EPIC logo

Testimony and Statement for the Record of

Chris Jay Hoofnagle

Associate Director, Electronic Privacy Information Center

Protecting the Privacy of Consumers' Social Security Numbers

House Committee on Energy and Commerce

Subcommittee on Commerce, Trade, and Consumer Protection

September 28, 2004

2123 Rayburn House Office Building

2:00 PM


Chairman Stearns, Ranking Member Schakowsky, and Members of the Subcommittee, thank you for extending the opportunity to testify on protecting Social Security Numbers.

My name is Chris Hoofnagle and I am associate director with the Electronic Privacy Information Center (EPIC), a not-for-profit research organization based in Washington, D.C.  Founded in 1994, EPIC has participated in cases involving the privacy of the Social Security Number (SSN) before federal courts and, most recently, before the Supreme Court of New Hampshire.[1]  EPIC has also taken a leading role in campaigns against the use of globally unique identifiers (GUIDs) involving the Intel Processor Serial Number and the Microsoft Corporation's Passport identification and authentication system. EPIC maintains an archive of information about the SSN online at http://www.epic.org/privacy/ssn/.

In previous testimony to Congress, EPIC has recommended a strong framework of Fair Information Practices to create rights and responsibilities for individuals and collectors of the SSN.  In 2001, EPIC Executive Director Marc Rotenberg traced the history of the SSN as an identifier, highlighted the use of the SSN in the financial services sector, and raised privacy issues associated with the Social Security Administration's Death Master File.[2] In 2002, EPIC testified that the problem of identity theft had grown worse, that the states were acting to limit collection and disclosure of the SSN, and that 107 H.R. 2036, the Social Security Number Privacy and Identity Theft Protection Act of 2001 could limit misuse of the SSN.[3] In 2003, EPIC appeared again to testify in favor of privacy protections, highlighting recent abuses, the continuing unnecessary use of the SSN as an identifier by both private and public sector entities, and the developing trends of state legislation crafted to limit collection and use of the identifier.[4]  In June 2004, EPIC provided an overview and recommendations for 108 H.R. 2971, the Social Security Number Privacy and Identity Theft Prevention Act of 2003.[5]  We testified that the bill was a good start, but could use improvement.

In today's testimony, we highlight a substitute version of 108 H.R. 2971.  We make recommendations to strengthen the bill.  We then cite examples of state SSN regulation that could be adopted at the federal level to provide an umbrella of protections for the SSN.

I.          Recommendations for 108 H.R. 2971, the Social Security Number Privacy and Identity Theft Prevention Act of 2003

Introduced in July 2003, H.R. 2971 is the latest of a series of bills designed to enhance protections for the SSN and to promote the integrity of the identifier.  It enjoys bipartisan support in the House of Representatives.  The substitute measure contains many of the protections we recommended in our June 2004 testimony.  However, some sections have been changed to the detriment of privacy.  We highlight those sections below.

Title I of the bill sets forth limitations on government disclosure of SSNs.  Broadly put, this title would prohibit executive, legislative, or judicial entities from disclosing the SSN, subject to certain exceptions.

We think it critical to make several changes to section 101.  First, the legislation amends 42 U.S.C. § 405(c)(2)(C) to protects SSNs where the identifier has been given to an agency "pursuant to the assertion by such agency…that disclosure of such number is mandatory."  This is a serious weakness in the bill that is keyed upon a requirement in the Privacy Act that government entities disclose whether SSN collection is mandatory or voluntary.  Many state entities, in particular, do not comply with this disclosure requirement in the Privacy Act.  As a result, individuals do not always understand whether SSN collection is mandatory or voluntary.  Oddly, the legislation as drafted would reward agencies that didn't comply with the Privacy Act's voluntary/mandatory notice requirements by also immunizing them from prohibitions on SSN disclosure.  We recommend striking this language.

