Director, Electronic Privacy information Center
Adjunct Professor, Georgetown University Law Center
on the Social Security Administration
and the PEBES Program
Before the House of Representatives,
Committee on Ways and Means,
Subcommittee on Social Security
May 6, 1997
Electronic Privacy Information Center
666 Pennsylvania Ave., SE
Washington, DC 20003
202 544 9240 (tel)
202 547 5482 (fax)
I appreciate the opportunity to appear before the Subcommittee on Social Security today. I will make four points this afternoon about the recent developments with the SSA online database.
The first point is that public concern about the loss of privacy is well documented and not surprising. As technology has raced ahead, basic legal safeguards have failed to keep up. And while it is true that there are technical solutions that could help limit the loss of privacy, too little has been done to promote these techniques. Thus, when the public became aware of the SSA plan to make payment records available online, much of the concern may have been simply a result of the growing sense that too much data has been computerized while too few safeguards have been established.
Second, even though SSA came under criticism for making personal information available on the Internet, the agency was attempting to uphold one of the most important privacy principles - the right of individuals to get access to their own records held by others, to ensure that the information is accurate and complete, and to make corrections if necessary. In the area of Social Security contributions, this is particularly important for American taxpayers. Privacy laws are not just about restricting access to personal information. They also require that organizations in possession of personal information make sure that the individuals to whom the information relates are able to get access to their data easily and cheaply. If SSA is to be faulted, it should not be for their effort to make the PEBES more readily available.
Third, there are several techniques that could be developed to improve authentication, but each technique involves some trade-off. Greater security may require more cost for the agency and more inconvenience for the end-user. It is important also to keep in mind that the unauthorized request for a Social Security record is a federal offense and subject to criminal penalties. Routine auditing and criminal prosecution where wrongdoing is established could do a lot to protect privacy and discourage illegal access. I would also like call the attention of the committee to the testimony of Peter Neumann, Principal Scientist for SRI. Dr. Neumann's statement provides an excellent basis for further investigation into the various options that the Social Security Administration could pursue.
Fourth, I think the SSA took the right steps when it decided to suspend the service and seek public comment through regional hearings. Privacy is clearly an issue of great concern. The comment period will allow the SSA to gauge the public concern and to explore options. As a pioneer in the delivery of online government services, the SSA's work will also benefit other federal agencies that may be considering similar programs in the future. But I don't think the SSA alone can address the widespread public concerns about the loss of privacy. More steps will need to be taken. A privacy agency, for example, could provide technical support and guidance to federal agencies and ensure that the aims of the Privacy Act are upheld as federal agencies go forward with new efforts to take advantage of information technologies. Some legal controls on the collection and use of the Social Security Number may also be appropriate.
Properly developed privacy safeguards and the creation of a federal agency with expertise in privacy matters will help ensure public trust in new information services and allow agencies such as the Social Security Administration to move forward with innovative and cost-effective programs to deliver government services. But without such safeguards and such expertise, we may continue to see more public opposition to the computerization of personal information.
This hearing focuses on the decision earlier this year of the Social Security Administration to make available the Personal Earnings and Benefit Estimate Statements (PEBES) over the Internet. While many criticized SSA for this decision, it is my view that the SSA was trying to do the right thing and got caught in the growing public concern about the loss of privacy. There are steps that the SSA can take to address concerns about the risk of unlawful access to the PEBES records, but the larger problem is not something that the Social Security Administration will be able to solve. To address this problem may require the creation of an office within the federal government with privacy expertise and the passage of legislation to control the misuse of the Social Security Number.
The PEBES provides individuals with their earnings by years, Social Security taxes paid, and an estimate of future benefits. The statement has been available by mail for the past decade. For the past year, the SSA allowed individuals to request the statement over the Internet. It was then sent by mail. The document is important for American workers and families and allows individuals to plan for their family's economic security in the event of retirement, disability, or death.
