Computer Professionals for Social Responsibility
Many people are concerned about the number of organizations asking for their Social Security Numbers. They worry about invasions of privacy and the oppressive feeling of being treated as just a number. Unfortunately, I can't offer any hope about the dehumanizing effects of identifying you with your numbers. I *can* try to help you keep your Social Security Number from being used as a tool in the invasion of your privacy.
Surprisingly, government agencies are reasonably easy to deal with; private organizations are much more troublesome. Federal law restricts the agencies at all levels of government that can demand your number and a fairly complete disclosure is required even if the disclosure is voluntary. There are no comparable Federal laws either restricting the uses non-government organizations can make of it, or compelling them to tell you anything about their plans. Some states have recently enacted regulations on collection of SSNs by private entities. With private institutions, your main recourse is refusing to do business with anyone whose terms you don't like. They, in turn, are allowed to refuse to deal with you on those terms.
Universities that accept federal funds are subject to the Family Educational Rights and Privacy Act of 1974 (the "Buckley Amendment", it's on-line at http://www.cpsr.org/cpsr/privacy/law/education_records_privacy.txt), which prohibits them from giving out personal information on students without permission. There is an exception for directory information, which is limited to names, addresses, and phone numbers, and another exception for release of information to the parents of minors. There is no exception for Social Security Numbers, so covered Universities aren't allowed to reveal students' numbers without their permission. In addition, state universities are bound by the requirements of the Privacy Act, (so they have to give a Privacy Act notice if they ask for a SSN). If they make uses of the SSN which aren't covered by the disclosure they are in violation.
The application for US Passports (DSP-11 12/87) requests a Social Security Number, but doesn't give enough information in its Privacy Act notice to verify that the Passport office has the authority to request it. There is a reference to "Federal Tax Law" and a misquotation of Section 6039E of the 1986 Internal Revenue Code, claiming that that section requires that you provide your name, mailing address, date of birth, and Social Security Number. The referenced section only requires TIN (SSN), and it only requires that it be sent to the IRS (not to the Passport office). It appears that when you apply for a passport, you can refuse to reveal your SSN to the passport office, and instead mail a notice to the IRS, give only your SSN (other identifying info optional) and notify them that you are applying for a passport. [Copies (in postscript) of the letter that was used by one contributor can be found at http://www.cpsr.org/cpsr/privacy/ssn/passport.ps.Z. I've since heard from | other readers who have also used this technique successfully.] |
I have recently gotten several reports of a new Federal requirement that employer-provided health plans must get employees to provide the SSNs of all covered dependents, including minor children. I don't have complete or authoritative information on this yet, but it seems that the Omnibus Budget Reconciliation Act of 1993 required employers to collect social security numbers for each plan participant, including dependents. The part that bureaucrats weren't reporting was that this requirement wasn't supposed to go| into effect until January, 1995. [March 95: I haven't heard anything recently about it. No requests for SSNs,| no word about cancelling the program.] |
According to a note in the Federal Register on May 10, 1994, the department of Health and Human Services requested that the requirements be delayed for 18 months in order that the requirements could be made more consistent with (then impending) health care reform legislation. I don't know whether the delay was ever implemented, but you can probably keep your HR department busy by telling them that HHS wanted a delay. You can also point them at the compliance requirements in HHS' proposed regulations; they require only a good faith effort on the employer's part, and even define what that is.
"An employer is deemed to have made a reasonable good faith effort to provide the information with respect to the name and TIN of each other individual covered by the group health plan with respect to the reports for a specific calendar year if the employer can prove that it has established a systematic method to obtain the necessary information that includes both (i) a documented initial effort to obtain the necessary information from the electing individual and (ii) a documented follow-up effort if the electing individual does not respond to the initial effort."In any case, when the federal government requires your employer to collect SSNs from you, it has to provide a form with a Privacy Act notice. If your personnel department asks you to give them your dependents' SSNs, ask to see a Privacy Act notice. If necessary, ask them to look at the statement on W-4 forms and tell them that they need a statement like it in order for the request to be legal.
The Family Support Act of 1988 (Pub. L. 100-485) requires states to require parents to give their Social Security Numbers in order to get a birth certificate issued for a newborn. The law allows the requirement to be waived for "good cause", but there's no indication of what may qualify.
