What is the danger in someone learning a dead person's Social Security number?

And if legal access is eliminated, are there ways of getting pirated copies of that data (up to last year) anyway, seeing as it's been public for years?
posted by pracowity at 5:13 PM on April 5, 2012 [1 favorite]

You could probably apply for credit in the dead person's name, use it as a cover identity for an illegal employee, or relive the Shawshank Redemption.

Which is exactly what publishing this list is designed to prevent.
posted by one more dead town's last parade at 5:25 PM on April 5, 2012 [5 favorites]

This is really something that should be decided by the Death Master. It's his file, after all.
posted by Sys Rq at 5:41 PM on April 5, 2012 [25 favorites]

So this is not somehow any risk to the living relatives, just a (real or imagined) risk to corporations or the government?
posted by pracowity at 5:44 PM on April 5, 2012 [5 favorites]

It's a risk to credit card companies. The credit system is completely broken in that the company issuing credit caries no responsibility to verify who they are offering the credit to.

If a guy knocks on my door wearing a McDonald's uniform and says "hi I'm from McDonald's, I'll pay you $500 to put this couch in my van", I don't expect McDonalds to pay up when I don't get a check in the mail. So why the fuck can Visa expect me to pay up when some asshole steals my mail?
posted by idiopath at 6:05 PM on April 5, 2012 [1 favorite]

Actually, there's been some research by Alessandro Acquisti (and his coauthors) at Carnegie Mellon that shows that knowing some basic information about a person (usually easily available online) is enough, combined with the SSDI, to guess someone's social. I think this is the paper I'm thinking of.

SSNs were never a very good identity verification system in the first place for anything other than, say, Social Security. If nothing else, everyone uses it now, which means in the event of a breach at one location, a lot of other data suddenly could become insecure. The solution is probably to move to a different verification system, not make it harder to get hold of SSNs.
posted by dismas at 6:07 PM on April 5, 2012 [2 favorites]

“So what?,” many are likely thinking. “Genealogy is a hobby. How can you possibly weigh the pain of these parents against the needs of genealogists? No contest.”

Many likely make a good point. It's not going to be the end of the world if that information is delayed by 5, 10 years or whatever.

The people who are actually related to the dead will probably find out that they're dead.

If a guy knocks on my door wearing a McDonald's uniform and says "hi I'm from McDonald's, I'll pay you $500 to put this couch in my van", I don't expect McDonalds to pay up when I don't get a check in the mail. So why the fuck can Visa expect me to pay up when some asshole steals my mail?

Well, they don't.

There are two basic problems here, the difference between loans and cash. If someone takes a loan out in your name, you don't have to pay it. But, if someone takes money out of your bank account, well, that money is gone.

Despite that, though, pretty much every bank will return the money to you if it gets taken out of your account. In fact, I don't even think you're legally liable for it.

However, if a hacker steals money out of a corporate account, the bank may not reimburse it. There was a story recently where a corporate account was hacked by way of hacking the corporate desktop machine. Hackers stole a couple hundred k, the bank told them "sorry, you lost it, not us". I think it was Bank of America, or something. the article pointed out that users would be protected if it was a personal account.
posted by delmoi at 6:09 PM on April 5, 2012

I was thinking more of the credit rating issue - the burden of proof is on the victim to prove their identity was stolen, and the credit rating still may suffer.
posted by idiopath at 7:11 PM on April 5, 2012

There's always been a real, built-in limit to the genealogic research you could do with a SSN anyway: SSNs only began in the mid-1930s (offhand, I think it was 1936), and the SSDI really doesn't tell you much more than a person named x died xx/yy/zz and their final address was xxx --- the SSDI doesn't give a birthdate (just sometimes a birth year) or birth location, so there's no real way to tell if this 'John Smith' is your 'John Smith'.

And although nowadays kids are assigned SSNs when they're born, that's only been happening since 1972 --- before that, we of the Baby Boomer generation went downtown and got a number when we got our first job or wanted to get our driver's licenses: we didn't need an SSN before then. And the older folks were even worse: take my grandmother as an example.... she was born in 1889, never worked outside the home after she got married in 1910, received a SSN pension from my grandfather's work after his death in 1949, but never even applied for a SSN of her own until Medicare finally insisted in 1974 --- and from what I'm seeing in my own genealogical research, that was normal.
posted by easily confused at 7:28 PM on April 5, 2012 [1 favorite]

I use the SSDI in doing probate and estate work - you have to provide a list of all potential beneficiaries to the Surrogate's Court, and if you have a distant sibling of the deceased who hasn't been in contact with anyone for 20-30 years, it's one possible way to see if they're still alive or not. Social Security numbers don't even figure into the way I use the index.

Not having any access to it at all would be annoying.
posted by Lucinda at 8:11 PM on April 5, 2012 [3 favorites]

My previous employer was a debt buyer focusing on portfolios of charged-off credit card debt and judgments from major US banks. The first thing done with fresh files was scrubbing out any hits in the SSDI. Why? To avoid collection letters addressed to dead people ending up in the hands of the bereaved. It didn't matter whether the account was the result of fraud or if the account was legitimate and went into default when the consumer died; probate isn't worth the trouble. We'd rather just close the account for good and be done with it. Deaths that slip through the SSDI are more often than not a huge headache for us, and can be traumatic for the people on the other end. Thanks to the SSDI, I kept off the collections floor a file that belonged to someone who died on 9/11. Imagine the spouse getting that phone call. Get rid of access to the SSDI, and you can expect a lot of calls like that one, and letters threatening the dead with lawsuits, in the hands of their children.

