Many people are concerned about the number
of organizations asking fortheir Social Security Numbers. They worry
about invasions of privacy and
the oppressive feeling of being treated as just a number. Unfortunately,
I can't offer any hope about the dehumanizing effects of identifying you
with your numbers. I *can* try to help you keep your Social Security
Number from being used as a tool in the invasion of your privacy.
The advice in this FAQ deals primarily with the Social Security Number
used in the US, though the privacy considerations are equally applicable
in many other countries. The laws explained here are US laws. The advice
about dealing with bureaucrats and clerks is universal.
The Privacy Act of 1974
The Privacy Act of 1974 (Pub. L. 93-579, in section 7), which is the
primary law affecting the use of SSNs, requires that any federal, state,
or local government agency that requests your Social Security Number has
to tell you four things:
1: Whether disclosure of your Social Security Number is required or
optional,
2: What statute or other authority they have for asking for your number,
3: How your Social Security Number will be used if you give it to them,
and
4: The consequences of failure to provide an SSN.
In addition, the Act says that only Federal law can make use of the
Social
Security Number mandatory (at 5 USC 552a note). So anytime you're dealing
with a government institution and you're asked for your Social Security
Number, look for the Privacy Act Statement. If there isn't one, complain
and don't give your number. If the statement is present, read it. Once
you've read the explanation of whether the number is optional or
required,
and the consequences of refusing to give your number, you'll be able to
decide for yourself whether to fill in the number.
There are several kinds of governmental organizations (see the list in
the
"Short History" section below) that usually have authority to request
your
number, but they are all required to provide the Privacy Act Statement
described above. The only time you should be willing to give your number
without reading that notice is when the organization you are dealing with
is not a part of the government.
Why You May Want to Resist Requests for Your SSN
When you give out your number, you are providing access to information
about yourself. You're providing access to information that you don't
have the ability or the legal right to correct or rebut. You provide
access to data that is irrelevant to most transactions but that will
occasionally trigger prejudice. Worst of all, since you provided the key,
(and did so "voluntarily") all the info discovered under your number will
be presumed to be true, about you, and relevant.
A major problem with the use of SSNs as identifiers is that it makes it
hard to control access to personal information. Even assuming you want
someone to be able to find out some things about you, there's no reason
to
believe that you want to make all records concerning yourself available.
When multiple record systems are all keyed by the same identifier, and
all
are intended to be easily accessible to some users, it becomes difficult
to allow someone access to some of the information about a person while
restricting them to specific topics.
Unfortunately, far too many organizations assume that anyone who presents
your SSN must be you. When more than one person uses the same number, it
clouds up the records. If someone intended to hide their activities, it's
likely that it'll look bad on whichever record it shows up on. When it
happens accidentally, it can be unexpected, embarrassing, or worse. How
do you prove that you weren't the one using your number when the record
was made?
Simson Garfinkel put it very well in an article for CACM's "Inside Risks"
column in October, 1995. His article started with the paragraph
The problem with Social Security Numbers today is that some
organizations are using these ubiquitous numbers for
identification, others are using them for authentication, and
still others are using them for both.
Simson went on to explain how the two uses are incompatible. I recommend
the article.
What You Can Do to Protect Your Number
It's not a good idea to carry your SSN card with you (or other documents
that contain your SSN). If you should lose your wallet or purse, your SSN
would make it easier for a thief to apply for credit in your name or
otherwise fraudulently use your number. Some states that normally use
SSNs as the drivers license number will give you a different number if
you
ask. If your health insurance plan uses your SSN for an ID number, it's
probably on your insurance card. If you are unable to get the insurance
plan to change your number, you may want to photocopy your card with your
SSN covered and carry the copy. You can then give a health care provider
your number separately.
Here are some suggestions for negotiating with people who don't want to
give you what you want. They work whether the problem has to do with SSNs
(your number is added to a database without your consent, someone refuses
to give you service without getting your number, etc.) or is any other
problem with a clerk or bureaucrat who doesn't want to do things any way
other than what works for 99% of the people they see. Start politely,
explaining your position and expecting them to understand and cooperate.
