Date: Fri, 07 Jan 94 14:38:04 EST Errors-To: Comp-privacy Error Handler From: Computer Privacy Digest Moderator To: Comp-privacy@uwm.edu Subject: Computer Privacy Digest V4#015 Computer Privacy Digest Fri, 07 Jan 94 Volume 4 : Issue: 015 Today's Topics: Moderator: Leonard P. Levine Re: Phone company selling forwarding addresses Re: Phone company selling forwarding addresses Re: Autoland Credit Scam SSN reqd by public schools; DL reqd with credit card Social Security Number FAQ (long) The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu. Back issues are available via anonymous ftp on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password "yourid@yoursite". The archives are in the directory "pub/comp-privacy". Archives are also held at ftp.pica.army.mil [129.139.160.133]. ---------------------------------------------------------------------- From: rmg3@access.digex.net (Robert Grumbine) Subject: Re: Phone company selling forwarding addresses Date: 6 Jan 1994 11:02:02 -0500 Organization: Under construction In article , Dave Ptasnik wrote: >Sure enough, we are getting mail bombed by insurance agencies, siding sales reps, etc, looking for Del Murphy at the PO Box address (Welcome to town...). The only way they could have gotten that name/place combination would have been if GTE had sold it. At least we recycle.< Ditto for the Bell company in central Pennsylvania. I didn't have an identifiable name error/combination, though, to tip me off. The mail came to Mr. Phone Hooked Up. -- Bob Grumbine rmg3@access.digex.net Sagredo (Galileo Galilei) "You present these recondite matters with too much evidence and ease; this great facility makes them less appreciated than they would be had they been presented in a more abstruse manner." Two New Sciences ------------------------------ From: Dave Banisar Date: Thu, 6 Jan 1994 14:10:02 EST Subject: Re: Phone company selling forwarding addresses Organization: CPSR Washington Office Postal Service Still Selling NCOA Info FOR IMMEDIATE RELEASE: News from the office of January 4, 1994 Congressman Gary A . Condit CALIFORNIA - 15TH DISTRICT 1529 LONGWORTH HOUSE OFFICE BUILDING WASHINGTON, D.C. 20515 (202) 225-6131 CONDIT CLAIMS VICTORY IN FIGHT FOR POSTAL PRIVACY BUT NOTES CONTINUED POSTAL SERVICE VIOLATION OF FEDERAL LAWS Rep. Gary A. Condit (D-CA) today claimed a partial victory in his ongoing battle to compel the U.S. Postal Service to comply with Federal statutes that protect the privacy of customer name and address information. The Postal Service informed Condit today of its intention to alter regulations which currently allow anyone to obtain the new address of someone who has moved simply by presenting the Postal Service with the individual's old address and a $3 fee. However, the Postal Service will continue to sell change of address information to the nation's largest direct mail companies, unless someone can produce a court order to stop the sale. Condit responded to the Postal Service action: "The Postal Service has taken a small positive step to protect personal privacy and safety -- one that I've been strongly advocating. But it still has a long way to go. The Postal Service has no plan to halt its regular sale of change of address information to the junk mail industry. Ordinary citizens who want to protect their privacy will continue to have no recourse. Only those people protected by a court order will be able to prevent the Postal Service from selling their change of address information many thousands of times." Condit chairs the House Committee on Govenunent Operations Subcommittee on Information, Justice, Transportation, and Agriculture, which has oversight jurisdiction over the Postal Service. In November 1992, the Government Operations Committee issued a unanimous report, based on the subcommittee's investigation, which condemned the Postal Service's address dissemination practices. Entitled _Give Consumers a Choice: Privacy Implications of U.S. Postal Service National Change of Address Program_ (House Report 102-1067), the report explained that the Postal Service's address dissemination practices violate federal statutes restricting the release of names and addresses of postal patrons by the Postal Service. The Postal Reorganization Act prohibits the Postal Service from making available any mailing or other list of names or addresses of postal patrons or other persons. The Privacy Act of 1974 prevents agencies, including the Postal Service, from selling or renting an individual's name and address unless the agency has specific legal authority to do so. Condit continued: "I've objected to the Postal Service's sale of address information all along, not just because it violates personal privacy but also because it violates the law. Nothing the Postal Service did today cures its continuous violation of Federal statutes. The Postal Service's disregard for privacy rights and for privacy statutes is callous and irresponsible." Last year, Condit introduced legislation to give postal customers the right to prevent the U.S. Postal Service from giving out their change of address information. H.R. 1344, the Postal Privacy Act of 1993, targets both the Postal Service's $3 sale of an individual's new address and its widespread sale of change of address information through its National Change of Address (NCOA) service. Condit explained the