We recommend removal of exemption VI in section 101, which gives credit reporting agencies wholesale access to SSNs in the hands of the government.  It is not the role of government to collect SSNs from citizens, who are often under legal compulsion to provide the identifier, and then release the SSNs to the private sector for the purpose of compiling dossiers.  Professor Daniel Solove has fully articulated how this model of information flow is unfair to individuals and privacy invasive:

Imagine that the government had the power to compel individuals to reveal a vast amount of personal information about themselves - where they live, their phone numbers, their physical description, their photograph, their age, their medical problems, all of their legal transgressions throughout their lifetimes whether serious crimes or minor infractions, the names of their parents, children, and spouses, their political party affiliations, where they work and what they do, the property that they own and its value, and sometimes even their psychotherapists' notes, doctors' records, and financial information.
Then imagine that the government routinely poured this information into the public domain - by posting it on the Internet where it could be accessed from all over the world, by giving it away to any individual or company that asked for it, or even by providing entire databases of personal information upon request. In an increasingly "wired" society, with technology such as sophisticated computers to store, transfer, search, and sort through all this information, imagine the way that the information could be combined or used to obtain even more personal information.[6]

In section 101, we recommend harmonizing the definition of "sale" (to be codified at 42 U.S.C. § 405(c)(2)(C)(x)(IX)) with other references to the term that appear in the legislation.  The definition appearing in section 108, which defines sell as "to obtain, directly or indirectly, anything of value in exchange for such number," is more appropriate.

In section 101, we recommend removal of language that would allow continued disclosure of just the last four digits of the SSN, even with the six-year sunset.  These last four digits are the unique portion of the SSN, and the legislation's protections are significantly weakened if this portion can sill be displayed.

Section 102 specifies the authority of the Attorney General to create exemptions to the general prohibition on government disclosure of the SSN.  We agree with the standard set forth by the legislation—that SSNs should not be disclosed absent a compelling interest that cannot be served through the employment of alternative measures.  This same standard should apply to sale of the SSN to the general public.  Currently, the substitute measure would require the Attorney General to engage in a balancing test of the benefits and harms associated with the sale of the SSN to the private sector. 

We think that exceptions to the general prohibition should be limited in duration.  A time limit will encourage users of the SSN to transition to alternative identifiers.  Exceptions that are not time limited will ensure that SSN users never transition to alternative measures.

Section 103 would codify an important safeguard—a prohibition of printing SSNs on checks issued by governments.  This is a common sense protection against identity theft.  It is necessary because a standard check with a SSN contains all the personal information necessary for commission of identity theft.

Section 104 would prohibit states from displaying the SSN on driver's licenses.  Again, this is a common sense approach to preventing identity theft.  Indeed, many states already incorporate a ban on printing the SSN on driver's licenses.[7]  Such a prohibition makes it more likely that the SSN will not appear in the wallet of individuals, thus reducing the risk that a lost or stolen wallet will provide the personal information necessary to commit identity theft. 

Section 106 would prohibit government entities from allowing prisoners to have access to the SSN.  We think that this too is a common sense protection, in light of the Metromail case, where a company employed prisoners to enter personal information from surveys into computers. This resulted in a stalking case where a prisoner harassed a woman based on information she submitted on a survey.  The woman received mail from a convicted rapist and burglar who knew everything about her—including her preferences for bath soap and magazines.  The woman sued and as a result of a class-action suit, Metromail may no longer use prisoners to process personal information.[8] Nevertheless, a general prohibition on inmate access to SSNs is appropriate, and California and Kentucky already have passed legislation to keep SSNs out of the hands of prisoners.[9]

Section 108 generally prohibits disclosure of the SSN in the private sector, subject to exceptions.  We think it important to limit exceptions to the general prohibition in order to curb private sector use of the SSN.  First, the exception for public health purposes should be limited to "emergency public health purposes."  In its current articulation, this exception could allow medical providers and insurance companies to continue to rely upon the SSN in normal operations.  Limiting the exception will encourage the industry to shift away from the identifier.  We note that Empire Blue Cross is transitioning its 4.8 million customers away from the SSN as an identifier, demonstrating that it is possible for large health care operations to use an alternative identifier.[10]

