You are Visitor # Here Since 04/30/98!

Related pages: Public Sources of SSNs -- Govt Disclosure of SSNs -- Hope in Michigan!

By Will Dwyer III, Esq.

Introduction

Who in 1935 could have conceived that before the end of the century a simple nine-digit number*1 intended only to identify retired American workers for pension purposes would take center stage in the social struggle to preserve personal privacy.

From that innocent inception*2, the Social Security Number (``SSN'') has become the most widely used and carefully controlled number in the country. It is the par excellence individual identifier.

Everybody has one -- try to claim a dependent tax exemption for your kid age 1 or older if that child is ``numberless'' -- and everyone else always seem to be asking for it. Most of us probably see SSN identification as harmless; indeed, some who are fond of technological conquest consider it an extremely efficient device to retrieve records.

Although it's doubtless true that retrieval efficiency is fostered by the SSN, as a near-universal personal record identifier, it is that pervasiveness which I find frightening. Hitler, too, had ``efficient'' means, but that kind of utility is championed only by those without reasoning power sufficient to know that capability must be balanced by charity.

The Privacy Problem

In his 1967 book, ``Privacy and Freedom,'' political scientist Alan Westin defined privacy as ``the rights of persons to control the distribution of information about themselves.'' I accept the definition and, therefore, believe that the gathering of personal information or after-the-fact disclosure of it to others can constitute an invasion of privacy.

Westin points out that organizational record keeping became a mainstay of life in our complex urban society after World War II. It involved the collection and use of personal information by government and business to make determinations about rights, benefits, and opportunities for individuals.

However, this compiling of records relied mainly on manual files and electro-mechanical technology (typewriters, telephones, cameras, mimeographs, etc.). The threat to privacy, thus, was inherently limited; a cross-ruff carried prohibitive cost.

Enter ``the rise of the computer state,'' a phrase drawn from the title of another critical work, namely, David Burnham's in 1983. He points out that as electronic data processing spread through the organizational world in the late 1950s and the 1960s, computer systems not only increased significantly the ability of organizations to collect, store, process, and disseminate information but also they decreased significantly the cost and time required to carry out such functions.

The age of computerized information brought new urgency to privacy issues.

I recall my younger days as an aide on Capitol Hill, helping organize a privacy-grounded inquiry into just what computers could do, were doing, and might be able to do in the near future. The most compelling testimony came from Vance Packard, author and sociologist. He testified that unchecked use of computer systems would dangerously empower organizations by allowing them:

1. to collect far more personal information about their record subjects;

2. to exchange such data more rapidly and extensively with other organizations; and

3. to use information in ways that individuals would not know about or have any control over under existing U.S.law.

Along with other witnesses, he warned that in the private sector, this would involve credit, banking, insurance, employment, and medical transactions; and in the public sector, activities such as welfare, law enforcement, taxation, and licensing programs.

Privacy historian Westin writes that these early alarms brought about detailed public and private computer-and-privacy studies during 1969-74. They ultimately led to broad agreement that it would be only a short time before reduction of hardware costs for data input and storage, and increases in software capabilities, would make greatly increased data collection and file merging highly cost effective.

There were varying reactions as to what the public policy response should be. The one that prevailed in the several studies was to let the technology proceed, but subject it to rules extending traditional privacy and due process rights to cover both manual and computerized information practices.*3

Because the studies Congress had set in motion concluded that existing U.S. law did not provide the definition of record-subject rights of privacy, confidentiality, and access for inspection and challenge that were needed to assure basic citizen rights in the next decades, a legislative agenda was set.

``How Our Laws Are Made''*4

The first generation of privacy protection rules for the computer age were enacted by law or adopted as organizational rules covering all federal agencies, state agencies in most states, and many specific areas of record keeping -- credit, insurance, banking, law enforcement, etc. Such laws (1) required personal-data record systems to be publicized and their uses described to record subjects; (2) set rules of confidentiality and for sharing personal data beyond the collecting organization; and (3) gave record subjects rights to inspect, correct, and challenge information in their files.

In statutory form these three themes resonate in both the Freedom of Information Act (``FOIA'') and the Privacy Act. As one who played a part in their legislative genesis, I urge those seeking the benefits of these laws to be mindful that Congress intended that the two acts be considered together in the processing of requests for information. Indeed, many government agencies handle FOIA and Privacy Act requests out of the same office.