impact of NCOA on personal privacy: "Every year, 40 million people file change of address orders with the Postal Service. Little do they realize that every one of those orders is immediately made public. Under the NCOA program, the Postal Service sells all of those records to 25 of the largest direct mail companies in the country, which in turn resell them to thousands of other mailers." Condit continued, "What makes this practice a real invasion of privacy is that the Postal Service doesn't give anyone a choice about it. If you ask the Postal Service to forward your mail, your new address is automatically made public -- and there is nothing you can do to stop it." Condit's proposed legislation would require the Postal Service to give customers explicit written nodce that their change of address information will be given out and to whom. Moreover, the legislation would require the Postal Service to include a check-off box on change of address cards where people could prevent public access to their address records. Condit added, "The Postal Service has recognized that the sale of address information invades the privacy of sonie people. It is now time to ensure that everyone with a privacy concern has the same rights. My bill would bring the Postal Service into compliance with federal law. More importantly, it would give people a say about how their personal information is used. It would give them the right to say no." 920 13th Street Federal Building Modesto, CA 95354 415 West 18th Street (209) 527-1914 Merced, CA 95340 (209) 383-4455 ------------------------------ From: jepstein@cordant.com (Jeremy Epstein -C2 PROJECT) Date: Thu, 6 Jan 1994 20:46:16 -0500 (EST) Subject: Re: Autoland Credit Scam There was a description in a recent issue of this mailing list about the Autoland scam. It was similar to something I'm going through now, and I've learned some interesting stuff. I discovered something was wrong when I received a letter from Fifth Third Bank (that's the real name) informing me that they had rejected my credit card application. After checking with MasterCard that that is a real bank (I thought it was a prank), I learned that someone had changed my address from Virginia to Houston and applied for a credit card in my name. The bank noticed that things didn't quite add up and rejected the application. Score one for the good guys. Seems that Fifth Third is seeing a rash of these, so they're working with the FBI, Secret Service, and postal inspectors on them. No one has complete jurisdiction, which slows things down. A few days later, I noticed that I hadn't received a bill from AT&T for my mastercard. I called them and discovered that they had the same wrong address in Houston for me. I changed it back and added an extra security code. The bad guy hadn't managed to charge anything to my account. The security person said that since the bad guy didn't have my card expiration date he could't charge me anything anyway. After thinking about this a few second, I realized that there are only about two dozen possible expiration dates (all cards expire within two years), so it should be easy to guess it by trying out a few choices. I convinced him to close the account and issue me new cards. Seems that if you change your address in writing (rather than on the phone) you don't need to supply your mother's maiden name, which provides something of an authenticator. Oh well. Got them to mark that *any* change, even in writing, must have the additional code. I called the rest of my credit card companies. The bad guy hadn't gotten any of those, but I put in an extra code on those. With one bank, though, it took some convincing. The nice lady said "well who would know your SSN anyway"? Guess they don't hire those folks for brains. I applied for a car looan and discovered that the bad data had made it into Equifax. After "proving" who I am to Equifax (by FAXing a copy of my Social Security card and driver's license) they took all the bad data out, and put an automatic notification on the account. Any time someone does an inquiry they're supposed to let me know about it. No charge. I'm still working on getting TRW to do the same thing. We'll see if it actually works. I asked Equifax if the FBI was interested in these things. They said that unless there's $10K or more lost, they're not interested. Lesson learned: like so many other people, I've been complacent. I'm a bit more cautious now. Amusing note: the bad guy isn't too smarrt. Instead of a PO box, he listed a street address including an apartment number. Of course I have no idea if that building actually exists. And the ironic part? I earn my living as a computer security specialist! --Jeremy Epstein Cordant, Inc. jepstein@cordant.com ------------------------------ From: wrf@ecse.rpi.edu (Wm. Randolph U Franklin) Date: 7 Jan 1994 17:28:50 GMT Subject: SSN reqd by public schools; DL reqd with credit card Organization: ECSE Dept, Rensselaer Polytechnic Institute, Troy, NY, 12180 USA The local grade schools are now advertising the times the new parents in the district can register their kids. The required documentation includes in addition to the medical record etc, the kid's SSN. Not having kids, I've not tried to see how hard it is to waive that, but it sounds illegal. ---------------- The local Service Merchandise requires the driver's