Archive-Name: ssn-privacy
 
 
        What to do when they ask for your Social Security Number
 
                            by Chris Hibbert
 
                         Computer Professionals
                       for Social Responsibility
 
 
 Many people are concerned about the number of organizations asking for their
 Social Security Numbers.  They worry about invasions of privacy and the
 oppressive feeling of being treated as just a number.  Unfortunately, I
 can't offer any hope about the dehumanizing effects of identifying you with
 your numbers.  I *can* try to help you keep your Social Security Number from
 being used as a tool in the invasion of your privacy.
 
 Surprisingly, government agencies are reasonably easy to deal with; private
 organizations are much more troublesome.  Federal law restricts the agencies
 at all levels of government that can demand your number and a fairly
 complete disclosure is required even if its use is voluntary.  There are no
 comparable Federal laws restricting the uses non-government organizations
 can make of it, or compelling them to tell you anything about their plans.
 Some states have recently regulations on collection of SSNs by private
 |
 entities.  With private institutions, your main recourse is refusing to do
 |
 business with anyone whose terms you don't like.
 
 
                             Short History
 
 Social Security numbers were introduced by the Social Security Act of 1935.
 They were originally intended to be used only by the social security
 program, and public assurances were given at the time that use would be
 strictly limited.  In 1943 Roosevelt signed Executive Order 9397 which
 required federal agencies to use the number when creating new record-keeping
 systems.  In 1961 the IRS began to use it as a taxpayer ID number.  The
 Privacy Act of 1974 required authorization for government agencies to use
 SSNs in their data bases and required disclosures (detailed below) when
 government agencies request the number.  Agencies which were already using
 SSN as an identifier before January 1, 1975 were allowed to continue using
 it.  The Tax Reform Act of 1976 gave authority to state or local tax,
 welfare, driver's license, or motor vehicle registration authorities to use
 the number in order to establish identities.  The Privacy Protection Study
 Commission of 1977 recommended that the Executive Order be repealed after
 some agencies referred to it as their authorization to use SSNs.  I don't
 know whether it was repealed, but that practice has stopped.
 
 Several states use the SSN as a driver's license number, while others record
 it on applications and store it in their database.  Some states that
 routinely use it on the license will make up another number if you insist.
 According to the terms of the Privacy Act, any that have a space for it on
 the application forms should have a disclosure notice.  Many don't, and
 until someone takes them to court, they aren't likely to change.  (Though
 New York recently agreed to start adding the notice on the basis of a letter
 written by a reader of this blurb.)
 
 The Privacy Act of 1974 (5 USC 552a) requires that any federal, state, or
 local government agency that requests your Social Security Number has to
 tell you four things:
 
 1:  Whether disclosure of your Social Security Number is required or
     optional,
 
 2:  What law authorizes them to ask for your Social Security Number,
 
 3:  How your Social Security Number will be used if you give it to them,
     and
 
 4:  The consequences of failure to provide an SSN.
 
 In addition, the Act says that only Federal law can make use of the Social
 Security Number mandatory.  So anytime you're dealing with a government
 institution and you're asked for your Social Security Number, just look for
 the Privacy Act Statement.  If there isn't one, complain and don't give your
 number.  If the statement is present, read it.  If it says giving your
 Social Security Number is voluntary, you'll have to decide for yourself
 whether to fill in the number.
 
                         Private Organizations
 
 The guidelines for dealing with non-governmental institutions are much more
 tenuous.  Most of the time private organizations that request your Social
 Security Number can get by quite well without your number, and if you can
 find the right person to negotiate with, they'll willingly admit it.  The
 problem is finding that right person.  The person behind the counter is
 often told no more than "get the customers to fill out the form completely."
 
 Most of the time, you can convince them to use some other number.  Usually
 the simplest way to refuse to give your Social Security Number is simply to
 leave the appropriate space blank.  One of the times when this isn't a
 strong enough statement of your desire to conceal your number is when
 dealing with institutions which have direct contact with your employer.
 Most employers have no policy against revealing your Social Security Number;
 they apparently believe that it must have been an unintentional slip that
 you didn't give out your SSN.
 
