Ten Worst Privacy Debacles of All Time

Not a bad list:

10. ChoicePoint data spill
9. VA laptop theft
8. CardSystems hacked
7. Discovery of data on used hard drives for sale
6. Philip Agee’s revenge
5. Amy Boyer’s murder
4. Testing CAPPS II
2. AT&T lets the NSA listen to all phone calls
1. The creation of the Social Security Number

EDITED TO ADD (8/22): Daniel Solove comments.

Posted on August 22, 2006 at 6:19 AM45 Comments


anna August 22, 2006 8:05 AM

The social security number thing is interesting … globally ….
in Finland, if you know anyone’s social security number’s last 4 digits (you’ll know the part before that if you know their birth date and year) you can prove that you are that other person.
As in so many places they ask for those 4 digits as a proof of who you are, e.g. on the phone … so a friend of mine has used her mum to call to the state offices to take care of her issues while she wasn’t living in Finland. As the mum did know those 4 digits, it was always proven that her mum was her, so the issues were always solved correctly, just as if she would have called herself … I don’t even want to think what other uses people have had for the SSN numbers in that country.

Brian August 22, 2006 8:38 AM

I hesitate to start another discussion about the NSA’s access to phone records, but did Wired get the facts wrong in the #2 entry on the list?

My understanding was that
– AT&T had turned over phone records to the NSA. There was (is) warrantless wire-tapping going on, but that did not require the cooperation of AT&T.

  • Initial reports were that all of the telcos except Qwest had turned over phone records, but now several of the other phone companies are claiming they didn’t hand out that data either.

I would have expected both of those issues to be caught by the fact-checkers at Wired, so I’m wondering whether I am misinformed.

Ed T. August 22, 2006 10:18 AM

“I’m sorry, but given that only one of them talks about a murder, that one should definitely be #1, don’t you think?”

Only if you believe that murder is the worst thing that can happen to somebody. Now, while I happen to think that being killed isn’t all that nice a thing, I think there may well be worse things – and having your very identity stolen is among them.


Hullu August 22, 2006 10:38 AM

Also, if you kill a single person is that worse than losing one million identities?

As a single incident happening on a single person – murder is probably among the worst. But that’s not what we’re talking about here.

Jim August 22, 2006 10:40 AM

I was looking at a top 10 list of evil children in the movies. The Children of the Damned went high tech and built a supersonic weapon out of a church organ to battle the government. Maybe the modern Children of the Damned will weaponize their ipods. Maybe they have. I’m not sure. We need a top 10 ipod weapons list.

Kevin S. August 22, 2006 10:45 AM

From #10 Choicepoint:
“….at least $5 million of which goes to the consumers whose lives they ruined.”

lives they ruined seems to be a bit of an overstatement. Has there been a documented case of anyone’s life being RUINED as a result? I’m not saying that its not a potentially very bad situation, but jeez – talk about drama!

Jim August 22, 2006 10:53 AM

Talk about drama. Millions of children form a cult, they all have ipods loaded with Choicepoint data. Lives are ruined, adults sleep in the ipod plant to keep pace with demand. Children take over the global economy and enslave the United States using social security data.

ct August 22, 2006 11:03 AM

The list covers a fairly recent slice of history for representing the worst privacy violations “of all time.”

What about the creation of the Roman Census?

What about slavery?

What about the Nazi’s use of the census to identify and persecute Jews and other minorities?

Jim August 22, 2006 11:22 AM

A friend told me that U.S. census data is manipulated to move federal money around. A census isn’t exact, so the data can be used in corrupt ways. 2+2 can=5. A family can have 2.3 children. The new census will use Microsoft mobile devices from what I have read. Everybody will get a MS # that meshes with their SS #. You will be databased in a corporate government server. You the microserf can be stored, tracked and manipulated for profit and geek fun. This will create huge profits of course.

Jim August 22, 2006 11:25 AM

Drunk. So what, it’s not like I’m on the road going 50 MPH ready to kill a car load of people or something.

Lamby August 22, 2006 11:49 AM

#11: Schneier accidently posts his private diary online, thousands view it and post cryptic comments.

Carlo Graziani August 22, 2006 11:57 AM

I think the “Great Social Security Number Creation Calamity” is a bit of a canard. Many countries have unique identifiers for their citizens, as well as national ID cards, and those citizens’ liberties are not necessarily under threat.

The problem is what the government and private actors do with that unique identifier. SSN is a catastrophe in the US because we have no laws seriously regulating the aggregation and use of personal data by law enforcement and particularly by corporations. Such laws exist in Europe, and as a result there is a widespread view of unique ID for citizens as benign, or at least neutral, from the viewpoint of civil liberty.

Brian August 22, 2006 12:20 PM


I’m inclined to agree. IMHO, the most serious threat to privacy isn’t SSNs, it is corporate data aggregation. I can refuse to give out my SSN to someone, but how do I refuse to give out my personal information when I make a financial transaction more elaborate than buying groceries? Once upon a time, I could have given out my name, address, and phone number to someone and know that they would need to do some serious work to use that data to find out more information about me. Now, they can tap into all kinds of corporate databases and know all about me in a few minutes.