If that doesn't work, there are several more things to try:
1: Talk to people higher up in the organization. This often works
simply because the organization has a standard way of dealing
with requests not to use the SSN, and the first person you deal
with just hasn't been around long enough to know what it is.
2: Enlist the aid of your employer. You have to decide whether talking
to someone in personnel, and possibly trying to change
corporate policy is going to get back to your supervisor and
affect your job. The people in the personnel and benefits
departments often carry a lot of weight when dealing with health
insurance companies.
3: Threaten to complain to a consumer affairs bureau. Most newspapers
can get a quick response. Ask for their "Action Line" or
equivalent. If you're dealing with a local government agency,
look in the state or local government section of the phone book
under "consumer affairs." If it's a federal agency, your
congress member may be able to help.
4: Insist that they document a corporate policy requiring the number.
When someone can't find a written policy or doesn't want to
push hard enough to get it, they'll often realize that they
don't know what the policy is, and they've just been following
tradition.
5: Ask what they need it for and suggest alternatives. If you're
talking to someone who has some independence, and they'd like
to help, they will sometimes admit that they know the reason
the company wants it, and you can satisfy that requirement a
different way.
6: Tell them you'll take your business elsewhere (and follow through if
they don't cooperate.)
7: If it's a case where you've gotten service already, but someone
insists that you have to provide your number in order to have a
continuing relationship, you can choose to ignore the request
in hopes that they'll forget or find another solution before
you get tired of the interruption.
How To Find Out If Someone Is Using Your Number
There are two good places to look to find out if someone else is using
your number: the Social Security Administration's (SSA) database, and
your
credit report. If anyone else used your number when applying for a job,
their earnings will appear under your name in the SSA's files. If someone
uses your SSN (or name and address) to apply for credit, it will show up
in the files of the big three credit reporting agencies.
The Social Security Administration recommends that you request a copy of
your file from them every few years to make sure that your records are
correct (your income and "contributions" are being recorded for you, and
no one else's are.) As a result of a recent court case, the SSA has
agreed to accept corrections of errors when there isn't any contradictory
evidence, SSA has records for the year before or after the error, and the
claimed earnings are consistent with earlier and later wages. (San Jose
Mercury News, 5/14, 1992 p 6A) Call the Social Security Administration at
(800) 772-1213 and ask for Form 7004, (Request for Earnings and Benefit
Estimate Statement.) The forms are available online at the SSA's website:
http://www.ssa.gov/online/forms.html. You can also pick up a copy at any
office of the SSA.
Information about the credit reporting agencies is available in the Junk
Mail FAQ, and various other privacy-related FAQs. Try looking at
http://www.cpsr.org/dox/program/privacy/privacy.html
Choosing A Key For New Databases
Most organizations that have studied the issue have concluded that a
simple combination of Name, Address, and Phone number is usually
sufficient. In cases where you are likely to be dealing with several
members of the same family (and thus Jr. and Sr. might have matching
records), you can add Date of Birth. If the database saves an old address
and the date of the move, that will usually be sufficient to identify
particular clients uniquely.
If you're designing a database or have an existing one that currently
uses
SSNs and want to use numbers other than SSNs, it's useful to have the
identifiers use some pattern other than 9 digits. You can make them
longer or shorter than that, or include letters. That way it won't be
mistaken for an SSN.
Robert Ellis Smith, the publisher of the Privacy Journal, recently asked
people to suggest alternatives to the SSN for indexing databases. He
published some of the answers in Privacy Journal, and in the Computers
Privacy Digest, volume 9, #13 available at:
gopher://miller.cs.uwm.edu:70/. (This is a gopher refernce, you have to
navigate manually to "Computers & Privacy Digest", then "Volume 9", then
"Number 13".) Other excerpts are available at EPIC.
