RISKS-LIST: RISKS-FORUM Digest  Thursday, 24 December 1987  Volume 5 : Issue 83

------------------------------

To: RISKS FORUM (Peter G. Neumann -- Coordinator)
Cc: rpick@ucqais.uc.edu (Roger Pick), willis@rand-unix.ARPA
Subject: Social Insecurity (Re: RISKS-5.82)
Date: Thu, 24 Dec 87 09:12:05 PST
From: willis@rand-unix.ARPA

Let's talk about the SSN some more, even tho it's been done a lot.

Originally the SSN was the number that identified one's account with the SSA; hence, it was like a bank account number. As we all know, the cards and literature from the SSA all specifically say: Not an identification number. In fact it was called the SSAN.

As the SSN spread throughout society, someone along the way observed that it could play the role of a personal identifier. I do not recall, may not even ever have known, the first such occurrence.

The best definitive treatment of the SSN and its role in society is chapter 16 of the report of the Privacy Protection Study Commission: Personal Privacy in an Information Society, July 1977, USGPO. I wrote the original drafts of the chapter, and at the time, it was factually complete and accurate. It is of course now 10 years old.

Generally speaking, there are only a few situations in which one is obligated by law to give his SSN. Aside from the SSA business, it generally revolves around tax reporting and secondary aspects of same. Thus, financial transactions require the SSN but it's still really a tax matter because the IRS wants to track financial matters in its own interests.

At least one state has required by law that the SSN be the driver license number and it was upheld in court; I think it was Virginia. Another state tried but was shot down in court; it may have been Illinois. UCLA tried to use it as a student ID but backed off when threatened by a student in a court case.

The point is that most organizations that ask for it do not have a legal basis for requesting it.
Rather, it's more like a condition of doing business with the organization. In that respect, it's like one's phone number or driver license, one or both of which are commonly asked for in California when making a bankcard purchase.

On occasion, I have challenged such requests, usually successfully, but it's always a hassle because the clerks are only doing as told. The phone number is easy; give any one that comes to mind. That one has never backfired on me; I and a lot of other people give a business phone. After all why advertise a residential number that you pay to keep unlisted?

I have corresponded with MasterCard about this, but it can do nothing to control the merchants. They do not require it of the merchants, and it's not clear to me why the merchants even want the supplementary data. I suppose they believe that the driver license number may lead to a good current address and that a phone number may be useful in a collection action.

I frankly feel uneasy about a phone number, a DL number, and a bankcard number on one piece of paper being handled by people who are not trained or accustomed to dealing with sensitive personal information. The combination of numbers makes it all that much easier to masquerade.

Organizations try circuitous ways to get the SSN. For example, when one gets or renews a driver license in California, he finds a place for inserting the SSN but without explanation. The sheep among the population of course fill it in without asking although there is no statement on the form saying that it is required. The presence of the blank space for the SSN implies that it is a required data item. If one asks about it though (and clearly I have) he's told that "it's optional". How about that as a way to finesse people and get data that the state has no legal basis for requesting? It's clear why they want it; it makes it easier to correlate DMV data with that from insurance companies.

Anyway, the best you can do is to ask anyone: Under what legal authority do you request my SSN? If there's no answer or a poor answer, then you're in the confrontation business -- which maybe you can win by escalating it up the line to the top of the organization. It's not unheard of for the administrative or ADP types to make a policy decision to use the SSN without the concurrence or knowledge of the top management.

My usual line of argument is: "You have no legal basis for requesting my SSN and you have no need for it."

If there is no legal basis for requesting it, your choices are:

1. Do business with another company, or at least, threaten to.

2. Continue to confront and ignore the requests as long as you can. Sometimes ignoring the request will make it go away.

3. Give an incorrect SSN number to satisfy the request, but realize that in doing so, there could always be a backlash if there happens to be a legitimate use for it. This amounts to seeding the recordkeeping system with noisy data.

I think it's rather clear what's going on. The company you deal with has adopted the SSN as a convenient personal identifier. You might be able to force it to issue its own identifier. Sometimes an insurance company will contract with some outsider for record keeping support so the decision may have originated elsewhere.

In the end, it's a Catch-22 situation. One doesn't always have competition to give him alternate choices, or he may prefer the company that's bugging him. All any of us can do is drag our feet, refuse as often as possible, and bring pressure wherever possible. At the same time we need to know when we're legally obligated to give the SSN and what the penalty is for not doing so.

That's a quick once-over lightly. One individual at Los Alamos contested a request for his SSN and as I recall, with success. I don't wish to intrude on his privacy by publishing his name/contact publicly. If you're interested in his case, I'll pass along names/addresses to him.

Willis H. Ware, Rand Corporation