Protecting Social Security numbers online is a futile exercise

Social Security numbers face myriad security problems.

News today that Social Security numbers may not be as random nor secure as believed is just one more security problem the ubiquitous identification number faces.

Last fall, the Government Accountability Office found that Social Security numbers are under attack and your personal records are more exposed than you’d like to think. At least that seems to be the observation in a frightening study that says among other things that 85% of large counties and 41% of small counties in the U.S. make records that may contain SSNs generally available in bulk or online.

On top of that, many record-keepers do not or cannot restrict the types of entities that can obtain public records and may not know how records are being used. Finish that observation off with the notion that some businesses are sending records with SSNs offshore, primarily to India and the Philippines, even though not much is known about how such data are protected overseas.

The dour Web-based GAO study looked at 247 counties across the U.S. responsible for recording documents — including the 97 largest counties by population and a random sample of 150 of the remaining counties. Records could include birth, death, and marriage records; criminal and civil court case files; and records that reflect property ownership, such as property liens. Some records contain personally identifiable information, such as SSNs, dates of birth, and credit card or bank account numbers.

Alaska, Connecticut, Hawaii, Rhode Island and Vermont were not included in the study because the GAO said individual counties don’t collect personal data in those states.

So, if you have ever wondered how identity theft can be the number one consumer fraud problem seven years running, costing consumers more than $1.2 billion in 2007 alone, and showing no signs of letting up, perhaps we need only look to the results of studies such as this.

Some of the other disturbing GAO findings include:

• Only about 16% of counties that make records available in bulk or online place some restrictions on the types of entities that can obtain records.

• The GAO estimates that only about 23% of counties that make records available in bulk or online take any steps to verify the identity of entities that obtain records.

• A majority of counties reported that there is no state or local law that requires or prohibits them from obtaining the identity of those who receive records in bulk or online.

• Businesses obtain these records to use or resell data in them and may use SSNs to link identifying information on records back to specific individuals, such as ensuring that liens are applied to the correct individuals, since many people share the same name.

• Large counties and businesses said SSNs generally appear more often in certain types of documents, including state and federal liens. To a lesser extent, SSNs appear in judgments and mortgage records. The prevalence of SSNs in documents is relatively low and has decreased over time. However, because record keepers can maintain millions of documents, many SSNs may be displayed.

• The GAO said that title companies are the most frequent recipients of these records, but others such as mortgage companies and data resellers that collect and aggregate personal information often obtain records as well. Private companies said they obtain records to help them conduct their business, including using SSNs as a unique identifier.

• The GAO did not identify any federal laws that appeared to restrict the bulk transfer of state and local public records or the display of SSNs in those records, nor did it identify any federal law that provides protections for SSNs obtained from public records and sent overseas by private parties.

The GAO study did say some things were being done to control the use of SSNs. Several bills that would limit the display or sale of SSNs to the public or to private entities have failed in Congress but may be reintroduced.

For example, S. 238 generally would have prohibited the display or purchase of SSNs without the express consent of the SSN holder, with an exception for certain public records. H.R. 948 would have made it unlawful for any person to sell or purchase SSNs in a manner violating regulations to be promulgated by SSA. H.R. 3046 would have restricted the sale and display of SSNs to the general public by government entities; it did not specifically address SSNs in public records but would have required the Social Security Administration to develop uniform truncation standards. Finally, S. 2915 would have stopped display of SSNs to the general public on the Internet by state and local governments unless truncation standards to be set by SSA in accordance with certain guidelines were met; it also would have considered certain unencrypted transmittals of SSNs through the Internet to be a public display.

The GAO said some federal, state, and local governments have recently taken steps to safeguard SSNs in public records. The GAO said more than a third of counties have already redacted or truncated SSNs or are currently removing SSNs from their records; some in response to state laws and others of their own accord. Some states, such as New Jersey and Ohio, prohibit SSNs from appearing in any publicly recorded document. Others limit the requirement to specific types of records; for example, Kansas and Utah prohibit SSNs from being shown in voter registration records, the GAO said.

Recent actions by states and counties to limit the display of SSNs in records made available to the public through redaction or truncation are positive steps, the GAO said. But because millions of records with SSNs have already been obtained in bulk or online, these actions will protect SSNs only in future transfers.

Ironically or perhaps preemptively in light of the GAO report, the President’s Identity Task Force last year said federal agencies have worked to eliminate unnecessary uses of SSNs in their programs. For example, the Social Security Administration has removed SSNs almost entirely from its internal human resources forms. The Department of Defense has issued a plan to reduce its internal use of SSNs, including their removal from military ID cards. The Internal Revenue Service has been redacting taxpayer SSNs to the last four digits on all federal tax lien documents filed in public records and issued to taxpayers.
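The last-four-digit truncation described above, sketched as an added example (not code from the GAO, the IRS or any agency named here). The function names and the sample record are constructed for illustration; the plausibility check relies on the SSA's numbering rules, under which area 000, 666 and 900-999, group 00 and serial 0000 are never issued.

```python
import re

# Candidate SSNs: AAA-GG-SSSS with matching hyphen or space separators, or
# nine bare digits. The lookarounds reject matches embedded in longer digit
# runs such as account numbers.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})([- ]?)(\d{2})\2(\d{4})(?![\d-])")


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Return False for values the SSA never issues."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def truncate_ssns(text: str):
    """Mask the first five digits of each plausible SSN.

    Returns (redacted_text, number_of_ssns_masked) so a records office can
    log how many values a document contained before publication.
    """
    count = 0

    def mask(m):
        nonlocal count
        area, sep, group, serial = m.groups()
        if not plausible_ssn(area, group, serial):
            return m.group(0)  # not an SSN: leave the digits untouched
        count += 1
        return f"XXX{sep}XX{sep}{serial}"

    return SSN_RE.sub(mask, text), count


# Constructed sample record (not real data): two SSN-shaped values, one
# never-issued value (area 000) and one longer account number.
SAMPLE = (
    "FEDERAL TAX LIEN  Taxpayer: J. Doe  SSN 123-45-6789  "
    "Spouse SSN 123456780  Ref 000-12-3456  Acct 4000123456789"
)

if __name__ == "__main__":
    redacted, n = truncate_ssns(SAMPLE)
    print(n, "SSNs truncated")
    print(redacted)
```
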

In the news today, Carnegie Mellon University's Alessandro Acquisti, an assistant professor of information technology and public policy, and Ralph Gross, a postdoctoral researcher, said they developed an algorithm that analyzed data from the Social Security Administration's Death Master File, a public database of some 65 million Americans who have died and their SSNs, which is used for antifraud purposes.

They looked for numerical patterns in the deceased's SSNs, drawing correlations between where a person was born and their birth date and how that data relates to their SSN. "Our prediction algorithm exploits the observation that individuals with close birth dates and identical state of SSN assignment are likely to share similar SSNs," they wrote.
