EPIC Testimony on SSN Misuse and Terrorism

Testimony and Statement for the Record of
Chris Jay Hoofnagle
Legislative Counsel, Electronic Privacy Information Center

Hearing on Preserving the Integrity of Social Security Numbers and Preventing Their Misuse by Terrorists and Identity Thieves

Subcommittee on Social Security of the Committee on Ways and Means and the Subcommittee on Immigration, Border Security, and Claims of the Committee on Judiciary
U.S. House of Representatives

My name is Chris Hoofnagle and I am legislative counsel with the Electronic Privacy Information Center (EPIC), a not-for-profit research organization based in Washington, D.C.

Founded in 1994, EPIC has participated in cases involving the privacy of the Social Security Number (SSN) before federal courts and, most recently, before the Supreme Court of New Hampshire. [1] EPIC has also taken a leading role in campaigns against the use of globally unique identifiers (GUIDs) involving the Intel Processor Serial Number and the Microsoft Corporation's Passport identification and authentication system.

I appreciate the opportunity to testify this afternoon. I will briefly summarize identity theft developments, review historical and recent attempts to regulate the use of the SSN, and make recommendations. [2]

The states have taken effective, common sense steps to reduce private and public-sector reliance on use of the SSN. Congress should take action now to implement these protections on a national level. Long-term approaches to the problem of privacy and identity theft need a comprehensive legislative framework of protections for individuals. Accordingly, it will be necessary for Congress to pass legislation limiting the collection and use of the SSN to mitigate risks of identity theft and the risk that terrorists will use credit or identity fraud to harm the nation. H.R. 2036, The Social Security Number Privacy and Identity Theft Protection Act of 2001, which enjoys bipartisan support, would establish much of the framework needed to address these risks.

Identity theft accounts for over 80 percent of Social Security number misuses reported to the Social Security Administration. [3] The cost of identity theft is expected to reach eight billion dollars by the year 2005. [4] However, this represents one tenth of a percent of the credit industry's income and only a small fraction of the amount of loss due to fraud and stolen credit cards. The average loss to the financial industry is $17,000 per identity loss, but the loss to the victim is potentially much greater, especially because most victims do not discover the crime until many months after its occurrence. [5]

Most victims of identity theft face significant credit bills and the destruction of their credit history. The immediate consequence could be the loss of securing a job or purchasing a home, or worse. [6] Other victims face arrest for crimes that an impersonator has committed in their name. If the arrest occurs, it may be impossible to expunge the criminal record. Identity theft has been used to obtain employment, drivers' licenses, receive government benefits, and evade criminal prosecution. Identity theft indirectly affects everyone because it causes interest rates to increase to cover the industry's losses.

Identity thieves have proven themselves to be crafty criminals. Earlier this year, Experian, one of the principal credit reporting agencies, experienced an unprecedented breach of security involving individuals' personal information. In that case, identity thieves posed as Ford Motor Credit employees to gain access to almost 13,000 credit files of wealthy individuals. [7] In another case this year, identity thieves used stolen SSNs to engage in a series of fraudulent sales designed to strip equity from elderly homeowners in the Detroit area. [8]

But criminals do not necessarily have to be resourceful to obtain credit or identification in another person's name. The problem of identity theft has been exacerbated by the financial service industry's hunger to issue credit. Aggressive marketing of credit, including unsolicited direct mail credit advertising, gives "dumpster divers" and people with access to mailboxes opportunity to obtain credit in another's name.

Since September 11, 2001, public attention has also focused on how identity theft can facilitate terrorism or raise funds for terrorist activities. For instance, a terrorist suspect reportedly connected to the Al Qaeda network was recently charged with selling the SSNs of twenty-one people who were members of the Bally's Health Club in Cambridge, Massachusetts. The SSNs were sold in order to create false passports and credit lines for bank accounts. [9] The situation could be avoided by not collecting the SSN and by issuing health club members alternative identifiers. If the SSN was collected in order to run a credit check, the health club could have purged the SSN after the check was complete.

Several times this year, news reports have been published outlining theft of blank identity cards, equipment, and personal information. [10] Most recently, burglars entered a Colorado DMV office, and stole all the equipment and information necessary to manufacture identity cards that include a biometric identifier. [11] It is clear that the burglars involved are sophisticated criminals who disabled alarms and performed two different break-ins in one week. It is unclear how the criminals will use the identification cards and equipment.

