From ucdavis!ucbvax!RED.RUTGERS.EDU!AWalker Fri Nov 13 18:33:17 PST 1987 Article 136 of misc.security: Path: ucdavis!ucbvax!RED.RUTGERS.EDU!AWalker >From: AWalker@RED.RUTGERS.EDU (*Hobbit*) Newsgroups: misc.security Subject: Yet more about SS numbers Message-ID: <12349698929.28.AWALKER@RED.RUTGERS.EDU> Date: 11 Nov 87 08:42:20 GMT Sender: daemon@ucbvax.BERKELEY.EDU Distribution: world Organization: The ARPA Internet Lines: 402 Approved: security@rutgers.edu Hopefully this is the last of it... _H* -*-*-*-*-*-*-*-*-*-*-*-*-*-*- Subject: Another no SSN reason Date: Fri, 02 Oct 87 22:38:30 -0400 >From: new@udel.edu Nark Mason writes about Social Security Numbers: >I still haven't seen anyone give a good reason *why* to keep it [your >SSN] secure. ... What horrible ded can be done with it that makes it not >worth giving it out and the hassle that might follow? Well, here's a story that happened to a good friend of mine that I wouldn't want to worry about. She sent in her tax returns, and got a letter saying she still owed $6000 for the money that she inherited, plus fines and interrest and a possible jail sentence. It turns out that someone, somewhere had inherited money and made up an SSN at random to avoid the taxes. After about six months of "hassle" (to say the least) she finally convinced the IRS that she did not inherit anything. She was able to do this only because the name did not match the SSN, and the address was in New York instead of her actual address near Phila. Now, I have been fighting institutions that use my SSN as a key primarily because most of these insist on printing it on the mailing label along with my name and address. They claim this is so that when mail comes back (mail that most people would consider "junk mail" anyway), they can remove the name easily from the mailing list. Can you imagine the "hassles" I could have if the clerk at the institution plans ahead for a successful trip to Atlantic City or Vegas, taking a few names, addresses, and SSNs along? How about the postal clerks that get to read my SSNs? My main complaint is not with the institution that uses my SSN as a key, but rather the uses other than as a key to which it is put. Incidently, does anyone use a database package that can handle sufficient volume that names cause too many clashes, yet that does not have a mechanism for generating unique keys? Why must I supply my own key? Not only am I reduced to a "mere number," but I must reduce MYSELF to a number. Regarding Government agencies requirements, what about Federally funded institutions? Can universities that are federally assisted demand my SSN? - Darren New University of Delaware new@dewey.udel.edu -*-*-*-*-*-*-*-*-*-*-*-*-*-*- Date: Mon, 5 Oct 87 09:33:45 cdt >From: Jonathan Harris Subject: SSN's why get so upset about it. After all this talk of people not giving out social security numbers to utilities and such, I have yet to hear anyone explain what is the harm in giving it out and why it is worth all of this fuss. True, the social security number is really meant for social security and tax administration, but what harm can someone do if he finds your SSN. Apparently nothing; that is unless you are a deadbeat intending to skip down and refuse to pay your phone/electric bill. -*-*-*-*-*-*-*-*-*-*-*-*-*-*- Date: Mon, 5 Oct 87 21:51:27 EDT >From: Douglas Humphrey Subject: Re: ssn's >So the real question is this: > How many databases list my MIT 888 number as my SSN I would hope that most peoples data bases have some sort of validity check on SSNs, since you can call the SSA and get a definition of the SSN from them, and it does mention at least some of the field values that are 'not right'. I saw a spec for this stuff about 5 years ago perhaps in a Government RFP or something. Maybe a call to the SSA would answer this? -*-*-*-*-*-*-*-*-*-*-*-*-*-*- Date: Tue, 06 Oct 87 08:53:04 EDT >From: "A. Harry Williams" Subject: Re: Digest of SSN responses I find the response to both SSN and phone numbers as "If you don't have anything to hide, why not give it out". That is the same argument as if the defendant doesn't take the stand in a criminal trial, he must be guilty. Also, I'm not sure that US SSN have a checksum. My sisters and I have consecutive SSNs. -*-*-*-*-*-*-*-*-*-*-*-*-*-*- Date: Tue, 6 Oct 87 12:20:01 EDT >From: Larry Hunter Subject: Re: Why Protect SSNs? Well, the practical reasons to associate your SSN with as few records about you as possible have to do with the fact that large, powerful entities (like the IRS and large consumer products companies) use techniques like block modelling