RE: Risk of using SS#s (last 4 digits) for authentication
From: "Jason Coombs" <jasonc () science org>
Date: Fri, 8 Nov 2002 21:24:09 -1000
You can do anything you want with a person's SSN, and so can the State and
Federal government. See http://www.epic.org/privacy/ssn/
Here in Hawai'i my driver's license number is my social security number. The
State is working to remedy this problem, and recently it became possible for
me to request a replacement number and be issued a new license.
This condition was mandatory when my license was first issued, and my option
if I didn't want my SSN to appear on my driver's license was to try to live
without a State-issued identification card and without legal driving
privileges. There were some options, such as an International Driver's
license, or claiming residency in another State, but they would have
required a considerable amount of effort and cost and might have resulted in
legal problems of a different sort -- tax evasion, etc.
The FBI gave testimony before the House Ways and Means Subcommittee on
Social Security recently. The testimony is somewhat interesting:
An argument against use of the SSN that is much stronger than the privacy
argument is the one of religious freedom guaranteed by the First Amendment.
See BOWEN v. ROY, 476 U.S. 693 (1986), U.S. Supreme Court decision that
reversed a lower court decision where "the court held that the public
interest in maintaining an efficient and fraud-resistant system could be met
without requiring a Social Security number" and required the Secretary of
Health and Human Services of the plaintiff's State to provide AFDC and Food
Stamp program assistance to the plaintiff's 2-year-old daughter, Little Bird
of the Snow. The arguments made by plaintiff are especially interesting:
'At trial, Roy testified that he had recently developed a religious
objection to obtaining a Social Security number for Little Bird of the Snow.
Roy is a Native American descended from the Abenaki Tribe, and he asserts
a religious belief that control over one's life is essential to spiritual
purity and indispensable to "becoming a holy person." Based on recent
conversations with an Abenaki chief, Roy believes that technology is
"robbing the spirit of man." In order to prepare his daughter for greater
spiritual power, therefore, Roy testified to his belief that he must keep
her person and spirit unique and that the uniqueness of the Social Security
number as an identifier, coupled with the other uses of the number over
which she has no control, will serve to "rob the spirit" of his daughter and
prevent her from attaining greater spiritual power.'
If you listen carefully, you can almost hear your spirit being robbed every
moment of every day by the machinery of modern society. But the benefits
sure are great.
jasonc () science org

From: David Greenstein [mailto:dgreenst () tir com]
Sent: Monday, November 04, 2002 12:45 PM
To: Jim Lawton; security-basics () security-focus com
Subject: RE: Risk of using SS#s (last 4 digits) for authentication
How legal is the use of the SSN for authentication? My understanding
is that the SSN is to be used by state and federal government only.
Please, any legal expert, help us to understand the issue.

From: Jim Lawton [mailto:jblii () hotmail com]
Sent: Saturday, November 02, 2002 8:00 AM
To: security-basics () security-focus com
Subject: Risk of using SS#s (last 4 digits) for authentication
We are currently considering the limited use of employees' Social Security
numbers to authenticate them when they request a password reset from the
Help Desk. We have chosen two items (in total) for authenticating them:
their employee # and the last 4 digits of their SS#. Only the last 4 digits
would be stored in the Help Desk app, and these would be viewable only by
Help Desk technicians. They would only be able to see them by selecting a
specific toolbar button (the SS# screen would not be visible at all times).
We are concerned with the privacy issue potential if we use any part of a
SS# but are unaware of any legal precedent, standard or guideline either
supporting or against this use. Does anyone have knowledge they can share,
or know of web resources that might be useful to research this issue?
We are a corporation of roughly 1200 specializing in healthcare, and HIPAA
privacy/security regs, NCQA and URAC accreditations must be taken into
Thanks in advance for any suggestions or information.