(http://www.epic.org/privacy/ssn/alternatives_ssn.html)
Some of the qualities that are (often) useful in a key and that people
think they are getting from the SSN are uniqueness, universality,
security, and identification. When designing a database, it is
instructive to consider which of these qualities are actually important
in
your application; many designers assume unwisely that they are all useful
for every application, when in fact each is occasionally a drawback. The
SSN provides none of them, so designs predicated on the assumption that
it
does provide them will fail in a variety of ways.
Uniqueness
Many people assume that Social Security Numbers are unique. They were
intended by the Social Security Administration to be unique, but the SSA
didn't take sufficient precautions to ensure that it would be so. They
have several times given a previously issued number to someone with the
same name and birth date as the original recipient, thinking it was the
same person asking again. There are a few numbers that were used by
thousands of people because they were on sample cards shipped in wallets
by their manufacturers. (One is given below.)
The passage of the Immigration reform law in 1986 caused an increase in
the duplicate use of SSNs. Since the SSN is now required for employment,
illegal immigrants must find a valid name/SSN pair in order to fool the
INS and IRS long enough to collect a paycheck. Using the SSN when you
can't cross-check your database with the SSA means you can count on
getting some false numbers mixed in with the good ones.
Universality
Not everyone has a Social Security Number. Foreigners are the primary
exception (though the SSA will now assign a number to a legal immigrant
without connecting that to the authority to work), but many children
don't
get SSNs until they're in school (and some not until they get jobs). They
were only designed to be able to cover people who were eligible for
Social
Security. If your database will keep records on organizations as well as
individuals, you should realize that they're not covered either.
Identification
Few people ever ask to see an SSN card; they believe whatever you say.
The ability to recite nine digits provides little evidence that you're
associated with the number in anyone else's database.
There's little reason to carry your card with you anyway. It isn't a good
form of identification, and if your wallet is lost or stolen, it provides
another way for the thief to hurt you.
Security
Older cards are not at all forgery-resistant, even if anyone did ever ask
for it. (Recently-issued cards are more resistant to forgery.) The
numbers don't have any redundancy (no check-digits) so any 9-digit number
in the range of numbers that have been issued is a valid number. It's
relatively easy to write down the number incorrectly, and there's no way
to tell that you've done so.
In most cases, there is no cross-checking that a number is valid. Credit
card and checking account numbers are checked against a database almost
every time they are used. If you write down someone's phone number
incorrectly, you find out the first time you try to use it. An incorrect
SSN might go unnoticed for years in some databases. In others it will
likely be caught at tax time, but could cause a variety of headaches.
Short History
Social Security numbers were introduced by the Social Security Act of
1935. They were originally intended to be used only by the social
security program. In 1943 Roosevelt signed Executive Order 9397 which
required federal agencies to use the number when creating new
record-keeping systems. In 1961 the IRS began to use it as a taxpayer ID
number. The Privacy Act of 1974 required authorization for government
agencies to use SSNs in their data bases and required disclosures
(detailed below) when government agencies request the number. Agencies
which were already using SSN as an identifier before January 1, 1975 were
allowed to continue using it. The Tax Reform Act of 1976 gave authority
to state or local tax, welfare, driver's license, or motor vehicle
registration authorities to use the number in order to establish
identities. The Privacy Protection Study Commission of 1977 recommended
that EO9397 be revoked after some agencies referred to it as their
authorization to use SSNs. It hasn't been revoked, but no one seems to
have made new uses of the SSN recently and cited EO9397 as their sole
authority, either.
Several states use the SSN as a driver's license number, while others
record it on applications and store it in their database. Some states
that routinely use it on the license will make up another number if you
insist. According to the terms of the Privacy Act, any that have a space
for it on the application forms should have a disclosure notice. Many
don't, and until someone takes them to court, they aren't likely to
change.
Dealing with Government Organizations
Surprisingly enough, government agencies are reasonably easy to deal
with;
private organizations are much more troublesome. Few agencies are allowed
to request the number, and all agences are required to give a disclosure
complete enough that you can find the law that empowers them. There are
no comparable Federal laws either restricting the uses non-government
organizations can make of the SSN, or compelling them to tell you
anything
about their plans.