Now -- in seeming contradiction of this congenial conjunction -- let me describe the essentials of each, separately:

The Freedom of Information Act

We've had some semblance of a FOIA since 1789. In that year, our founders permitted the heads of federal departments to regulate the storage and use of government records, but we legal history buffs take pleasure in noting that nowhere did this authority extend to withholding information or records from public view. Yet, as the road to where Lucifer lives has pavement of ``good intentions,'' over time the federal bureaucrats saw to it that agencies could classify for ``good cause found,'' ``in the public interest,'' or ``any matter relating solely to internal management.'' As if those ``gotchas'' weren't enough, Washington also said government information need only be disclosed to ``persons properly and directly concerned.''

After some fitful starts in 1966, a FOIA worthy of its name came into being with a set of substantial statutory amendments adopted in 1974. They truly open federal files to the American public.

Without going into exhaustive detail, a serious student of access to government information should know that FOIA:

* requires location/copying fees be uniform and moderate,

* prohibits withholding entire documents when only parts are covered by a statutory exemption from disclosure,

* directs expedited response to citizen complaints, and

* provides for recovery of attorney fees by requesting parties who are denied but then win in litigation. The Privacy Act of 1974

Where FOIA addresses documents concerning government in general, its companion, the Privacy Act, deals with records pertaining solely to you. Its purpose is to give citizens more control over what information is collected by the federal government about them and how that information is used.

This statute reflects official concern over the threat posed to personal privacy by government's increasing acquisition of vast quantities of individual information on Americans, through telephone monitoring, lie detectors, data banks, criminal justice information, military surveillance of citizens, and a host of other privacy-invading procedures.

The Act accomplishes its aims in five basic ways. It:

1. requires federal agencies to report publicly the existence of all systems of records maintained on individuals (they must do this annually in the Federal Register);

2. dictates that the information contained in these records be accurate, complete, relevant, and up-to-date;

3. allows individuals to inspect records in almost all federal files about themselves, and to correct inaccuracies;

4. specifies that information gathered for one purpose not be used for another without the individual's consent; and

5. mandates that agencies keep an accurate accounting of record disclosure and, with some exceptions, make these disclosures available to the subject of the record.

Congressional action in the area of privacy rights can leave an observer of the process perplexed. For example, the Privacy Act prohibits the exchange between agencies of personal information about individuals that is kept in government agency records. But, the Paperwork Reduction Act (1980) in effect allowed all personal data gathered by government to be made available to any agency.

A similar attenuation has occurred respecting a principal protection of the Privacy Act that relates to SSNs. Section 7 of the Privacy Act

The final substantive section of the Act insists that any agency requesting your SSN must tell you three things:

1. whether disclosure is mandatory or voluntary,

2. under what law or regulation the request is authorized, and

3. what use will be made of the number.

Please bear in mind that these restrictions apply only to public agencies. Requests for your SSN by private organizations are not legally limited.

This SSN section of the Act also placed a moratorium on new uses of the SSN by federal, state, or local government agencies after January 1, 1975. That section said that you could not be denied ``any right, benefit, or privilege, provided by law'' because you refused to disclose your SSN.

But, what the right hand gave vis-a-vis SSN protection, the left has somewhat taken away. (Perhaps, out of deference to the political spectrum, those directional sides should be reversed in this instance!)

All it now takes for a government (federal, state, or local) agency now to force you to provide your SSN is an act of Congress. And, only two years after the Privacy Act became law, a wholesale SSN exception was enacted.

A 1976 amendment to the Social Security Act allows any public agency that administers taxes, general public assistance, drivers' licenses, or motor vehicle registrations to require individual disclosure of SSNs, regardless of whether the agency used SSNs for identification under a law or regulation adopted before January 1, 1975.

Not So Fast!

Even with this erosion -- vexing as it is to those of us in the privacy movement -- the courts have helped keep governments' feet to the fire. Judicial strictness in construing the SSN section of the Privacy Act is encouraging. I have in mind two cases. (The full text of the reported decisions are reprinted in this document.)

The first occurred in New Jersey in 1985. There a water customer sued a private water company that had demanded her SSN in connection with a water allocation program the state had installed to combat a drought emergency.

As a threshold matter, the federal district court had to determine whether the plaintiff had standing because the defendant water company was not a government agency. Chief Judge Fisher ruled in the plaintiff's favor, holding that when an action of a private regulated entity is ``encouraged'' by the state, the action may be ``fairly treated as that of the state itself.''

