Why You Should Never Email a Social Security Number
Tax season is officially in the rear view, which means most of us are breathing a sigh of relief. But some of us remain anxious. It’s not about the chance of being audited (which is small, though terrifying), but rather about the fear that we’ll have our identity stolen.
If you’re self-employed—whether an Uber driver, an Etsy artist, or something less 21st century (like a freelance journalist)—the companies that pay you are legally required to provide a 1099 to help you prepare your taxes. And with the explosion of the “sharing economy,” more people are getting these documents instead of W-2s, the tax form reserved for employees. Companies physically mail out 1099s, but because mistakes happen, tax deadlines are immovable, and the Internet is so convenient, some finance departments email these forms out instead.
And often, they email these tax forms out unencrypted, even though doing so is reckless. That’s because these documents carry sensitive data like Social Security numbers and email is a prime target for hackers looking for identities to steal.
Get Data Sheet, Fortune’s technology newsletter.
If you don’t think this could happen to you, consider this. Over the past six years, more than a half-dozen people have emailed me unencrypted financial forms containing personally identifying information. One company—a multi-million dollar, major American brand—even did it twice.
“Social security numbers are more susceptible and more valuable than ever,” says Rob Douglas, a security consultant who specializes in identity theft and scams. Douglas first testified before Congress about protecting personally identifying information in 1998. Since then, just about the only thing that has changed is how easy it has become for fraudsters to snatch our sensitive digits.
From the massive degree of identity theft linked to the Office of Personnel Management hack to the billions lost in tax refund fraud, it’s clear that there are a lot of things bad guys can do with your Social Security number. “Criminals love this crime, because it is a crime that pays, and there’s so little prosecutor interest,” says Douglas. For instance, the San Diego police won’t even look at an identity theft case unless there’s at least $40,000 involved, he says, because there are so many of them. Imagine having that amount lifted from your bank account today and not finding anyone willing to help you tomorrow.
So naturally you would assume it’s illegal to treat someone’s vital information so carelessly, right? Wrong. Though the Social Security number is a federal identifier, states have authority over how they’re handled, which means the protocols vary. Currently just 12 states restrict the physical mailing of Social Security numbers, but no states ban emailing them. Again: It’s completely legal to put someone’s Social Security number in an email.
That’s a problem. While we may feel like email is safe, and while providers like Apple, Google, and Microsoft have made it so that notes sent and received from addresses within their domain (gmail.com, for instance) are secure, once a message starts traversing the open web, all bets are off.
Over 21 Million Americans Affected in Massive Federal Data Breach
When emails are sent, they typically move from the software on the sending computer to servers called mail transfer agents. They will likely go through several of these nodes until they reach their recipient. Between these relays, emails are encrypted, but when they hit a server, they are unencrypted, read, and then re-encrypted before being sent along to the next node. Milton Mueller, professor of public policy at the Georgia Institute of Technology, warns this process could be “imperfect” in terms of security. “The content of the messages is revealed to, and can be altered by, intermediate email relays,” he says.
Mueller says the problem is that the email nodes are independently managed, so one node’s encryption policy might be slightly incompatible with that of another. And some nodes may even be compromised, allowing hackers to access all the information flowing through them.
Still, you can protect your data by encrypting files containing private info. Most recently, with that major American brand, I requested that they do this. To my amazement, not only did a financial professional at this Fortune 500 company not know how to encrypt a PDF file, but neither did its tech team. (It’s as simple as checking a box.) “People who should know how to do encryption—particularly when it comes to sensitive financial information—it’s not that they don’t know how to do it, it’s not even in their protocol,” says Douglas. “It’s mind-blowing that we haven’t wrapped our minds around this issue.”
I told this company exactly how to encrypt my file, and yet it was still sent unprotected. What will it take to actually make people respect others’ private data and handle it responsibly, like they would with their own sensitive information? Douglas says it requires financial professionals to stop looking at these vitals as minutia, as just numbers on a page, and instead see them for what they are: a person’s financial identity.
But that’s unlikely to make a big enough difference. Instead, Douglas believes that the only thing that will change the nonchalant way people handle Social Security numbers via email or on paper would be “a tragedy of such a nature of physical harm to some people that it shocks the nation’s conscience.”
For instance, on Oct. 15, 1999, 20-year-old Amy Boyer was murdered in front of her apartment by Liam Youens, a stalker who found Boyer’s address after buying her Social Security number from a website. He shot her multiple times before turning the gun on himself. In the outrage that followed, “Amy Boyer’s Law” was presented to prevent the display or sale of anyone’s Social Security number. The law never passed, so the conscience-kick Douglas referenced has yet to come.
And despite my Social Security number parading around the Internet like a color guard, I have not fallen victim to identity theft or any other fraud. It’s my hope that I’m in the clear, but Douglas isn’t as optimistic. “I have no doubt that your [Social Security number] is out there,” he says. “Statistically, multiple times over.”