Not So Unique

Department of Corrections: Recently in this column, I suggested that it's a bad idea to use Social Security numbers as unique personal identification numbers just because they're available and, well, they're unique IDs.

I was wrong: way, waaay wrong. As several readers wrote to point out, a Social Security number is far from unique.

It turns out that millions of people have been assigned more than one SSN: more than 4 million by 1973, according to one government report, and probably many more today.

How does that happen? The Social Security Administration doesn't reuse SSNs and doesn't like changing anyone's SSN. But the agency will sometimes do it in cases of domestic violence, identity theft, and religious or cultural objections (for example, numbers containing 666 are offensive to some people). A new number can even be assigned if members of the same family have sequential SSNs and it's causing problems.

In those cases, one person can have two different SSNs as identifiers in a database. So much for uniqueness.

There's one other situation where the Social Security Administration issues a replacement number: when more than one person has been assigned, or is using, the same SSN. The most infamous case of that was 078-05-1120, which was used on a sample Social Security card by a wallet manufacturer. At one point, more than 5,700 people were using that number as their SSN.

And that doesn't include cases where a fraudster intentionally uses a specific person's SSN to fake that person's identity. Or where a prankster wants to cause problems for a victim. Or where someone wants to protect his own SSN, so he just pulls a number out of the air when asked to fill in a number on a form.

In other words, it's not unique, and it's not even a very good identifier.

But we're still using SSNs as if they were both unique and good identifiers, aren't we?

We use SSNs even though they're easy to fake, easy to imitate and easy to steal. We treat them as proof of identification even though they have zero value for authentication. And at the same time, we fail to keep them confidential, splashing them all over reports that really don't need them, except, of course, as unique identifiers.

Which is exactly what they arent.

We can't even straighten out this mess ourselves, because so many industries treat the SSN as a unique ID that it has become required data. Even though we know it shouldn't be used that way (that it really won't work that way), we can't get rid of it.

What we can do is box it in.

We can remove SSNs from printed reports. Long lists of SSNs aren't actually useful to our users, just to identity thieves.

We can obscure the display of SSNs on-screen. The last four digits are roughly as useful as the whole number, and blanking out the rest reminds users that SSNs should be kept confidential.

We can make sure there's a real unique customer ID in every database, even if it's never displayed to users.

We can build logic that requires more identifiers than just an SSN before a customer's information is displayed.

In short, we can filter out most of the routine overuses and misuses of SSNs that currently riddle our systems and business processes.
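A sketch of the last three measures together, added here as an illustration and not taken from the column or any Computerworld system: a surrogate customer ID as the real key, an SSN column that is deliberately not unique, masked display, and a lookup that needs name and date of birth as well as the SSN. The table layout, function names and the two customers are assumptions constructed for the example; the SSN is the sample-card number cited above.

```python
import sqlite3
import uuid

def open_db():
    db = sqlite3.connect(":memory:")
    # customer_id is the real key. ssn is ordinary data: indexed, NOT unique.
    db.execute("""CREATE TABLE customer (
        customer_id TEXT PRIMARY KEY,
        name TEXT NOT NULL,
        dob  TEXT NOT NULL,
        ssn  TEXT NOT NULL)""")
    db.execute("CREATE INDEX idx_customer_ssn ON customer (ssn)")
    return db

def normalize_ssn(ssn):
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("SSN must contain exactly nine digits")
    return digits

def mask_ssn(ssn):
    # On-screen form: last four digits only.
    return "***-**-" + normalize_ssn(ssn)[-4:]

def add_customer(db, name, dob, ssn):
    customer_id = str(uuid.uuid4())  # surrogate ID, never derived from the SSN
    db.execute("INSERT INTO customer VALUES (?, ?, ?, ?)",
               (customer_id, name, dob, normalize_ssn(ssn)))
    return customer_id

def lookup(db, ssn, name, dob):
    # An SSN alone never returns a record: name and date of birth must match
    # too, and the combination must select exactly one customer.
    rows = db.execute(
        "SELECT customer_id, name, ssn FROM customer "
        "WHERE ssn = ? AND name = ? AND dob = ?",
        (normalize_ssn(ssn), name, dob)).fetchall()
    if len(rows) != 1:
        return None
    customer_id, found_name, found_ssn = rows[0]
    return {"customer_id": customer_id, "name": found_name,
            "ssn": mask_ssn(found_ssn)}

if __name__ == "__main__":
    db = open_db()
    # Constructed customers sharing the sample-card number cited in the column.
    add_customer(db, "Ann Example", "1970-01-02", "078-05-1120")
    add_customer(db, "Bob Example", "1980-03-04", "078051120")
    print(lookup(db, "078-05-1120", "Ann Example", "1970-01-02"))
    print(lookup(db, "078-05-1120", "Ann Example", "1980-03-04"))
```

Both inserts succeed even though the SSN repeats, and the second lookup returns nothing because the date of birth does not belong to the named customer.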

Why should we? Well, there's the logical reason: Since an SSN isn't a unique identifier, we shouldn't act as if it is.

Then theres the practical reason: The screws are turning on SSN use. Slowly but surely, laws and regulations are changing to restrict how SSNs can be used and to dictate how they must be protected.

If we start now, we won't need a Y2k-style crash effort to solve the SSN problem when the new rules hit our businesses, just a few tweaks.

For once, we can be ahead of the game.

And wouldn't that be unique.

Frank Hayes is Computerworld's senior news columnist. Contact him at frank_hayes@computerworld.com.