The IRS requires taxpayers to report SSNs for dependents over one year of age when you claim them as a deduction, but the requirement can be avoided if you're prepared to document the existence of the child by other means if the IRS challenges you. The law on this can be found at 26 USC 6109. The penalty for not giving a dependent's number is only $5. Several people have reported that they haven't provided SSNs for their dependents for several years, and haven't been challenged by the IRS.
The guidelines for dealing with non-governmental institutions are much more tenuous. Most of the time private organizations that request your Social Security Number can get by quite well without your number, and if you can find the right person to negotiate with, they'll willingly admit it. The problem is finding that right person. The person behind the counter is often told no more than "get the customers to fill out the form completely."
Most of the time, you can convince them to use some other number. Usually the simplest way to refuse to give your Social Security Number is simply to leave the appropriate space blank. One of the times when this isn't a strong enough statement of your desire to conceal your number is when dealing with institutions which have direct contact with your employer. Most employers have no policy against revealing your Social Security Number; they apparently believe that it must be an unintentional slip when an employee doesn't provide an SSN to everyone who asks.
Employers are required by the IRS to get the SSNs of people they hire. They often ask for it during the interview process, but there are good reasons to refuse if you can afford to argue with the potential employer. Some of them use the SSN to check credit records, to look for criminal history, and otherwise to delve into your past in areas you might object to. Tell them you'll give them your SSN when you accept their offer. They have no legitimate use for it before then.
Public utilities (gas, electric, phone, etc.) are considered to be private organizations under the laws regulating SSNs. Most of the time they ask for an SSN, and aren't prohibited from asking for it, but they'll usually relent if you insist. See the other suggestions below under "What you can do to protect your number" for more ideas.
Banks and various others are required by the IRS to report the SSNs of account holders to whom they pay interest. If you don't tell them your number you will probably either be refused an account or be charged a penalty such as withholding of taxes on your interest.
Most banks send your name, address, and SSN to a company called ChexSystem when you open an account. ChexSystem keeps a database of people whose accounts have been terminated for fraud or chronic insufficient funds in the past 5 years. ChexSystems is covered by the Fair Credit Reporting Act, and the bank is required to let you know if it refuses to open your account and a report from ChexSystems was a factor. You can also send a letter to ChexSystems directly (Consumer Relations, 1550 E. 79th Street, Suite 700, Minneapolis, MN 55425) and request a copy of their report on you.
Many Banks, Brokerages, and other financial institutions have started implementing automated systems to let you check your balance. All too often, they are using SSNs as the PIN that lets you get access to your personal account information. If your bank does this to you, write them a letter pointing out how common it is for the people with whom you have financial business to know your SSN. Ask them to change your PIN, and if you feel like doing a good deed, ask them to stop using the SSN as a default identifier for their other customers. Some customers will believe that there's some security in it, and be insufficiently protective of their account numbers.
Sometimes banks provide for a customer-supplied password, but are reluctant to advertise it. The only way to find out is to ask if they'll let you provide a password. (This is reportedly true of Citibank Visa, for instance. They ask for a phone number but are willing to accept any password.)
When buying (or refinancing) a house, you have to give your number, because the bank is required to report the interest you pay. Most banks will now ask for your Social Security Number on the Deed of Trust. This is because the Federal National Mortgage Association requires it. The fine print in their regulation admits that some consumers won't want to give their number, and allows banks to leave it out when pressed. [It first recommends getting it on the loan note, but then admits that it's already on various other forms that are a required part of the package, so they already know it. The Deed is a public document, so there are good reasons to refuse to put it there, even though all parties to the agreement already have access to your number.]
No laws require private medical service providers to use your Social Security Number as an ID number. They often use it because it's convenient or because your employer uses it to identify employees to its groups health plan. In the latter case, you have to get your employer to change their policies. Often, the people who work in personnel assume that the employer or insurance company requires use of the SSN when that's not really the case. When a previous employer asked for my SSN for an insurance form, I asked them to find out if they had to use it. After a week they reported that the insurance company had gone along with my request and told me what number to use.