Some states have recently enacted regulations on collection of SSNs by
private entities. (Usually in cases of consumers making payments with
checks or credit cards.) With private institutions, your main recourse is
refusing to do business with anyone whose terms you don't like. They, in
turn, are allowed to refuse to deal with you on those terms.
Public Schools
Public schools that accept federal funds are subject to the Family
Educational Rights and Privacy Act of 1974
http://www.cpsr.org/cpsr/privacy/law/education_records_privacy.txt
(It's also known as FERPA or the "Buckley Amendment") which prohibits
them from giving out personal information on students without permission.
There is an exception for directory information, which is limited to
names, addresses, and phone numbers, and another exception for release of
information to the parents of minors. There is no exception for Social
Security Numbers, so covered Universities aren't allowed to reveal
students' numbers without their permission. In addition, state
universities are bound by the requirements of the Privacy Act, (so they
have to give a Privacy Act notice if they ask for a SSN). If they make
uses of the SSN which aren't covered by the disclosure they are in
violation.
The National Coalition of Advocates for Students (100 Boylston Street,
Suite 737, Boston, MA 02116, 617-357-8507) has some literature on what
information a school can ask you for based on a Supreme Court decision
[Plyler v. Doe [457 U.S. 202 (1982)] that held that requiring SSNs
from all students would discriminate illegally against undocumented
students. Even if you are a citizen, this ruling prevents schools
from requiring your Social Security Number.
US Passports
Some forms for applying for US Passports (DSP-11 12/87) request a Social
Security Number, but don't give enough information in their Privacy Act
notice to verify that the Passport office has the authority to request
it.
There is a reference to "Federal Tax Law" and a misquotation of Section
6039E of the 1986 Internal Revenue Code, claiming that that section
requires that you provide your name, mailing address, date of birth, and
Social Security Number. The referenced section only requires TIN (SSN),
and it only requires that it be sent to the IRS (not to the Passport
office). It appears that when you apply for a passport, you can refuse to
reveal your SSN to the passport office, and instead mail a notice to the
IRS, give only your SSN (other identifying info optional) and notify them
that you are applying for a passport. Copies (in postscript) of the
letter that was used by one contributor can be found at
ftp://ftp.cpsr.org/cpsr/privacy/ssn/passport.ps.Z. Other readers have
also used this technique successfully.
I've received several reports that a new printed version of the passport
application fixes the problems described above. Apparently, these new
applications ask for SSN, but state that failure to provide it isn't
grounds to deny a passport. It warns that the SSN is used to verify the
other information on the form, and processing of the application may be
delayed if the number is not provided. Recent trips to my local Post
Office showed on the old forms. There's another new version (DSP-11 1-94)
available now at the State department's web site
http://travel.state.gov/passport_services.html. It has a different notice
that implies (in the same roundabout way) that the SSN is required by the
abovementioned laws, and says passports will be refused if the number is
not included.
Requirement for Disclosing Employee's Children's SSNs Repealed
The Omnibus Budget Reconciliation Act of 1993 required all employers to
collect social security numbers for everyone covered by their health
plans, including all dependents. After not being pursued actively by the
government for a few years, legislation (PL 104-226) was passed in
October, 1996 repealing the Medicare and Medicaid Coverage Data Bank.
Children
The Family Support Act of 1988 (Pub. L. 100-485) requires states to
require parents to give their Social Security Numbers in order to get a
birth certificate issued for a newborn. The law allows the requirement to
be waived for "good cause", but there's no indication of what may
qualify.
Section 1615 of the Small Business Job Protection Act of 1996
strengthened the requirement for taxpayers to report SSNs for
dependents over one year of age when they are claimed as a deduction.
(H.R.3448, became PL104-188 8/20/96.
<http://thomas.loc.gov/cgi-bin/bdquery/z?d104:h.r.03448:>) The new law
allows the IRS to treat listing a dependent without including an SSN
as if it were an arithmetic error. This apparently means that the
taxpayer isn't allowed to petition the tax court.
