SSN Privacy Internet Resources:

 

Privacy Rights Clearinghouse

http://www.privacyrights.org

The Privacy Rights Clearinghouse web site offers consumers a unique opportunity to learn how to protect personal privacy. They offer several fact sheets relevant to SSN security:

Fact Sheet # 10: Your Social Security Number: How Secure Is It?

http://www.privacyrights.org/fs/fs10-ssn.htm

  • Why is it important to keep the Social Security number private? The crime of identity theft is increasing at epidemic proportions. With the Social Security number accessible to so many people, it is relatively easy for someone to fraudulently use your SSN to assume your identity and gain access to your bank account, credit accounts, utilities records, and other sources of personal information. Identity thieves can also establish new credit and bank accounts in your name. (See PRC Fact Sheets 17 and 17a on identity theft.) Your Social Security number is also frequently used as your identification number in a wide variety of computer data bases, giving access to information you may want kept private and allowing an easy way of linking data bases. Therefore, it is wise to limit access to your Social Security number whenever possible.
  • Am I required to give my Social Security number to government agencies? It depends upon the agency. Some government agencies, including tax authorities, welfare offices and state Departments of Motor Vehicles, can require your Social Security number as mandated by federal law (42 USC 405 (c)(2)(C)(v) and (i)). Others may request the SSN in such a manner that you are led to believe you must provide it.
  • Never print your Social Security number on your checks, business cards, address labels or other identifying information. And do not carry your SSN card in your wallet, or other cards containing the SSN. Your wallet could be lost or stolen.
  • If your employer releases or displays your SSN, you may want to explain why you object. Most employers do not treat SSNs as confidential information. But they may be willing to change their policy when they understand the twin dangers of invasion of privacy and fraud.

 

Fact Sheet # 8: How Private Is My Medical Information?

http://www.privacyrights.org/fs/fs8-med.htm

Fact Sheet # 17: Coping with Identity Theft: What To Do When An Imposter Strikes

http://www.privacyrights.org/fs/fs17-it.htm

  • Do not carry extra credit cards, your Social Security card, birth certificate or passport in your wallet or purse.
  • Protect your Social Security number (SSN). Release it only when absolutely necessary (like tax forms, employment records, most banking, stock and property transactions). The SSN is the key to your credit and banking accounts and is the prime target of criminals.
  • If a business requests your SSN, ask if it has an alternative number which can be used instead. Speak to a manager or supervisor if your request is not heeded. Ask to see the company's policy on SSNs. If necessary, take your business elsewhere.

 

Fact Sheet # 17a: Identity Theft: What to Do if It Happens To You

http://www.privacyrights.org/fs/fs17a.htm

Fact Sheet # 1: Privacy Survival Guide - How to Take Control of Your Personal Information

http://www.privacyrights.org/fs/fs1-surv.htm

 

 

Computer Professionals for Social Responsibility

www.cpsr.org

A public-interest alliance of computer scientists and others concerned about the impact of computer technology on society. CPSR has published two excellent documents regarding SSN privacy:

 

Text of a Letter on SSN and Health Care sent to Hillary Rodham Clinton 4/26/93

Experts Call for Medical Privacy Protection: Recommend that Social Security number be LEFT OFF Health ID Card

http://www.cpsr.org/cpsr/privacy/ssn/ssn_and_health_care.txt

"Dear Mrs. Clinton, We are writing to you regarding privacy protection and the anticipated report of the Health Care Reform Task Force. There are many privacy issues in the management of medical records, but one issue we are specifically concerned about is the possible use of the Social Security Number as a patient identifier. It is our belief that the SSN should not be used for medical record identification and that an alternative identification scheme must be developed. Now is the right time to develop an appropriate identification scheme. A good plan will serve the goal of streamlining health care administration while avoiding the risk inherent in the use of the Social Security number. A poorly designed system will create privacy problems for many years to come:

  • The widespread use of the SSN has led to an increase in credit and banking fraud and invites many types of abuse.
  • The use of the SSN increases the likelihood that medical information will be improperly disclosed to insurers, employers, and others.
  • Section 7 of the Privacy Act of 1974 creates a presumption that the Social Security number should not be used for record-keeping purposes unrelated to Social Security and taxation.
  • From a technical viewpoint, the SSN is not a good identifier. It is not unique, there are multiple users of a single SSN, and the absence of certain technical features makes it difficult to determine whether a random nine-digit number is in fact an SSN. The use of the current SSN as a patient identifier will likely lead to record misidentifications that could otherwise be avoided.
  • Many organizations that provide comprehensive health services do not use the SSN as a patient identifier. For example, the Harvard Community Health Plan, with over half a million subscribers, uses a separate number for patient identification in its automated records system.
  • Absent clear safeguards for privacy protection, patients may not be forthcoming about potentially embarrassing but medically relevant facts which providers should know.
  • In spite of the superficial attractiveness of the SSN, we urge the Health Care Task Force to state clearly in the anticipated report that the Social Security Number should not be used as a patient identifier."

 

Some Frequently Asked Questions on SSNs (Chris Hibbert)

http://www.cpsr.org/cpsr/privacy/ssn/ssn.faq.html

  • There are two problems with the way SSNs are used these days. The first is that they are used (by different parties) as if they were both a representation of identity and a secure password. The problem is that these uses are incompatible. The second problem is that they have become a widely used identifier which can be used to tie multiple records together about a single individual.

