Date: Tue, 19 Mar 96 11:09:00 EST Errors-To: Comp-privacy Error Handler From: Computer Privacy Digest Moderator To: Comp-privacy@uwm.edu Subject: Computer Privacy Digest V8#025 Computer Privacy Digest Tue, 19 Mar 96 Volume 8 : Issue: 025 Today's Topics: Moderator: Leonard P. Levine Re: Legal Restrictions on SSN Re: Legal Restrictions on SSN Identification challenge Re: Privacy Suit in San Diego Re: 800 ANI Re: 800 ANI Re: 800 ANI MS Internet Assistant Cache Re: Netscape Problems Help about IDEA Encryption Social Security Number FAQ Info on CPD [unchanged since 11/22/95] ---------------------------------------------------------------------- From: johnl@iecc.com (John R Levine) Date: 17 Mar 96 18:23 EST Subject: Re: Legal Restrictions on SSN Organization: I.E.C.C., Trumansburg, N.Y. If someone knows of any other relevant federal laws, please post them with specific cites. This language dates from the original 1939 Social Security Act, at which time it never occurred to anyone that SSNs would be used outside the government, but the law says what it says. It looks to me like section (7)(B) broadly prohibits lying about your SSN. Note the last phrase before part (A), "for any other purpose". What is says is: 42 USC Sec. 408 [Whoever] (7) for the purpose of causing an increase in any payment authorized under this subchapter (or any other program financed in whole or in part from Federal funds), or for the purpose of causing a payment under this subchapter (or any such other program) to be made when no payment is authorized thereunder, or for the purpose of obtaining (for himself or any other person) any payment or any other benefit to which he (or such other person) is not entitled, or for the purpose of obtaining anything of value from any person, or for any other purpose - (A) willfully, knowingly, and with intent to deceive, uses a social security account number, assigned by the Secretary (in the exercise of his authority under section 405(c)(2) of this title to establish and maintain records) on the basis of false information furnished to the Secretary by him or by any other person; or (B) with intent to deceive, falsely represents a number to be the social security account number assigned by the Secretary to him or to another person, when in fact such number is not the social security account number assigned by the Secretary to him or to such other person; or (C) knowingly alters a social security card issued by the Secretary, buys or sells a card that is, or purports to be, a card so issued, counterfeits a social security card, or possesses a social security card or counterfeit social security card with intent to sell or alter it; or (8) discloses, uses, or compels the disclosure of the social security number of any person in violation of the laws of the United States; shall be guilty of a felony and upon conviction thereof shall be fined under title 18 or imprisoned for not more than five years, or both. -- John R. Levine, IECC, POB 640 Trumansburg NY 14886 +1 607 387 6869 johnl@iecc.com "Space aliens are stealing American jobs." - Stanford econ prof ------------------------------ From: curunir@deltanet.com Date: 18 Mar 1996 05:52:59 GMT Subject: Re: Legal Restrictions on SSN Organization: Delta Internet Services, Anaheim, CA References: Robert Gellman wrote: The only real federal law restricting the collection of SSNs is section 7 of the Privacy Act of 1974. That is Public Law 93-579, and section 7 is uncodified. It can be found at 5 USC 552a note. Here is the text: (a)(1) It shall be unlawful for any Federal, State or localH government agency to deny to any individual any right, benefit, or privilege provided by law because of such individual's refusal to disclose his social security account number. (b) Any Federal, State, or local government agency which requests an individual to disclose his social security account number shall inform that individual whether that disclosure is mandatory or voluntary, by what statutory or other authority such number is solicited, and what uses will be made of it. Two items: How did the codification miss that particular section? I thought codification took the public law word for word into the US Code... Second, my employer demands I get an airport ID at the Long Beach Airport. In the absence of a privacy act disclosure statement, I refused to give my SSAN. Now they're demanding it again. I think they probably qualify under one of the exceptions (as a polic agency), but it seems to me that they still have to give out a disclosure notice. Showing them a copy of the law simply does not impress them - no SSAN, no ID. So what do I do? ------------------------------ From: rj.mills@pti-us.com (Dick Mills) Date: 18 Mar 1996 09:22:25 -0500 Subject: Identification challenge After reading so much about SSN abuse here in CPD and elsewhere, I despair at ever solving the SSN problem. The genie is out of the bottle. We privacy advocates, by refusing to accept this fact, may be shooting ourselves in our collective feet. Real people are being harmed every day because SSN fails to provide secure identification. It is time to think of other ways to protect our identities. Even simple daily activities cause privacy conflicts. To protect the privacy of my bank account, I require the bank to secure the identity of persons attempting to access it. On one hand, I may feel invaded when the bank demands that I identify myself. On the other hand, I would be angry if the bank failed to protect me from an unauthorized person using a false identity. The simple act of identification necessarily invades privacy to protect privacy. I challenge us net.citizens to propose a solution to this simplest of all privacy problems. Rather than SSN, what practical means is there of identifying people? A practical system should not be dependent on nationality, or race, or electronics, or superior math skills. It must be affordable, fraud resistant, scaleable, applicable anywhere, and not offensive to privacy advocates or civil libertarians. It should not be able to be used for passive surveillance of an entire populace by machine. Me? I'd vote for face or voice recognition