Most insurance companies share access to old claims through the Medical Information Bureau. If your insurance company uses your SSN, other insurance companies will have a much easier time finding out about your medical history. You can get a copy of the file MIB keeps on you by writing to Medical Information Bureau, P.O. Box 105, Essex Station, Boston, MA 02112. Their phone number is (617)426-3660.
If an insurance agent asks for your Social Security Number in order to "check your credit", point out that the contract is invalid if your check bounces or your payment is late. Insurance is always prepaid, so they don't need to know what your credit is like, just whether your check cleared.
Blood banks also ask for the number but are willing to do without if pressed on the issue. After I asked politely and persistently, the (non-Red Cross) blood bank I go to agreed that they didn't have any use for the number. They've now expunged my SSN from their database, and they seem to have taught their receptionists not to request the number. I've gotten one report that some branches of the Red Cross will issue a "file number" in lieu of your SSN if you insist. It's probably the case that not all branches (and especially not all receptionists) know about this possibility, so it will pay to be persistent.
Blood banks have changed their policies back and forth a few times in the last several years. When the AIDS epidemic first hit, they started using SSNs to identify all donors, so someone who was identified as HIV-positive at one blood bank wouldn't be able to contaminate the blood supply by donating at a different site. For a few years, they were a little looser, and though they usually asked for SSNs, some would allow you to donate if you provided proof of your identity. (I showed a Driver's license, but didn't let them copy down the number.) Now the Federal Government has declared blood banks to be "manufacturers" of a medical product, and imposed various Quality Control processes on them.
The Blood bank I go to now asks for SSNs, and if you refuse, allows you to give a Driver's License number. I balked at that, since I hadn't had to give it before. They let me donate, but while I was eating cookies, the director of Quality Control came down and talked to me. After a little bit of discussion, she was satisfied to have me pick an ID number that I promised to remember and provide when I visisted again. So, once again, if you want to protect your SSN and your privacy, it pays to push back when they ask.
Social Security numbers were introduced by the Social Security Act of 1935. They were originally intended to be used only by the social security program. In 1943 Roosevelt signed Executive Order 9397 which required federal agencies to use the number when creating new record-keeping systems. In 1961 the IRS began to use it as a taxpayer ID number. The Privacy Act of 1974 required authorization for government agencies to use SSNs in their data bases and required disclosures (detailed below) when government agencies request the number. Agencies which were already using SSN as an identifier before January 1, 1975 were allowed to continue using it. The Tax Reform Act of 1976 gave authority to state or local tax, welfare, driver's license, or motor vehicle registration authorities to use the number in order to establish identities. The Privacy Protection Study Commission of 1977 recommended that EO9397 be revoked after some agencies referred to it as their authorization to use SSNs. It hasn't been revoked, but no one seems to have made new uses of the SSN recently and cited EO9397 as their sole authority, either.
Several states use the SSN as a driver's license number, while others record it on applications and store it in their database. Some states that routinely use it on the license will make up another number if you insist. According to the terms of the Privacy Act, any that have a space for it on the application forms should have a disclosure notice. Many don't, and until someone takes them to court, they aren't likely to change.
The Privacy Act of 1974 (Pub. L. 93-579, in section 7) requires that any federal, state, or local government agency that requests your Social Security Number has to tell you four things:
1: Whether disclosure of your Social Security Number is required or optional,
2: What statute or other authority they have for asking for your number,
3: How your Social Security Number will be used if you give it to them, and
4: The consequences of failure to provide an SSN.
In addition, the Act says that only Federal law can make use of the Social Security Number mandatory (at 5 USC 552a note). So anytime you're dealing with a government institution and you're asked for your Social Security Number, just look for the Privacy Act Statement. If there isn't one, complain and don't give your number. If the statement is present, read it. If it says giving your Social Security Number is voluntary, you'll have to decide for yourself whether to fill in the number.
Database designers continue to introduce the Social Security Number as the key when putting together a new database or when re-organizing an old one. Some of the qualities that are (often) useful in a key and that people think they are getting from the SSN are uniqueness, universality, security, and identification. When designing a database, it is instructive to consider which of these qualities are actually important in your application; many designers assume unwisely that they are all useful for every application, when in fact each is occasionally a drawback. The SSN provides none of them, so designs predicated on the assumption that it does provide them will fail in a variety of ways.
