Congress adopted those recommendations the following year through passage of the Privacy Act, P.L. 93-579, 88 Stat. 1896, (1974). See S. Rep.No. 1183, 93d Cong., 2d Sess. reprinted in 1974 U.S. Code Cong. & Admin. News 6916, 6944-46 (citing HEW Report). The Privacy Act makes clear that Congress gave special recognition to the need to control the proliferation and misuse of the SSN. Section 7 makes it unlawful for any agency to deny any right, benefit or privilege to any individual "because of such individual's refusal to disclose his social security account number." It further provides that any agency requesting an individual to disclose his or her SSN must "inform that individual whether that disclosure is mandatory or voluntary, by what statutory or other authority such number is solicited, and what uses will be made of it." P.L. 93-579, Sec. 7, 88 Stat. 1896, 1909 (1974), reprinted in 5 U.S.C. Sec. 552a note (1982).

In Section 3 of the Act, Congress provided that

[n]o agency shall disclose any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains, unless the disclosure would be [in compliance with several specified exceptions not applicable here].

any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to his education, financial transactions, medical history, and criminal or employment history and that contains his name, or the identifying number, symbol, or other identifying particular assigned to the individual ....

In enacting these protections, Congress sought to prevent the privacy violations made possible by the proliferation of the SSN.

Citizens' complaints to Congress and the findings of several expert study groups have illustrated a common belief that a threat to individual privacy and confidentiality of information is posed by [expanding use of the SSN]. The concern goes both to the development of one common number to label a person throughout society and to the fact that the symbol most in demand is the Social Security number, the key to one government dossier.

* * *

A cross-section of such complaints appearing in the subcommittee hearings shows that people are pressured in the private sector to surrender their numbers in order to get telephones, to check out books in university libraries, to get checks cashed, to vote, to obtain drivers' licenses, to be considered for bank loans, and many other benefits, rights or privileges.

S. Rep. No. 1183, 93d Cong., 2d Sess., reprinted in 1974 U.S. Code Cong. & Admin. News 6916, 6944.

Amicus believes that the SSN privacy concerns Congress addressed in 1974 have even greater force today. Computerization of public and private sector databases, combined with insufficient attention to privacy protection, has increased the incidence of misuse of the SSN. As a congressional oversight committee recently noted,

[t]he extensive use of computers has resulted in the wide-spread private sector use of the social security number as an identifier. Many merchants require a customer to provide a social security number as a condition of doing business. Credit bureaus use the social security number to maintain individual credit files and routinely sell this information to almost anyone who requests it. The ability of the private sector to gather information such as credit history, grocery store purchases, medical records (including pre-natal information), family medical histories and genetic makeup has raised fears that in the near future unregulated companies will serve as national identity bureaus collecting and dispersing an individual's most private information.

Amicus' opposition to the misuse of the SSN is also shared by the Social Security Administration. As Gwendolyn S. King, Commissioner of Social Security, testified before the subcommittee,

[the Social Security Administration] and the Congress have historically had fundamental concerns about the possibility that the SSN might become a universal identifier in this country. These concerns center on questions of individual privacy and the increased possibility of the invasion of that privacy if all records pertaining to an individual could be accessed under one number. ...

The need for a unique number for individual records in computer systems means that use of the SSN is likely to continue to expand in the years ahead. While the Social Security Administration is not, and we believe should not be, responsible for use of the SSN in the private sector, we have a deep concern that individuals not be harmed through carelessness in the use of the SSN.

B. Disclosures of the SSN Jeopardize the Confidentiality of Personal Information

Concerns over the proliferation of single personal identifiers -- both in the United States and abroad -- are well- founded. Given the misuse of the SSN in the United States, access to the number provides a window into the activities and lifestyle of any person. Social Security Commissioner King recognized this in her congressional testimony. "An individual's Social Security number is the key to accessing a variety of information about that individual. That fact has shaped [the Social Security Administration's] current policy [of not disclosing SSNs without the individual's consent]." Use of SSN at 22.

The unnecessary disclosure of an individual's SSN creates the risk of confidential information being disclosed to any person or institution in possession of the individual's SSN. Because so much information is now retrievable by a person in possession of the SSN, the risk that personal information can be unlawfully obtained has greatly increased.