II. Congress and the Courts Have Regulated the Collection and Use of the SSN

The Social Security Number (SSN) was created in 1936 as a nine-digit account number assigned by the Secretary of Health and Human Services for the purpose of administering the Social Security laws. SSNs were first intended for use exclusively by the federal government as a means of tracking earnings to determine the amount of Social Security taxes to credit to each worker's account. Over time, however, SSNs were permitted to be used for purposes unrelated to the administration of the Social Security system. For example, in 1961 Congress authorized the Internal Revenue Service to use SSNs as taxpayer identification numbers.

A major government report on privacy in 1973 outlined many of the risks with the use and misuse of the Social Security Number. Although the term "identify theft" was not yet in use, Records Computers and the Rights of Citizens described the risks of a "Standard Universal Identifier," how the number was promoting invasive profiling, and that many of the uses were clearly inconsistent with the original purpose of the 1936 Act. The report recommended several limitations on the use of the SSN and specifically said that legislation should be adopted "prohibiting use of an SSN, or any number represented as an SSN for promotional or commercial purposes." [12]

In response to growing risks over the accumulation of massive amounts of personal information and the recommendations contained in the 1973 report, Congress passed the Privacy Act of 1974. [13] Among other things, this Act makes it unlawful for a governmental agency to deny a right, benefit, or privilege merely because the individual refuses to disclose his SSN. This is a critical principle to keep in mind today because consumers in the commercial sphere often face the choice of giving up their privacy, their SSN, to obtain a service or product. The drafters of the 1974 law tried to prevent citizens from facing such unfair choices, particularly in the context of government services. But there is no reason that this principle could not apply equally to the private sector, and that was clearly the intent of the authors of the 1973 report.

Section 7 of the Privacy Act further provides that any agency requesting an individual to disclose his SSN must "inform that individual whether that disclosure is mandatory or voluntary, by what statutory authority such number is solicited, and what uses will be made of it." At the time of its enactment, Congress recognized the dangers of widespread use of SSNs as universal identifiers. In its report supporting the adoption of this provision, the Senate Committee stated that the widespread use of SSNs as universal identifiers in the public and private sectors is "one of the most serious manifestations of privacy concerns in the Nation." Short of prohibiting the use of the SSN outright, the provision in the Privacy Act attempts to limit the use of the number to only those purposes where there is clear legal authority to collect the SSN. It was hoped that citizens, fully informed where the disclosure was not required by law and facing no loss of opportunity in failing to provide the SSN, would be unlikely to provide an SSN and institutions would not pursue the SSN as a form of identification.

It is certainly true that the use of the SSN has expanded significantly since the provision was adopted in 1974. This is particularly clear in the financial services sector. In an effort to learn and share financial information about Americans, companies trading in financial information are the largest private-sector users of SSNs, and it is these companies that are among the strongest opponents of SSN restrictions. For example, credit bureaus maintain over 400 million files, with information on almost ninety percent of the American adult population. These credit bureau records are keyed to the individual SSN. Such information is freely sold and traded, virtually without legal limitations.

Outside the financial services sector, many companies require the SSN instead of assigning an alternative identifier. These requirements appear in a myriad of commercial interchanges, many of which absolutely do not require the SSN. For instance, Golden Tee, a popular golf video game, requires players to enter their SSN in order to engage in "tournament play." [14] The company could assign its own identifier for players, but instead relies upon the SSN, which puts players at risk by requiring them to further circulate personal information.

It is critical to understand that the legal protection to limit the collection and use of the SSN is still present in the Privacy Act and can be found also in recent court decisions that recognize that there is a constitutional basis to limit the collection and use of the SSN. When a Federal Appeals court was asked to consider whether the state of Virginia could compel a voter to disclose an SSN that would subsequently be published in the public voting rolls, the Court noted the growing concern about the use and misuse of the SSN, particularly with regard to financial services. [15] The Fourth Circuit said:

The Court concluded that to the extent the Virginia voting laws, "permit the public disclosure of Greidinger's SSN as a condition of his right to vote, it creates an intolerable burden on that right as protected by the First and Fourteenth Amendments." [18]

In a second case, testing whether a state could be required to disclose the SSNs of state employees under a state open record law where there was a strong presumption in favor of disclosure, the Ohio Supreme Court held that there were privacy limitations in the federal Constitution that weighed against disclosure of the SSN. [19] The court concluded that:

In an important recent case from the U.S. Court of Appeals for the D.C. Circuit, a Court upheld the Federal Trade Commission's determination that SSNs are nonpublic personal information under the Gramm-Leach-Bliley Act. [21] The Court rejected First and Fifth Amendment challenges to regulations that restricted the use of the SSN without giving the individual notice and opportunity to opt-out. Additionally, the Court upheld regulations that prohibited the reuse of SSNs that are furnished to credit reporting agencies. [22]