by a fellow human; except that fails the scalability requirement. If there is no solution, then compromise is necessary. Some of our beloved principles have to give, and we should be working to define our priorities. -- Dick Mills +1(518)395-5154 O- http://www.pti-us.com AKA dmills@albany.net http://www.albany.net/~dmills ------------------------------ From: prvtctzn@aol.com (Prvt Ctzn) Date: 17 Mar 1996 13:38:32 -0500 Subject: Re: Privacy Suit in San Diego Organization: America Online, Inc. (1-800-827-6364) References: >The paragraph stated, in general terms, that the check was an agreement >between the individual and the retailer. That the retailer agreed not >to use the individual's address WITHOUT consent, and that the check >endoresment was not consent. Also, the paragraph sited some 'specific >consumer protection bill' (my words, I'm looking to find out what this >reference was!) I believe the reference you seek was to the : `Universal' Commercial Code.. otherwise (and better) known as the Uniform Commercial Code. The guy's name is Robert Beken, and he sued a division of Tandy Corp (Computer City?) . Robert Bulmash Private Citizen, Inc. http://webmill.com/prvtctzn/home ------------------------------ From: johnl@iecc.com (John R Levine) Date: 17 Mar 96 17:52 EST Subject: Re: 800 ANI Organization: I.E.C.C., Trumansburg, N.Y. References: This is exactly the attitude I was complaining about, i.e., "we're not going to solve the problem because..." vs. "here's how the problem can be solved...." Don't give up so easily. An important question to start with is how much per month extra you're willing to pay to make 800 numbers blockable. Someone has to pay, and 800 customers certainly don't have any interest in paying for this. If, as I suspect, the answer for most people is "nothing", that suggests that nothing's going to change. A reasonable compromise requiring no technical changes at all is to encourage organizations with 800 numbers to publish equivalent non-800 numbers, which you can call if you don't want them to get ANI. Smart organizations publish their regular numbers anyway, so that potential customers outside of the area where their 800 number works can call them. Dumb but true: US companies put ads in European magazines with the only contact number an 800 number you can't call from Europe. -- John R. Levine, IECC, POB 640 Trumansburg NY 14886 +1 607 387 6869 johnl@iecc.com "Space aliens are stealing American jobs." - Stanford econ prof ------------------------------ From: wbe@psr.com (Winston Edmond) Date: 18 Mar 1996 15:29:26 GMT Subject: Re: 800 ANI Organization: Panther Software and Research References: I believe there are two issues regarding "ANI blocking": a policy issue and a technological issue, and that no one with the power to change the technology is going to do so unless the prevailing policy is addressed first. The policy is that the one who pays for the call is entitled to enough information to determine whether or not their bill is correct. "Somebody, somewhere, but we're not going to tell you who or where, called and you owe us $5 for the call" isn't an acceptable billing practice. * CLID when you pay for the call does not conflict with this policy and so blocking options are acceptable. * You may have seen warnings that calls to cellular phones may result in the called person getting your phone number. Cellular phone customers pay for incoming calls and thus fall under the policy. * If 800-number customers are entitled to caller information at the end of the month, then they are equally entitled to it at the time of the call. IMO, the best deal you'll ever get if you pursue "ANI blocking" is suppression of the last 4 digits of the number, as in 614-366-xxxx. That still marginally satisfies policy while providing some anonymity. Of course, whether or not something like this would ever be implemented depends on the market. CLID is sold to call recipients (who aren't paying for the call) under the banner of security, caution, anti- harrassment, etc. The equivalent for ANI blocking would be to offer you, the caller, an extra-cost service to block the low 4 digits of your number when calling an 800 or 888 number. Would you pay $5 / month for that? If enough people answer yes, then maybe you have a chance of seeing it happen. Unlike CLID, where both caller and callee got new capabilities at the same time, ANI blocking has to be proposed in an environment where service to the callee already exists. Certainly the current 800/888 and cellular customers aren't going to pay extra, and they may well complain that such a capability by callers would reduce the value of the service they now have. Anyhow, as I said, the issue of ANI blocking isn't primarily technological (though there may well be some of those, too). -- WBE ------------------------------ From: tpeters@hns.com (Thomas Peters) Date: 18 Mar 1996 18:23:32 GMT Subject: Re: 800 ANI Organization: Hughes Network Systems Inc. References: The technical challenge in blocking the calling number from 800 and 900 numbers and other recipient-pays services is considerable, but that isn't the real point. There are essentially no customers for this feature, where customer is defined as someone who pays money. The callers want it, but they aren't paying for the call. With possibly a few exceptions (e.g. tip lines), the 800-number owners will not support the service. The information is valuable to them and the 800-number is worth less if they cannot have it. Aside from all of the other reasons for wanting the information, the need to audit long-distance phone bills is real. So I don't see any of the long distance providers jumping at the chance to add this expensive new feature and aggravate their own customers. What's left? Pass a law! This would allow everyone to help pay for the feature :-). Of course, if anonymous call rejection is allowed, most 800-number owners will probably sign up for it and we will be right back where we started. -- Tom Peters ------------------------------ From: Shannon Wenzel Date: 17 Mar 1996 21:23:52 -0500 Subject: MS Internet Assistant Cache Organization: Netcom I have