Why Google Wants Your Kid's SSN
Jamie found a somewhat creepy story about a kid's art contest run by Google. As part of the entry, they need the last 4 digits of a social security number. The article suggests that the information requested by the contest should make it possible to guess at, and compile a list of children's social security numbers. It's bizarre and worth your read.
Except to kids.
The dangers of knowledge trigger emotional distress in human beings.
Google's already removed the field from a newer version of the entry form, will not store any collected numbers, and has explained the need for the city of birth (to help prove US citizenship as required by the contest).
http://www.iambetterthanyourkids.com/ -- I hope THIS GUY isn't a judge!
Without even reading the article I know why. SSNs contain demographic data about where and when somebody is born. They are not serial numbers or randomly generated. Anybody with access to the first half of the SSN has demographic data.
I support the Slashcott and will not be reading or commenting from 2/10/14 to 2/17/14. Beta is steaming pile of dog shit
They aren't working. They aren't earning money, therefore they aren't depositing cash into an SSI account yet. Not until the kid starts working (age 16; 18; whatever) do they need to apply for an SSN.
Information wants to be expensive AND wants to be free. So you have Value vs. Cheap distribution fighting each other.
My general approach to life is to assume that any and all corporations will screw me over for a buck, and all advertisements are 75% distraction from the 20% lies and 5% facts.
I was largely indifferent to Google (I only switched from Yahoo because the page loaded faster), but when I heard that their motto was "don't be evil." I started to think that they most likely are evil, and are simply biding their time.
The problem isn't with google for collecting social security numbers. The problem is that SSNs are so sensitive in the US. I live in Sweden and here social security numbers are a matter of public record and many companies collect these numbers from their customers for their databases. It's quite convenient and, if done right, not as privacy infringing as people seem to think. It's quite ridiculous to have, like the US, a system where you can impersonate someone by knowing their number.
"Limited Info" - implying that no deductions can be made from that info? There's other related articles that current zip code crossed with all that stuff also produces matches, and this time they have the parents' info.
Wait, what? What parents will send their complete info to Google for a kid's art contest?
You can't get that national ID database under the RFID label, so let's do it ... wait for it... for the kids! Google will hand that list over, to make sure no terrorists in training are practicing drawing guns.
At least it's Google. I expect them to be evil, but not usually stupid, so it might take a few years before the Blackhats get hold of the list.
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
While your points are well-taken, complaining that it's really the government's fault when google collects information which could be harmful to you is like saying that it's really god's fault when someone shoots you to death because he declared that impacts from high-velocity masses shall rearrange your internal organs.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Because only Google could figure out that SSNs are sequential, follow a known formula, and can generally be figured out with the last 4 digits and the location and date of birth. Sooo Scary! To think that SSNs are in any way a secure identifier is to be naive.
Making citizenship of the US a requirement for the contest is just stupid. I scanned briefly through their rules posted online - I couldn't really find an answer. Seems to create a lot more work for Google. Unless of course it was all a ruse to get your kid's SSN... MUHAHAHHAHAHAAHA!
The last four digits of a US SSN are allocated in sequence from 0000 to 9999 for a given SSN group. They are exactly and completely uninterpretable and arbitrary.
No kidding!!! What do you say at this point?
That's so true. Same applies to fingerprints .. and soon to DNA as well.
I don't know how the US got this meme that knowing your SSN somehow proved your identity. Of course once that meme has developed and companies start using the SSN as a password, people become very protective of their SSNs, and the idea that it's a special number that requires protection becomes self-reinforcing.
No kidding!!! What do you say at this point?
This is genuinely loathsome, and yet more proof that ignorance is no excuse when a parent offers up private information about their children.
Let's be clear: You have no right to give up ANY private information about your children without making very, very sure there's a good reason to do so, and that such information will be used within explicit, clearly defined limits. When your children are adults, they'll have to live with decisions you make about them now. That's especially true of information that will allow interested parties who DO NOT have your child's best interests at heart to assemble a profile on them and target them every minute of their lives.
I've calculated my velocity with such exquisite precision that I have no idea where I am.
Agreed.
SSN's became identical with credit score id number.
Credit Score is pretty meaningless these days. Perhaps for that first mortgage.... otherwise credit means "Do you pay your late fees?" "How much do you earn?" and "What BIG things do you own already?" Where is credit worthiness in that?
even contemplating that ssns could be used to identify people uniquely online was stupid from the start. think - its just a number. its not something encrypted or else. its a plain number that is constructed according to a particular algorithm. any half decent person intent on abusing it could eventually discover that algorithm by running tests and trials with crappy software. this goes for all kinds of such number schemes.
actually, anything that can be read in a digital environment, can easily be faked/duped in the same digital environment. there is no remedying this. think - even the paper documents were faked at large before digital age.
Read radical news here
Seriously, you can't use state ID numbers because they are even more prone to change. You can't use names because they're not unique and they change. You can't use biometrics because you can't. :) So what are you going to use to uniquely identify people? Death and taxes -> taxpayer ID until death.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
It's not a contradiction to anyone who can understand that the word "discarded" in relation to paper forms does not mean deletion of a file on a computer.
Also, this article was written 4 days AFTER Google had already changed the form to not have the SSN. This is even mentioned in the article body.
Yeah, I know it's on Huffington, but that crap doesn't qualify as a news article. Calling it a blog is doing it a favor, calling it a lunatic rant about a problem that's already taken care of would be more accurate.
This sentence no verb.
But I can literally taste the tin foil on this guy's head. The little nutter gave me synesthesia. I think it's mostly his tone of voice. The way he's simply incredulous about the possibilities, with nothing to show for it.
1.) I'm not much of a conspiracy theorist by disposition, but...
Hey, I think I spotted where he became a conspiracy nutcase.
Are these posts here to show us how evil Google has become or to show us how nutty the "google is evil" crowd has become? Because despite the title, I'm leaning with the latter.
When they have the 4 last digits of the SSN, they just apply the principle of explosion to derive the rest.
Visit http://ringbreak.dnd.utwente.nl/~mrjb/growingbettersoftware to download your free copy of the book
What kind of a genius must one be to divulge something just because someone asks nicely? It's like social engineering without the 'engineering' part. I routinely give randomly generated answers to various privacy invading "security" questions on bank sites: it's none of their damn business what is the name of my first girlfriend. On pretty much every non-governmental, non-credit-related form, I always use a made up number when asked for the SSN. They are too lazy to figure out what artificial keys are? I give them one.
Stupid parents give out their kids' SSN numbers without thinking. What's new? Google isn't really to blame, I don't think.
A successful API design takes a mixture of software design and pedagogy.
This Ars Technica article (linked below) is a good summary on how the first five numbers can be determined. Apparently for persons born after 1988 (note that here we are dealing with a children's art contest, so this will likely be the case), the number can be accurately guessed 44% of the time if you know the date/place of birth. The odds vary by region - some states the first five digits can be guessed 90% of the time. http://arstechnica.com/tech-policy/news/2009/07/social-insecurity-numbers-open-to-hacking.ars
I'm not much of a conspiracy theorist by disposition, but doesn't "these last 4 digits were not entered into our records and will be safely discarded," sound like a contradiction? (How can they delete something that is not in their records?)
I'm glad you asked Bob, and the answer is quite simple through this demonstration.
What we have here Bob, is a Parental Consent form. As you can see it does indeed contain the 4 SSN digits. What we are going to do next is pivotal.
What we are going to do next is shoving the form, made from paper, into your big mouth.
And after we managed to shove it down your gullet, your stomach acids will render the data useless.
That's right Bob, paper forms need to be entered into systems. They do not enter themselves.
But given all the other demographics, the non-random first 5 digits can often be guessed with some accuracy. So, with a database loaded with demographics tied to those last four random digits, you're bound to be able to successfully complete several SSNs.
Yeah, I read that article last night:
1) Just because google could use the other info to guess at the first 5 digits of ss #s, and according to some professors somewhere, get almost 10% of them right, certainly does not mean that was what google was going to do. For identity theft, nearly 10% right is great. For any other use, more than 90% wrong is pretty awful.
2) The author does not seem to realize that full name & birth date are not even close to uniquely identifying children. In fact, even full name, birth date, and city is likely to have a few collisions. When Timmy Jones wins a prize, they might need to know which Timmy Jones.
SSN was a bad choice, precisely because people should be protective of it; they should have gone with some other info. But last four of SSN is a default used in all sorts of situations, so somebody picked that common bit of info without thinking about it too much. That's all. No grand conspiracy. No attempt, I'm sure, to take last four and derive the other 5.
The Huffington Post does not pay the authors of their stories. They are owned by Arianna Huffington, new owner of AOL.
Evil...
Done...
"Helping to keep you two steps ahead of the Thought Police!"
792 - "Password Reuse"
While not a password, this kind of "opportunistic data gathering" adds up. Digital records remain for ever. Next week ask for the first 5.
Then join them later. But the first 5 aren't needed if you know birth year and region.
Why can't we make a security token out of an MD5 sum of the SSN with trailing garbage text (to prevent a dictionary attack - say a GUID which would identify the use of this security token) and use that? GUID is chosen by the SSN holder, so the host cannot dictionary attack its own participants.
Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
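An added example, not part of any comment in this thread, that measures how much work the MD5-plus-GUID token proposed above leaves for a party holding the token. It assumes the GUID travels with the token, the last four digits are known, and the area number is narrowed to a few guesses; every value and function name here is constructed for illustration.

```python
import hashlib
import secrets

# Constructed sample values (assumptions, not taken from the thread).
SAMPLE_SSN = "987654321"
SAMPLE_GUID = "6f1d2c3a-0b4e-4f5a-9c7d-2e8b1a0f3c55"
AREA_GUESSES = ["985", "986", "987", "988"]  # stand-in for a birthplace-based guess


def md5_token(ssn: str, guid: str) -> str:
    """Token as proposed in the comment: MD5 over the SSN followed by a GUID."""
    return hashlib.md5((ssn + guid).encode("ascii")).hexdigest()


def candidate_space(area_guesses, last4_known: bool) -> int:
    """Upper bound on SSNs to test: areas x 100 groups x (1 or 10,000 serials)."""
    return len(area_guesses) * 100 * (1 if last4_known else 10_000)


def search_for_ssn(token, guid, area_guesses, last4=None):
    """Enumerate area/group/serial against the token.

    Returns (ssn, tries) on a match and (None, tries) otherwise. The GUID only
    defeats precomputed tables; it does not enlarge the space searched here.
    """
    if last4 is not None:
        serials = [last4]
    else:
        serials = [f"{s:04d}" for s in range(10_000)]
    tries = 0
    for area in area_guesses:
        for group in range(100):
            for serial in serials:
                tries += 1
                ssn = f"{area}{group:02d}{serial}"
                if md5_token(ssn, guid) == token:
                    return ssn, tries
    return None, tries


def opaque_token() -> str:
    """Alternative: a random 128-bit identifier carrying no SSN-derived bits."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    token = md5_token(SAMPLE_SSN, SAMPLE_GUID)
    print("token:", token)
    print("space with last four known:", candidate_space(AREA_GUESSES, True))
    print("space with last four unknown:", candidate_space(AREA_GUESSES, False))
    ssn, tries = search_for_ssn(token, SAMPLE_GUID, AREA_GUESSES, last4="4321")
    print("matched", ssn, "after", tries, "hashes")
    print("opaque alternative:", opaque_token())
```

A slower hash multiplies the cost of each guess but not the number of guesses, so a 400-candidate space stays small; only a token that is not derived from the SSN removes the search entirely.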
The last four digits of a US SSN are allocated in sequence from 0000 to 9999 for a given SSN group. They are exactly and completely uninterpretable and arbitrary.
Note, though, that the method of assigning the initial sets of numbers is slated to change this summer: http://en.wikipedia.org/wiki/Social_security_number#Structure
antipaucity
You know, maybe google should tackle this "unique person identifier" thing once and for all.
errr, did I just say that?! nevermind, bad idea.
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
Was anyone else bothered that the summary and headline didn't read Kids', but instead read Kid's?
They are running out of SSN's and will now implement v6. It will look something like this; wh47:0th3:f0ck:00is:g01n:00on:0n0w:dud3
You would think the post Vietnam generation recalls where data like this can end up in bulk, for profit and in a very uniquely identified way for the US gov.
http://en.wikipedia.org/wiki/Farrell's_Ice_Cream_Parlour
But don't worry, Google only has links with the NSA and they only like data outside the USA...
Domestic spying is now "Benign Information Gathering"
Exactly... the first 5 digits are kinda recoverable from your birth date and location. So if you give them the last 4 numbers, which are the only ones that are really kinda random, then they can pretty much deduce your entire SSN from available public records.
But I don't really understand why I'm supposed to keep my SSN any more protected and secret than, say my employee ID number or my Slashdot UID for that matter. Any bank or government that uses a simple 9 digit number as a S3(R1+ C0D3 to authenticate people are obviously morons when it comes to security and deserves to cover any losses they accrue due to "identity theft". Give me a two-factor authentication smartcard now, dammit, and to hell with any idiot credit card company that is foolish enough to allow someone to open an account in my name without it.
No, you don't have "troves of personal information." That's hyperbole. You've got a statistical guess about the demographics of the children who enter the contest. You simply can't go from a statistical guess+the last 4 digits of the SS number to personal information about a particular individual.
As a thought experiment though, suppose Google could. Suppose Google could take "4321" and "Schenectady, NY" and come up with "little 5 year old Jimmy Smith at 1 Second Ave." What are they going to do with this information? Take out a mortgage in his name?
Finally, now Google has removed the requirement. Poof. The imaginary problem now has even less basis, so let's all stop crying "whaaaa...Google is teh evil" and move on to something important. Fer cryin' out loud, somewhere out there Apple is selling shiny toys to hipsters. THIS MUST BE STOPPED!
How dare Google organize a contest where mature adults can choose to not enter their children in a contest !!!!!
The US has for most of its history had "Can't hack it in your homeland? come to America, where the bar is low!" as its recruiting slogan. It shouldn't be that surprising that we've got some pretty messed up social policy.
It gets my blood pressure up a bit every time I read about "revealing" someone's SSN as having penetrated an inner sanctum. The password-secret treatment of that number needs to be dropped. It's time for legislation in the US that makes it invalid and indefensible in court to treat knowledge of an SSN as an authentication factor. Any organization that treats knowledge of the SSN as an authentication factor should be fully liable for the consequences of any fraud that results.
Note I'm talking about authentication, not identification. Nobody thinks Google shouldn't be able to identify the contestants, and an SSN is more unique than names. The problem only comes from the ability to use that number as a "password" to authenticate for access to things (like bank accounts). Treating the SSN as a "username" would not cause the problem; it's using it as an authenticating secret despite the fact that it's easily accessible that makes revealing it a terrible security lapse.
Knowing your SSN should be no more helpful to a fraudster than knowing your full name or hair color. It should be treated as information too readily available to be of any use for authentication. Reliance on that kind of information for authentication should be evidence of failure in due diligence, and lead to liability for that inappropriate reliance. If your bank lets someone take all the money out of your account just because they know your full name they should be liable. If they do just because they knew your SSN it should be treated the same way.
Any technology distinguishable from magic is insufficiently advanced. - Geek's corollary to Clarke's law
Your ideas intrigue me, and I would like to subscribe to your newsletter.
So what's your SSN?
Your conspiracy makes no sense. The SSA already has a database matching SSNs to names and birth locations.
Nerd rage is the funniest rage.
The last four digits of a US SSN are allocated in sequence from 0000 to 9999 for a given SSN group. They are exactly and completely uninterpretable and arbitrary.
Not completely true. My SSN mostly matches my brother's due to identical demographics. My SSN is lower, indicating that I'm older than my brother.
Same thing in countries that have ID cards. Your ID number is basically your primary key, allowing for unambiguous identification and simple registration in a number of systems, long before computers became commonplace, and you might as well wear it on a t-shirt since it's basically an alias for your full name.
This post contains no rudeness or derision of any kind. All arguments are friendly. Terms and exclusions may apply.
I think the grandparent is not complaining that it is the government's fault, but rather pointing out that "It's quite ridiculous to have, like the US, a system where you can impersonate someone by knowing their number."
It isn't generally the U.S. Government that extends credit, financial products, and banking services on the basis of a number. It is the private sector financial service industries. Elaborating on the GP's point, the private sector is lazy and likes being able to freely provide banking services (and enforce debts and deficiency judgments) merely on the basis of the SSN. They resist efforts to prevent the use of SSN for that, because, notwithstanding all the costs of identity theft, the SSN-driven system is cheap and highly lucrative.
Not everybody has the same views regarding privacy. I for one don't mind being photographed in public, and where I live everybody has their 10 fingerprints taken when they get their first ID card; the common view is that knowing that you've been somewhere is no big deal.
This post contains no rudeness or derision of any kind. All arguments are friendly. Terms and exclusions may apply.
"As part of the entry, they need the last 4 digits of a social security number"
Want, not need.
It took them long enough. In pre-computer days each office would get batch(es) of 10K numbers to give out. The numbering of offices was not random but geographic.
Does the SSA have a database matching names and browsing habits? They do now.
We are all just people.
Well, the modern credit card was conceived in the US, and a signature that is checked by an untrained clerk against some ID is all that the merchant has after the transaction. The rest is known history.
This post contains no rudeness or derision of any kind. All arguments are friendly. Terms and exclusions may apply.
Their SSN and a photocopy of their drivers licence is all you need to get a loan. This is why I keep mine secret.
look, they have access to every email that gmail users send. If Google wants private information, they have more than enough for any evil thing they want to do. A couple of sniffed WiFi packets, or a couple of SSN's is just a drop in a very, very large bucket.
Which is why the whole last 4 digits thing is so completely stupid. Those are the only 4 digits in the number which have any degree of randomness applied to them. The rest of it can be figured out with a bit of knowledge about the age and location of birth of the person. There's this view people have that giving up the last four digits is somehow preferable from a security point of view to giving up the whole string, but it's really analogous to giving somebody that ammunition and pistol, but making them get their own trigger for the pistol.
The problem is that the USA has no ID card like the rest of the world. In the USA that number is a magic key to do whatever you want. If I know your number I can do lots of nasty things over the internet and ruin your life. That's why Identity theft is so easy in America. The rest of the world works like this:
1) You turn X years old
2) You give the government your picture, fingerprints, etc, and the government gives you an ID card
3) You go to the bank to take a loan, and the bank is required to keep a photocopy of your ID
4) The identity thief goes to the bank with a fake ID (with the victim's data)
5) If the fake ID has the victim's picture/fingerprints, the clerk realizes it's another person and the thief is busted.
6) If the fake ID has the thief's picture/fingerprints and the bank wants the victim to pay up; just compare with the government database.
An ID card is practical for a number of reasons. For example, I don't know how it works in the USA, but here you need to prove your identity when you are going to vote. So you show your ID and you're done. If you don't have a passport, you can go to neighbouring countries with your ID. You sign up for anything, name & ID, and done, it's you and nobody can take it away.
By the way, I'm 36154291.
In soviet russia the government regulates the companies.
Points for worst analogy of the day. Social security numbers are man-made and can be redesigned. Laws of physics not so much.
and Google should be prosecuted to the fullest extent of the law.
That's a ridiculous claim! There would be only 10,000 (0000 to 9999) possible entries into this database. Are you saying that there will be less than 10,000 entries? Also, many of those entries would be duplicates. That doesn't sound very unique to me!
It's not really the government's fault. Someone can take out a loan in your name using your SSN but that doesn't make you legally liable at all. You don't have to pay anything. It's the bank's problem.
The fact that the bank that made the mistake can mark it on YOUR credit report is the problem. And that's all private sector business.
Godaddy is a scam and a ripoff.
Some mentioned taxes but another reason is for social security pay outs. My father died when I was young and I was sent money from his social security (on behalf of my parents of course). So one reason is to ID beneficiaries.
Tiger Blooded Bi-Winning Machine
Shouldn't have wasted all that plutonium on the delorean.
Google fan boys will always defend Google no matter what the company does. Google has been censoring information. They have shared information with the government. They are asking for too much personal information and even tailoring your Gmail depending on what's in your email. They track where people surf using Google Analytics. The list goes on and on... they are a corporation out to make money and ethics are a completely separate issue from cash flow. Seriously... you don't have a problem with any of this? There's always some type of payoff - even if it's an ego problem. And switching to Yahoo is somehow better?
government ------ google doing something wrong
god ------ gunman doing something wrong.
so your argument is that as it's futile to blame god for the gunman's actions, it's futile to blame the government for google's actions. implying that in both cases responsibility lies with the gunman/google...
in both cases god/government created the rules and in both cases the gunman/google abused the rules.
correct?
what i don't understand about the analogy is how god's innate infallibility is transferred to the government. is the government innately infallible? if not, as the creator of the rules, aren't they ultimately responsible for all wrong doing allowed by them?
p.s.
pls pls pls don't let this become an argument about the fallibility of god ;-)
But is anyone really willing to submit their dna for ensured identity? Or any other biometric data? How about a federal ID card?
I hear these kinds of ideas being demolished by the Slashdot crowd all the time - so what WOULD be the proper alternative without invading privacy?
exactly why they asked for them - they also had birth city and year which can give a very good estimate of the first 5 digits - so by getting the last 4 you have a good chance of having the entire SSN
There are a lot of tin foil hats in Slashdot, and they'll complain until the end of their lives that their privacy is being encroached on BY EVERYONE. They're the type of person who would rather live on an abandoned void inaccessible by any sentient life if they could just keep all the creature comforts that modern connected society has so graciously blessed upon them. Why did I bother reading this article... I just knew it would be the same old cranks... later
Bye!
Assuming, of course, that you were issued a SSN at birth. For the purposes of this discussion, yes, that's most likely true - most kids get an SSN before they leave the hospital (I know my daughter was issued one and it was not offered to us as an option, it was one of the things we had to do in order to have her released from the hospital). I assume it's been going on for more than ten years now.
But when I was a kid, I didn't get my SSN until I tried to get a work permit at 13 to get my first paper route. Knowing when and where I was born would do you very little good in reconstructing the first 5 of my SSN, because my first 5 is based on neither of those things. We were living in a different state in a different part of the country, and my brother (who was born in a different state than I was) was issued the next consecutive number for his SSN since my parents decided to apply for both of our numbers at the same time since they had to sit in line anyway.
So if you used SSN to identify birth city and date, you'd assume we were twins, born in a completely different part of the country than where we actually were born, and we'd both appear to be ten years younger than we actually are.
"This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
I've recently run into a brick wall where Google wanted more info out of me than I was prepared to give.
I use Gmail to act as the mail servers for one of my domains, and recently needed to add a couple more user accounts to it.
Only problem is, when I go to their control panel Google are now demanding that I 'verify' myself, supposedly to prevent abuse.
Sounds simple enough, normally with Google I've just had to upload a file to the webserver or add an entry into the DNS records to prove ownership of the domain to them.
Oh not this time. Now have to enter my mobile phone number, and they'll send out a 'verification code' that I have to reenter. Until I do that, the control panel is locked and I can't change anything*
I've asked Google several times now to explain how they think this is supposed to verify anything about my domain, and have only received one reply (and that was because the help droid totally misread my email and unhelpfully gave me instructions on how to recover my password!), but yet still no answer or help on using another method of verification.
Simply put, since they have no previous record of my mobile number, I could be anyone entering a mobile number on that form. It proves absolutely nothing about my rights over the domain name.
All it is, is yet another way for Google to scrape more information about me, under the guise of 'security'.
*Their 'security' is a joke anyway. The way they've locked down the control panel is to simply run a script *AFTER* the control panel has loaded, which just redirects you to their verification page. All you have to do is simply press the 'stop' button in your browser after the panel has loaded, and the redirect never happens.. leaving you with full access to make whatever changes you need.
If anyone from Google is reading: .. somehow I'm not surprised.
I reported this to Google over 3 weeks ago. No reply, and your lame 'security' is still as lame as it was then!
It's clear you don't give a shit about your users, as long they keep feeding you the data you crave. So long, and thanks for all the fish.
... like saying that it's really god's fault ...
Not really. God is fictional while the government and google are not.
How many different institutions use your employee ID or your slashdot UID, and for what purposes? What are the risks to you from disclosure of these other data?
I agree with you that genuine security has enjoyed painfully late adoption.
-fb Everything not expressly forbidden is now mandatory.
Go on.
Deleted
I don't know how the US got this meme that knowing your SSN somehow proved your identity.
WTF? That's the only, singular, PURPOSE of a SSN, identity.
However, it is only supposed to be used by the government and not private businesses except for certain exceptions. I actively refuse to give it to companies that don't need it, especially those who have no legal right to require it.
erm, the rest of the world? really?
here in the UK we get a unique National Insurance Number (which is basically the same as SSN) as soon as our birth is registered but it is not to be used as identification by anyone except the government. The last government's stupid expensive ID card scheme has been binned by the current government.
The UK has no ID card. The closest we have to a SSN is the national insurance number (XX nn nn nn X) which is used for official forms related to income (e.g. tax return) and requested by banks for handling tax on savings interest, but isn't usually used as any form of ID. Bizarrely, when I was a teenager, the government started issuing the number on cards, but it was literally a credit-card sized piece of plastic with a logo and the name and number embossed on the front. I've never been asked for it and I'm not even sure where it is right now. The most anyone could do if they stole it would be to pay taxes on my behalf, for which I would be most grateful. I suppose if they really planned ahead they could eventually collect my pension, but I suspect the UK will have some sort of formal ID card system by then.
By the way, I'm 36154291.
Oh yeah? And I'm 8675309, so there!
It's not a question of security, it's a matter of privacy. Americans have a substantial aversion to their government tracking them. Social security numbers are used for authentication simply because they always were private. When introduced, there had to be numerous guarantees that it would only be used for income tax purposes, and you could not be compelled to disclose it for any other reason. Sadly, there isn't any enforcement of this restriction, so it's not true for practical purposes, unless you're willing to start a lawsuit every time you are asked for it.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
Little history about SSN from Wiki: http://en.wikipedia.org/wiki/Social_Security_number
From the government's own website.
Social Security Number Allocations
http://www.ssa.gov/employer/stateweb.htm
New Feature - SSN Randomization
http://www.ssa.gov/employer/randomization.html
Life takes interesting turns, but the most interest is when you're off the beaten path.
Points for worst analogy of the day. Social security numbers are man-made and can be redesigned. Laws of physics not so much.
Disprove consensus reality before you say things like that to me. More seriously, my point is that google does not define whether SSNs are potentially harmful information, therefore google can only choose whether to collect them or not, and their action has to be based on the relative merits of their available choices.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Lots of US laws already prohibit or limit SSN use:
http://epic.org/privacy/ssn/
http://www.privacyrights.org/fs/fs10-ssn.htm
If it's illegal to collect and use in whole, is it illegal to cadge in part, and then reassemble and use?
Or does the law have holes?
As rwa2 points out above, deriving the whole SSN ID number from a partial one might be within the reach of a lot of people, not just huge datafarms.
Like your name, your SSN is an identifier; it identifies you.
Unlike your name, your SSN is a unique identifier; for many purposes, this makes it more useful and so many forms ask for it so that you can be uniquely identified.
Like your name, your SSN is not a secret.
Like knowing your name, knowing your SSN does not prove you are the person identified by that name/SSN.
Is that all clear enough for you?
"illegible for this contest" Don't spell checkers suck?
- Benjamin Dover
How does Sweden achieve that? Assuming that I could pass for being Swedish and I am roughly the same age as you; if you and I both know your Swedish SSN and we both turn up at a government office claiming to be you, what 'gold standard' of ID do you have that does not tie back to your SSN to prove that you are you?
Nullius in verba
You're an idiot. The US (not him) think that knowing one's SSN is tantamount to having that person's identity. If he gave out his SSN, he'd legitimately be risking his identity.
The point is that knowledge of a number is not sufficient for proving identity, and the rest of the US is stupid for thinking that it is so.
GP's post sounds valid. Less-secure means of payment (check, cash) are being used less because of that reason. SSNs in the US aren't safe to use publicly. People leave insecure systems.
I put a freeze on my credit report so no new credit can be opened in my name. (In theory). I was on an eCommerce site and one of the payment options was -Bill me later-. So just for curiosity, I clicked the bill me later option. It asked for my first name, last name, etc, and most importantly the LAST FOUR digits of my SSN. So I entered only the last 4 and hit submit. My transaction was denied, and not much of a clear reason why. So I went on to make the purchase with a credit card. A few days later in the mail I get a letter saying my request was denied because they could not access my credit report to make a determination. That is when a flag raised. How did they know my credit was NOT accessible? In order for them to access it, they would have needed all of the 9 digits. So somehow they took the last 4 I entered and determined the first 5 that went with it to try to gain access to my credit report. That taught me you don't need all the digits of someone's SSN, with enough information and the last four digits you can still determine their whole SSN.
I fully agree that the use of SSNs as "secret" information for authentication is retarded and has to stop.
The question is, what should banks etc. be using instead?
The only other commonly-used authenticator I can think of is "mother's maiden name" which is just as weak and stupid as the SSN is.
The problem is that to authenticate yourself by revealing "something you know", the party you are authenticating to also has to know it. So either you establish a *unique* shared secret with each party you want to do business with, or you need some kind of centralized authentication clearinghouse that participates in every authentication transaction (and thus will know everybody you are transacting with and when), or else you need some kind of zero-knowledge proof or PKI infrastructure.
The truth is that SSNs get used for authentication because they are easy to use for that purpose. Back when they started doing it, most people's SSNs were "mostly secret" (in the sense that they were not widely available via countless different online services, leaks, huge aggregated databases, etc. like they are today). Decades ago when everybody started to use SSNs for authentication, it was inevitable and predictable that the situation would end up like it has today. But it's a tragedy of the commons. We still have no replacement system, and there is no small group of powerful stakeholders with the necessary incentive to develop and deploy some better system. Certain practices of collecting and using SSNs might even be illegal, but everybody does it anyway.
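The comment above contrasts a static number that every party knows with a unique shared secret per party. The sketch below is an added example, not part of the original comment: the `enroll`/`respond` scheme, the party names and the all-zero identifier are assumptions made up for illustration.

```python
import hashlib
import hmac
import secrets


def static_id_check(on_file: str, presented: str) -> bool:
    """SSN-style check: whoever knows the number passes, at every party, forever."""
    return hmac.compare_digest(on_file.encode(), presented.encode())


def enroll(master_key: bytes, party: str) -> bytes:
    """Derive a secret unique to one relying party (hypothetical scheme)."""
    return hmac.new(master_key, b"enroll:" + party.encode(), hashlib.sha256).digest()


def respond(secret: bytes, party: str, nonce: bytes) -> bytes:
    """Answer a challenge without ever sending the secret itself."""
    return hmac.new(secret, party.encode() + b"|" + nonce, hashlib.sha256).digest()


class RelyingParty:
    """A bank or merchant that stores only its own per-party secret."""

    def __init__(self, name: str, secret: bytes):
        self.name = name
        self._secret = secret
        self._pending = set()  # nonces issued and not yet used

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._pending:  # unknown or already used: replay
            return False
        self._pending.discard(nonce)
        expected = respond(self._secret, self.name, nonce)
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    master = secrets.token_bytes(32)  # stays with the person, never shared
    bank = RelyingParty("bank.example", enroll(master, "bank.example"))
    results = {}

    # Constructed sample identifier: the same value works at every party.
    results["static_reuse"] = static_id_check("000-00-0000", "000-00-0000")

    nonce = bank.challenge()
    answer = respond(enroll(master, "bank.example"), "bank.example", nonce)
    results["legit"] = bank.verify(nonce, answer)
    results["replay"] = bank.verify(nonce, answer)  # captured answer reused

    # A secret held by a different party does not authenticate at the bank.
    nonce2 = bank.challenge()
    other = respond(enroll(master, "shop.example"), "bank.example", nonce2)
    results["cross_party"] = bank.verify(nonce2, other)
    return results


if __name__ == "__main__":
    print(demo())
```

Each party still has to hold its own secret, which is the cost the comment points out; what changes is that a value captured from or held by one party is useless anywhere else.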
I'm Swedish too. Swedish government is more open and democratic than US government and the protection of personal privacy is in general better. I'm ok with having a "personnummer" in Sweden, but if I lived in a country governed behind closed doors and without any protection against ministerstyre (a phenomenon seen as such a natural part of government in English speaking countries, that there isn't even a word to describe it, the English language Wikipedia article is factually wrong (the Wikipedia article gets factually wrong every time someone living outside Scandinavia tries to improve it, the concept seems to be so strange to comprehend to people from English speaking cultures, that they can't keep themselves from trying to remake it into something more similar to their frame of reference), the important part is the quote from The Swedish Instrument of Government) and weak laws against private interests' involvement in government, I'm not sure I would like having something that makes me easily identifiable. Not that the Swedish "personnummer" hasn't been misused, it is just that there is more transparency in the Swedish society and that Swedish bureaucrats are more concerned about personal privacy and are more likely to expose those that aren't than in USA. We have also more experience in implementing information systems that are more open to the public, but still with decent protection of personal data. In USA most government data is non-public, but within the government organisations the protection from someone getting their hands on private information not meant for them is comparatively very weak.
I work for the marketing department of a publicly-traded tech firm. You'll see on most contests that there are standard rules - usually that you must be 18 years or older, a US citizen, and need not "play to win." These rules are required by law in various jurisdictions for various reasons. It's frustrating - especially because it means a truly global contest is all but impossible because of similar rules/regulations abroad. I doubt there is a conspiracy here, although having a simple check box of "click here to confirm you are a US citizen" should have been sufficient for Google's needs.
I think that too. It should be a matter of public record to prevent fraud.
BUT there is still the matter of privacy and plausible anonymity. An SSN is a one-to-one match with a person, and will always be treated as such, *even if the match hasn't been verified*.
In other words, your SSN is subject to misuse even beyond its magical ability to open new credit lines. I might not be able to ruin your credit, but I could still impersonate you on Google Doodles, you see?
So definitely, let's end the need to keep it a state secret. But that doesn't mean SSNs are suddenly okay to use as IDs on web services.
Your screen would explode from the rage. When Google does it, eh, not so much.
The card has my SSN on it. By showing this card I can prove that I am actually the real live person who, in their computer, is represented by that number. They can look me up in their system and take it from there.
Exactly! SSN is too widely known to be a decent password. It would be like letting anyone who knew I was "Cro magnon" access my slashdot stuff.
Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
It's not really the government's fault, it's the fault of other corporations who assume these numbers are secret. They aren't. And the government will tell you that.
Actually it is very easy to steal your ID in Sweden and the other Scandinavian countries if one has the social security number, but most of you are kidding yourself into that it is quite safe - until someone actually steals your idea. Read up on it. You would be surprised.
Our ID card is our driver's license. We essentially have that system, the only hard part is that driver's licensing is done on a state by state basis, so there is no national ID card or number, only a state one. The only real unique national ID number we have is the social security number.
The problem isn't with google for collecting social security numbers. The problem is that SSNs are so sensitive in the US.
Sounds like the problem is with both of them. SSNs shouldn't expose so much sensitive data, but Google shouldn't needlessly collect or misuse sensitive personal data regardless of how poorly the system is implemented. Furthermore, if companies like Google support the misuse of SSNs, then it is going to be all the more difficult for the American people to fix the system because corporations will claim that they depend on it (something that marketing companies do all the time).
Huh? (Google) Collecting the SSN could be harmful? The other guy replying to the parent says the SSN isn't something that needs protecting. So which is it?
I'm no American, but the SSN is a government issued number right? So can you steal someone's identity with this number and other basic information? And does the government have laws that protect against the misuse of this (government issued) number?
Both the US Social Security Number format and the Canadian Social Insurance Number nine digit formats have the last digit as a check flag and the first digits as a region/base code.
If you get young kids, you can ask them where they were born - and if it's local you have the first three digits of the SSN or SIN and with the last 4 SSN you have all but 2 digits - since the last is the check digit, you can extrapolate the full SSN with a simple brute force check digit run to narrow it down and try a login sequence at Social Security or Employee Verify to get confirmation.
In Canada they only trap the last 3 digits not the last four XXX-YYY-ZZZ (that's Zed not Zee) so it's a bit harder.
I used to program mil and civilian databases that had check routines for SSN and SIN verification ...
NEVER EVER GIVE SSN OR SIN TO ANYONE WHO IS NOT PAYING YOUR PENSION.
-- Tigger warning: This post may contain tiggers! --
Given how much this place looks like a run down porn shop, I suspect many a person has been misled by that sign...
This ain't exactly open to the world then......
Google is starting to upset me. (beware rant coming). There is a big movement in the UK at the moment for responsible companies to pay their taxes and folk are switching to alternatives (even if they cost more!). Google are one of these companies who minimize their taxes and attempt to avoid UK taxes. I don't feel very rosy hearted to corps or companies like this. Let alone exclude our children from entering their competitions. ....switch....
which it wasn't
Takeaway:
Programmers who want a pay-raise, don't hash people's sensitive data for this purpose;
Programmers who have a moral drive, go ahead and be ethical, baddie.
I'm a staunch Google apologist masquerading as an open mind, and even I think this is off-the-charts stupid.
If there was an agenda, it was fear that FB would colour in the social graph for the younger generation before the kids learned how to surf.
We need some core curriculum in the grade two/three age range on how to falsify personal data in online profiles. It used to be as a parent, you could wait for the kids to teach themselves the gutter skills (the little angels can hardly restrain themselves).
I think technology has surpassed that now.
Do you seriously consider this an explanation?
So why was Google asking for the SSN in the first place if they had no plans to record it? Maybe just to give some landfill diggers a chance to collect this information?
Also, how is providing city of birth any better proof than clicking "yes - I am a citizen"? Do you think coming up with a name of a US city is so much harder? Google itself will provide you a myriad of choices (go ahead, google it).
Why not just ask: "Are you a citizen of the United States of America?"
I'm required to do something for this contest for my HS Graphic Design class. It is required for getting a good grade. I need the class in order to graduate. I don't really want to do it, but I have to... Google already provides me email, a phone number, and has access to my videos and some of my pictures, as well as providing the browser I'm writing this in. If you're out there watching, Google, I for one, welcome our GOOG overlords.
Geez, ONE idea, period. A decent search algorithm, at the right time and right place, and the consequent curse of too much money too soon so the naive kids gave away the store to their greedy grand parents. Although Google software is known to suck... they have yet to rival even the lowest quality MS apps (even "Publisher" quality won't be attained by Google in the next 10 years, no matter how many hours of free time they give away to the developer kids swarming their campus, no matter how many billions they squander in deluded half-assed mockeries of "open source"... the founders were good at search for that moment in history but are profoundly dumb at software and too fat/materialistic to run a company). BUT they are out-MS'ing Microsoft at one thing and one thing only.... fascist identity tracking. They can't create software worth a dime, but they can set new lows in making sure they get enough identity out of those consumers poor enough to be stuck with Google offerings to feed their all-important Advertisers authentic trackable consumer-drones to manipulate and abuse. Google will ride out their monopoly for 10 years but will inevitably sink to the bottom where they belong with their spiritual brethren in Redmond.
If that is true, then I don't know my own identity. Sure I carry a plastic card in my wallet, and pull it out occasionally when taking on a job, or opening a bank account, but I don't actually know the number myself. Hell, I can barely remember my phone number, since I never call myself, and just hand out a business card when someone wants my number (or just call them on the spot so they can grab it from caller ID and save it in their phone)
Knowing your SSN should be no more helpful to a fraudster than knowing your full name or hair color.
You realize that your use of the phrase "should be" in that sentence betrays the fact that in the real world it nevertheless is, right? This is mainly due to the prevalence of bad security practices.
Though I hope they have changed the practice, Huntington National Bank, a large regional bank in my area only required the name and social security number of the account holder to assign the PIN for the account. They did not verify the identity of the person requesting the information because they could only assign the PIN via a web-based or an automated telephone system.
If SSN numbers are given out in ascending sequence, not by state lots (each state gets a range of numbers), then having the high-order digits will allow them to determine the year of issue, and the age of the individual. That's all.
Leslie Satenstein Montreal Quebec Canada
Hey, ship'tard.
There is the obvious-known fact of Statutory Law that none under 18 can enter a contract, so when you try to debate the tax benefit of someone under 18 having a socio-economic relationship with a private corporation (read that as a "Government") and in-addition the facilities of many institutions nation-wide that deploy legal forms to support this form of transaction, as well as parents that leech off the system in ways that blur the line between them and money-grubbing illegal aliens, then all I can say is now you have an entire populace whose accepted practice is determined by whichever avenue the money flows easier and whatever the government is willing to hand-out.
I still find it laughable that you all are motivated by what the government thinks, rather than what is right and good. If the government wants to tax something, then you vote for or against it in a government-supplied voting booth, and then all walk home satisfied that democracy is in-favor of what the government wanted to do before you voted against it.
It's like everything that government wants in-place in the future, is already in place now but under the guises of membership cards and exemption cards that you are voluntarily compelled to use at every transaction. It was only before 1964 when there was the Right To Public Vehicular Travel movement of the people that traveled lawfully without injury to anyone in moving their cars around without license and without license plates, but now you are all assumed to be a foreign foe and enemy of the state.
Who do you want the state to be afraid of, you or the tourists/terrorists?
Hey Jenny, how's it going?
Correct, but you're responding out of context. The original post commented that Google collects SSNs, because the SSNs carry demographic data.