licence for some people paying by credit card, like those who refuse to give an address. (They're tougher than Radio Shack at wanting addresses and phones.) Then they write the DL number on the slip. I called them later, and this is their policy when the card is not signed or they suspect fraud. Apparently not giving your address is a badge of criminality to them. Note: A "badge of criminality" is an act, that is legal in itself, but that is considered by the legal system so illogical that only a criminal would do it, and if you do, you've demonstrated criminal intent, and are guilty until proven innocent. An example is opening a safe-deposit box under another name. ------------------------ Wm. Randolph Franklin, wrf@ecse.rpi.edu, (518) 276-6077; Fax: -6261 ECSE Dept., 6026 JEC, Rensselaer Polytechnic Inst, Troy NY, 12180 USA ------------------------------ From: hibbert@netcom.com (Chris Hibbert) Subject: Social Security Number FAQ (long) Date: 7 Jan 1994 00:00:37 -0500 Organization: CPSR Archive-name: ssn-privacy If you have comments on the following, please send them to hibbert@netcom.com | This posting is available via anonymous ftp from rtfm.mit.edu in the file /pub/usenet-by-hierarchy/news/answers/ssn-privacy. It's also available from | mail-server@rtfm.mit.edu by sending a mail message containing the line "send usenet-by-hierarchy/news/answers/ssn-privacy" (without the quote marks) as | the sole contents of the body. Send a message containing "help" to get general information about the mail server, which also has many other FAQs. What to do when they ask for your Social Security Number by Chris Hibbert Computer Professionals for Social Responsibility Many people are concerned about the number of organizations asking for their Social Security Numbers. They worry about invasions of privacy and the oppressive feeling of being treated as just a number. Unfortunately, I can't offer any hope about the dehumanizing effects of identifying you with your numbers. I *can* try to help you keep your Social Security Number from being used as a tool in the invasion of your privacy. Surprisingly, government agencies are reasonably easy to deal with; private organizations are much more troublesome. Federal law restricts the agencies at all levels of government that can demand your number and a fairly complete disclosure is required even if its use is voluntary. There are no comparable Federal laws restricting the uses non-government organizations can make of it, or compelling them to tell you anything about their plans. Some states have recently enacted regulations on collection of SSNs by private entities. With private institutions, your main recourse is refusing to do business with anyone whose terms you don't like. They, in turn, are allowed to refuse to deal with you on those terms. Short History Social Security numbers were introduced by the Social Security Act of 1935. They were originally intended to be used only by the social security program. In 1943 Roosevelt signed Executive Order 9397 which required federal agencies to use the number when creating new record-keeping systems. In 1961 the IRS began to use it as a taxpayer ID number. The Privacy Act of 1974 required authorization for government agencies to use SSNs in their data bases and required disclosures (detailed below) when government agencies request the number. Agencies which were already using SSN as an identifier before January 1, 1975 were allowed to continue using it. The Tax Reform Act of 1976 gave authority to state or local tax, welfare, driver's license, or motor vehicle registration authorities to use the number in order to establish identities. The Privacy Protection Study Commission of 1977 recommended that the Executive Order be repealed after some agencies referred to it as their authorization to use SSNs. I don't know whether it was repealed, but no one seems to have cited EO 9397 as their authorization recently. Several states use the SSN as a driver's license number, while others record it on applications and store it in their database. Some states that routinely use it on the license will make up another number if you insist. According to the terms of the Privacy Act, any that have a space for it on the application forms should have a disclosure notice. Many don't, and until someone takes them to court, they aren't likely to change. (Though New York recently agreed to start adding the notice on the basis of a letter written by a reader of this blurb.) The Privacy Act of 1974 (Pub. L. 93-579) requires that any federal, state, or local government agency that requests your Social Security Number has to tell you four things: 1: Whether disclosure of your Social Security Number is required or optional, 2: What statute or other authority they have for asking for your number, 3: How your Social Security Number will be used if you give it to them, and 4: The consequences of failure to provide an SSN. In addition, the Act says that only Federal law can make use of the Social Security Number mandatory. So anytime you're dealing with a government institution and you're asked for your Social Security Number, just look for the Privacy Act Statement. If there isn't one, complain and don't give your number. If the statement is present, read it. If it says giving your Social Security Number is voluntary, you'll have to decide