Comment Number: 531096-00071
Received: 8/4/2007 7:59:10 PM
Organization:
Commenter: Vaughn
State: WA
Agency: Federal Trade Commission
Rule: Private Sector Use of SSNs
No Attachments

Comments:

I have worked in and written about the computer industry since 1972. I know that many (too many) companies use SSAN as a Primary Key to uniquely identify customers, patients and other individuals. I for one have counseled against this practice for decades because we have found that it’s not really a unique number. Unguarded use of a SSAN in databases also puts the individual and the company that stores it in unnecessary jeopardy.

While you might wish to force companies to stop its use, the cost to do so over 70 years since its inception would be prohibitive. As you know, there are literally millions of applications large and small that have the SSAN woven into the fabric of the program. Forcing companies to re-write these applications is literally impossible. One reason for this is the source code for a significant percentage of these applications is no longer available. The computer industry discovered that during the Y2K crisis.

I also think that the Federal Government needs to clean up its own act first. The Veteran’s Administration is a clear violator of the letter and spirit of the law. DOD and other federal offices that don’t have a need for anything other than a unique identifier are equally guilty. When I was in the service, I was ordered to wear my SSAN on my dog tags and stencil it in 6” letters on my duffle bag.

I’m a pragmatist. I really would like to see a solution that makes an individual’s private information private and secure in a way that existing uses can be made more secure. I think it’s time we have legislation that makes the sale or dissemination of SSAN or other personal information by anyone for any reason a felony. I would like to see the entire credit industry disclosure and new credit approval process revamped to further protect personal information.

As far as alternatives, I now recommend the use of Globally Unique Identifiers (GUID) values that can be easily generated by most modern computer languages. While less user-friendly than the SSAN, they are more universally accepted than SSAN. However, these would not help if an individual’s GUID was disclosed by a careless worker (as the VA has done several times in recent memory) or captured by a dumpster diver prowling through the trash outside a business that collects the personal information from its customers or patients.

Feel free to contact me for further illumination on these points. I'm sure you won't have any trouble finding me... ;)

William Vaughn
Author, Mentor, Dad