begun learning HTML programming. In order to place an example graphic on an HTML page, I thought I would scan my harddisk for a suitable GIF or JPEG image. In Win95, I lauched the FIND utility and typed *.GIF. In seconds, a huge list of GIFS scolled across the screen. I though this was odd so I wen to the directory. Perhaps many of you are aware of Internet Assistant caching; I was not. There were 7.2Mb of GIFs and JPEGs from pages I had visited in the /CACHE directory. Needless to say, I was shocked and somewhat concerned that these images had been saved to my hard drive. Has anyone else had experience with this? I am concerned about "virus" delivery or some other unscrupulous use of such technology. -- /////////////////////////////////////////////////////////////// Shannon Wenzel KA3WBH Princeton, NJ Is it not possible than an individual may be right and a government wrong? -- Henry David Thoreau \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ ------------------------------ From: Barry Campbell Date: 18 Mar 1996 01:48:06 -0500 Subject: Re: Netscape Problems Organization: CTSL References: Prof. L. P. Levine wrote: This is insidious; it means that E-mail messages, purportedly from me (and all traces will show they really are from me) can be sent anywhere, without my knowledge, with contents that I do not approve. Further, it means that I can no longer count on browsing a site without my userid being disclosed. Unlike Java, there is no way to disable this. [Also been submitted to Netscape.] There is now. Netscape has released version 2.01 of its Navigator software, which plugs this Javascript security hole and also fixes some other security-related problems. (You can also, at your discretion, now "turn off" Java and JavaScript support in the Netscape browser.) If you're interested in the particulars, point your browser to: http://home.netscape.com/newsref/std/java_security.html -- Barry Campbell | "There's no difference between theory | and practice in theory, but there is http://www.cris.com/~Btc | in practice." ------------------------------ From: deezxl@sunstation2.tsinghua.edu.cn (HOME_Xuelong Zhu) Date: 19 Mar 1996 02:29:16 GMT Subject: Help about IDEA Encryption Organization: Peking Univerity Where can I find the papers, technical reports or other materials about security consideration, security authentication, cryptanalysis of the IDEA (the International Data Encryption Algorithm). Can you tell me how and why the IDEA works. Specially 1) why and how the MA structure plays an important role. 2) How the operations from three groups of order 2^n (2 to the n_th power) play important roles. 3) is it the key point of the algorithm that one of the two groups in MA structure can be looked as a field and the other one can be looked as a ring in nature. 4) Why the little change from PEA to IDEA make the algorithm ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ stronger. ^^^^^^^^ Please send email to: deezxl@tsinghua.edu.cn Thank you advance ------------------------------ From: hibbert@netcom.com (Chris Hibbert) Date: 10 Mar 1996 14:10:27 GMT Subject: Social Security Number FAQ Organization: Computer Professionals for Social Responsibility If you have comments on the following, please send them to me at hibbert@netcom.com. A description of how to retrieve the most recent version of this and related documents appears at the end. What to do when they ask for your Social Security Number by Chris Hibbert Computer Professionals for Social Responsibility Many people are concerned about the number of organizations asking for their Social Security Numbers. They worry about invasions of privacy and the oppressive feeling of being treated as just a number. Unfortunately, I can't offer any hope about the dehumanizing effects of identifying you with your numbers. I *can* try to help you keep your Social Security Number from being used as a tool in the invasion of your privacy. The advice in this FAQ deals primarily with the Social Security Number used | in the US, though the privacy considerations are equally applicable in many | other countries. The laws explained here are US laws. The advice about | dealing with bureaucrats and clerks is universal. | The Privacy Act of 1974 The Privacy Act of 1974 (Pub. L. 93-579, in section 7), which is the primary | law affecting the use of SSNs, requires that any federal, state, or local | government agency that requests your Social Security Number has to tell you four things: 1: Whether disclosure of your Social Security Number is required or optional, 2: What statute or other authority they have for asking for your number, 3: How your Social Security Number will be used if you give it to them, and 4: The consequences of failure to provide an SSN. In addition, the Act says that only Federal law can make use of the Social Security Number mandatory (at 5 USC 552a note). So anytime you're dealing with a government institution and you're asked for your Social Security Number, look for the Privacy Act Statement. If there isn't one, complain and don't give your number. If the statement is present, read it. Once | you've read the explanation of whether the number is optional or required, | and the consequences of refusing to give your number, you'll be able to | decide for yourself whether to fill in the number. There are several kinds of governmental organizations (see the list in the | "Short History" section below) that usually have authority to request your | number, but they are all required to provide the Privacy Act Statement | described above. The only time you should be willing to give your number | with reading that notice is when the organization you are dealing with is | not a part of the government. | Why You May Want to Resist Requests for Your SSN When you give out your number, you are providing access to information about yourself. You're providing access to information that you don't have the ability or the legal right to correct or rebut. You provide access to data that is irrelevant to most transactions but that will occasionally trigger prejudice. Worst of all, since you provided the key, (and did so "voluntarily") all