textfiles/hacking/ssn-stuf.txt

From ucdavis!ucbvax!RED.RUTGERS.EDU!AWalker Fri Nov 13 18:33:17 PST 1987
Article 136 of misc.security:
Path: ucdavis!ucbvax!RED.RUTGERS.EDU!AWalker
>From: AWalker@RED.RUTGERS.EDU (*Hobbit*)
Newsgroups: misc.security
Subject: Yet more about SS numbers
Message-ID: <12349698929.28.AWALKER@RED.RUTGERS.EDU>
Date: 11 Nov 87 08:42:20 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Distribution: world
Organization: The ARPA Internet
Lines: 402
Approved: security@rutgers.edu

Hopefully this is the last of it...  _H*

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

Subject: Another no SSN reason
Date: Fri, 02 Oct 87 22:38:30 -0400
>From: new@udel.edu

Nark Mason writes about Social Security Numbers:
>I still haven't seen anyone give a good reason *why* to keep it [your
>SSN] secure. ... What horrible ded can be done with it that makes it not
>worth giving it out and the hassle that might follow?

Well, here's a story that happened to a good friend of mine that I
wouldn't want to worry about.  She sent in her tax returns, and got a
letter saying she still owed $6000 for the money that she inherited,
plus fines and interrest and a possible jail sentence.  It turns out that
someone, somewhere had inherited money and made up an SSN at random
to avoid the taxes.  After about six months of "hassle" (to say the least)
she finally convinced the IRS that she did not inherit anything.
She was able to do this only because the name did not match the SSN,
and the address was in New York instead of her actual address near Phila.

Now, I have been fighting institutions that use my SSN as a key primarily
because most of these insist on printing it on the mailing label along
with my name and address.  They claim this is so that when mail comes
back (mail that most people would consider "junk mail" anyway), they
can remove the name easily from the mailing list.  Can you imagine
the "hassles" I could have if the clerk at the institution plans ahead
for a successful trip to Atlantic City or Vegas, taking a few names,
addresses, and SSNs along?  How about the postal clerks that get to
read my SSNs?  My main complaint is not with the institution that uses my
SSN as a key, but rather the uses other than as a key to which it is put.

Incidently, does anyone use a database package that can handle sufficient
volume that names cause too many clashes, yet that does not have a
mechanism for generating unique keys?  Why must I supply my own key?
Not only am I reduced to a "mere number," but I must reduce MYSELF to
a number.

Regarding Government agencies requirements, what about Federally funded
institutions?  Can universities that are federally assisted demand
my SSN?
                               - Darren New
                                 University of Delaware
                                 new@dewey.udel.edu

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

Date: Mon, 5 Oct 87 09:33:45 cdt
>From: Jonathan Harris <harris%go-han@go-han.UChicago.EDU>
Subject: SSN's why get so upset about it.

	After all this talk of people not giving out social security numbers
to utilities and such, I have yet to hear anyone explain what is the harm in
giving it out and why it is worth all of this fuss. True, the social security
number is really meant for social security and tax administration, but what
harm can someone do if he finds your SSN. Apparently nothing; that is unless
you are a deadbeat intending to skip down and refuse to pay your phone/electric
bill.

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

Date: Mon, 5 Oct 87 21:51:27 EDT
>From: Douglas Humphrey <deh@eneevax.umd.edu>
Subject: Re:  ssn's

>So the real question is this:
>    How many databases list my MIT 888 number as my SSN

I would hope that most peoples data bases have some sort of validity
check on SSNs, since you can call the SSA and get a definition of the
SSN from them, and it does mention at least some of the field values
that are 'not right'. I saw a spec for this stuff about 5 years ago
perhaps in a Government RFP or something. Maybe a call to the SSA
would answer this?

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

Date:         Tue, 06 Oct 87 08:53:04 EDT
>From:         "A. Harry Williams" <HARRY%MARIST.BITNET@wiscvm.wisc.edu>
Subject:      Re: Digest of SSN responses

I find the response to both SSN and phone numbers as "If you don't have
anything to hide, why not give it out".  That is the same argument as
if the defendant doesn't take the stand in a criminal trial, he must be
guilty.

Also, I'm not sure that US SSN have a checksum.  My sisters and I
have consecutive SSNs.

