The IT Law Wiki
The IT Law Wiki

Historical background[]

The Social Security Number (SSN) was created in 1936 as a means of tracking workers’ earnings and eligibility for Social Security benefits.[1] SSNs are issued to most U.S. citizens, and to some non-citizens lawfully admitted to the United States. Since 1936, the Social Security Administration (SSA) has issued more than 400 million SSNs.

Through a process known as enumeration, a unique nine-digit number is created. The number is divided into three parts — first three digits represent the geographic area where the SSN was assigned; the middle two are the group number, which is assigned in a specified order for each area number; and the last four are serial numbers ranging from 0001 to 9999.

Although the SSN was originally created for administering the Social Security program, its use has expanded dramatically throughout both the public and private sectors. Federal use of the SSN was first mandated by President Roosevelt in 1943 with Executive Order 9397. This Executive Order required that any Federal department establishing a new system of permanent account numbers pertaining to an individual must exclusively utilize the SSN and that such personal information must be kept confidential. Today the SSN is required for the administration of a number of government benefit programs and the Federal income tax.

Because of the number’s uniqueness and broad applicability, SSNs have become the identifier of choice for government agencies and private businesses, and are used for a myriad of non–Social Security purposes. Since 1936, “there have been almost 40 congressionally authorized uses for [them] as an identification number.”[2] Companies trading in financial information are the largest private sector users of SSNs, with credit bureaus maintaining over 400 million files keyed to individual SSNs.[3] Financial institutions, insurers, universities, health care entities, government agencies, and innumerable other organizations use this nine-digit sequence as a default identifier to ensure accurate matching of consumers with their information within organizations, to facilitate matching of consumer information with other organizations, and to avoid having to establish a different identification system for each set of benefits or records. Many SSN uses have also been legally mandated. The Internal Revenue Service (“IRS”), for example, requires private sector entities, including banks, insurance companies, and employers, to collect SSNs for income and tax-related purposes. The numerous uses of the SSN reflect its considerable advantages as an identifier, because it is permanent, ubiquitous, and unique to each individual.

The largest criminal database in the country maintained by the NCIC includes SSNs in its list of identifying characteristics. Courts, DMVs, federal agencies, professional licensing groups, and student loan administrators all utilize SSNs in the administration of their records. The ubiquitous nature of these once confidential identifiers provide identity thieves myriad opportunities to steal and use them.

Identity theft/Privacy concerns[]

Many entities also use SSNs to authenticate consumers, i.e., to verify that individuals are who they say they are. These entities, in effect, treat the SSN as a secret piece of information, available only to the consumer and themselves, and give access to information or benefits only when the consumer is able to supply and confirm his or her SSN.

Ubiquitous use of SSNs and the ease with which individuals can access another person's SSN have raised serious concerns over privacy and opportunities for identity theft and fraud. SSNs often are described as the “keys to the kingdom,” because an identity thief with a consumer’s SSN (and perhaps other identifying information) may be able to use that information to convince a business that he is who he purports to be, allowing him to open new accounts, access existing accounts, or obtain other benefits in the consumer’s name. Unfortunately, SSNs have become increasingly available to identity thieves, at least in part because they are so widely used as identifiers. Identity theft continues to be a major problem in this country, with victims numbering in the millions each year and out-of-pocket losses (primarily to businesses) in the billions of dollars.[4]

The Federal Trade Commission (FTC), SSA, the SSA Inspector General and others acknowledge that SSNs play a pivotal role in identity theft. Even worse, terrorists may steal, fake, or purchase SSNs in order to operate in our society and abet their nefarious acts.

Because of the numbering scheme used to assign SSNs, the first five digits of the nine-digit number can in many cases be extrapolated from a person’s place and date of birth. This means that in some cases, the last four digits of the SSN plus additional information may permit the entire SSN to be known.[5]

SSN misuse, not related to the determination of eligibility for, or the amount of, Social Security or SSI benefits, can also result in considerable costs for the government, the private sector, and individuals who are victims of fraud. In many cases, the costs of SSN misuse extend beyond monetary losses. The SSN is a valuable commodity today for criminals. The use of the SSN has grown so that it is interwoven into many aspects of every day life. It has become the de facto national identifier, used as a "breeder document" to obtain a driver's license or a credit card, open a bank account or secure a loan.

