Virginia’s SSN protection doesn’t particularly protect them.

Waldo Jaquith July 6, 2009 7 Comments

Last week a new law went into effect that exempts the first five digits of social security numbers from FOIA requests. Which strikes me as a good thing. It’s a result of Del. Joe May’s HB2427. But, unfortunately, it looks like that’s not actually helpful. Why? The structure of the SSN makes the first five digits predictable, and thus the least helpful bit to suppress for privacy purposes. The first three digits indicate the geographic region where the applicant lives (probably where the person was born); Virginians’ SSNs start with a number between 223-231. The second two digits are a group number, subsets of each geographic region, that are released in batches over time. Anybody with a sufficiently large list of SSNs and birth dates can correlate each batch of those second two digits with birth dates. The result is that knowing where and when somebody was born allows the first five digits of their SSN to be guessed 44% of the time.

It’s great that Virginia is protecting citizens’ social security numbers, but it looks to me like they’ve protected the wrong half of them. Here’s hoping this gets fixed, and fast.

Published by Waldo Jaquith

Waldo Jaquith (JAKE-with) is an open government technologist who lives near Charlottesville, VA, USA. more » View more posts

7 replies on “Virginia’s SSN protection doesn’t particularly protect them.”

Craig Fifer says:

July 7, 2009 at 1:27 am

As a member of the Virginia Freedom of Information Advisory Council, I’m right in the middle of this debate. It’s a difficult dilemma… on the one hand, nearly any part of the SSN represents a risk to one’s information security these days. On the other hand, failing to provide parts of the SSN with a record can make it nearly impossible for a reporter or a private investigator to ensure that he or she is looking at the correct person’s files. The SSN was never supposed to be a general identification number, but it’s been used that way. What’s worse, it’s been used as a private identification number at the same time. Until our society agrees to use some other number as a public identifier, we’re never going to be able to resolve the SSN tension.
Cathleen says:

July 7, 2009 at 11:36 am

Interesting. Caroline was born in Virginia and her SSN starts with a 6.
Waldo Jaquith says:

July 7, 2009 at 11:44 am

I think all of the 6XX SSNs are reserved for non-geographic assignation. There used to be special groups that would have non-geographic SSNs, like active-duty military families and, oddly, railroad workers. Caroline must be special. :)
KCinDC says:

July 7, 2009 at 11:46 am

The table here isn’t very clear, but it looks like Virginia also has 691-699.
Meri says:

July 7, 2009 at 11:49 am

While on the topic of security and identity theft, do you know if there have been any updates on that medical records “hostage” thingy from a month or two ago?
Craig Fifer says:

July 8, 2009 at 10:47 am

How timely: http://www.cnn.com/2009/TECH/07/07/social.security.numbers/index.html
Garren Shipley says:

July 8, 2009 at 4:02 pm

My 5 month old son Thomas was born in Virginia and he just got a 6XX number, too.

Comments are closed.