Note to reader: This is Chapter 16 of Personal Privacy in an Information Society: The Report of the Privacy Protection Study Commission transmitted to President Jimmy Carter on July 12, 1977. The full Table of Contents is listed below.
The Commission's mandate suggests that the Privacy Protection Study Commission make a study of:
the use of social security numbers, license plate numbers, universal identifiers and other symbols to identify individuals in data banks and to gain access to, integrate, or centralize information systems and files. [Section 5(c)(1)(C) of P. L. 93-5 79]
In accordance with this suggestion, the Commission undertook such a study, but decided to limit its empirical study to the use of the Social Security number (SSN). There is more public concern about the SSN than any other identifier and second only to names, the SSN appears to be the most widely used label 1 in America . The Commission's findings, however, apply to any widely used system of labelling individuals; its SSN study is a case study of the advantages and disadvantages of any commonly used label.
There are essentially three basic ways to identify a person-by his physical attributes (e.g., color of hair and eyes, voiceprints, fingerprints); by a possession (e.g., passport with a photograph); and by a label (e.g., name, SSN, address). This study covers only the third because the Privacy Act, the Commission's mandate, focuses primarily on the use of labels to identify individuals.
IDENTIFICATION AND AUTHENTICATION
Before the issues surrounding the use of the SSN are described, it is necessary to understand precisely what identification and authentication mean; their role in record keeping; and the way the SSN is used in identifying and authenticating individuals and records.
Identification is the process by which an individual asserts who he is or by which an organization initially determines that a record pertains to a particular individual. Although the first process can be achieved by visual recognition, people usually identify themselves by stating or showing a label; typically an individual introduces himself to an organization by stating his name. For a record-keeping organization a label is essential to select a record that pertains to a particular individual from a set of records.
Authentication is the process of confirming that a person is who he claims to be, or that a particular record does indeed pertain to a particular individual. Typically, an individual authenticates his identity by providing a fact about himself, or another label in addition to his identifier, that is known both to the individual and to the organization. An organization authenticates that it has correctly associated a record with an individual by comparing what it learns about the individual with information already in the record.
An example of how these processes work may be helpful. When Arthur Klein goes to his bank to make a withdrawal from his savings account, the bank first asks him for his name and then for his account number. His name is used in this instance as an identifier; the account number is used as an authenticator. The bank maintains a list of all customer names with cross-references to account numbers and when Arthur recites his number, the bank employee locates it on the list to ascertain that Arthur is who he purports to be. Before Arthur's withdrawal is processed, his account record must be located. The records clerk goes to the file containing records about customers with last names beginning with "K." There are, however, three records identified by the name "Arthur Klein." Thus, the records clerk must use Arthur's account number to discriminate among the three records identified by the label "Arthur Klein" and to authenticate the fact that a particular record pertains to the Arthur Klein in question.
After Arthur makes his withdrawal, he asks the bank to use some of the money he has withdrawn to make a payment on his mortgage. Because mortgages are handled by another bank employee, information about the mortgage payment must be transferred from one part of the bank to another. When the information is transferred, it is labelled with Arthur's name and account number. When the mortgage section receives the information about the payment, it includes it in another previously compiled record about Arthur. In the process of doing so, it locates records about three Arthur Klein's and uses Arthur's account number to assure itself that the record finally selected does indeed pertain to the Arthur Klein in question.
Finally, when the bank reports information about the interest on Arthur's account to the Internal Revenue Service each year, it labels the information with Arthur's name and Taxpayer Identification Number. When the IRS receives the information and wishes to add it to a record it already maintains about Arthur, it will use his Taxpayer Identification Number to discriminate among the 100 Arthur Klein's on whom it maintains records.
As this example illustrates, identification and authentication processes are essential in almost any transaction that involves an individual and an organization, an organization's employees and its record systems, and the record system of one organization and that of another. For ease of reference, the process will be called personal identification and personal authentication in the first instance, and record identification and record authentication in the latter two instances. Record identification and authentication can be intra-organizational or inter-organizational; that is, they can take place between two record systems maintained by the same organization, or by separate organizations.
