💾 Archived View for aphrack.org › issues › phrack35 › 6.gmi captured on 2021-12-04 at 18:04:22. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2021-12-03)

-=-=-=-=-=-=-

                               == Phrack Inc. ==

                 Volume Three, Issue Thirty-five, File 6 of 13

                *****  Social Security Numbers & Privacy  *****
                 ***                                       ***
                  *     b y   C h r i s   H i b b e r t     *
                 ***                                       ***
                *****            June 1, 1991             *****

                Computer Professionals for Social Responsibility

Many people are concerned about the number of organizations asking for their
Social Security Numbers.  They worry about invasions of privacy and the
oppressive feeling of being treated as just a number.

Unfortunately, I can't offer any hope about the dehumanizing effects of
identifying you with your numbers.  I *can* try to help you keep your Social
Security Number from being used as a tool in the invasion of your privacy.

Surprisingly, government agencies are reasonably easy to deal with; private
organizations are much more troublesome.  Federal law restricts the agencies at
all levels of government that can demand your number and a fairly complete
disclosure is required even if its use is voluntary.  There are no comparable
laws restricting the uses non-government organizations can make of it, or
compelling them to tell you anything about their plans.  With private
institutions, your main recourse is refusing to do business with anyone whose
terms you don't like.



Social Security numbers were introduced by the Social Security Act of 1935.
They were originally intended to be used only by the social security program,
and public assurances were given at the time that use would be strictly
limited.  In 1943 Roosevelt signed Executive Order 9397 which required federal
agencies to use the number when creating new record-keeping systems.  In 1961
the IRS began to use it as a taxpayer ID number.  The Privacy Act of 1974
required authorization for government agencies to use SSNs in their data bases
and required disclosures (detailed below) when government agencies request the
number.  Agencies which were already using SSN as an identifier were allowed to
continue using it.  The Tax Reform Act of 1976 gave authority to state or local
tax, welfare, driver's license, or motor vehicle registration authorities to
use the number in order to establish identities.  The Privacy Protection Study
Commission of 1977 recommended that the Executive Order be repealed after some
agencies referred to it as their authorization to use SSNs.  I don't know
whether it was repealed, but that practice has stopped.

The Privacy Act of 1974 (5 USC 552a) requires that any federal, state, or local
government agency that requests your Social Security Number has to tell you
three things:

     1.  Whether disclosure of your Social Security Number is required or
         optional;

     2.  What law authorizes them to ask for your Social Security Number; and,

     3.  How your Social Security Number will be used if you give it to them.

In addition, the Act says that only Federal law can make use of the Social
Security Number mandatory.  So anytime you're dealing with a government
institution and you're asked for your Social Security Number, just look for the
Privacy Act Statement.  If there isn't one, complain and don't give your
number.  If the statement is present, read it.  If it says giving your Social
Security Number is voluntary, you'll have to decide for yourself whether to
fill in the number.



The guidelines for dealing with non-governmental institutions are much more
tenuous.  Most of the time private organizations that request your Social
Security Number can get by quite well without your number, and if you can find
the right person to negotiate with, they'll willingly admit it.  The problem is
finding that right person.  The person behind the counter is often told no more
than "get the customers to fill out the form completely."

Most of the time, you can convince them to use some other number.  Usually the
simplest way to refuse to give your Social Security Number is simply to leave
the appropriate space blank.  One of the times when this isn't a strong enough
statement of your desire to conceal your number is when dealing with
institutions which have direct contact with your employer.  Most employers have
no policy against revealing your Social Security Number; they apparently
believe the omission must have been an unintentional slip.



Banks and credit card issuers are required by the IRS to report the SSNs of
account holders to whom they pay interest or when they charge interest and
report it to the IRS.  If you don't tell them your number you will probably
either be refused an account or be charged a penalty such as withholding of
taxes on your interest.



