Slashdot Mirror
Why Google Wants Your Kid's SSN
Jamie found a somewhat creepy story about a kid's art contest run by Google. As part of the entry, they need the last 4 digits of a social security number. The article suggests that the information requested by the contest should make it possible to guess at, and compile a list of children's social security numbers. It's bizarre and worth your read.
Google's already removed the field from a newer version of the entry form. will not store any collected numbers, and has explained the need for the city of birth (to help prove US citizenship as required by the contest).
Without even reading the article I know why. SSNs contain demographic data about where and when somebody is born. They are not serial numbers or randomly generated. Anybody with access to the first half of the SSN has demographic data.
I support the Slashcott and will not be reading or commenting from 2/10/14 to 2/17/14. Beta is steaming pile of dog shit
They need to have SSN numbers as children so that they may be claimed as tax deductions by their parents.
My general approach to life is to assume that any and all corporations will screw me over for a buck, and all advertisements are 75% distraction from the 20% lies and 5% facts.
I was largely indifferent to Google (I only switched from Yahoo because the page loaded faster), but when I heard that their motto was "don't be evil." I started to think that they most likely are evil, and are simply biding their time.
The problem isn't with google for collecting social security numbers. The problem is that SSNs are so sensitive in the US. I live in Sweden and here social security numbers are a matter of public record and many companies collect these numbers from their customers for their databases. It's quite convenient and, if done right, not as privacy infringing as people seem to think. It's quite ridiculous to have, like the US, a system where you can impersonate someone by knowing their number.
While your points are well-taken, complaining that it's really the government's fault when google collects information which could be harmful to you is like saying that it's really god's fault when someone shoots you to death because he declared that impacts from high-velocity masses shall rearrange your internal organs.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Making citizenship of the US a requirement for the contest is just stupid. I scanned briefly through their rules posted online - I couldn't really find an answer. Seems to create a lot more work for Google. Unless of course it was all a ruse to get your kids SSN... MUHAHAHHAHAHAAHA!
"The Tax Reform Act of 1986 required parents to list Social Security numbers for each dependent over the age of 5 for whom the parent wanted to claim a tax deduction. Before this act, parents claiming tax deductions were on the honor system not to lie about the number of children they supported. During the first year, this anti-fraud change resulted in seven million fewer minor dependents being claimed, nearly all of which are believed to have involved either children that never existed, or tax deductions improperly claimed by non-custodial parents." (wikipedia)
Aside from creating yet another federal identification number, this seems a reasonable argument for the age of taxing everything.
I don't know how the US got this meme that knowing your SSN somehow proved your identity. Of course once that meme has developed and companies start using the SSN as a password, people become very protective of their SSNs, and the idea that it's a special number that requires protection becomes self-reinforcing.
No kidding!!! What do you say at this point?
This is genuinely loathsome, and yet more proof that ignorance is no excuse when a parent offers up private informatioÂn about their children.
Let's be clear: You have no right to give up ANY private informatioÂn about your children without making very, very sure there's a good reason to do so, and that such information will be used within explicit, clearly defined limits. When your children are adults, they'll have to live with decisions you make about them now. That's especially true of informatioÂn that will allow interested parties who DO NOT have your child's best interests at heart to assemble a profile on them and target them every minute of their lives.
I've calculated my velocity with such exquisite precision that I have no idea where I am.
And yet the government, banks, corporations, etc. all require you to provide it because they assume it to be secure. Or rather, because they convince us SSNs are secure, all while knowing they're not.
Keep your eyes to the sky.
It's not a contradiction to anyone who can understand the word "discarded" in relation to paper forms does not mean deletion of a file on a computer.
Also, this article was written 4 days AFTER Google had already changed the form to not have the SSN. This is even mentioned in the article body.
Yeah, I know it's on Huffington, but that crap doesn't qualify as a news article. Calling it a blog is doing it a favor, calling it a lunatic rant about a problem that's already taken care of would be more accurate.
This sentence no verb.
But I can literally taste the tin foil on this guy's head. The little nutter gave me synesthesia. I think Its mostly his tone of voice. The way he's simply incredulous about the possibilities, with nothing to show for it.
1.) I'm not much of a conspiracy theorist by disposition, but...
Hey, I think I spotted where he became a conspiracy nutcase.
Are these posts here to show us how evil Google has become to to show us how nutty the "google is evil" crowd has become? Because despite the title, I'm leaning with the latter.
When they have the 4 last digits of the SSN, they just apply the principle of explosion to derive the rest.
Visit http://ringbreak.dnd.utwente.nl/~mrjb/growingbettersoftware to download your free copy of the book
This Ars Technica article (linked below) is a good summary on how the first five numbers can be determined. Apparently for persons born after 1988 (note that here we are dealing with a children's art contest, so this will likely be the case), the number can be accurately guessed 44% of the time if you know the date/place of birth. The odds vary by region - some states the first five digits can be guessed 90% of the time. http://arstechnica.com/tech-policy/news/2009/07/social-insecurity-numbers-open-to-hacking.ars
Some mid-level employee came up with a clever but ultimately bad way of distinguishing applications. Conspiracy theory: ignored.