In some cases, notably where there is an automated record system involved, a label normally used as an authenticator can serve also as a record identifier and so either eliminate the authentication step altogether or require yet another label for authentication. In the above illustration, if the bank's savings and mortgage records were automated, the right Arthur Klein's record could be located by using his account number alone without reference to his name, so that the account number would be the record identifier, not the authenticator. Another label, Arthur's address, for example, could be used for record authentication purposes, or an authenticator may not be needed, especially if the identifier is known to be unique and accurate. The point here is that the same label can serve as an identifier in some instances, and as an authenticator in others. The development of automated record systems has, to a large extent, provided the impetus for widespread use of numerical labels such as the SSN for identification purposes.
As long as individuals have established relationships with organizations, personal identification and authentication have been important processes. For organizations which maintain records in order to facilitate their relationships with individuals, a record identification and authentication procedure within the organization is essential. As organizations and the populations served by them increase in size, the importance of identifying and authenticating the records which document and mediate interactions between organizations and individuals grows correspondingly. And, whenever organizations exchange records about an individual, inter-organizational identification and authentication become crucial. In such cases, the identifiers and authenticators used by the organizations between which exchanges of records take place must be common to both. This is one important reason why the use of a few widely available labels, such as the SSN, has become pervasive.
The genesis of the Social Security number offers a good example of the compelling need of organizations for accurate identification and authentication. Shortly after the Social Security Act of 1935 became effective, the Bureau of Internal Revenue issued a regulation requiring the issuance of an account number to each employee covered by the Social Security program, called a "Social Security account number." The need for the regulation is obvious. In order to carry out its program, the Social Security Administration would have to keep records about millions of workers for the rest of their lives. A worker's career could span more than half a century and could include many different employers in different locations. A separate account of the wages paid to, and the taxes withheld from, each worker had to be kept so that his eligibility for benefits, and the amount of those benefits, could be correctly established at retirement and paid thereafter.
Because the information in a single record might come from many different sources, because many workers share the same name, and because an individual may assume more than one name in the course of a lifetime, there had to be some way of uniquely labelling each worker. The solution adopted was to issue each worker a different number, and require a worker to report his number to his employers. Employers, in turn, were required to report to the Social Security Administration (SSA) certain information regarding the wages paid to, and the taxes withheld from, every worker. This information had to be labelled with the worker's Social Security number, which would enable the Social Security Administration to keep accurate accounts of each worker's earnings over the years. Then when a worker applied for benefits, the SSN would help SSA to match worker to record, and confirm that the worker was, in fact, the person he claimed to be.
A great many other organizations with large numbers of customers, beneficiaries, or employees also found it necessary to use labels other than names. Credit-card issuers, for example, assign unique numbers to individuals when they extend credit. When an individual uses his card to charge purchases at a wide variety of organizations in many different geographical locations, each charge on an account is reported to a central location so that the client can be billed at one time for all of his purchases. Like the Social Security Administration, credit-card issuers must consolidate information about individuals received from many different sources. It is important to know which of two John J. Smiths charged $1,000 to his account and which charged $50. This kind of discrimination is more easily and accurately made if each John J. Smith has a unique credit-card account number.
There are also exchanges of personal information about individuals between organizations. Here, accurate identification and authentication is especially important. If, for example, an individual is incorrectly billed for a credit-card purchase because of name confusion, he can probably identify the source of the error easily and attempt to get it corrected. If, however, the credit-card issuer has reported information about the wrong individual to a credit bureau, and the credit bureau then reports it to still another credit grantor, it can take much time and effort even to locate the source of the error.
As long as organizations have relationships with individuals, most of whom are not known personally by someone within the organization, effective personal identification and authentication is an essential social mechanism. As long as organizations make decisions about individuals on the basis of recorded information, some means of assuring that the information being used does indeed pertain to the individual affected by the decision is necessary. It should also be clear that while accurate identification and authentication facilitates the work of organizations, it also benefits individuals who seek fair and prompt decisions from them. If individuals and records are not correctly identified and authenticated, an individual may be unfairly denied a right, benefit, or opportunity as a result. Society as a whole also suffers when a benefit is given to an undeserving individual. In sum, accurate identification and authentication are an essential component of fairness in record keeping.