the info discovered under your number will be presumed to be true, about you, and relevant. A major problem with the use of SSNs as identifiers is that it makes it hard to control access to personal information. Even assuming you want someone to be able to find out some things about you, there's no reason to believe that you want to make all records concerning yourself available. When multiple record systems are all keyed by the same identifier, and all are intended to be easily accessible to some users, it becomes difficult to allow someone access to some of the information about a person while restricting them to specific topics. Unfortunately, far too many organizations assume that anyone who presents your SSN must be you. When more than one person uses the same number, it clouds up the records. If someone intended to hide their activities, it's likely that it'll look bad on whichever record it shows up on. When it happens accidentally, it can be unexpected, embarrassing, or worse. How do you prove that you weren't the one using your number when the record was made? What You Can Do to Protect Your Number Here are some suggestions for negotiating with people who don't want to give | you what you want. They work whether the problem has to do with SSNs (your | number is added to a database without your consent, someone refuses to give | you service without getting your number, etc.) or is any other problem with | a clerk or bureaucrat who doesn't want to do things any way other than what | works for 99% of the people they see. Start politely, explaining your | position and expecting them to understand and cooperate. If that doesn't work, there are several more things to try: 1: Talk to people higher up in the organization. This often works simply because the organization has a standard way of dealing with requests not to use the SSN, and the first person you deal with just hasn't been around long enough to know what it is. 2: Enlist the aid of your employer. You have to decide whether talking to someone in personnel, and possibly trying to change corporate policy is going to get back to your supervisor and affect your job. The people in the personnel and benefits | departments often carry a lot of weight when dealing with health | insurance companies. | 3: Threaten to complain to a consumer affairs bureau. Most newspapers can get a quick response. Ask for their "Action Line" or equivalent. If you're dealing with a local government agency, look in the state or local government section of the phone book under "consumer affairs." If it's a federal agency, your congressmember may be able to help. 4: Insist that they document a corporate policy requiring the number. When someone can't find a written policy or doesn't want to push hard enough to get it, they'll often realize that they don't know what the policy is, and they've just been following tradition. 5: Ask what they need it for and suggest alternatives. If you're talking to someone who has some independence, and they'd like to help, they will sometimes admit that they know the reason the company wants it, and you can satisfy that requirement a different way. 6: Tell them you'll take your business elsewhere (and follow through if they don't cooperate.) 7: If it's a case where you've gotten service already, but someone insists that you have to provide your number in order to have a continuing relationship, you can choose to ignore the request in hopes that they'll forget or find another solution before you get tired of the interruption. How To Find Out If Someone Is Using Your Number There are two good places to look to find out if someone else is using your | number: the Social Security Administration's (SSA) database, and your credit | report. If anyone else used your number when applying for a job, their | earnings will appear under your name in the SSA's files. If someone uses | your SSN (or name and address) to apply for credit, it will show up in the | files of the big three credit reporting agencies. | The Social Security Administration recommends that you request a copy of your file from them every few years to make sure that your records are correct (your income and "contributions" are being recorded for you, and no one else's are.) As a result of a recent court case, the SSA has agreed to accept corrections of errors when there isn't any contradictory evidence, SSA has records for the year before or after the error, and the claimed earnings are consistent with earlier and later wages. (San Jose Mercury News, 5/14, 1992 p 6A) Call the Social Security Administration at (800) 772-1213 and ask for Form 7004, (Request for Earnings and Benefit Estimate Statement.) The forms are available online at the SSA's website: | http://www.ssa.gov/online/forms.html. You can also pick up a copy at any | office of the SSA. | Information about the credit reporting agencies is available in the Junk | Mail FAQ, and various other privacy-related FAQs. Try looking at | http://www.cpsr.org/dox/program/privacy/privacy.html | Choosing A Key For New Databases Most organizations that have studied the issue have concluded that a simple | combination of Name, Address, and Phone number is usually sufficient. In | cases where you are likely to be dealing with several members of the same | family (and thus Jr. and Sr. might have matching records, you can add Date | of Birth. If the database saves an old address and the date of the move, | that will usually be sufficient to identify particular clients uniquely. | If you're designing a database or have an existing one that currently uses | SSNs and want to use numbers other than SSNs, it's useful to have the | identifiers use some pattern other than 9 digits. You can make them longer | or shorter than that, or include letters. That way it won't be mistaken for | an SSN. | Some of the qualities that are (often) useful in a key and that people think they are getting from the SSN are uniqueness, universality, security, and identification. When designing a database, it is instructive to consider which of these qualities are actually important in your application; many designers assume unwisely