Testimony and Statement for the Record of
Marc Rotenberg
Executive Director, Electronic Privacy Information Center
Adjunct Professor, Georgetown University Law Center
Hearing on the
Use and Misuse of the Social Security Number
Subcommittee on Social Security
Committee on Ways and Means
U.S. House of Representatives
May 22, 2001
B-318 Rayburn House Office Building
My name is Marc Rotenberg and I am the executive director of the Electronic Privacy Information Center, a public interest research organization based here in Washington DC. I am also on the faculty of the Georgetown University Law Center where I have taught the Law of Information Privacy for ten years. I have also participated in the litigation of two of the leading cases on the use of the Social Security Number.
I appreciate the opportunity to testify this morning. I will briefly review the legal status of efforts to regulate the use of the SSN, discuss some of the recent problems with universal unique identifiers, such as the SSN, and make a few brief recommendations. I believe that legislation to limit the collection and use of the SSN is appropriate, necessary, and fully consistent with US law. I also believe that if Congress fails to act, the problems that consumers will face in the next few years are likely to increase significantly.
I should note also that the Supreme Court just yesterday issued a ruling in an important case concerning a First Amendment challenge to the publication of information obtained by means of illegal wiretap. I will say a few words about the possible significance of this opinion for SSN legislation under consideration now by Congress.
History of the SSN and the Efforts to Regulate
The Social Security Number (SSN) was created in 1936 as a nine-digit account number assigned by the Secretary of Health and Human Services for the purpose of administering the Social Security laws. SSNs were first intended for use exclusively by the federal government as a means of tracking earnings to determine the amount of Social Security taxes to credit to each worker's account. Over time, however, SSNs were permitted to be used for purposes unrelated to the administration of the Social Security system. For example, in 1961 Congress authorized the Internal Revenue Service to use SSNs as taxpayer identification numbers.1
A major government report on privacy in 1973 outlined many of the concerns with the use and misuse of the Social Security Number that show a striking resemblance to the problems that consumers face today. Although the term "identity theft" was not yet in use, Records, Computers and the Rights of Citizens described the risks of a "Standard Universal Identifier," how the number was promoting invasive profiling, and that many of the uses were clearly inconsistent with the original purpose of the 1936 Act. The report recommended several limitations on the use of the SSN and specifically said that legislation should be adopted "prohibiting use of an SSN, or any number represented as an SSN for promotional or commercial purposes."2
In response to growing concerns over the accumulation of massive amounts of personal information and the recommendations contained in the 1973 report, Congress passed the Privacy Act of 1974. Among other things, this Act makes it unlawful for a governmental agency to deny a right, benefit, or privilege merely because the individual refuses to disclose his SSN. This is a critical principle to keep in mind today because consumers in the commercial sphere often face the choice of giving up their privacy, their SSN, to obtain a service or product. The drafters of the 1974 law tried to prevent citizens from facing such unfair choices, particularly in the context of government services. But there is no reason that this principle could not apply equally to the private sector, and that was clearly the intent of the authors of the 1973 report.
In addition, Section 7 of the Privacy Act further provides that any agency requesting an individual to disclose his SSN must "inform that individual whether that disclosure is mandatory or voluntary, by what statutory authority such number is solicited, and what uses will be made of it."3 At the time of its enactment, Congress recognized the dangers of widespread use of SSNs as universal identifiers. In its report supporting the adoption of this provision, the Senate Committee stated that the widespread use of SSNs as universal identifiers in the public and private sectors is "one of the most serious manifestations of privacy concerns in the Nation."4 Short of prohibiting the use of the SSN outright, this provision in the Privacy Act attempts to limit the use of the number to only those purposes where there is clear legal authority to collect the SSN. It was hoped that citizens, fully informed where the disclosure was not required by law and facing no loss of opportunity in failing to provide the SSN, would be unlikely to provide an SSN and institutions would not pursue the SSN as a form of identification.