And that doesn’t require any kind of security breach. It’s just how things work.

jim August 22, 2006 12:48 PM

I was wondering about this. “To protect your personal information and prevent identity theft, we cannot issue Social Security numbers or cards online. …”

Some day you might be able to do this online and even change your own SSN. People constantly changing their SSN’s would add randomness. SSN makes use of security by avoiding technology. A typical problem isn’t the number, it’s the fact it is difficult to change. If you get in the witness protection program, it can be changed. Most of us won’t, so we are stuck with the same number. The criminal has some advantages. Government doesn’t want too much public control over things. eVoting machines will use a unique number, so the secret ballot is about shot too. The only people with privacy will be the people working in government (public) jobs. Ironic!

Jim August 22, 2006 1:06 PM

Brian make a good point. It’ all about corp.x and the profit. They’re creating the problem and selling the solution, while killing innovation at every turn. It’s like DRM and your DID is based on what music you download and what your device identifier is. Cell phones are a big privacy debacle that keep evolving. You shouldn’t even need phone numbers by now.

Jim August 22, 2006 1:22 PM

Could Google be called a privacy debacle?After one story about that, Google wouldn’t speak to certain journalists. New ways to communicate, you just can’t say or write certain things or the information elite will boycott your reporters and publications.

Anonymous August 22, 2006 1:29 PM

Google tears down privacy, but it makes a lot of cash doing it, so people don’t care. The masses are worked up into a frenzy about the dreaded SSN. If you want to track a person, use Google, not the SSN. You’ll have more success, plus you can make money selling them back their privacy as they search for help.

Jim August 22, 2006 2:49 PM

Next big thing: Public wifi cameras on every lamp post in the world. It will be free and ad supported of course. You’ll be walking through an Internet commercial on the public sidewalk. The public square will be a corporate network of ads and cameras recording your life. You’ll be able to relive yesterday using Google. Your whole life can be replayed at your funeral and they can even place ads instead of flowers on the casket. The wifi cameras will be taping your hearse all the way to the graveyard. You won’t even have privacy being dead. You won’t need the SSN anymore, so hells bells.

Don August 22, 2006 3:30 PM

The SSN isn’t the debacle. It’s what came after it that’s the debacle:

A) Assuming that because it’s unique it’s also a secret.
B) Assuming that because it used to be more of a secret in a simpler era, it will always be just as secret, regardless of how technology changes.

Those are the security failures associated with SSN’s, not the SSN itself.

Dave Aronson August 22, 2006 4:06 PM

@jmc: “Depending on their religion, they actually do recover from it.”

ITYM, “Depending on their religion, they might claim that they will recover from it.” AFAIK, there have been no proven cases of actually doing so.

Mike Scott August 23, 2006 4:36 AM

They left out “Allowing drivers licenses to be used for purposes other than proving entitlement to drive a vehicle”, which leads to such nonsenses as state DMVs having to issue non-driver IDs.

Giacomo August 23, 2006 7:18 AM

@Dave Aronson:
Buddhist monks actually do “prove” that they are reincarnations of previous “spirits”. Obviously, it all depends of what you mean as “proving”… if it’s “scientifically proving”, then no, we’ll never be able to do that, of course. Science and religion are still two separate things, despite what some extremist $RELIGION sects would like us to believe.

and to make all this post on-topic… what about the recent AOL leak? That’s very bad as well.

Tim B August 23, 2006 8:29 AM

I’d say in order to be a true debacle, the privacy data would actually have to have been used in identity fraud. The VA laptop wasn’t a debacle (fortunately) by that standard. The debacle was in spending another $28MM to react to the loss, which turned out to be a simple theft.

By the way, if folks think the NSA is the only one grabbing you phone data, you are sadly mistaken.

Lizard August 23, 2006 9:53 AM


“Only if you believe that murder is the worst thing that can happen to somebody. Now, while I happen to think that being killed isn’t all that nice a thing, I think there may well be worse things – and having your very identity stolen is among them.”

Hmm, yeah, maybe the temporary inconvenience of having your ID stolen is worse than death, riiiiiight.

Is that argument like: “I’m against capital punishment because a lifetime of suffering in prison is worse for the murderer”? The hassle to regain your life back is worse than losing it in a very real sense?

On the other hand, how many murders have been enabled by the presence of the social security number and subsequent data spillages, etc. Apart from the scene in the movie “The Jerk” when M. Emmet Walsh’s character picks Navin Johnson’s name and address out of the phone book and starts shooting…

Xellos August 23, 2006 11:49 AM

–“The new census will use Microsoft mobile devices from what I have read.”

Yup. They did the test run in Austin, Tx, where I live. Had several of the polsters stop by my place, iPaq (or whatever; don’t recall the brand) in hand, asking for info. They’re even equipped with GPS systems so they can get the coordinates of your house. I told them they better take those from the (public) street, but I doubt they listened.

