Insecurity over 9 worrisome digits

Some antifraud experts question a new bid by Congress to limit use of Social Security numbers.

By Brian Bergstein
Associated Press

NEW YORK - Recent disclosures of massive data leaks at information brokers, banks and retailers have prompted Congress to consider again tightening access to Social Security numbers, which have evolved into dangerous master keys for fraudsters.

But Social Security numbers already have come under a hodgepodge of restrictions over the years, and many experts question whether the new proposals would truly hinder identity theft. In fact, reducing some companies' access to Social Security numbers could worsen the situation.

Several identity theft watchdogs say the bills would neglect the deeper reason why committing financial fraud is relatively easy: Speed, not identity assurance, is the main priority of U.S. financial institutions that issue credit.

The fact that many companies use Social Security numbers essentially as a password - not only are they the key to getting credit, they can also unlock access to an account over the phone - certainly magnifies the problem. That's why Congress hopes to hide the numbers better - by reducing the ways they can be sold, for example, or by prohibiting them from being printed on benefit checks.

Even so, keeping the numbers and other personal data out of the wrong hands likely will remain tricky.

"It's too easy to get to data no matter what the key is, from insiders or hackers or mistakes," said Jody Westby, head of the security and privacy practice at PricewaterhouseCoopers L.L.P. "What we have to do is make it harder to use the data."

Westby's solution would be simple: universal use of the fraud alert, which identity theft victims are allowed to put on their credit reports for seven years. Before any new credit is granted, a card issuer or loan provider is supposed to call them and double-check that they, rather than an impostor, really made the application.

Putting everyone on fraud alert status would be a simple way of bringing more personal control to the system, Westby argues, just as do-not-call lists let people decide for themselves whether to talk to telemarketers.

In contrast, the data bills pending in Congress would make a lot of changes at once. Consumer advocates like many of the provisions, such as allowing people to refuse to give businesses their Social Security numbers, requiring more encryption of financial records, and demanding widespread disclosure of data breaches.

Finer points in the bills are expected to change as several measures are combined in hopes of generating one likely to pass. But a look at some of the details shows the difficulty of restricting Social Security numbers.

For example, a proposal from Sens. Arlen Specter (R., Pa.) and Pat Leahy (D., Vt.) would prohibit data brokers from selling a Social Security number without the consent of the subject. But there are many exceptions. The numbers could be sold for "research" purposes, for example, or if just the last four digits are listed.

The latter exception "almost nullifies the entire bill," said Daniel Solove, a law professor at George Washington University and author of The Digital Person. That's because the last four digits of any Social Security number are the only truly random part of the string. A savvy thief sometimes can determine the first five digits, because those are determined by where and when the number was granted.

Even if a fraudster doesn't get someone's exact number, he still might be able to obtain credit in that person's name.

Because the system is built to grant credit in a minute, there's a built-in tolerance for typographical errors or misprints such as transposed digits in a Social Security number.

"They're looking for accurate matches, but not exact matches, and that gray area is where fraudsters seek to perpetrate their crime," said Terrence DeFranco, chief of Edentify Inc., which makes software that scans credit applications for signs of fraud.

To perform that check, Edentify examines information harvested by data brokers, companies such as ChoicePoint Inc. or Reed Elsevier P.L.C.'s LexisNexis, which both had breaches that led to the current scrutiny.

Consequently, DeFranco has lobbied Congress to make sure Social Security numbers could still be sold for fraud-prevention services such as his.

Since ChoicePoint discovered that it let identity thieves posing as legitimate customers get information on 145,000 Americans, the company has stopped printing Social Security numbers on background reports.

But James Lee, ChoicePoint's director of marketing, argues that preventing data brokers from harvesting Social Security numbers would be ill-advised. The accuracy of background checks and other reports would suffer, he said, because the numbers remain the best way to differentiate people with similar names and to examine people's financial histories.

"You have to be very careful of the law of unintended consequences," he said.

What this all points out, many people in the information business argue, is the need for a new identifier.

One solution could be a "federated identity" system that relies on the mathematical principles of cryptography to ensure that information can be transferred only among prearranged parties.

*********************************************

Ladies and Gentlemen, . . . with all due respect, the above AP story is a bit off-kilter. The author is correct in saying that "it will be tricky." The author suggests that a new unique identifier be adopted by our government, to replace the social security numbers that have been in use for the past sixty, or so, years.

Sure! . . . . You Betcha! . . . . And the idea that this new, unique, identifer would somehow be more theft-proof, than the old, out-dated, worn out, over-used, blase' social security numbers, is pure unadulterated HYPE!

What's worse is that it's unintended consequences are so far-reaching that it would scare you to listen to the group that represents America's Private Investigation and Security Professions. As has been posted here in the past, (see archives for early July, 2005), the investigative profession supports several phrases found in the U.S. Constitution as well as the one on the precipitium overhanging the steps of the U.S. Supreme Court Building, that says, "Equal Justice Under Law."

Let's say, for example that you are arrested for a terrible crime, but you claim you're not guilty of that crime. Your fellow citizens of your community have paid some law enforcement agency, set up under the government of and by the people, has expended public funds to investigate a crime, and they concluded that you committed it. You must defend yourself. If you cannot afford an attorney, one will be appointed for you, at no cost. Good deal, ehh? You Betcha! And, along with that, you get a free investigator, with equal access to evidence and investigative powers, just like those taxpayer funded law enforcement investigators?

Theoretically, YES!

But the reality is, that the things mentioned in the above article will prevent any such thing from happening. You will NOT have equal justice under law. You will be railroaded by the government, and your trial will be anything BUT fair. The private sale of a social security number may not seem like a big deal, to most. But forty-four out of the fifty states make those Licensed Private Investigators who will be your key to proving your innocence, jump through a number of hoops, and force them to meet certain licensing requirements, before they can legally perform those kinds of duties for you. (Sure, some of the states do a very poor job of understanding exactly WHAT a Private Investigator does, how he does it, why he does it, or what effect it has on the quality of life in America, but the licensing laws are there as a foundation for controlling these individuals, and raising the standards for professionalism)

So, next time you see an article on "Privacy" or "Identity Theft," or the loss of thousands of data files by the credit reporting companies, or the industries that serve them and work for them, please understand that the issue is being exploited by some, who would, wittingly or unwittingly, take your freedom to know the truth, and protect you from the government away -- far away! An excellent example of this, is the prolifery of HIPPA laws, passed "to protect your medical privacy," but which had extremely extensive unintended consequences. When it comes to the government taking your guarenteed pursuits of life, liberty and happiness, and destroying them, with well-intentioned legislation, damaged by extreme unintended consequences.

Don't get me wrong, Private Investigators are NOT anti-privacy. We endorse legislation that truly prevents the misuse of unique identifiers. We'll work hard to get a comprehensive bill passed. As I've said many times, this is an insidious crime. We help people to fix problems, when their identity has been stolen. We've seen the insidious damage that can be done to an individual, by some criminal who obtains and misuses those unique identifiers. But passing legislation that bans all sales of those unique identifiers, will never solve the problem, and it will damage American freedoms, to extents never before seen. Trading the social security number, for some other unique identifer will NEVER make that unique identifer more secure, just like banning guns doesn't keep gun related crimes from happening.

Wake-up America! This may not be important to you, right now. But when you need it, to either stay out of jail or to know the truth about some huge issue in your life, whether it's days, months, or years in the future, it will be too late to change it.

God Bless,
Dan'L