THE SOCIAL SECURITY NUMBER AS AN IDENTIFIER AND AUTHENTICATOR
Because names are sometimes inadequate as identifiers-many individuals may possess the same name, a single individual may change his name-and because a different label must be used as an authenticator when a name is used as an identifier, alternative labels had to be developed. There are essentially two processes that can be used to develop these alternative labels. First, a government body can decree a system of labelling and registering citizens and either mandate the use of the new labels or make them available to organizations on a voluntary basis. Some European countries have used this method and, during World War II, the United States considered adopting it to facilitate draft registration and commodities rationing.2 Second, without such government action, the needed labelling systems grow up on an ad hoc basis to serve the special needs of particular private organizations and government agencies.
The United States did not choose the first alternative and thus, by default, has many systems of unique individual identification and authentication. Thus, today's typical American adult has a wide array of labels in addition to his or her name-a credit-card number, bank account number, driver's license number, license plate number, health insurance number, utilities account number, employee identification number, library card number, as well as a Social Security number.
Although the SSN is only one of many labels used for identification and authentication in America, it is relied on for these purposes more widely than any other kind of label except name; but the SSN is, at best, an imperfect identifier and authenticator. One reason is that until 1972, an applicant for an SSN was not asked if he had already been issued a number, nor was he asked to produce proof of identity. The result is that several million individuals now have more than one SSN-clearly a source of confusion. Another reason is that one SSN is sometimes used by more than one individual-as when a son, confused about how the system operates, uses his father's number when he goes to work. These problems are gradually being resolved in part because a Federal law [Section 205(c)(2)(B)(ii) of the Social Security Act] now gives the Department of Health, Education, and Welfare (DHEW) the authority to require verification of the identity of SSN applicants and to determine whether an applicant has previously been issued an SSN. Experience is slowly clearing up confusion about the system's operation.
An individual's SSN may be used for personal identification, although the instances in which an individual identifies himself with his SSN appear to be rare. The SSN is more often used for personal authentication, as when an individual wants to cash a check. The use of the SSN in record identification and authentication, both within and between organizations, however, is common. Most of these uses of the SSN have nothing at all to do with the purpose for which the SSN was originally created-the administration of the Social Security Act.3
CONCERN ABOUT THE USE OF THE SOCIAL SECURITY NUMBER
The clear need of organizations to identify and authenticate individuals and records accurately, both internally and in the course of exchanging personal information with other organizations, is seldom questioned. The propriety of certain widely used systems of labelling individuals and records, however, is hotly debated in this country. Much of this debate today centers on what uses of the Social Security number are appropriate. To understand the Commission's recommendations in this area, the arguments advanced against the use of the SSN as a widely used identifier and authenticator must be explored.
Some individuals simply resent being identified by a number rather than a name, and of these, most seem uncomfortable with the use of the SSN across the board for both personal and record identification and authentication. The case was stated by one of the Commission's correspondents, who implored the Commission to "prevent us from becoming our Social Security numbers." This concern seems to reflect the feeling that to label a person by a number rather than by a name is dehumanizing. It is probably safe to assume that these people do not object specifically to the Social Security number, but to any widely used numerical label. After all, the telephone companies incurred much wrath when they changed from name to number labels for exchanges.
In most cases, however, opposition to the use of the SSN appears to arise from a fear that if several organizations possess an individual's SSN, the ability with which these organizations can exchange information about the individual will be greatly facilitated. This kind of opposition is directed primarily to the use of the SSN for record, as opposed to personal, identification and authentication. Some individuals feel that information exchanges will not always be beneficial to them-particularly because some kinds of information should not be available to certain decision makers and thus these exchanges should not be encouraged. Such concern is also related to a more general feeling that if the SSN is used to facilitate unconstrained exchanges of information about people, dossiers about individuals may be created that will follow them throughout life. Thus, an individual's capacity to "make a fresh start" in life would be hampered, and the processes of social control of individuals would become increasingly threatening.
Several of the Commission's correspondents expressed this general fear. For example, one asserted that "tile extensive use of this single number by all government agencies allows unscrupulous individuals within the government to easily obtain all the information in a file concerning an individual." Another objected to the collection of SSNs by credit grantors and life insurance companies because he opposed the ease with which ".. . one computer can `interface' with another guy's computer and swap information."