The FTC reported in 2003 that 10 million Americans fell prey to identity theft in 2002. A more recent survey by Gartner, Inc. estimated the number of identity theft victims at 15 million in 2006. The FTC study found that victims spent an estimated $5 billion to rehabilitate their good names, and businesses lost over $50 billion to identity theft-related fraud in a single year. Protecting the privacy of SSNs will help to protect our individual and national security.

Federal legislation limiting SSN use[]

Since SSNs are the key to accessing an individual's financial and other personal information, the wide accessibility of SSNs has raised serious concerns over privacy. It is relatively easy for an individual can obtain another person's SSN and use the information to commit identity theft or other crimes. Restricting the display to the general public and sale of SSNs by governments will help curb fraudulent activity by making it more difficult for criminals to access this personal information.

There are some federal laws that limit the disclosure and use of SSNs. For example, Section 7 of the Privacy Act of 1974 limits the government's use of SSNs:

(a)(1) It shall be unlawful for any Federal, State or local government agency to deny to any individual any right, benefit, or privilege provided by law because of such individual's refusal to disclose his social security account number.
(2) The provisions of paragraph (1) of this subsection shall not apply with respect to —
(A) any disclosure which is required by Federal statute, or
(B) the disclosure of a social security number to any Federal, State, or local agency maintaining a system of records in existence and operating before January 1, 1975, if such disclosure was required under statute or regulation adopted prior to such date to verify the identity of an individual.

(b) Any Federal, State, or local government agency which requests an individual to disclose his social security account number shall inform that individual whether that disclosure is mandatory or voluntary, by what statutory or other authority such number is solicited, and what uses will be made of it.[6]

Congress has created many exceptions to Section 7 that greatly reduce the reach of the Act’s central prohibition. For instance, a state may require the disclosure of SSNs for identification purposes “in the administration of any tax, general public assistance, driver's license, or motor vehicle registration law within its jurisdiction. . . .”[7] If an individual fails to comply with a state’s request for SSNs in these cases, the individual can be denied benefits. Nor does the Act apply to private entities, which can require a person to disclose his or her SSN as a condition for providing a service.

Other statutes also restrict the collection and dissemination of SSNs:

  1. The Freedom of Information Act (FOIA), which generally requires federal agencies to make their records available to the public, contains an exemption allowing an agency to withhold those records that would “disclose information of a personal nature where disclosure would constitute a clearly unwarranted invasion of personal privacy.”[8] The FOIA, however, does not address when agencies can require SSNs, how they can use them, and whether they can share them with other agencies.
  2. The Family Educational Rights and Privacy Act bars educational institutions receiving federal funds from releasing “personally identifiable information” about students to unauthorized persons.[9]
  3. The Fair Credit Reporting Act of 1970 directly constrains the dissemination of financial information, which usually contains SSNs.[10]
  4. In addition, some states have enacted laws addressing information privacy, although some commentators have criticized these efforts as “failing to provide comprehensive privacy protection.”[11]

References[]

  1. Social Security Online, Social Security Number Chronology.[1]
  2. Richard Sobel, "The Degradation of Political Identity Under a National Identification System," 8 B.U. J. Sci. & Tech. L. 37, 56 (2002).
  3. Flavio L. Komuves, "We’ve Got Your Number: An Overview of Legislation and Decisions to Control the Use of Social Security Numbers as Personal Identifiers," 16 J. Marshall J. Computer & Info. L. 529, 536 (1998).
  4. Federal Trade Comm'n, 2006 Identity Theft Survey Report 3 & 9 (Nov. 2007)[2] (hereinafter “FTC Identity Theft Survey”).
  5. For more information, see "The SSN Numbering Scheme."[3]
  6. Privacy Act of 1974, Pub. L. No. 93-579, §7, 88 Stat. 1896, 1909 (1974).
  7. 42 U.S.C. §405(c)(2)(C)(i).
  8. 5 U.S.C. §552(b); see Sherman v. United States Dep't of the Army, 244 F.3d 357 (5th Cir. 2001).
  9. Komuves, at 557; see United States v. Miami Univ., 294 F.3d 797 (6th Cir. 2002).
  10. 15 U.S.C. §1681.
  11. See, e.g., Yang v. Government Employees Ins. Co., 146 F.3d 1320 (11th Cir. 1998).