There has been a buzz today regarding the “Predicting Social Security Numbers from Public Data” study that was released. When I first read the blurb on Wired I noted 2 flaws in this method. Upon reading the paper I notice it only applies to SSNs issued starting in 1988. These are exactly the flaws I noted.
Prior to 1988 the US government did not require an SSN to be issued at birth. Many people were born and did not obtain an SSN until it was needed for some purpose. This causes two issues that create flaws in the method used to predict the SSN:
1. The method discussed in the paper guesses the first 3 digits of the person’s SSN based on the state the person was born in. If at birth you did not have an SSN issued and then you moved, your prefix and state of birth would not match. If you follow me or Digital Ebola on Twitter, you have most likely seen our discussions on the risks of social networks. If you are familiar with my work at Alvarez and Marsal, then you undoubtedly know the privacy issues that can be exploited within social networks. Through data mining and privacy attacks on users of social networks, it could be possible to overcome this problem by obtaining where the user lived from the time of birth through 1988, thus being able to guess the proper prefix.
2. The second issue relates to not having the SSN issued at birth. The researchers attempt to guess the number by going in sequence; they admit this works best with low-birth-rate states. If the person was born in one state, then moved to another, and was issued the SSN in the 2nd, this would throw off the attacker. Again, by exploiting data available on social network sites such as surveys, profiles, and other data sets which discuss where a person grew up, what schools the person attended and where their family lives or has lived, the attacker could narrow back in on the proper location.
So even though there is an inherent flaw, it appears there are methods to overcome those flaws and extend this research past 1988.