Again, there is no evidence to suggest that any unique aspect of the Social Security number is peculiarly objectionable. Presumably, any other label-except a name-that is used as widely would arouse the same opposition and, if each individual had a unique name for life, used by him alone, it is conceivable that names also would become a target of concern.
RESTRICTIONS ON THE USE OF THE SSN
The Privacy Protection Study Commission is not the first government organization to study the use of the SSN and other identifiers and make recommendations regarding them. The Social Security Administration's Social Security Number Task Force,4 the DHEW Secretary's Advisory Committee on Automated Personal Data Systems,5 and the Federal Advisory Committee on False Identification,6 have all reported on the use of the Social Security number and other means of labelling individuals. In addition, the Congress has enacted legislation regarding the conditions under which disclosure of an individual's Social Security number can be compelled.
The enactment by the Congress of Section 7 of the Privacy Act of 1974 was the first step in establishing a Federal policy limiting compulsory divulgence of the SSN.7 Section 7 provides that:
(a)(1) It shall be unlawful for any Federal, State or local government agency to deny to any individual any right, benefit, or privilege provided by law because of such individual's refusal to disclose his social security account number.
(2) the provisions of paragraph (1) of this subsection shall not apply with respect to-(A) any disclosure which is required by Federal statute, or
(B) the disclosure of a social security number to any Federal, State, or local agency maintaining a system of records in existence and operating before January 1, 1975, if such disclosure was required under statute or regulation adopted prior to such date to verify the identity of an individual.
(b) Any Federal, State, or local government agency which requests an individual to disclose his social security account number shall inform that individual whether that disclosure is mandatory or voluntary, by what statutory or other authority such number is solicited, and what uses will be made of it.
This statute implicitly endorses two proposals of the DHEW Secretary's Advisory Committee on Automated Personal Data Systems: (1) that an individual whose SSN is requested should be informed as to whether or not divulging his number is legally required; and (2) that no individual should be denied a benefit because of his refusal to divulge his SSN for purposes other those required by Federal law.
The Privacy Act's Section 7 exempts from its restrictions demands for an individual's SSN that are mandated by statute or regulation adopted prior to January 1, 1975 for systems of records in operation prior to that time, and, of course, does not apply at all to private organizations. Section 7 was not, however, intended to do more than impose a moratorium on demands for an individual's Social Security number by government agencies under circumstances where the individual has no choice but to comply.
In 1976, for the first time since passage of the Privacy Act, the Congress exercised its authority to authorize compulsory divulgence of the SSN. Section 1211 of the Tax Reform Act of 1976 provides that:
(i) It is the policy of the United States that any State (or political subdivision thereof) may, in the administration of any tax, general public assistance, driver's license, or motor vehicle registration law within its jurisdiction, utilize the social security account numbers issued by the [HEW] Secretary for the purpose of establishing the identification of individuals affected by such law, and may require any individual who is or appears to be so affected to furnish to such State (or political subdivision thereof) or any agency thereof having administrative responsibility for the law involved, the social security account number (or numbers, if he has more than one such number) issued to him by the Secretary.
(ii) If and to the extent that any provision of Federal law heretofore enacted is inconsistent with the policy set forth in clause (i) of this subparagraph, such provision shall, on or after the date of the enactment of this subparagraph, be null, void, and of no effect.
(iii) For purposes of clause (i) of this subparagraph, an agency of a State (or political subdivision thereof) charged with the administration of any general public assistance, driver's license, or motor vehicle registration law which did not use the social security account number for identification under a law or regulation adopted before January 1, 1975, may require an individual to disclose his or her social security number to such agency solely for the purpose of administering the laws referred to in clause (i) above and for the purpose of responding to requests for information from an agency operating pursuant to the provisions of part A or D of title IV of the Social Security Act [AFDC and Child Support Enforcement programs].
This provision was designed primarily to help State Child Support Enforcement units locate parents who have defaulted on their child support obligations, and to facilitate the matching of information on Federal and State tax returns by State taxing authorities.
