How To Stop Businesses Storing SSNs Indefinitely?

kdawson posted more than 4 years ago | from the not-so-secret dept.

Privacy 505

The Angry Mick writes "My wife and I recently moved, and during the course of providing change-of-address information to the many companies we do business with, I asked each if they were storing a full Social Security number in their databases, and if so, could they remove it or replace it with an alternate identifier. Neither the experience nor the results were particularly enjoyable. On the positive end of the spectrum, some companies were more than willing to make a change, even offering suggestions for a suitable alternate such as a driver's license number. In the middle were companies that made things a little more difficult, requiring several steps up the management tree before speaking to someone with some actual authority to address the issue. Then there was DirectTV. This company not only flatly refused to consider the suggestion, but also informed me that even if I were to discontinue service with them, they still intended to keep my full SSN on file indefinitely. There is no logical reason for them to do this, and I'm not keen on the idea of being left vulnerable to identity theft should they experience any security breaches at any future point in my life. So, my questions to the Slashdot community are: Has anyone else tried getting your SSN replaced or removed in corporate databases, and what were your experiences? And short of Armageddon, is there any way to force a company to erase your SSNs after you cease doing business with them, or is this a job for a lawyer or regulatory body?"

505 comments

Bad news. XD (3, Informative)

BlueKitties (1541613) | more than 4 years ago | (#29064895)

Some (financial) Point Of Sale software I designed uses SSNs to tell the difference between customers with identical names. If I change the SSN... it thinks you're a new customer. Well... this is something to think about.

Re:Bad news. XD (4, Informative)

dintech (998802) | more than 4 years ago | (#29065021)

I was wondering if there was anything equivalent to the Data Protection Act [wikipedia.org] in America:

  • Data may only be used for the specific purposes for which it was collected.
  • Data must not be disclosed to other parties without the consent of the individual whom it is about, unless there is legislation or other overriding legitimate reason to share the information (for example, the prevention or detection of crime). It is an offence for Other Parties to obtain this personal data without authorisation.
  • Individuals have a right of access to the information held about them, subject to certain exceptions (for example, information held for the prevention or detection of crime).
  • Personal information may be kept for no longer than is necessary and must be kept up to date.
  • Personal information may not be sent outside the European Economic Area unless the individual whom it is about has consented or adequate protection is in place, for example by the use of a prescribed form of contract to govern the transmission of the data.
  • Subject to some exceptions for organisations that only do very simple processing, and for domestic use, all entities that process personal information must register with the Information Commissioner's Office.
  • Entities holding personal information are required to have adequate security measures in place. Those include technical measures (such as firewalls) and organisational measures (such as staff training).
  • Subjects have the right to have factually incorrect information corrected (note: this does not extend to matters of opinion).

Re:Bad news. XD (1, Interesting)

Anonymous Coward | more than 4 years ago | (#29065211)

No. In America, anything you collect is yours to sell. It can be quite a shock for those used to the European protections. US companies fall foul of this all the time when they set up EU operations. Old US companies are very good though, mainly because they're staffed by the locals and not exports.

Re:Bad news. XD (5, Insightful)

Hatta (162192) | more than 4 years ago | (#29065245)

No, in America we use the free market system. Which means the system is free to market your data any way they want.

Re:Bad news. XD (3, Interesting)

TaoPhoenix (980487) | more than 4 years ago | (#29065345)

It's Burn-Karma-Friday!

In scary America: (Slight exaggeration)
All data is now subordinated to Stopping Terrorists. All other uses are bonuses.
Data must be disclosed upon request without the consent of the individual, unless legislation provides a reason not to share the data, AND no current executive order exists allowing the override of that legislation.
Individuals have no right to access the info about them, subject to certain exceptions.
Personal info must be kept longer than necessary, and may not be up to date.

Re:Bad news. XD (3, Informative)

Sun.Jedi (1280674) | more than 4 years ago | (#29065417)

There is not much [wikipedia.org]. This excerpt, "In general terms, in the U.S., whoever can be troubled to key in the data, is deemed to own the right to store and use it, even if the data were collected without permission," is particularly disturbing.

Data may only be used for the specific purposes for which it was collected.

While you may THINK the data was collected for either a sale, long term lease agreements (similar to cable service), or whatnot... the ACTUAL specific purpose was to track you and sell your information to "partners".

Data must not be disclosed to other parties without the consent of the individual whom it is about

This is where the "partners" come in ... See JCpenny and SBS [google.com] for an example of 1 company using your information and giving it to a partner company.

Personal information may be kept for no longer than is necessary and must be kept up to date.

Too bad it's not supposed to be deleted if it can't be confirmed in given period of time. Also, SSNs don't expire, so you get off their list if you die. Yay.

Re:Bad news. XD (1, Funny)

Anonymous Coward | more than 4 years ago | (#29065445)

Generally speaking, I think they use a variant of this disclaimer [buynlarge.com].

Broken by design. (4, Insightful)

jackb_guppy (204733) | more than 4 years ago | (#29065127)

There is no reason for a POS to have SSN. There are many other methods to get uniqueness.

When companies ask for it, I request for what use do they have for it. I have left hospitals for requesting the information, for they have no need for the information.

But to ask a person doing a POS transaction for their SSN, is just plain broken.

Re:Broken by design. (4, Informative)

TheRealMindChild (743925) | more than 4 years ago | (#29065309)

This isn't really in defense of the hospitals, but a WHOLE LOT of people use the hospital because they can't pay for medical attention and the hospital can't refuse. The SSN is likely there so they can track you down to the ends of the Earth to try and get their money.

Re:Bad news. XD (2, Insightful)

HogGeek (456673) | more than 4 years ago | (#29065135)

The SSN was never intended to be used this way. If it was your choice to use the SSN in ANY database, you should be beat, if it was somebody else, please identify them.

It is this type of abuse and use of SSN numbers that has helped enable identity fraud.

Re:Bad news. XD (1)

Silverstrike (170889) | more than 4 years ago | (#29065201)

No offense, but I've always suspected that the biggest reason companies have irresponsible policies like the one described in the OP is because of irresponsible programming like you just described.

In order to perform collision detection, there is absolutely no reason that you couldn't track the SSN separately from the primary key on your "customers".

I'm not big on regulation, but there really should be a law preventing the usage of SSN as a PK in any data storage schema.
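The design point in this sub-thread (a primary key that is independent of the SSN, with duplicate detection kept separate), sketched as an added example that is not any poster's code. The table and column names, the demo key, and the sample numbers are assumptions made for illustration.

```python
import hashlib
import hmac
import sqlite3
import uuid

# Constructed demo key. A real deployment would load it from a secrets store.
DEDUP_KEY = b"constructed-demo-key"


def ssn_token(ssn, key=DEDUP_KEY):
    """Keyed digest used only to spot duplicates; the SSN itself is never stored.

    HMAC rather than a bare hash: with under 10**9 possible SSNs, an unkeyed
    digest could be reversed by trying every value.
    """
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("expected nine digits")
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def open_db():
    """In-memory database with a hypothetical customers table."""
    db = sqlite3.connect(":memory:")
    db.execute(
        """CREATE TABLE customers (
               customer_id TEXT PRIMARY KEY,  -- surrogate key, never derived from the SSN
               full_name   TEXT NOT NULL,
               id_token    TEXT UNIQUE,       -- nullable: optional, replaceable, erasable
               closed      INTEGER NOT NULL DEFAULT 0
           )"""
    )
    return db


def add_customer(db, full_name, ssn=None):
    """Return (customer_id, created). A known SSN maps to the existing record."""
    token = ssn_token(ssn) if ssn else None
    if token is not None:
        row = db.execute(
            "SELECT customer_id FROM customers WHERE id_token = ?", (token,)
        ).fetchone()
        if row:
            return row[0], False
    customer_id = str(uuid.uuid4())
    db.execute(
        "INSERT INTO customers (customer_id, full_name, id_token) VALUES (?, ?, ?)",
        (customer_id, full_name, token),
    )
    return customer_id, True


def remove_identifier(db, customer_id):
    """Honour a removal request: the record and its key are untouched."""
    db.execute(
        "UPDATE customers SET id_token = NULL WHERE customer_id = ?", (customer_id,)
    )


def close_account(db, customer_id):
    """Closing the account erases the identifier instead of keeping it indefinitely."""
    db.execute(
        "UPDATE customers SET closed = 1, id_token = NULL WHERE customer_id = ?",
        (customer_id,),
    )


def demo():
    db = open_db()
    # Constructed values: area number 000 is never issued as a real SSN.
    a, _ = add_customer(db, "John Smith", "000-00-0001")
    b, _ = add_customer(db, "John Smith", "000-00-0002")
    again, created = add_customer(db, "J. Smith", "000 00 0001")
    remove_identifier(db, a)   # customer a is still customer a afterwards
    close_account(db, b)       # nothing identifying is retained for b
    remaining = db.execute(
        "SELECT COUNT(*) FROM customers WHERE id_token IS NOT NULL"
    ).fetchone()[0]
    return {
        "same_name_kept_apart": a != b,
        "same_ssn_matched": again == a and not created,
        "tokens_remaining": remaining,
    }


if __name__ == "__main__":
    print(demo())
```

Because the token is nullable and unique only when present, customers who decline to give a number can still be stored, and erasing it on request or on account closure never creates a "new customer".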

Ugh, DirecTV should just go away (0)

Anonymous Coward | more than 4 years ago | (#29064897)

DirecTV. I cannot stand them and am getting ready to pull the plug on their service. Somehow their attitude doesn't surprise me.

Re:Ugh, DirecTV should just go away (5, Informative)

Reece400 (584378) | more than 4 years ago | (#29064971)

If you provide your SSN to Comcast, they also store it indefinitely.
They use it for internal credit checks to make sure you don't owe them any money on previous accounts (and likely for other things as well).

That said you can usually set up an account without your SSN, but you'll need to set it up directly with your local office instead of by phone or internet.

Re:Ugh, DirecTV should just go away (3, Insightful)

homey of my owney (975234) | more than 4 years ago | (#29065111)

Although it is actually illegal to use a SSN for identification, companies claim it is for, uhhh, just for the record. I'm sure you must be among the 99% of people with a cell phone. I've tried with all of the big three to get a phone without giving a SSN, explaining that it is illegal to require me to provide it, and they all told me "I understand, thanks for shopping with us".

Re:Ugh, DirecTV should just go away (3, Interesting)

Lord Jester (88423) | more than 4 years ago | (#29065221)

... explaining that it is illegal to require me to provide it...

Except for the purposes of a credit check.

Part of the reason companies keep this information, in my estimation, is to have ready to perform future credit checks if you request additional service.

I know with my cell contracts, every time I have added a line, my credit gets checked. Never mind that I have been a customer in good standing for many years.

Re:Ugh, DirecTV should just go away (1)

langelgjm (860756) | more than 4 years ago | (#29065141)

I recently set up cable and Internet service with Comcast. The phone rep asked me for my SSN, and I asked if it was required (knowing full well it's not).

He then replied with what I can only assume is complete and utter bullshit. Something about Comcast having special permission from the FCC to get SSNs, to help prevent identity theft. As if the FCC has the authority to do that?

I asked him if I could give him a code instead, and he refused. He finally got tired of me and said he could use my driver's license number.

DirecTV gives service to identity thieves! (2, Informative)

NixieBunny (859050) | more than 4 years ago | (#29065185)

I had their collection agency call me earlier this year asking if I really was the person who ordered service in my name in a house on the other side of town and failed to pay the bill for three months. No, it was an SSN thief who took out service in my name, using my fine credit rating. It turns out that DirecTV doesn't check your bona fides such as your address - they only run a credit check on the name and SSN you provide, without verifying that you belong to either that name or SSN!

Simple: Use Linux (-1, Troll)

Anonymous Coward | more than 4 years ago | (#29064899)

Linux is well known to be an unreliable operating system, hence if you want your information to 'expire' as the author in this email describes, storing it on a Linux based platform is probably your best option; chances are, after a few days, weeks or months, the system will have irrecoverably crashed or lost the data due to a syntax error in a configuration file. Also, Linux is free, which is always good.

The Solution. (0)

Anonymous Coward | more than 4 years ago | (#29064907)

Move to Canada.

Something I've considered... (5, Insightful)

Anonymusing (1450747) | more than 4 years ago | (#29064915)

Lately it seems everyone wants to know my SSN: my dentist, my grocery store, my heating fuel supplier, the guy who changes my oil, etc. When credit checks are required, I ask them to try running it without the SSN (just address data) and often they will try. Other times, they are simply using the SSN as a convenient identifier for customers -- !!!! -- so I politely suggest a different number, or insist on only giving 3-4 digits of it. Thankfully my health insurance company will generate an internal ID# for you, if you request it, so that your SSN is not printed on your insurance card and therefore stored at your physician's office.

Other than to the government, and to organizations directly attached to my banking needs, what's wrong with giving a different number in place of the SSN? As long as you can remember it, that is. Would that be considered some kind of fraud?

Re:Something I've considered... (4, Interesting)

pz (113803) | more than 4 years ago | (#29064977)

Back in the early 1980s -- yes, nearly 30 years ago -- MIT allowed students to refuse to have their SS numbers as their Institute ID numbers. In those cases, and also for foreign students who nominally don't have SS numbers, they issued numbers that passed the SS check, but were from an otherwise unallocated block. They cleverly encoded your class year into the number to boot. For a long time I gave my MIT ID number when non-finance-related institutions requested an SS. Worked fine.

I haven't had an active MIT ID for a long while, so don't know what they do now.

Re:Something I've considered... (3, Interesting)

jDeepbeep (913892) | more than 4 years ago | (#29065069)

MIT allowed students to refuse to have their SS numbers as their Institute ID numbers.

A technical college I attended in Arizona was slightly different. They did allow you to use your SSN for your student ID, however, if you did so, every 4 months you were sent a letter that explained why this was a bad idea, for the student, to persist in doing this, and it closed out with a paragraph urging you to change it to something different.

Re:Something I've considered... (1)

Reece400 (584378) | more than 4 years ago | (#29065007)

Well, if the number will be used in a credit check, the check will have a high potential for giving inaccurate information, or generally coming back with no record.

Re:Something I've considered... (1)

Anonymusing (1450747) | more than 4 years ago | (#29065027)

Certainly. But why would my grocer run a credit check on me? I don't have any kind of credit account with them. Same with the dentist. Or the auto mechanic.

Re:Something I've considered... (2, Interesting)

digitalchinky (650880) | more than 4 years ago | (#29065145)

The simple reason: Because everyone else is doing it.

Re:Something I've considered... (1)

Anonymusing (1450747) | more than 4 years ago | (#29065435)

Well, that's just stupid.

And if they do a credit check, and it fails because of a fake SSN, I'm sure they will either (a) alert me and ask WTF, or (b) ignore it because there is NO GOOD REASON they would need it anyway.

Re:Something I've considered... (4, Insightful)

moose_hp (179683) | more than 4 years ago | (#29065191)

I'm not trying to be a troll here, this is an honest question.

I'm not from the United States, nor do I live there, but I never got why exactly is a SSN supposed to be secret, is it possible to do identity theft with only the SSN alone? Here in Mexico we have a ton of personal identification numbers (RFC, CURP, IFE number, Passport, Drivers License, Military Service, Social Security, Professional Certificate, etc) and none of them is really supposed to be secret, I don't get why people from the USA have a secret number that you're not supposed to divulge, yet you need to give up for reasons like cable TV contracts and there's chaos when something like a database of SSN got leaked.

Re:Something I've considered... (1)

Doctor Faustus (127273) | more than 4 years ago | (#29065329)

is it possible to do identity theft with only the SSN alone
SSN and name, yes. It's basically being used as both an ID and a password, when it's really just an ID. I think trying to keep it secret is addressing the problems from the wrong side, but to stop using it for authentication is not something an individual can do.

Re:Something I've considered... (-1, Troll)

Anonymous Coward | more than 4 years ago | (#29065359)

Wait... A Mexican STAYING in Mexico? This is unheard of!!


Yes I'm being an ass. Feel free to mod me down. I'm being an asshole and a coward, I'm posting anonymously for just that reason.

Re:Something I've considered... (5, Informative)

jDeepbeep (913892) | more than 4 years ago | (#29065431)

is it possible to do identity theft with only the SSN alone?

Unfortunately, yes. It provides enough of a building block (used both as an identifier and as an authenticator) to allow a moderately-clever person to build up the rest of the identity.

Re:Something I've considered... (1)

B'Trey (111263) | more than 4 years ago | (#29065481)

It's a sort of self perpetuating system. Originally, the Social Security Number was intended only for use with the Social Security system. However, because it's a controlled, unique number assigned to individuals, it's easy and convenient to use as a unique ID for all sorts of record systems. Having someone's name and SSN makes it fairly easy to do identity theft. Part of the problem is the ubiquity of the SSN as an identifier and part of it is sloppy procedures which don't verify that the name and SSN actually belong to the individual using them.

Re:Something I've considered... (4, Informative)

Daniel_Staal (609844) | more than 4 years ago | (#29065487)

It's not. It's supposed to be unique (within certain criteria: they do get reused eventually) across everyone in the USA, so the Social Security Administration can identify everyone. That's all it was designed for.

It just happened that the SSN was the first major government number that everyone was required to have. So everyone else used the fact that it was there and unique to make their lives easier. Which means that now everybody tracks you by that number, and if you have that number you can impersonate anyone in any database that uses it.

It's not supposed to be secret. It's not supposed to be your full ID. It just became that.

Re:Something I've considered... (1)

iron-kurton (891451) | more than 4 years ago | (#29065361)

I don't see why there isn't a standard that says to use something like a Driver's license number, run it through an irreversible algorithm that uniquely identifies the DL number (something similar to md5 but which is guaranteed to be unique). Wouldn't that solve these stupid problems??

Re:Something I've considered... (1)

elrous0 (869638) | more than 4 years ago | (#29065437)

When I was in college, EVERYTHING was done by SSN. SSN's were frequently publicly posted (with names associated) on everything from tests to dorm sign-in sheets. It was amazing that there wasn't more identity theft back then (this was when the internet was just hitting). No way would I toss around my SSN today like I did then. I even made my workplace stop using full SSN's on their training sign-ins. SSN's have been used WAY too much in the past on stuff where there wasn't even really any need for them.

issue people new SSNs every year (1)

kk49 (829669) | more than 4 years ago | (#29064925)

The IRS could send out a new number after they process your tax information. Since its only "real" long term purpose is for social security and taxes right?

Re:issue people new SSNs every year (4, Insightful)

Alaren (682568) | more than 4 years ago | (#29064989)

I was just thinking, "why are we advocating Social Security security through obscurity?"

If all it takes to completely defraud me is a 9-digit number, shouldn't we maybe, I don't know, change the system?

Of course, I guess that's another form of the question being asked. How do we convince corporations to unilaterally STOP using our social security numbers for everything? I would say "an act of Congress" most likely... if every credit reporting agency in America were told, "you can no longer use SS# for credit checks" that might do it.

Something tells me that ain't gonna happen...

Re:issue people new SSNs every year (5, Insightful)

maxume (22995) | more than 4 years ago | (#29065147)

The problem is that the banks (and similar) have convinced you that you are the one being defrauded.

Sure, someone opens an account using your details and it sucks for you, but it wasn't your mistake, it was the institution that opened the account that made the mistake.

Re:issue people new SSNs every year (1)

bertoelcon (1557907) | more than 4 years ago | (#29065195)

It used to be printed on the SS cards that you couldn't use the SSN for anything other than government uses and corporations did it anyway.

Re:issue people new SSNs every year (1)

jDeepbeep (913892) | more than 4 years ago | (#29065471)

It used to be printed on the SS cards that you couldn't use the SSN for anything other than government uses and corporations did it anyway.

By the time the phrase NOT TO BE USED FOR IDENTIFICATION was printed onto the cards, Roosevelt had issued an executive order [defenselink.mil][PDF file] allowing its use as such. His fault.

Re:issue people new SSNs every year (1)

Shakrai (717556) | more than 4 years ago | (#29065357)

If all it takes to completely defraud me is a 9-digit number

It usually takes your birthdate as well.

Not saying that's a real "improvement" but it's rather hard to open an account in someone's name without both the birthdate and SSN.

Re:issue people new SSNs every year (0)

Anonymous Coward | more than 4 years ago | (#29065389)

If the government really wanted to fix it, we'd have "an act of Congress" making credit agencies liable for their fuckups, and they'll fix it real fast.

Re:issue people new SSNs every year (1)

iron-kurton (891451) | more than 4 years ago | (#29065415)

Or they could just use fingerprint data + a unique pin number to generate a number for you, that you can change once a year (or in cases of fraud), and only with the use of your print. Then, of course, they could issue RSA keys for total security too "Something you have (token) + something you know (pin) + something you are (fingerprint or iris or dna)"

Although, I suspect this opens up a whole new can of worms...

Why did you give DirectTV your SSN? (0)

Anonymous Coward | more than 4 years ago | (#29064929)

I give fake SSN's to everybody except banks and employers. Have been for years. No problems.
You can also say (with a funny accent...maybe Canadian, eh) that you're not a citizen and you don't have a SSN

Re:Why did you give DirectTV your SSN? (0)

Anonymous Coward | more than 4 years ago | (#29065167)

Only people who need to know my SSN are the IRS, IRS-related activities (taxes, so employers), banks, and anyone that has to report dues.

Joe Business asking for my SSN gets a bogus one from a block that will never get allocated. This is not ID theft because the number is not in use, and it makes the sales drones who must have every single blank on a piece of paper shut up, as opposed to having to stop everything and get a higher functioning "supervisor" to try to figure out what to do. These days, it's far less of a hassle to give false information (assuming it's not someone else's info), than no info.

Your Rights & Your Actions (2, Informative)

eldavojohn (898314) | more than 4 years ago | (#29064939)

Here's a 36 page document outlining your "Federal and State Laws Restricting the Use of SSNs" [gao.gov] and identifies the gaps. The GAO actually has some good reading and ammunition for this if you've got the time [gao.gov]. And here's the really dry "Identity Theft and Assumption Deterrence Act (Identity Theft Act)" itself [ftc.gov]. Now, stronger stuff has been presented in 2005 [loc.gov] but aside from stiffer penalties being signed into law in 2004, I haven't seen much.

So, you could call them up and threaten them with prosecution under the aforementioned acts which--given the right tone of voice--should do the trick for you. Or, if you read the GAO report, they say:

In 1998, Congress made identity theft a federal crime when it enacted the Identity Theft and Assumption Deterrence Act (Identity Theft Act).5 The act made it a criminal offense for a person to "knowingly transfer, possess, or use without lawful authority," another person's means of identification "with the intent to commit, or to aid or abet, or in connection with, any unlawful activity that constitutes a violation of federal law, or that constitutes a felony under any applicable state or local law." Under the act, a name or SSN is considered a "means of identification," and a number of cases have been prosecuted under this law.

Now, with that, I would seek a lawyer who would take this case (maybe even some high profile lawyer or a member of the EFF) and clearly outline the above in a written letter with your signature informing them that they are in violation of the "Identity Theft and Assumption Deterrence Act (Identity Theft Act)" and if they do not remove your Social Security Numbers, you will take legal action. If your case is solid enough, you might be able to really stick it to DirectTV for storing personal private data "without lawful authority" as they do not have the written consent of every customer.

Re:Your Rights & Your Actions (0)

Anonymous Coward | more than 4 years ago | (#29065009)

I see possess the SSN
- AND -

"with the intent to commit, or to aid or abet, or in connection with, any unlawful activity that constitutes a violation of federal law, or that constitutes a felony under any applicable state or local law."

It doesn't appear they are doing the second part.

Re:Your Rights & Your Actions (4, Insightful)

Richard_at_work (517087) | more than 4 years ago | (#29065043)

In 1998, Congress made identity theft a federal crime when it enacted the Identity Theft and Assumption Deterrence Act (Identity Theft Act).5 The act made it a criminal offense for a person to "knowingly transfer, possess, or use without lawful authority," another person's means of identification "with the intent to commit, or to aid or abet, or in connection with, any unlawful activity that constitutes a violation of federal law, or that constitutes a felony under any applicable state or local law." Under the act, a name or SSN is considered a "means of identification," and a number of cases have been prosecuted under this law.

Now, with that, I would seek a lawyer who would take this case (maybe even some high profile lawyer or a member of the EFF) and clearly outline the above in a written letter with your signature informing them that they are in violation of the "Identity Theft and Assumption Deterrence Act (Identity Theft Act)" and if they do not remove your Social Security Numbers, you will take legal action. If your case is solid enough, you might be able to really stick it to DirectTV for storing personal private data "without lawful authority" as they do not have the written consent of every customer.

Nothing in that quote suggests it is against the law for the company to retain the SSN in the course of lawful business, and as they are not intending to commit or aid or abet an unlawful activity, then your harshly worded letter would be meaningless.

Of course, other laws may be quotable with better effect...

Re:Your Rights & Your Actions (1)

eldavojohn (898314) | more than 4 years ago | (#29065273)

Nothing in that quote suggests it is against the law for the company to retain the SSN in the course of lawful business, and as they are not intending to commit or aid or abet an unlawful activity, then your harshly worded letter would be meaningless.

So tell me, what are they intending to do with it? What he said of DirectTV:

... even if I were to discontinue service with them, they still intended to keep my full SSN on file indefinitely.

And so what do they intend to do with it? Your business with them is complete. Now the only reason they have to keep it is for the purposes of tracking you and privacy invasion.

Like I said in the original post, you'd need a good lawyer and you'd need a solid case. You would, of course, need to be creative and show that either 1) storing the data puts you at necessary risk of identity theft and it is therefore unlawful or 2) the storage of said data without ongoing business is a clear cut invasion of privacy and your solitude. Hence the need to use privacy laws [wikipedia.org] which are not well defined leaving a good lawyer breathing room to make the case happen.

Re:Your Rights & Your Actions (3, Insightful)

jeffshoaf (611794) | more than 4 years ago | (#29065049)

While I agree that DirecTV shouldn't have their customers' Social Security # (and I'm a customer), I don't believe the quote you provided from the GAO report says that they're doing something illegal per the part I've emphasized below:

In 1998, Congress made identity theft a federal crime when it enacted the Identity Theft and Assumption Deterrence Act (Identity Theft Act).5 The act made it a criminal offense for a person to "knowingly transfer, possess, or use without lawful authority," another person's means of identification "with the intent to commit, or to aid or abet, or in connection with, any unlawful activity that constitutes a violation of federal law, or that constitutes a felony under any applicable state or local law." Under the act, a name or SSN is considered a "means of identification," and a number of cases have been prosecuted under this law.

DirecTV can simply claim that they have no intent to commit, or to aid or abet, or use the SS# in connection with an unlawful activity.

Re:Your Rights & Your Actions (1)

gt6062b (1548011) | more than 4 years ago | (#29065081)

"with the intent to commit, or to aid or abet, or in connection with, any unlawful activity that constitutes a violation of federal law, or that constitutes a felony under any applicable state or local law."

IANAL, but what unlawful activity/felony are they committing/intending to commit?

Also, when you sign contracts at most places that ask for a SSN, they say things like "we will collect certain pieces of information about you and hold them forever" - isn't that the consent needed?

Isn't the real issue that with a Unique Identifier for you, it's trivial to open many types of financial transactions in your name?

The real question is ... (1)

ReptileQc (679542) | more than 4 years ago | (#29064943)

Why did you have to give it in the first place?

This might be a US thing I guess but here in Canada only your boss and the companies you required financing with are required to have it. I can't think of opening an internet account that requires a SSN....

Re:The real question is ... (0)

Anonymous Coward | more than 4 years ago | (#29064995)

A lot of telcos in the US won't open an account without an SSN. Time Warner and Verizon among them, and I'm guessing Cablevision too.

Re:The real question is ... (1)

titaniumtux (1601949) | more than 4 years ago | (#29065085)

Internet account requiring SSN? If it's international like Paypal, they can't insist on such ID because it's an international service (you can add credit/bank account numbers from most countries). If you're a paying customer, you should not have to give away your SSN. If they insist you must provide your SSN for say a mobile phone plan, TV subscription, etc., take your business elsewhere and don't give them any of your money. If the competitors do the same, tell them that you're Canadian and don't have an SSN, and that you're calling from your [insert season here] house.

Re:The real question is ... (1)

gobbligook (465653) | more than 4 years ago | (#29065379)

Often it is sufficient in Canada to use a credit card to apply for those things that require trivial amounts of credit. It can be considered proof of established credit to have one and usually there is some insurance protection that the credit card companies offer the business to protect them.

In my opinion it is ridiculous to demand a credit check for anything other than loans, mortgages, lines of credit or financing through xyz company. Since internet service is not one of these things and since the amount per month is trivial what you have to ask is why do they need the SSN? Further, in Canada if you no longer do business with company X there is (as far as I know, and I am not a lawyer) some legal recourse to get this information removed.

You have to expect nowadays that once you give out your SSN (and any other personal information) to any company, it is now in the public domain. Although there are laws to prosecute companies and individuals that divulge this information to others, it still doesn't change the fact that the information is out there. These laws deal with the problem after the irreparable damage is done.

I would go without internet service/phone service etc before I gave any of this kind of information up.

Glad you have free time (-1, Troll)

wampus (1932) | more than 4 years ago | (#29064959)

Maybe you could find something to do with your free time that is actually productive. I suppose at the very least you've given some call center employees something to talk about at lunch, so that's not so bad.

Re:Glad you have free time (0)

Anonymous Coward | more than 4 years ago | (#29065323)

Seriously, the first thing that came to my mind is extreme paranoia. Time to buy stock in tin foil!

PIPEDA (2, Informative)

holophrastic (221104) | more than 4 years ago | (#29064963)

.P.I.P.E.D.A.
Canadian regulation that in short says any business has to divulge any personal information of yours that they are storing, and allow you to change or remove it. It may be with a simple web-site form, it may be with a written letter, but that's the law.

What did you expect? (4, Funny)

pedestrian crossing (802349) | more than 4 years ago | (#29064965)

Information wants to be free.

Re:What did you expect? (1)

JustinOpinion (1246824) | more than 4 years ago | (#29065199)

Yes, this is true. Information is slippery: it's easy to copy and hard to contain.

This is why a non-encrypted, non-authenticated short sequence of digits that you give out to many different companies is a terrible thing to use as a secret access code for financial-identity verification.

The fact that companies want your SSN, use it as an identifier, and store it indefinitely is bad. But the really bad part is that the SSN has so much power in the first place. At this point the SSN should just be downgraded to the status of an identifier or unique customer number, without it having any power to, say, open an account. (Other, proper means of identification should instead be required for such things.)

Expiration date (3, Funny)

Bromskloss (750445) | more than 4 years ago | (#29064975)

Your SSN has expired, please choose a new one.
Old SSN: __________________
New SSN: __________________
Retype new SSN (tip: copy from above): __________________

Don't give it to them (1)

ed314159 (1481883) | more than 4 years ago | (#29064979)

I realize that this is of no help now, but this could have been avoided by simply not giving your SSN to people and companies that don't need it. I have found that when someone asks for my SSN, I can simply say that they can't have it with only minimal problems. Sometimes it means that I have to pay some sort of deposit because they can't do a credit check, but that is certainly worth my peace of mind.

No, you're screwed (and paranoid) (1)

BadAnalogyGuy (945258) | more than 4 years ago | (#29064983)

What is needed is a form of ID that is acceptable nationwide, is not replicable, and can be used in business and official situations. Many times a National ID card has been proposed only to be shot down by luddites and paranoid conservatives who feel any identification system is somehow related to the Mark of the Beast. Hopefully the latest rising tide of anti-conservatism will wash away these people.

If you want to see what happens when heuristic identification is used in lieu of formal identification, just consider the No-Fly list which only identifies prohibited flyers by name. This system is a complete mess with people who have similar names to terrorists now needing to pass through extra layers of security and hassle for nothing more than having the wrong name.

The SSN is only a problem because it is also your TIN. Other than that, it would be an ideal identifier. What we need is not more laws preventing the use of certain identifying numbers, but a better system of identification that doesn't expose one to fraud. A National ID card would be extremely helpful in this regard.

Re:No, you're screwed (and paranoid) (0)

Anonymous Coward | more than 4 years ago | (#29065065)

You're making the assumption that the only reason they want the SSN is so they have a convenient way to ID the customer. They typically want the SSN so that they can run a credit check on the customer before spending up front money to get them set up for service. (i.e. installing a dish or whatever)

Re:No, you're screwed (and paranoid) (1)

Rogerborg (306625) | more than 4 years ago | (#29065183)

What is needed is a form of ID that [is] not replicable

Heheheh, most amusing [computerworlduk.com].

I know, I know - a US ID card would be SUPAR-SEKURE(tm).

Re:No, you're screwed (and paranoid) (1)

jackb_guppy (204733) | more than 4 years ago | (#29065299)

The system being a complete mess has nothing to do with a unique ID. It has to do with a group of people that do not understand the Bill of Rights and their need to feel important.

There is no need of any national ID card, except that designers of systems are lazy or did not do their research. I met a designer for a resort who wanted every guest's SSN, because it makes it easier to have a unique key. I pointed out that SSNs are neither fixed nor unique, so at best you can use them as a foreign key, like a phone number.

You are in that same group.

Re:No, you're screwed (and paranoid) (0)

Anonymous Coward | more than 4 years ago | (#29065439)

How would a non-SSN national ID be any less subject to identity theft?

Simple (0)

Anonymous Coward | more than 4 years ago | (#29064987)

Send them a certified/return receipt letter asking them to remove your SSN from all their records/databases. If they do not comply, and it is later determined that their keeping your SSN caused undue hardship on your life (i.e., it was stolen, "accidentally" disclosed, whatever), sue the @#$% out of 'em.

Not gonna happen (5, Interesting)

FlyingBishop (1293238) | more than 4 years ago | (#29064999)

As someone currently working on a database that contains SSNs, I can tell you I couldn't get rid of every instance of yours if I tried. The entire architecture is based around not losing your data no matter how stupid I am. It's a nice thought, but the reality is that you're only increasing the number of people looking at your SSN by trying to get rid of it.

You might want to protect your company by changing (1)

SargentDU (1161355) | more than 4 years ago | (#29065079)

this requirement so the individual can protect their ID. Companies can go bankrupt from lawsuits regarding ID theft.

Re:Not gonna happen (3, Interesting)

clam666 (1178429) | more than 4 years ago | (#29065117)

That's why SSNs should never be used as primary keys. They are a lookup field to provide a pseudo-unique way of looking up a tied-to-an-individual record, much like you might use a last name, an account number, or some other piece of information that can find an actual record entry tied to for transactional purposes.

Primary/Foreign keys should be used to establish a unique record for transactional purposes or to relate to another record for referential integrity. That's all they should be used for.

Social security numbers, loan numbers, account numbers... These kinds of things shouldn't be used for this purpose; they should be used for filtration purposes. That way if any of them change (SSNs blocked out for testing purposes, person switches to a new account number for some reason, etc.), it has no impact on the integrity of the system.

Re:Not gonna happen (0)

Anonymous Coward | more than 4 years ago | (#29065157)

That's a cop out excuse for "I'm too damn lazy to figure out how to get rid of it." I work as a Software Developer and I can say for certain that any system can be molded and changed to meet evolving requirements, anyone who says otherwise is only guilty of being lazy or stupid.

Piggy backing on that idea; I have a feeling that if this issue were to progress up the chain of the law we'd hear lots of excuses along the lines of "But our systems are dependent on SSNs for this and that, and it's built so deeply in our system it'd be impossible to fix." (see above poster). My response would be, who fucking cares? The law shouldn't be molded around technology, technology should be molded around the law.

Re:Not gonna happen (1)

hydroponx (1616401) | more than 4 years ago | (#29065461)

Why not use an auto-increment column? I do this all the time in my databases, it makes sure that the only data you may corrupt is either update the wrong record or enter bad data ....
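Added example (not part of any comment in this thread, and not any company's actual schema): the design point made in the comments above, an SSN kept as a lookup attribute with an auto-increment surrogate key carrying the relationships, shown beside the SSN-as-primary-key design. Table names, column names and the sample SSN are constructed for illustration; it uses Python's built-in sqlite3 module.

```python
import sqlite3

SAMPLE_SSN = "000-12-3456"  # constructed; area 000 is never issued

# Design A: SSN is the primary key, so every child row carries a copy of it.
SSN_AS_KEY = """
CREATE TABLE customers (ssn TEXT PRIMARY KEY NOT NULL, name TEXT NOT NULL);
CREATE TABLE receivers (
    serial       TEXT PRIMARY KEY,
    customer_ssn TEXT NOT NULL REFERENCES customers(ssn)
);
"""

# Design B: auto-increment surrogate key; SSN is an optional, indexed attribute.
SURROGATE_KEY = """
CREATE TABLE customers (
    id   INTEGER PRIMARY KEY AUTOINCREMENT,
    name TEXT NOT NULL,
    ssn  TEXT
);
CREATE INDEX customers_ssn ON customers(ssn);
CREATE TABLE receivers (
    serial      TEXT PRIMARY KEY,
    customer_id INTEGER NOT NULL REFERENCES customers(id)
);
"""

def connect(schema):
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # SQLite leaves enforcement off by default
    db.executescript(schema)
    return db

def replace_key_ssn(db, old, new):
    """Design A: swap the SSN for another identifier. Returns True on success."""
    try:
        with db:  # commits, or rolls back if the statement fails
            db.execute("UPDATE customers SET ssn = ? WHERE ssn = ?", (new, old))
        return True
    except sqlite3.IntegrityError:
        return False  # receivers.customer_ssn still points at the old value

def scrub_ssn(db, customer_id):
    """Design B: drop the SSN; no other table refers to it."""
    with db:
        db.execute("UPDATE customers SET ssn = NULL WHERE id = ?", (customer_id,))

def find_by_ssn(db, ssn):
    row = db.execute("SELECT id FROM customers WHERE ssn = ?", (ssn,)).fetchone()
    return row[0] if row else None

def receivers_for(db, customer_id):
    rows = db.execute(
        "SELECT serial FROM receivers WHERE customer_id = ? ORDER BY serial",
        (customer_id,))
    return [r[0] for r in rows]

def demo():
    a = connect(SSN_AS_KEY)
    with a:
        a.execute("INSERT INTO customers VALUES (?, ?)", (SAMPLE_SSN, "A. Customer"))
        a.execute("INSERT INTO receivers VALUES (?, ?)", ("RX-1", SAMPLE_SSN))
    replaced_in_a = replace_key_ssn(a, SAMPLE_SSN, "ALT-0001")

    b = connect(SURROGATE_KEY)
    with b:
        cid = b.execute("INSERT INTO customers (name, ssn) VALUES (?, ?)",
                        ("A. Customer", SAMPLE_SSN)).lastrowid
        b.executemany("INSERT INTO receivers VALUES (?, ?)",
                      [("RX-1", cid), ("RX-2", cid)])
    found_before = find_by_ssn(b, SAMPLE_SSN)
    scrub_ssn(b, cid)
    return {
        "replaced_in_a": replaced_in_a,
        "customer_id": cid,
        "found_before": found_before,
        "found_after": find_by_ssn(b, SAMPLE_SSN),
        "receivers_after": receivers_for(b, cid),
        "fk_violations": b.execute("PRAGMA foreign_key_check").fetchall(),
    }

if __name__ == "__main__":
    print(demo())
```

This covers only the live tables; copies held in backups, replicas or logs need their own handling.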

Here is what you should know (2, Informative)

Anonymous Coward | more than 4 years ago | (#29065005)

Read This, I hope it helps!

http://www.privacyrights.org/fs/fs10a-SSNFAQ.htm

data protection (1)

xcut (1533357) | more than 4 years ago | (#29065025)

Is there no data protection legislation in the US? In most countries in Europe, businesses are not allowed to retain data unless they can demonstrate a purpose for them. And if you have discontinued business with them, they certainly have no purpose for it (ulterior purposes not to do with the provision of services to you do not count).

Try this.. (1)

i_want_you_to_throw_ (559379) | more than 4 years ago | (#29065051)

The Social Security Administration doesn't accept paranoia as a criterion for granting a new card, but it recognizes cultural objections and religious pleas. One stratagem: Contend that your credit has been irrevocably damaged by a number-related snafu, or that you live in fear of a stalker who knows your digits. Once you switch your SSN, never use it. Instead, dole out 078-05-1120, an Eisenhower-era card that works 99 percent of the time.

Next don't give your real one (0)

Anonymous Coward | more than 4 years ago | (#29065053)

If it's a non-financial account, next time just make up some number. To catch it, they'd probably have to try to do a credit check, which they need your permission for.

Privacy Advocate (0)

Anonymous Coward | more than 4 years ago | (#29065059)

They HAVE to remove your social security number when you ask and they CAN replace it with an alternative identifier equal to the string of characters such as all 0's. Businesses not doing business with you do not have the RIGHT to keep your information on file unless for tax purposes which they would need to fully disclose to you in some form which you would sign an acknowledgment for. What a crock they are feeding you. What state is this again?

EU Data Protection (0)

Anonymous Coward | more than 4 years ago | (#29065119)

The EU's Data Protection and privacy regulations are remarkably sane on this -- companies are only allowed to store personal information on people for as long as it's needed, and it must be kept up-to-date and consistent. Users also have the rights to see what sorts of information are held about them by corporate identities, and have the power to get this information removed or changed.

Don't want information stored? (0)

Anonymous Coward | more than 4 years ago | (#29065125)

Then don't provide it.

Sincerely,
AC

Wrong Question (1, Interesting)

Anonymous Coward | more than 4 years ago | (#29065149)

It's an unfortunate fact that companies will gather sensitive and personally identifying information about its customers and then keep that data long after their business with that customer has ended. Short of regulation, I don't think that this practice will ever stop. As far as your SSN is concerned, it is just another data point in a company's records. It's as identifying as a name and address, a driver's license, or a cell phone number. I don't think that the question should be limited to this supposedly sacrosanct 9-digit number.

I would prefer if we could force a company to remove all of our data from their records once we are no longer their customer, but I don't think I like the unintended consequences that would bring. Maybe the company could be liable for damages caused by these records leaking out to identity thieves. Then again, that would require proof that a) a leak occurred, and b) an identity thief used data from that leak to your detriment. Odds are if you could prove point "a", and you were a victim of identity theft shortly afterward, point "b" would naturally follow (yeah, correlation v. causation and all that, but barring evidence to the contrary it is a reasonable conclusion). Then again, we never should have gotten into the position where a few data points are all that you need to spoof somebody's identity. Maybe the question should be, "what kind of identifying and authenticating data could be used that would be unfeasible to store indefinitely". Unfortunately, that is one of many questions to which I don't have an answer.

what i want to do is (1)

FudRucker (866063) | more than 4 years ago | (#29065165)

go to the Social Security office and turn in my SSN card and say "here, take this back, I want out!, delete me from your database."

mo=3 up (-1, Redundant)

Anonymous Coward | more than 4 years ago | (#29065203)

direct orders, or F8reBSD continues

It is actually a lot more simple... (-1, Redundant)

Efialtis (777851) | more than 4 years ago | (#29065255)

According to the LAWS that govern the use of a Social Security number: it is illegal to use that number for anything but social security tax purposes... In other words, you can only use it for Banks, Employment, and IRS Tax purposes. The DMV is breaking Federal Law, and any other organization, group, entity, company, or even Government Agency that uses your Social Security number as an IDENTIFICATION number are BREAKING federal law... So why not just enforce the law?

Re:It is actually a lot more simple... (1)

jackb_guppy (204733) | more than 4 years ago | (#29065423)

Actually, not true.

The Social Security Administration tells you to not give it out and find another company to do business with.

DMV is required by State and supported by Federal law to gather SSN, just like the courts, to help find "dead beat dads" via the SSN.

you're confused (5, Insightful)

Lord Ender (156273) | more than 4 years ago | (#29065281)

SSNs are not secrets. They are not authentication credentials.

Storing (or even leaking) SSNs is not the problem. The problem is when certain negligent organizations use knowledge of SSNs as some sort of proof of identity. If you're worried about your SSN being misused, talk to those companies.

Re:you're confused (1)

Marcika (1003625) | more than 4 years ago | (#29065447)

SSNs are not secrets. They are not authentication credentials.

Storing (or even leaking) SSNs is not the problem. The problem is when certain negligent organizations use knowledge of SSNs as some sort of proof of identity. If you're worried about your SSN being misused, talk to those companies.

You can't conceivably talk to all of the 10,000s of stupid businesses/hospitals/agencies who accept SSNs as ID and thus facilitate fraudulent use of your SSN... It would only work if the govt would mandate it.

Therefore right now the only pragmatic workaround is to minimize the exposure of your SSN to potential crooks, alas.

DELTA SkyMiles (1)

jDeepbeep (913892) | more than 4 years ago | (#29065283)

During my most recent trip to the midwest, I ended up flying DELTA, although I had purchased Northwest tickets initially. Now, I'm waiting for one of my flights from Charlotte NC to Chicago IL. I am accosted by one of the DELTA "SkyTeam" who is trying (heroically) to sell me on their SkyMiles, and get me enrolled.

So, I take a look at the enrollment form, and not surprisingly, it has SSN as a required field. I ask this guy (he couldn't have been more than 22 years old) why on earth he wants my SSN so I can be allowed to accumulate Sky Miles.

He became quite offended I was challenging him on the necessity of this SSN, and retorted "What's the matter? Don't you trust me? We have a safe right here on site." I asked who stores the number, where it is stored, how many 3rd parties get to have it in the process, whether it is encrypted, and these types of questions. He basically thought I was off my rocker. Last time I fly DELTA.

What Possessed You ... (1)

cybermage (112274) | more than 4 years ago | (#29065311)

What possessed you to give your SSN to DirectTV?

What possible reason could they have to require that information in the first place, and why would you deal with a business that required it?

Don't give it out, duh (1)

SirGarlon (845873) | more than 4 years ago | (#29065349)

is there any way to force a company to erase your SSNs after you cease doing business with them ...?

No.

Keep that in mind whenever a company asks for your SSN.

I've been rejected for phone service because I refused to provide it. But most of the time I just leave it blank on the application form, and most of the time nobody bats an eye. If you're applying online and it's a required field on the form, try applying by phone instead.

Yeah (1)

Inda (580031) | more than 4 years ago | (#29065363)

1. I wrote to the company, explained that our relationship had ended, quoted the data protection act and asked them to wipe all data held about me using a qualified database administrator.

We don't call them SSN here though. They are called NI numbers.

Hopeless. All is already lost. (0)

Anonymous Coward | more than 4 years ago | (#29065367)

We are all hopeless, in case you nice people haven't noticed. In a sort of Skynet-like proceeding nothing and no-one can stop all private information of everybody to be open to anybody, good or bad, public or private, rich or poor. And this goes about SSN, all medical records, bank records, work career records, study career, who are our friends and enemies ever been, travel records, any word ever said on a chat, any comment ever inserted on a website, any email ever received or sent. It's the revenge of the Net, it's the high price to pay in the digital era. We wanted an open space free and without rules? Fine, then we must stay there all naked.

Considered that, the attempt of have a SSN deleted from company's records appears to me, however sweet, pathetical nonsense. You all know that even if they are so kind to ever talk to us, those thousand-customers corporations hiding behind their lawyers, their back-ends (and I have it over the vast majority of companies with more than 100 clients) have ended up to be such a complicated and frustrating mess made of different technologies that they will hardly know how to delete a record, assuming that's even technically possible.

My conclusion is: the company who said they won't delete it, has just been the more honest.

Now stop whoever is ready with the usual "we have nothing to hide" speech. Me not, too. But if you have a minimum technical knowledge of reality you can easily imagine in how many zillions of terrible ways may some perfectly 'nothing to hide' piece of personal information be abused against you.

Going to live in a cave without electricity should be an option. Time travel back to the 70's also good. For the rest: resistance is futile.

What you need is... (1)

Hurricane78 (562437) | more than 4 years ago | (#29065429)

...throw-away one-time IDs. As long as they *can*, they *will* store something as long as they can.
But those IDs would be useless afterwards.

Unfortunately you can't fabricate them as easily as e-mail addresses. (I said *you*. I can. ;)

Liability (0)

Anonymous Coward | more than 4 years ago | (#29065459)

You could inform them they are now on notice you are concerned about the security of your identity due to information they hold and they refused to listen and act. If so, then they assume all liability of identity theft if such a breach of their records occurs and you will also apply punitive damages as well. Then tell them they can erase their potential liability if they just comply with your request.

Why DirectTV won't remove your SSN (1)

medv4380 (1604309) | more than 4 years ago | (#29065467)

I used to work at DirectTV and I have a friend who still works at DirectTV as a manager in their local call center in Idaho. I completely agree with you that they should not have your SSN and it's a potential security hole. What they are trying to do is behave like a bank. Your bank and creditors probably have your SSN and wouldn't delete it from their system even if you threatened them. What they do is run a credit check on you when you get their service, just like a bank would. That's what prompts them to either charge you 500$ to activate the service or 200$ with an annual contract. If you don't have an SSN or other identification you're stuck with a 500$ charge and they will most likely slip an annual contract with your account too at some point. If you default on the contract in some way or don't pay your bill they can even report that to the credit agencies as well. They also use it to track down people stealing services because all those unique ID numbers on your equipment are then married to your SSN. In their minds this allows them to find the "real" you if you're into trying to hack their equipment to get free DTV or sell it to others. If you cancel they still want to be able to track this just in case you're that kind of person. It's the ultimate big brother is watching you, but what do you expect from a company that is owned by Rupert Murdoch aka News Corp aka Fox News.

The answer is simple requiring only will. (1)

GargamelSpaceman (992546) | more than 4 years ago | (#29065469)

The government should issue a new social security number via a website on demand to any citizen that requests one. The government would always have your current number on file to use for its purposes, and anyone else would be left with an invalid number. The value of social security number for nefarious purposes would decrease. Of course government records of all previous SSNs would be kept, so that for instance a loan that you took out two years ago could still be traced to you if need be, but if someone claimed that you took a loan out under that SSN a week ago, when you changed your SSN a year ago to something else would be denied the ability to fsck up your credit.