In March, the Social Security Administration made the PEBES available online at the SSA's web site. An individual could view the information contained in the Earnings Statement directly on a computer terminal. To obtain online access to the records the SSA required individuals to provide their full name, date of birth, place of birth, Social Security number, and mother's maiden name. This was the same information that an individual would provide if he or she sent a request by mail to the SSA for a copy of the PEBES.
What made the SSA project somewhat unique is that the new service was designed to allow individuals to download their personal information from a government agency over the Internet. There are many federal agencies that have taken advantage of the Internet to make information widely available to the public at little cost. Congress itself has done an excellent job with the Thomas system which now makes it possible for individuals across the country to track Congressional legislation, read the Congressional Record and obtain other public information.
But the PEBES statement is not public information. It is private information and individuals are rightly concerned that such information should not be improperly disclosed or made available to others.
A front page story in USA Today on April 7 focused public attention on the SSA project. Evan Hendricks, the publisher of Privacy Times and one of the country's leading privacy experts, expressed concern that the SSA database could lead to the disclosure of sensitive personal information. Several members of Congress cited the risk that others might get access to the online database. The SSA received calls as did the Committee about the possible risks to personal privacy.
On April 9 the Social Security Administration suspended the service. Commissioner Callahan said that maintaining public confidence in protecting the privacy of sensitive data was one of the SSA's primary missions. He also noted that over the ten-year period that SSA has offered the PEBES, and during the month that the PEBES was offered online, the SSA "received no allegations of individuals fraudulently accessing SSA's records."
On April 30, the Social Security Administration published a federal Register Notice announcing that a series of Public Forums would be held to solicit comments on the PEBES service. The SSA intends to conclude the comment period this summer and develop recommendations.
Considering the ongoing efforts of the Social Security Administration to make the PEBES more easily available to the public, it is almost surprising that the public reaction was so strong and so swift. But the loss of public confidence in the privacy of personal information is very real today.
Lou Harris reported last year that public concern about the loss of privacy is at an all-time high. Privacy concern is particularly high among users of the Internet, arguably the most technologically sophisticated individuals. A comprehensive survey undertaken by the Georgia Institute of Technology found that after censorship, privacy was the top concern among Internet users. And among women, privacy outranked censorship as the number one concern. According to the survey, Internet users also favor new laws to protect personal privacy (3.8/5.0) [http://www.cc.gatech.edu/gvu/user_surveys/survey-10-1996/]
There are many factors that have contributed to the growing concern about the loss of privacy -- the rapid growth of technology, the increased collection and sale of personal data, the development of new surveillance techniques. But perhaps the most significant factor is the sense that we have simply lost the ability to control the collection and use of data. Indeed, the Harris poll found that 60% of consumers believe they have lost all control over personal information.
This problem is not easily solved. But as the SSA goes forward with its assessment of the PEBES service, it will be critical to keep in mind the larger concern about the loss of privacy in America.
When Congress addressed the question in the early 1970's about what should be done to protect the privacy of personal information held by federal agencies, it concluded that it would be necessary to establish in law certain obligations for federal agencies and certain rights for American citizens. The rights and responsibilities were set out in the Privacy Act and reflected an approach that is commonly understood as a Code of Fair Information Practices.
The key point about the SSA's efforts is that under the Privacy Act, federal agencies have two obligations, that may appear to operate at cross purposes, but are in fact quite consistent. The Privacy Act requires federal agencies to prevent the unlawful disclosure and use of personal information. The Privacy Act also requires that federal agencies make information pertaining to particular individuals available to those individuals.
Indeed, one of main purposes of the Privacy Act is to "permit an individual to gain access to information pertaining to him in Federal agency records and to have a copy made of all or any portion thereof and to correct or amend such records" Of course, federal agencies also have a responsibility to ensure that "adequate safeguards are provided to prevent misuse" of identifiable personal information.
Many other privacy laws follow a similar approach. The Fair Credit Reporting Act of 1970, for example, both limits the disclosure of credit reports and requires Credit Reporting Agencies to make available credit reports to individuals to whom the reports pertain. Such access can be critical when credit is denied, particularly if such decisions came about as a result of incorrect information.
