Archive-Name: ssn-privacy What to do when they ask for your Social Security Number by Chris Hibbert Computer Professionals for Social Responsibility Many people are concerned about the number of organizations asking for their Social Security Numbers. They worry about invasions of privacy and the oppressive feeling of being treated as just a number. Unfortunately, I can't offer any hope about the dehumanizing effects of identifying you with your numbers. I *can* try to help you keep your Social Security Number from being used as a tool in the invasion of your privacy. Surprisingly, government agencies are reasonably easy to deal with; private organizations are much more troublesome. Federal law restricts the agencies at all levels of government that can demand your number and a fairly complete disclosure is required even if its use is voluntary. There are no comparable Federal laws restricting the uses non-government organizations can make of it, or compelling them to tell you anything about their plans. Some states have recently regulations on collection of SSNs by private | entities. With private institutions, your main recourse is refusing to do | business with anyone whose terms you don't like. Short History Social Security numbers were introduced by the Social Security Act of 1935. They were originally intended to be used only by the social security program, and public assurances were given at the time that use would be strictly limited. In 1943 Roosevelt signed Executive Order 9397 which required federal agencies to use the number when creating new record-keeping systems. In 1961 the IRS began to use it as a taxpayer ID number. The Privacy Act of 1974 required authorization for government agencies to use SSNs in their data bases and required disclosures (detailed below) when government agencies request the number. Agencies which were already using SSN as an identifier before January 1, 1975 were allowed to continue using it. The Tax Reform Act of 1976 gave authority to state or local tax, welfare, driver's license, or motor vehicle registration authorities to use the number in order to establish identities. The Privacy Protection Study Commission of 1977 recommended that the Executive Order be repealed after some agencies referred to it as their authorization to use SSNs. I don't know whether it was repealed, but that practice has stopped. Several states use the SSN as a driver's license number, while others record it on applications and store it in their database. Some states that routinely use it on the license will make up another number if you insist. According to the terms of the Privacy Act, any that have a space for it on the application forms should have a disclosure notice. Many don't, and until someone takes them to court, they aren't likely to change. (Though New York recently agreed to start adding the notice on the basis of a letter written by a reader of this blurb.) The Privacy Act of 1974 (5 USC 552a) requires that any federal, state, or local government agency that requests your Social Security Number has to tell you four things: 1: Whether disclosure of your Social Security Number is required or optional, 2: What law authorizes them to ask for your Social Security Number, 3: How your Social Security Number will be used if you give it to them, and 4: The consequences of failure to provide an SSN. In addition, the Act says that only Federal law can make use of the Social Security Number mandatory. So anytime you're dealing with a government institution and you're asked for your Social Security Number, just look for the Privacy Act Statement. If there isn't one, complain and don't give your number. If the statement is present, read it. If it says giving your Social Security Number is voluntary, you'll have to decide for yourself whether to fill in the number. Private Organizations The guidelines for dealing with non-governmental institutions are much more tenuous. Most of the time private organizations that request your Social Security Number can get by quite well without your number, and if you can find the right person to negotiate with, they'll willingly admit it. The problem is finding that right person. The person behind the counter is often told no more than "get the customers to fill out the form completely." Most of the time, you can convince them to use some other number. Usually the simplest way to refuse to give your Social Security Number is simply to leave the appropriate space blank. One of the times when this isn't a strong enough statement of your desire to conceal your number is when dealing with institutions which have direct contact with your employer. Most employers have no policy against revealing your Social Security Number; they apparently believe that it must have been an unintentional slip that you didn't give out your SSN. Public utilities (gas, electric, phone, etc.) are considered to be private organizations under the laws regulating SSNs. Most of the time they ask for an SSN, and aren't prohibited from asking for it, but they'll usually relent if you insist. Ask to speak to a supervisor, insist that they document a corporate policy requiring it, ask about alternatives, ask why they need it and suggest alternatives. Lenders and Borrowers (those who send reports to the IRS) Banks and credit card issuers and various others are required by the IRS to report the SSNs of account holders to whom they pay interest or when they charge interest and report it to the IRS. If you don't tell them your number you will probably either be refused an account or be charged a penalty such as withholding of taxes on your interest. Many Banks, Brokerages, and other financial institutions have started implementing automated systems to let you check your balance. All too often, they are using SSNs as the PIN that lets you get access to your personal account information. If your bank does this to you, write them a letter pointing out how many of the people you have financial business with know your SSN. Ask them to change your PIN, and if you feel like doing a good deed, ask them to stop using the SSN as a default identifier. Some customers will believe that there's some security in it, and be insufficiently protective of their account numbers. When buying (and possibly refinancing) a house, most banks will now ask for your Social Security Number on the Deed of Trust. This is because the Federal National Mortgage Association recently started requiring it. The fine print in their regulation admits that some consumers won't want to give their number, and allows banks to leave it out when pressed. [It first recommends getting it on the loan note, but then admits that it's already on various other forms that are a required part of the package, so they already know it. The Deed is a public document, so there are good reasons to refuse to put it there, even though all parties to the agreement already have access to your number.] Insurers, Hospitals, Doctors No laws require medical service providers to use your Social Security Number as an ID number (except for Medicare, Medicaid, etc.) They often use it because it's convenient or because your employer uses it to certify employees to its groups health plan. In the latter case, you