and record matching to exert unpleasant power over individuals. For example, the IRS uses social security numbers to look up credit ratings and self-described income data associated with consumer purchases (those little warrantee registration cards...) to audit people it thinks may be under-reporting income. Big credit and insurance concerns use SSNs to find records that can penalize you by denying you credit or insurance on the basis of information that you rarely see and never know how they get. Other uses include targeting the marketing consumer products and matching government records against each other or commercial records. Those large tax, law enforcement and marketing data analyses are more difficult to do on someone who witholds SSN. Unfortunately, the cause of most of the trouble is invisible to the people who get screwed. Nobody says "we decided to audit you (investigate you, use this ad on you) because of information we could analyse based on your SSN." It is quite difficult to track down the explicit uses of SSNs within specific organizations; they are not interested in baring their data analysis techniques to outsiders at all. So for illustrative purposes, let me show how with your social security number and a little motivation someone can learn all of the intimate details of your life, ruin your credit rating and get warrants issued for your arrest: Your enemy gets your social security number. He goes to the local department of motor vehicles and get a driver's license in your name by telling them he lost it and giving them your SSN. Knowing your driver's license number (SSN in many states) is usually sufficient ID for getting a replacement license. He takes the driver's license to the social security office, tells them the appropriate SSN and asks for "his" payment record. They tell him your employer, your income, any interest bearing bank accounts you have and any securities you have bought or sold in the last 3 years and some odd months. He can find out the medical insurance company used by your employer and get your medical records from them in a similar way. He can also use the employment information along with your SSN to get credit cards in your name (credit card grantors use SSNs to access your credit records, and want little information on you other than SSN, employer and bank accounts). After buying a fast new car on your credit, he gets a lot of speeding tickets on your license. The criminal warrants that show up when he doesn't pay the tickets are attached to your social security number. If he really wants to get you in trouble, he gets busted for drunk driving or hit and run on your license, makes bail and throws the license away. You now have a mountain of bad debt and a felony arrest warrant, not to mention an enemy who knows every penny you have, what your credit record is like and all of your medical history. He got it all by just knowing your SSN. Paranoid? Sure. I don't think this sort of thing happens very often, but it provides an idea of the power in those 9 digits. I personally believe that the institutional (mis)use of SSNs is by far a worse problem than the kind of criminal behavior I just described, but I find the latter is more persuasive to people who are cavalier about having "nothing to hide". Try reading David Burnham's "The Rise of the Computer State" or his upcoming book on the IRS, or Robert Ellis Smith's "Privacy: How to Protect What's Left of It" for more detailed discussions. Larry Hunter -*-*-*-*-*-*-*-*-*-*-*-*-*-*- Date: 6 OCT 1987 22:51:13 EDT >From: "Bryan, Jerry" Subject: Digest of SSN responses The Privacy Act of 1974 does *not* mention universities by name. I quote as follows: "Sec. 7.(a)(1) It shall be unlawful for any Federal, State or local agency to deny to any individual any right, benefit, or privilege provided by law because of such individual's refusal to disclose his social security account number." That all sounds well and good, except for the following little "gottcha's". 1 -- The original Privacy Act included the following exception: "(2) the provisions of paragraph (1) of this subsection shall not apply with respect to (A) and disclosure which is required by Federal statute" Note that "disclosures which are required by Federal statute" are legion. For example, open a bank account, register for the draft, etc. 2 -- the privacy act is grandfathered, so that anybody doing it before January 1, 1975 can keep doing it 3 -- Congress has passed many, many exemptions and exceptions to the original Privacy Act, the worst of which is specifically authorizing states to use SSN's for driver's licenses and vehicle registration (Tax Reform Act of 1979). 