Social Security numbers are like shims in the hands of identity thieves—along with names and home addresses, they’re part of the “Holy Trinity” of information used by identity thieves to plunder credit card accounts. Names and addresses are simple to find, so Social Security number privacy is the last bastion of consumer fraud protection.
If you want to be an identity thief, masquerading as an employer is not a bad way to get this kind of identifying information.” --Latanya Sweeney
Back in 2001, before large-scale reporting of high-profile government and corporate security breaches made “Identity Theft” a media buzzword, Carnegie Mellon computer science instructor Latanya Sweeney presented graduate students enrolled in her privacy technology course a simple challenge: figure out where thieves might find Social Security numbers. Universities had long posted them to distribute grades “anonymously,” and some even printed the numbers on university-issued identification cards. With online commerce and a rise in the use of credit cards opening the floodgates for an expected surge in fraudulent credit activity, Sweeney thought it would be useful to figure out where dangers lie.Internet flooded with Social Security numbers:
One of the students created a simple program to scour the Internet for the nine-digit numbers. It eventually discovered a goldmine for would-be identity thieves—an online job bank in which 30,000 applicants had freely offered up their Social Security numbers right alongside their names and addresses—it was a one-stop shopping center for fraudsters. “Obviously an alarm went off,” Sweeney later recalled. “If you want to be an identity thief, masquerading as an employer is not a bad way to get this kind of identifying information.”
In the not-so-distant early days of online transactions, employers and employees alike didn’t realize Social Security numbers were an invitation for fraud, so job sites proliferated with ready-to-rip identities. Businesses needed these numbers if they wanted to do a background check on a job candidate or, if that person was hired, to process payroll. Job site administrators figured they might as well require them in order for people to post their resumes. What they failed to take into consideration, however, was that once a resume is posted online, it can live in perpetuity, thanks to search engine caching and organizations that take regular “snapshots” of the internet and archive all online content. In light of the growing number of identity thefts, they failed to realize that the Internet wasn’t the best place to be putting Social Security numbers.
“How do you construct privacy-enhancing technology that does the same thing as the privacy-invasive technology, but does it with privacy guarantees? We're not talking about standard credit monitoring here” –Latanya Sweeney
“So, the next year, we went to find some [resumes] that were readily available online and contact the person to see what would happen,” Sweeney says. She and her staff of student volunteers began contacting those whose private information had been exposed. “People didn’t know what we were talking about,” Sweeney laughs. “Some of them were threatening us—if you try to steal my identity I’m going to sue you. We’re saying no, no we’re trying to help you. They didn’t get it at all.”
A scientific approach to identity theft:
She called her program “Identity Angel” and after working through some initial kinks, she made her second big run in 2004. “The results were amazing,” she says. “People got it. We got all these ‘thank yous.’” She tried to secure National Science Foundation funding for the project but was turned down because it wasn’t “scientific”— it didn’t purport to solve a scientific problem. “Maybe I wasn’t able to convey it in a proposal,” Sweeney admits, but she says the problem of identity management has a scientific basis, indeed. “I think if I submitted that same exact proposal today I’m 90 percent sure that it would be funded.”
Though she hasn’t been actively shopping her Identity Angel technology, Sweeney is open to the possibility of selling or licensing it to a private or public organization. In the meantime, Identity Angel continues to coast along the information superhighway. Last summer, the program found 6,000 resumes in 24 hours. But given the limitations of her all-volunteer staff, she can only contact affected customers 100 at a time. “For every 100 you send out, 50 are going to send back questions,” Sweeney says. Fortunately, Sweeney is happy to address these questions and others that extend even beyond the realm of identity theft. Other topics on her research plate include fingerprint technology and bioterrorism surveillance.
“How do you construct privacy-enhancing technology that does the same thing as the privacy-invasive technology, but does it with privacy guarantees?” she asks. “How do you prove that you can develop technology that can still be useful but still can provide privacy?” The verdict may yet be out, but we’re happy to defer to Sweeney for answers in the meantime.
Job Search Tips
*Experts say the information contained on your resume should be no different than what you might list in a phone book: a name, address, telephone number and e-mail are all the information needed by a would-be employer. Never post a Social Security number online. *If an employer asks for a Social Security number for a background check or because you’ve been hired, you should first check into the legitimacy of the organization. It’s best to do this through a face-to-face meeting at the workplace. If this isn’t possible, call the company’s human resources department. Make sure that the person you are dealing with is, in fact, a legitimate representative of the business.