accesses since November 24, 1999
preprint copyright notice
link to published version: Communications of the ACM, February, 2000
accesses since November 24, 1999
When one changes employers, as I have recently, the different institutional and cultural attitudes become obvious. Consider salary-benefit packages for example. From my perspective, as an academic for the past 20+ years, employers seem to consistently bear about the same institutional cost for benefits - something on the order of 25-30% of salary. This is not to say that everything is equal, for different employers will emphasize different benefits options - a great group health plan may come at the expense of greater pension contributions, etc. But in my world, the employer commitment to employee benefits appears to be a constant.
What does this have to do with Social Security Numbers, the Web and Identity Theft? Well, one of the institutional differences I noticed with my current move was the widespread use of SSNs as primary keys within the university administration, municipal and State government, and a good percentage of utility and communications companies. In my effort to explain to sundry administrative folks just how dangerous the practice of misusing SSNs as primary keys and authenticators in their databases is, and how it exposes the employees and citizens to unnecessary risk, I wrote what became the first draft of this column. The point that the use of SSNs for purposes other than that for which it was intended is an exceedingly bad idea has been made many times. Add the Web, and we have the makings of a disaster that will make Y2k pale in comparison.
The Social Security Act that defined the U.S. Government's attempt to establish an old-age pension system was enacted in August, 1935, as one of President Roosevelt's many depression-era relief, reform and recovery programs. Originally intended for retirement alone, the Act has been periodically amended to include coverage in the form of survivor benefits, disability payments, etc. A byproduct of this legislation was the decision to assign every citizen who qualified for Social Security Benefits and/or contributed a Social Security Tax the unique record identifier which has come to be known as the Social Security Number. The intention from the beginning was that the SSN be a primary identifier only within the Social Security Administration. Then things beyond to unravel.
The first loose thread appeared in 1943 when the Roosevelt administration (executive Order 9397, incidentally) authorized the SSN for as a primary key for other Government databases. Although this practice was stopped in 1975 because of a change in policy brought about by The Privacy Act of 1974 (http://www4.law.cornell.edu/uscode/5/552a.html), by then the toothpaste was out of the tube.)
The Privacy Act brought about a number of changes. For one, it required some disclosures of the Federal agency which requested SSNs. The law mandated that any Government Agency except the SSA must provide a Privacy Act Disclosure Notice to the SSN owner which explains (a) by what authority they are entitled to know a SSN, (b) the intended, primary use of the information, (c) other secondary uses which might be made of the information, and (d) the consequences of refusing to divulge this information.
Second, it loosened the disclosure restrictions for state and local governments. In this case (a) and (b) were combined with a variation of (c) the disclosure of whether the request for SSN is mandatory or voluntary. It is noteworthy (and a major cause of alarm in some circles) that there is at the moment inadequate legal remedies for violations of the Privacy Act by states and municipalities. It is more noteworthy (and an even larger cause for alarm) that there are no explicit prohibitions or penalties for the use of SSNs in business and commerce.
Finally, the Privacy Act recognized the legitimate use of SSNs as primary keys for all Federal Agencies who were using it as such prior to January 1, 1975, thereby ensuring that the toothpaste would never find its way back into the tube.
So, by 1975 the SSN was in widespread use within the Federal Government and available for use by state and local governments subject to disclosure constraints under the Privacy Act. The Tax Reform Act of 1976 expressly authorized the use of the SSN by state and local revenue offices, licensing agencies, etc. To re-use my tired and worn metaphor, by this time the tube was all but empty. But the big threat to privacy was still over a decade away.
The popularity and widespread use of the SSN within governments, whether Federal, state or local, made the Social Security Number a popular choice among business and industry as well. Once the proprietary information of the first giant Government entitlement program, the SSN had in just under 40 years started to take on the character of a reliable, persistent, personal identifier for public use - which is specially ironic given that the original cards stated that they were "not to be used for identification." By everyone's agreement, the Social Security Administration never intended the SSN to be used by the public or commercially, but that hasn't impeded its evolution. This misuse has caused and is causing many problems, and the worst is yet to come.