that they are all useful for every application, when in fact each is occasionally a drawback. The SSN provides none of them, so designs predicated on the assumption that it does provide them will fail in a variety of ways. Uniqueness Many people assume that Social Security Numbers are unique. They were intended by the Social Security Administration to be unique, but the SSA didn't take sufficient precautions to ensure that it would be so. They have several times given a previously issued number to someone with the same name and birth date as the original recipient, thinking it was the same person asking again. There are a few numbers that were used by thousands of people because they were on sample cards shipped in wallets by their manufacturers. (One is given below.) The passage of the Immigration reform law in 1986 caused an increase in the duplicate use of SSNs. Since the SSN is now required for employment, illegal immigrants must find a valid name/SSN pair in order to fool the INS and IRS long enough to collect a paycheck. Using the SSN when you can't cross-check your database with the SSA means you can count on getting some false numbers mixed in with the good ones. Universality Not everyone has a Social Security Number. Foreigners are the primary exception (though the SSA will now assign a number to a legal immigrant | without connecting that to the authority to work), but many children don't | get SSNs until they're in school (and some not until they get jobs). They | were only designed to be able to cover people who were eligible for Social Security. If your database will keep records on organizations as well as individuals, you should realize that they're not covered either. Identification Few people ever ask to see an SSN card; they believe whatever you say. The ability to recite nine digits provides little evidence that you're associated with the number in anyone else's database. There's little reason to carry your card with you anyway. It isn't a good form of identification, and if your wallet is lost or stolen, it provides another way for the thief to hurt you. Security Older cards are not at all forgery-resistant, even if anyone did ever ask for it. (Recently-issued cards are more resistant to forgery.) The numbers don't have any redundancy (no check-digits) so any 9-digit number in the range of numbers that have been issued is a valid number. It's relatively easy to write down the number incorrectly, and there's no way to tell that you've done so. In most cases, there is no cross-checking that a number is valid. Credit card and checking account numbers are checked against a database almost every time they are used. If you write down someone's phone number incorrectly, you find out the first time you try to use it. An incorrect SSN might go unnoticed for years in some databases. In others it will likely be caught at tax time, but could cause a variety of headaches. Short History Social Security numbers were introduced by the Social Security Act of 1935. They were originally intended to be used only by the social security program. In 1943 Roosevelt signed Executive Order 9397 which required federal agencies to use the number when creating new record-keeping systems. In 1961 the IRS began to use it as a taxpayer ID number. The Privacy Act of 1974 required authorization for government agencies to use SSNs in their data bases and required disclosures (detailed below) when government agencies request the number. Agencies which were already using SSN as an identifier before January 1, 1975 were allowed to continue using it. The Tax Reform Act of 1976 gave authority to state or local tax, welfare, driver's license, or motor vehicle registration authorities to use the number in order to establish identities. The Privacy Protection Study Commission of 1977 recommended that EO9397 be revoked after some agencies referred to it as their authorization to use SSNs. It hasn't been revoked, but no one seems to have made new uses of the SSN recently and cited EO9397 as their sole authority, either. Several states use the SSN as a driver's license number, while others record it on applications and store it in their database. Some states that routinely use it on the license will make up another number if you insist. According to the terms of the Privacy Act, any that have a space for it on the application forms should have a disclosure notice. Many don't, and until someone takes them to court, they aren't likely to change. Dealing with Government Organizations Surprisingly enough, government agencies are reasonably easy to deal with; private organizations are much more troublesome. Few agencies are allowed | to request the number, and all agences are required to give a disclosure | complete enough that you can find the law that empowers them. There are no | comparable Federal laws either restricting the uses non-government organizations can make of the SSN, or compelling them to tell you anything about their plans. Some states have recently enacted regulations on collection of SSNs by private entities. (Usually in cases of consumers making payments with checks or credit cards.) With private institutions, your main recourse is refusing to do business with anyone whose terms you don't like. They, in turn, are allowed to refuse to deal with you on those terms. Universities and Colleges Universities that accept federal funds are subject to the Family Educational Rights and Privacy Act of 1974 (the "Buckley Amendment", it's at http://www.cpsr.org/cpsr/privacy/law/education_records_privacy.txt), which prohibits them from giving out personal information on students without permission. There is an exception for directory information, which is limited to names, addresses, and phone numbers, and another exception for release of information to the parents of minors. There is no exception for Social Security Numbers, so covered Universities aren't allowed to reveal students' numbers without their permission. In addition, state universities are bound by the requirements of the Privacy Act, (so they have to give a Privacy Act notice if they ask for a SSN). If they make uses of