Privacy in America: Social Security Numbers

If you're like most people, you've probably given out your Social Security number several times in the past few weeks. Chances are you didn't even know you had a choice in the matter. And anyway, it's such a convenient form of identification, you probably didn't think twice about it.

By revealing our SSNs to so many entities -- governmental and private organizations alike -- we're sacrificing our right to privacy and anonymity. And in an information society, these are increasingly rare commodities.

SSNs were originally created to number personal accounts for Social Security, tax collection and benefits payment. But today, SSNs have become a too-common identifier.

An ever-growing number of computer networks let organizations sell, store, transfer and link our personal and business information -- usually without our knowledge or consent. It's become way too easy for government agencies and private organizations to trace each of us, from cradle to grave.

The details of our personal lives belong to us -- they're no one else's business.

MY NUMBER, MYSELF

Whether you've paid taxes, opened a bank account, been accepted for a credit card, joined a gym or a shopping club, or applied for a video rental card, a driver's license or a mortgage, chances are you've been asked for -- and given out -- your SSN. That seems innocent enough.

But because the SSN is so commonly used as an individual account number, this nine-digit code ends up being a virtual pass key to a vast amount of private, and often sensitive, information about you -- your address, medical history, shopping preferences, household income, and use of prescription drugs, to name just a few.

The Internet has made the problem even more serious. More and more companies distribute SSNs through online personal locaters or look-up services -- California's Senator Dianne Feinstein has testified that it took her less than three minutes to retrieve her own SSN from the Internet.

A huge online database, Lexis-Nexis, recently announced a person-locator program that made it possible to find someone's most recent two addresses, maiden names, aliases and SSN with the click of a mouse. After a slew of complaints (such a service could prove fatal for victims of domestic abuse or stalking, for example) the company stopped giving out SSNs. In an era when information is money, even worse abuses are bound to occur.

How much do you want other people to know?

LITTLE LEGAL PROTECTION

Incredibly, the right to information privacy remains largely unprotected by law. The 1974 Privacy Act applies to the use of personal information by the government, but it is poorly enforced and has too many exceptions. Federal laws like the Fair Credit Reporting Act offer limited protection against non-government abuses, but with few exceptions, the collection and use of personal information by the private sector is unregulated. Your employment, insurance and health records are up for grabs.

WHO'S GOT YOUR NUMBER

The proliferation of SSNs has already led to some very serious problems. Here are a few examples:

FRAUD -- It was recently discovered that ten current and former SSA employees had accepted bribes from a credit fraud ring in the business of selling mothers' maiden names to activate fraudulently obtained credit cards.

IMPROPER PRYING -- Congress passed a law in 1997 making improper prying, or so-called "browsing," a crime after an IRS employee targeted a state prosecutor he had a grudge against. The employee scrutinized the prosecutor's tax form, which included detailed information about the day care center the prosecutor's children attended.

IDENTITY THEFT -- Because of the widespread availability of SSNs, criminals are able to assume the identities of others in order to gain access to their victims' bank and charge accounts and to steal their victims' government benefits.

It's my information, not theirs. I should have a right to know, and to choose who they're going to sell it to and what list I'm going to be on. There should be some way to govern what they do."
-- Plaintiff from a lawsuit against Metromail, a vendor of direct marketing information.

TAKE BACK YOUR DATA

Unless we quickly oppose further intrusions into our privacy, what little control we still have over our own personal information will soon disappear. That's why the ACLU has launched its Take Back Your Data Campaign. We're urging our members and everyone who values their increasingly fragile right to privacy to support the campaign. (See "What You Can Do" for more information on how you can get involved!)

We need laws that protect our privacy! Support the ACLU's Privacy Principles.

RESOURCES: E. Hendricks et al., Your Right to Privacy, ACLU Handbook, 1990. The Electronic Privacy Information Center provides valuable information on privacy issues, including SSN use. Its website is http://www.epic.org/privacy/ The Privacy Rights Clearinghouse provides important information and practical tips at its website: http://www.privacyrights.org/ Privacy Times is a twice-a-month newsletter covering developments in privacy and information access. Its website is http://www.privacytimes.com. Privacy Journal is a monthly newsletter on privacy. Its e-mail is 510719@mcmail.com.

WHAT WE ARE DOING

The sale, storage and transfer of vast collections of highly personal information seriously threaten privacy rights. To take back our data we need laws that are consistent with the following principles --

1. Your personal information should never be collected or disseminated without your knowledge and permission.
   
2. Organizations must let you know why they're collecting your information; and they can't use it for other reasons than the one you granted permission for (unless they get a second permission from you)
   
3. Organizations must ensure the privacy of the personal information they collect or maintain on you, retaining only what is necessary information and only for as long as it is needed.
   
4. You should have the right to examine, copy, and correct your own personal information.
   
5. There must be no national ID system -- either in law or in practice
   
6. Unrelated data bases must be kept strictly separate so information can't be cross-referenced.
   
7. Personal "biometric" data -- your fingerprints, DNA, retina or iris scans, etc. -- must not be involuntarily captured or used (except for fingerprinting criminals).
   
8. The government must not prohibit or interfere with the development of technologies that protect privacy (such as encryption).
   
9. These principles should be enforceable by law. Furthermore, no service, benefit, or transaction should be conditioned on waiving your privacy rights.

Take back your data! Write your local elected officials and tell them you want stronger laws to protect your privacy. (See next panel for more.)

WHAT YOU CAN DO

Support the Personal Information Privacy Act of 1997. Introduced by Senators Dianne Feinstin (D-CA) and Charles Grassley (R-Iowa), the Act, S.600, would bar the commercial use of Social Security numbers. A similar bill that covers only use of SSNs on the Internet was introduced in the House by Representative Bob Franks (R-NJ) as H.R. 1287, the Social Security On-line Privacy Protection Act.

Use caution when giving out your SSN to a government agency. They are required by the Privacy Act of 1974 to tell you why your SSN is necessary, whether giving your SSN is mandatory or voluntary, and how your SSN will be used. And stop giving your SSN to private organizations. Suggest they use an alternative identifying number. If they refuse, think about taking your business elsewhere. They'll get the hint.

The "ACLU in Congress" section of our website contains an Action Alert on this issue, allowing you to send a free fax to your members of Congress. Reach our website at http://archive.aclu.org

Write us for a Take Back Your Data Info Kit!
ACLU Take Back Your Data Campaign
125 Broad Street, New York, NY 10004