be able to really stick it to DirectTV for storing personal private data "without lawful authority" as they do not have the written consent of every customer.

Nothing in that quote suggests it is against the law for the company to retain the SSN in the course of lawful business, and as they are not intending to commit or aid or abet an unlawful activity, then your harshly worded letter would be meaningless.

Of course, other laws may be quotable with better effect...

Broken by design.

[jackb_guppy]

There is no reason for a POS to have SSN. There are many other methods to get uniqueness.

When companies ask for it, I request for what use do they have for it. I have left hospitals for requesting the information, for they have no need for the information.

But to ask a person doing a POS transaction for their SSN, is just plan broken.

Re:Broken by design.

[TheRealMindChild]

This isn't really in defense of the hospitals, but a WHOLE LOT of people use the hospital because they can't pay for medical attention and the hospital can't refuse. The SSN is likely there so they can track you down to the ends of the Earth to try and get their money.

Re:Broken by design.

[fataugie]

So it was you who gave them my SS#!
You insensative Clod!

Re:issue people new SSNs every year

[maxume]

The problem is that the banks (and similar) have convinced you that you are the one being defrauded.

Sure, someone opens an account using your details and it sucks for you, but it wasn't your mistake, it was the institution that opened the account that made the mistake.

Re:Bad news. XD

[Hatta]

No, in America we use the free market system. Which means the system is free to market your data any way they want.

you're confused

[Lord+Ender]

SSNs are not secrets. They are not authentication credentials.

Storing (or even leaking) SSNs is not the problem. The problem is when certain negligent organizations use knowledge of SSNs as some sort of proof of identity. If you're worried about your SSN being misused, talk to those companies.

Re:Glad you have free time

[wampus]

Don't do that! Tin foil is actually aluminum foil, which is produced by Alcoa. Alcoa is a front for the New World Order and they treat the metal in such a way to actually increase signal propagation from your brain. The only real solution to government mind control or reading is to boil your head in distilled or rain water. 30 seconds at 100C should be enough.

Re:Bad news. XD

[dnahelicase]

Do you think they actually delete your SSN anyway? I can see two things happening: 1) customer service tells you "yes, we can do that" and doesn't do anything or 2) somebody makes a note to change your SSN to XXX and then enters it in a system that keeps a change log that stores SSN to XXX. Unless they have a system for specifying different rules for SSN's, I think all customer information change would probably show up at least in a change log. Of course, I imagine most cust serv reps just tell you what you want to hear while you are on the phone with them.

Indemnification

[zogger]

I always turn it right around on them instantly whenever some merchant wants my number. I got nailed years ago with ID theft, which really sucks and takes a long time to fix, so I came up with something that has been working for me.

    I mention getting nailed previously, etc.,, then ask to see their indemnification policy on security breaches, in writing, so everything is "legal and proper".

  You get the *really* blank stare then, because about zero of these companies have anything like that..because they are jerks, but we all know that anyway.

    Let them sit for a bit and stew on that. Again, you throw it right back at them when they claim they are secure and "your data is safe with us" and all the other BS..."well, sir, we are secure, and...". They ALL say that, every single stupid company out there claims to be "secure". They initiate that claim when you ask. That's a *vital point* there. As part of this proposed business transaction now, they, through their rep who is talking to you right then and is prepared to accept your money, will make a statement that they are 'secure". This is the bingo moment.

    I go, along these lines, "swell, that sounds great! You are secure, wonderful, that makes me feel better because ID theft is such a hassle and expense! Err..uhh..just for my records then, please just show me and if you could provide me simple copy of your "data security" warranty provisions, the indemnification policy you must have then, thanks! And BTW, not that this will ever come up, but exactly how much cash do I get back from you when and if you get compromised? If you are "totally secure" as you claim, then you should have no problems with a guarantee that you are secure in writing".

