Yesterday I received an email which is tantamount to murder. One of the end points which Mass Address has to use in the identity authentication process is the Social Security Administration(SSA). If a company wishes to validate a citizens social security number with the SSA, the citizen must fill out a form and this form must be retained by the company for auditing purposes.
That’s not the problem. We can automate and digitize this process with e-signature. The problem is we are REQUIRED to retain these forms in the event the SSA wants to audit our records. That is where we run into a major problem. You see, Mass Address is 100% private, end to end. All of our architecture is designed for maximum protection of a citizens identity in the event of an exploitation event.
Storing these forms completely destroys our terms of service and privacy policy. Mass Address cannot work if we are required to store these forms in a database. Here is how the conversation went between me and the SSA.
MY INITIAL EMAIL
Good Day,
    We currently building a private change of address service for US Citizens. This platform runs on decentralized identity. It is 100% private end to end. The problem we are facing is your requirements for audits and the form SSA-89. We can code a solution to where the citizen digitally fills out the form and signs it. THE PROBLEM is when that form is generated. It cannot be stored on our servers because the aggregated Pii violates our terms of service and the integrity of the users privacy.
We could save the form across our decentralized architecture but there would be no way for our company to retrieve it. Let me clarify. If SSA came to us and asked to see physical and/or digital copies of the SSA-89's for the citizens who digitally submitted the CBSV, it absolutely impossible for us to retrieve those records. You would have to contact the citizen and they would have to send you that information. All of these records can be generated from their singularity.
How do we do this? We cannot aggregate a citizens personally identifiable information in a centralized location. Please advise.
SSA RESPONSE
It is a requirement that the SSA-89 be retained by the company and is a violation of the CBSV User Agreement and subjects the company to suspension or possible termination for such a violation.
Rhonda D. Hooks, Program Analyst
SSA, ORDP, ODEPPIN,ODXIA
State and Private Industry Agreements Branch
MY RESPONSE
Who has the authority to change this requirement? There is literally no way American's can have true privacy without this requirement being modified and/or eliminated.
SSA RESPONSE
No response
I then used my OSINT skills to track down the individual responsible for possibly making the decision to modify the SSA-89. I sent this individual an email. If I do not get a response, I must escalate the situation. I will start making calls until I find out who has the authority to modify the SSA-89. I will testify before Congress if I have to. Please understand. Identity privacy is absolutely impossible if the Federal Government requires an SSA-89 to be retained on a database.
Technology is easy. Privacy is easy. The state and/or Federal Government is a train on fire while passing through Chernobyl. It is absolutely lethal in terms of privacy. This is an uphill battle. Not even encryption can protect your identity if it is stored in a centralized location. It must be decentralized.