While it is true that many companies and government agencies today use the Social Security Number indiscriminately as a form of identification and authentication, it is also clear from the 1936 Act, the 1974 Privacy Act, and these three cases--Greidinger v. Davis, Beacon Journal v. City of Akron, and Trans Union v. FTC--that there is plenty of legislative and judicial support for limitations on the collection and use of the SSN. The question is therefore squarely presented whether the Congress will at this point in time follow in this tradition, respond to growing public concern, and establish the safeguards that are necessary to ensure that the problems associated with the use of the SSN do not increase.

California and Georgia have both recently enacted legislation that will increase protections against identity theft. Recognizing that most identity theft occurs when malicious actors steal personal identifiers from invoices and solicitations from mail or waste bins, California and Georgia have enacted legislation to limit the reproduction of the SSN in the private sector. Both states have incorporated common sense protections that could be adopted at the federal level to reduce identity theft.

In California, Senate Bill 168 was signed into law in October 2001. [23] The bill gives individuals the ability to request that a "security alert" be placed on their credit record via a toll-free phone number. The bill also enables Californians to request a "security freeze" that prevents credit agencies from releasing personal information from an individual's credit report. The bill places important restrictions on use of the SSN—public posting of a SSN and printing the SSN on an identity card or document used to obtain a product or service is prohibited. Businesses that use the SSN to identify customers, such as utility companies, will no longer be permitted to print the SSN on invoices or bills sent through the mail.

In Georgia, businesses are now required to safely dispose of records that contain personal identifiers. [24] Business records—including data stored on computer hard drives—must be shredded or in the case of electronic records, completely wiped clean where they contain SSNs, driver's license numbers, dates of birth, medical information, account balances, or credit limit information. The Georgia law carries penalties up to $10,000.

IV. H.R. 2036, The Social Security Number Privacy and Identity Theft Protection Act of 2001, Is a Good Proposal

The Social Security Number Privacy and Identity Theft Protection Act of 2001, sponsored by Chairman Shaw, contains a comprehensive set of rights to protect individuals from identity theft. As of this writing, the bill enjoys the bipartisan support of 77 Representatives.

Title I establishes important protections against public-sector sale or display of SSNs. We commend the Chairman for including language in the Act that would stem the unnecessary publication of the SSN. These provisions will prohibit the display of the SSN on checks and government-issued employment cards. We also commend the Chairman for including a prohibition on disclosure of the SSN to inmates. Perhaps most importantly, the language sweeps broadly enough to prohibit the display of SSNs in public records. Increasingly, public records are a source for the collection of personal identifiers that then can be reused for any purpose. It is important now more than ever to limit the appearance of SSNs in publicly-available case files and other public records, such as marriage licenses.

Title II places needed restrictions on private sector sale of the SSN. I believe it especially important that Section 202 of the bill prohibits "coercive disclosure"—the practice of denying a product or service when an individual refuses to give a SSN. Additionally, Section 203 would place the SSN "below the line" on credit reports. This is an important and much needed protection that would stem unregulated trafficking in SSNs.

Title II, however, suffers a weakness that needs attention: the rulemaking authority of the Department of Justice must be guided by the principle that the private sector should minimize the use of SSNs. This could be accomplished by adding another factor to the balancing test in Section 201(c) that requires the Department of Justice to consider whether an alternate identifier could be used in place of the SSN. In many circumstances, private entities could use an alternate identifier, and reduce privacy risk to individuals by stemming the circulation of the SSN.

Title III creates a framework of accountability of civil and criminal penalties for misuse of the SSN. We recommend that this provision be expanded to include a private right of action for the misuse of SSNs that provides for actual, liquidated, and punitive damages and that provides for the awarding of attorneys fees and costs to a plaintiff who has substantially prevailed in litigation. Additionally, provisions allowing attorneys general to enforce these protections should also be included. In recent years, state attorneys general have zealously pursued privacy violators; the application of their resources to identity theft prevention and privacy protection should be expressly encouraged.

I believe it is important that individuals do not assume civil or criminal liability for inadvertent disclosure of a false SSN, or for intentional disclosure of a false SSN when the individual is attempting to protect her privacy. Individuals often provide false information to businesses when attempting to protect their privacy. Section 302 would prohibit this form of "privacy self-defense." That section prohibits the false representation of one’s Social Security number to any individual. We recommend that this section be amended to only prohibit individuals from falsifying a SSN when there is intent to commit fraud or a crime.

