************************************************************************
* Document from the CPSR Privacy/Information Archive *
* Copyright 1992, Computer Professionals for Social Responsibility *
* *
* Ftp/Gopher/WAIS: cpsr.org email: listserv @ cpsr.org "help" *
* For more information contact: cpsr@csli.stanford.edu 415-322-3778 *
************************************************************************


Protecting the Privacy of Social Security Numbers and Records

Marc Rotenberg,
Director, CPSR Washington Office,
Chairman, ACM Committee on Scientific Freedom and Human Rights

Subcommittee on Social Security and Family Policy,Committee on Finance,
United States Senate

February 28, 1992

CPSR Washington Office
666 Pennsylvania Ave., SE, Suite 303
Washington, DC 20003
202/544-9240 (Tel) 202/547-5481 (Fax)
Email: rotenberg @ washofc.cpsr.org



Mr. Chairman, members of the Subcommittee, thank you for
the opportunity to testify today on privacy protection for
social security records and the special problems of the
Social Security Number (SSN). My name is Marc Rotenberg and
I am the director of the Washington Office of Computer
Professionals for Social Responsibility (CPSR). I am also
the chairman of the Scientific Freedom and Human Rights
Committee of the Association for Computing Machinery (ACM).
CPSR is a national membership organization of computer
scientists from across the country. Our membership includes
a Nobel laureate and four winners of the Turing Award, the
highest honor in computer science. CPSR has a particular
interest in privacy issues and we have testified before
several Congressional committees in support of efforts to
protect privacy.1 A little over two years ago we completed a
report on the proposed expansion of the FBI's computerized
record-keeping system at the request of Mr. Don Edwards, the
Chairman of the Subcommittee on Civil and Constitutional
Rights of the House Judiciary Committee.2
The ACM is largest association of computing
professionals in the United States. It was established in
1947 "to advance the sciences and arts of information
processing; to promote the free interchange of information
about the sciences and arts of information processing both
among specialists and among the public; and to develop and
maintain the integrity and competence of individuals engaged
in the practice of information processing." The Scientific
Freedom and Human Rights Committee has the special
responsibility to oversee those computing activities that may
adversely impact individual freedom and human rights.3

INFORMATION BROKERS BUY AND SELL CONFIDENTIAL GOVERNMENT
RECORDS
Two months ago, The Washington Post reported that 16
individuals in 10 states were arrested in the largest case
ever involving the theft of federal computer data. So-called
information brokers boasted that they could provide detailed
personal information on anyone in the country. The records
ranged from private credit reports and business histories to
driver's license records, Social Security records and even
criminal history backgrounds. These confidential records were
taken from government agencies and then sold for a fee to
lawyers, insurance companies, private employers and others.
Peter Neumann, a computer security expert, said that "The
public is abysmally uninformed about problems like this.
With sufficient access to a few databases these days, you can
get pretty close to somebody's life history with nothing more
than a Social Security Number."4
A story in Time magazine described a "black market in
government data" that included Social Security employees,
police officers, private eyes and "information brokers."
According to Time, Social Security employees sold earnings
histories for $25 apiece, and these were then marked up and
resold by brokers for as much as $175. Even a top-ranked IRS
criminal investigator was recently indicted for selling non-
public marital records to a California-based investigation
outfit run by ex-IRS officials.5

SIGNIFICANCE OF GROWING RECORD PROTECTION PROBLEM
The first reaction to these stories might be to call for
more prosecutions or new criminal penalties for the sale of
personal information. Both measures might be considered, but
neither approach is likely to address the fundamental changes
that must be taken in the next few years to ensure the
privacy of personal information held by federal agencies.
To understand the extent of the problem with the
protection of records held by the Social Security
Administration and the special problem of the Social Security
number, it is helpful to look at a sales brochure of
Nationwide Electronic Tracking, which the FBI believes was at
the center of this operation. According to that brochure,
with just a person's Social Security Number, Nationwide
Electronic Tracking could provide name and home address
(within 1-2 hours for $7.50), place of current employment (1
week, $75), and previous employment and earnings (3-5 days,
$100-$175).6
Now it may be possible to crack down on information
brokers such as Nationwide Electronic Tracking, but what
should be done over the long-term about the many other holes
in the government's record-keeping systems, such as the IRS's
careless practice of printing social security numbers of the
mailing labels for the form 1040s?7
A long range solution for the privacy protection of
Social Security records, and similar government records,
will require looking more closely at the need to control
the use of the Social Security number and to establish
an independent agency charged with privacy protection.

