Before you activate your iPhone, read this!
I was casually cruising the news sites yesterday when I came across a story about porting "ineligible" numbers to AT&T and iPhone. I clicked on the story because I know some of the people who lobbied for and won the rights to treat phone numbers more like personal property you own than corporate property you rent. I was right with the author until he said (without comment or outrage):
On that screen, enter your name, Social Security number, and your current billing information and home telephone.
Say WHAT!?
Apple and AT&T are demanding customers reveal SSNs to activate their iPhones. That should be the lead of every technology and business article written this week. If you don't believe me, read on.
SSN required to activate iPhone!
(Credit: AppleInsider.com)This weekend, 525,000 people, my wife, Amy, included, purchased the Apple iPhone. Those who purchased the phone via the Web, like Amy, were given a place in a virtual waiting line two to four weeks long, with a lengthy "homework assignment" to pass the time. Those who braved the crowds to purchase the phone at retail stores were rewarded with a form of instant gratification--the opportunity to activate their iPhone using an online activation mechanism that requires subscribers to enter a Social Security number (SSN). While Amy was at first disappointed to wait, I've convinced her that she got the far better deal. During this two- to four-week "cooling off period" she at least has some time to consider how best to protect herself from a consumer protection disaster in the making.
It is well known that Apple is a very secretive company. This does not necessarily mean that it handles personal data more responsibly than a very transparent company, it just means that it's very difficult for an average person like me to discover the truth about what it is doing and what it is hiding. But AT&T? The company is a defendant in a class-action lawsuit after a federal judge denied AT&T's motions to have the case dismissed. The case alleges that AT&T gave the NSA "unchecked backdoor access to its communications network and its record databases," violating the law and the privacy of its customers. Whatever the court may find, the AT&T case clearly demonstrates why it is profoundly bad judgment to give a telephone company (or most any other company) sensitive personal identifying information such as one's SSN. Period.
Before writing me off as a privacy kook, consider this testimony from 1992 by the group Computer Professionals for Social Responsibility (CPSR) before the Special Joint Subcommittee Studying State and Commercial Use of Social Security Numbers for Transactional Identification. According to testimony, "[until] 1972, each card issued was emblazoned with the phrase 'Not to be used for ID purposes.'" It cited a report by the U.S. Department of Health, Education, and Welfare that recommended, in unqualified terms, that the SSN not be used as an identifier (bold text in the original document):
We recommend against the adoption of any nationwide, standard, personal identification format, with or without the SSN, that would enhance the likelihood of arbitrary or uncontrolled linkage of records about people, particularly between government or government-supported automated personal data systems.
This advice was not followed, and by 1992 the CPSR reported the dismal facts: "Unfortunately, [the Federal Privacy Act of 1974] has not been effective due to bureaucratic resistance from inside the government, lack of an effective oversight mechanism, and the uncontrolled use of the SSN in the private sector." When states like California, New York, Virginia and others passed legislation in the mid-1990s requiring the collection of an applicant's SSN to issue a driver's license, they effectively flattened 60 years of privacy protection, and they effectively exposed every citizen to a degree of identity risk that was, and remains, unconscionable.
And so what has been the legacy of the government ignoring its own advice and the advice of leading computer experts? Precisely what the CPSR predicted: identity theft is now the most prevalent complaint received by the FTC, and it's America's fastest-growing crime. Unlike a video game that just eats your quarter and says "GAME OVER," a stolen identity can ruin your credit score, drain your bank account, endow you with a lengthy criminal record, or grant you an entry on the no-fly list. More troubling, identity theft can be a one-way ticket to a world in which the bits on some agent's computer screen matter more than your own testimony, a world in which the term habeas corpus is a lexical artifact rather than a constitutional guarantee, a world in which your physical self can be suborned based on what is believed about your virtual self.
On December 18, 2006, Tom Zeller reported "An Ominous Milestone: 100 Million Data Leaks" in the Technology section of The New York Times. The number of confirmed victims is at least 15 million. The cost is estimated at more than $50 billion a year. In health care terms, we have more than 100 million "exposed," 15 million "affected," and a cost of, well, more than $50 billion. How did we get here? And what are we going to do about this virtual epidemic?
Identity theft is not a new crime, but the combination of corporate opportunism and governmental policies designed to amplify rather than mitigate the risks have conspired to create a near-perfect storm. In simple terms, the more of our lives we commit to technology, the larger and more vulnerable a target we make ourselves to technical exploitation, including identity theft. Don't get me wrong: there are some computer-based technologies that allow for far better security than any other methods I know, but security is only as strong as its weakest link, and the more links you involve, especially the more parties you involve, the weaker things get. Conversely, the fewer keys you use, the more dependent you become on the strength of each key. Some keys (like the launch codes for our strategic nuclear missles) are very well-protected indeed. But if a key is weak, or is not particularly well-protected, you don't want to risk much if it fails.
The security records of many companies are dismal. We don't actually know how bad they are, because most companies don't even report breaches to themselves, let alone to the government or their customers. Don't ask, don't tell. But we get a glimpse every now and again, and frankly the best way to protect oneself is to use the least possible personal information to complete a transaction, favoring companies that request less personal information over those who demand too much. (Another approach to minimizing the problem is to merely deny its severity. For example, when the news broke that 26.5 million personal records of the U.S. Department of Veterans Affairs went missing, Avivah Litan, a security analyst for the Gartner Group, argued that the problem was not very serious because "Frankly, veterans don't have a lot of money." Frankly, I don't find that line of reasoning particularly compelling.)
