On Wed, Nov 17, 2010 at 4:04 PM, Jeffrey Walton <noloa...@gmail.com> wrote:
>
> On Wed, Nov 17, 2010 at 6:58 PM, Dan Kaminsky <d...@doxpara.com> wrote:
> > Did anyone actually read the ruling?
> > They're basically saying a SSN# isn't an identity.
> >
> > Given that SSN#'s aren't actually unique in the population, they're, you
> > know, right.
> Expand, please.
>

http://www.schneier.com/blog/archives/2009/07/social_security.html

Information about an individual's place and date of birth can be exploited to predict his or her Social Security number (SSN). Using only publicly available information, we observed a correlation between individuals' SSNs and their birth data and found that for younger cohorts the correlation allows statistical inference of private SSNs. The inferences are made possible by the public availability of the Social Security Administration's Death Master File and the widespread accessibility of personal information from multiple sources, such as data brokers or profiles on social networking sites. Our results highlight the unexpected privacy consequences of the complex interactions among multiple data sources in modern information economies and quantify privacy risks associated with information revelation in public forums.

===

This is, of course, a direct consequence of (from Wikipedia/SocialSecurity.gov):

The Social Security number is a nine-digit number in the format "AAA-GG-SSSS". The number is divided into three parts.

The Area Number, the first three digits, is assigned by the geographical region. Prior to 1973, cards were issued in local Social Security offices around the country and the Area Number represented the office code in which the card was issued. This did not necessarily have to be in the area where the applicant lived, since a person could apply for their card in any Social Security office. Since 1973, when SSA began assigning SSNs and issuing cards centrally from Baltimore, the area number assigned has been based on the ZIP code in the mailing address provided on the application for the original Social Security card. The applicant's mailing address does not have to be the same as their place of residence. Thus, the Area Number does not necessarily represent the State of residence of the applicant, neither prior to 1973, nor since.

Generally, numbers were assigned beginning in the northeast and moving south and westward, so that people on the east coast had the lowest numbers and those on the west coast had the highest numbers. As the areas assigned to a locality are exhausted, new areas from the pool are assigned, so some states have noncontiguous groups of numbers.

Complete list of area number groups from the Social Security Administration

The middle two digits are the group number. The group numbers range from 01 to 99. However, they are not assigned in consecutive order. For administrative reasons, group numbers are issued in the following order:

    ODD numbers from 01 through 09
    EVEN numbers from 10 through 98
    EVEN numbers from 02 through 08
    ODD numbers from 11 through 99

As an example, group number 98 will be issued before 11.

The last four digits are serial numbers. They represent a straight numerical sequence of digits from 0001-9999 within the group.

Information from http://www.socialsecurity.gov/history/ssn/geocard.html

On June 25, 2011, SSA will change the SSN assignment process to "SSN Randomization". SSN randomization will affect the SSN assignment process in the following ways:

    It will eliminate the geographical significance of the first three digits of the SSN, currently referred to as the area number, by no longer allocating the area numbers for assignment to individuals in specific states.

    It will eliminate the significance of the highest group number and, as a result, the High Group List will be frozen in time and can be used for validation of SSNs issued prior to the randomization implementation date.

    Previously unassigned area numbers will be introduced for assignment excluding area numbers 000, 666 and 900-999.

===

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
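
The "AAA-GG-SSSS" structure and group issuance order quoted in the message above, written out as a structural check of the kind a data-validation or DLP rule uses to discard strings that cannot be pre-randomization SSNs. This is an added example, not part of the original thread or any SSA code; the function names and `SAMPLE_HIGH_GROUP` table are hypothetical, and the table holds a constructed value, not real High Group List data.

```python
import re

# Group issuance order as quoted above:
# odd 01-09, even 10-98, even 02-08, odd 11-99.
GROUP_ORDER = (
    list(range(1, 10, 2)) + list(range(10, 99, 2))
    + list(range(2, 9, 2)) + list(range(11, 100, 2))
)
GROUP_RANK = {group: rank for rank, group in enumerate(GROUP_ORDER)}

SSN_RE = re.compile(r"^(\d{3})-(\d{2})-(\d{4})$")

# Constructed sample: area -> highest group issued so far (not SSA data).
SAMPLE_HIGH_GROUP = {1: 6}


def parse_ssn(text):
    """Split 'AAA-GG-SSSS' into (area, group, serial) ints, or return None."""
    match = SSN_RE.match(text)
    if not match:
        return None
    area, group, serial = (int(part) for part in match.groups())
    # Area numbers 000, 666 and 900-999 are excluded from assignment.
    if area == 0 or area == 666 or area >= 900:
        return None
    # Groups run 01-99 and serials 0001-9999, so all-zero fields are invalid.
    if group == 0 or serial == 0:
        return None
    return area, group, serial


def issued_before(group_a, group_b):
    """True if group_a is handed out earlier than group_b within an area."""
    return GROUP_RANK[group_a] < GROUP_RANK[group_b]


def plausible_pre_randomization(text, high_group):
    """Check a candidate against a High Group table (area -> highest group)."""
    parsed = parse_ssn(text)
    if parsed is None:
        return False
    area, group, _serial = parsed
    if area not in high_group:
        return False
    # A group is plausible only if it was issued no later than the high group.
    return GROUP_RANK[group] <= GROUP_RANK[high_group[area]]
```
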