have to get your employer to change their policies. Often, the people who work in personnel assume that the employer or insurance company requires use of the SSN when that's not really the case. When my current employer asked for my SSN for an insurance form, I asked them to try to find out if they had to use it. After a week they reported that the insurance company had gone along with my request and told me what number to use. Blood banks also ask for the number but are willing to do without if pressed on the issue. After I asked politely and persistently, the blood bank I go to agreed that they didn't have any use for the number. They've now expunged my SSN from their database, and they seem to have taught their receptionists not to request the number. Most insurance companies share access to old claims through the Medical Information Bureau. If your insurance company uses your SSN, other insurance companies will have a much easier time finding out about your medical history. You can get a copy of the file MIB keeps on you by writing to Medical Information Bureau, P.O. Box 105, Essex Station, Boston, MA 02112. Their phone number is (617)426-3660. If an insurance agent asks for your Social Security Number in order to "check your credit", point out that the contract is invalid if your check bounces or your payment is late. They don't need to know what your credit is like, just whether you've paid them. Children The Family Support Act of 1988 (42 USC 1305, 607, and 602) apparently requires states to require parents to give their Social Security Numbers in order to get a birth certificate issued for a newborn. The law allows the requirement to be waived for "good cause", but there's no indication of what may qualify. The IRS requires taxpayers to report SSNs for dependents over one year of age, but the requirement can be avoided if you're prepared to document the existence of the child by other means if challenged. The law on this can be found at 26 USC 6109. Universities and Colleges Universities that accept federal funds are subject to the Family Educational Rights and Privacy Act of 1974 (the "Buckley Amendment"), which prohibits them from giving out personal information on students withses, and phone numbers, and another exception for release of information to the parents of minors. There is no exception for Social Security Numbers, so covered Universities aren't allowed to reveal students' numbers without their permission. In addition, state universities are bound by the requirements of the Privacy Act, which requires them to provide the disclosures mentioned above. If urity Numbers is a problem The Social Security Number doesn't work well as an identifier for several reasons. The first reason is that it isn't at all secure; if someone makes up a nine-digit number, it's quite likely that they've picked a number that is assigned to someone. There are quite a few reasons why people would make up a number: to hide their identity or the fact that they're dohat it makes it hard to control access to personal information. Even assuming you want someone to be able to find out some things about you, there's no reason to believe that you want to make all records concerning yourself available. When multiple record systems are all keyed by the same identifier, and all are intended to be easily accessible to some users, it becomes difficult to allow sh the passage of the Immigration reform law. While making up a number is usually good enough to fool the public library, employers submit the number to the IRS, which cross checks with its own and SSA's records. Because of the checks, illegal workers need to know what name goes with the number so they won't be caught as quickly. What you can do to protect your number tion and expecting them to understand and cooperate. If that doesn't work, there are several more things to try: 1: Talk to people higher up in the organization. This often works simply because the organization has a standard way of dealing with requests not to use the SSN, and the first person you deal with just hasn't been around long enough to know what it is. o get back to your supervisor and affect your job. 3: Threaten to complain to a consumer affairs bureau. Most newspapers can get a quick response. Ask for their "Action Line" or equivalent. If you're dealing with a local government agency, look in the state or local government section of the phone book under "consumer affairs." If it's a federal lp. 4: Insist that they document a corporate policy requiring the number. When someone can't find a written policy or doesn't want to push hard enough to get it, they'll often realize that they don't know what the policy is, and they've just been following tradition. 5: Ask what they need it for and suggest alternatives. If you're talking to someyour number in order to have a continuing relationship, you can choose to ignore the request in hopes that they'll forget or find another solution before you get tired of the interruption. If someone absolutely insists on getting your Social Security Number, you may want to give a fake number. There is no legal penalty as long as you're not doing it to get somethinds of new wallets sold in the 40's and 50's. It's been used so widely that both the IRS and SSA recognize it immediately as bogus, while most clerks haven't heard of it. There are several prefixes that have never been assigned, and which therefore don't conflict with anyone's real number. They include the following patterns: 1. Any field all zeroes (no field of zeroes is ever assigneut some have been assigned to organizations and for other special purposes. The Social Security Administration recommends that people showing Social Security cards in advertisements use numbers in the range 987-65-4320 through 987-65-4329. If you're designing a database, and want to use numbers other than Social Security Numbers, you'd be better off generating numbers that are shorter thanepending on these unused patterns. The Social Security Administration recommends that you request a copy of your file from them every few years to make sure that your records are correct (your income and "contributions" are being recorded for you, and no one else's are.) As a result of a recent court case, the SSA has agreed to accept corrections of errors when there isn't any contradictorined two legal cases concerning Social Security Numbers and privacy. One of them challenged the IRS practice of printing Social Security Numbers on mailing labels when they send out tax forms and related correspondence. The other challenged Virginia's requirement of a Social Security Number in order to register to vote. Dr. Peter Zilahy Ingerman filed suit against the IRS in Federal Distr. CPSR plans to appeal. The Virginia case was filed by a resident of the state who refused to supply a Social Security Number when registering to vote. When the registrar refused to accept his registration, he filed suit. He is also challenging the state of Virginia on two other bases: the registration form apparently lacked a Privacy Act notice, and the voter lists the state publishes id them to me at: Chris Hibbert hibbert@xanadu.com or Xanadu Operating Company 550 California Ave, Suite 101 Palo Alto, CA 94306