Monday September 21, 2009 11:26 AM ET
Consumers who have spent hours locking up their passports, shredding their billing statements and filing away their tax returns may soon learn they’ve wasted a great deal of time. Their efforts to shield themselves from identity theft by guarding their Social Security numbers are being undermined by government officials and social networking sites.
These nine-digit combinations, unique for each individual, have for years been displayed on public-record documents published online by state government agencies. And according to a recent study, guessing one’s Social Security number is substantially easier if you know that person’s date and place of birth: information many share on their social networking profiles.
Originally created as a record-keeping system to manage the Social Security program, SSNs have quickly become the identifier most widely used by creditors, education institutions and health care and other service providers. They’ve also become a sought-after commodity in criminal circles. Identity fraud claimed 9.9 million victims last year – the highest in five years – and Social Security numbers were among the data most frequently compromised (38% of the time), along with names and addresses (43%), according to a report on identity fraud conducted by the research firm Javelin Strategy & Research.
Yet, when a Carnegie Mellon professor and a doctoral student said they had developed an algorithm that can predict, with alarming accuracy, a person’s Social Security number, privacy advocates weren’t surprised.
“The report makes clear something that has long been known,” says Marc Rotenberg, the executive director of the Electronic Privacy Information Center (EPIC) in Washington, D.C. “The Social Security number is not a reliable identifier and its increasing use in the private sector has clearly contributed to the problem of identity theft.”
To predict a person’s SSN, Carnegie Mellon professor Alessandro Acquisti and PhD student Ralph Gross used only information that was publicly available through voter registration lists, data brokers such as Peoplefinders.com, free online people searches like Zabasearch.com, or social networking sites.
Using names, dates and places of birth, the authors were able to identify correctly the first five digits of the numbers of more than one-third of the 621 university students they used as a sample group. (Where one is born determines the first three digits of their SSN and when they’re born determines the second two digits. To develop the algorithm, the authors used information from the SSA’s Death Master file, a record of the names and SSNs of deceased individuals.)
The algorithm was most accurate when used for people born after 1988, when most U.S. citizens started receiving their SSNs at birth. The chance of guessing one’s SSN accurately was also higher for people born in less populated states, where fewer SSNs are assigned.
The Social Security Administration says the method by which it assigns numbers has been a matter of public record for years. “The public should not be alarmed by this report because there is no foolproof method for predicting a person's Social Security Number,” Mark Lassiter, an SSA spokesman, said in an email. The SSA has been developing a system to randomly assign Social Security numbers, expected to be in place next year, he said. (The SSA had begun work on the system before the Carnegie Mellon report was published.)
Spokesmen at two of the most-often visited social networking sites said users could participate in their networks without making public the information used in the Carnegie Mellon study.
“The pieces needed [date and place of birth] are private by default, and Facebook users choose whether or not to even enter this information,” Facebook spokesman Barry Schnitt said in an email.
MySpace does not display users’ date of birth in its profiles or request users’ place of birth when they register, Hemanshu Nigam, the firm’s chief security officer, said. “Additionally, while we encourage self expression by our users, we also proactively advise users not to post personal information and to take advantage of our privacy settings in order to create the most secure experience on our site,” he said.
Still, even savvy social networkers are vulnerable to having their SSNs poached because many state government agencies are explicitly linking names to SSNs. Many agencies make available online public-record documents, such as property records, divorce agreements and tax liens, all of which display SSNs clearly and without guesswork.
A 2008 survey by the United States Government Accountability Office found that 85% of the largest counties in the U.S. and 41% of the smaller counties make records with full or partial SSNs available in bulk or online. (The survey is based on the responses of 89% of the 247 counties the GAO surveyed, including the 97 largest counties in the country.)
Based on that survey, the GAO estimates that 12% of counties have completed redacting or truncating (i.e., making only partially visible) SSNs in their records and that 26% are in the process of doing so. At the time the report was published, 25 states had enacted some sort of statutory restriction on displaying SSNs in public records.
For many counties, the problem comes down to resources. Redacting SSNs from old documents that have been scanned and posted online is time-consuming, expensive and, in some states, nearly impossible, says Pam Dixon, the executive director of the World Privacy Forum, a San Diego-based nonprofit group that studies the accessibility of personal information. “To fix this will be like crawling that last mile on your hands and knees,” she says.
B.J. Ostergren, a 60-year-old retired insurance claim supervisor in Richmond, Va., has been crawling that last mile for the last seven years. Since 2002, Ostergren has made it her full-time job to convince states to remove SSNs from public documents posted online. How does she get the right people’s attention? She finds records containing the names, SSNs and addresses of public figures like senators or other politicians, legislators and judges and posts them on her web site.
“She has single-handedly brought on change in many states,” Dixon says of Ostergren’s work. (SmartMoney.com first wrote about Ostergren’s efforts in 2005.)
In 2008, Virginia legislators responded to Ostergren’s efforts by passing a law that made it illegal for anyone, Ostergren included, to publish the SSN of a Virginia resident. The bill, which became known among legislators and privacy activists as the “Anti-B.J. law,” included an exemption for government agencies, allowing the state’s county clerks’ offices and courts to continue publishing public records with SSNs. (Ostergren sued the Virginia attorney general in federal court and won. The attorney general’s office is appealing the decision.)
Other states have been more responsive to Ostergren’s efforts. New York, Arizona and New Mexico, for example, have removed Social Security numbers from their documents published online.
Still, sensitive personal information remains accessible in a matter of several clicks on many states’ court or government web sites. Some, like Florida, have strict open-government laws that require them to make such documents public, Dixon says. And the Colorado Secretary of State has not removed SSNs from documents available on its web site, despite Ostergren’s warning a year and a half ago. Corporate filings that list the names, addresses and SSNs of top executives and directors at major corporations are accessible to anyone who cares to search.
The gatekeepers of this data are county clerks, and there’s very little consumers can do to prevent them from posting their SSN online. However, they can minimize the amount of additional information available about them on social networking sites. Share the date you were born, but omit the place and year, for example, says Adam Levin, co-founder and chairman of Identity Theft 911, a company that works with institutions, such as banks and credit-card companies, to provide identity-theft prevention and resolution services to their customers. To throw potential ill-doers off their tracks, you could even publish information that isn’t entirely true. “People may say you’re not being honest, but that kind of honesty can guarantee not such a happy ending,” Levin says.
No comments:
Post a Comment