This problem of aggregated personal information was well stated by Congressman Frank Horton who said more than twenty-five years ago:

One of the most practical of our present safeguards of privacy is the fragmented nature of personal information. It is scattered in little bits across the geography and years of our life. Retrieval is impractical and often impossible. A central data bank removes completely this safeguard.

The Computer and the Invasion of Privacy: Hearings before the Special Subcommittee on Invasion of Privacy of the House Committee on Government Operations, 89th Cong., 2d Sess. 6 (1966).

In practice, the use of the SSN for purposes unrelated to the needs of the Social Security Administration has greatly diminished the "fragmented nature of personal information," as Congressman Horton warned against and Congress sought to prohibit through the passage of the Privacy Act of 1974. The SSN, once disclosed, is the key to that vast repository of personal information. As the Supreme Court recognizes, "the power of compilations [such as those accessible through an SSN] to affect personal privacy" mandates that the courts be particularly vigilant in protecting the security of aggregated personal information.

Recent news stories illustrate the threat to personal privacy created by the indiscriminate disclosure of an individual's SSN. According to the Wall Street Journal, Fidelity Investment offers a toll-free telephone service that -- upon entry of a Social Security number -- provides an audio summary of a customer's investment portfolio. The system, which does not use a single- purpose, personal identification number ("PIN") [10] to verify a caller's identity, permits anyone knowing the SSN of any Fidelity customer to access that individual's confidential account information. Clements, "Finding Out How Your Neighbor Invests is a Free Phone Call Away," Wall Street Journal, February 4, 1991, page C1.

The Boston Globe has reported that there are more than 300 cases of fraud involving SSNs each year in Massachusetts. "Authorities say that, with another person's Social Security number, a thief can apply to obtain that person's welfare benefits, Social Security benefits, credit cards or even the victim's paycheck." Neuffer, "Victims Urge Crackdown on Identity Theft," The Boston Globe, July 9, 1991. In California, reported cases of SSN fraud increased from 390 cases in 1988 to an estimated 800 cases in 1991. Anwar, "Thieves Hit Social Security Numbers: Fouled Up Benefits and Credit," San Francisco Chronicle, August 30, 1991, page 1.

The recent congressional testimony of the Deputy Inspector General of the Department of Health and Human Services provides additional evidence.

The SSN is a critical element of identification used in nearly every sector of American society. As such, it has been targeted for abuse in a wide variety of criminal activities. The SSN can be used to obtain Social Security or other government benefits, driver's licenses, credit cards, and passports. We often see persons who commit a wide range of credit fraud and other crimes using false SSNs to conceal their true identity. ...

* * *

Of the 1,066 criminal convictions the [Office of Inspector General] obtained in fiscal year 1991 relating to fraud in Social Security programs, 590 involved unlawful use of SSNs.

The HEW advisory committee recognized the problem in 1973, noting that "[a]s long as the SSN of an individual can be easily obtained ... , both individuals and the organizations that use it as a password are vulnerable to whatever harm may result from impersonation." HEW Report at 132.

"A further problem with the use of the SSN as an identifier is that it makes it hard to control access to personal information." C. Hibbert, What to do When They Ask for Your Social Security Number (1992) at 3.

Even assuming you want someone to be able to find out some things about you, there's no reason to believe that you want to make all records concerning yourself available. When multiple record systems are all keyed by the same identifier ... it becomes difficult to allow someone access to some of the information about a person while restricting them to certain topics.

The Court should regard the disclosure of the SSN as a critical problem of public safety and information privacy. The number is akin to the combination of a safe containing an individual's most intimate possessions. Sensible information practices would mandate that the use of the number be carefully controlled. The non-consensual disclosure of an SSN is tantamount to the disclosure of highly personal information.