for yourself whether to fill in the number. Private Organizations The guidelines for dealing with non-governmental institutions are much more tenuous. Most of the time private organizations that request your Social Security Number can get by quite well without your number, and if you can find the right person to negotiate with, they'll willingly admit it. The problem is finding that right person. The person behind the counter is often told no more than "get the customers to fill out the form completely." Most of the time, you can convince them to use some other number. Usually the simplest way to refuse to give your Social Security Number is simply to leave the appropriate space blank. One of the times when this isn't a strong enough statement of your desire to conceal your number is when dealing with institutions which have direct contact with your employer. Most employers have no policy against revealing your Social Security Number; they apparently believe that it must be an unintentional slip when an employee doesn't provide an SSN to everyone who asks. Public utilities (gas, electric, phone, etc.) are considered to be private organizations under the laws regulating SSNs. Most of the time they ask for an SSN, and aren't prohibited from asking for it, but they'll usually relent if you insist. Ask to speak to a supervisor, insist that they document a corporate policy requiring it, ask about alternatives, ask why they need it and suggest alternatives. Lenders and Borrowers (those who send reports to the IRS) Banks and credit card issuers and various others are required by the IRS to report the SSNs of account holders to whom they pay interest or when they charge interest and report it to the IRS. If you don't tell them your number you will probably either be refused an account or be charged a penalty such as withholding of taxes on your interest. Most banks send your name, address, and SSN to a company called ChexSystem when you open an account. ChexSystem keeps a database of people whose accounts have been terminated for fraud or chronic insufficient funds in the past 5 years. ChexSystems is covered by the Fair Credit Reporting Act, and the bank is required to let you know if it refuses to open your account and a report from ChexSystems was a factor. You can also send a letter to ChexSystems directly and request a copy of your report. Many Banks, Brokerages, and other financial institutions have started implementing automated systems to let you check your balance. All too often, they are using SSNs as the PIN that lets you get access to your personal account information. If your bank does this to you, write them a letter pointing out how common it is for the people with whom you have financial business to know your SSN. Ask them to change your PIN, and if you feel like doing a good deed, ask them to stop using the SSN as a default identifier for their other customers. Some customers will believe that there's some security in it, and be insufficiently protective of their account numbers. Sometimes banks provide for a customer-supplied password, but are reluctant to advertise it. The only way to find out is to ask if they'll let you provide a password. (This is reportedly true of Citibank Visa, e.g. They ask for a phone number but are willing to accept any password.) When buying (and possibly refinancing) a house, most banks will now ask for your Social Security Number on the Deed of Trust. This is because the Federal National Mortgage Association recently started requiring it. The fine print in their regulation admits that some consumers won't want to give their number, and allows banks to leave it out when pressed. [It first recommends getting it on the loan note, but then admits that it's already on various other forms that are a required part of the package, so they already know it. The Deed is a public document, so there are good reasons to refuse to put it there, even though all parties to the agreement already have access to your number.] Insurers, Hospitals, Doctors No laws require medical service providers to use your Social Security Number as an ID number (except for Medicare, Medicaid, etc.) They often use it because it's convenient or because your employer uses it to identify employees to its groups health plan. In the latter case, you have to get your employer to change their policies. Often, the people who work in personnel assume that the employer or insurance company requires use of the SSN when that's not really the case. When a previous employer asked for my SSN for an insurance form, I asked them to try to find out if they had to use it. After a week they reported that the insurance company had gone along with my request and told me what number to use. Blood banks also ask for the number but are willing to do without if pressed on the issue. After I asked politely and persistently, the blood bank I go to agreed that they didn't have any use for the number. They've now expunged my SSN from their database, and they seem to have taught their receptionists not to request the number. Most insurance companies share access to old claims through the Medical Information Bureau. If your insurance company uses your SSN, other insurance companies will have a much easier time finding out about your medical history. You can get a copy of the file MIB keeps on you by writing