Private Organizations
The guidelines for dealing with non-governmental institutions are much
more tenuous than those for government departments. Most of the time
private organizations that request your Social Security Number can get by
quite well without your number, and if you can find the right person to
negotiate with, they'll willingly admit it. The problem is finding that
right person. The person behind the counter is often told no more than
"get the customers to fill out the form completely."
Most of the time, you can convince them to use some other number. Usually
the simplest way to refuse to give your Social Security Number is simply
to leave the appropriate space blank. One of the times when this isn't a
strong enough statement of your desire to conceal your number is when
dealing with institutions which have direct contact with your employer.
Most employers have no policy against revealing your Social Security
Number; they apparently believe that it must be an unintentional slip
when
an employee doesn't provide an SSN to everyone who asks.
Employers
Employers are required by the IRS to get the SSNs of people they hire.
They often ask for it during the interview process, but there are good
reasons to refuse if you can afford to argue with the potential employer.
Some of them use the SSN to check credit records, to look for criminal
history, and otherwise to delve into your past in areas you might object
to. Tell them you'll give them your SSN when you accept their offer.
They have no legitimate use for it before then.
At one point I needed a security badge from a company that wasn't my
employer (my employer was contracting to the host.) The host company used
SSNs to do background checks on applicants for security badges. I asked
if there was a way I could keep my SSN out of their database, and we
worked things out so I gave my number directly to the person who ran the
background check, and he used it for that and then destroyed it. I may
have been the only person working at this very large company who didn't
have an SSN on file.
Utilities
Public utilities (gas, electric, phone, etc.) are considered to be
private
organizations under the laws regulating SSNs. Most of the time they ask
for an SSN, and aren't prohibited from asking for it, but they'll usually
relent if you insist. See the other suggestions above under "What you can
do to protect your number" for more ideas.
Banks
Banks and various others are required by the IRS to report the SSNs of
account holders to whom they pay interest. If you don't tell them your
number you will probably either be refused an account or be charged a
penalty such as withholding of taxes on your interest. Most banks will
refuse to open safe deposit boxes without a SSN, though there is no
direct
governmental requirement that they collect it. One correspondent reported
that he was able to open a non-interest bearing account at a US bank by
presenting a passport and international driver's license. (This
correspondent implied that it was a US passport. You can get an
international driver's license at AAA.)
Many banks send the names, addresses, and SSNs of people whose accounts
have been closed for cause to a company called ChexSystem. ChexSystem
keeps a database of people whose accounts have been terminated for fraud
or chronic insufficient funds in the past 5 years. ChexSystems apparently
doesn't believe they are covered by the Fair Credit Reporting Act, as I
had earlier reported. A few people have reported complete intransigence
on the part of Chexsystems, while others (who apparently received
cooperation from their banks or credit unions) have been able to get
Chexsystems to add annotations to their records that are accessible with
assistance from the consumer. You can send a letter to ChexSystems
(Consumer Relations, 12005 Ford Road, Suite 650, Dallas, TX, 75234) if
you
need to deal with them.
Many Banks, Brokerages, and other financial institutions have started
implementing automated systems to let you check your balance. All too
often, they are using SSNs as the PIN that lets you get access to your
personal account information. If your bank does this, write them a letter
pointing out how common it is for the people with whom you have financial
business to know your SSN. Ask them to change your PIN, and if you feel
like doing a good deed, ask them to stop using the SSN as a default
identifier for their other customers. Some customers will believe that
there's some security in it, and be insufficiently protective of their
account numbers. Nearly every financial institution I have asked has been
willing to use a password I supplied. (Fidelity was the exception. I no
longer have any funds there.) I don't know why they don't advertise this
rather than relying on the SSN.
Sometimes banks provide for a customer-supplied password, but are
reluctant to advertise it. The only way to find out is to ask if they'll
let you provide a password. (This is reportedly true of Citibank Visa,
for instance. They ask for a phone number but are willing to accept any
password.)