C. The Need to Restrict the Use of Personal Identification Numbers is Widely Recognized in Other Countries

The particular privacy problem of multi-use identification numbers, such as the SSN, is not unique to the United States. In Canada, "the abuse of the Social Insurance Number is the only privacy issue that has regularly commanded the attention of members of the House of Commons in the last twenty years." D. Flaherty, Protecting Privacy in Surveillance Societies 281 (1989). The Canadian government has taken steps to prevent the Social Insurance Number from becoming a universal personal identifier; a separate employee identifier is being introduced for federal employees, and the matching of computer files is being reduced.[11]

In France, the memory that identification numbers on government records were used to round up Jews during the Nazi occupation has played an important role in the efforts to restrict the use of such numbers. At a meeting of European data protection commissioners in 1980, France's National Commission on Informatics and Freedoms prevented the development of international identity cards, the use of personal identification numbers, and the assignment of a new unique number to each recipient. Its solution was to attach a number to the card and not the person, so that if a card was lost, the individual received a new number. D. Flaherty, Protecting Privacy in Surveillance Societies 227 (1989). The use of the card became a matter of national debate in 1981. In an election statement on informatics, Francois Mitterand stated that "the creation of computerized identity cards contain a real danger for the liberty of individuals." Id.

Today, as the Europeans consider the development of a continent-wide standard for data protection, controlling the possible misuse of unique identifiers remains a central concern. Portugal's new constitution forbids the interconnection of files save in exceptional cases, and it is clear that "citizens shall not be given all purpose national identification numbers." Greece has instituted a system of national identity numbers for certain public sector data files, but the linkage of these files is forbidden by law. In Australia, the Privacy Act of 1988 forbids the use of the tax file number as a national identification system by "whatever means." M. Spencer, 1992 And All That: Civil Liberties in the Balance 60 (1990).

---

II. The Courts have Recognized that Disclosure of an SSN Violates Personal Privacy Rights

In cases decided under the Freedom of Information Act ("FOIA"), 5 U.S.C. Sec. 552, the courts have held that disclosure of SSNs is precluded by Exemption 6 of the FOIA, which restricts the release of "personnel and medical files and similar files the disclosure of which would constitute a clearly unwarranted invasion of personal privacy." Id. Sec. 552(b)(6). See, e.g., Painting and Drywall Work Preservation Fund, Inc. v. Department of Housing and Urban Development, 936 F.2d 1300 (D.C. Cir. 1991); Local 3, IBEW v. Nat'l Labor Relations Board, 845 F.2d 1177 (2d Cir. 1988); Oliva v. United States, 756 F. Supp. 105 (E.D.N.Y. 1991); Aronson v. Internal Revenue Service, 767 F. Supp. 378 (D. Mass. 1991); Painting Industry of Hawaii Market Recovery Fund v. Department of the Air Force, 751 F. Supp. 1410 (D. Hawaii 1990).[12]

In IBEW Local No. 5, a union sought the release of, inter alia, the SSNs of non-union employees working for a federal contractor.[13] The Third Circuit began its analysis by noting that "there is a presumption in favor of disclosure" in FOIA cases. 852 F.2d at 89.[14] Nonetheless, the court found that "the disclosure of the Social Security numbers would constitute a clearly unwarranted invasion of privacy and is therefore barred by Exemption 6." Id. The court looked to the congressional policy embodied in the Privacy Act.

The employees have a strong privacy interest in their Social Security numbers. Congress has recognized this privacy interest by making unlawful any denial of a right, benefit, or privilege by a government agency because of an individual's refusal to disclose his Social Security number. Moreover, in its report supporting the adoption of this provision, the Senate Committee stated that the extensive use of Social Security numbers as universal identifiers in both the public and private sectors is "one of the most serious manifestations of privacy concerns in the Nation."

Having recognized an individual's "strong privacy interest" in his or her SSN, the Third Circuit cited the risk that the SSN, if disclosed, could be misused and noted that "once a number is public knowledge, it could wind up in anyone's hands." Id. (emphasis added). Likewise, this Court has recognized the harm that would flow from the FOIA disclosure of federal employees' home addresses:

[e]mployees have a strong privacy interest in their home addresses. Disclosure could subject the employees to an unchecked barrage of mailings and perhaps personal solicitations, for no effective restraints could be placed on the range of uses to which the information, once revealed, might be put.

Once an SSN "wind[s] up in anyone's hands," the potential privacy ramifications are substantial. While the disclosure of this multi-use identifier might not cause immediate harm to the individual, it is the subsequent use that might be made of the SSN that is determinative. As the D.C. Circuit emphasized in protecting the names and addresses of federal annuitants from disclosure under FOIA,

[i]n virtually every case in which a privacy concern is implicated, someone must take steps after the initial disclosure in order to bring about the untoward effect. Disclosure does not, literally by itself, constitute a harm .... Where there is a substantial probability that disclosure will cause an interference with personal privacy, it matters not that there may be two or three links in the causal chain.

