The following is from the current issue of PRIVACY JOURNAL, a monthly newsletter available in hard copy or electronic form at a special discounted rate to users of EPIC's home page. For subscription information, write or call PRIVACY JOURNAL, PO Box 28577, Providence RI 02908, 401/274-7861
ALTERNATIVES TO USING SOCIAL SECURITY NUMBERS IN LARGE ORGANIZATIONS
Organizations need to be extremely cautious about collecting, using, and disclosing Social Security numbers of customers or other individuals.
There are many reasons for this: First, stolen or misappropriated Social Security numbers lead to thousands of cases of "theft-of-identity" or "credit theft" each month. In addition new immigrants without documentation appropriate strangers' Social Security numbers as a means to get a legal identity. If lists of persons' Social Security numbers are available even within an organization, employees can be bribed or corrupted to sell them, or can misuse them themselves.
Second, with someone else's SSN, a stranger can impersonate that person over the telephone, in person, or on-line and retrieve personal information about the individual. The Internal Revenue Service, for instance, will disclose detailed tax information to anyone who provides a Social Security number of an individual taxpayer. Many banks and brokers do so as well.
Third, the number is not totally anonymous - strangers can tell in what state it was issued and approximately what year. Fourth, the incidents of inaccurate SSNs are so numerous that any record linkage based on the SSNs will be flawed. Fifth, many individuals have a sincerely held religious or philosophical objection to being enumerated.
With today's data base technology, the SSN and other personal identifiers are less necessary than in the past. A search for information on Winston Smith, for instance, when all you have is first name, last name, and home address, telephone number, or date of birth is a reasonable search today whereas in the past such a search would have required more computing resources than were available at reasonable cost.
MIB Inc. (formerly Medical Information Bureau) is an example of an organization that stores millions of computerized records on individuals with no numerical identifiers at all. This is done by using an algorithm to digitize a person's full name and other identifying information (birth date, address, or occupation), in order to locate a match in the data base. Proprietary forms of this methodology include SOUNDEX, Alpha Search, and SearchSoftwareAmerica. A search for a file will provide the closest match, based on a comparison of the data elements. Thus, an error in one data element will still produce an accurate match. This is not always true when only one numerical identifier, like the Social Security number, is used for a search in a data base. Large organizations like Federal Express, National Insurance Crime Bureau, VISA, and Wausau Insurance use variations of this methodology, without the need for Social Security numbers.
When Social Security numbers must be kept on individuals (as in the case of the personnel department), the numbers can be encrypted so that they may be used for linkage of data files, as necessary, without revealing the actual digits of the SSNs. The resulting "record linkage number" will not permit a stranger to derive the SSN even if the linkage number becomes publicly known (see "Encrypting Personal Identifiers" by Eleanor Marx, HSR: HEALTH SERVICES RESEARCH 29:2, June 1994).
Still another alternative, if an office must have a numerical identifier to make an accurate match of a record or to detect duplicates, is to ask a customer for only the last four digits of his or her SSN. This maintains the anonymity and the confidentiality of the complete number, but in most cases will be adequate for establishing matches. It is also a number that each person can easily remember.
An organization can avoid most of the dangers of keeping Social Security numbers by establishing its own unique account number. Clearly this will require extra effort. One argument against this has been that most people don't remember a unique identifier. However, many studies show that a sizeable percentage of people inadvertently provide erroneous Social Security numbers, when asked. Records have a higher accuracy rate when applicants are asked to consult a document - or use an electronic device - when providing an ID number, not to rely on memory.
In any event, the Social Security number is not a reliable means for establishing personal identity, because it has been so readily available and has been subject to widespread use by imposters. Administrators should rely, instead, on what has always been the best means of establishing personal identity - personal recognition. Where this is not practical or possible, there are adequate surrogate methods, like signature comparison, passwords, a personal identifying number known only to the individual (PIN), encryption for authentication, digital or digitized signatures, identity documents with photographs, fingerprint comparison (where there is no stigma or compulsion), and forms of biometrics.