|Received:||8/4/2007 3:11:59 PM|
|Agency:||Federal Trade Commission|
|Rule:||Private Sector Use of SSNs|
Comments:The SSN system allows for a unique number for all Americans to aid the government in tracking items for taxation and benefit purposes. The number clearly should be something known only to the citizen, employers and parties reporting and processing data for the intended purposes only. The system was established at a time before computing was pervasive in business or ubiquitous in our society, as it is today. With the advent of computing came a logical business need to develop ID Codes to uniquely identify customers. The SSN number was and is abused for such purposes. It is not uncommon to see companies asking citizens for such information who have no authority to do so. I imagine that you are looking for an improved solution to better secure the system while not breaking the existing system. It seems logical to extend the existing SSNs and add a “PIN” code which can be changed by the citizen with such changes tracked in a central system as to the time period any given pin was in use. Given the population growth, it is not unreasonable to look at extending the core SSN system numbering, because we will run out of numbers in the current system soon enough. So, why not consider extending both the current number system and adding a pin before that disaster strikes? For example, Mr. X has a SSN of 000-00-0000 and on Jan 1, 2009 he participates in a new anti-abuse SSN system. He gets his new SSN of 000-00-0000-111-2222 (where the first 12 digits in the new SSN number would be unique and public with the last 4 being check digits used only as a citizen and government cross check ID without a pin) and he now adds a new pin of 123456 (or whatever length is logical) to his SSN. In our example, those companies who truly do need to have that data (e.g., employers and financial reporting institutions) could legitimately request his new 12 digit SSN and PIN. When they have this information, there is now a correlation between the citizen and those who need to know. Banks have spent much time in educating consumers that they should never give out their pin numbers, so there is some implicit understanding in a citizen’s mind that an SSN PIN is very important and should only be shared on a need to know basis. The citizen could use the first 12 digits to uniquely identify themselves on a public basis (i.e., in commerce), while the rest of the number remains private and their pin is entirely private. While the proposed new SSN is something of a long number, it is not any longer than the current credit card numbering scheme used by the VISA and MasterCard companies and so, given the acceptance of their numbering schemes, it should not cause any undue additional burden on the citizen. Should there be any problem which any party using the SSN detects, the citizen should be advised at once and the citizen should change the pin code immediately. This implies that a central government system should be in place for both reporting and changing the pin numbers. While a nuisance to do and an additional infrastructure expense, it goes some distance to protect citizens from SSN fraud. As far as legitimate parties are concerned, as long as they have an accurate pin dated prior to the detection of fraud that can be mapped to a pin history, they should have a complete and valid need to know reporting number. Clearly, additional legislation making the misuse of SSN PIN codes a substantial offense should be enacted to dissuade any party from even attempting to hack or gain unauthorized knowledge of citizen’s pin codes. Suggested penalties include mandatory jail time for any individual party (or its management and contracted agents in the case of an entity) who attempts to deliberately break the new system or use it fraudulently. Will this solve the problem entirely? Probably not, but it will make it harder on criminals than is the case today. Have further questions for me on this?