Protecting Social Security numbers online is a futile exercise

Social Security numbers face myriad securty problems.

News Tuesday that Social Security numbers may not be as random nor secure as believed is just one more security problem the ubiquitous identification number faces.

Last fall, the Government Accountability Office found that Social Security numbers are under attack and your personal records are more exposed than you’d like to think. At least that seems to be the observation in a frightening study that says among other things that 85% of large counties and 41% of small counties in the U.S. make records that may contain SSNs generally available in bulk or online.

On top of that, many record-keepers do not or cannot restrict the types of entities that can obtain public records and may not know how records are being used. Finish that observation off with the notion that some businesses are sending records with SSNs offshore, primarily to India and the Philippines, even though not much is known about how such data are protected overseas.

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

News Tuesday that Social Security numbers may not be as random nor secure as believed is just one more security problem the ubiquitous identification number faces.

Last fall, the Government Accountability Office found that Social Security numbers are under attack and your personal records are more exposed than you’d like to think. At least that seems to be the observation in a frightening study that says among other things that 85% of large counties and 41% of small counties in the U.S. make records that may contain SSNs generally available in bulk or online.

On top of that, many record-keepers do not or cannot restrict the types of entities that can obtain public records and may not know how records are being used. Finish that observation off with the notion that some businesses are sending records with SSNs offshore, primarily to India and the Philippines, even though not much is known about how such data are protected overseas.

The dour Web-based GAO study looked at 247 counties across the U.S. responsible for recording documents — including the 97 largest counties by population and a random sample of 150 of the remaining counties. Records could include birth, death, and marriage records; criminal and civil court case files; and records that reflect property ownership, such as property liens. Some records contain personally identifiable information, such as SSNs, dates of birth, and credit card or bank account numbers.

Alaska, Connecticut, Hawaii, Rhode Island and Vermont were not included in the study because the GAO said individual counties don’t collect personal data in those states.

So, if you have ever wondered how identity theft can be the number one consumer fraud problem seven years running, costing consumers more than $1.2 billion in 2007 alone, and showing no signs of letting up, perhaps we need only look to the results of studies such as this.

Some of the other disturbing GAO findings include:
• Only about 16% of counties that make records available in bulk or online place some restrictions on the types of entities that can obtain records.
• The GAO estimates that only about 23% of counties that make records available in bulk or online take any steps to verify the identity of entities that obtain records.
• A majority of counties reported that there is no state or local law that requires or prohibits them from obtaining the identity of those who receive records in bulk or online.
• Businesses obtain these records to use or resell data in them and may use SSNs to link identifying information on records back to specific individuals, such as ensuring that liens are applied to the correct individuals, since many people share the same name.
• Large counties and businesses said SSNs generally appear more often in certain types of documents, including state and federal liens. To a lesser extent, SSNs appear in judgments and mortgage records. The prevalence of SSNs in documents is relatively low and has decreased over time. However, because record keepers can maintain millions of documents, many SSNs may be displayed.
• The GAO said that title companies are the most frequent recipients of these records, but others such as mortgage companies and data resellers that collect and aggregate personal information often obtain records as well. Private companies said they obtain records to help them conduct their business, including using SSNs as a unique identifier.
• The GAO did not identify any federal laws that appeared to restrict the bulk transfer of state and local public records or the display of SSNs in those records, nor did it identify any federal law that provides protections for SSNs obtained from public records and sent overseas by private parties.