The use of the SSN has expanded significantly since the provision was adopted in 1974. This is particularly clear in the financial services sector. In an effort to collect and share financial information about Americans, companies trading in financial information are the largest private-sector users of SSNs, and it is these companies that are among the strongest opponents of SSN restrictions. For example, credit bureaus maintain over 400 million files, with information on almost ninety percent of the American adult population. These credit bureau records are keyed to the individual SSN. Such information is freely sold and traded, virtually without legal limitations.5
But it is also critical to understand that the legal protection to limit the collection and use of the SSN is still present in the Privacy Act and can be found also in court decisions, which recognize that there is a constitutional basis to limit the collection and use of the Social Security Number. When a Federal Appeals court was asked to consider whether the state of Virginia could compel a voter to disclose an SSN that would subsequently be published in the public voting rolls, the Court noted the growing concern about the use and misuse of the SSN, particularly with regard to financial services. The Fourth Circuit said:
Since the passage of the Privacy Act, an individual's concern over his SSN's confidentiality and misuse has become significantly more compelling. For example, armed with one's SSN, an unscrupulous individual could obtain a person's welfare benefits or Social Security benefits, order new checks at a new address on that person's checking account, obtain credit cards, or even obtain the person's paycheck. . . . . Succinctly stated, the harm that can be inflicted from the disclosure of a SSN to an unscrupulous individual is alarming and potentially financially ruinous.6
The Court said that:
The statutes at issue compel a would-be voter in Virginia to consent to the possibility of a profound invasion of privacy when exercising the fundamental right to vote. As illustrated by the examples of the potential harm that the dissemination of an individual's SSN can inflict, Greidinger's decision not to provide his SSN is eminently reasonable. In other words, Greidinger's fundamental right to vote is substantially burdened to the extent the statutes at issue permit the public disclosure of his SSN.7
The Court concluded that to the extent the Virginia voting laws, "permit the public disclosure of Greidinger's SSN as a condition of his right to vote, it creates an intolerable burden on that right as protected by the First and Fourteenth Amendments."8
In a second case, testing whether a state could be required to disclose the SSNs of state employees under a state open record law where there was a strong presumption in favor of disclosure, the Ohio Supreme Court held that there were privacy limitations in the federal Constitution that weighed against disclosure of the SSN. The court concluded that:
We find today that the high potential for fraud and victimization caused by the unchecked release of city employee SSNs outweighs the minimal information about governmental processes gained through the release of the SSNs. Our holding is not intended to interfere with meritorious investigations conducted by the press, but instead is intended to preserve one of the fundamental principles of American constitutional law -- ours is a government of limited power. We conclude that the United States Constitution forbids disclosure under the circumstances of this case. Therefore, reconciling federal constitutional law with Ohio's Public Records Act, we conclude that [the provision] does not mandate that the city of Akron discloses the SSNs of all of its employees upon demand.9
While it is true that many companies and government agencies today use the Social Security Number indiscriminately as a form of identification, it is also clear from the 1936 Act, the 1974 provision, and these two cases -- Greidinger v. Davis and Beacon Journal v. City of Akron -- that there is plenty of legislative and judicial support for limitations on the collection and use of the SSN. The question is therefore squarely presented whether the Congress will at this point in time follow in this tradition, respond to growing public concern, and establish the safeguards that are necessary to ensure that the problems associated with the use of the SSN do not increase.
More recently, the question has been raised whether the First Amendment could limit the ability of Congress to pass legislation protecting personal information. But two different courts in the context of the privacy provisions contained in the Financial Services Modernization Act have made clear that such statutes are permissible.
In TransUnion v. FTC the DC Circuit found that the government's interest in keeping personally identifiable information private was substantial and upheld the FTC's ban on the sale of target marketing lists. And a DC District Court in IRSG v. FTC upheld restrictions on "credit header" information, which includes names, address, and social security number, and said that:
The speech does not involve any matter of public concern, but consists of information of interest solely to the speaker and the client audience. Thus, restriction on the dissemination of this nonpublic personal information does not impinge upon any public debate.
Id. at 51.
In some circumstances, for example when the SSN is used in the context of political speech, then the privacy interest would likely give way to the First Amendment interest. If, for example, a journalist or a political activist were to disclose an SSN for the purpose of drawing attention to a privacy issue, then I believe a court must review any effort to restrict such speech under strict scrutiny analysis. But where the SSN is collected, used, and disclosed in the context of commercial relations, then I believe a privacy statute would survive a Constitutional challenge.
