Government records serve to outline the major events of an individual’s life – birth, marriage, employment, driving, criminal activity, and death. However, these records contain extensive personal information—much of it sensitive—that can put the subject of those records at risk for identity theft, discrimination, financial impact, and even physical assault or murder. Protections around these records must reflect the severity of these risks. State laws or sector-specific laws have attempted to address the privacy issues, but further protections are needed. EPIC has focused specifically on work tied to protecting privacy tied to Social Security Numbers, driving records, and expungement of criminal records, as described below.
Social Security Number Privacy
The Social Security Number (SSN) was created in 1936 as a nine-digit account number assigned by the Secretary of Health and Human Services for the purpose of administering the Social Security laws. SSNs were initially intended for use exclusively by the federal government as a means of tracking earnings to determine Social Security tax amounts to be credited to worker’s accounts. Over time, SSN use expanded to purposes entirely unrelated to the administration of the Social Security system, such as taxpayer identification numbers. In response to growing concerns over mass personal information accumulation, the Privacy Act of 1974 was passed. Among other items, the Act makes it unlawful for a government agency to deny a right, benefit, or privilege merely because the individual refuses to disclose their SSN. Further, Section 7 of the Privacy Act provides that any agency requesting an individual to disclose his SSN must inform the individual whether disclosure is mandatory or voluntary, by what statutory authority the number is being solicited, and how it will be used.
There is a real danger to privacy in the widespread use of SSNs as universal identifiers. Congress has previously stated that this spread in use of SSNs in the public and private sectors is “one of the most serious manifestations of privacy concerns in the Nation.” The hope is that passage of Section 7 would limit use of SSNs solely to those purposes with clear legal authority and that citizens, aware that disclosure is not required, would push back against providing their SSNs when not necessary. Large amounts of personal information, including tax information, credit information, school records, and medical records, is keyed to SSNs. This data is often sensitive and should be carefully protected.
Today, the SSN plays an unparalleled role in identification, authentication and tracking Americans. Because the identifier is used for so many purposes, it is invaluable to those wishing to acquire credit, commit crimes, or masquerade as another person. The SSN has also been increasingly used in the private sector, acting as the record locator for many private-sector profilers, credit bureaus, and credit card companies. In some cases, businesses have even used the SSN as an individual identifier or a password. Serious security problems arise in any system where a single number is used both as identifier and authenticator. According to the Privacy Rights Clearinghouse, identity theft (often stemming from this identifier and authenticator problem) now affects between 500,000 and 700,000 people annually. Identity theft litigation also shows that the SSN is central to committing fraud, allowing for numerous cases where imposters were able to obtain credit with their own name but a victim’s SSN.
The SSN as de jure or de facto national identifier has been raised repeatedly as a concern since creation of the SSN. The public and legislators have expressed fears that the SSN will become a system containing vast amounts of personal information, such as race, religion, and family history, that could be used by the government to track down and control the actions of citizens. The passage of the Privacy Act of 1974 was a specific reaction to these concerns. However, the risk has continued to expand, even extending into health data where many medical providers are using the SSN as a patient identifier.
Another SSN-tied risk comes from the Death Master File—an electronic record available for purchase from the Social Security Administration for a little under $1,800 for a single issue (or for free online at places like Ancestry.com). These records of Americans that have died contain important personal information, including name, SSN, date of birth, date of death, state of residence, ZIP code of last residence, and ZIP code of lump sum payment to the decedent’s beneficiary. These databases may be used to exploit the recently bereaved or take advantage of their changed financial circumstances. In addition to the residual privacy concerns for the recently departed, this disclosure affects survivor’s privacy.
Information brokers (loosely managed and represented by the Individual Reference Services Group or IRSG) routinely buy and sell detailed personal information on individuals, including SSNs. IRSG companies gather and sell SSNs from various public and non-public sources, such as bankruptcy filings, court records, credit reports, marriage licenses, and birth and death records. In 1997, the IRSG worked with the Federal Trade Commission to develop a set of self-regulatory principles which allow for the sale of SSNs without knowledge or permission of the data subject. These self-regulatory principles were not subject to public input and largely ignore the privacy interests of the data subject.
