SSNs and Security

A colleague of mine is taking his son to Washington D.C. with him on business and they decided they wanted to tour the White House. To get approval, he sent a note to his Senator’s office. They asked him to send his and his son’s Social Security Numbers via email so that they could do a security clearance. He objected and said he’d prefer to fax them the information. They responded that this was OK, but that they’d be sending the SSNs to the offices of other Senators and Representatives to coordinate their tour with other groups. Of course, they’ll be sending these via unencrypted email.

Does it strike anyone else as odd that an organization that is supposedly concerned about security is passing around SSNs via email, storing them on who knows whose hard drives, and is otherwise as clueless as this? Presumably they want the SSN because there’s some feeling that they can gather information about the person that can be used in triage. But by making them less secure and by using them insecurely, they expose themselves to being fooled.

A better solution would be to have a secured Web site where potential visitors enter their SSN so that it can be managed in a secure way—SSL protection in transit, encrypted field in the database, one record, etc. You’d still need governance to ensure the information was handled securely, but at least you’d have a chance.
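
The storage side of the site described above, as an added example that is not code from the original post: the SSN is encrypted as a single database field with AES-256-GCM, and a keyed hash of the SSN serves as the row key so each person gets exactly one record. The in-memory `Map`, the in-process keys, the function names and the sample SSN in the comments are assumptions made for illustration; TLS for transit is left to the web server.

```javascript
const crypto = require('node:crypto');

// Assumption: in production both keys come from a KMS or HSM, never from source code.
const ENC_KEY = crypto.randomBytes(32);   // AES-256-GCM key for the SSN field
const INDEX_KEY = crypto.randomBytes(32); // separate HMAC key for the lookup index

const visitors = new Map(); // hypothetical stand-in for the database table

// Accepts "000-12-3456" or "000123456" (constructed sample) and rejects anything else.
function normalizeSsn(input) {
  const digits = String(input).replace(/[\s-]/g, '');
  if (!/^\d{9}$/.test(digits)) throw new Error('SSN must be nine digits');
  return digits;
}

// Keyed hash lets the table enforce uniqueness without storing the SSN itself.
// SSNs have only 10^9 values, so INDEX_KEY needs the same protection as ENC_KEY.
function blindIndex(ssn) {
  return crypto.createHmac('sha256', INDEX_KEY).update(ssn).digest('hex');
}

function encryptField(plaintext, aad) {
  const iv = crypto.randomBytes(12); // fresh nonce for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', ENC_KEY, iv);
  cipher.setAAD(Buffer.from(aad)); // binds the ciphertext to its own row
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

function decryptField({ iv, ct, tag }, aad) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', ENC_KEY, iv);
  decipher.setAAD(Buffer.from(aad));
  decipher.setAuthTag(tag); // final() throws if the field was altered
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Insert once; a second submission of the same SSN returns the existing row.
function registerVisitor(name, ssnInput) {
  const ssn = normalizeSsn(ssnInput);
  const id = blindIndex(ssn);
  if (visitors.has(id)) return { id, created: false };
  visitors.set(id, { name, ssn: encryptField(ssn, id) });
  return { id, created: true };
}

// The only path that yields plaintext; a real service would authorize and log it.
function readSsn(id) {
  const row = visitors.get(id);
  if (!row) throw new Error('no such visitor');
  return decryptField(row.ssn, id);
}
```

Offices that need to coordinate a tour would exchange the row `id`, not the SSN, and only the clearance step would call `readSsn`.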

Posted by windley on April 11, 2006 12:44 PM

6 Comments

Comment from Adam at April 11, 2006 2:55 PM

I had a similar experience just an hour ago. I dropped my iMac G5 off at the BYU Bookstore to get some warranty work done. Although my problem was with the power supply (so not a software issue) they still asked for my admin password. I declined to give it out, but I'm guessing they ask everyone and most probably hand it over. Forget SSNs, with that password any worker would probably have access to many accounts, including bank and school accounts (they also ask for your email). At the same time, what if my problem did have to do with software and I wanted them to help. What do I do then?

I'm thoroughly amused that the answer suggested by the guy concerned about email security was to use fax!
We are forever receiving faxes for a couple of different local companies, who apparently have numbers close to ours.
Let's not even get on to the topic of how safe the physical location is for a fax machine - usually in a shared location, with received faxes sitting out in the open for a couple of hours before they are finally retrieved.
How is a fax any more secure than an email? At least email _can_ be secured without requiring everyone to be on the same manufacturer.

You still believe politicians have intelligence? and especially in herds?

Comment from osoblanco at April 11, 2006 5:46 PM

I agree with the comment about FAX's. They are not secure. Nothing on a piece of paper is secure. No one can track the piece of paper (trail of evidence) through the various hands and under the many eyes that may see the information. Electronic data has a better potential for security and tracking. Therefore, the idea, the promise of readily available and secure (private and confidential) information. Congress passes laws for the secure treatment and transmission of data (HIPAA, etc.) and then doesn't live by the same standard. Almost as big a paradox as the Homeland Security guy who is busted in an Internet sting and his department oversees the monitoring and snooping into and through every phone call, Internet visit, email, etc., in and out of the US.

What's even funnier is that an SSN is not a valid form of identification and what the U.S. Senate thinks they need them for is absolutely bizarre.

In New York State, in the early 80's, they got around to realizing that they couldn't legally request it for things like making student identifications at the university system so I declined to give one. The down side is that I have to look up my student ID (an assigned identifier that has the form of an SSN but is impossible as an SSN) to communicate with the institution.

Comment from delagtrix at April 12, 2006 7:06 AM

I was at BoA this year and as I waited in the waiting area to discuss something about my account, a clerk filled out a form for a man sitting there. She asked him all the information for the form, and I had the opportunity to know this man's SSN, address, DOB, account number, and his wife's same information. Seeing how irresponsible the bank was, I promptly closed my account and explained why. This also shows how oblivious some people are to the dangers of giving out this information in public. I believe messaging centers will become a popular solution for the exchange of sensitive information, as Phil notes.