You're told over and over again to keep your Social Security number safe. Don't give it out unnecessarily. Don't keep it in your wallet. Don't use some of its digits as the PIN for your ATM card.
That's sound advice, but all it does is keep a bad situation from getting worse. Social Security numbers (SSNs) are in wide circulation today. The Internet speeds up access, but your privacy was cracked even before the Web.
"The SSN horse has been out of the barn for a long time now, but we've only just noticed," says David Medine, the Federal Trade Commission's associate director for financial practice. "We need a new way of identifying people."
Believe it or not, it's legal for private firms to sell, or reveal, Social Security numbers. When Congress passed the Privacy Act of 1974, it restricted the government's use of SSNs but left the private sector free to use them at will.
Until two years ago, anyone could buy SSNs over the Web. Finally, Congress and the FTC prodded the database industry into limiting public access.
The limitation agreement covers the 14 members of the Individual Reference Services Group, which includes the three major credit bureaus as well as the largest compilers of public records and other personal databases.
But, although they cut out general public access, these companies still sell your SSN (or part of it) to commercial firms of all kinds: private detectives, lawyers, banks, insurers, firms granting credit, debt collectors, phone companies, hospitals, insurers, law-enforcement agencies, employers.
Inevitably, some of the people with access will be dishonest or malicious -- taking SSNs and other personal data for illegal purposes.
In many cases, Social Security numbers are open to public view. In his new book, "Database Nation" (O'Reilly, $24.95), Simson Garfinkel lists about two dozen ways that SSNs are used as general identifiers.
For example, your Medicare number is your SSN. It may also appear on your driver's license, marriage license, blood-donor card, your children's birth certificates and any application for government benefits.
Public records are one of the ways commercial databases get your number. The other way is from credit bureaus.
In the early 1990s, the FTC went after the three major credit bureaus for selling your credit information for "nonpermissible purposes," such as direct marketing. The FTC said that violated the Fair Credit Reporting Act. Equifax quit voluntarily. Experian (then TRW) negotiated a written agreement on what it could and couldn't sell.
The deal allows bureaus to sell your name, address, date of birth and SSN, but no other credit information that can be tied to you, personally. For example, they can't sell the names of people with high credit limits on their bank cards.
The third credit bureau, Trans Union, refused a deal, and has been fighting the FTC, in and out of court, since 1992. Recently, the FTC ordered it to stop selling personal credit information, including your age, for marketing purposes. Trans Union will appeal.
The FTC staff had hoped that the commission would limit the sale of Social Security numbers, too, but that didn't happen. "The SSN issue is getting hotter because it's the key to identity theft," Medine told my associate, Dori Perrucci.
Armed with your name and SSN, someone can pretend to be you and apply for a credit card, using a different address. By the time you find out, your record will be tarred with unpaid bills. It can take years of frustration and expense to get your good name back.
Attorney and reader Francis J. Menton Jr. of Willkie Farr & Gallagher in New York got interested in safeguarding his own SSN after three acquaintances had their identities stolen. As it turns out, there's no way to maintain your privacy.
Credit bureaus say you can't opt out of databases used by organizations with a legitimate need for the information (banks, insurers, employers and law-enforcement agencies, among others). The databases themselves won't expunge your SSN or any other information. The Social Security Administration won't change your number, except in extraordinary circumstances.
Menton checked my file for me, at a database service called Database Technologies, in Boca Raton, Fla. It contained not only my SSN but also those of two of my kids, my son-in-law and the people who bought our old house, along with their addresses and other information. All can be legally disclosed, if it comes from public records, Medine says. And there's nothing you can do.