Many people assume that Social Security Numbers are unique. They were intended by the Social Security Administration to be unique, but the SSA didn't take sufficient precautions to ensure that it would be so. They have several times given a previously issued number to someone with the same name and birth date as the original recipient, thinking it was the same person asking again. There are a few numbers that were used by thousands of people because they were on sample cards shipped in wallets by their manufacturers. (One is given below.)
The passage of the Immigration reform law in 1986 caused an increase in the duplicate use of SSNs. Since the SSN is now required for employment, illegal immigrants must find a valid name/SSN pair in order to fool the INS and IRS long enough to collect a paycheck. Using the SSN when you can't cross-check your database with the SSA means you can count on getting some false numbers mixed in with the good ones.
Not everyone has a Social Security Number. Foreigners are the primary exception, but many children don't get SSNs until they're in school (and some not until they get jobs). They were only designed to be able to cover people who were eligible for Social Security. If your database will keep records on organizations as well as individuals, you should realize that they're not covered either.
Few people ever ask to see an SSN card; they believe whatever you say. The ability to recite nine digits provides little evidence that you're associated with the number in anyone else's database.
There's little reason to carry your card with you anyway. It isn't a good form of identification, and if your wallet is lost or stolen, it provides another way for the thief to hurt you.
Older cards are not at all forgery-resistant, even if anyone did ever ask for it. (Recently-issued cards are more resistant to forgery.) The numbers don't have any redundancy (no check-digits) so any 9-digit number in the range of numbers that have been issued is a valid number. It's relatively easy to write down the number incorrectly, and there's no way to tell that you've done so.
In most cases, there is no cross-checking that a number is valid. Credit card and checking account numbers are checked against a database almost every time they are used. If you write down someone's phone number incorrectly, you find out the first time you try to use it. An incorrect SSN might go unnoticed for years in some databases. In others it will likely be caught at tax time, but could cause a variety of headaches.
When you give out your number, you are providing access to information about yourself. You're providing access to information that you don't have the ability or the legal right to correct or rebut. You provide access to data that is irrelevant to most transactions but that will occasionally trigger prejudice. Worst of all, since you provided the key, (and did so "voluntarily") all the info discovered under your number will be presumed to be true, about you, and relevant.
A major problem with the use of SSNs as identifiers is that it makes it hard to control access to personal information. Even assuming you want someone to be able to find out some things about you, there's no reason to believe that you want to make all records concerning yourself available. When multiple record systems are all keyed by the same identifier, and all are intended to be easily accessible to some users, it becomes difficult to allow someone access to some of the information about a person while restricting them to specific topics.
Unfortunately, far too many organizations assume that anyone who presents your SSN must be you. When more than one person uses the same number, it clouds up the records. If someone intended to hide their activities, it's likely that it'll look bad on whichever record it shows up on. When it happens accidentally, it can be unexpected, embarrassing, or worse. How do you prove that you weren't the one using your number when the record was made?
If despite your having written "refused" in the box for Social Security Number, it still shows up on the forms someone sends back to you (or worse, on the ID card they issue), your recourse is to write letters or make phone calls. Start politely, explaining your position and expecting them to understand and cooperate. If that doesn't work, there are several more things to try:
If someone absolutely insists on getting your Social Security Number, you may want to give a fake number. There are legal penalties for providing a false number when you expect to gain some benefit from it. A federal court of appeals ruled that using a false SSN to get a Driver's License violates the federal law.
There are a few good choices for "anonymous" numbers. Making one up at random is a bad idea, as it may coincide with someone's real number and cause them some amount of grief. It's better to use a number like 078-05-1120, which was printed on "sample" cards inserted in thousands of new wallets sold in the 40's and 50's. It's been used so widely that both the IRS and SSA recognize it immediately as bogus, while most clerks haven't heard of it. The Social Security Administration recommends that people showing Social Security cards in advertisements use numbers in the range 987-65-4320 through 987-65-4329.
There are several patterns that have never been assigned, and which therefore don't conflict with anyone's real number. They include numbers with any field all zeroes, and numbers with a first digit of 8 or 9. For more details on the structure of SSNs and how they are assigned, click here.
Giving a number with an unused pattern rather than your own number isn't very useful if there's anything serious at stake since it's likely to be noticed.