THE PRIVACY ACT SOUGHT TO CONTROL THE MISUSE OF THE SSN
In 1973 an expert panel of computer scientists, business
leaders, civil libertarians, and government officials
undertook a study, at the request of then HEW Secretary
Elliot Richardson, on the potential problems with automated
data processing systems. That study produced a landmark
report Records, Computers, and the Rights of Citizens which
became the foundation for the Privacy Act of 1974. Among the
issues considered in the study was the potential misuse of
the SSN. On this matter, the Advisory Committee was very
clear. It stated that:
We recommend against the adoption of any
nationwide, standard personal identification
format, with or without SSN, that would enhance the
likelihood of arbitrary or uncontrolled linkage of
records about people, particularly between
government or government-supported automated
personal data systems.
The Advisory Committee further recommended that:
¥ Use of the Social Security Number be limited to only
those purposes required by the federal government.
¥ Federal agencies should not require the use of the
Social Security Number without statutory authority.
¥ Congress should evaluate any proposed use of the Social
Security Number
¥ Individuals should have the right to refuse to provide
their Social Security Numbers, and should suffer no harm
for exercising this right.
¥ Organizations required by Federal law to obtain the
Social Security Number use the number solely for the
purpose for which it was obtained and not make any
secondary use or disclose the Number without the
informed consent of the individual.
In 1974 Congress adopted many of the recommendation of
the Advisory Committee and made clear that the use of the
Social Security Number would be restricted. Section seven of
the Privacy Act of 1974 said specifically that:
It shall be unlawful for any Federal, State or local
government agency to deny to any individual any right,
benefit or privilege provided by law because of such
individual's refusal to disclose his social security
account number. (7)(a)(1).
The Privacy Act further stated that:
Any Federal, State or local government agency which
requests an individual to disclose his social security
number shall inform that individual whether the
disclosure is mandatory or voluntary, by what statutory
or other authority such number is solicited, and what
use will be made of it. (7)(b)
This means that any government agency which requests an
individual's social security number is required to (1) cite
its formal legal authority for using the number; (2) reveal
whether disclosure is mandatory or voluntary; and (3) explain
how the number will be used.
Mr. Chairman, these are very good principles and the
provisions set out in the Privacy Act could go a long way
toward controlling the misuse of the SSN. They reflect the
widespread belief that the development of a single universal
identifier would lead to an invasion of personal privacy and
might encourage anti-democratic tendencies.

MISUSE OF THE SSN BY THE PRIVATE SECTOR HAS CREATED NEW
PROBLEMS
Richard Kusserow, the Inspector General of the
Department of Health and Human Services, recently wrote that
as the use of the SSN "as an identifier has grown, so has the
opportunity for misuse."8 Stories across the country during
the past year demonstrate that the incidents of SSN fraud are
on the rise. One story revealed that there are more than 300
fraud incidents involving social security numbers every year
in Massachusetts. According to the Boston Globe:
Because the state uses the Social Security numbers
as license numbers, the theft of a license gives a
thief access to another person's name, address and
social security number. Authorities say that, with
another person's Social Security number, a thief
can apply to obtain that person's welfare benefits,
Social Security benefits, credit cards or even the
victim's paycheck.9
An article from a California paper reports that the rate
of Social Security fraud is dramatically increasing, from 390
cases in 1988 to an estimated 800 cases in 1991. According
to the article, "experts attribute the increasing abuse of
the Social Security number to two factors: undocumented
immigrants seeking work in the United States, and the
business world's increasing use of the number as a universal
ID."10
In another incident with almost Orwellian implications,
a college student was arrested by campus police when he
failed to provide his social security number, after he had
given the officer his name and address.11

THE UNRESTRICTED USE OF THE SOCIAL SECURITY NUMBER UNDERMINES
PRIVACY AND IT IS AN INHERENTLY FLAWED IDENTIFIER
The central privacy problem with the use of a Social
Security Number as an identifier is that it allows
organizations to compile information about individuals
without their knowledge or consent. This tends to diminish
an individual's ability to control information about himself
or herself and leads to the compilation of elaborate
dossiers.
When an individual discloses an account number to a
particular business or institution, the information that is
disclosed is only that necessary to identify the person to
the particular institution. The disclosure of personal
information to a particular company for a specific purpose
establishes an expectation of confidentiality.12 Numbering
schemes that are designed for particular businesses help
promote confidentiality because they strengthen the ties
between the individual and the institution and create an
expectation that information which is transferred to the
institution will not be used for other purposes.
Similarly, single-purpose identification schemes without
universal identifiers can actually enhance personal privacy
by restricting the extent of a person's identity that must be
disclosed to interact with a large institution. A typical
library card is a good example. In those information
systems, privacy protection should focus on the subsequent
use of the information by the information-holding
institution, but the card by itself is unlikely to create a
privacy problem.

