News today that Social Security Numbers may be neither as random nor as secure as believed is just one more security problem the ubiquitous identification number faces.
Last fall the Government Accountability Office found that Social Security Numbers are under attack and your personal records are more exposed than you'd like to think. At least that seems to be the observation in a frightening study that says, among other things, that 85% of large counties and 41% of small counties in the US make records that may contain SSNs generally available in bulk or online.
On top of that, many record keepers do not or cannot restrict the types of entities that can obtain public records and may not know how records are being used. Finish that observation off with the notion that some businesses are sending records with SSNs offshore, primarily to India and the Philippines, even though not much is known about how such data are protected overseas.
The dour Web-based GAO study looked at 247 counties across the US responsible for recording documents, including the 97 largest counties by population and a random sample of 150 of the remaining counties. Records could include birth, death, and marriage records; criminal and civil court case files; and records that reflect property ownership, such as property liens. Some records contain personal identifying information, such as SSNs, dates of birth, and credit card or bank account numbers.
AK, CT, HI, RI, and VT were not included in the study because the GAO said individual counties don't collect personal data in those states.
So if you have ever wondered how identity theft can be the number one consumer fraud problem seven years running, costing consumers more than $1.2 billion in 2007 alone, and showing no signs of letting up, perhaps we need only look to the results of studies such as this.
Some of the other disturbing GAO findings include:
The GAO study did say some things were being done to control the use of SSNs. Several bills that would limit the display or sale of SSNs to the public or to private entities have failed in Congress but may be reintroduced.
For example, S. 238 generally would have prohibited the display or purchase of SSNs without the express consent of the SSN holder, with an exception for certain public records. H.R. 948 would have made it unlawful for any person to sell or purchase SSNs in a manner violating regulations to be promulgated by SSA. H.R. 3046 would have restricted the sale and display of SSNs to the general public by government entities; it does not specifically address SSNs in public records but does require the Social Security Administration to develop uniform truncation standards. Finally, S. 2915 would have stopped display of SSNs to the general public on the Internet by state and local governments unless truncation standards, to be set by SSA in accordance with certain guidelines, are met; it also considers certain unencrypted transmittals of SSNs through the Internet to be a public display.
The GAO said some federal, state, and local governments have recently taken steps to safeguard SSNs in public records. The GAO said more than a third of counties have already redacted or truncated SSNs or are currently removing SSNs from their records; some in response to state laws and others of their own accord. Some states, such as New Jersey and Ohio, prohibit SSNs from appearing in any publicly recorded document. Others limit the requirement to specific types of records; for example, Kansas and Utah prohibit SSNs from being shown in voter registration records, the GAO said.
Recent actions by states and counties to limit the display of SSNs in records made available to the public through redaction or truncation are positive steps, but because millions of records with SSNs have already been obtained in bulk or online, these actions will protect SSNs only in future transfers, the GAO said.
Ironically or perhaps preemptively in light of the GAO report, the President's Identity Task Force last year said federal agencies have worked to eliminate unnecessary uses of SSNs in their programs. For example, the Social Security Administration has removed SSNs almost entirely from its internal human resources forms. The Department of Defense has issued a plan to reduce its internal use of SSNs, including their removal from military ID cards. The Internal Revenue Service has been redacting taxpayer SSNs to the last four digits on all federal tax lien documents filed in public records and issued to taxpayers.
In the news today, Carnegie Mellon University's Alessandro Acquisti, an assistant professor of information technology and public policy, and Ralph Gross, a postdoctoral researcher, said they developed an algorithm that analyzed data from the Social Security Administration's Death Master File, a public database of some 65 million Americans who have died and their SSNs, which is used for antifraud purposes.
They looked for numerical patterns in the deceased's SSNs, drawing correlations between where a person was born and their birth date and how that data relates to their SSN. "Our prediction algorithm exploits the observation that individuals with close birth dates and identical state of SSN assignment are likely to share similar SSNs," they wrote.
Redaction
The option of redacting Social Security Numbers is proving to be the most effective method of eliminating SSNs from public documents/records.
Because of this fact, it's no surprise that the term 'Redaction' has experienced a huge increase in interest recently.
However, there have been cases where supposedly redacted documents have been made public and sensitive information has been extracted from the documents. Redaction errors are usually attributed to insufficient or outdated methods and the lack of information provided in regard to document security.
There are a number of specifically designed software solutions available which make redacting documents a streamlined process and eliminate common mistakes associated with outdated redaction methods. One such product is RapidRedact; the website (www.rapidredact.com) provides a plethora of information about redaction and a software demonstration.
Simple
My Social Security card states plainly "Not to be used for identification" right there in blue and white. Enforce that with fines and huge penalties.
Go to two-factor authentication.
Social Security
When Social Security numbers were first issued, it was clearly stated that the numbers were not to be used for any other purpose than your Social Security records - not for medical records, drivers licenses, employee ID, etc. Why isn't that regulation enforced? Sure would solve a lot of problems!
Maybe now they'll stop using it as your "unique identifier"
When Socialist Insecurity was first being mooted, one of the big objections to it was the Orwellian prospect of a national ID number, so it was deliberately crippled so that it COULD be duplicated, with the belief that it would therefore not be used as a universal identifier.
That our banks, universities and others have been so lazy as to use it is the real problem.
We should stop using SSIDs, or any other universal number, as a substitute for knowing who we are doing business with.
This is supposed to be a surprise?
SS#s have been used on many documents and licenses that are available on-line. Only recently have the users been able to request an ID # specific to these documents.
Because the government uses the SS# to keep track of so many things, it follows they are used on, or for, such things as driver's licenses. At least here they don't put them on the license, but you have to provide it to get the license, so it is part of the database. The same with banking transactions. It allows the banks and thus the government to track financial transactions. Yes, mine also says specifically "not to be used for Identification". Anyone whose does is probably retired.
Privacy rules in India?!
"My Social Security card states plainly "Not to be used for identification" right there in blue and white. Enforce that with fines and huge penalties."
Ditto for mine, but Sed quis custodiet ipsos custodes? As von Hayek pointed out in his essay The Road to Serfdom (a polemic originally against the Nazis, and State socialism in general) centralizing a function leads to abuses. The more centralizations, the more abuses.
Until the US pension system is privatized and unless data accumulated about you in private hands is recognized as actually your very own property, no penalties will be levied on the careless and malicious.
The people in that south Texas county who opted out of the national-socialist 'social insurance' system in favor of a private arrangement were wise, and it's long past time that everybody else also began disaggrandizing the scope and depth of government in general.