The Privacy Act's Section 7 appears to have had little impact on Federal, State, and local government agencies. Most Federal agencies have been able to cite some legal authority in effect before January 1, 1975 that lets them continue to demand disclosure of the SSN. Although a few State and local agencies have abandoned the use of the SSN because they lack such legal authority, the Tax Reform Act grants most State and local government agencies that found its continued use necessary the authority to demand it. In short, the Privacy Act and the Tax Reform Act essentially preserved the status quo with respect to the SSN: namely, widespread collection and use of the number.
To make Section 7 of the Privacy Act truly effective-that is, to severely restrict the circumstances under which an individual can be required to divulge his SSN to a government agency-could easily entail costly changes for agencies that rely on the SSN for identification and authentication. If even a few persons asserted their right to refuse to divulge the SSN to a government agency, it would be required to develop and administer a new labelling system, and to revise its automated record-keeping processes. Because of the character of such revisions-which involve creating the capacity for an automated record system to deal with identifiers and authenticators other than the SSN-the cost involved would be essentially the same whether only a few individuals refused to divulge the SSN or all subjects of the system's records declined to disclose the number.
As noted above, the Commission believes that most concern over the use of the SSN as identifier and authenticator can be traced to two sources: (1) the belief that the SSN may facilitate the exchange, consolidation, and linkage of records or information about individuals for purposes which may be unfair to them; and (2) resentment at being labelled with a number. Revisions in Federal policy on the use of the SSN must recognize these concerns.
As to the first point, the Commission agrees with many students of the issue 8 that the SSN is a surrogate for the problem of record linkage, exchange, and consolidation. Much of the Commission's work in other areas has focused on finding solutions to this problem. Although the SSN is often used to facilitate record exchanges, it is only one of many possible ways that records and information can be, and currently are being, linked, exchanged, and consolidated. Technical studies 9 indicate that record-matching techniques using a combination of attributes and labels other than numerical labels (e.g., name, address, birth date, sex) are entirely adequate in many situations and record-keeping organizations do use such means of identification and authentication instead of the SSN. The U.S. Department of Transportation's National Driver Register office, and TRW Credit Data, provide two examples of organizations with large record systems that rely largely on labels other than numerical labels for identification and authentication purposes. The National Driver Register keeps records of license suspensions and revocations throughout the United States and supplies information to States upon request. TRW Credit Data is a large, automated credit bureau described in detail in Chapter 2.
The National Driver Register (NDR) contains about 5.77 million records. It receives 94,000 inquiries daily, produces 3,500 possible matches every day, and mails 900 probable matches to the States. Yet the SSN (or another unique identifier) is not the primary identifier used in this system. Instead, NDR first uses name and date of birth as primary identifiers and then uses sex, height, weight, and eye color to discriminate among records of people with similar or identical names and birth dates. The SSN is, in some cases, used to facilitate this discrimination process, but it is not available for all drivers listed in the system.
Similarly, TRW Credit Data, which has approximately 50 million records in its system, does not use the SSN or another unique identifier as its primary identifier. Like the NDR, it relies on data elements such as name, address, zip code, and age to facilitate its matching processes.10
It is true that if organizations other than the Social Security Administration were forbidden to collect and use the SSN, their exchange of records might be inhibited for a time. Such a prohibition or restriction would, however, be extraordinarily costly and cumbersome, and it would also inhibit record exchanges everyone perceives as wholly desirable along with those perceived to be threatening. Furthermore, organizations which now rely on the SSN would devise alternative methods of identification and authentication that are equally effective for record exchanges.
In any case, the question of the appropriate limitations on exchange of records would remain even if the SSN were done away with altogether. The Commission finds that restrictions on the collection and use of the SSN to inhibit exchange beyond those already contained in law would be costly and cumbersome in the short run, ineffectual in the long run, and would also distract public attention from the need to formulate general policies on record exchanges.
The Commission is sensitive to the second point-the belief that being labelled with the SSN is dehumanizing. Clearly, a society in which each of us is called upon at every turn to state "name, rank, and serial number" is not pleasing to contemplate. The Commission fails to see, however, how drastically restricting the use of the Social Security number would make much difference in this respect, since any other widely used numerical label would, as pointed out earlier, be likely to engender the same feeling. Nonetheless, the Commission believes that some of the concern about dehumanization could be diminished if government agencies and private organizations would examine the circumstances under which they request an individual's SSN, and continue only those in which the SSN furthers a legitimate and valid record-keeping purpose.