 

SSN FAQ Addendum (Chris Hibbert)

http://www.cpsr.org/cpsr/privacy/ssn/SSN-addendum.html

  • Why SSNs Make Bad Keys in Databases: Some of the qualities that are (often) useful in a key and that people think they are getting from the SSN are uniqueness, universality, security, and identification. The SSN provides none of them.
  1. Uniqueness: Many people assume that Social Security Numbers are unique. They were intended by the Social Security Administration to be unique, but the SSA didn't take sufficient precautions to ensure that it would be so.
  2. Universality: Not everyone has a Social Security Number. Foreigners are the primary exception, but many children don't get SSNs until they're in school (and some not until they get jobs). They were only designed to be able to cover people who were eligible for Social Security.
  3. Identification: Few people ever ask to see an SSN card; they believe whatever you say. The ability to recite nine digits provides little evidence that you're associated with the number in anyone else's database.
  4. Security: Older cards are not at all forgery-resistant, even if anyone did ever ask for it. The numbers don't have any redundancy (no check-digits) so any 9-digit number in the range of numbers that have been issued is a valid number. It's relatively easy to write down the number incorrectly, and there's no way to tell that you've done so.
  • If someone absolutely insists on getting your Social Security Number, you may want to give a fake number. However, making a 9-digit number up at random is a bad idea, as it may coincide with someone's real number and cause them some amount of grief.

 

History and Significance of the Social Security Number (Chris Hibbert)

http://www.cpsr.org/cpsr/privacy/ssn/SSN-History.html

  • Unfortunately, far too many organizations assume that anyone who presents your SSN must be you.
  • Social Security numbers were introduced by the Social Security Act of 1935. They were originally intended to be used only by the social security program.

 

Summary of some legal cases relevant to SSNs

http://www.cpsr.org/cpsr/privacy/ssn/legal.html

 

 

Electronic Privacy Information Center (EPIC)

EPIC is a public interest research center in Washington, D.C. It was established in 1994 to focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and constitutional values. EPIC works in association with Privacy International, an international human rights group based in London, UK and is also a member of the Global Internet Liberty Campaign, the Internet Free Expression Alliance, the Internet Privacy Coalition, the Internet Democracy Project, and the Trans Atlantic Consumer Dialogue (TACD).

Alternatives To Using Social Security Numbers In Large Organizations

http://www.epic.org/privacy/ssn/alternatives_ssn.html

  • Organizations need to be extremely cautious about collecting, using, and disclosing Social Security numbers of customers or other individuals.
  • An organization can avoid most of the dangers of keeping Social Security numbers by establishing its own unique account number. Clearly this will require extra effort. One argument against this has been that most people don't remember a unique identifier. However, many studies show that a sizeable percentage of people inadvertently provide erroneous Social Security numbers, when asked.
  • When Social Security numbers must be kept on individuals (as in the case of the personnel department), the numbers can be encrypted so that they may be used for linkage of data files, as necessary, without revealing the actual digits of the SSNs. The resulting "record linkage number" will not permit a stranger to derive the SSN even if the linkage number becomes publicly known (see "Encrypting Personal Identifiers" by Eleanor Marx, HSR: HEALTH SERVICES RESEARCH 29:2, June 1994).

 

 

United States Code

THE PRIVACY ACT OF 1974 (5 U.S.C. § 552a)

http://www.usdoj.gov/foia/privstat.htm

  • The Privacy Act states that you cannot be denied a government benefit or service if you refuse to disclose your SSN unless the disclosure is required by federal law.
  • The Privacy Act of 1974 requires all government agencies -- federal, state and local -- that request Social Security numbers to provide a "disclosure" statement on the form. The statement explains if you are required to provide your Social Security number or if it is optional, how the SSN will be used, and under what statutory or other authority the number is requested (5 USC 552a, note).

 

 

Association for Computing Machinery (ACM)

www.acm.org

Founded in 1947, ACM is the world's first educational and scientific computing society. Today, our members — over 80,000 computing professionals and students world-wide — and the public turn to ACM for authoritative publications, pioneering conferences, and visionary leadership for the new millennium.

Risks of social security numbers (Simson L. Garfinkel)

Communications of the ACM, Volume 38, Issue 10 (Oct 1995)

http://www.acm.org/pubs/citations/journals/cacm/1995-38-10/p146-garfinkel/

  • "The problem with Social Security Numbers today is that some organizations are using these ubiquitous numbers for identification, others are using them for authentication, and still others are using them for both."

 

 

 

News Media Articles

Billionaires Left Exposed (CNET.com – News)

http://news.cnet.com/news/0-1005-200-315794.html?tag=

  • CNET readily found the Social Security numbers of such leading American businessmen as Time Warner's vice chairman Ted Turner, Intel's chairman emeritus Gordon Moore, Hewlett-Packard's deceased cofounder David Packard, and Microsoft's cofounder Paul Allen through the Securities and Exchange Commission's Edgar database--all in less than an hour. Once obtained, users can turn to a burgeoning number of online Web sites and use the nine-digit number to search for sensitive information such as current and previous addresses. The charge usually is nominal, $20 or less, and takes less than three minutes.

 