 Public utilities (gas, electric, phone, etc.) are considered to be private
 organizations under the laws regulating SSNs.  Most of the time they ask for
 an SSN, and aren't prohibited from asking for it, but they'll usually relent
 if you insist.  Ask to speak to a supervisor, insist that they document a
 corporate policy requiring it, ask about alternatives, ask why they need it
 and suggest alternatives.
 
 
       Lenders and Borrowers (those who send reports to the IRS)
 
 Banks and credit card issuers and various others are required by the IRS to
 report the SSNs of account holders to whom they pay interest or when they
 charge interest and report it to the IRS.  If you don't tell them your
 number you will probably either be refused an account or be charged a
 penalty such as withholding of taxes on your interest.
 
 Many Banks, Brokerages, and other financial institutions have started
 implementing automated systems to let you check your balance. All too often,
 they are using SSNs as the PIN that lets you get access to your personal
 account information.  If your bank does this to you, write them a letter
 pointing out how many of the people you have financial business with know
 your SSN.  Ask them to change your PIN, and if you feel like doing a good
 deed, ask them to stop using the SSN as a default identifier.  Some
 customers will believe that there's some security in it, and be
 insufficiently protective of their account numbers.
 
 When buying (and possibly refinancing) a house, most banks will now ask for
 your Social Security Number on the Deed of Trust.  This is because the
 Federal National Mortgage Association recently started requiring it.  The
 fine print in their regulation admits that some consumers won't want to give
 their number, and allows banks to leave it out when pressed.  [It first
 recommends getting it on the loan note, but then admits that it's already on
 various other forms that are a required part of the package, so they already
 know it.  The Deed is a public document, so there are good reasons to refuse
 to put it there, even though all parties to the agreement already have
 access to your number.]
 
 
                      Insurers, Hospitals, Doctors
 
 No laws require medical service providers to use your Social Security Number
 as an ID number (except for Medicare, Medicaid, etc.)  They often use it
 because it's convenient or because your employer uses it to certify
 employees to its groups health plan.  In the latter case, you have to get
 your employer to change their policies.  Often, the people who work in
 personnel assume that the employer or insurance company requires use of the
 SSN when that's not really the case.  When my current employer asked for my
 SSN for an insurance form, I asked them to try to find out if they had to
 use it.  After a week they reported that the insurance company had gone
 along with my request and told me what number to use.  Blood banks also ask
 for the number but are willing to do without if pressed on the issue.  After
 I asked politely and persistently, the blood bank I go to agreed that they
 didn't have any use for the number.  They've now expunged my SSN from their
 database, and they seem to have taught their receptionists not to request
 the number.
 
 Most insurance companies share access to old claims through the Medical
 Information Bureau.  If your insurance company uses your SSN, other
 insurance companies will have a much easier time finding out about your
 medical history.  You can get a copy of the file MIB keeps on you by writing
 to Medical Information Bureau, P.O. Box 105, Essex Station, Boston, MA
 02112.  Their phone number is (617)426-3660.
 
 If an insurance agent asks for your Social Security Number in order to
 "check your credit", point out that the contract is invalid if your check
 bounces or your payment is late.  They don't need to know what your credit
 is like, just whether you've paid them.
 
 
                                   Children
 
 The Family Support Act of 1988 (42 USC 1305, 607, and 602) apparently
 requires states to require parents to give their Social Security Numbers in
 order to get a birth certificate issued for a newborn.  The law allows the
 requirement to be waived for "good cause", but there's no indication of what
 may qualify.
 
 The IRS requires taxpayers to report SSNs for dependents over one year of
 age, but the requirement can be avoided if you're prepared to document the
 existence of the child by other means if challenged.  The law on this can be
 found at 26 USC 6109.
 