Multi-purpose identification numbers for which the
purpose is open-ended may be more problematic. An
institution that obtains the number presumably will have
access to all the information that the document holder would
have. This access allows the institution to create a more
elaborate picture of the document-holder than the single-
purpose document.
From a design standpoint there are a number of reasons
that the growing use of Social Security Numbers will lead to
greater problems, errors in record-keeping as well as fraud.
First, the SSN is an imperfect identifier. It is not unique
for each individual, and there are many reported cases of
misidentification
There is also a particular problem where the SSN is used
as an "authenticator" or password as some organizations have
tried to do. This would be similar to placing a three-digit
combination lock on a locker with a three-digit designation,
such as "215," and then setting the number on the combination
lock to correspond with the number on the locker. Any person
who could read the number on the locker door could open the
combination lock.
But even if a perfect identifier were developed, perhaps
stamped on a bracelet that each person would wear, the
privacy problems would remain. In general the SSN promotes
the unanticipated transfer of personal information. As CPSR
member and computer researcher Chris Hibbert has noted
"Multiple record systems keyed to the same identifier make it
difficult to restrict the release of personal information to
selected institutions and encourage compromise."

ALTERNATIVES TO THE SSN EXIST
It is a truism in the privacy world that the SSN has
become a "de facto national identifier" as if there were no
alternative to placing a nine-digit code on every record
containing personal information or that this particular
problem was somehow beyond our ability to solve. In fact,
every day organizations make decisions about the design of
record systems and whether the use of the SSN as an
identifier is necessary or appropriate. While some
industries, such as the Associated Credit Bureaus, rush to
databases of detailed personal files using the SSN, other
organizations avoid the SSN and develop their own, oftentimes
more accurate, numbering scheme. Similarly at the state
level, some states have placed an unnecessary reliance on the
SSN while other states have developed better policies.
In one striking case, a resident in the state of
Virginia was denied the right to vote because he would not
provide his Social Security number to the State Board of
Elections. He was, in every other way, eligible to vote.
However, he could not vote in Virginia because Virginia is
one of the few states in the country that makes disclosure of
the SSN a mandatory registration requirement.13

Why should Virginia impose this requirement? Few of the
other states do. In another area of state administration,
motor vehicle records, the state of Maryland just this week
took an important step in the right direction when the Motor
Vehicle Administration announced that it "will stop requiring
applicants to divulge their Social Security numbers when
obtaining or renewing driver's licenses." According to an
article in yesterday's Washington Post, Maryland does not
print Social Security numbers on driver's licenses. The
agency will continue to ask for the number, but applicants
will not be required to provide it.14

This is clearly a welcome development. Similarly, other
states have taken steps to control the collection and use of
the SSN. There does seem to be a growing awareness of the
potential for abuse, and a willingness to consider safeguards
and alternatives.
The point, Mr. Chairman, is that whether the SSN is
requested and used in a system of records is ultimately a
question of public policy that can be decided in the Congress
or the state legislatures. It is not a problem beyond
control.
There is further reason to be hopeful about this
problem. A computer researcher named David Chaum has
proposed a method that could protect security and privacy for
individuals while providing businesses and agencies with the
information they need for commercial transactions and user
authentication.15 Dr. Chaum's work has attracted a great deal
of interest in the computer science community. If he has
found a successful way to permit commercial transactions
while controlling the undesired secondary transfer of
personal information, then a great breakthrough may be at
hand. To use an analogy from the environmental world, this
would be similar to designing an engine that generated no
pollutants.