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

Date: Tue, 6 Oct 87 12:20:01 EDT
>From: Larry Hunter <hunter-larry@yale.arpa>
Subject: Re: Why Protect SSNs?

Well, the practical reasons to associate your SSN with as few records
about you as possible have to do with the fact that large, powerful
entities (like the IRS and large consumer products companies) use
techniques like block modelling and record matching to exert unpleasant
power over individuals.  For example, the IRS uses social security numbers
to look up credit ratings and self-described income data associated with
consumer purchases (those little warrantee registration cards...)
to audit people it thinks may be under-reporting income.  Big credit
and insurance concerns use SSNs to find records that can penalize you 
by denying you credit or insurance on the basis of information that
you rarely see and never know how they get.  Other uses include
targeting the marketing consumer products and matching government
records against each other or commercial records.

Those large tax, law enforcement and marketing data analyses are more
difficult to do on someone who witholds SSN.   Unfortunately, the cause
of most of the trouble is invisible to the people who get screwed.  Nobody
says "we decided to audit you (investigate you, use this ad on you) because
of information we could analyse based on your SSN."  It is quite difficult
to track down the explicit uses of SSNs within specific organizations;
they are not interested in baring their data analysis techniques to
outsiders at all.   So for illustrative purposes, let me show how with
your social security number and a little motivation someone can learn
all of the intimate details of your life, ruin your credit rating and
get warrants issued for your arrest:

Your enemy gets your social security number.  He goes to the local
department of motor vehicles and get a driver's license in your name
by telling them he lost it and giving them your SSN.  Knowing your driver's
license number (SSN in many states) is usually sufficient ID for getting
a replacement license.  He takes the driver's license to the social
security office, tells them the appropriate SSN and asks for "his" payment
record.  They tell him your employer, your income, any interest bearing
bank accounts you have and any securities you have bought or sold in
the last 3 years and some odd months.  He can find out the medical
insurance company used by your employer and get your medical records
from them in a similar way.  He can also use the employment information
along with your SSN to get credit cards in your name (credit
card grantors use SSNs to access your credit records, and want little
information on you other than SSN, employer and bank accounts).   After
buying a fast new car on your credit,  he gets a lot of speeding tickets
on your license.  The criminal warrants that show up when he doesn't
pay the tickets are attached to your social security number.  If he really
wants to get you in trouble,  he gets busted for drunk driving or hit
and run on your license, makes bail and throws the license away.  You
now have a mountain of bad debt and a felony arrest warrant, not to mention
an enemy who knows every penny you have, what your credit record is like
and all of your medical history.  He got it all by just knowing your SSN.

Paranoid?   Sure.  I don't think this sort of thing happens very often,
but it provides an idea of the power in those 9 digits.  I personally
believe that the institutional (mis)use of SSNs is by far a worse problem
than the kind of criminal behavior I just described, but I find the latter
is more persuasive to people who are cavalier about having "nothing to
hide".

Try reading David Burnham's "The Rise of the Computer State" or his
upcoming book on the IRS, or Robert Ellis Smith's "Privacy: How to Protect
What's Left of It" for more detailed discussions.

                                        Larry Hunter

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

Date:      6 OCT 1987 22:51:13 EDT
>From:      "Bryan, Jerry"          <VM0A61%WVNVM.BITNET@wiscvm.wisc.edu>
Subject:   Digest of SSN responses

The Privacy Act of 1974 does *not* mention universities by name. I quote
as follows:

   "Sec. 7.(a)(1) It shall be unlawful for any Federal, State
    or local agency to deny to any individual any right, benefit,
    or privilege provided by law because of such individual's refusal
    to disclose his social security account number."


That all sounds well and good, except for the following little
"gottcha's".

  1 -- The original Privacy Act included the following exception:

       "(2) the provisions of paragraph (1) of this subsection
       shall not apply with respect to

           (A) and disclosure which is required by Federal statute"


       Note that "disclosures which are required by Federal statute"
       are legion.  For example, open a bank account, register for
       the draft, etc.

  2 -- the privacy act is grandfathered, so that anybody doing it
       before January 1, 1975 can keep doing it

  3 -- Congress has passed many, many exemptions and exceptions to
       the original Privacy Act, the worst of which is specifically
       authorizing states to use SSN's for driver's licenses and
       vehicle registration (Tax Reform Act of 1979).