And it gets worse. Individuals who can be victimized by their own data can also become collective victims of those with whom they are associated. As Bruce Schneier wrote for Wired magazine:
Contrary to decades of denials, the U.S. Census Bureau used individual records to round up Japanese-Americans during World War II.
The Census Bureau normally is prohibited by law from revealing data that could be linked to specific individuals; the law exists to encourage people to answer census questions accurately and without fear. And while the Second War Powers Act of 1942 temporarily suspended that protection in order to locate Japanese-Americans, the Census Bureau had maintained that it only provided general information about neighborhoods.
New research proves they were lying.
The whole incident serves as a poignant illustration of one of the thorniest problems of the information age: data collected for one purpose and then used for another, or "data reuse."
It is bad enough that the government might collect data for one (lawful) purpose and then use it for another (nefarious) purpose, but what happens when all data is keyed by a single key, such as a Social Security number (SSN), which itself was never designed for the purpose of personal identification? And what happens when that number is leaked (100 million instances and counting) or stolen (15 million instances and counting)? The opportunities for abuse, both within and outside the system become virtually limitless. (And legislation passed in 2005 has only served to accelerate both the breadth and depth of these opportunities.)
Which is why the iPhone activation mechanism is so troubling, because it compels people in the heat of the moment to do something they should never do if given a moment's thought. Now, I'm sure that it's possible to get a phone activated without giving up one's SSN. I did it with my carrier several years ago by walking the issue up to a VP's desk and posting a $1,000 bond for two years. So it can be done. But should it be so hard? And how are we going to teach our children the importance of protecting personal information when the laws of the state and mainstream corporate behavior make it virtually impossible to do so?
The only solution I can see is that our family will have to dramatically expand the lesson of "you are responsible for you" beyond the basics of verbal and physical conduct. If you have any good references on how to teach your third-grader the ins and outs of identity management and information security, I'd be happy to receive them now. In the meantime, we'll let you know whether we find a way to activate Amy's new iPhone without handing over sensitive personal information to a company that has demonstrated no respect for personal privacy or identifying data.
Michael Tiemann is president of the Open Source Initiative and vice president of open source affairs at Red Hat. He is a member of the CNET Blog Network, and is not an employee of CNET. Disclosure. 
Also Out there is another upcoming story about New Norton AntiVirus 2008, if You want You can check them (or even download one) at:
Security CENTRAL Forum
http://www.SCForum.info
For a credit check, something like a credit card and a driver's license number is sufficient.
"Oh Henny Penny, where are you rushing off to", she inquired.
"I'm off to warn the King, Turky Lurky," Henny Penny answered. "The sky is
FALLING."
"The sky is falling," Turky Lurky asked.
"The SKY is FALLING!" exclaimed Henny Penny.
"OH MY THE SKY IS FALLING!" shouted Turky Lurky. "Let's both go warn the
King."
Have you been living under a Rock ?????
everybody asks for it, but that doesn't mean they should get it. For a credit
check? Again, the SSN should not be used for identification.....but it is. And
identity theft continues.
entered all the data including my social security. To date (fingers crossed) there
has been no problem.
For those interested in the possibility of using a carrier other than AT&T, you might want to give this a read:
http://www.cio-today.com/news/-DVD-Jon--Cracks-iPhone-Activation/story.xhtml?story_id=011000TUEM65
http://www.macnewsworld.com/rsstory/58173.html
check?
credit cards, mortgages, car loans, cell phone contracts, etc
anything that requires a credit check requires your SSN, as this is how the three
main credit reporting agencies differentiate people. plain and simple.
this "public service statement" is a bunch of FUD
ever read on CNet -- and that's saying a lot.
Is this your first cell phone? Has CNet never actually activated any of the
thousands of phones it has reviewed? As others have pointed out, all cell
carriers ask for your SSN in order to complete their credit check. It's shocking
and frankly, offensive that you failed to mention this point.
But what's MOST offensive about this piece of "journalism" is the fact that you
framed it as having something to do with the iPhone. If you think AT&T (or all
cell carriers) shouldn't require a SSN, then write an article about it. But don't
mooch off the iPhone's popularity and use your personal pet peeve about cell
phone activation as another way to feed into CNet's anti-Apple hyperbole
machine.
This article has nothing to do with Apple, the iPhone or AT&T. It only has to
do with the fact that SSNs are required to do credit checks, which is not news,
since everyone -- including you, I'm quite certain -- has been through this
process a million times.
And seriously -- doesn't CNet have a graphic design department you can take
advantage of? That red-marker on a screenshot piece is not doing you any
favors in the please-take-me-seriously department.
after all the comments you received? You should be ashamed of yourself.
PATHETIC.
To those who don't know what I'm talking about:
http://news.com.com/8301-10784_3-9739118-7.html?tag=tb
proccess and quite often AT & T uses SSNs to identify customers calling in about
certain topics (mostly billing related).
Regardless of phones...iPhone, RAZRs, the crappy LG flipphones that are "free".
Whatever. Yeah, its probably a terrible policy but it has nothing to do with the
iPhone specifically. Cnet needs to dial back the sensationalism a few notches.
- Government Paranoia
- by aldenstrad July 6, 2007 10:12 PM PDT
- SSNs are overused - true statement. SSNs are often in credit checks to
- Like this Reply to this comment
-
(19 Comments)establish uniqueness and identity - also true. You do not propose an
alternative, by the way.
The canard about AT&T's cooperation with requests for records information
and call logs is just silly, though. Did it happen? Sure. Is it wrong? Lots of
arguments about that.
Who was the request source, though? Yep, it was the big, bad government.
Think they might already have your SSN? Sure hope so.
So that data leak you were so worried about? Rest easy and activate your
wife's iPhone. It's the least risky thing you've done with your SSN in a while.