Section 108 contains an exception for SSNs of the deceased, meaning that they could be freely traded on the market.  We think there are important public policy reasons to place some protections on SSNs of the deceased.  SSNs of deceased individuals should receive protection for the same reasons that justify protections for living individuals; those reasons include preventing fraud and identity theft.  Additionally, criminals are known to assume the identities of deceased individuals in order to engage in criminal acts and to avoid law enforcement.  Some protection for these identifiers is justified.

Section 109 codifies a much-needed protection for the SSN.  Prior to the implementation of the Gramm-Leach-Bliley Act, CRAs and other entities sold SSNs in credit headers to individuals outside Fair Credit Reporting Act regulation.  We understand that some businesses are still selling SSNs from credit headers that were collected before implementation of Gramm-Leach-Bliley.  Section 108 would eliminate this unregulated sale of SSNs by tying the identifier to the credit report, and thus to protections in the Fair Credit Reporting Act.

Section 110 contains important protections against the practice of "coercive disclosure," a practice where an entity conditions provision of a product or service based on disclosure of the SSN.  Maine, New Mexico, and Rhode Island have established protections against coercive disclosure, and we think it a good idea to federalize this important right to enhance privacy of the SSN.[11]

II.        States Have Innovated Clever Protections for the SSN; Congress Should Consider Incorporating Them in 108 H.R. 2971

In recent years, state legislatures have functioned in their traditional roles as "laboratories of democracy," creating new approaches to enhancing the privacy of SSNs.  These privacy protections demonstrate that major government and private-sector entities can still operate in environments where disclosure and use of the SSN is limited.  They also provide examples of protections that should be considered at the federal level.

Some States Have Placed Broad Prohibitions on Disclosure and Use by Government and Private Entities

Colorado Governor Bill Owens signed H.B. 1311, legislation that creates important new protections for the SSN that took effect this summer.  The new law will limit the collection of the SSN and its incorporation in licenses, permits, passes, or certificates issued by the state.  The law requires the establishment of policies for safe destruction of documents containing the SSN.  Insurance companies operating in the state must remove the SSN from consumers' identification cards.  Finally, the legislation creates new penalties for individuals who use others' personal information to injure or defraud another person.

A law taking effect in January 2005 in Arizona prohibits the disclosure of the SSN to the general public, the printing of the identifier on government and private-sector identification cards, and establishes technical protection requirements for online transmission of SSNs.[12]  The new law also prohibits printing the SSN on materials mailed to residents of Arizona.  Exceptions to the new protections are limited—companies that wish to continue to use the SSN must do so continuously, must disclose the use of the SSN annually to consumers, and must afford consumers a right to opt-out of continued employment of the SSN.  Arizona's new law is based on California Civil Code § 1798.85.

Special Protections Have Been Crafted for Students

A number of states have passed legislation limiting colleges and universities from employing the SSN as a student identifier.  Limiting use of the SSN in this context reduces the risk of identity theft, as databases of student information, student identity cards, and even posting of grades sometimes contain SSNs. 

In Arizona, major universities can no longer use the SSN as the student identifier.[13]  In Colorado, as of July 2003, public and private postsecondary institutions were required to establish protections for the SSN and discontinue its use as the primary student identifier.[14]  New York and West Virginia prohibit all public and private schools from using the SSN as a primary identifier.[15]  Kentucky law allows students to opt-out of use of the SSN as student identifier.[16]