Specific Problems with the IRSG
Several years ago significant public concern was raised about information brokers that routinely buy and sell detailed personal information, including Social Security Numbers. The Individual Reference Services Group was established to improve practices in the industry. We do not believe these principles provide sufficient safeguards for consumers. We also do not think the discussion between public and non-public information incorporated in GLB is consistent with the general purpose of privacy laws.
IRSG companies gather and sell Social Security numbers. Social Security numbers are collected from a variety of public and non-public sources. Public documents such as bankruptcy filings and other types of court records often contain Social Security numbers of the parties to a proceeding. Non-public documents such as credit headers, the identifying information at the top of credit reports (including names, addresses, ages and SSNs), are also culled for information. IRSG companies use both public and non-public sources of personal information to compile data on individuals.
During 1997, the IRSG worked with the Federal Trade Commission, absent public input, to develop a set of self-regulatory principles.10 These self-regulatory principles allow the sale of Social Security numbers without the knowledge and permission of the data subject.
Under the IRSG Principles, companies can freely sell and distribute SSNs gathered from public records. The IRSG Principles treat the same data, Social Security numbers, differently if it comes from a non-public source such as credit headers. However, the guidelines for the sale of Social Security numbers from non-public sources are completely subjective and largely ignore the privacy interests of the data subject.
The IRSG Principles create a three-tier system for the sale of information gathered from non-public sources. The first tier for the sale of Social Security numbers applies to "qualified subscribers." Complete Social Security numbers can be sold to those deemed to fall into this category. There is no definition of what makes someone who wishes to purchase a social security number a "qualified subscriber." Moreover, the conditions that qualified subscribers must meet under the IRSG Principles rely entirely on the determination of the data seller and the data purchaser on what is an "appropriate" use of such information. The data subject, the person whose Social Security number is being collected and sold, has no input into whether such use is in fact "appropriate."11 The balancing process for deciding whether such uses are appropriate is carried out by the parties selling and purchasing the data; that is, the ones that have a strong interest in letting a transaction proceed. In addition, IRSG companies do not have a strong incentive to establish whether information is being sold to a responsible entity that will use data in a strictly appropriate manner.
Oversight of IRSG companies is generally weak. Yearly assessments required by the IRSG Principles are conducted by "reasonably qualified independent professional" services. The assessment criteria, in many places, simply ask whether IRSG companies have some process in place, rather than evaluating whether such a process is effective.12 The assessment criteria do not seek to evaluate whether such qualifications are stringent enough or even if they are evenly applied among different IRSG companies. The criteria do not even try to offer some metric against which qualifications can be measured. In addition, none of the results of assessments are publicly displayed. None of the third-party assessments conducted in the past three years provide the answers to the questions asked during the assessments.13 The third-party assessment information page simply lists the company that conducted the assessment.
The failings of the IRSG Principles, and their general disregard of privacy protections, are a result of the lack of statutory protections for the underlying information. Without such legal protection for personal information, companies like the members of the IRSG will continue to traffic in personal data without the knowledge or permission of data subjects.
Crafting SSN legislation
We believe it is appropriate, necessary and consistent with other privacy measures to develop and enact legislation in the 107th Congress that will safeguard the use of the SSN. We also believe it is important to take a long-term view of the SSN. The best legislative strategy is one that discourages the collection of the SSN and that encourages organizations to develop alternative systems of record identification.
We further recommend that legislation:
- Limit the use of the SSN to those circumstances where use is explicitly authorized by law. For example, an employer should be permitted to ask an employee for an SSN for tax-reporting purposes (as long as the SSN remains the Taxpayer Identification Number), but a health club should not be permitted to ask a customer for an SSN as a condition of membership.
- Prohibit the sale and limit the display of the SSN by government agencies. It is simply inconsistent with Section 7 of the Privacy Act to allow the federal government to disseminate the SSN.
- Prevent companies from compelling consumers to disclose their SSN as a condition of service or sale unless there is a statutory basis for the request.
- Penalize the fraudulent use of another person's SSN but not the use of an SSN that is not associated with an actual individual. This would permit, for example, a person to provide a number such as "123-00-6789" where there is no intent to commit fraud.