Yeah, I read that article last night:
1) Just because google could use the other info the guess at the first 5 digits of ss #s, and according to some professors somewhere, get almost 10% of them right, certainly does not mean that was what google was going to do. For identity theft, nearly 10% right is great. For any other use, more than 90% wrong is pretty awful.
2) The author does not seem to realize that full name & birth date are not even close to uniquely identifying children. In fact, even full name, birth date, and city is likely to have a few collisions. When Timmy Jones wins a prize, they might need to know which Timmy Jones.
SSN was a bad choice, precisely because people should be protective of it; they should have gone with some other info. But last four of SSN is a default used in all sorts of situations, so somebody picked that common bit of info without thinking about it too much. That's all. No grand conspiracy. No attempt, I'm sure, to take last four and derive the other 5.
The Huffington Post does not pay the authors of their stories. They are owned by Arianna Huffington, new owner of AOL.
Evil...
Done...
"Helping to keep you two steps ahead of the Thought Police!"
792 - 'Password Reuse"
While not a password, this kind of "opportunistic data gathering" adds up. Digital records remain for ever. Next week ask for the first 5.
Then join them later. But the first 5 aren't needed if you know birth year and region.
Why can't we make a security token out of an MD5 sum the SSN with trailing garbage text (to prevent a dictionary attack - say a GUID which would identify the use of this security token) and use that? GUID is chosen by the SSN holder, so the host cannot dictionary attack its own participants.
Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
Not until the kid starts working (age 16; 18; whatever) do they need to apply for an SSN.
PLEASE don't fight this... the last thing I need is another government-issued ID number for my whole family. Let the IRS re-use the number given by the SSA. I already have a passport number, a drivers license number, and a social security number for every member of the family.
W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
Same with my parents...in the 70s and 80s. But guess what? I need my kids' SSNs to claim them as dependents now, starting in the late 90s. So your premise that laws never change is flawed, therefore your conclusion that olsmeister's claim is false is flat-out wrong.
God invented whiskey so the Irish would not rule the world.
Was anyone else bothered that the summary and headline didn't read Kids', but instead read Kid's?
They are running out of SSN's and will now implement v6. It will look something like this; wh47:0th3:f0ck:00is:g01n:00on:0n0w:dud3
You would think the post Vietnam generation recalls where data like this can end up in bulk, for profit and in a very uniquely identified way for the US gov.
http://en.wikipedia.org/wiki/Farrell's_Ice_Cream_Parlour
But dont worry, Google only has links with the NSA and they only like data outside the USA...
Domestic spying is now "Benign Information Gathering"
Exactly... the first 5 digits are kinda recoverable from your birth date and location. So if you give them the last 4 numbers, which are the only ones that are really kinda random, then they can pretty much deduce your entire SSN from available public records.
But I don't really understand why I'm supposed to keep my SSN any more protected and secret than, say my employee ID number or my Slashdot UID for that matter. Any bank or government that uses a simple 9 digit number as a S3(R1+ C0D3 to authenticate people are obviously morons when it comes to security and deserves to cover any losses they accrue due to "identity theft". Give me a two-factor authentication smartcard now, dammit, and to hell with any idiot credit card company that is foolish enough to allow someone to open an account in my name without it.
No, you don't have "troves of personal information." That's hyperbole. You've got a statistical guess about the demographics of the children who enter the contest. You simply can't go from a statistical guess+the last 4 digits of the SS number to personal information about a particular individual.
As a thought experiment though, suppose Google could. Suppose Google could look take "4321" and "Schenectady, NY" and come up with "little 5 year old Jimmy Smith at 1 Second Ave." What are they going to do with this information? Take out a mortgage in his name?
Finally, now Google has removed the requirement. Poof. The imaginary problem now has even less basis, so let's all stop crying "whaaaa...Google is teh evil" and move on to something important. Fer cryin' out loud, somewhere out there Apple is selling shiny toys to hipsters. THIS MUST BE STOPPED!
How dare Google organize a contest where mature adults can choose to not enter their children in a contest !!!!!
When taking exams in the UK you are identified by a random number assigned by the exam board.
Significantly, the exam board have to assign their own number, because British children probably don't have an identifying number when they're entered for the exam. (Not to mention non-British people taking the exams.)
However, unless this system has changed since 2004, the numbers aren't random. My number was 0003, and my surname was third in the list of all children at the school.
It gets my blood pressure up a bit every time I read about "revealing" someone's SSN as having penetrated an inner sanctum. The password-secret treatment of that number needs to be dropped. It's time for legislation in the US that makes it invalid and indefensible in court to treat knowledge of an SSN as an authentication factor. Any organization that treats knowledge of the SSN as an authentication factor should be fully liable for the consequences of any fraud that results.