  4 -- The clause in the original law making it apply to "any right,
       benefit, or privilege provided by law" is a pretty stiff test,
       according to lawyers who handled a SSN refusal case for me.
       It is pretty hard to convince a judge that attendance at a
       university is a "right, benefit, or privilege provided by law".
       And even if you did, the laws establishing universities in most
       states are ones which have been exempted from the Privacy Act
       by subsequent legislation (the Tax Reform Act of 1979).

  5 -- The original Privacy Act contained no penalty for violation.
       Again, according to my lawyers, a law with no penalty is essentially
       unenforcable.  What is needed is something like a $1000 fine for
       every violation.  Can you imagine how quickly a university would
       straighten up if it had to pay $1000 for every student for which
       it used an SSN as a student ID?

As an example of how tangled these webs can become, both the folks giving
ACT tests and SAT tests key the results off of SSN's, and these are
private organizations utterly uncovered by any privacy legislation.
Most (all?) universities that receive ACT and/or SAT scores match them
up with their students via SSN's.  Thus, universities have a valid,
practically mandatory reason for having the SSN for all students on file,
even if they do not use SSN for student ID.  Furthermore, if the
university is involved at all in the disbursement of federal money to
students (various student loans, etc.), the feds will *require* SSN's
for all the students involved.  What's the poor university to do?
Finally, grant applications to such agencies as National Institute of
Health and National Science Foundation require the SSN's of all
professors and students who will use the money? Again, what is the
university to do?  It really is too late, folks.  Big Brother is
already here, alive and well.  And even Mr. Reagan with all his
"get the government off the back of the people" rhetoric has
greatly expanded Big Brother, provided only that it is in support of
his declared social goals  --  catching welfare cheats and such.
The ends do justify the means, you know, as long as it is your own
ends you are after.

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

>From: mtune!mtgzy!norm@RUTGERS.EDU (n.e.andrews)
Subject: Re: ssn's
Date: 7 Oct 87 15:29:29 GMT

> Why bother? What horrible deed can be done with it that makes it worth
> not giving it out and the hassle that might follow?

False income tax returns could be filed against someone's social
security number.  I suspect the consequences of that could
qualify as a hassle...

There must be other bad things that could be done using people's
social security numbers, all of which could cause the real owner
a lot of unnecessary trouble.

I never did like the idea of tying the unlimited power of the
State so intimately to everyone's personal business...

-Norm Andrews, speaking for himself

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

>From: matt@oddjob.uchicago.edu (Godfather to putty-tats)
Subject: Re:  ssn's
Date: 9 Oct 87 21:28:58 GMT

Guess who asked for my SSN this week.  The Phone Company.

I was ordering new service preperatory to moving and they
first asked for employment information.  I said "You don't
really need that, do you?  I'm a current customer and you
know I pay my bills."  The clerk said "Just a moment", then
read me my employer's name and my (previous) title!

Then she asked for my SSN to "complete their records".  I
hollered quietly and she said, "Actually, you can decline."

			Matt Crawford

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

>From: mcb@lll-tis.arpa (Michael C. Berch)
Subject: Re: ssn's
Date: 8 Oct 87 23:06:48 GMT
To: <security@rutgers.edu>

This came up before in a Usenet newsgroup and is worth reiterating
here.  Look: I don't care what your feelings about giving out SSNs
are, or what effect it has on your privacy, or how the country is
going to hell in a handbasket because of the pervasive use of SSNs.
Just DON'T, under any circumstances, just "make up a number" and give
it out.  The odds that it is already assigned are substantial.
(And don't weasel around about how the 900's aren't used for SSNs;
they're used by the IRS as "Taxpayer Identification Numbers" (TINs)
and belong to people/corporations, too.)

If I got tangled up in a bureaucratic mess about some purchase or
payment or tax matter because some pinhead "made up a number" and it
happened to be mine, I would be massively (and justifiably) pissed off.
"Making up a number" is an anti-social, offensive thing to do,
and one that (even given my laissez-faire, anti-authoritarian point of 
view) I would not hesitate to report to criminal authorities if I 
discovered it.