the SSN which aren't covered by the disclosure they are in violation. US Passports I've received several reports that a new version of the passport application | fixes the problems described below. Apparently, these new applications ask | for SSN, but state that failure to provide it isn't grounds to deny a | passport. It warns that the SSN is used to verify the other information on | the form, and processing of the application may be delayed if the number is | not provided. I just went to my local Post Office, and found the old form | still there. | Some forms for applying for US Passports (DSP-11 12/87) request a Social | Security Number, but don't give enough information in their Privacy Act notice to verify that the Passport office has the authority to request it. There is a reference to "Federal Tax Law" and a misquotation of Section 6039E of the 1986 Internal Revenue Code, claiming that that section requires that you provide your name, mailing address, date of birth, and Social Security Number. The referenced section only requires TIN (SSN), and it only requires that it be sent to the IRS (not to the Passport office). It appears that when you apply for a passport, you can refuse to reveal your SSN to the passport office, and instead mail a notice to the IRS, give only your SSN (other identifying info optional) and notify them that you are applying for a passport. Copies (in postscript) of the letter that was used by one contributor can be found at ftp://ftp.cpsr.org/cpsr/privacy/ssn/passport.ps.Z. Other readers have also | used this technique successfully. | Requirement for Disclosing SSNs of Minors Covered by Company Health Plans Quietly Dropped The Omnibus Budget Reconciliation Act of 1993 required all employers to | collect social security numbers for everyone covered by their health plans, | including all dependents. The latest word is that this database has been | quietly dropped, though it may still be in the law. If your employer | requests your children's SSNs, ask for a copy of the regulation they're | responding to. | Children The Family Support Act of 1988 (Pub. L. 100-485) requires states to require parents to give their Social Security Numbers in order to get a birth certificate issued for a newborn. The law allows the requirement to be waived for "good cause", but there's no indication of what may qualify. The IRS requires taxpayers to report SSNs for dependents over one year of age when you claim them as a deduction, but the requirement can be avoided if you're prepared to document the existence of the child by other means if the IRS challenges you. The law on this can be found at 26 USC 6109. The penalty for not giving a dependent's number is only $5. Several people have reported that they haven't provided SSNs for their dependents for several years, and haven't been challenged by the IRS. Notice that the instructions | for form 1040 report that the fine is $50. I have heard reports from | several people who haven't given any SSN for their children, and have paid | no fine, and I haven't heard from any one who has had to pay a fine. | Private Organizations The guidelines for dealing with non-governmental institutions are much more tenuous than those for government departments. Most of the time private organizations that request your Social Security Number can get by quite well without your number, and if you can find the right person to negotiate with, they'll willingly admit it. The problem is finding that right person. The person behind the counter is often told no more than "get the customers to fill out the form completely." Most of the time, you can convince them to use some other number. Usually the simplest way to refuse to give your Social Security Number is simply to leave the appropriate space blank. One of the times when this isn't a strong enough statement of your desire to conceal your number is when dealing with institutions which have direct contact with your employer. Most employers have no policy against revealing your Social Security Number; they apparently believe that it must be an unintentional slip when an employee doesn't provide an SSN to everyone who asks. Employers Employers are required by the IRS to get the SSNs of people they hire. They often ask for it during the interview process, but there are good reasons to refuse if you can afford to argue with the potential employer. Some of them use the SSN to check credit records, to look for criminal history, and otherwise to delve into your past in areas you might object to. Tell them you'll give them your SSN when you accept their offer. They have no legitimate use for it before then. At one point I needed a security badge from a company that wasn't my | employer (my employer was contracting to the host.) The host company used | SSNs to do background checks on applicants for security badges. I asked if | there was a way I could keep my SSN out of their database, and we worked | things out so I gave my number directly to the person who ran the background | check, and he used it for that and then destroyed it. I may have been the | only person working at this very large company who didn't have an SSN on | file. | Utilities Public utilities (gas, electric, phone, etc.) are considered to be private organizations under the laws regulating SSNs. Most of the time they ask for an SSN, and aren't prohibited from asking for it, but they'll usually relent if you insist. See the suggestions above under "What you can do to protect your number" for more ideas. Banks Banks and various others are required by the IRS to report the SSNs of | account holders to whom they pay interest. If you don't tell them your | number you will probably either be refused an account or be charged a | penalty such as withholding of taxes on your interest. Most banks will | refuse to open safe deposit boxes without a SSN, though there is no direct | governmental requirement that they collect it. | Many banks send the names, addresses, and SSNs of people whose accounts have | been closed for cause to a company called ChexSystem. ChexSystem keeps a | database of people whose accounts have been terminated for