Last week a new law went into effect that exempts the first five digits of social security numbers from FOIA requests, which strikes me as a good thing. It’s a result of Del. Joe May’s HB2427. Unfortunately, it looks like that’s not actually helpful.
Why? The structure of the SSN makes the first five digits predictable, and thus the least helpful part to suppress for privacy purposes. The first three digits indicate the geographic region where the applicant lives (probably where the person was born); Virginians’ SSNs start with a number between 223 and 231. The next two digits are a group number: each geographic region is divided into groups, which are released in batches over time. Anybody with a sufficiently large list of SSNs and birth dates can correlate each batch of group numbers with birth dates. The result is that knowing where and when somebody was born allows the first five digits of their SSN to be guessed 44% of the time.
It’s great that Virginia is protecting citizens’ social security numbers, but it looks to me like they’ve protected the wrong half of them. Here’s hoping this gets fixed, and fast.