Michael R. Farnum

Hitting the Security Nerve

The Social Security Number debate - should your SSN be published for the public to see?

If you are a Texan or are just a general information junkie, you may have heard about the social security number debate going on in the Texas Legislature. I wrote a fairly lengthy diatribe about it on my personal blog the other day, but the basic issue is that the Texas House has voted to "de-privatize" the social security number in Texas. This means that county clerks can release forms that are publicly available (marriage license applications, etc.) without redacting the social security number of the person who filled out the form.

Martin McKeay first wrote about this on his personal blog, and it started something of a blog storm with Cutaway and myself because we both live in Texas. Then Pete Lindstrom at his Spire Security Viewpoint blog wrote an opposing piece to Martin's post. While that post is significant in its arguments, it really points back to this post, where Mr. Lindstrom more fully explains his reasoning for disagreement. In this post, Mr. Lindstrom takes the position that all social security numbers should be published for all to see so as to "ensure that no organization has the opportunity to suggest that their secrecy can be maintained." All I can say is, "Wow." Actually, I can say more than that.

Mr. Lindstrom makes the following argument in support of his position:

Quick, try this: Count the number of banks, credit card companies, insurance companies, mutual fund companies, mortgage companies, and utility companies that you have EVER done business with. Now, multiply that number by 1,000 average customer service representatives and information systems personnel. Add in about 20,000 IRS customer service reps (or 100,000 total employees if you are feeling really skeptical); 65,000 Social Security Administration employees; the total number of employees for every human resources department of every job you’ve ever had; employee counts for the admin department at all schools you’ve attended; and don’t forget the credit reporting agencies you love to hate.

My conservative estimate is that over 150,000 people have “defendable” access to a typical person’s Social Security Number (SSN) over his or her lifetime (a number of my colleagues suggest this number is much higher). And I’ve left out the use of your SSN on military service records, medical records, and local and state tax submissions, among others.

Mr. Lindstrom, I have a couple of issues with this argument.  First, you call your estimate conservative while simultaneously attempting to inflate the numbers by asking the reader to make assumptions like including all 100,000 IRS employees because they MIGHT have access to your SSN.  You also inflate your numbers by assuming every Social Security Administration employee has access and every HR employee of every company you have ever worked for can access your information, and on and on.  While I consider myself fairly skeptical and paranoid (I'm paid to be that way), I do not have so little faith in humanity to think that every single one of these people are copying down my information and handing it out to the closet criminal for a few bucks.  I'll agree with the paradigm that a secret is no longer a secret if you tell someone else, but the possession of knowledge does not necessitate dissemination of said knowledge.

Second, while it may be entirely practical to make the assumption that knowledge equals dissemination in the world of security, I also think that there is just as much a possibility that at least some of these organizations have some types of controls in place to curb this type of curiosity and the revelation of SSNs to criminals. That may sound naïve, but I don't really think it is at all. I can't prove that argument, but neither can you prove your numbers, Mr. Lindstrom. So your "conservative" estimate is actually quite liberal.

My third problem with your argument is that you ENTIRELY discount a very large portion of the population of the United States, namely children and new citizens. These people just got their SSNs, and they have not done much (if any) business with banks, credit card companies, and the like. Should we publish their information? No, we shouldn't. Keeping their information private is still a possibility, IF we change the rules. If, as you say, there is no hope left for us poor souls who have taken part in this capitalist society we live in, then publishing our SSNs and other personal info may not be a big deal. But don't concurrently take away that same hope from the groups I named above. Again, IF we take this seriously and change the rules now, we can stop this problem from being inherited by our children and those trying to take part in our society by becoming citizens.

So Mr. Lindstrom, while I greatly appreciate your well thought out and very persuasive ideas, I do not think we can simply give everyone access to our private (yes, private) information just so no one can claim that it is being kept secret.  I simply do not buy that.  And in this case, shooting ourselves in the foot will also be shooting our kids and future citizens in the foot. 

What People Are Saying

I actually think making SSN

I actually think making SSN numbers public is a great idea. Businesses have for too long used this identification number like a credit card number. It is identification and not authorization. By making them public, and even allowing people to look up by SSN has advantages in fraud detection and identification. And it forces businesses to reconsider how they use SSN in business. It would force them to use it as identification only, and not authorization. Which solves a lot of issues with its use.
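The distinction this comment draws between an identifier and an authenticator is the crux of the whole debate, so here is an added illustration of it in code. It is not code from the post or from any of the commenters; the customer records, SSNs and secrets are constructed sample data, and the function names (`enroll`, `recover_weak`, `recover_strong`) are mine. The weak check treats knowledge of the SSN as proof of identity, which is exactly what the post's list of people with "defendable" access (or a published SSN list) defeats; the strong check uses the SSN only to find the record and authenticates with a separate secret the customer controls, so publishing every SSN changes nothing about what it accepts.

```python
import hashlib
import hmac
import os

# In-memory customer directory keyed by SSN. The SSN is only a record
# identifier here; nothing below depends on it staying secret.
# (Constructed sample registry for illustration, not real data.)
_DIRECTORY: dict[str, dict] = {}

_PBKDF2_ROUNDS = 200_000


def _hash_secret(secret: str, salt: bytes) -> bytes:
    """Slow, salted hash of the customer-chosen secret (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, _PBKDF2_ROUNDS)


def enroll(ssn: str, name: str, secret: str) -> None:
    """Create a record. The SSN is the lookup key; the secret is the authenticator."""
    salt = os.urandom(16)
    _DIRECTORY[ssn] = {"name": name, "salt": salt, "hash": _hash_secret(secret, salt)}


def recover_weak(ssn: str):
    """The anti-pattern the comment describes: knowing the SSN *is* the proof.
    Anyone with legitimate access to the number, or a published list of
    numbers, passes this check. Returns the customer name or None."""
    record = _DIRECTORY.get(ssn)
    return None if record is None else record["name"]


def recover_strong(ssn: str, secret: str):
    """SSN used for lookup only; access requires the separate secret.
    A leaked or published SSN lets a caller *find* the record but not open it.
    Returns the customer name or None."""
    record = _DIRECTORY.get(ssn)
    if record is None:
        return None
    candidate = _hash_secret(secret, record["salt"])
    # Constant-time comparison so the check leaks nothing via timing.
    if not hmac.compare_digest(candidate, record["hash"]):
        return None
    return record["name"]


if __name__ == "__main__":
    enroll("123-45-6789", "Alice Example", "correct horse battery staple")
    leaked = "123-45-6789"  # assume this number became public
    print("weak check opens the account:", recover_weak(leaked) is not None)
    print("strong check, SSN only:", recover_strong(leaked, "guess") is not None)
    print("strong check, real secret:",
          recover_strong(leaked, "correct horse battery staple") is not None)
```

The point of the contrast is that the strong version is indifferent to whether SSNs are secret, which is the property the commenter wants businesses to be forced into; the SSN remains perfectly usable as a key for fraud detection and record matching.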

Yea, and what about us US

Yea, and what about us US citizens who *DON'T* have SSNs like myself. Texas doesn't even have a SSN on file for my driver license, however if the Real ID Act goes into effect I may need to obtain an SSN, and I sure as hell wouldn't want that number public if that time comes...

Purposeful disclosure of all

Purposeful disclosure of all SSNs would cause immeasurable pain to many; much of that would be irreparable because of our inability to prosecute fraud perpetrated by those outside our borders. It would also probably tank the entire banking business as a result of their statutory obligation to eat credit card fraud. It would, however, have the beneficial side effect of forcing the government to issue everyone a new SSN in order to clean up the mess.

There has to be a better way.

I'm not advocating the

I'm not advocating the universal publication of everyone's SSN as some kind of panacea for identity theft, but I do need to point out the flaw in your objection to Mr. Lindstrom's argument.

I do not have so little faith in humanity to think that every single one of these people are copying down my information and handing it out to the closet criminal for a few bucks.

Identity theft doesn't require that "every single one" of those people be dishonest. It only takes one, out of those thousands of people who -- yes! -- have access to your information, whether they need to have it or not. If you don't believe me, let's ask the government social worker, who was the caseworker for my mother when she was in the nursing home, whose wife used my identifying information to obtain credit cards in my name. In all of the times that I met with him, all of the paperwork I filled out, I never gave that man my SSN, but the Dept. of Human Services investigator who looked into the situation told me that as an experiment, he was able to successfully bring that information up for himself through his access to private information as a state DHS employee.

Anyone, young or old, whether they've used it or not, who thinks their SSN is safe is kidding themselves.

The impression in the back

The impression in the back of my memory is that this whole issue started out when it was discovered that Texas counties were already making SSNs available on public web sites, contrary to current laws. The subject legislation arose to enable the county governments to continue on without having to fix their web sites. Instead of making these web sites compliant, they would just change the rules to make current practice legal.

Shot over Shot

Shot over
Shot out
....
Impact over
Impact out
....
BDA 100 and 100 target destroyed over
BDA 100 and 100 target destroyed have a nice day out

Of course you don't buy it,

Of course you don't buy it, because you are stuck in a box and it makes you really nervous - your entire argument is circular and you don't even know it. Note that my position is that the publication should be done with reasonable time (2 or 3 years?) for those entities that similarly latch onto your misguided apprehension.

I am happy to entertain alternative estimates for the number of people with access to your SSN; I ran those numbers by a private mailing group at www.securitymetrics.org and I stand by the estimate as a conservative one. (If you really want inflated numbers, check out the baloney that privacyrights.org is purposely pushing to get its 100 million IDs stolen estimate. And note that possession of any information there is subject to fraudulent use in the same manner as the insider case).

In any case, after tens of thousands or the hundreds of thousands that I estimate, the number doesn't really matter. What does matter is that the identity fraud perpetrated by these "legitimate" people outweighs that of your bad guys by far.

Unfortunately, that box you are in apparently has no room for alternative solutions that are better suited to the job at hand. You may not be familiar with the many different forms of legitimate authentication that are available to us today - if you were, perhaps you would recognize that there is no shortage of options and the only thing holding back a more secure approach is people like you that think that you can somehow make your SSN private again (no, not private, and never really was).

Btw, the whole heartstrings emotional presentation of doing things for "the children" is so truly lame not to mention naive and wrong that you should be embarrassed for saying it.

Texas Rules!!! No

Texas Rules!!! No seriously, we rock!!

That said, I hope that some state and federal congress men and women are following these debates. If anything I believe this overall conversation to be a great start to deciding how we are going to proceed with the future protections associated with our citizens.

We need the government to force businesses to stop providing methods for criminals to so easily affect their customers. SSNs are just the first step. I believe the only answer to this situation is going to be forcing business to stop using electronic means to establish authenticity of a person. They already have the means in place to recognize and mitigate suspicious and malicious activity (because it costs them money). Now it is time for the next step.

Keep up the good work, Michael.

Did I mention that Texas Rocks!!

Go forth and do good things,
Cutaway