When buying (or refinancing) a house, you have to give your SSN, because
the bank is required to report the interest you pay. Most banks will now
ask for your Social Security Number on the Deed of Trust. This is because
the Federal National Mortgage Association wants it. The fine print in
their regulation admits that some consumers won't want to give their
number, and allows banks to leave it out when pressed. [It first
recommends getting it on the loan note, but then admits that it's already
on various other forms that are a required part of the package, so they
already know it. The Deed is a public document, so there are good reasons
to refuse to put it there, especially since all parties to the agreement
already have access to your number.]
Insurers, Hospitals, Doctors
No laws require private medical service providers to use your Social
Security Number as an ID number. They often use it because it's
convenient or because your employer uses it to identify employees to its
group's health plan. In the latter case, you have to get your employer to
make an exception to their standard practices. Often, the people who work
in personnel assume that the employer or insurance company requires use
of
the SSN when that's not really the case. When a previous employer asked
for my SSN for an insurance form, I asked them to find out if they had to
use it. After a week they reported that the insurance company had gone
along with my request and told me what number to use.
Insurance companies often require the SSN for underwriting purposes, but
don't usually use it for underwriting personal property or personal auto
insurance policies. You may be able to get them to leave the number out
of their data base, even if they want to use it when deciding whether to
cover you. They may call every few years to ask for it again.
Insurance companies share information with one another that they have
collected while evaluating applications for life, health, or disability
insurance. They do this by sending the information to an organization
called the Medical Information Bureau. The information they share
includes test results and brief descriptions of conditions relevant to
health or longevity. MIB rules prohibit the reporting of claims
information. The MIB doesn't use the SSN as an identifier in their files,
and doesn't report SSNs when providing reports. You can get a copy of
your MIB file by writing to Medical Information Bureau, P.O. Box 105,
Essex Station, Boston, MA 02112. Their phone number is (617)426-3660.
If an insurance agent asks for your Social Security Number in order to
"check your credit", point out that the contract is invalid if your check
bounces or your payment is late. Insurance is always prepaid, so they
don't need to know what your credit is like, just whether your check
cleared.
Blood banks
Blood banks also ask for the number but are willing to do without if
pressed on the issue. After I asked politely and persistently, the
(non-Red Cross) blood bank I go to agreed that they didn't have any use
for the number. They've now expunged my SSN from their database, and they
seem to have taught their receptionists not to request the number. I've
gotten one report that some branches of the Red Cross will issue a "file
number" in lieu of your SSN if you insist. It's probably the case that
not all branches (and especially not all receptionists) know about this
possibility, so it will pay to be persistent.
Blood banks have changed their policies back and forth a few times in the
last several years. When the AIDS epidemic first hit, they started using
SSNs to identify all donors, so someone who was identified as
HIV-positive
at one blood bank wouldn't be able to contaminate the blood supply by
donating at a different site. For a few years, they were a little looser,
and though they usually asked for SSNs, some would allow you to donate if
you provided proof of your identity. (I showed a Driver's license, but
didn't let them copy down the number.) Now the Federal Government has
declared blood banks to be "manufacturers" of a medical product, and
imposed various Quality Control processes on them.
The Blood bank I go to now asks for SSNs, and if you refuse, allows you
to
give a Driver's License number. I balked at that, since I hadn't had to
give it before. They let me donate, but while I was eating cookies, the
director of Quality Control came down and talked to me. After a little
bit of discussion, she was satisfied to have me pick an ID number that I
promised to remember and provide when I visisted again. So, once again,
if you want to protect your SSN and your privacy, it pays to push back
when they ask.
Landlords
Landlords often request SSNs from prospective tenants. There are two
things they usually want it for: a credit check, and in some parts of the
country, landlords apparently have access to a database of "bad tenants"
as reported by other landlords. There don't seem to be any laws
restricting the use of these kinds of databases, which leaves renters in
a
precarious situation. If a landlord makes a mistake, or a prior tenant
gave an incorrect number, the prospective tenant may be unable to find
out
why no landlord will rent to him or her.