RECOMMENDATIONS
Mr. Chairman, we are very pleased that you have convened
this hearing to look at the problem of privacy protection for
Social Security records and the special difficulties with the
widespread use of the SSN. Certainly, one response could be
to encourage more raids, to strengthen criminal fines, and to
monitor government workers more closely. But, given the
dramatic changes currently underway and the need for a long-
term solution, we would propose the following steps.
First, CPSR strongly supports the establishment of a
data protection board in the United States and recommends
that you support the proposal which has been introduced in
the House by Congressman Bob Wise. These new privacy
problems are far-reaching and complex. Agencies are trying
to address privacy concerns, but oftentimes they lack the
resources or the expertise to develop appropriate solutions.
Many countries have established independent data protection
agencies precisely to fill this function. In fact, the
creation of an independent oversight agency was considered a
critical component of the Privacy Act of 1974. Regrettably,
this provision was removed prior to passage of the Act. (I
have attached to my testimony an article that describes the
proposal in more detail).

Second, CPSR recommends that the Privacy Act
restrictions which control the misuse of the SSN by the
public sector be extended to the private sector. No company
should request a Social Security Number without explicit
statutory authority. Where the number is necessary for tax
reporting purposes, then the company must take measures to
ensure that it is not improperly disclosed. Fines and
sanctions should be imposed when companies obtain the SSN
without authority or publish the SSN without consent.
Third, CPSR recommends that either the Computer Science
and Telecommunications Board of the National Research Council
or the Office of Technology Assessment undertake a study of
alternative information transaction schemes, such as the one
proposed by David Chaum, for record-keeping systems. The
purpose of such a study would be to determine how best to
achieve the twin goals of protecting privacy for the
individual and ensuring the transfer of necessary information
for the institution.16

Mr. Chairman, certainly these are strong measures. Many
organizations in the private sector rely on the SSN for
records management and will be reluctant to change. However
as more organizations turn to the SSN, the incidents of fraud
will increase and the opportunities for misuse will multiply.
A far-reaching problem will require far-reaching solutions.
A little more than twenty years ago MIT President Jerome
Weisner testified before Senator Sam Ervin's Committee on the
need for strong privacy measures. Professor Weisner drew a
parallel between the challenge of privacy protection and
public policy in the area of environmental protection. He
stated that:
It is obvious that means for effective record-
keeping, information gathering, and data processing
are essential needs of a modern society. The
problem for us is to determine how to reap the
maximum assistance from modern technology in
running a better society and at the same time, how
to keep it from dominating us. In order to do this
we may need to adopt some stern measures in the
form of very strict controls on who can do what
with private information about any individual in
the society.17
This concludes my testimony. I would be pleased to
answer your questions.
1 See The Privacy for Consumers and Workers Act Before the
Subcomm. on Employment and Productivity of the Senate Comm.
on Labor and Human Resources, 102d Cong., 1st Sess. ___
(Sept. 24, 1991); The Fair Credit Reporting Act Before the
Subcomm. on Consumer Affairs and Coinage of the House Comm.
on Banking, Finance and Urban Affairs, 102d Cong., 1st Sess.
___ (June 6, 1991); Telemarketing/Privacy Issues Before the
Subcomm. on Telecommunications and Finance of the House Comm.
on Energy and Commerce, 102d Cong., 1st Sess. 43 (April 24,
1991); Use of Social Security Number as a National
Identifier Before the Subcomm. on Social Security of the
House Comm. on Ways and Means, 102d Cong., 1st Sess. 71
(February 27, 1991); The Computer Abuse Amendments Act of
1990 Before the Subcomm. on Technology and the Law of the
Senate Comm. on the Judiciary, 101st Cong., 2d Sess. ___ (
July 31, 1990 ); Data Protection, Computers, and Changing
Information Practices Before the Subcomm. on Government
Information, Justice, and Agriculture of the House Comm. on
Government Operations, 101st Cong., 2d Sess. 109 (May 16,
1990); The Government Printing Office Improvement Act of
1990 Before the Subcomm. on Procurement and Printing of the
House Comm. on House Administration, 101st Cong., 2d Sess.
104 (March 8, 1990); Computer Virus Legislation Before the
the Subcomm. on Criminal Justice of the House Comm. on the
Judiciary, 101st Cong., 1st Sess. 25 (November 8, 1989);
Military and Security Control of Computer Security Before the
Subcomm. on Legislation and National Security of the House
Comm. on Government Operations, 101st Cong., 1st Sess. 80
(May 4, 1989).

2 FBI Oversight and Authorization Request for Fiscal Year
1990 Before the Subcomm.on Civil and Constitutional Rights of
the House Comm. on the Judiciary, 101st Cong., 1st Sess. 512
(May 18, 1989).