4 -- The clause in the original law making it apply to "any right, benefit, or privilege provided by law" is a pretty stiff test, according to lawyers who handled a SSN refusal case for me. It is pretty hard to convince a judge that attendance at a university is a "right, benefit, or privilege provided by law". And even if you did, the laws establishing universities in most states are ones which have been exempted from the Privacy Act by subsequent legislation (the Tax Reform Act of 1979). 5 -- The original Privacy Act contained no penalty for violation. Again, according to my lawyers, a law with no penalty is essentially unenforcable. What is needed is something like a $1000 fine for every violation. Can you imagine how quickly a university would straighten up if it had to pay $1000 for every student for which it used an SSN as a student ID? As an example of how tangled these webs can become, both the folks giving ACT tests and SAT tests key the results off of SSN's, and these are private organizations utterly uncovered by any privacy legislation. Most (all?) universities that receive ACT and/or SAT scores match them up with their students via SSN's. Thus, universities have a valid, practically mandatory reason for having the SSN for all students on file, even if they do not use SSN for student ID. Furthermore, if the university is involved at all in the disbursement of federal money to students (various student loans, etc.), the feds will *require* SSN's for all the students involved. What's the poor university to do? Finally, grant applications to such agencies as National Institute of Health and National Science Foundation require the SSN's of all professors and students who will use the money? Again, what is the university to do? It really is too late, folks. Big Brother is already here, alive and well. And even Mr. Reagan with all his "get the government off the back of the people" rhetoric has greatly expanded Big Brother, provided only that it is in support of his declared social goals -- catching welfare cheats and such. The ends do justify the means, you know, as long as it is your own ends you are after. -*-*-*-*-*-*-*-*-*-*-*-*-*-*- >From: mtune!mtgzy!norm@RUTGERS.EDU (n.e.andrews) Subject: Re: ssn's Date: 7 Oct 87 15:29:29 GMT > Why bother? What horrible deed can be done with it that makes it worth > not giving it out and the hassle that might follow? False income tax returns could be filed against someone's social security number. I suspect the consequences of that could qualify as a hassle... There must be other bad things that could be done using people's social security numbers, all of which could cause the real owner a lot of unnecessary trouble. I never did like the idea of tying the unlimited power of the State so intimately to everyone's personal business... -Norm Andrews, speaking for himself -*-*-*-*-*-*-*-*-*-*-*-*-*-*- >From: matt@oddjob.uchicago.edu (Godfather to putty-tats) Subject: Re: ssn's Date: 9 Oct 87 21:28:58 GMT Guess who asked for my SSN this week. The Phone Company. I was ordering new service preperatory to moving and they first asked for employment information. I said "You don't really need that, do you? I'm a current customer and you know I pay my bills." The clerk said "Just a moment", then read me my employer's name and my (previous) title! Then she asked for my SSN to "complete their records". I hollered quietly and she said, "Actually, you can decline." Matt Crawford -*-*-*-*-*-*-*-*-*-*-*-*-*-*- >From: mcb@lll-tis.arpa (Michael C. Berch) Subject: Re: ssn's Date: 8 Oct 87 23:06:48 GMT To: This came up before in a Usenet newsgroup and is worth reiterating here. Look: I don't care what your feelings about giving out SSNs are, or what effect it has on your privacy, or how the country is going to hell in a handbasket because of the pervasive use of SSNs. Just DON'T, under any circumstances, just "make up a number" and give it out. The odds that it is already assigned are substantial. (And don't weasel around about how the 900's aren't used for SSNs; they're used by the IRS as "Taxpayer Identification Numbers" (TINs) and belong to people/corporations, too.) If I got tangled up in a bureaucratic mess about some purchase or payment or tax matter because some pinhead "made up a number" and it happened to be mine, I would be massively (and justifiably) pissed off. "Making up a number" is an anti-social, offensive thing to do, and one that (even given my laissez-faire, anti-authoritarian point of view) I would not hesitate to