Although the Commission's mandate merely states that it may "research, examine, and analyze" the use of the Social Security number and other identifiers, its inquiry led it to conclude that some minor revisions to existing Federal policy on the use of the Social Security number are desirable. The Commission's recommendations and underlying rationale are set forth below.
SECTION 7 OF THE PRIVACY ACT
The Commission considered-and rejected-the idea of recommending repeal of Section 7 as it currently applies to Federal, State, and local government agencies. Although it does believe that, like any restrictions on the collection and use of the SSN, Section 7 does not address the complex problem of permissible exchanges and disclosures of records, the Commission recognizes that Section 7 may be somewhat successful in alleviating citizens' concerns about the "dossier-building" capacity of government. Accordingly, the Commission recommends:
That Section 7 of the Privacy Act be retained for government agencies.
Although the Commission does not believe that legal restrictions on the collection or use of the SSN should be made to apply to private organizations, it recognizes that private organizations are in many cases willing to respond to inquiries by customers and employees regarding whether the organization requires the disclosure of the SSN, and how it will be used and disclosed. To the extent that private organizations respond to such specific inquiries, such information may permit a concerned individual to determine whether the drawbacks he perceives in giving the SSN outweigh the potential benefits, and thus whether he wishes to continue to do business with a company or to take his business elsewhere.
Individuals cannot exercise a similar option with respect to government agencies-there is generally only one government agency with which an individual can "do business"-and thus limitations on the collection of the SSN by government agencies are appropriate even though the Commission considers them to be inappropriate for the private sector.
EXECUTIVE ORDER 9397
The Commission also recommends:
That the President amend Executive Order 9397 (November 30, 1943, 8 Federal Register 237, an order directing Federal agencies to use the Social Security account number when establishing a new system of permanent account numbers) so that Federal agencies may not, as of January 1, 1977, rely on it as legal authority by which to create new demands for the disclosure of an individual's SSN.
Executive Order 9397, issued in 1943 by President Roosevelt, provides in part as follows:
Whereas certain Federal agencies from time to time require in the administration of their activities a system of numerical identification of accounts of individual persons; and . . .
Whereas it is desirable in the interest of economy and orderly administration that the Federal Government move towards the use of a single, unduplicated numerical identification system of accounts and avoid the unnecessary establishment of additional systems;
Now, therefore, . . . it is hereby ordered as follows:
1. Hereafter any Federal department, establishment, or agency shall, whenever the head thereof finds it advisable to establish a new system of permanent account numbers pertaining to individual persons, utilize exclusively the Social Security account numbers ... .
This order has been cited by some Federal agencies as the legal authority permitting them to compel an individual to disclose his SSN to them, especially in cases in which no more specific legal authority for compelling SSN disclosure exists. Section 7 of the Privacy Act appears to suggest that government agencies need specific legal authority to support a request for SSN disclosure, rather than authority of general applicability such as that contained in E.O. 9397. Thus, to the extent that Federal agencies interpret E.O. 9397 as sufficient authority to establish requirements for collection of the SSN, the intent of Section 7 is undermined.
The Commission believes that Federal agencies should no longer be able to rely on E.O. 9397 as authority for new requests for SSN divulgence. In order to minimize the disruption that outright repeal of the order would cause, however, the Commission believes that agencies that cited it as the basis for their requests for the SSN prior to January 1, 1977 should be able to continue to do so. If the Commission's recommendation were adopted, any Federal agency that wishes to support a demand for the SSN after that date would have to seek specific legal authority from the Congress unless some other specific authority is otherwise available to them.
This means that if an agency had cited E.O. 9397 as authority to require disclosure of the SSN for one purpose prior to January 1, 1977-- such as personnel record keeping-it could not cite the executive order as authority for collecting the SSN for a new purpose-such as indexing records about individual contractors-after January 1, 1977. Because Section 7 of the Privacy Act currently requires Federal agencies to tell individuals under what legal authority they are soliciting the SSN, a record of the agencies citing E.O. 9397 as authority, and the purposes for which they requested the SSN pursuant to it, already exists and could be used in enforcing this recommendation.