3 The ACM has a long-standing commitment to privacy
protection. The ACM Code of Professional Conduct states
that:

An ACM member should consider the health, privacy and
general welfare of the public in the performance of
the member's work. (E.C. 5.1)

An ACM member, whenever dealing with data concerning
individuals, shall always consider the principles of
individual privacy and seek the following: To
minimize the data collected; To limit authorized
access to the data; To provide proper security for the
data; To determine the required retention period of
the data; and to ensure proper disposal of the data.
(E.C. 5.2).

A year ago the ACM passed a new resolution,
reaffirming its support for privacy protection. The
resolution stated that:

Whereas the ACM greatly values the right of
individual privacy;
Whereas members of the computing profession
have a special responsibility to ensure that
computing systems do not diminish individual
privacy;
Whereas the ACM's Code of Professional Conduct
places a responsibility on ACM members to protect
individual privacy; and
Whereas the Code of Fair Information Practices
places a similar responsibility on data holders to
ensure that personal information is accurate,
complete, and reliable;
Therefore, be it resolved that
(1) The ACM urges members to observe the
privacy guidelines contained in the ACM Code of
Professional Conduct;
(2) The ACM affirms its support for the Code
of Fair Information Practices and urges its
observance by all organizations that collect
personal information; and
(3) The ACM supports the establishment of a
proactive governmental privacy protection mechanism
in those countries that do not currently have such
mechanisms, including the United States, that would
ensure individual privacy safeguards.

4 Michael Isikoff, "Theft of U.S. Data Seen as Growing
Threat to Privacy," The Washington Post, December 28, 1991,
at A1.

5 Richard Behar, "Psst, Secrets for Sale: Shady Dealers are
doing brisk trade in IRS, FBI and other federal data," Time,
February 24, 1992.
6 The text of the brochure appears in the current issue of
Harper's Magazine at 26 (March 1992).
7 Dr. Willis Ware, the chairman of the Federal Computer
and Privacy Advisory Board, is unequivocal is his assessment
of the IRS practice of displaying the SSN on a mailing label.
He said:
I regard the IRS's inclusion of SSNs on tax-
form mailing labels as a risky and careless practice
that has the effect of unwarranted and needless
disclosure of sensitive personal data to casual or
potentially malicious eyes. Granted the essential
utility of the SSN to improve the accuracy of IRS
record-keeping, there are certainly means for
concealing a portion of the label from sight and
maintaining the confidentiality of the SSN.
Ingerman v. IRS, No. 91-5467, at 13 (Third Circuit 1991)
(Brief amicus curiae of CPSR).

8 "How We Fight Waste: Report from the Inspector General of
HHS," Government WasteWatch, at 17 (Winter 1992).

9 Elizabeth Neuffer, "Victims urge crackdown on identity
theft: Say officials often fail to act on complaints," The
Boston Globe, July 9, 1991.

10 Yasmin Anwar, "Thieves Hit Social Security Numbers: Fouled
Up Benefits and Credits," San Francisco Chronicle, August 30,
1991, at 1.

11 Chris Hawley, "State dismisses charge in bicycle-moving
case," Bowling Green News, November 21, 1991.

12 Report of the Privacy Protection Study Commission (1977).

13 CPSR is assisting Marc Greidinger in this case.
Greidinger v. Davis, No. 91CV00476 (Eastern District of
Virginia 1991).

14 "Around the Region: Md. Forgets the Number," The
Washington Post, February 27, 1992, at C6.

15 David Chaum, "Security Without Identification: Transaction
Systems to Make Big Brother Obsolete," Communications of the
ACM (October 1985). An abridged version of Mr. Chaum's
research appears in the proceedings of the 1991 Cryptography
and Privacy Conference sponsored by CPSR, the Electronic
Frontier Foundation, and RSA Data Security in Washington, DC.
"Numbers Can Be a Better Form of Cash than Paper
16 Both the NRC and OTA have recently completed studies in
related areas. In 1991 the CSTB released Computers at Risk:
Safe Computing in the Information Age which set out a series
of important policy recommendation for computer security. In
1987 the OTA completed Defending Secrets, Sharing Data: New
Locks and Keys for Electronic Information.

17 "Federal Data Banks, Computers and the Bill of Rights,"
Senate Judiciary Committee (1971).