The court in this case further ruled that although the water company's use of SSNs was not necessarily impermissible, its failure to comply with the disclosure requirements of the Privacy Act was. In short, the judge said those three things (see above) an agency must say when it requests SSNs are ``designed to discourage improper uses of SSNs and to allow individuals the opportunity to make an intelligent decision regarding its disclosure.''

My second favorite case comes from Virginia.*5

A young lawyer who works for the U.S. Court of Appeals in Richmond, according to the New York Times, was put off when he ``found it nearly impossible to obtain a driver's license, open accounts with local utilities, or even rent a video without encountering demands for his SSN. He drew the line when the State of Virginia refused to register him as a voter unless he provided his number.''

He sued the state and lost in the trial court. However, on appeal -- to the court that employs him; hence, its insistence that he work on no cases while the three-judge panel considered his -- the ruling was in his favor.

``Intolerable,'' was the word used by the appellate judges to describe the burden Virginia imposed on the right to vote by requiring would-be electors to disclose their SSNs. Because the state sells its database of voter information to political parties and campaign organizations as well as permitting public access to it, the court said ``the harm that can be inflicted from disclosure of SSNs to an unscrupulous individual is alarming and potentially financially ruinous.''

Virginia now must stop requiring SSNs on voter applications or keep them confidential. Privacy Security

If I may be permitted a piece of advice -- and it's what lawyers are paid to offer -- don't disclose your SSN willingly.

If it's a public agency that requests your SSN, you know from this article what the law compels that agency to inform you. Make 'em work for it.

If the request is from a private entity, you also know that they have no legally-insured right to it. There, it really comes down to whether the private requester is sufficiently interested in having your business that it will waive its ``policy.'' Given that in most situations, the institution asking for your SSN is so vast that its agent asking for the number is some working stiff who fears reprisal if he or she doesn't do as the boss orders, the intellectualized issue of privacy protection is likely to fall on deaf ears. Thus, your on your own. But, if you can find a situation like the New Jersey water company, which was a private utility enforcing a public directive, then I urge you to go for it under the Privacy Act.

FOOTNOTES

1. The nine digits contain three parts, ``XXX-XX-XXXX''. Reading from left to right they are: Area, Group, and Serial. For the most part, Area is determined by where the individual applied for the SSN (before 1972) or resided (after 1972). The two-digit Group portion has no meaning other than to determine whether a number has been assigned. The Serial portion of four digits has no meaning, but they are not assigned in strictly numerical order. All SSNs now are assigned by computer from Baltimore headquarters.

2. The Social Security Act of 1935 provided retirement benefits only to retired workers themselves. In 1939, however, before any benefits had been paid, the first of numerous extensions to the system provided benefits for survivors and dependents. Later extensions included several classes of workers not covered under the original law. For example, during the 1950s state and local government employees, members of the armed forces, and many farm workers, domestic workers, and self-employed professionals were taken into the system. In 1956 the age at which women become eligible for some benefits was reduced from 65 to 62, and in 1961 men were given the option of retiring at a reduced level of benefits at the age of 62. The year 1957 saw the introduction of the national Disability Insurance (DI) program, under which a separate fund was established to provide cash benefits to workers over age 50 who become totally and permanently disabled. In 1965, Medicare was introduced, providing medical benefits for those over 65 and creating yet another social security fund to finance them. In 1974 the Social Security Administration established the federal Supplemental Security Income (SSI) program, which took over responsibility from state-administered programs for providing aid to the blind, the disabled, and the indigent aged.

3. Worthy of note is that this stance succeeded because events like ``Watergate'' and exposure of federal agency surveillance practices in the early 1970s persuaded the public that safeguards against government abuse of information power were necessary. Also, social change in the 1960s and '70s produced greater acceptance of diversity. In its wake, the public wanted to be sure that business or government records were not used to discriminate against different people.

4. As a wag once suggested, ``legislation, like sausage, is better when you don't see it made.''

5. Although I'm a native upstate New Yorker, transplanted to California, my political roots relate to Virginia's first Governor, Patrick Henry. His ``tongue of the Revolution'' was the subject of a one-man play I wrote and performed in the Washington, D.C. area during the Bi-Centennial observance. As much as any of our founders, Patrick Henry helped assure that the federal Constitution found favor only after installation of the first ten amendments, our Bill of Rights.