Shostack + Friends Blog Archive

 

Dear SSN-publishing crowd

There’s a bunch of folks out there who are advocating for publishing all SSNs, and so I wanted to point out (courtesy of Michael Froomkin’s new article on Government Data Breaches) that it would be illegal to do so.

42 USC § 405(c)(2)(C)(viii) reads:

(viii)(I) Social security account numbers and related records that are obtained or maintained by authorized persons pursuant to any provision of law enacted on or after October 1, 1990, shall be confidential, and no authorized person shall disclose any such social security account number or related record.

Which doesn’t impact on your policy analysis, but since you need to advocate for a law being changed, we might as well advocate for the right law, rather than a change you hope will have certain effects.

In my view, the right law is one that says that reliance on the SSN for authentication or authorization purposes shall be presumed negligent.

Oh, and Froomkin’s article is delightful too. Take a look.

2 comments on "Dear SSN-publishing crowd"

  • rob sama says:

    They publish them for dead people:

    http://ssdi.rootsweb.ancestry.com/

    Go do a search for a deceased celebrity name or your dead relative or something. I’m sure there’s some mischief to be made of this…

  • Dissent says:

    Adam: while the statute you cite does prevent “authorized persons” as defined earlier in Section 205 from disclosing SSN, it does not seem to prohibit states from posting SSN in public records online. It seems that federally authorized persons or federal agents may not disclose what they obtained within the context of addressing disability and SSA business, but thanks to creep in use of SSN, the federal law doesn’t stop states if they acquired the SSN via non-SSA purposes. Indeed, some states continue to argue that they are required to disclose SSN under their desperately-needing-to-be-updated public records laws.

    Alessandro Acquisti’s research made it pretty clear that entities need to stop using SSN for identification and authorization purposes. But how did Congress respond when Alessandro briefed them? Nobody really jumped up and said, “Okay, that’s it — we’ll deal with this right now.”

    But maybe I’m wrong. It wouldn’t be the first time. 🙂