EPIC has actively pushed for more protections related to SSNs, supporting state laws with additional protections and individual rights related to SSN collection and use, issuing public education on protecting SSNs, and highlighting elements that must be included for effective SSN legislation. EPIC has also issued testimony in response to high-profile data breaches by Equifax, recommending free credit freezes and other consumer safeguards.
Driving Record Privacy
Driving records contain multiple personal data elements that may be abused by bad actors or exploited for profit when not carefully protected. One such high-profile abuse was the 1989 death of actress Rebecca Schaeffer. In this case, a private investigator, hired by an obsessed fan, was able to obtain Rebecca Schaeffer’s address through her California motor vehicle record. The fan then used this information to stalk and kill her. Other incidents include a ring of Iowa home robbers who targeted victims by taking down the license plates of expensive cars and obtaining home address information from the state’s department of motor vehicles and multiple cases of stalking, harassment, assault, and murder—all made possible with information obtained from driving records.
In response to several of these abuses, the Drivers Privacy Protection Act (DPPA) was originally enacted in 1994 to protect the privacy of personal information assembled by various state Departments of Motor Vehicles (DMVs). The DPPA prohibits release or use by any state DMV (or any officer, employee, or contractor thereof) of personal information about an individual obtained in connection with a motor vehicle record. It sets penalties for violations and makes violators liable through civil action to the individual linked to the released information. The “Shelby amendment,” which took effect June 1, 2000, modified the DPPA to require states to obtain express permission from individuals prior to selling or releasing their personal motor vehicle record to third-party marketers.
The DPPA and its amendments safeguard the personal information of licensed drivers from improper use or disclosure, protecting a fundamental privacy interest. EPIC has supported the DPPA in former actions, such as through an amicus brief filed in the U.S. Supreme Court, arguing that the DPPA is a Constitutional exercise of Congressional authority. In addition, EPIC has issued recommendations on safeguards for vehicle event data recorders and written on the privacy and security implications of the “Internet of Things,” which includes cars.
The social consequences of a criminal record can lead to the denial of an individual’s right to civic participation. Regardless of whether an individual has been convicted, an arrest or citation typically persists on a criminal record. Therefore, even a person who has had the charges against them dropped may be subject to a degree of social ostracism and a de facto public finding of guilt.
Some states permit individuals who are arrested, but not convicted, to expunge their arrest records. Others permit some convicts to apply for expungements after time has passed from the completion of their sentences. Many state and federal legislatures have passed expungement laws to address the difficulty of reintegration for offenders and the difficulty for those with an arrest on their records to obtain employment. Depending on the jurisdiction, this process may be referred to as erasure, destruction, sealing, setting aside, expunction, or purging.
While there is no uniform process known as expungement, it is commonly accepted that expungement is meant to conceal criminal records from the public. Essentially, expungement provides a legitimate means for those with criminal records to honestly deny that they have ever been charged with a crime. Most states permit individuals who have had their records expunged to answer in the negative if asked whether they have been arrested or charged with a crime, including on job or school applications. Some of the states that permit expungements after convictions also permit individuals to answer in the negative for questions concerning convictions as well. The severity of the crime will play a determinative role in whether or not expungement is possible.
Recent Documents on Government Records & Privacy
New Jersey Supreme Court
Whether New Jersey's Open Public Records Act protects from public disclosure the names and addresses of individuals possessing a government-issued dog license.
US District Court for the District of Columbia
Challenging the unlawful collection of all Americans' personal voter data
US Court of Appeals for the Eighth Circuit
Whether the statute of limitations under the DPPA accrues based on when the violation occurs or when it is discovered
Social Security Numbers
Government Accountability Office | 2017
The Origin of Fair Information Practices: Archive of the Meetings of the Secretary's Advisory Committee on Automated Personal Data Systems
Chris Jay Hoofnagle | 2016
Predicting Social Security Numbers from Public Data
Alessandro Acquisti and Ralph Gross | 2009