Without a framework of restrictions on the collection and use of the SSN and other personal identifiers, identity theft will continue to increase, endangering individuals' privacy and perhaps the security of the nation. The best legislative strategy is one that discourages the collection and dissemination of the SSN and that encourages organizations to develop alternative systems of record identification and verification. It is particularly important that such legislation not force consumers to make unfair or unreasonable choices that essentially require trading the privacy interest in the SSN for some benefit or opportunity.

It is important to emphasize the unique status of the SSN in the world of privacy. There is no other form of individual identification that plays a more significant role in record-linkage and no other form of personal identification that poses a greater risk to personal privacy. Given the unique status of the SSN, its entirely inappropriate use as a national identifier for which it is also inherently unsuitable, and the clear history in federal statute and case law supporting restrictions, it is fully appropriate for Congress to pass legislation.

I am grateful for the opportunity to testify this afternoon and would be pleased to answer your questions.

[1] Estate of Helen Remsburg v. Docusearch, Inc., et al, C-00-211-B (N.H. 2002). In Remsburg, the "Amy Boyer" case, Liam Youens was able to locate and eventually murder Amy Boyer through hiring private investigators who tracked her by her date of birth, Social Security Number, and by pretexting. EPIC maintains information about the Amy Boyer case online at http://www.epic.org/privacy/boyer/.

[2] EPIC maintains an archive of information about the SSN online at http://www.epic.org/privacy/ssn/.

[3] Analysis of Social Security Number Misuse Allegations Made to the Social Security Administration's Fraud Hotline, Management Advisory Report, SSA (Aug. 1999).

[4] Identity Theft Complaint Data, Identity Theft Data Clearinghouse, Federal Trade Commission (2001).

[5] Statewide Grand Jury Report: Identity Theft in Florida, Case No. SC 01-1095 (Jan. 10, 2002).

[7] Security: Hackers pose as Ford Motor Credit workers to take confidential data about wealthy individuals, Los Angeles Times, May 17, 2002.

[8] Thieves Steal Homeowners' Identities and Their Equity, New York Times, May 28, 2002.

[9] Robert Ellis Smith, Privacy Protects Against Terror, Privacy Journal, Mar. 2002.

[10] A series of these reports are online at http://www.aamva.org/weekinreview/branchtheftnotices.asp.

[11] A major identity crisis: Info stolen from motor vehicles offices has residents worried, Rocky Mountain News, August 20, 2002, at http://www.rockymountainnews.com/drmn/state/article/0,1299,DRMN_21_1336085,00.html.

[12] Department of Health, Education, and Welfare, Records, Computers, and the Rights of Citizens 108-35 (MIT 1973) (Social Security Number as a Standard Universal Identifier and Recommendations Regarding Use of Social Security Number)

[13] 5 U.S.C. 552a. Marc Rotenberg, Privacy Law Sourcebook: United States Law, International Law, and Recent Developments (EPIC 2001)

[14] Official ITS Rules, at http://www.itsgames.com/ITS/its_rules.htm.

[15] Greidinger v. Davis, 988 F.2d 1344 (4th Cir. 1993) and brief amicus curiae for CPSR (Marc Rotenberg and David Sobel) (SSN requirement for voter registration) (lead case on privacy of Social Security number)

[19] Beacon Journal v. City of Akron, 70 Ohio St. 3d 605 (Ohio 1994) and brief amicus curiae for CPSR (Marc Rotenberg and David Sobel) (SSN disclosure of city employees).

[21] Trans Union L.L.C. v. Fed. Trade Comm'n, No. 01-5202, 2002 U.S. App.LEXIS 14321 (D.C. Cir. July 16, 2002), at http://pacer.cadc.uscourts.gov/common/opinions/200207/01-5202a.txt.

[22] Id. In another recent case, the D.C. Circuit rejected a First Amendment challenge to the use of credit reports for marketing purposes. Trans Union v. FTC, No. 00-1141 (D.C. Cir. 2001), cert. denied, 536 U. S. ____ (2002).

[23] California Senate Bill 168, at http://info.sen.ca.gov/pub/bill/sen/sb_0151-0200/sb_168_bill_20010914_enrolled.html.

[24] Georgia Senate Bill 475, at http://www.legis.state.ga.us/Legis/2001_02/fulltext/sb475.htm; New law takes effect to fight identity theft; Businesses face fines of up to $10,000 for not protecting data, Atlanta Journal-Constitution, July 4, 2002.