No Security in SSNs?

Jeb Bush’s Social Security number is right there on the Web for all to see. Yours probably is, too.

Consumer data bureaus like LexisNexis and ChoicePoint have topped the news by showing how easy it is for people to manipulate their pricey access to consumers’ personal information.

Meanwhile, people’s addresses, birth dates and SSNs are smeared all over the Web for anyone with a browser to find and copy.

Public records information is useful for professionals, such as title companies and attorneys. And it’s just as useful for crooks.

“Anybody can do this. It is so simple,” said Betty Ostergren, a consumer gadfly who’s spent thousands of dollars of her own money in a campaign to stop online access to public records.

Ostergren, a retired insurance claims supervisor, said that county clerks routinely post documents on the Internet without checking to see if they contain the kind of information that makes identity thieves’ jobs a breeze.

She’s lobbied local and national politicians, as well as celebrities. When she doesn’t get an immediate response, she likes to send the person a copy of a document emblazoned with his or her private info.

In her home state of Virginia, there’s a rush to put court judgments online. “On traffic tickets, you get the person’s address and Social Security number,” she complained. “It’s reckless, stupid and dangerous — and putting people at risk all over the country.”

Because lawmakers haven’t responded, Ostergren said, she exercised her First Amendment rights by republishing public records, such as the 1999 Quit-Claim Deed of Jeb Bush’s, on her own Web site, the Virginia Watchdog.

In 2002, Ostergren was able to get her Virginia county and a neighboring one to stop putting public documents online.

“I intend to stop [the practice of putting court records online] in this state,” she said. “If they don’t like my methods, maybe I don’t like getting in people’s faces. But I like the results I’m getting.”

Public records posted online, however, aren’t solely to blame for the devastating growth in identity theft — 635,173 complaints in 2004. Misuse of SSNs by business is at least as culpable. Because the same number is used by banks, credit card companies, merchants and many federal and state government departments, the SSN can unlock all kinds of sensitive records.

Universal ID

“The main reason we are stuck with an implacable identity theft problem in the U.S. today is because the Social Security number is used by finance companies as their customer identification number,” said Beth Givens, executive director of the Privacy Rights Clearinghouse, a consumer information and advocacy group.

Privacy experts like Givens are calling for a different kind of Social Security reform: They want business and the government to stop using the unique ID numbers for anything except managing Social Security benefits.

Ironically, in 2004, the Florida governor signed a law designed to help protect the SSNs of public employees. The bill allows employees to ask that their SSNs be held confidential and limits their release to commercial entities to the last four digits of the number. But the law acknowledges businesses’ need to use SSNs to identify their customers.

That’s just wrong, said Givens. “They all seem to have this mistaken notion that the only way to track you down is through your Social Security number. But in this digital age, if you have a name, phone number, current address and perhaps a medical number, you can use that information to try to find somebody. A Social Security number will help, but if you’re dealing with a dishonest person, they may not have given you a correct number anyway.”

There are plenty of other ways for businesses to automatically generate unique IDs for customers, said Robert Ellis Smith, publisher of Privacy Journal. “About 25 percent of credit applications received don’t have a Social Security number anyway, so it shows it can be done,” he said.

His estimate is based on testimony from various credit bureaus during hearings and litigation.

Nevertheless, Givens said, her organization gets complaints that cell phone companies, cable companies, even doctors and dentists have refused service without an SSN.

Smith proposes three measures to reduce criminals’ access to SSNs.

First, he said, the law should prohibit credit bureaus from sending a consumer credit report unless the SSN, name and address match. Often, he said, the company will provide a report based only on the number, making it easy for a scammer who’s snagged a valid Social Security number to get plenty of other damaging information.

Second, Smith wants to prohibit the disclosure of “header information” on credit reports. These headers don’t have data about a consumer’s creditworthiness, but they do contain personally identifying information that can be misused. The FTC ruled in the early 1990s that credit bureaus could sell header information to marketers, Smith said. “That’s when identity theft really began to take off.”

Finally, Smith thinks credit bureaus should be required to notify consumers when a change of address request is made, because ID thieves commonly set up new charge accounts with the consumer’s name and SSN but with their own addresses.

“These measures would get rid of 60 percent of identity theft,” Smith said.

A Long-Running Concern

The Internet has exacerbated the identity theft problem, but the writing has been on the wall for a long time. In fact, lawmakers in 1939 worried that the number could be used as a universal ID and made efforts to stop the practice.

Congress enacted the Privacy Act of 1974, limiting the ways government agencies could swap records on citizens and making it unlawful to deny services to those who refused to provide the number.

In the 1990s, the Federal Trade Commission considered regulating what had become a thriving trade in selling consumer data including SSNs. Instead, it worked with the data brokers to come up with self-policed guidelines, according to the Electronic Privacy Information Center, a public interest research center.

Last Friday, the Senate Banking Committee responded to the ChoicePoint, et al. debacles by holding hearings on how companies handle consumer data. Maybe this time they’ll take strong action, said Daniel Solove, an assistant professor at George Washington University Law School and author of The Digital Person.

“A lot of senators are interested,” he said. “We will see some kind of legislation out of this. But what will that legislation be?”

Credit bureaus and information brokers will doubtless lobby Congress, saying changes to the rules will hurt their business. But Solove said their voices might not carry as much weight as they used to.

“They had their chance. They weakened the legislation, and, as a result, more than 10 million citizens are victims of identity theft every year,” Solove said. “They got what they wanted, and it didn’t work.”

News Around the Web