to Medical Information Bureau, P.O. Box 105, Essex Station, Boston, MA 02112. Their phone number is (617)426-3660. If an insurance agent asks for your Social Security Number in order to "check your credit", point out that the contract is invalid if your check bounces or your payment is late. They don't need to know what your credit is like, just whether you've paid them. Children The Family Support Act of 1988 (Pub. L. 100-485) requires states to require parents to give their Social Security Numbers in order to get a birth certificate issued for a newborn. The law allows the requirement to be waived for "good cause", but there's no indication of what may qualify. The IRS requires taxpayers to report SSNs for dependents over one year of age, but the requirement can be avoided if you're prepared to document the existence of the child by other means if challenged. The law on this can be found at 26 USC 6109. The penalty for not giving a dependant's number is only $5. Several people have reported that they haven't provided SSNs for their dependents for several years, and haven't been challenged by the IRS. Universities and Colleges Universities that accept federal funds are subject to the Family Educational Rights and Privacy Act of 1974 (the "Buckley Amendment"), which prohibits them from giving out personal information on students without permission. There is an exception for directory information, which is limited to names, addresses, and phone numbers, and another exception for release of information to the parents of minors. There is no exception for Social Security Numbers, so covered Universities aren't allowed to reveal students' numbers without their permission. In addition, state universities are bound by the requirements of the Privacy Act, which requires them to provide the disclosures mentioned above. If they make uses of the SSN which aren't covered by the disclosure they are in violation. Why SSNs are a bad choice for UIDs in data bases Database designers continue to introduce the Social Security Number as the key when putting together a new database or when re-organizing an old one. Some of the qualities that are (often) useful in a key and that people think they are getting from the SSN are Uniqueness, Universality, Security, and Identification. When designing a database, it is instructive to consider which of these qualities are actually important in your application; many designers assume unwisely that they are all useful for every application, when in fact each is occasionally a drawback. The SSN provides none of them, so designs predicated on the assumption that it does provide them will fail in a variety of ways. Uniqueness Many people assume that Social Security Numbers are unique. They were intended by the Social Security Administration to be unique, but they didn't take sufficient precautions to ensure that it would be so. There have been several instances when two different SSA offices issued the same number to different people. They have also given a previously issued number to someone with the same name as the original recipient, thinking it was the same person asking again. There are a few numbers that were used by thousands of people because they were on sample cards shipped in wallets by their manufacturers. (One is given below.) The passage of the Immigration reform law in 1986 caused an increase in the duplicate use of SSNs. Since the SSN is now required for employment, illegal immigrants must find a valid name/SSN pair in order to fool the INS, and IRS long enough to collect a paycheck. Using the SSN when you can't cross-check your database with the SSA means you can count on getting some false numbers mixed in with the good ones. Universality Not everyone has a Social Security Number. Foreigners are the primary exception, but many children don't get SSNs until they're in school. They were only designed to be able to cover people who were eligible for Social Security. Identification Few people ever ask to see an SSN card; they believe whatever you say. The ability to recite the number provides little evidence that you're associated with the number in anyone else's database. There's little reason to carry your card with you anyway. It isn't a good form of identification, and if your wallet is lost or stolen, it provides another way for the thief to hurt you, especially if any of your banks use the SSN as your PIN. Security The card is not at all forgery-resistant, even if anyone did ever ask for it. The numbers don't have any redundancy (no check-digits) so any 9-digit number in the range of numbers that have been issued is a valid number. It's relatively easy to copy the number incorrectly, and there's no way to tell that you've done so. In most cases, there is no cross-checking that a number is valid. Credit card and checking account numbers are checked against a database almost every time they are used. If you write down someone's phone number incorrectly, you find out the first time you try to use it. Why you should resist requests for your SSN When you give out your number, you are providing access to information about yourself. You're providing access to information that you don't have the ability or the legal right to correct or rebut. You provide access to data that is irrelevant to most transactions but that will occasionally trigger