fraud or chronic insufficient funds in the past 5 years. ChexSystems is covered by the Fair Credit Reporting Act, and a bank is required to let you know if it refuses to open an account and a report from ChexSystems was a factor. You can also send a letter to ChexSystems directly (Consumer Relations, 12005 Ford Road, | Suite 650, Dallas, TX, 75234) and request a copy of their report on you. | Many Banks, Brokerages, and other financial institutions have started implementing automated systems to let you check your balance. All too often, they are using SSNs as the PIN that lets you get access to your personal account information. If your bank does this, write them a letter pointing out how common it is for the people with whom you have financial business to know your SSN. Ask them to change your PIN, and if you feel like doing a good deed, ask them to stop using the SSN as a default identifier for their other customers. Some customers will believe that there's some security in it, and be insufficiently protective of their account numbers. Every financial institution I have asked has been willing | to use a password I supplied. I don't know why they don't advertise this | rather than relying on the SSN. | When buying (or refinancing) a house, you have to give your SSN, because the bank is required to report the interest you pay. Most banks will now ask for your Social Security Number on the Deed of Trust. This is because the Federal National Mortgage Association wants it. The fine print in their regulation admits that some consumers won't want to give their number, and allows banks to leave it out when pressed. [It first recommends getting it on the loan note, but then admits that it's already on various other forms that are a required part of the package, so they already know it. The Deed is a public document, so there are good reasons to refuse to put it there, especially since all parties to the agreement already have access to your | number.] | Insurers, Hospitals, Doctors No laws require private medical service providers to use your Social Security Number as an ID number. They often use it because it's convenient or because your employer uses it to identify employees to its group's health plan. In the latter case, you have to get your employer to make an exception to their standard practices. Often, the people who work in personnel assume that the employer or insurance company requires use of the SSN when that's not really the case. When a previous employer asked for my SSN for an insurance form, I asked them to find out if they had to use it. After a week they reported that the insurance company had gone along with my request and told me what number to use. Insurance companies often require the SSN for underwriting purposes, but | don't usually use it for underwriting personal property or personal auto | insurance policies. You may be able to get them to leave the number out of | their data base, even if they want to use it when deciding whether to cover | you. They may call every few years to ask for it again. | Insurance companies share information with one another that they have | collected while evaluating applications for life, health, or disability | insurance. They do this by sending the information to an organization | called the Medical Information Bureau. The information they share includes | test results and brief descriptions of conditions relevant to health or | longevity. MIB rules prohibit the reporting of claims information. The MIB | doesn't use the SSN as an identifier in their files, and doesn't report SSNs | when providing reports. You can get a copy of your MIB file by writing to | Medical Information Bureau, P.O. Box 105, Essex Station, Boston, MA 02112. | Their phone number is (617)426-3660. | Blood banks Blood banks also ask for the number but are willing to do without if pressed on the issue. After I asked politely and persistently, the (non-Red Cross) blood bank I go to agreed that they didn't have any use for the number. They've now expunged my SSN from their database, and they seem to have taught their receptionists not to request the number. I've gotten one report that some branches of the Red Cross will issue a "file number" in lieu of your SSN if you insist. It's probably the case that not all branches (and especially not all receptionists) know about this possibility, so it will pay to be persistent. Blood banks have changed their policies back and forth a few times in the last several years. When the AIDS epidemic first hit, they started using SSNs to identify all donors, so someone who was identified as HIV-positive at one blood bank wouldn't be able to contaminate the blood supply by donating at a different site. For a few years, they were a little looser, and though they usually asked for SSNs, some would allow you to donate if you provided proof of your identity. (I showed a Driver's license, but didn't let them copy down the number.) Now the Federal Government has declared blood banks to be "manufacturers" of a medical product, and imposed various Quality Control processes on them. The Blood bank I go to now asks for SSNs, and if you refuse, allows you to give a Driver's License number. I balked at that, since I hadn't had to give it before. They let me donate, but while I was eating cookies, the director of Quality Control came down and talked to me. After a little bit of discussion, she was satisfied to have me pick an ID number that I promised to remember and provide when I visisted again. So, once again, if you want to protect your SSN and your privacy, it pays to push back when they ask. Using a False Social Security Number If someone absolutely insists on getting your Social Security Number, you may want to give a fake number. I have never needed to give a fake number; | at least one of the remedies described above has always worked for me. | There *are* legal penalties for providing a false number when you expect to gain some benefit from it. For example, a federal court of appeals ruled that using a false SSN to get a Driver's License violates federal law. Making a 9-digit number up at random is a bad idea, as it