Given the RFIDs in passports and the repeatedly escalating attempts to create a national ID system, and the Supreme Court’s ever increasing willingness to ignore the fourth and fifth amendments, it’s not hard to foresee a time in the US where everyone will be tracked constantly by their official ID and arrested if they don’t have it. sigh Can’t wait for when the cops can issue you a speeding ticket without even pulling you over, thanks to the integrated RFID reader in the radar/lidar gun.

Felix T. Cat August 23, 2006 1:36 PM

I work for a taxing agency and I can tell you for a fact that the American SSN is definitely not unique.

At one point, we had 4 SSNs on file that were shared by 2 taxpayers each. The SSNs in these cases had been legitimately issued by the Social Security Administration.

I don’t know the current situation (because my opportunity to converse with the responsible programmers during midnight emergencies is gone), but with the current horde of illegal aliens “borrowing” SSNs as a matter of course, I suspect it is much worse than before.

The “solution” to the problem was to append an in-house generated “sequence number” (3 decimal digits) and the first four characters of the surname to guarantee uniqueness.

Whenever our DBAs insist on using combinations of business data fields (including SSN or FEIN) to create “uinique” keys, I point this little historical anomaly out for them. The DBAs also attempted to insist that the SSN is unique because the Social Security Administration claims it to be unique. I suggested they call a retiree who worked on the above “fix” and the discussion abruptly ended. They hate it when this comes up because they always lose the argument before they force the practice. (It’s their database, after all…)

The main problem with the SSN with regard to privacy, was the government’s repeated assurances that it was private. When I was a young man, my Social Security card plainly said it was only to be used by the SSA and that other use for identification was prohibited by law. Such is longer the case, if it ever really was.

Stephan Engberg August 23, 2006 6:10 PM

The real question is not if we should have a SSN, but how we can have many in such a way that government cannot combine the separate compartments of yoyur life, but you get the benefits of structure and others get the benefits of some reasonable level of crime protection.

For instance the credit files in US in my view is an outdated mistake, that we dont need anymore. There is no reason why those that give you credit need to know what the credit is for.

What we – in my analysis – need to do is to move post-single SSN into a structure multi-SSN.
It is discussed here in the section of Denmark who has had a SSN-system with near-total function creap and thight government controls since the 60s.

Engberg August 23, 2006 6:20 PM

Forgot to mention.
Austria has a SSN system in place where you use sector-specific SSN codes.

However since these are derived from a unique number controlled by government and there are no User-Centric Identity Mangement Scheme in operation, the setup us really a single SSN trying to claim multi-SSN status. It is somewhat better, but not much.

This is not much different from the Server-side Single Signon setup claiming privacy without real justification. For instance SAML is filled with privacy claims like this even though the Identity Providers can easily link everything.

From a security perspective these entities are what I like to call single-point-of-trust-failures. THEY might survive a security failure through backup etc., but customers wouldnt – especially not if the attacker is internal or institutional.

Matt D August 24, 2006 5:19 AM

@xellos: “Can’t wait for when the cops can issue you a speeding ticket without even pulling you over, thanks to the integrated RFID reader in the radar/lidar gun.”

Well, that’s pretty much the situation already, really, depending on where you happen to live.

Speed cameras ‘write’ tickets for speeding based on a photograph of the vehicle’s registration plate and the registered owner/keeper of the vehicle. No pulling the vehicle over or anything, just a demand for cash through the mail at a later date.

Consider also the various ‘voluntary’ road taxing / toll collection schemes around the world that use RFID schemes to collect money / levy fines etc.

And then there are the upcoming ‘average speed’ speed traps, which, unlike the GATSOS systems, record the registration/RFID/whatever of all vehicles passing them, not merely the speeders, for forwarding to a second device a mile or two down the road – and, if the system designers so wish, to a central facility for addition to a database.

With systems such as this beginning to come on-line (e.g. here in the UK), RFID is a somewhat marginal issue, as far as vehicle tracking is concerned.

antibozo August 25, 2006 4:40 PM

The problem with SSNs is that they are perceived to be secret, though they never truly have been. And for an increasing population they are no longer perceived that way. As I’ve said many times, the totally obvious solution to the privacy problems associated with SSNs is for Congress to pass a law requiring the publication of everyone’s SSN. This is the most expedient way to dismiss any illusion of secrecy so that the people who use SSN for authentication no longer have any excuse for not actually implementing a secure authentication system.

This is so obvious I don’t understand why it wasn’t done years ago.

real world August 29, 2006 12:00 AM

Look at number two and read James Bamford’s The Puzzle Palace.At the turn of the last century ITT used to give the govt access to all its overseas cables before they were sent along.

steve smith February 20, 2007 5:31 PM

I would sugest that Google should not have out address information if a person asked for it not be given out. But they refuse to do this. How would Brin Sergey dob 8-21-1973 of 1984Latham Street #25 Mountain view, CA 94040 like his info being given out. Hmm I wonder Humm

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.