report to criminal authorities if I discovered it. Michael C. Berch ARPA: mcb@lll-tis.arpa UUCP: {ames,ihnp4,lll-crg,lll-lcc,mordor}!lll-tis!mcb -*-*-*-*-*-*-*-*-*-*-*-*-*-*- Date: Sun, 11 Oct 87 23:06:51 EDT >From: lear@aramis.rutgers.edu (eliot lear) Subject: Re: ssn's Hi Curios, If someone wants to do a credit check on you, generally they need only your ssn and your permission. If they don't have the latter, they shouldn't have the former. Eliot -*-*-*-*-*-*-*-*-*-*-*-*-*-*- Date: Mon, 12 Oct 87 08:31-0700 >From: The Bandit Subject: moron social security numbers. I have seen numerous messages fly by these past few weeks regarding the sense (or nonsense) of keeping one's ssn private. All too often people declare that ssn's are unique. Would that this were true, but, unfortunately, it is not. Because uniqueness is not guaranteed, I prefer not to give out my ssn. I certainly wouldn't want someone's tainted credit rating affecting my rating, nor would I wish to demolish someone else's -- were such dire things to occur. Derek Haining Academic Computing Services University of Washington Seattle, Washington (206) 543-5852 DEREK@UWARITA.BITNET -or- DEREK@RITA.ACS.WASHINGTON.EDU -*-*-*-*-*-*-*-*-*-*-*-*-*-*- Date: Fri, 16 Oct 87 11:02:00 EDT >From: "Una R. Smith" Subject: SSN Yes, it's much easier for people to manipulate information about you in a computer when they have your SSN, since it's a variable that can be matched so easily. But the flip side of that coin is what worries me. Think how easy, with a NINE digit number, it is for data coders to make keystroke errors. Of course this can happen with your name, but names have familiar patterns, or are very unfamiliar. Either way, the rate of error should be lower for coding names. But even if it isn't, that's ok, because few (if any) organizations with information about you will ever even attempt to merge data by your name. If 2 files are being combined, and your name is the common variable, and there is an error in 1 name record, there is no match. But if the SSN is used, and a coding error has occurred, there is the chance that SOMEONE ELSE'S history will be appended to your name, either under your SSN, or under theirs, depending on the coding error. Now, if you are a bad customer or whatever, you don't really care if this happens, because the chances are your history will only be improved. But if you are one of those sterling types who always pay on time, etc. and you "have nothing to hide, so why not give the SSN without a fuss", you might be burned badly. And even if the error isn't terrible, getting the problem fixed can take a long time. Just try telling someone that thier records on you are WRONG, especially if they have them on a computer. The chances are high that you will only get to talk to someone who either 1) believes computers don't make mistakes, or 2) is afraid of the computer, or 3) doesn't know how to correct the records on you, since they are hidden in the computer, and doesn't want to bother finding out, or 4) CAN NOT change the data in the computer because someone down the line never imagined that changes would be necessary. If you think any of the 4 cases above is unrealistic, let me assure you that I know of instances of all 4 cases occuring. My mother is still fighting the property tax administrator in her city after 2 years because the records she got out of his computer database, thanks to a naive underling, do not agree with the tax assessments people in her neighborhood have been paying. The difference, she has discovered, amounts to nearly a million dollars annually coming out of single family residences instead of appartment complexes. The tax administrator's office has been stonewalling for over 2 years because they won't admit that there is no way, currently, for them to get to the actual data; they insist "the printout is wrong." This is clearly an example of case 4 above, with maybe a little old-fashioned corruption thrown in for good measure. Recently someone said he hadn't withheld his SSN in the past, so there is no point to beginning now. I strongly disagree. No one is going to make any great effort to match SSN's to data about you by hand, and it's unlikely that if they do have your SSN that they also have a way of looking at your name and address via computer. After all, the SSN is so handy just because it lets merchants, etc. treat your name as just the first line of your address. The format is often free-form, and it is difficult to extract your name in program-driven databases. They certainly won't get any help from the SS Administration. -------