may coincide with | someone's real number and cause them some amount of grief. It's better to | use a number like 078-05-1120, which was printed on "sample" cards inserted in thousands of new wallets sold in the 40's and 50's. It's been used so widely that both the IRS and SSA recognize it immediately as bogus, while most clerks haven't heard of it. There were at least 40 different people in | the Army's database at one point who gave this number as their SSN. The | Social Security Administration recommends that people showing Social Security cards in advertisements use numbers in the range 987-65-4320 through 987-65-4329. There are several patterns that have never been assigned, and which therefore don't conflict with anyone's real number. They include numbers with any field all zeroes, and numbers with a first digit of 8 or 9. For more details on the structure of SSNs and how they are assigned, see http://www.cpsr.org/cpsr/privacy/ssn/SSN-structure. Giving a number with an unused pattern rather than your own number isn't very useful if there's anything serious at stake since it's likely to be noticed. Collecting SSNs yourself There aren't any federal laws that explicitly forbid the collection of SSNs. However, there is a body of law, intended to prohibit the misuse of credit cards, that is written vaguely enough that it could be interpreted to cover personal collections of SSNs. The laws are at 18 USC 1029, and cover what is called "access device fraud." An access device is "any card, plate, code, account number or other means of access that can be used, alone or in conjunction with another access device, to obtain money, goods, services, or any other thing of value, or that can be used to initiate a transfer of value." The law forbids the possession, "knowingly and with intent to defraud" of fifteen or more devices which are counterfeit or unauthorized access devices." If interstate commerce is involved, penalties are up to $10,000 and 10 years in prison. Retrieving the SSN FAQ and related documents The SSN FAQ is available from two places: rtfm.mit.edu (by FTP or EMail), or cpsr.org (by FTP or http). WWW (HTTP) http://www.cpsr.org/dox/program/privacy/ssn/ssn.faq.html. The HTML version of the SSN FAQ stored there contains several resources which I haven't included in the plain text version. rtfm.mit.edu is a standard archive which has many other FAQs. | EMail You can get the latest version of the SSN FAQ by sending mail to mail-server@rtfm.mit.edu with send usenet-by-hierarchy/news/answers/privacy/ssn-faq as the sole contents of the body. Send a message containing "help" to get general information about the mail server. cpsr.org has other resources on privacy, SSNs, and related subjects. Other directories contain information on pending legislation, the 1st amendment, computer security, cryptography, FOIA, NII, and CPSR. other Privacy-related Resources http://www.cpsr.org/dox/program/privacy/privacy.html | If you have suggestions for improving this document please send them to me: Chris Hibbert hibbert@netcom.com or 1195 Andre Ave. Mountain View, CA 94040 ------------------------------ From: "Prof. L. P. Levine" Date: 17 Mar 1996 09:14:50 -0600 (CST) Subject: Info on CPD [unchanged since 11/22/95] Organization: University of Wisconsin-Milwaukee The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy or vice versa. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu. This digest is a forum with information contributed via Internet eMail. Those who understand the technology also understand the ease of forgery in this very free medium. Statements, therefore, should be taken with a grain of salt and it should be clear that the actual contributor might not be the person whose email address is posted at the top. Any user who openly wishes to post anonymously should inform the moderator at the beginning of the posting. He will comply. If you read this from the comp.society.privacy newsgroup and wish to contribute a message, you should simply post your contribution. As a moderated newsgroup, attempts to post to the group are normally turned into eMail to the submission address below. On the other hand, if you read the digest eMailed to you, you generally need only use the Reply feature of your mailer to contribute. If you do so, it is best to modify the "Subject:" line of your mailing. Contributions to CPD should be submitted, with appropriate, substantive SUBJECT: line, otherwise they may be ignored. They must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. Do not include entire previous messages in responses to them. Include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. All contributions considered as personal comments; usual disclaimers apply. All reuses of CPD material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy; publications using CPD material should obtain permission from the contributors. Contributions generally are acknowledged within 24 hours of submission. If selected, they are printed within two or three days. The moderator reserves the right to delete extraneous quoted material. He may change the Subject: line of an article in order to make it easier for the reader to follow a discussion. He will not, however, alter or edit the text except for purely technical reasons. A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password identifying yourid@yoursite. The archives are in the directory "pub/comp-privacy". People with gopher capability can most easily access the library at gopher.cs.uwm.edu. Web browsers will find it at gopher://gopher.cs.uwm.edu. ---------------------------------+----------------------------------------- Leonard P. Levine | Moderator of: Computer Privacy Digest Professor of Computer Science | and comp.society.privacy University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu Box 784, Milwaukee WI 53201 | Information: comp-privacy-request@uwm.edu | Gopher: gopher.cs.uwm.edu levine@cs.uwm.edu | Web: gopher://gopher.cs.uwm.edu ---------------------------------+----------------------------------------- ------------------------------ End of Computer Privacy Digest V8 #025 ****************************** .