The judicial authority recognizing an individual's privacy interest in the confidentiality of his or her SSN -- and in the information to which the SSN is a key -- provides strong policy arguments against the practice challenged here. And, as amicus has shown, the potential for injury is not hypothetical. Instances of fraud and invasion of privacy have increased markedly as non-essential uses of the SSN have proliferated. In recognition of this potential harm, the Court should scrutinize closely any claim that the collection and dissemination of the SSN is necessary to advance a compelling state interest. See, e.g., Norman v. Reed, 112 S. Ct. 698, 705 (1992); Anderson v. Celebrezze, 460 U.S. 780, 789 (1983).

---

III. The Collection and Dissemination of the SSN for Election Purposes is Unnecessary and Serves no Significant State Interest

Every day, organizations and institutions make decisions about the design of their records systems and whether the use of the SSN is necessary or appropriate. While some entities do opt to use the SSN, many other organizations avoid the SSN and develop their own, oftentimes more accurate, numbering schemes.[15] Similarly at the state level, some states have placed an unnecessary reliance on the SSN while others have developed better, less intrusive policies.[16] Single-purpose identification cards without universal identifiers can actually enhance personal privacy by restricting the extent of a person's identity that must be disclosed to interact with a large institution. Library cards and driver's licenses are examples of such limited purpose cards.[17]

The practices of other states demonstrate that voter registration systems can, indeed, be administered without resort to the SSN. According to a report compiled by the Federal Election Commission ("FEC"), the nation's five most populous states -- California, New York, Texas, Florida and Pennsylvania -- do not require their citizens to provide SSNs when registering to vote. Federal Election Commission, National Clearinghouse on Election Administration, Technical Report 2 (February 1992). If California, with 14 million registered voters (according to the FEC) can administer its registration system without requiring the SSN, it is difficult to fathom why Virginia, with 2.9 million voters, cannot do the same.[18]

Aside from the question of Virginia collecting the SSN, there remains the issue of the state disclosing it. While the state might claim a marginal interest of "administrative convenience" in support of the collection of the SSN, but see Harman v. Forsenius, 380 U.S. 528, 542 (1965), there is no articulable justification for the disclosure of the number. In the face of the obvious and proven harm inherent in the disclosure of an individual's SSN, Virginia's reckless and unnecessary policy cannot be sustained.

---

CONCLUSION

Respectfully submitted,

MARC ROTENBERG
DAVID L. SOBEL

Computer Professionals for Social Responsibility
666 Pennsylvania Avenue, S.E.
Suite 303
Washington, DC 20003
(202) 544-9240

June 30, 1992 Counsel for Amicus

FOOTNOTES

2 The Association for Computing Machinery ("ACM") Code of Professional Conduct states that:

Ethical Considerations:

EC5.1 An ACM member should consider the health, privacy, and general welfare of the public in the performance of his work.

EC5.2 An ACM member, whenever dealing with data concerning individuals, shall always consider the principle of individual privacy and seek the following:

To minimize the data collected;

To limit authorized access to the data;

To provide proper security for the data;

To determine the required retention period of the data;

To ensure proper disposal of the data.

"In Recognition of My Obligation to Society I Shall: Protect the privacy and confidentiality of all information entrusted to me"

1.2 Protection of Privacy

Information Technology Professionals have a fundamental respect for the privacy and integrity of individuals, groups, and organizations. They are also aware that computerized invasion of privacy, without informed authorization and consent, is a major, continuing threat for potential abuse of individuals, groups, and populations. Public trust in informatics is contingent upon vigilant protection of established cultural and ethical norms of information privacy.

20 Computers & Society 36 (March 1990) (emphasis added).

3 The Association for Computing Machinery, for instance, passed the following resolution in 1974:

The Council of the ACM states its concern over the absence of legislative safeguards against the misuse of universal identifiers, including the Social Security Number, and urges the prompt generation and passage of such legislation.