prejudice. Worst of all, since you provided the key, (and did so "voluntarily") all the info discovered under your number will be presumed to be true, about you, and relevant. A major problem with the use of SSNs as identifiers is that it makes it hard to control access to personal information. Even assuming you want someone to be able to find out some things about you, there's no reason to believe that you want to make all records concerning yourself available. When multiple record systems are all keyed by the same identifier, and all are intended to be easily accessible to some users, it becomes difficult to allow someone access to some of the information about a person while restricting them to specific topics. Unfortunately, far too many organizations assume that anyone who presents your SSN must be you. When more than one person uses the same number, it clouds up the records. If someone intended to hide their activities, it's likely that it'll look bad on whichever record it shows up on. When it happens accidentally, it can be unexpected, embarrassing, or worse. How do you prove that you weren't the one using your number when the record was made? What you can do to protect your number If despite your having written "refused" in the box for Social Security Number, it still shows up on the forms someone sends back to you (or worse, on the ID card they issue), your recourse is to write letters or make phone calls. Start politely, explaining your position and expecting them to understand and cooperate. If that doesn't work, there are several more things to try: 1: Talk to people higher up in the organization. This often works simply because the organization has a standard way of dealing with requests not to use the SSN, and the first person you deal with just hasn't been around long enough to know what it is. 2: Enlist the aid of your employer. You have to decide whether talking to someone in personnel, and possibly trying to change corporate policy is going to get back to your supervisor and affect your job. 3: Threaten to complain to a consumer affairs bureau. Most newspapers can get a quick response. Ask for their "Action Line" or equivalent. If you're dealing with a local government agency, look in the state or local government section of the phone book under "consumer affairs." If it's a federal agency, your congressmember may be able to help. 4: Insist that they document a corporate policy requiring the number. When someone can't find a written policy or doesn't want to push hard enough to get it, they'll often realize that they don't know what the policy is, and they've just been following tradition. 5: Ask what they need it for and suggest alternatives. If you're talking to someone who has some independence, and they'd like to help, they will sometimes admit that they know the reason the company wants it, and you can satisfy that requirement a different way. 6: Tell them you'll take your business elsewhere (and follow through if they don't cooperate.) 7: If it's a case where you've gotten service already, but someone insists that you have to provide your number in order to have a continuing relationship, you can choose to ignore the request in hopes that they'll forget or find another solution before you get tired of the interruption. If someone absolutely insists on getting your Social Security Number, you may want to give a fake number. There are legal penalties for providing a false number when you expect to gain some benefit from it. A federal court of appeals ruled that using a false SSN to get a Driver's License violates the federal law. There are a few good choices for "anonymous" numbers. Making one up at random is a bad idea, as it may coincide with someone's real number and cause them some amount of grief. It's better to use a number like 078-05-1120, which was printed on "sample" cards inserted in thousands of new wallets sold in the 40's and 50's. It's been used so widely that both the IRS and SSA recognize it immediately as bogus, while most clerks haven't heard of it. There are several patterns that have never been assigned, and which therefore | don't conflict with anyone's real number. They include numbers with any | field all zeroes, and numbers with a first digit of 8 or 9. For more details | on the structure of SSNs and how they are assigned, use anonymous ftp to | retrieve the file /CPSR/SSN/SSN-structure from the machine cpsr.org. | Giving a number with an unused patterns rather than your own number isn't | very useful if there's anything serious at stake since they're likely to be noticed . The Social Security Administration recommends that people showing | Social Security cards in advertisements use numbers in the range 987-65-4320 through 987-65-4329. If you're designing a database or have an existing one that currently uses | SSNs and want to use numbers other than SSNs, you should make your | identifiers use some pattern other than 9 digits. You can make them longer | or shorter than that, or include letters somewhere inside. That way no one | will mistake the number for an SSN. | The Social Security Administration recommends that you request a copy of your file from them every few years to make sure that your records are correct (your income and "contributions" are being recorded for you, and no one else's are.) As a result of a recent court case, the