For similar reasons, the SSA must make the Earning Statements available to individuals to ensure that records are accurate and individuals are not improperly denied benefits to which they are entitled.
In making the PEBES statements available online, the SSA was clearly attempting to comply with the spirit of the Privacy Act. It would be wrong to fault the agency for this effort.
One of the critical questions that was raised in the aftermath of the PEBES episode was whether additional steps should have been taken to ensure the authenticity of the individuals requesting the requesting records. Some individuals proposed digital signature techniques or passwords. Others questioned whether it was ever appropriate to transfer personal information over the Internet.
The SSA is now conducting hearings and meeting with technical experts to explore a range of options. I don't mean to prejudge this process, but I would like to point out that at least in the near term there will almost certainly be a trade between the level of authentication� that can be provided and the ease of access and reduced cost. I do not believe that the steps that the SSA took to authenticate users, if coupled with auditing and the risk of criminal penalty, were unreasonable.
It is also signficiant that the Commissioner stated that there was no record of unauthorized access to the PEBES records during the period of time that the SSA made the records available. But the Social Security Administration could take additional steps to address public concern, including routine auditing and criminal prosecution where wrongdoing is established. These steps could do a lot to protect privacy and discourage illegal access.
It is also important to note that many techniques which could over time provide higher levels of authentication at low cost are being discouraged by the Administration's policy on encryption which has generally been to defer to law enforcement considerations rather than to allow new privacy solutions to develop. Improving the security of federal information systems will require that the Administration understand the importance of these new techniques.
One of the privacy issues that continues to plague efforts at the Social Security Administration is the growing use of the Social Security number. At EPIC we received several irate calls about the SSA database. One person asked whether the Social Security Administration had the right to request a Social Security number. This person asked whether there was any law to prevent this. I patiently explained that if there was any organization in the world with the right to request the Social Security number it was the Social Security Administration.
But the public concern about the misuse of the Social Security number is well-founded. The widespread availability of the SSN has increased the level of banking fraud and credit fraud.
Last summer a Lexis-Nexis locator service called P-Trak allowed anyone to search by Social Security number to find individuals. In this case the Social Security numbers were obtained when Lexis-Nexis exploited a loophole in the Fair Credit Reporting Act and obtained credit record information from TransUnion, a credit reporting agency. The display of the SSN was eventually discontinued after public protests, but it is still possible to look-up individuals by use of the SSN. Several members of Congress and the FTC are now looking at ways to close the loophole in the FCRA.
There have also been proposals to extend the use of the SSN to all forms of government, including,"any application for a professional license, commercial driver's license, occupational license, or marriage license [the SSN] be recorded on the application.." Even the Federal Aviation Administration has claimed the need to collect Social Security numbers for all air travelers.
The Privacy Act of 1974 tried to control the widespread use of the Social Security number when it incorporated provisions that limited the collection and use of the SSN and provided a notice requirement and legal authority when it was gathered. In the absence of effective oversight of the Privacy Act, the use and misuse of the Social Security number continues. Now the one agency that rightfully should be able to use the number runs into problems.
Many of the problems could be addressed in part if the United States would move forward with a proposal that was central to the original design of the Privacy Act and that is the creation of a federal privacy entity with the authority and the expertise to ensure that agencies are complying with the Privacy Act and to help agencies antitcipate the new challenges that technology necessarlu involves.
It is clear that there is a larger problem here than the SSA can solve. Some steps must be taken to strengthen the privacy infrastructure within the United States before other online services meet similar public protest.
EPIC, "National ID Cards" [http://www.epic.org/privacy/id_cards/default.html]
EPIC, "Privacy Surveys" [http://www.epic.org/privacy/survey/]
EPIC, "Social Security Administration and Online Privacy" [http://www.epic.org/privacy/databases/ssa/]
EPIC, "Social Security Number and Privacy" [http://www.epic.org/privacy/ssn/default.html]