Protections Crafted for Public, Vital, and Death Records

Commercial data brokers obtain SSNs from a number of sources, including public records that individuals are required to file in order to enjoy important rights and privileges offered by society.  For instance, marriage licenses have been a source for SSNs and a number of states, including Arizona, California, Indiana, Iowa, Kentucky, Louisiana, Maine, Montana, Ohio, and Michigan, have enacted legislative protections to prevent their disclosure.[17]

Birth and death records are rich in personal information, and states have acted to shield SSNs collected in these life events against disclosures.  Arizona, California, Illinois, Kansas, Maine, Maryland, Massachusetts, Minnesota, Mississippi, Missouri, New Hampshire, and other states limit the appearance of the parents' SSN on birth records.[18]  Similarly, several states restrict disclosure of the SSN in records associated with death.[19]

Protections Against Pretexting Should Be Considered

We wish to raise one additional concern here—even legitimate collection of the SSN contributes to unauthorized access to the identifier.  That is, we are increasingly aware of manuals for private investigators and other materials suggesting that SSNs can be obtained from motor vehicle departments, applications for professional licenses, and even tax returns.[20] In these cases, the investigator probably obtains the identifier through a friend or contact working at the institution with a SSN. Alternatively, the manuals suggest the use of "pretexting," a practice where an investigator requests personal information from an entity while pretending to be another person or while pretending to have a legitimate reason for access to the information.  The Gramm-Leach-Bliley Act prohibits pretexting with respect to financial, securities, and insurance companies, but the law doesn't apply to pretexting targeted at employers, utility companies, or other entities that have SSNs.  The Subcommittee should consider whether expanding protections against pretexting would enhance the privacy of the SSN.


We think that the privacy and integrity of SSNs could be enhanced through the passage of federal legislation that limits the collection and approved uses of the identifier.  We urge the Subcommittee to examine state laws that have created new, clever protections for the SSN.  We look forward to continuing to work with the Subcommittee on this and other privacy matters.

[1] Estate of Helen Remsburg v. Docusearch, Inc., et al, C-00-211-B (N.H. 2002).  In Remsburg, the "Amy Boyer" case, Liam Youens was able to locate and eventually murder Amy Boyer through hiring private investigators who tracked her by her date of birth, Social Security Number, and by pretexting.  EPIC maintains information about the Amy Boyer case online at http://www.epic.org/privacy/boyer/.

[2] Social Security Numbers and Identity Theft, Joint Hearing Before the House Financial Services Subcommittee on Oversight and Investigations and the House Ways and Means Subcommittee on Social Security, Nov. 8, 2001 (testimony of Marc Rotenberg, Executive Director, EPIC), available at http://www.epic.org/privacy/ssn/testimony_11_08_2001.html.

[3] Hearing on Preserving the Integrity of Social Security Numbers and Preventing Their Misuse by Terrorists and Identity Thieves, Joint Hearing Before the House Ways and Means Subcommittee on Social Security and the House Judiciary Subcommittee on Immigration, Border Security, and Claims, Sept. 19, 2002 (testimony of Chris Jay Hoofnagle, Legislative Counsel, EPIC), available at http://www.epic.org/privacy/ssn/ssntestimony9.19.02.html.

[4] Hearing on Use and Misuse of the Social Security Number, Hearing Before the House Ways and Means Subcommittee on Social Security, July 10, 2003 (testimony of Chris Jay Hoofnagle, Deputy Counsel, EPIC), available at http://www.epic.org/privacy/ssn/testimony7.10.03.html.

[5] Hearing on Enhancing Social Security Number Privacy, Before the House Ways and Means Subcomm. on Social Security, 108th Cong. (2004) (statement of Chris Hay Hoofnagle, associate director, Electronic Privacy Information Center), available at http://www.epic.org/privacy/ssn/ssntestimony6.15.04.html

[6] Professor Daniel Solove describes this problem in Access and Aggregation: Public Records, Privacy, and the Constitution, 86 Minnesota Law Review 1137 (2002), available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=283924.

