as a former victim of ID theft several years ago I should've been more careful but...here is the deal...
I am on vacation now in the boonies. A few days ago I interviewed by phone and got a job starting when I return, which is great right! so... this recruiter has been pressuring me to start the paperwork asap, and needed my full SS. Tried calling him to see if I could do it over the phone but just couldn't reach him. The weather also has been very severe here so that makes it difficult to go to a booth and make calls, the phones are also in and out etc. As luck would have it the only fax machine I found in this little town is out of order
the only thing functional was my internet connection and since I will be gone on a trek for an entire week, the guy needed the info before and not knowing if my net is also going to go offline I just emailed the SS to him...arrgg
As a computer guy I know exactly who gets to see this data and I also know that it is probably going to be archived as part of some server backup but I also know that the risk is very small compared to other ways SSNs are compromised. For instance, MAIL is one of the problems...usually chock full of account numbers, SSNs, credit cards and everything else imaginable that anyone who can pick a lock has access to! This is how my ID was stolen the last time, through regular mail.
here is the interesting thing... once you give your SSN to a 3rd party (especially smaller places like mortgage brokerages, car dealerships etc.) there is no way to know how that data is held. There is nothing stopping them from exchanging the number with their partners for legitimate purposes by plain old insecure email and from what I've heard this is quite common.
The whole system is broken because just using very public pieces of readily available information (Name, SSN, DOB, DL# etc.) one can pretty much obtain mortgages, lines of credit etc. which is just insane. And because the SSN is not something that is uniquely private to you (since you share it with other people you do business with) it really cannot and should never be used by itself to authenticate a transaction.
I read a good article about separation of identification and authentication... the SSN currently plays both roles while it should only play the role of identification. Authentication should always be private and never revealed to anyone. To participate in any legally binding and enforceable contract identification should be followed by private authentication.
The authentication system that ties into the SSN system does not exist yet...but it's about time that it be created since ID thieves are having a field day!
Please do not e-mail my social security number - Jesper's Blog
HowStuffWorks "SSN Problems"