Note I'm talking about authentication, not identification. Nobody thinks Google shouldn't be able to identify the contestants, and an SSN is more unique than names. The problem only comes from the ability to use that number as a "password" to authenticate for access to things (like bank accounts). Treating the SSN as a "username" would not cause the problem; it's using it as an authenticating secret despite the fact that it's easily accessible that makes revealing it a terrible security lapse.
Knowing your SSN should be no more helpful to a fraudster than knowing your full name or hair color. It should be treated as information too readily available to be of any use for authentication. Reliance on that kind of information for authentication should be evidence of failure in due diligence, and lead to liability for that inappropriate reliance. If your bank lets someone take all the money out of your account just because they know your full name they should be liable. If they do just because they knew your SSN it should be treated the same way.
Any technology distinguishable from magic is insufficiently advanced. - Geek's corollary to Clarke's law
They aren't working. They aren't earning money, therefore they aren't depositing cash into an SSI account yet. Not until the kid starts working (age 16; 18; whatever) do they need to apply for an SSN.
They need one if you want to set up a 529 education investment account, or if you want to claim the deduction on your tax returns. They also need one for a bank account, and kids should learn about managing money as early as possible.
Eagles may soar, but weasels don't get sucked into jet engines.
"As part of the entry, they need the last 4 digits of a social security number"
Want, not need.
Then your parents did their taxes incorrectly. I can assure you that shortly after my birth the government required SSNs for all dependents. Such that my parents had to get social security cards for myself, and 4 other siblings at the same time. As a result, our numbers are very close to each other. Further more, had you prepared your own taxes (properly), you would know that the parent is correct.
My number was 0003
I am not a number - I am a free man!
Scientists point out problems, engineers fix them
altslashdot.org: The future of slashdot.
Google fan boys will always defend Google no matter what the company does. Google has been censoring information. They have shared information with the government. They are asking for too much personal information and even tailoring your Gmail depending on what's in your email. They track where people surf using Google Analytics. The list goes on and on... they are a corporation out to make money and ethics are a completely separate issue from cash flow. Seriously... you don't have a problem with any of this? There's always some type of payoff - even if it's an ego problem. And switching to Yahoo is somehow better?
Thanks 711123
Whew! An anonymous coward has told us all to ignore this.
Of course, if it was anyone but Google, we'd be in an uproar. But it's Google, which has such a great track record when it comes to privacy *cough*.
I've recently run into a brick wall where Google wanted more info out of me than I was prepared to give.
I use Gmail to act as the mail servers for one of my domains, and recently needed to add a couple more user accounts to it.
Only problem is, when I go to their control panel Google are now demanding that I 'verify' myself, supposedly to prevent abuse.
Sounds simple enough, normally with Google I've just had to upload a file to the webserver or add an entry into the DNS records to prove ownership of the domain to them.
Oh not this time. Now have to enter my mobile phone number, and they'll send out a 'verification code' that I have to reenter. Until I do that, the control panel is locked and I can't change anything*
I've asked Google several times now to explain how they think this is supposed to verify anything about my domain, and have only received one reply (and that was because the help droid totally misread my email and unhelpfully gave me instructions on how to recover my password!), but yet still no answer or help on using another method of verification.
Simply put, since they have no previous record of my mobile number, I could be anyone entering a mobile number on that form. It proves absolutely nothing about my rights over the domain name.
All it is, is yet another way for Google to scrape more information about me, under the guise of 'security'.
*Their 'security' is a joke anyway. The way they've locked down the control panel is to simply run a script *AFTER* the control panel has loaded, which just redirects you to their verification page. All you have to do is simply press the 'stop' button in your browser after the panel has loaded, and the redirect never happens.. leaving you with full access to make whatever changes you need.
If anyone from Google is reading: .. somehow I'm not suprised.
I reported this to Google over 3 weeks ago. No reply , and your lame 'security' is still as lame as it was then !
It's clear you don't give a shit about your users, as long they keep feeding you the data you crave. So long, and thanks for all the fish.
Lots of US laws already prohibit or limit SSN use:
http://epic.org/privacy/ssn/
http://www.privacyrights.org/fs/fs10-ssn.htm
If it's illegal to collect and use in whole, is it illegal to cadge in part, and then reassemble and use?
Or does the law have holes?
As rwa2 points out above, deriving the whole SSN ID number from a partial one might be within the reach of a lot of people, not just huge datafarms.
I think that too. It should be a matter of public record to prevent fraud.
BUT there is still the matter of privacy and plausible anonymity. An SSN is a one-to-one match with a person, and will always be treated as such, *even if the match hasn't been verified*.
In other words, your SSN is subject to misuse even beyond its magical ability to open new credit lines. I might not be able to ruin your credit, but I could still impersonate you on Google Doodles, you see?
So definitely, lets end the need to keep it a state secret. But that doesn't mean SSNs are suddenly okay to use as IDs on web services.
If SSN numbers are given out in ascending sequence, not by state lots (each state gets a range of numbers), then having the high-order digits will allow them to determine the year of issue, and the age of the individual. Thats all.
Leslie Satenstein Montreal Quebec Canada