Michael C. Berch 
ARPA: mcb@lll-tis.arpa
UUCP: {ames,ihnp4,lll-crg,lll-lcc,mordor}!lll-tis!mcb

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

Date: Sun, 11 Oct 87 23:06:51 EDT
>From: lear@aramis.rutgers.edu (eliot lear)
Subject: Re: ssn's

Hi Curios,

If someone wants to do a credit check on you, generally they need only
your ssn and your permission.  If they don't have the latter, they
shouldn't have the former.

Eliot

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

Date:         Mon, 12 Oct 87 08:31-0700
>From:         The Bandit   <WIZARD@rita.ACS.WASHINGTON.EDU>
Subject:      moron social security numbers.

I have seen numerous messages fly by these past few weeks regarding the
sense (or nonsense) of keeping one's ssn private.  All too often people
declare that ssn's are unique.  Would that this were true, but, unfortunately,
it is not.  Because uniqueness is not guaranteed, I prefer not to give out
my ssn.  I certainly wouldn't want someone's tainted credit rating affecting
my rating, nor would I wish to demolish someone else's -- were such dire
things to occur.

Derek Haining
Academic Computing Services
University of Washington
Seattle, Washington
(206) 543-5852

DEREK@UWARITA.BITNET
        -or-
DEREK@RITA.ACS.WASHINGTON.EDU

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

Date:         Fri, 16 Oct 87 11:02:00 EDT
>From: "Una R. Smith" <Q2813%PUCC.BITNET@wiscvm.wisc.edu>
Subject:      SSN

Yes, it's much easier for people to manipulate information about you in
a computer when they have your SSN, since it's a variable that can be
matched so easily.

But the flip side of that coin is what worries me.  Think how easy, with
a NINE digit number, it is for data coders to make keystroke errors.  Of
course this can happen with your name, but names have familiar patterns,
or are very unfamiliar.  Either way, the rate of error should be lower
for coding names.  But even if it isn't, that's ok, because few (if any)
organizations with information about you will ever even attempt to merge
data by your name.  If 2 files are being combined, and your name is the
common variable, and there is an error in 1 name record, there is no
match.  But if the SSN is used, and a coding error has occurred, there
is the chance that SOMEONE ELSE'S history will be appended to your name,
either under your SSN, or under theirs, depending on the coding error.

Now, if you are a bad customer or whatever, you don't really care if this
happens, because the chances are your history will only be improved.  But
if you are one of those sterling types who always pay on time, etc. and
you "have nothing to hide, so why not give the SSN without a fuss", you
might be burned badly.  And even if the error isn't terrible, getting the
problem fixed can take a long time.  Just try telling someone that thier
records on you are WRONG, especially if they have them on a computer.
The chances are high that you will only get to talk to someone who either
1) believes computers don't make mistakes, or 2) is afraid of the computer,
or 3) doesn't know how to correct the records on you, since they are hidden
in the computer, and doesn't want to bother finding out, or 4) CAN NOT change
the data in the computer because someone down the line never imagined that
changes would be necessary.

If you think any of the 4 cases above is unrealistic, let me assure you that
I know of instances of all 4 cases occuring.  My mother is still fighting
the property tax administrator in her city after 2 years because the records
she got out of his computer database, thanks to a naive underling, do not
agree with the tax assessments people in her neighborhood have been paying.
The difference, she has discovered, amounts to nearly a million dollars
annually coming out of single family residences instead of appartment
complexes.  The tax administrator's office has been stonewalling for over
2 years because they won't admit that there is no way, currently, for them
to get to the actual data;  they insist "the printout is wrong."  This is
clearly an example of case 4 above, with maybe a little old-fashioned
corruption thrown in for good measure.

Recently someone said he hadn't withheld his SSN in the past, so there
is no point to beginning now.  I strongly disagree.  No one is going to
make any great effort to match SSN's to data about you by hand, and it's
unlikely that if they do have your SSN that they also have a way of
looking at your name and address via computer.  After all, the SSN is
so handy just because it lets merchants, etc. treat your name as just the
first line of your address.  The format is often free-form, and it is
difficult to extract your name in program-driven databases.

They certainly won't get any help from the SS Administration.
-------