                       Universities and Colleges
 
 Universities that accept federal funds are subject to the Family Educational
 Rights and Privacy Act of 1974 (the "Buckley Amendment"), which prohibits
 them from giving out personal information on students withses, and phone
 numbers, and another exception for release of
 information to the parents of minors.  There is no exception for Social
 Security Numbers, so covered Universities aren't allowed to reveal students'
 numbers without their permission.  In addition, state universities are bound
 by the requirements of the Privacy Act, which requires them to provide the
 disclosures mentioned above.  If urity Numbers is a problem
 
 The Social Security Number doesn't work well as an identifier for several
 reasons.  The first reason is that it isn't at all secure; if someone makes
 up a nine-digit number, it's quite likely that they've picked a number that
 is assigned to someone.  There are quite a few reasons why people would make
 up a number: to hide their identity or the fact that they're dohat it makes it
 hard to control access to personal information.  Even assuming you want
 someone to be able to find out some things about you, there's no reason to
 believe that you want to make all records concerning yourself available.
 When multiple record systems are all keyed by the same identifier, and all
 are intended to be easily accessible to some users, it becomes difficult to
 allow sh the passage of the Immigration reform law.  While making up a number
 is usually good enough to fool the public library, employers submit the number
 to the IRS, which cross checks with its own and SSA's records.  Because of the
 checks, illegal workers need to know what name goes with the number so they
 won't be caught as quickly.
 
 
                 What you can do to protect your number
 
 tion and expecting them to
 understand and cooperate.  If that doesn't work, there are several more
 things to try:
 
 1: Talk to people higher up in the organization.  This often works
         simply because the organization has a standard way of dealing
         with requests not to use the SSN, and the first person you deal
         with just hasn't been around long enough to know what it is.
 o get back to your supervisor and
         affect your job.
 
 3: Threaten to complain to a consumer affairs bureau.  Most newspapers
         can get a quick response.  Ask for their "Action Line" or
         equivalent.  If you're dealing with a local government agency,
         look in the state or local government section of the phone book
         under "consumer affairs."  If it's a federal lp.
 
 4: Insist that they document a corporate policy requiring the number.
         When someone can't find a written policy or doesn't want to
         push hard enough to get it, they'll often realize that they
         don't know what the policy is, and they've just been following
         tradition.
 
 5: Ask what they need it for and suggest alternatives.  If you're
         talking to someyour number in order to have a
         continuing relationship, you can choose to ignore the request
         in hopes that they'll forget or find another solution before
         you get tired of the interruption.
 
 If someone absolutely insists on getting your Social Security Number, you
 may want to give a fake number.  There is no legal penalty as long as you're
 not doing it to get somethinds of new wallets sold in the 40's and 50's.  It's
 been used so widely that both the IRS and SSA recognize it immediately as
 bogus, while most clerks haven't heard of it.
 
 There are several prefixes that have never been assigned, and which
 therefore don't conflict with anyone's real number.  They include the
 following patterns:
 
 1.  Any field all zeroes (no field of zeroes is ever assigneut some have been
 assigned to organizations and for other special purposes. The Social Security
 Administration recommends that people showing Social Security cards in
 advertisements use numbers in the range 987-65-4320 through 987-65-4329.
 
 If you're designing a database, and want to use numbers other than Social
 Security Numbers, you'd be better off generating numbers that are shorter
 thanepending on these unused patterns.
 
 The Social Security Administration recommends that you request a copy of
 your file from them every few years to make sure that your records are
 correct (your income and "contributions" are being recorded for you, and no
 one else's are.)  As a result of a recent court case, the SSA has agreed to
 accept corrections of errors when there isn't any contradictorined two legal
 cases concerning Social Security Numbers and privacy.  One of them challenged
 the IRS practice of printing Social Security Numbers on mailing labels when
 they send out tax forms and related correspondence.  The other challenged
 Virginia's requirement of a Social Security Number in order to register to
 vote.
 
 Dr. Peter Zilahy Ingerman filed suit against the IRS in Federal Distr.  CPSR
 plans to appeal.
 
 The Virginia case was filed by a resident of the state who refused to supply
 a Social Security Number when registering to vote.  When the registrar
 refused to accept his registration, he filed suit.  He is also challenging
 the state of Virginia on two other bases: the registration form apparently
 lacked a Privacy Act notice, and the voter lists the state publishes id them
 to me at:
                                        Chris Hibbert
 hibbert@xanadu.com        or           Xanadu Operating Company
                                        550 California Ave, Suite 101
                                        Palo Alto, CA 94306