If you're designing a database or have an existing one that currently uses SSNs and want to use numbers other than SSNs, you should make your identifiers use some pattern other than 9 digits. You can make them longer or shorter than that, or include letters somewhere inside. That way no one will mistake the number for an SSN.
The Social Security Administration recommends that you request a copy of your file from them every few years to make sure that your records are correct (your income and "contributions" are being recorded for you, and no one else's are.) As a result of a recent court case, the SSA has agreed to accept corrections of errors when there isn't any contradictory evidence, SSA has records for the year before or after the error, and the claimed earnings are consistent with earlier and later wages. (San Jose Mercury News, 5/14, 1992 p 6A) Call the Social Security Administration at (800) 772-1213 and ask for Form 7004, (Request for Earnings and Benefit Estimate Statement.)
There aren't any federal laws that explicitly forbid the collection of SSNs. However, there is a body of law, intended to prohibit the misuse of credit cards, that is written vaguely enough that it could be interpreted to cover personal collections of SSNs. The laws are at 18 USC 1029, and cover what is called "access device fraud." An access device is "any card, plate, code, account number or other means of access that can be used, alone or in conjunction with another access device, to obtain money, goods, services, or any other thing of value, or that can be used to initiate a transfer of value." The law forbids the possession, "knowingly and with intent to defraud" of fifteen or more devices which are counterfeit or unauthorized access devices." If interstate commerce is involved, penalties are up to $10,000 and 10 years in prison.
The Social Security Administration (SSA) will occasionally issue a replacement SSN. The most common justification is that the SSA or the IRS has mixed together earnings records from more than one person, and since one of the people can't be located, it's necessary to issue a new number to the other. The SSA tries very hard to contact the person who is using the number incorrectly before resorting to this process.
There are a few other situations that the SSA accepts as justifying a new number. The easiest is if the number contains the sequences 666 or 13. The digits need to be consecutive according to SSA's policy manual, but may be separated by hyphens. You apparently don't have to prove that your religious objection is sincere. Other commonly accepted complaints include that someone who is harassing you is tracing you through your SSN, sequential numbers assigned to family members, or serious impact on your credit history that you've tried to clear up without success.
In all cases, the process includes an in-person interview at which you have to establish your identity and show that you are the original assignee of the number. The decision is normally made in the local office. If the problem is with a credit bureau's records, you have to show that someone else continues to use your number, and that you tried to get the credit bureau to fix your records but were not successful. When they do issue a new number, the new records are linked to the old ones. (Unless you can convince them that your life might be endangered by such a link.)
There are a few justifications that they don't accept at all: attempting to avoid legal responsibilities, poor credit record which is your own fault, lost SSN card (without evidence that someone else has used it), or use of the number by government agencies or private companies.
The only justification the SSA accepts for cancelling the issuance of an SSN is that the number was assigned under their Enumeration at Birth (wherein SSNs are assigned when birth certificates are issued) program without the parent's consent. In this case, the field officer is instructed to try very hard to convince the parent that getting the number revoked is futile, but to give in when the parent is persistent.
The Ohio Supreme Court ruled October 26 that SSNs of public employees are not public records, and so the city of Akron acted correctly in not disclosing them in response to a request from the Akron Beacon Journal. The newspaper had asked for copies of the city's employee master files, and the city had provided the bulk of the records, but had deleted the SSNs on privacy grounds. EPIC, on behalf of CPSR, wrote a friend of the court brief with the Public Citizen Litigation group arguing in favor of the city. The EPIC brief was based, in part, on the Greidinger v. Davis case (C.A.4, 1993), 988 F.2d 1344 decided in Virginia in 1993
If you have suggestions for improving this document please send them to me:
Chris Hibbert firstname.lastname@example.org or 1195 Andre Ave. Mountain View, CA 94040
The SSN FAQ is available from two places: rtfm.mit.edu (by FTP or EMail), or cpsr.org (by FTP or http).
rtfm.mit.edu is a standard archive which has many other FAQs.
cpsr.org has other resources on privacy, SSNs, and related subjects. Other directories contain information on pending legislation, the 1st amendment, computer security, cryptography, FOIA, NII, and CPSR.