[7] See Ariz. Rev. Stat. § 28-3158; C.R.S. § 42-2-107; C.R.S. § 42-3-302; D.C. Code Ann. § 50-402; O.C.G.A. § 40-3-23; HRS § 286-109; HRS § 286-239; Idaho Code § 49-306; Idaho Code § 49-2444; Ky. Rev. Stat. Ann.§186.412; Mont. Code Ann. §61-5-111(2)(b); Nev. Rev. Stat. Ann. § 483.345; .N.H. Rev. Stat. Ann. §263:40-a; N.D. Cent. Code 39-06-14; Ohio Rev. Code Ann. §4501.31; Okla. Stat. Ann. tit. 47, § 6-106 (2002); Pa. Cons. Stat. Ann. § 1510;  Tenn Code Ann. § 55-50-331; Tex. Trans. § 521.044; Va. Code Ann. § 46.2-342; Wash. Rev. Code Ann. § 26.23.150.

[8] During litigation, Metromail claimed that they had not violated the woman's privacy, that they had no duty to inform individuals that prisoners were processing their personal data, and that the data processed was not highly intimate or embarrassing.  Beverly Dennis, et al. v. Metromail, et al., No. 96-04451, Travis County, Texas.

[9] Cal Pen Code § 4017.1, § 5071; Cal Wel & Inst Code § 219.5; Ky. Rev. Stat. Ann. § 131.191.

[10] Empire Blue Cross Will End Use Of SSNs, Use Alternate Number System, Privacy and Security Law Report (Jun. 7, 2004) at 666.

[11] 2003 Me. ALS 512; N.M. Stat. Ann. §57-12B-3; R.I. Gen Laws §6-13-17.

[12] Ariz. Rev. Stat. § 44-1373.

[13] Ariz. Rev. Stat. §15-1823.  Rhode Island and Wisconsin have similar protections.  R.I. Gen. Laws § 16-38-5.1; Wis. Stat. Ann. § 36.11(35).

[14] C.R.S. § 23-5-127.

[15] N.Y. Educ. Law § 2-b; W. Va. Code Ann. §18-2-5f.

[16] Ky. Rev. Stat. Ann.156.160. See also Ky. Rev. Stat. Ann.197.120.

[17] Ariz. Rev. Stat.  § 25-121; Cal Fam Code § 2024.5; Burns Ind. Code Ann. § 31-11-4-4; Iowa Code § 595.4; Ky. Rev. Stat. Ann. 402.100; La. R.S. 9:224; 19-A M.R.S. § 651; MCL § 333.2813; Mont. Code Ann. § 40-1-107; Ohio Rev. Code Ann. § 3101.05.

[18] See Ariz. Rev. Stat. § 36-322; Cal Health & Saf Code § 102425; 410 ILCS 535/11; K.S.A. § 65-2409a; 22 M.R.S. § 2761; Md. Ann. Code § 4-208; ALM GL ch. 111, § 24B; Minn. Stat. § 144.215; Miss. Code Ann. § 41-57-14; Mo. Rev. Stat. § 193.075; Mo. Rev. Stat. § 454.440; N.H. Rev. Stat. Ann. § 5-C:10.

[19] See Ariz. Rev. Stat. §16-165; Cal Health & Saf Code § 102231; Idaho Code § 67-3007; Burns Ind. Code Ann. § 16-37-3-9; La R.S. § 23:1671; N.D. Cent. Code § 23-02.1-28.

[20] See e.g. Lee Lapin, How to Get Anything on Anybody 533-543 (Intelligence Here, 3d ed. 2003) (section titled "How to Find Anyone's Social Security Number" suggests thirty sources for the SSN, including driver's license applications, bankruptcy filings, court records, bank files, utility records, professional and recreational licenses, and employment files).

EPIC Privacy Page | EPIC Home Page

Last Updated: September 28, 2004
Page URL: http://www.epic.org/privacy/ssn/privacy/ssntestimony9.28.04.html