  Salt to taste there, and I am never outright rude or obnoxious about it,(I will speak in a loud and clear tone though so any other customers present can hear this exchange) just make them backup their contractual claims they just made to you. They just offered you a proviso in the terms of an oral contract to go along with whatever written crap they want you to fill out that they are, in fact, "secure", so you can ask for proof and so on.

  The original clerk will be baffled as expected and will then pass the buck. Then just keep bumping it up the food chain until you hit some manager who doesn't want to be bothered and they give you the service without having to hork over your precious. Sometimes it's fast, other times it takes awhile, but usually it works.

    If some manager starts to get redneck on you, you can go, again, along these lines, "Oh, you now are withdrawing your offer, because your company lied to me? You tried to extract my cash from me based on a lie? That's serious legal fraud in this state my friend" and etc.

Anyway, it usually works and it certainly is fun!

Re:Ugh, DirecTV should just go away

[Albanach]

Although is is actually illegal to use a SSN for identification

No, it's illegal for the Government to use it other than for its intended purpose. Companies can do what they like with it.

From the Social Security Website: http://ssa-custhelp.ssa.gov/cgi-bin/ssa.cfg/php/enduser/std_adp.php?p_faqid=78

If a business or other enterprise asks you for your number, you can refuse to give it. However, that may mean doing without the purchase or service for which your number was requested. For example, utility companies and other services ask for a Social Security number, but do not need it; they can do a credit check or identify the person in their records by alternative means.
[emphasis mine]

Re:Bad news. XD

[NickGnome]

"There must be a way for an individual to prevent information about him that was obtained for one purpose from being used or made available for other purposes without his consent."--- Elliot Richardson 1973 summarizing _Records, Computers, & the Rights of Citizens_ (quoted in Legislative History PL 93-579, Privacy Act of 1974, _Congressional Record_ vol 120, Senate Report #93-1183 pg 6924)

In practice, as you say, even the weak constitutional and statutory protections of privacy are most often ignored.

http://www4.law.cornell.edu/uscode/42/408.html

http://www.usdoj.gov/04foia/privstat.htm

http://www.cavebear.com/nsf-dns/pa_history.htm

http://www.cavebear.com/nsf-dns/5usc552a.htm

http://www.cms.hhs.gov/privacyact/patraining.asp

http://www.cms.hhs.gov/privacyact/pa.pdf

http://www.so.doe.gov/documents/privactof1974.pdf

http://www.epic.org/privacy/laws/privacy_act.html

https://www.cnet.navy.mil/privacyact1974.pdf

http://library.lp.findlaw.com/articles/file/00007/004477/title/subject/topic/constitutional%20law_freedom%20of%20information/filename/constitutionallaw_1_88

http://library.lp.findlaw.com/articles/file/00007/004477/title/subject/topic/constitutional%20law_freedom%20of%20information/filename/constitutionallaw_1_88

http://www.cpsr.org/cpsr/privacy/ssn/ssn.faq.html

http://www.cpsr.org/program/natlID/natlIDfaq.html

Re:Identity Theft is a crime.

[PRMan]

Your name will show up as an Alias on their credit report and your address will show up as a former/current place of residence. Then, later, if your house is being foreclosed, it may affect their ability to get a loan or sell their house.

I used to write mortgage software and credit report retrieval software and I have seen this exact situation, probably from someone giving out a "fake" SSN for privacy reasons, although we had no idea why this other information was on the report (maybe a transposed SSN).

Anyway, you can have a negative effect on others by doing this.

pollute the datastream!

[Tumbleweed]

One should be careful giving out fake SSNs, as you may be accused of attempted identity theft or fraud or whatnot. But, who's to say you or some data entry person didn't make a mistake and mistype one of the numbers, or transpose two of the numbers? Looks like an innocent mistake, I say! If you do it consistently enough, you can even use the excuse, "God, that typo has been following me around forever!"

I'm just sayin'.

I also use my old phone numbers and addresses for those who require such information. "Oh, that's my _old_ number!" :)