Subsequent reports by the Office of Technology Assessment have often relied heavily on computer scientists to assess the privacy risks on automated information systems. See, e.g., Defending Secrets, Sharing Data: New Locks and Keys for Electronic Information (1987). See also National Research Council, Computers At Risk: Safe Computing In the Information Age (1991).

5 See, e.g., Rein Turn, "Information Privacy Issues for the 1990s," 1990 IEEE Symposium on Security and Privacy 395.

6 See, e.g., "Protecting the Privacy of Social Security Numbers and Records," the Subcommittee on Social Security and Family Policy, Committee on Finance, U.S. Senate, February 28, 1992;Use of Social Security Number as a National Identifier: Hearing Before the Subcommittee on Social Security, House Committee on Ways and Means, 102d Cong., 1st Sess. (February 27, 1991) (testimony of Marc Rotenberg, Director, CPSR Washington Office).

7 See, e.g., Ingerman v. Internal Revenue Service, et al., No. 91-5467 (3d Cir.) (amicus brief of CPSR).

8 While the Court's analysis of Fourth Amendment claims under the Katz test has raised substantial questions about the impact of technological change upon "the reasonable expectation of privacy," see, e.g., Rakas v. Illinois, 439 U.S. 128, 431 n. 12 (1978); see also Amsterdam, Perspectives on the Fourth Amendment, 56 Minn. L. Rev. 349 (1974), where Congress has sought explicitly through statutory authority to regulate an information practice, the privacy protection must be broadly construed.

9 Likewise, considerations of bureaucratic convenience will not sustain unwarranted barriers to the exercise of voting rights -- the issue that is central to this case. As the Supreme Court has held, "constitutional deprivations may not be justified by some remote administrative benefit to the State." Harman v. Forsenius, 380 U.S. 528, 542 (1965).

10 Personal identification numbers ("PINs") refer to any identity number associated with a card. In the United States, an individual may have many PINs: a bank ATM card, a telephone charge card, a workplace access card. In other countries such as Sweden and Australia, the term "PIN" is often used to refer to a universal tax number, similar to the SSN in the United States, and therefore raises much of the same concern as the SSN.

11 Privacy Laws & Business, February 1989, at 4, quoted in M. Spencer, 1992 And All That: Civil Liberties in the Balance 60 (1990). See also Access Reports, July 11, 1990, at 6.

12 Amicus' research has uncovered no case in which a court has authorized disclosure of SSNs under the FOIA.

13 In that case, the Union sought payroll records from the United States Department of Housing and Urban Development ("HUD"). HUD released the payroll records, including the employees' work classification, hours worked, rates of pay, and gross and net pay levels. However, HUD withheld the employees' names, home addresses, and Social Security numbers.

14 The Third Circuit held in IBEW Local No. 5 that the disclosure of the names and addresses of the employees would not constitute an unwarranted invasion of privacy. 852 F.2d at 92. Although this Court has not had occasion to consider the withholding of SSNs under FOIA, it has long held that disclosure of the addresses of federal employees under FOIA would constitute an unwarranted invasion of privacy. American Federation of Gov't Employees v. United States, 712 F.2d 931 (4th Cir. 1983).

15 From a technical viewpoint, the SSN is a poorly designed numbering scheme for personal identification. It lacks a "check sum digit," i.e., a procedure for determining the facial validity of the number.

16 For instance, the Maryland Motor Vehicle Administration announced earlier this year that it will no longer require applicants to divulge their SSN when obtaining or renewing driver's licenses. Nor does Maryland print the SSN on its licenses. "Md. Forgets the Number," Washington Post, February 27, 1992, at C6.

17 Computer scientists have developed new verification and identification methods that protect security and privacy for individuals while providing businesses and government agencies with the information they need for commercial transactions and user authentication. See, e.g., Chaum, "Security Without Identification: Transaction Systems to Make Big Brother Obsolete," Communications of the ACM (October 1985).

18 According to the FEC, voter registration figures for the 1988 presidential election in the other large states which do not require SSNs were as follows: New York, 8.6 million; Texas, 8.2 million; Florida, 6 million; and Pennsylvania, 5.9 million. Federal Election Commission, National Clearinghouse on Election Administration, Technical Report 1 (February 1992).

Return to SSN Legal Links.

Return to the CPSR home page.

Send mail to SSN webmaster.