The applicant can refuse to supply the number, but in a seller's market,
the landlord often has many other applicants to choose from. There aren't
many avenues of recourse, except to politely inquire if the landlord will
accept a letter of reference from a previous landlord or if there are
other ways that you can demonstrate your creditworthiness. The tenant is
almost powerless if the landlord doesn't want to go along.
Using a False Social Security Number
If someone absolutely insists on getting your Social Security Number, you
may want to give a fake number. I have never needed to give a fake
number; at least one of the remedies described above has always worked
for
me. There *are* legal penalties for providing a false number when you
expect to gain some benefit from it. For example, a federal court of
appeals ruled that using a false SSN to get a Driver's License violates
federal law.
Making a 9-digit number up at random is a bad idea, as it may coincide
with someone's real number and cause them some amount of grief. It's
better to use a number like 078-05-1120, which was printed on "sample"
cards inserted in thousands of new wallets sold in the 40's and 50's.
It's been used so widely that both the IRS and SSA recognize it
immediately as bogus, while most clerks haven't heard of it. There were
at least 40 different people in the Selective Service database at one
point who gave this number as their SSN. The Social Security
Administration recommends that people showing Social Security cards in
advertisements use numbers in the range 987-65-4320 through 987-65-4329.
There are several patterns that have never been assigned, and which
therefore don't conflict with anyone's real number. They include numbers
with any field all zeroes, and numbers with a first digit of 8 or 9. For
more details on the structure of SSNs and how they are assigned, see
http://www.cpsr.org/cpsr/privacy/ssn/ssn.structure.html.
Giving a number with an unused pattern rather than your own number isn't
very useful if there's anything serious at stake since it's likely to be
noticed.
Collecting SSNs yourself
There aren't any federal laws that explicitly forbid the collection of
SSNs. However, there is a body of law, intended to prohibit the misuse of
credit cards, that is written vaguely enough that it could be interpreted
to cover personal collections of SSNs. The laws are at 18 USC 1029, and
cover what is called "access device fraud." An access device is "any
card, plate, code, account number or other means of access that can be
used, alone or in conjunction with another access device, to obtain
money,
goods, services, or any other thing of value, or that can be used to
initiate a transfer of value." The law forbids the possession, "knowingly
and with intent to defraud" of fifteen or more devices which are
counterfeit or unauthorized access devices." If interstate commerce is
involved, penalties are up to $10,000 and 10 years in prison.
Retrieving the SSN FAQ and related documents
The SSN FAQ is available from two places: rtfm.mit.edu (by FTP or EMail),
or cpsr.org (by FTP or http). The html version is at cpsr.org, and
includes links to SSN-related info which has been omitted from the text
version. The text version is at MIT.
The URLs are:
http://cpsr.org/cpsr/privacy/ssn/ssn.faq.html
ftp://cpsr.org/ftp/cpsr/privacy/ssn
ftp://rtfm.mit.edu/pub/usenet-by-hierarchy/news/answers/privacy/ssn-faq
WWW (HTTP)
There is a more comprehensive privacy page at CPSR (which points at
both the SSN and junk mail FAQs). It's at:
http://www.cpsr.org/dox/program/privacy/privacy.html.
EMail
You can get the latest version of the SSN FAQ (the text version) by
sending mail to mail-server@rtfm.mit.edu withsend usenet-by-hierarchy/news/answers/privacy/ssn-faq
as the sole contents of the body. Send a message containing "help" to
get
general information about the mail server.
cpsr.org has other resources on privacy, SSNs, and related subjects.
Other directories contain information on pending legislation, the 1st
amendment, computer security, cryptography, FOIA, NII, and CPSR.
other Privacy-related Resources
http://www.cpsr.org/dox/program/privacy/privacy.html
http://www.epic.org/privacy/ssn
http://www.epic.org/privacy/
If you have suggestions for improving this document please send them to
me:
Chris Hibbert
hibbert@netcom.com or 1195 Andre Ave.
Mountain View, CA 94040