Re: Identity Theft (was: CRIME Computers vulnerable at Oregon department)

From: Greg Jorgensen (gregj@private)
Date: Thu Sep 26 2002 - 19:56:28 PDT

  • Next message: T. Kenji Sugahara: "Re: Identity Theft (was: CRIME Computers vulnerable at Oregon department)"

    On Thursday, September 26, 2002, at 06:19  PM, Crispin Cowan wrote:
    
    > What WILL work to prevent ID is legislation that prohibits banks & 
    > credit bureaus from using pathetically weak authenticators. Dr. 
    > Crispy's proposed law to largely eliminate ID theft:
    >
    >    * No financial institution or government agency may use a social
    >      security number, any attribute that is a matter of public record,
    >      or any attribute that is easily obtainable about another person
    >      (such as DOB, address, or mother's maiden name) as an
    >      authenticator. Authenticators must be *secret*, known only to the
    >      person and to the issuing organization at the time of issue.
    
     From the Social Security Administration's Publication No. 05-10002, 
    "Your Number and Card":
    
    > Giving Your Number To Others
    >
    > If a business or other enterprise asks you for your Social Security 
    > number, you can refuse to give it to them. However, that may mean 
    > doing without the purchase or service for which your number was 
    > requested. For example, utility companies and other services ask for 
    > your Social Security number, but do not need it; they can do a credit 
    > check or identify their customers by alternative means.
    >
    > Giving your number is voluntary even when you are asked for the number 
    > directly. If requested, you should ask:
    >
    >     * why your number is needed;
    >     * how your number will be used;
    >     * what happens if you refuse; and
    >     * what law requires you to give your number.
    >
    > The answers to these questions can help you decide if you want to give 
    > your Social Security number. The decision is yours.
    >
    > Our primary message is this--be careful with your Social Security 
    > number and your card to prevent their misuse.
    
    When Social Security was first established the law authorizing the 
    issuance of numbers specifically prohibited their use as 
    identification. The only legitimates purpose for the SSN according to 
    the original statute is to identify and access an individual's Social 
    Security account. The IRS uses your SSN as your Taxpayer ID Number 
    (TIN), but you can ask for and get a different TIN that is not your 
    SSN. I believe the IRS was later authorized to require SSNs when they 
    took over collecting FICA "contributions." Employers can ask for and 
    use your SSN only to complete tax forms.
    
    Most organizations that ask for your SSN--schools, utility companies, 
    etc.--will issue an identifier to you if you ask. Their use of SSNs is 
    more or less benign; the problem is that they don't secure the 
    information.
    
    The Federal Privacy Act of 1974 supersedes some earlier provisions 
    relating to government use of your SSN. The Privacy Act on its face 
    seems to cover the same points as Dr. Crispy's proposal, but it's full 
    of exceptions and loopholes, and probably conflicts with hundreds of 
    other regulations. No enforcement mechanism exists, either.
    
    State agencies and private companies can ask for your number, and even 
    deny services if you don't give it to them: the California DMV requires 
    a SSN to get a drivers license, and agencies in other states have 
    similar requirements. Federal courts have upheld such state laws on the 
    theory that the individual does not have to give their SSN (i.e. there 
    is no statutory penalty for not divulging it); not getting a license is 
    not regarded as a penalty because no statutory right to get a drivers 
    license exists.
    
    > Sadly, I don't think the State has the jurisdiction to implement such 
    > a law; it'll probably have to be Federal.
    
    In general states laws can't override or nullify Federal laws, but they 
    can clarify and narrow areas left open in a Federal law. Since Social 
    Security numbers are issued by the Federal government states can't 
    legislate on their use in any meaningful way. The Federal Privacy Act 
    also appears to create a Federal jurisdiction over identification 
    schemes.
    
    I'm not an attorney.
    
    --
    Greg Jorgensen
    PDXperts LLC, Portland, Oregon, USA
    



    This archive was generated by hypermail 2b30 : Thu Sep 26 2002 - 20:28:11 PDT