Date:       Thu, 16 Jun 94 13:14:23 EST
Errors-To:  Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From:       Computer Privacy Digest Moderator  <comp-privacy@uwm.edu>
To:         Comp-privacy@uwm.edu
Subject:    Computer Privacy Digest V4#078

Computer Privacy Digest Thu, 16 Jun 94              Volume 4 : Issue: 078

Today's Topics:			       Moderator: Leonard P. Levine

                   Seeking IRS Spokesman's Statement
                         Forever SSN Problems..
                       Local Law Enforcement BBS
          Electronic Monitoring of Employees in the Workplace
                       Brooks Statement on Crypto
                   Nightline: Your Secrets For Sale
                  Re: Terminology & Foreign Investing
               Re: SSNs, Drivers and Students in Kentucky
                  Re: Information Required by Employer
                       Social Security Number FAQ

   The Computer Privacy Digest is a forum for discussion on the effect 
  of technology on privacy.  The digest is moderated and gatewayed into 
  the USENET newsgroup comp.society.privacy (Moderated).  Submissions 
  should be sent to comp-privacy@uwm.edu and administrative requests 
  to comp-privacy-request@uwm.edu.  Back issues are available via 
  anonymous ftp on ftp.cs.uwm.edu [129.89.9.18].  Login as "ftp" 
  with password "yourid@yoursite".  The archives are in the directory 
  "pub/comp-privacy".   Archives are also held at ftp.pica.army.mil
  [129.139.160.133].
----------------------------------------------------------------------

From: swd_lrr@afds.cca.rockwell.com (Lance Reichert)
Date: 14 Jun 94 14:19:05 GMT
Subject: Seeking IRS Spokesman's Statement
Organization: Rockwell International

A month to a month and a half ago, I saw an article summarizing an IRS
spokesman's speech regarding modernizing the IRS' computer system.  The
woman (I can't remember who) included comments to the effect that it is
their goal to monitor money flow, calculate our tax returns for us and
then give us the opportunity to disagree.

I didn't save a copy (beating my head on the desk), although I did
cross-post it to a BBS echo.  I can't remember who wrote it or even in
which newsgroup I saw it; I only hope it was c.s.p.

If my description rings a bell, can you help me locate this?

Thank you.

-=[ Support your local SAR team... Get lost! ]=-
   --==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--
    swd_lrr@afds.cca.rockwell.com       -or- || Don't believe everything
    lance.reichert@f120.n283.z1.fidonet.org  || you read.  Whatever you
    8E03 8D25 7D69 07F4  8845 6CCA 28E8 67CF || _do_ believe, make sure
    BOMBREAKGBORDERESERVENCRYPTARGETRAITORSA || you DON'T believe the
    PGPRESIDENTWACKENHUTFEMARSHALLETHALAJFBI || opinions embodied herein
    EXPOSECRETFEDERALIASCIASSASINATEDEAGUNSA || are Rockwell's!
   --==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--


------------------------------

From: david@c-cat.PG.MD.US (Dave)
Date: 14 Jun 94 16:47:07 EDT
Subject: Forever SSN Problems..
Organization: China Cat BBS (301)604-5976

Where does it all end?  It seems as though privacy advocates are making
headway in the SSN privacy issue; in other areas, (ab)use of the SSN is
total anarchy.  People tell me that it is a waste of time to even
bother to fight because abuse is so widespread.  Since I came across
c.s.p, my awareness of the SSN abuses has increased; others, many
others, just don't care.  Here is my little story:

I recently lost my job,  living and breathing on unemployment comp.
and doing job searches without disclosing my SSN is near impossible.

On the good side:

When filling out a job application I leave the SSN field blank.  If the
company asks for it, I then ask the company: Does company XXX respect
my individual privacy rights?  If so I don't disclose my SSN; if the
company does not respect my privacy rights I don't want to work for
them anyway.  I found this to be a very low intimidation way of not
disclosing my SSN and making it look like I am trying to hide my
background.  I did have one job application (out of about 40) that
specified on the form that SSN was optional.

On the bad side:

In MD, I applied for unemployment compensation; state requires SSN or
benefits won't get paid, I can see that.  But it gets much worse.  I was
waiting to talk to one rep.  She comes out to the waiting area, hacks
my last name severely and says if your SSN is xxx-xx-xxxx we're ready.  I
almost sit my pants; I certainly got up and yelled I'm here by the time
she got to the -xx-, but there was no right to disclose my SSN to the
public.  I went to her desk to talk about my problems; again I had to
tell my SSN number so she could enter it into the computer and find my
funds.  On her desk was about 50-60 manila folders with a name and a
SSN on each, strewn about the desk area, not a care in the world (I
hope mine isn't).  I looked over a bunch of names and numbers and then
got thoroughly disgusted.  Finally a bunch of us were thrown into a room
to get our benefits briefing.  We all had to sign one piece of paper
and put our SSN next to our name; by this time I was getting smart, I
was the last one to sign (made sure of it) and gave it to the head
person.  Basically everyone in that room saw and probably could recite
a few names and SSNs.

In summary, although there are some significant changes in the SSN
requirements in the unemployment/employment areas, I have found more
of the modernized up to date companies are willing to comply with my
privacy needs.  But with the backwards state systems, they are severely
required to get any work done.  If the state folks could gain an
understanding of the privacy issues I think disclosing the number to
get state funding wouldn't be so bad.  To them it's just a number and
they really don't care who has access or knows it.

David R. Ristau
========================
david@c-cat.pg.md.us
uunet!anagld!c-cat!david


------------------------------

From: Al Cohan <0004526627@mcimail.com>
Date: 15 Jun 94 23:00 EST
Subject: Local Law Enforcement BBS

In today's Los Angeles Times there was an article on how the West
Valley Division of the Los Angeles Police Department has set up a BBS.

Apparently this is a trial basis for citizens to contact the police
department to find out information of interest to the community. In
addition there was some mention of obtaining graphics and asking
questions in some sort of public forum.

What was interesting is that the LA Times published the telephone
number and mentioned that you have to fill out a questionnaire -
apparently to verify who you are and give you access to different parts
of the board.

I guess they are not interested in comments until you identify
yourself.  What bothers me is that caller ID in California is delivered
by setting 1 bit on the setup template for a given number. I would
assume that the LAPD could possibly request for caller ID and get it
with no questions asked.

If this is the case (and I am not saying that it is), then I want
Caller ID also!

I cannot understand the completion of a detailed registration form for
a public entity BBS - least of all the police department.


------------------------------

From: garye@SONNENBERG.UCT.AC.ZA (Gary Edelstein)
Date: 15 Jun 1994 14:37:47 GMT
Subject: Electronic Monitoring of Employees in the Workplace
Organization: UCT

I am a senior student enrolled in the Information Systems honours
program at the University of Cape Town, Republic of South Africa.  I am
currently conducting research  into the Electronic Monitoring (EM) of
Employees in the Workplace.

    Ottensmeyer and Heroux in the article titled Ethics, Public Policy
    and Managing Advanced Technologies: The case of electronic
    surveillance, 1991 stated: Certain realities in a manager's world
    help us understand why electronic surveillance is rarely
    interpreted, treated, or 'framed' as an ethical issue.  Managers
    clearly have a responsibility to stockholders to protect and to
    make productive use of a firm's assets.  Also, US managers, in
    their decisions about electronic surveillance can readily avoid
    examination of ethical concerns by pointing out the strong cultural
    tradition -- in both law and practice -- of management monitoring and
    control of workplace activity.  In addition, the language and logic
    of ethical reasoning are considerably more remote to managers than
    are the languages of control, productivity or law.  Thus, managers
    are more likely to make decisions about adopting or dropping
    surveillance on the basis of their legality or effectiveness,
    rather than  on their ethical impacts.  This assumes, of course,
    that managers actually make decisions about electronic surveillance
    and are not simply swept along mindlessly by the forces of
    technological determinism.


The focus of our research is: "Do managers and employees fully
understand the impact of EM on the employment relationship from ethical
and productivity-oriented perspectives?"  The investigation team
comprises myself, a fellow honours student and a senior academic staff
member.  The envisaged product of this research is a research article
which will be submitted for publication through the Information Systems
Department in October 1994.

Our study will be targeting a sample of managers and employees to
evaluate their understanding of issues involved in the design and
implementation of EM systems.  We are especially interested in
obtaining a validated (or previously utilised) instrument, preferably
in questionnaire format, which would be of assistance to us in
conducting our own field research in the South African environment.
Should anyone be aware of research being performed in this area, we
would greatly appreciate it if he/she could forward the details of who
to contact.

Thanking you for your interest

Gary J. Edelstein (GARYE@SONNENBERG.UCT.AC.ZA)
Department of Information Systems
University of Cape Town
Republic of South Africa


------------------------------

From: David Banisar <Banisar@epic.org>
Date: 14 Jun 1994 14:20:25 -0400
Subject: Brooks Statement on Crypto

  The following statement by Rep. Jack Brooks (D-TX) was today entered
  in the Congressional Record and transmitted to the House Intelligence
  Committee.  Rep. Brooks is Chairman of the House Judiciary Committee
  and played a key role in the passage of the Computer Security Act of
  1987 when he served as Chairman of the House Government Operations
  Committee.

  David Sobel <sobel@epic.org>
  Legal Counsel
  Electronic Privacy Information Center


  =============================================================

       ENCRYPTION POLICY ENDANGERS U.S. COMPETITIVENESS IN
                       GLOBAL MARKETPLACE


       For some time now, a debate has been raging in the media and in
  the halls of Congress over the Administration's intention to require
  U.S. corporations to use and market the Clipper Chip, an encryption
  device developed in secret by the National Security Agency.

       The Clipper Chip will provide industry and others with the
  ability to encode telephone and computer communications.  The use of
  the Clipper Chip as the U.S. encryption standard is a concept
  promoted by both the intelligence and law enforcement communities
  because it is designed with a back door to make it relatively easy
  for these agencies to listen in on these communications.

       The law enforcement and intelligence communities have a
  legitimate concern that advances in technology will make their jobs
  more difficult.  But the issue here is whether attempts to restrict
  the development, use and export of encryption amounts to closing the
  barn door after the horse has already escaped.

       The notion that we can limit encryption is just plain fanciful.
  Encryption technology is available worldwide -- and will become more
  available as time goes on.

       First, generally available software with encryption capabilities
  is sold within the U.S. at thousands of retail outlets, by mail,
  even, over the phone.  These programs may be transferred abroad in
  minutes by anyone using a public telephone line and a computer
  modem.

       Second, it is estimated that over 200 products from some 22
  countries -- including Great Britain, France, Germany, Russia, Japan,
  India, and South Africa -- use some form of the encryption that the
  Government currently prohibits U.S. companies from exporting.
  According to the May 16, 1994 issue of _Fortune_, not only are U.S.
  companies willing to purchase foreign encryption devices, American
  producers of encrypted software are also moving production overseas
  to escape the current export controls.

       Third, encryption techniques and technology are well understood
  throughout the world.  Encryption is routinely taught in computer
  science programs.  Text books explain the underlying encryption
  technology.  International organizations have published protocols for
  implementing high level encryption.  Actual implementations of
  encryption -- programs ready to use by even computer novices -- are
  on the Internet.

       The only result of continued U.S. export controls is to threaten
  the continued preeminence of America's computer software and hardware
  companies in world markets.  These restrictive policies jeopardize
  the health of American companies, and the jobs and revenues they
  generate.

       I support, therefore, the immediate revision of current export
  controls over encryption devices to comport with the reality of
  worldwide encryption availability.

       I believe law enforcement and the intelligence community would
  be better served by finding real, and targeted ways to deal with
  international terrorists and criminals rather than promoting
  scattershot policies, which restrict American industries' ability to
  design, produce and market technology.

       Now -- more than ever -- we cannot afford to harm our economic
  competitiveness and justify it in the name of national security.



------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 16 Jun 1994 11:31:05 -0500 (CDT)
Subject: Nightline: Your Secrets For Sale 
Organization: University of Wisconsin-Milwaukee

    Taken from Risks-Forum Digest  Wed 15 June 1994  (16:15) FORUM ON
    RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee
    on Computers and Public Policy, Peter G. Neumann, moderator

    Date: 12 Jun 94 17:39:31 -0700
    From: Les Earnest <les@sail.stanford.edu>
    Subject: Privacy: Your Secrets For Sale

ABC's Nightline programs on June 9 & 10 focussed on invasions of
privacy that are facilitated by computers and other electronic media.
The program mainly covered things that we are familiar with but
performed a valuable service, I believe, by bringing some important
privacy issues to the attention of the general public in a fairly clear
and direct way.

The program began with Ted Koppel presenting results of a public
opinion poll on two questions:

  Is the sale of records to mail order companies an invasion of
privacy?
    YES - 73%  NO - 27%

  Are you concerned about threats to your privacy?
    YES - 85%  NO - 15%

Koppel went on to assert that the amount of personal information that
is available online is currently quadrupling each year.  An interview
followed with an information broker named Al Schweitzer, who they
mentioned is currently on probation for bribery in connection with
information gathering.  They gave him names and social security numbers
of a couple of people and he showed that in less than 24 hours he could
get a great deal of information about them from legal sources,
including their residential addresses going back a number of years, the
amounts of all outstanding loans and credit card debts and terms of a
divorce settlement.

Schweitzer could not resist mentioning that he could get additional
information, including detailed phone bills and lists of credit card
purchases through illicit but readily accessible channels and could get
the person's income through another such channel at a cost of $50.  He
showed a list of kinds of information, both legal and illegal, that are
available and the schedule of fees for these services.

There was a discussion of the fact that state and local governments
sell a great deal of information to direct marketers, including voter
registration, property owners lists, court records, and (in many
states) motor vehicle and drivers license registrations.  These
agencies derive a great deal of income from selling this information,
which has assisted direct marketers to keep track of 80 million
Americans.  Thus they have a mutually beneficial relationship, arguably
at the expense of the public.

It was mentioned that Barbara Boxer's bill, which has passed the U.S.
Senate, would restrict dissemination of information by all state
departments of motor vehicles.

They interviewed a "reformed hacker" named Ian Murphy who is now a
security consultant.  Murphy pointed out that all calls to 800 or 900
numbers make the caller's phone number available and that with a
computer and an available database this can be mapped into the
subscriber's name and address.  He also discussed how it was possible
to intercept a telephone conversation from a specific cellular phone.
He noted that this is illegal but that it is almost impossible to catch
anyone who does it.  He concluded that "Laws can't keep up with
technology."

In a discussion of the Clipper Chip there was a short interview with
John Perry Barlow in which he remarked that with it "The government can
sit in your living room and hear everything you say."

A woman from Houston, Texas, named Carol Gibbs told her horror story
about having her credit usurped by another person and the fact that it
has taken her two years to get her life back together.

It was pointed out that even though it is now illegal to sell video
rental records, it is perfectly legal to sell personal medical
records!

The second program concluded with a discussion between Koppel,
Schweitzer, Sally Katzen of the "Clinton Privacy Group" and
Representative Ed Markey, who discussed his proposed "Privacy Bill of
Rights."  Markey said that this bill would impose two requirements:

(1) That individuals must be given knowledge that information is being
   gathered about them electronically;

(2) Individuals must be given notice when information that has been
    gathered is proposed for a use other than the one for which it
    was gathered.

Katzen mentioned that it has been over 20 years since the Code of Fair
Information Practices was developed and that technology has changed
substantially: in 1973-74 most records were paper-based but
computer-based records now dominate.  She asserted that the law has to
catch up.

In parting it was mentioned that a representative of one of the "big
three" credit information houses had originally agreed to participate
in the discussion but decided not to come after learning who else would
be there.


------------------------------

From: "Willis H. Ware" <Willis_Ware@rand.org>
Date: 13 Jun 94 11:38:36 PDT
Subject: Re: Terminology & Foreign Investing

    Padgett Peterson noted that: "For the US the privacy to which
    individuals have a "right" to is spelled out in United States Code
    title 5 section 552a (the Privacy Act)."

When I used the term "privacy law of the United States" in my original
message about the semantic confusion among privacy, secrecy,
confidentiality and security, it was as a categoric phrase for all laws
which speak to privacy, whether the word is in the title or not, and
whether there is an explicit Fair Code of Information Practices in the
law or not.  It certainly was not an elliptic reference to the Privacy
Act of 1974.

There are many laws that give protections similar to those of the Act
itself, but in some cases particularized to the topic; there are others
that address different aspects of privacy, notably confidentiality of
the personal data but also sometimes specify allowable uses of the
personal information.  The bulk of them were passed in the 1970s.

	The Privacy Act of 1974
	The Fair Credit Reporting Act - FCRA
	The Family Educational Rights and Privacy Act - FERPA
	The Fair Credit Billing Act - FCBA
	The Fair Debt Collections Practices Act
	The Tax Reform Act of 1976
	The Equal Credit Opportunity Act
	The Electronic Funds Transfer Act

More recently there is the Electronic Communications Protection Act
(ECPA), and the Video Rental Records Act.

Various state laws emulate Federal practices; The Privacy Journal's
compendium of state laws details them.  There are many dozens by now.
In addition, there are various state laws that speak to the
confidentiality and access control for medical records.

Finally, there are also industry codes of practice [e.g., that of the
Direct Marketing Association] and various corporate codes which have
adopted principles similar to those of the Privacy Act, even though not
required by law.

All of these in the aggregate plus the case law that has developed
provide the legal and operational framework in which personal privacy
is protected, albeit far from being a complete umbrella or even one in
which legal redress is always provided.

					Willis Ware
					Santa Monica, CA


------------------------------

From: poivre@netcom.com (Poivre)
Date: 13 Jun 1994 22:29:52 GMT
Subject: Re: SSNs, Drivers and Students in Kentucky
Organization: NETCOM On-line Communication Services (408 261-4700 guest)

I am happy to hear that at least one state, Kentucky, is restricting
the use and disclosure of SSNs.  Everyone else seems to be increasing its 
use and accessibility.

-- 
  poivre@netcom.com               :       #include <disclaimer.h>
                                  :       Altruism Doesn't Pay!!


------------------------------

From: jdunn@hnssys1.hns.com (Joe Dunn)
Date: 15 Jun 1994 19:56:06 GMT
Subject: Re: Information Required by Employer
Organization: Hughes Network Systems Inc.

    Chuck Weckesser <71233.677@CompuServe.COM> writes: In my state,
    (Florida) virtually _all_ personnel records, including those of the
    authorities, are open for inspection and duplication. I say if you
    don't want to work for a state entity and have your bread buttered
    with *MY* tax dollars, then find employment elsewhere.

    On the other hand, I would have absolutely no problem with both
    federal and state legislation beefing up the security of using
    another person's SSN for any purpose other than law enforcement.
    This would affect me in that I have demanded pursuant to law the
    personnel files of *EVERY* faculty member in my department.

What would you do if someone doesn't have a SSN?  There is no law
requiring anyone to get a SSN. Are you going to discriminate against
people who don't have one?? There are already laws on the book to
protect a person's SSN. The law already states that the SSN can not be
used for identification purposes. It's too bad you can't accept
someone's word about their personal life. With such trust, I'm sure
your faculty is very open with you.

-- 
Joe Dunn            Hughes Network Systems          jdunn@hns.com

The philosophy of the classroom will be the philosophy of the
government in the next generation.
                                     -- Abraham Lincoln

Public opinion is a weak tyrant compared with our own
private opinion.
                                     -- Thoreau


------------------------------

From: Chris Hibbert <hibbert@kwi.com>
Date: 16 Jun 1994 10:07:40 GMT
Subject: Social Security Number FAQ
Organization: CPSR

If you have comments on the following, please send them to me at
hibbert@netcom.com.  A description of how to retrieve the most recent
version of this and related documents appears at the end.


          What to do when they ask for your Social Security Number

                              by Chris Hibbert

                           Computer Professionals
                         for Social Responsibility


Many people are concerned about the number of organizations asking for their
Social Security Numbers.  They worry about invasions of privacy and the
oppressive feeling of being treated as just a number.  Unfortunately, I can't
offer any hope about the dehumanizing effects of identifying you with your
numbers.  I *can* try to help you keep your Social Security Number from being
used as a tool in the invasion of your privacy.

Surprisingly, government agencies are reasonably easy to deal with; private
organizations are much more troublesome.  Federal law restricts the agencies
at all levels of government that can demand your number and a fairly complete
disclosure is required even if its use is voluntary.  There are no comparable
Federal laws restricting the uses non-government organizations can make of
it, or compelling them to tell you anything about their plans.  Some states
have recently enacted regulations on collection of SSNs by private entities.
With private institutions, your main recourse is refusing to do business with
anyone whose terms you don't like.  They, in turn, are allowed to refuse to
deal with you on those terms.


                               Short History

Social Security numbers were introduced by the Social Security Act of 1935.
They were originally intended to be used only by the social security program.
In 1943 Roosevelt signed Executive Order 9397 which required federal agencies
to use the number when creating new record-keeping systems.  In 1961 the IRS
began to use it as a taxpayer ID number.  The Privacy Act of 1974 required
authorization for government agencies to use SSNs in their data bases and
required disclosures (detailed below) when government agencies request the
number.  Agencies which were already using SSN as an identifier before
January 1, 1975 were allowed to continue using it.  The Tax Reform Act of
1976 gave authority to state or local tax, welfare, driver's license, or
motor vehicle registration authorities to use the number in order to
establish identities.  The Privacy Protection Study Commission of 1977
recommended that the Executive Order be repealed after some agencies referred
to it as their authorization to use SSNs.  I don't know whether it was
repealed, but no one seems to have cited EO 9397 as their authorization
recently.

Several states use the SSN as a driver's license number, while others record
it on applications and store it in their database.  Some states that
routinely use it on the license will make up another number if you insist.
According to the terms of the Privacy Act, any that have a space for it on
the application forms should have a disclosure notice.  Many don't, and until
someone takes them to court, they aren't likely to change.  (Though New York
recently agreed to start adding the notice on the basis of a letter written
by a reader of this blurb.)

The Privacy Act of 1974 (Pub. L. 93-579) requires that any federal, state, or
local government agency that requests your Social Security Number has to tell
you four things:

1:  Whether disclosure of your Social Security Number is required or
    optional,

2:  What statute or other authority they have for asking for your number,

3:  How your Social Security Number will be used if you give it to them, and

4:  The consequences of failure to provide an SSN.

In addition, the Act says that only Federal law can make use of the Social
Security Number mandatory.  So anytime you're dealing with a government
institution and you're asked for your Social Security Number, just look for
the Privacy Act Statement.  If there isn't one, complain and don't give your
number.  If the statement is present, read it.  If it says giving your Social
Security Number is voluntary, you'll have to decide for yourself whether to
fill in the number.


                           Private Organizations

The guidelines for dealing with non-governmental institutions are much more
tenuous.  Most of the time private organizations that request your Social
Security Number can get by quite well without your number, and if you can
find the right person to negotiate with, they'll willingly admit it.  The
problem is finding that right person.  The person behind the counter is often
told no more than "get the customers to fill out the form completely."

Most of the time, you can convince them to use some other number.  Usually
the simplest way to refuse to give your Social Security Number is simply to
leave the appropriate space blank.  One of the times when this isn't a strong
enough statement of your desire to conceal your number is when dealing with
institutions which have direct contact with your employer.  Most employers
have no policy against revealing your Social Security Number; they apparently
believe that it must be an unintentional slip when an employee doesn't
provide an SSN to everyone who asks.

Public utilities (gas, electric, phone, etc.) are considered to be private
organizations under the laws regulating SSNs.  Most of the time they ask for
an SSN, and aren't prohibited from asking for it, but they'll usually relent
if you insist.  Ask to speak to a supervisor, insist that they document a
corporate policy requiring it, ask about alternatives, ask why they need it
and suggest alternatives.

 Lenders and Borrowers
 (those who send reports to the IRS)

Banks and credit card issuers and various others are required by the IRS to
report the SSNs of account holders to whom they pay interest or when they
charge interest and report it to the IRS.  If you don't tell them your number
you will probably either be refused an account or be charged a penalty such
as withholding of taxes on your interest.

Most banks send your name, address, and SSN to a company called ChexSystems
when you open an account.  ChexSystems keeps a database of people whose
accounts have been terminated for fraud or chronic insufficient funds in the
past 5 years.  ChexSystems is covered by the Fair Credit Reporting Act, and
the bank is required to let you know if it refuses to open your account and a
report from ChexSystems was a factor.  You can also send a letter to
ChexSystems directly and request a copy of your report.

Many Banks, Brokerages, and other financial institutions have started
implementing automated systems to let you check your balance. All too often,
they are using SSNs as the PIN that lets you get access to your personal
account information.  If your bank does this to you, write them a letter
pointing out how common it is for the people with whom you have financial
business to know your SSN.  Ask them to change your PIN, and if you feel like
doing a good deed, ask them to stop using the SSN as a default identifier for
their other customers.  Some customers will believe that there's some
security in it, and be insufficiently protective of their account numbers.

Sometimes banks provide for a customer-supplied password, but are reluctant
to advertise it.  The only way to find out is to ask if they'll let you
provide a password.  (This is reportedly true of Citibank Visa, e.g.  They
ask for a phone number but are willing to accept any password.)

When buying (and possibly refinancing) a house, most banks will now ask for
your Social Security Number on the Deed of Trust.  This is because the
Federal National Mortgage Association recently started requiring it.  The
fine print in their regulation admits that some consumers won't want to give
their number, and allows banks to leave it out when pressed.  [It first
recommends getting it on the loan note, but then admits that it's already on
various other forms that are a required part of the package, so they already
know it.  The Deed is a public document, so there are good reasons to refuse
to put it there, even though all parties to the agreement already have access
to your number.]

 Insurers, Hospitals, Doctors

No laws require medical service providers to use your Social Security Number
as an ID number (except for Medicare, Medicaid, etc.)  They often use it
because it's convenient or because your employer uses it to identify
employees to its group health plan.  In the latter case, you have to get
your employer to change their policies.  Often, the people who work in
personnel assume that the employer or insurance company requires use of the
SSN when that's not really the case.  When a previous employer asked for my
SSN for an insurance form, I asked them to try to find out if they had to use
it.  After a week they reported that the insurance company had gone along
with my request and told me what number to use.  Blood banks also ask for the
number but are willing to do without if pressed on the issue.  After I asked
politely and persistently, the blood bank I go to agreed that they didn't
have any use for the number.  They've now expunged my SSN from their
database, and they seem to have taught their receptionists not to request the
number.

Most insurance companies share access to old claims through the Medical
Information Bureau.  If your insurance company uses your SSN, other insurance
companies will have a much easier time finding out about your medical
history.  You can get a copy of the file MIB keeps on you by writing to
Medical Information Bureau, P.O. Box 105, Essex Station, Boston, MA 02112.
Their phone number is (617)426-3660.

If an insurance agent asks for your Social Security Number in order to "check
your credit", point out that the contract is invalid if your check bounces or
your payment is late.  They don't need to know what your credit is like, just
whether you've paid them.

 Children

The Family Support Act of 1988 (Pub. L. 100-485) requires states to require
parents to give their Social Security Numbers in order to get a birth
certificate issued for a newborn.  The law allows the requirement to be
waived for "good cause", but there's no indication of what may qualify.

The IRS requires taxpayers to report SSNs for dependents over one year of
age, but the requirement can be avoided if you're prepared to document the
existence of the child by other means if challenged.  The law on this can be
found at 26 USC 6109.  The penalty for not giving a dependent's number is
only $5.  Several people have reported that they haven't provided SSNs for
their dependents for several years, and haven't been challenged by the IRS.

 Universities and Colleges

Universities that accept federal funds are subject to the Family Educational
Rights and Privacy Act of 1974 (the "Buckley Amendment"), which prohibits
them from giving out personal information on students without permission.
There is an exception for directory information, which is limited to names,
addresses, and phone numbers, and another exception for release of
information to the parents of minors.  There is no exception for Social
Security Numbers, so covered Universities aren't allowed to reveal students'
numbers without their permission.  In addition, state universities are bound
by the requirements of the Privacy Act, which requires them to provide the
disclosures mentioned above.  If they make uses of the SSN which aren't
covered by the disclosure they are in violation.

           Why SSNs are a bad choice for UIDs in data bases

Database designers continue to introduce the Social Security Number as the
key when putting together a new database or when re-organizing an old one.
Some of the qualities that are (often) useful in a key and that people think
they are getting from the SSN are Uniqueness, Universality, Security, and
Identification.  When designing a database, it is instructive to consider
which of these qualities are actually important in your application; many
designers assume unwisely that they are all useful for every application,
when in fact each is occasionally a drawback.  The SSN provides none of them,
so designs predicated on the assumption that it does provide them will fail
in a variety of ways.

 Uniqueness

Many people assume that Social Security Numbers are unique.  They were
intended by the Social Security Administration to be unique, but the SSA      |
didn't take sufficient precautions to ensure that it would be so.  They have  |
several times given a previously issued number to someone with the same name  |
and birth date as the original recipient, thinking it was the same person     |
asking again.  There are a few numbers that were used by thousands of people
because they were on sample cards shipped in wallets by their manufacturers.
(One is given below.)

The passage of the Immigration reform law in 1986 caused an increase in the
duplicate use of SSNs.  Since the SSN is now required for employment, illegal
immigrants must find a valid name/SSN pair in order to fool the INS and IRS
long enough to collect a paycheck.  Using the SSN when you can't cross-check
your database with the SSA means you can count on getting some false numbers
mixed in with the good ones.

 Universality

Not everyone has a Social Security Number.  Foreigners are the primary
exception, but many children don't get SSNs until they're in school.  They
were only designed to be able to cover people who were eligible for Social
Security.

 Identification

Few people ever ask to see an SSN card; they believe whatever you say.  The
ability to recite the number provides little evidence that you're associated
with the number in anyone else's database.

There's little reason to carry your card with you anyway.  It isn't a good
form of identification, and if your wallet is lost or stolen, it provides
another way for the thief to hurt you, especially if any of your banks use
the SSN as your PIN.

 Security

The card is not at all forgery-resistant, even if anyone did ever ask for it.
The numbers don't have any redundancy (no check-digits) so any 9-digit number
in the range of numbers that have been issued is a valid number.  It's
relatively easy to copy the number incorrectly, and there's no way to tell
that you've done so.

In most cases, there is no cross-checking that a number is valid.  Credit
card and checking account numbers are checked against a database almost every
time they are used.  If you write down someone's phone number incorrectly,
you find out the first time you try to use it.



             Why you should resist requests for your SSN

When you give out your number, you are providing access to information about
yourself.  You're providing access to information that you don't have the
ability or the legal right to correct or rebut.  You provide access to data
that is irrelevant to most transactions but that will occasionally trigger
prejudice.  Worst of all, since you provided the key, (and did so
"voluntarily") all the info discovered under your number will be presumed to
be true, about you, and relevant.

A major problem with the use of SSNs as identifiers is that it makes it hard
to control access to personal information.  Even assuming you want someone to
be able to find out some things about you, there's no reason to believe that
you want to make all records concerning yourself available.  When multiple
record systems are all keyed by the same identifier, and all are intended to
be easily accessible to some users, it becomes difficult to allow someone
access to some of the information about a person while restricting them to
specific topics.

Unfortunately, far too many organizations assume that anyone who presents
your SSN must be you.  When more than one person uses the same number, it
clouds up the records.  If someone intended to hide their activities, it's
likely that it'll look bad on whichever record it shows up on.  When it
happens accidentally, it can be unexpected, embarrassing, or worse.  How do
you prove that you weren't the one using your number when the record was
made?


                What you can do to protect your number

If despite your having written "refused" in the box for Social Security
Number, it still shows up on the forms someone sends back to you (or worse,
on the ID card they issue), your recourse is to write letters or make phone
calls.  Start politely, explaining your position and expecting them to
understand and cooperate.  If that doesn't work, there are several more
things to try:

1: Talk to people higher up in the organization.  This often works
        simply because the organization has a standard way of dealing
        with requests not to use the SSN, and the first person you deal
        with just hasn't been around long enough to know what it is.

2: Enlist the aid of your employer.  You have to decide whether talking
        to someone in personnel, and possibly trying to change
        corporate policy is going to get back to your supervisor and
        affect your job.

3: Threaten to complain to a consumer affairs bureau.  Most newspapers
        can get a quick response.  Ask for their "Action Line" or
        equivalent.  If you're dealing with a local government agency,
        look in the state or local government section of the phone book
        under "consumer affairs."  If it's a federal agency, your
        congressmember may be able to help.

4: Insist that they document a corporate policy requiring the number.
        When someone can't find a written policy or doesn't want to
        push hard enough to get it, they'll often realize that they
        don't know what the policy is, and they've just been following
        tradition.

5: Ask what they need it for and suggest alternatives.  If you're
        talking to someone who has some independence, and they'd like
        to help, they will sometimes admit that they know the reason
        the company wants it, and you can satisfy that requirement a
        different way.

6: Tell them you'll take your business elsewhere (and follow through if
        they don't cooperate.)

7: If it's a case where you've gotten service already, but someone
        insists that you have to provide your number in order to have a
        continuing relationship, you can choose to ignore the request
        in hopes that they'll forget or find another solution before
        you get tired of the interruption.

If someone absolutely insists on getting your Social Security Number, you may
want to give a fake number.  There are legal penalties for providing a false
number when you expect to gain some benefit from it.  A federal court of
appeals ruled that using a false SSN to get a Driver's License violates the
federal law.

There are a few good choices for "anonymous" numbers.  Making one up at
random is a bad idea, as it may coincide with someone's real number and cause
them some amount of grief.  It's better to use a number like 078-05-1120,
which was printed on "sample" cards inserted in thousands of new wallets sold
in the 40's and 50's.  It's been used so widely that both the IRS and SSA
recognize it immediately as bogus, while most clerks haven't heard of it.

There are several patterns that have never been assigned, and which therefore
don't conflict with anyone's real number.  They include numbers with any
field all zeroes, and numbers with a first digit of 8 or 9.  For more details
on the structure of SSNs and how they are assigned, use anonymous ftp to
retrieve the file /cpsr/privacy/ssn/SSN-structure from the machine cpsr.org.  |

Giving a number with an unused pattern rather than your own number isn't
very useful if there's anything serious at stake since they're likely to be
noticed.  The Social Security Administration recommends that people showing
Social Security cards in advertisements use numbers in the range 987-65-4320
through 987-65-4329.

If you're designing a database or have an existing one that currently uses
SSNs and want to use numbers other than SSNs, you should make your
identifiers use some pattern other than 9 digits.  You can make them longer
or shorter than that, or include letters somewhere inside.  That way no one
will mistake the number for an SSN.

The Social Security Administration recommends that you request a copy of your
file from them every few years to make sure that your records are correct
(your income and "contributions" are being recorded for you, and no one
else's are.)  As a result of a recent court case, the SSA has agreed to
accept corrections of errors when there isn't any contradictory evidence, SSA
has records for the year before or after the error, and the claimed earnings
are consistent with earlier and later wages.  (San Jose Mercury News, 5/14,
1992 p 6A) Call the Social Security Administration at (800) 772-1213 and ask
for Form 7004, (Request for Earnings and Benefit Estimate Statement.)


                             When All Else Fails
                       (Getting a Replacement Number)

The Social Security Administration (SSA) will occasionally issue a
replacement SSN.  The most common justification is that the SSA or the IRS
has mixed together earnings records from more than one person, and since one
of the people can't be located, it's necessary to issue a new number to the
other.  The SSA tries very hard to contact the person who is using the number
incorrectly before resorting to this process.

There are a few other situations that the SSA accepts as justifying a new
number.  The easiest is if the number contains the sequences 666 or 13.  The
digits need to be consecutive according to SSA's policy manual, but may be
separated by hyphens.  You apparently don't have to prove that your religious
objection is sincere.  Other commonly accepted complaints include harassment,
sequential numbers assigned to family members, or serious impact on your
credit history that you've tried to clear up without success.

In all cases, the process includes an in-person interview at which you have
to establish your identity and show that you are the original assignee of the
number.  The decision is normally made in the local office.  If the problem
is with a credit bureau's records, you have to show that someone else
continues to use your number, and that you tried to get the credit bureau to
fix your records but were not successful.  When they do issue a new number,
the new records are linked to the old ones.  (Unless you can convince them
that your life might be endangered by such a link.)

There are a few justifications that they don't accept at all: attempting to
avoid legal responsibilities, poor credit record which is your own fault,
lost SSN card (without evidence that someone else has used it), or use of
the number by government agencies or private companies.

The only justification the SSA accepts for cancelling the issuance of an SSN
is that the number was assigned under their Enumeration at Birth (wherein     |
SSNs are assigned when birth certificates are issued) program without the
parent's consent.  In this case, the field officer is instructed to try very
hard to convince the parent that getting the number revoked is futile, but to
give in when the parent is persistent.

                             US Passports

The application for US Passports (DSP-11 12/87) requests a Social Security
Number, but gives no Privacy Act notice.  There is a reference to "Federal
Tax Law" and a misquotation of Section 6039E of the 1986 Internal Revenue
Code, claiming that the section requires that you provide your name, mailing
address, date of birth, and Social Security Number.  The referenced section
only requires TIN (SSN), and it requires that it be sent to the IRS and not
to the Passport office.  It appears that when you apply for a passport, you
can refuse to reveal your SSN to the passport office, and instead mail a
notice to the IRS, giving only your SSN (other identifying info optional) and
notifying them that you are applying for a passport.  [Copies (in postscript)
of the letter that was used by one contributor (The measure of his success is |
that he didn't hear back from any with complaints.) are available by          |
anonymous ftp from cpsr.org in /cpsr/privacy/ssn/passport.ps.Z.  I'd be       |
interested in hearing how the State department and the Post Office (which
processes passport applications) react.]


             Results from Some Recent Legal Cases (3/24/93)

CPSR joined two legal cases in 1992 which concerned Social Security Numbers
and privacy.  One of them challenged the IRS practice of printing Social
Security Numbers on mailing labels when they send out tax forms and related
correspondence.  The other challenged Virginia's requirement of a Social
Security Number in order to register to vote.

Dr. Peter Zilahy Ingerman filed suit against the IRS in Federal District
Court in 1991, and CPSR filed a friend of the court brief in August '91.  The
case was decided in favor of the IRS.  According to "Privacy Journal", the
IRS plans to start covering the SSNs on its mailing labels, but they made the |
decision too late to affect this year's returns.  Some people got a version   |
that hid their numbers, but it was apparently a pilot project in limited      |
areas.                                                                        |

The Virginia case was filed by a resident who refused to supply a Social
Security Number when registering to vote.  When the registrar refused to
accept his registration, he filed suit.  He also challenged Virginia on two
other bases: the registration form lacked a Privacy Act notice, and the voter
lists they publish include Social Security Numbers.  The Federal court of
appeals ruled that Virginia may not require the disclosure of Social Security
numbers as a condition of registering to vote.  The court said that the
Virginia requirement places an "intolerable burden" on the right to vote.
The case is officially referred to as Greidinger v. Davis, No. 92-1571,
Fourth Circuit Court of Appeals, March 22, 1993.


If you have suggestions for improving this document please send them to me
at:
                                       Chris Hibbert
hibbert@netcom.com        or           1195 Andre Ave.
                                       Mountain View, CA 94040



New versions of this posting are always available using any of the            |
following mechanisms.  You can use anonymous ftp from the following           |
sites:                                                                        |

    Site                    Location                                          |

   rtfm.mit.edu         /pub/usenet-by-hierarchy/news/answers/ssn-privacy     |
   ftp.pica.army.mil    /pub/privacy/ssn-privacy.faq                          |
   ftp.cpsr.org         /cpsr/privacy/ssn/Social_Security_Number_FAQ          |

                                                                              |
Gopher can retrieve it from gopher.cpsr.org.  World Wide Web (www) can        |
find it using the following locator (and probably several others you          |
could construct from the other directions I've given):                        |

   http://polar.pica.army.mil/ssn_faq.html                                    |

You can also retrieve it by sending email to                                  |

    Address                  Command (omit the quotes)                        |

   listserv@cpsr.org    "GET cpsr/privacy/ssn Social_Security_Number_FAQ"     |
   mail-server@rtfm.mit.edu                                                   |
                        "send usenet-by-hierarchy/news/answers/ssn-privacy"   |

You can also ask for general help from either of these email servers by       |
sending a message to the same address with just "help" in the body.           |
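
Added example (not part of the FAQ above or of the digest): a Python sketch
of the FAQ's "Security" section and its advice to database designers.  It
sorts SSN-shaped input using only the patterns the FAQ names, and builds a
hypothetical record ID (letter prefix, 7 digits, Luhn check digit; the format
and all function names are assumptions) that cannot be mistaken for an SSN
and that rejects single-digit copying errors.

```python
import re

# Patterns exactly as the 1994 FAQ text states them; not checked against
# current SSA practice.
SAMPLE_CARD = "078051120"                # the wallet "sample" card number
AD_RANGE = range(987654320, 987654330)   # 987-65-4320 through 987-65-4329
SSN_SHAPE = re.compile(r"(\d{3})-?(\d{2})-?(\d{4})")
ID_SHAPE = re.compile(r"R(\d{7})(\d)")   # hypothetical non-SSN record ID


def classify_ssn(text):
    """Sort an SSN-shaped string into the categories the FAQ describes."""
    m = SSN_SHAPE.fullmatch(text.strip())
    if not m:
        return "not-ssn-shaped"
    area, group, serial = m.groups()
    digits = area + group + serial
    if digits == SAMPLE_CARD:
        return "sample-card"
    if int(digits) in AD_RANGE:
        return "advertising-range"
    if area == "000" or group == "00" or serial == "0000" or area[0] in "89":
        return "never-assigned"
    # SSNs carry no check digit, so nothing more can be decided locally.
    return "plausible-unverifiable"


def luhn_check_digit(body):
    """Standard Luhn check digit for a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def make_record_id(n):
    """Build an ID such as R12345674: letter, 7-digit body, check digit."""
    if not 0 <= n <= 9_999_999:
        raise ValueError("record number out of range")
    body = f"{n:07d}"
    return f"R{body}{luhn_check_digit(body)}"


def is_valid_record_id(text):
    m = ID_SHAPE.fullmatch(text)
    return bool(m) and luhn_check_digit(m.group(1)) == m.group(2)


def single_digit_typos(text):
    """Yield every string that differs from text in exactly one digit."""
    for i, ch in enumerate(text):
        if ch.isdigit():
            for d in "0123456789":
                if d != ch:
                    yield text[:i] + d + text[i + 1:]


if __name__ == "__main__":
    ssn = "123-45-6789"                  # constructed sample, not a real SSN
    rid = make_record_id(1234567)
    undetected = sum(classify_ssn(t) == "plausible-unverifiable"
                     for t in single_digit_typos(ssn))
    caught = sum(not is_valid_record_id(t) for t in single_digit_typos(rid))
    print(f"SSN typos that still look valid: {undetected} of 81")
    print(f"record-ID typos rejected:        {caught} of 72")
```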


------------------------------


End of Computer Privacy Digest V4 #078
******************************