SSA has agreed to accept corrections of errors when there isn't any contradictory evidence, SSA has records for the year before or after the error, and the claimed earnings are consistent with earlier and later wages. (San Jose Mercury News, 5/14, 1992 p 6A) Call the Social Security Administration at (800) 772-1213 and ask for Form 7004, (Request for Earnings and Benefit Estimate Statement.) When All Else Fails | (Getting a Replacement Number) | The Social Security Administration (SSA) will occasionally issue a | replacement SSN. The most common justification is that the SSA or the IRS | has mixed together earnings records from more than one person, and since one | of the people can't be located, it's necessary to issue a new number to the | other. The SSA tries very hard to contact the person who is using the number | incorrectly before resorting to this process. | There are a few other situations that the SSA accepts as justifying a new | number. The easiest is if the number contains the sequences 666 or 13. The | digits need to be consecutive according to SSA's policy manual, but may be | separated by hyphens. You apparently don't have to prove that your religious | objection is sincere. Other commonly accepted complaints include harassment, | sequential numbers assigned to family members, or serious impact on your | credit history that you've tried to clear up without success. | In all cases, the process includes an in-person interview at which you have | to establish your identity and show that you are the original assignee of the | number. The decision is normally made in the local office. If the problem | is with a credit bureau's records, you have to show that someone else | continues to use your number, and that you tried to get the credit bureau to | fix your records but were not successful. When they do issue a new number, | the new recoreds are linked to the old ones. (Unless you can convince them | that your life might be endangered by such a link.) | There are a few justifications that they don't accept at all: attempting to | avoid legal responsibilities, poor credit record which is your own fault, | lost SSNm card (without evidence that someone else has used it), or use of | the number by government agencies or private companies. | The only justification the SSA accepts for cancelling the issuance of an SSN | is that the number was assigned under their Enumeration at Birth program | without the parent's consent. In this case, the field officer is instructed | to try very hard to convince the parent that getting the number revoked is | futile, but to give in when the parent is persistent. | US Passports The application for US Passports (DSP-11 12/87) requests a Social Security Number, but gives no Privacy Act notice. There is a reference to "Federal Tax Law" and a misquotation of Section 6039E of the 1986 Internal Revenue | Code, claiming that the section requires that you provide your name, mailing address, date of birth, and Social Security Number. The referenced section only requires TIN (SSN), and it requires that it be sent to the IRS and not to the Passport office. It appears that when you apply for a passport, you can refuse to reveal your SSN to the passport office, and instead mail a notice to the IRS, giving only your SSN (other identifying info optional) and notifying them that you are applying for a passport. [Copies (in | postscript) of the letter that was used successfully by one contributor are | available by anonymous ftp from cpsr.org in /cpsr/ssn/passport.ps.Z. I'd be | interested in hearing how the State department and the Post Office (which | processes passport applications) react.] | Results from Some Recent Legal Cases (3/24/93) CPSR joined two legal cases in 1992 which concerned Social Security Numbers and privacy. One of them challenged the IRS practice of printing Social Security Numbers on mailing labels when they send out tax forms and related correspondence. The other challenged Virginia's requirement of a Social Security Number in order to register to vote. Dr. Peter Zilahy Ingerman filed suit against the IRS in Federal District Court in 1991, and CPSR filed a friend of the court brief in August '91. The case was decided in favor of the IRS. According to "Privacy Journal", the IRS plans to start covering the SSNs on its mailing labels. The Virginia case was filed by a resident of the state who refused to supply a Social Security Number when registering to vote. When the registrar refused to accept his registration, he filed suit. He also challenged the state of Virginia on two other bases: the registration form lacked a Privacy Act notice, and the voter lists the state publishes include Social Security Numbers. The Federal court of appeals ruled that the state of Virginia may not allow the disclosure of Social Security numbers as a condition of registering to vote. The court said that the Virginia requirement places an "intolerable burden" on the right to vote. The case is officially referred to as Greidinger v. Davis, No. 92-1571, Fourth Circuit Court of Appeals, March 22, 1993. If you have suggestions for improving this document please send them to me at: Chris Hibbert hibbert@netcom.com or 1195 Andre Ave. | Mountain View, CA 94040 ------------------------------ End of Computer Privacy Digest V4 #015 ****************************** .