On Wed, Nov 17, 2010 at 4:08 PM, Dan Kaminsky <[email protected]> wrote:
> On Wed, Nov 17, 2010 at 4:04 PM, Jeffrey Walton <[email protected]> wrote:
>>
>> On Wed, Nov 17, 2010 at 6:58 PM, Dan Kaminsky <[email protected]> wrote:
>> > Did anyone actually read the ruling?
>> > They're basically saying a SSN# isn't an identity.
>> >
>> > Given that SSN#'s aren't actually unique in the population, they're, you
>> > know, right.
>> Expand, please.
>>
>
> http://www.schneier.com/blog/archives/2009/07/social_security.html
>
> Information about an individual's place and date of birth can be
> exploited to predict his or her Social Security number (SSN). Using
> only publicly available information, we observed a correlation between
> individuals' SSNs and their birth data and found that for younger
> cohorts the correlation allows statistical inference of private SSNs.
> The inferences are made possible by the public availability of the
> Social Security Administration's Death Master File and the widespread
> accessibility of personal information from multiple sources, such as
> data brokers or profiles on social networking sites. Our results
> highlight the unexpected privacy consequences of the complex
> interactions among multiple data sources in modern information
> economies and quantify privacy risks associated with information
> revelation in public forums.
> ===
> This is, of course, a direct consequence of (from
> Wikipedia/SocialSecurity.gov):
>
>
> The Social Security number is a nine-digit number in the format
> "AAA-GG-SSSS". The number is divided into three parts.
>
> The Area Number, the first three digits, is assigned by the
> geographical region. Prior to 1973, cards were issued in local Social
> Security offices around the country and the Area Number represented
> the office code in which the card was issued. This did not necessarily
> have to be in the area where the applicant lived, since a person could
> apply for their card in any Social Security office. Since 1973, when
> SSA began assigning SSNs and issuing cards centrally from Baltimore,
> the area number assigned has been based on the ZIP code in the mailing
> address provided on the application for the original Social Security
> card. The applicant's mailing address does not have to be the same as
> their place of residence. Thus, the Area Number does not necessarily
> represent the State of residence of the applicant, neither prior to
> 1973, nor since.
>
> Generally, numbers were assigned beginning in the northeast and moving
> south and westward, so that people on the east coast had the lowest
> numbers and those on the west coast had the highest numbers. As the
> areas assigned to a locality are exhausted, new areas from the pool
> are assigned, so some states have noncontiguous groups of numbers.
>
> Complete list of area number groups from the Social Security Administration
>
> The middle two digits are the group number. The group numbers range
> from 01 to 99. However, they are not assigned in consecutive order.
> For administrative reasons, group numbers are issued in the following
> order:
>
> ODD numbers from 01 through 09
> EVEN numbers from 10 through 98
> EVEN numbers from 02 through 08
> ODD numbers from 11 through 99
>
> As an example, group number 98 will be issued before 11.
>
> The last four digits are serial numbers. They represent a straight
> numerical sequence of digits from 0001-9999 within the group.
>
> Information from http://www.socialsecurity.gov/history/ssn/geocard.html
>
> On June 25, 2011, SSA will change the SSN assignment process to "SSN
> Randomization". SSN randomization will affect the SSN assignment
> process in the following ways:
>
> It will eliminate the geographical significance of the first three
> digits of the SSN, currently referred to as the area number, by no
> longer allocating the area numbers for assignment to individuals in
> specific states.
> It will eliminate the significance of the highest group number and, as
> a result, the High Group List will be frozen in time and can be used
> for validation of SSNs issued prior to the randomization
> implementation date.
> Previously unassigned area numbers will be introduced for assignment
> excluding area numbers 000, 666 and 900-999.
>
> ===
>

Actually, technically, the above doesn't *necessarily* make SSNs non-unique. It just means that they're not randomly assigned. They could still be uniquely assigned within a non-random space. So that's a fairly significant assumption on my part, especially with some evidence of being willing to use non-contiguous assignment to deal with exhausting of numbers.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
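The group-number issuance order and the structural rules quoted in the thread (area numbers 000, 666 and 900-999 never assigned, groups 01-99 issued in the odd/even sequence, serials 0001-9999, and the frozen High Group List usable for validating pre-randomization numbers) can be turned into a plausibility check of the kind a fraud-detection or data-quality pipeline would run. This is an added example, not code from the thread, from the SSA or from Wikipedia; the `high_group` parameter is an assumption standing in for the frozen High Group List entry for an area, and every sample number is constructed.

```python
import re
from typing import Optional, Tuple

# Group-number issuance order as stated in the quoted SSA text:
# odd 01-09, then even 10-98, then even 02-08, then odd 11-99.
GROUP_ISSUANCE_ORDER = (
    list(range(1, 10, 2))      # 01, 03, 05, 07, 09
    + list(range(10, 99, 2))   # 10, 12, ..., 98
    + list(range(2, 9, 2))     # 02, 04, 06, 08
    + list(range(11, 100, 2))  # 11, 13, ..., 99
)

# Position of each group number in the issuance sequence (0 = issued first).
GROUP_RANK = {g: i for i, g in enumerate(GROUP_ISSUANCE_ORDER)}

# Accepts AAA-GG-SSSS with or without hyphens.
_SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")


def split_ssn(ssn: str) -> Tuple[int, int, int]:
    """Return (area, group, serial) as ints, or raise ValueError on a bad shape."""
    m = _SSN_RE.match(ssn.strip())
    if m is None:
        raise ValueError("SSN must be nine digits in AAA-GG-SSSS form")
    area, group, serial = m.groups()
    return int(area), int(group), int(serial)


def group_issued_before(g1: int, g2: int) -> bool:
    """True if group number g1 is issued earlier than g2 under the SSA order."""
    return GROUP_RANK[g1] < GROUP_RANK[g2]


def is_structurally_valid(ssn: str, high_group: Optional[int] = None) -> bool:
    """Structural plausibility check for a pre-randomization SSN.

    Rules taken from the quoted text: area numbers 000, 666 and 900-999 are
    never assigned; group numbers run 01-99; serials run 0001-9999. If
    high_group is given (assumed here to be the frozen High Group List entry
    for the area), the group must not lie later in the issuance order than it.
    A True result means only "not obviously malformed", never "belongs to a
    real person".
    """
    try:
        area, group, serial = split_ssn(ssn)
    except ValueError:
        return False
    if area == 0 or area == 666 or area >= 900:
        return False
    if group == 0 or serial == 0:
        return False
    if high_group is not None and GROUP_RANK[group] > GROUP_RANK[high_group]:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample values, not real SSNs.
    print(group_issued_before(98, 11))               # True, as the quoted text states
    print(is_structurally_valid("123-45-6789"))      # True
    print(is_structurally_valid("666-45-6789"))      # False: excluded area number
    print(is_structurally_valid("123-45-6789", 98))  # False: group 45 is issued after 98
```

The ordering table is what makes the High Group List usable as a validator: a group number that sorts later than the area's frozen high group could not have been issued before randomization, which is exactly the check the quoted SSA text says will remain meaningful after June 25, 2011.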