There are, to be sure, different points of view regarding the unintended use of Social Security Numbers. Some would argue that the non-SSA (or at least the non-Government) use of SSNs makes it far too easy to infringe on personal privacy. Others would point out that the U.S. Constitution makes no mention of any right to privacy in the first place, and that the use of SSNs for commercial purposes is completely legal so long as it confirms to the relevant statutes, and completely ethical so long as it is used responsibly. One might argue that if a SSN was obtained legally (e.g., through lists obtained from licensing bureaus, credit bureaus, or even an occasional warranty response card list), then the responsible re-use by those who purchase these lists is entirely legitimate. The Direct Marketing Association, for example, defines "responsible use" in its codes of conduct, which it demands of its member if they are to be allowed to use the DMA seal of approval.
Consider the following quote from the Better Business Bureau on sensitive data: "Not all personal information is equal. Information, like a social security number or mother's maiden name, is far more sensitive than a name and address that can be found in a phone book. A mother's maiden name is often used to confirm identity and is especially sensitive information." (see, www.bbbonline.org/consumers/tips.html) The message is emphasized again on the BBB Website under 'online shopping': "Be cautious if you're asked to supply personal information, such as your Social Security number or personal bank account information. They should not be required to make a purchase." As an anecdote, I recently purchased a car from a dealer who was apoplectic over my refusal to provide my SSN, my home address and my telephone number for the sales contract. But in the end, the dealer wanted the cash more than the information, so the deal was consummated, no one the worse for wear. The plain fact of the matter is that if credit isn't involved, there's never a reason to give out a SSN. And if credit is involved, there shouldn't be - but we're getting sidetracked.
But this column is not about the debate over the legitimate right to obtain information about individuals vs. their desire for privacy. It is not about issues of states rights, or primary keys, or whether the commercial use of SSN is in the public good. This is about the use of SSNs as an instrument of crime - and the use of the Web as an unwitting co-conspirator.
Concerns about the impact of digital networks on personal privacy have been raised as long as there have been digital networks. For the past decade, researchers and developers alike have created a formidable array of utilities and tools to protect Internet privacy. These include:
Offsetting such technology are utilities such as
And all of this takes place in the context of Government anti-privacy initiatives such as the Clipper Chip and the recent judicial decisions such as the "Pillsbury Case" that determined that employees have no legitimate right to expect privacy from email which passes through the employer's network.
Identity theft will be the undoing of the blissful ignorance we have maintained with respect to the misuse of SSNs. As any victim can attest, identity theft can destroy personal credit and potentially lead to very expensive litigation from which it may take years, or perhaps decades, to fully recover. And computer technology is right at the heart of the problem.
Identity theft works in the following way. Important information is compiled on someone with good credit. Likely sources include:
Of all the pieces of information to be gained, the SSN is the "holy grail" of identity thieves. With that number, one can potentially access all of the databases which use SSNs as primary database key. Where pre-cyberspace thugs concerned themselves only with the cash and credit cards in a wallet, thereby limiting the "take" to the sum of the cash and that part of the credit limit that could be captured before the cards were cancelled, the bounty of the identity thief is the entire credit worthiness of a person. Their ability to buy homes, cars, educational loans - everything! In urban areas, identity theft rings eagerly pay a premium for stolen wallets that contain the SSN and other identifying data - the stolen credit cards can be left for the street urchins.
Of course, this would be a problem even if it were not for the Internet - as personal records in each state and municipal database could be accessed with very little information - SSN, mother's maiden name, address, etc. would do for starters. But what complicates things is the reckless abandon with which we have allowed the collection and dissemination of highly personal and confidential information the Web. In the absence of prohibitive legislation and substantial penalties for non-compliance, cyberspace is becoming a paradigm of untrustworthy systems.
Our two themes, the history of misuse (or at least unintended use) of SSNs on the one hand, and the evolution of privacy concerns with respect to the Internet and Web on the other, converge on theft identity. This may prove to be one of the most negative consequences of the Web. Identity theft, and sundry related computer crimes ported over to the Internet, may become an un-paralleled, de-stabilizing force for twenty-first century society to deal with. And yet it didn't have to happen. If only the SSA had held on to their proprietary identifiers, and the Web had evolved with provisions for regulating the posting of identifying data, this problem could have been avoided. By Travis Perry's (see sidebar) estimate, there are 500,000 cases of identity theft each year. By law enforcement accounts, identity theft is the fastest growing crime in the U.S.
In the end society will have been the victim of two well-intentioned concepts which just through a few twists of fate will come together to produce a great deal of harm. One would think that after dealing with the industrial revolution, the space age, radio and television, the computer era, and now the digital networks, we would have learned to be more socially responsible with our technology. At this point, the price for even modest security is perpetual vigilance.