Submitted for your consideration: a Mr. John Doe Sr. and Jane Doe, parents of the late John Jr. (1985-2003), taken in a car accident when only 17. Because of a data entry error on a credit card John cosigned for his son months before he died, they have a blended credit report (peculiar, perhaps, but disturbingly common). He starts getting denied loans--his credit ruined by the unpaid debts of an Arizona roofer awaiting deportation for driving while brown. One lazy skiptracer using the blended SSN "locates" "JOHN DOE" the roofer at his old address from 2003, assuming he moved back with his folks. Thanks to SCIENCE! most skiptracing in the year 2013 is done by machines searching "databases" without meddling human hands confirming its accuracy. As a result, other creditors and collectors now have John Sr. and Jane's address as "recent" and they are being hounded for all these debts supposedly racked up by their son in his spendthrift days as a spectral roofer.

*ahem*

You want to know why the SSDI isn't doing much to stop identity theft? Because half the time, financial institutions are too lazy to use it or don't care, and regulators won't make them. Vaguely worded guidelines like the Red Flags Rule [PDF]* don't even explicitly require the use of this once freely available and simple method for preventing identity theft. Look at this monstrosity, if you can, and try to figure out what it says. All it basically requires is for creditors and financial institutions to have a reasonable written policy about looking out for potential identity theft, keeping the policy up to date, and having staff trained appropriately. You'd think doing this is basic prudence on the part of creditors and financial institutions, and that compliance would be a breeze because they would just be documenting procedures already in place. This was my experience as a fresh-faced compliance officer responsible for writing this policy one month into the job. Took me a few weeks because I was new at it. Imagine my surprise when the deadline was extended 6 months. The law it was based on was passed in 2003. The regulators only published the rules in November 2007, giving industry a whole year to get in compliance. Then the deadline was pushed ahead, then pushed ahead again, then pushed ahead again. It wasn't until December 2010 that the deadline for enforcement actually came, and I think that's only because the FTC forgot to keep posting last-minute 6 month extensions. Probably laid off the person responsible because of budget cuts.

Why keep delaying the implementation? Because the too-big-to-fail banks are like Tetsuo at the end of Akira. In boom and bust, all they did was eat any company in sight that looked like it might compete with them or be remotely tasty. They are completely unable to control their appendages, or even really know what they are up to. Banks like Chase, and BOA and Citi have accounts on their books from countless entities that in turn are composed of the corpses of banks and bank-like-entities they ate, and they have complete documentation for almost none of it. It's just too messy to deal with. This is why it's easier and cheaper for them to lobby for the death of the CFPA than to comply with basic regulations. The industry has been in a feeding frenzy and insulated from the consequences for decades, and the results are messy. I'm absolutely confident that there are at least hundreds of thousands, perhaps millions of judgments floating around out there where suit was filed without the creditor having any supporting documentation whatsoever. No signed application, no statements, no copies of last payment, no proper chain of title, not even the terms and conditions.

That's right, for a not insignificant number of judgments on credit cards out there could have been avoided if the defendant had filed an answer and asked to see the T&C. That fine print you pretend to read for a few seconds before signing? Yeah, the bank can't even produce that for the court. The bank that bought the bank that bought the subprime card issuer that issued the T&C that applied at the time of default can't find a copy. There is probably a T&C code in the file, but the table in the database to find the directory path for the file for each T&C is missing, because they guy who was supposed to convert it for the new database for merger 1 was laid off during merger 2. More likely, it refers to a path on an old server and the file is missing. That's OK, the microfilm backup it was scanned from is probably around here somewhere.

*Seriously, this is why the CFPA is so needed. Look at all the regulators responsible for implementing their own tweaked version of this rule in their own regulatory domain: the OCC, the Federal Reserve, the FDIC, the OTS, the NCUA and the FTC.
posted by [expletive deleted] at 8:18 PM on April 5, 2012 [98 favorites]

I was thinking more of the credit rating issue - the burden of proof is on the victim to prove their identity was stolen, and the credit rating still may suffer.

In Sweden they only have two credit ratings, good or bad. And they only have one collection agency that can give you a bad credit rating, run by the government.

Anyway, I personally find credit ratings in general kind of bogus. Why should private, unaccountable companies be able to keep records on us and have a huge influence over our lives? It's bullshit, IMO.

If it was up to me, people would get new, randomly generated SSNs every 2-5 years. The numbers should only be used for tracking social security income, not serve as a global database unique key.
posted by delmoi at 9:39 PM on April 5, 2012 [7 favorites]

US credit ratings are a funny thing, privately run but de-facto official since all the banks use them. There are similar smaller scale institutions for landlords and trucking companies (and other rackets I am sure). They make a great advertisement for labor unions in that way. Even without official recognition they get what they want thanks to solidarity. Too bad it's so much easier for corporations to "unionize" than it is for humans.
posted by idiopath at 9:52 AM on April 6, 2012 [1 favorite]

Credit ratings, yes...I think we can keep our eyes open for the list being restricted only to banks and credit agencies, and of course, still readily obtainable by criminals who are willing to put forth a little effort. But the public, for whatever that silly thing is they want to do? Pssh, that's just not the way things are done these days.
posted by Bokononist at 11:42 AM on April 6, 2012

when is the bill being voted on?

Al Maiorino
posted by maiorino65 at 1:37 PM on April 6, 2012

delmoi: "If it was up to me, people would get new, randomly generated SSNs every 2-5 years. The numbers should only be used for tracking social security income, not serve as a global database unique key."

Are you going to give us another one, or just force us into the quagmire?
posted by pwnguin at 8:49 PM on April 6, 2012

And although nowadays kids are assigned SSNs when they're born, that's only been happening since 1972

Not that early. I was born in 1972 and didn't get an SSN til I got my first job, at age 14 I think, in about 1986.

If you guessed where I was born based on my SSN, you would be off by about a thousand miles.
posted by marble at 9:10 PM on April 7, 2012