No laws require medical service providers to use your Social Security Number as
an ID number (except for Medicare, Medicaid, etc).  They often use it because
it's convenient or because your employer uses it to certify employees to its
groups health plan.  In the latter case, you have to get your employer to
change their policies.  Often, the people who work in personnel assume that the
employer or insurance company requires use of the SSN when that's not really
the case.  When my current employer asked for my SSN for an insurance form, I
asked them to try to find out if they had to use it.  After a week they
reported that the insurance company had gone along with my request and told me
what number to use.  Blood banks also ask for the number but are willing to do
without if pressed on the issue.  After I asked politely and persistently, the
blood bank I go to agreed that they didn't have any use for the number, and is
in the process of teaching their receptionists not to request the number.



The Social Security Number doesn't work well as an identifier for several
reasons.  The first reason is that it isn't at all secure; if someone makes up
a nine-digit number, it's quite likely that they've picked a number that is
assigned to someone.  There are quite a few reasons why people would make up a
number: to hide their identity or the fact that they're doing something;
because they're not allowed to have a number of their own (illegal immigrants,
e.g.), or to protect their privacy.  In addition, it's easy to write the number
down wrong, which can lead to the same problems as intentionally giving a false
number.  There are several numbers that have been used by thousands of people
because they were on sample cards shipped in wallets by their manufacturers
(one is included below).

When more than one person uses the same number, it clouds up the records.  If
someone intended to hide their activities, it's likely that it'll look bad on
whichever record it shows up on.  When it happens accidently, it can be
unexpected, embarrassing, or worse.  How do you prove that you weren't the one
using your number when the record was made?

A second problem with the use of SSNs as identifiers is that it makes it hard
to control access to personal information.  Even assuming you want someone to
be able to find out some things about you, there's no reason to believe that
you want to make all records concerning yourself available.  When multiple
record systems are all keyed by the same identifier, and all are intended to be
easily accessible to some users, it becomes difficult to allow someone access
to some of the information about a person while restricting them to specific
topics.



If despite your having written "refused" in the box for Social Security Number,
it still shows up on the forms someone sends back to you (or worse, on the ID
card they issue), your recourse is to write letters or make phone calls.  Start
politely, explaining your position and expecting them to understand and
cooperate.  If that doesn't work, there are several more things to try:

     1.  Talk to people higher up in the organization.  This often works simply
         because the organization has a standard way of dealing with requests
         not to use the SSN, and the first person you deal with just hasn't
         been around long enough to know what it is.

     2.  Enlist the aid of your employer.  You have to decide whether talking
         to someone in personnel, and possibly trying to change corporate
         policy is going to get back to your supervisor and affect your job.

     3.  Threaten to complain to a consumer affairs bureau.  Most newspapers
         can get a quick response.  Some cities, counties, and states also have
         programs that might be able to help.

     4.  Tell them you'll take your business elsewhere (and follow through if
         they don't cooperate).

     5.  If it's a case where you've gotten service already, but someone
         insists that you have to provide your number in order to have a
         continuing relationship, you can choose to ignore the request in hopes
         that they'll forget or find another solution before you get tired of
         the interruption.

If someone absolutely insists on getting your Social Security Number, you may
want to give a fake number.  There is no legal penalty as long as you're not
doing it to get something from a government agency or to commit fraud.  There
are a few good choices for "anonymous" numbers. Making one up at random is a
bad idea, as it may coincide with someone's real number and cause them some
amount of grief.  It's better to use a number like 078-05-1120, which was
printed on "sample" cards inserted in thousands of new wallets sold in the 40s
and 50s. It's been used so widely that both the IRS and SSA recognize it
immediately as bogus, while most clerks haven't heard of it.  It's also safe to
invent a number that has only zeros in one of the fields. The Social Security
Administration never issues numbers with this pattern.  They also recommend
that people showing Social Security cards in advertisements use numbers in the
range 987-65-4320 through 987-65-4329.

The Social Security Administration recommends that you request a copy of your
file from them every few years to make sure that your records are correct.

                                ***************
                                ***         ***
                                *** THE END ***
                                ***         ***
                                ***************
_______________________________________________________________________________