- Encourage the development of alternative, less intrusive means of identification. We believe that the National Research Council should be funded to undertake research on new techniques that enable records management while minimizing privacy risks.
We do not believe there is any reason to distinguish between Internet-based and non-Internet based disclosure of SSN. The legislation in this area should focus on the subject matter and remain "technologically neutral." We also favor a proposal made by Robert Ellis Smith, publisher of the Privacy Journal, that would prohibit the sale or purchase of an SSN.
It is important to emphasize the unique status of the Social Security Number in the world of privacy. There is no other form of individual identification that plays a more significant role in record-linkage and no other form of personal identification that poses a greater risk to personal privacy. Given the unique status of the SSN, the established link to identity theft and the specific economic harms that result, as well as the clear history in federal statute and case law, it is fully appropriate for Congress to pass legislation.
Thank you for the opportunity to testify today. I will be pleased to answer your questions.
1. Pub. L. No. 87-397, 75 Stat. 828 (codified as amended at 26 U.S.C. §§ 6113, 6676) cited in Greidinger at 27-28.
2. Records, Computers and the Rights of Citizens at 135.
3. (a)(1) It shall be unlawful for any Federal, State, or local government agency to deny any individual any right, benefit or privilege provided by law because of such individual's refusal to disclose his social security account number. (2) the provisions of paragraph (1) of this subsection shall not apply with respect to - (A) any disclosure which is required by Federal statute, or (B) the disclosure of a social security number to any Federal, State, or local agency maintaining a system of records in existence and operating before January 1, 1975, if such disclosure was required under statute or regulation adopted prior to such date to verify the identity of an individual. (b) Any Federal, State, or local government agency which requests an individual to disclose his social security account number shall inform that individual whether that disclosure is mandatory or voluntary, by what statutory or other authority such number is solicited, and what uses will be made of it.
See Pub. L. No. 93-579, 7. This provision of the Privacy Act was never codified, but is instead set out as a historical note to 5 U.S.C.A 552a (West 1996).
4. S.Rep. No. 1183, 93d Cong., 2d Sess., reprinted in 1974 U.S. Code Cong. & Admin. News 6916, 6943, cited in Greidinger at 29.
5. Komuves at 557.
6. Greidinger at 30-31.
7. Greidinger at 32-33.
8. Greidinger at 36.
9. Beacon Journal at 17.
11. The terms appropriate or appropriately are defined as "actions or uses that are reasonable under the circumstances reflecting a balance between the interest of individual privacy and legitimate business, governmental, and personal uses of information, including prevention and detection of fraud."
Electronic Privacy Information Center, "Social Security Numbers" [http://www.epic.org/privacy/ssn/]
Flavio L. Komuves, "A Perspective on Privacy, Information Technology and the Internet: We've Got Your Number: An Overview of Legislation and Decisions to Control the Use of Social Security Numbers as Personal Identifiers," 16 J. Marshall J. Computer & Info. L. 529 (1998)
Testimony of Marc Rotenberg, Computer Professionals for Social Responsibility, "Use of Social Security Number as a National Identifier," Before the Subcomm. on Social Security of the House Comm. on Ways and Means, 102d Cong., 1st Sess. 71 (February 27, 1991)
Greidinger v. Davis, 988 F.2d 1344 (4th Cir. 1993) and brief amicus curiae for CPSR (Marc Rotenberg and David Sobel) (SSN requirement for voter registration) (lead case on privacy of Social Security number)
Beacon Journal v. City of Akron, 70 Ohio St. 3d 605 (Ohio 1994) and brief amicus curiae for CPSR (Marc Rotenberg and David Sobel) (SSN disclosure of city employees)
IRSG v. FTC, Memorandum Opinion, D.C. Cir., Apr. 30, 2001.
Marc Rotenberg, Privacy Law Sourcebook: United States Law, International Law, and Recent Developments (EPIC 2000)
Department of Health, Education, and Welfare, Records, Computers, and the Rights of Citizens 108-35 (MIT 1973) (Social Security Number as a Standard Universal Identifier and Recommendations Regarding Use of Social Security Number)