MONITORING AND FURTHER STUDY
The Commission recommends:
That the independent entity recommended by the Privacy Commission monitor the use of the SSN and other labels by private organizations and consider the desirability and feasibility of future restrictions on the use of the SSN and other labels for identification and authentication purposes.
Although the Commission does not believe that legal restrictions on the collection or use of the SSN by private organizations are appropriate at this time, it realizes that the use of the SSN may be a source of continuing public concern. The Commission hopes that as legislatures, public agencies, and private organizations take steps to apply its recommendations regarding the proper uses of records about individuals, this concern will diminish. If the independent entity recommended by the Commission11 is created by the Congress, it could, however, continue to monitor the use of the SSN by private organizations and recommend legislation if at any point it seemed to be warranted.
STANDARD UNIVERSAL LABEL
Finally, the Commission recommends:
That the Federal government not consider taking any action that would foster the development of a standard, universal label for individuals, or a central population register, until such time as significant steps have been taken to implement safeguards and policies regarding permissible uses and disclosures of records about individuals in the spirit of those recommended by the Commission and these safeguards and policies have been demonstrated to be effective.
Here as elsewhere, the Commission stresses the need to adopt policies regarding the permissible uses and disclosures of records about individuals, and in other chapters of this report the Commission has made recommendations regarding what the permissible uses and disclosures should be in a number of record-keeping areas. These recommendations address the substantive issues of record use and exchange and their adoption would more effectively deal with these issues than would restrictions on the use of the SSN.
At the same time, however, there is currently much debate about the need to develop foolproof methods of identification in order to deter fraudulent uses of standard documents widely used for identification and widely authentication purposes, such as drivers' licenses and Social Security cards. The Commission recognizes that such use of identification documents imposes a heavy cost on industry, government, and society as a whole, but also recognizes that the development of improved identity documents is often viewed as inconsistent with America's tradition of civil liberties. The conflict would become especially acute if a standard universal label were linked to a central population register that maintained records of not only the name and label of each individual, but also his current address, and much more so if such location data were freely available to government agencies and private organizations. Such a central population register could be created anew, or an existing record system-such as one maintained by the Social Security Administration-could serve as such a register.
Because of this potential conflict, the Commission believes that any consideration of a standard universal label and of a record system approximating a central population register, should be postponed until society, through its legislatures, has made significant progress in establishing policies to regulate the use and disclosure of information about individuals collected by both private organizations and government agencies, and until such policies are shown to be effective.
The Commission sees a clear danger that a government record system, such as that maintained by the Social Security Administration or the Internal Revenue Service, will become a de facto central population register unless prevented by conscious policy decisions. Therefore, Recommendation (4), above, means also that the Federal government should act positively to halt the incremental drift toward creation of a standard universal label and central population register until laws and policies regarding the use of records about individuals are developed and shown to be effective.
1. "Label," as used in this chapter, is a general term that includes other identifiers and authenticators in addition to the SSN.
2 See, for example, Measures Relating 10 Vital Records and Vital Statistics, U.S. House of Representatives, Document No. 242, 78th Congress, 1st Session.
3 See DHEW Secretary's Advisory Committee on Automated Personal Data Systems, Records, Computers, and the Rights of Citizens (Washington: U.S. Government Printing Office, 1973), Chapter VII.
4 See Social Security Number Task Force, Report to the Commissioner, Social Security Administration, May 1971.
5 DHEW Secretary's Advisory Committee on Automated Personal Data Systems, op. cit.
6 See Federal Advisory Committee on False Identification, The Criminal Use of False Identification (Washington: U.S. Government Printing Office, 1976).
7 At least three States-Oklahoma, Arkansas, and Virginia-have also enacted statutes restricting compulsory disclosure of the SSN.
8 See, for example, Social Security Number Task Force, Report to the Commissioner, and DHEW Secretary's Advisory Committee on Automated Personal Data Systems, Records, Computers, and the Rights of Citizens.
9 See, for example, Accessing Individual Records from Personal Data Fields Using Non-Unique Identifiers, National Bureau of Standards, Special Publication 500-2.
10 Testimony of TRW Credit Data, Credit Reporting and Payment Authorization Services, Hearings before the Privacy Protection Study Commission, August 4, 1976, p. 468.
11 See Chapter 1 for a discussion of this recommendation.