Social Security Numbers: Internet Resellers Provide Few Full	 
SSNs, but Congress Should Consider Enacting Standards for	 
Truncating SSNs (17-MAY-06, GAO-06-495).			 
                                                                 
GAO previously reported on how large information resellers like  
consumer reporting agencies obtain and use Social Security	 
numbers (SSNs). Less is known about information resellers that	 
offer services to the general public over the Internet. Because  
these resellers provide access to personal information, SSNs	 
could be obtained over the Internet. GAO was asked to examine (1)
the types of readily identifiable Internet resellers that have	 
SSN-related services and characteristics of their businesses, (2)
the extent to which these resellers sell SSNs, and (3) the	 
applicability of federal privacy laws to Internet resellers.	 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-06-495 					        
    ACCNO:   A54119						        
  TITLE:     Social Security Numbers: Internet Resellers Provide Few  
Full SSNs, but Congress Should Consider Enacting Standards for	 
Truncating SSNs 						 
     DATE:   05/17/2006 
  SUBJECT:   Information security				 
	     Internet						 
	     Internet privacy					 
	     Privacy law					 
	     Right of privacy					 
	     Social security number				 
	     Information resellers				 
	     Personal information				 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-06-495

     

     * Results in Brief
     * Background
     * Internet Resellers' Web Sites Shared Similar Characteristics
          * Internet Resellers Offered to Sell a Variety of Information
          * Internet Resellers Usually Identified Their Clients
          * Three-Quarters of Internet Resellers Identified Their Source
     * Most Attempts to Purchase SSNs Failed
     * Applicability of Federal Privacy Laws to Internet Resellers
     * Conclusions
     * Matter for Congressional Consideration
     * Agency Comments and Our Evaluation
     * GAO Contact
     * Staff Acknowledgments
     * GAO's Mission
     * Obtaining Copies of GAO Reports and Testimony
          * Order by Mail or Phone
     * To Report Fraud, Waste, and Abuse in Federal Programs
     * Congressional Relations
     * Public Affairs

Report to Congressional Requesters

United States Government Accountability Office

GAO

May 2006

SOCIAL SECURITY NUMBERS

Internet Resellers Provide Few Full SSNs, but Congress Should Consider
Enacting Standards for Truncating SSNs

GAO-06-495

Contents

Letter 1

Results in Brief 2
Background 4
Internet Resellers' Web Sites Shared Similar Characteristics 7
Most Attempts to Purchase SSNs Failed 12
Applicability of Federal Privacy Laws to Internet Resellers Cannot Be
Determined 16
Conclusions 19
Matter for Congressional Consideration 19
Agency Comments and Our Evaluation 19
Appendix I Scope and Methodology 21
Appendix II Comments from the Social Security Administration 24
Appendix III GAO Contact and Staff Acknowledgments 25

Tables

Table 1: Aspects of Selected Federal Laws Affecting Public and Private
Sector Disclosure of Personal Information 7
Table 2: Categories and Examples of Information Provided by Internet
Resellers 9
Table 3: Types of Clients to Which Internet Resellers Market Their
Services 10
Table 5: Reasons Internet Resellers Did Not Provide SSNs 12
Table 6: Results of Attempted SSN Purchases 14

Figures

Figure 1: Number of Services Provided by the 154 Internet Resellers 8
Figure 2: Combinations of the Sources of Information Used by Internet
Resellers 11
Figure 3: Frequency of Federal Privacy Laws Cited by Internet Resellers 18

Abbreviations

DCI data collection instrument

DPPA Driver's Privacy Protection Act

FACTA Fair and Accurate Credit Transactions Act

FCRA Fair Credit Reporting Act

FTC Federal Trade Commission

GLBA Gramm-Leach-Bliley Act

MSN Microsoft Network

SSA Social Security Administration

SSN Social Security number

This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.

United States Government Accountability Office

Washington, DC 20548

May 17, 2006 May 17, 2006

The Honorable Jim McCrery Chairman Subcommittee on Social Security
Committee on Ways and Means House of Representatives The Honorable Jim
McCrery Chairman Subcommittee on Social Security Committee on Ways and
Means House of Representatives

The Honorable E. Clay Shaw, Jr. House of Representatives The Honorable E.
Clay Shaw, Jr. House of Representatives

The Social Security number (SSN) is a key piece of personal information
and has come to be used for numerous non-Social Security purposes. In
recent years, both public and private sector entities have increasingly
used the SSN as a personal identifier and ask individuals to supply their
SSNs. Consequently an individual's SSN can be found on a number of public
documents such as land ownership records, birth certificates, and marriage
licenses, and is advertised for sale. Private-sector entities known as
information resellers are specializing in amassing personal information,
including SSNs, from various public and private sources and providing
information about someone for specific purposes for a fee. The Social
Security number (SSN) is a key piece of personal information and has come
to be used for numerous non-Social Security purposes. In recent years,
both public and private sector entities have increasingly used the SSN as
a personal identifier and ask individuals to supply their SSNs.
Consequently an individual's SSN can be found on a number of public
documents such as land ownership records, birth certificates, and marriage
licenses, and is advertised for sale. Private-sector entities known as
information resellers are specializing in amassing personal information,
including SSNs, from various public and private sources and providing
information about someone for specific purposes for a fee.

More prominent or large information resellers limit their services to
businesses and government entities that establish accounts with them and
have a legitimate purpose for obtaining personal information on an
individual. However, less is known about other information resellers,
particularly those that are Internet-based and offer their services to the
public at large for a fee. Such Internet information resellers (Internet
resellers) make public and nonpublic information accessible to the public,
raising concerns about how easy it would be for someone to obtain another
person's SSN over the Internet. At your request, we (1) describe the types
of readily identifiable Internet resellers that have SSN-related services
and characteristics of their business, (2) determine the extent to which
these Internet resellers sell SSNs, and (3) determine the applicability of
federal privacy laws to Internet resellers. More prominent or large
information resellers limit their services to businesses and government
entities that establish accounts with them and have a legitimate purpose
for obtaining personal information on an individual. However, less is
known about other information resellers, particularly those that are
Internet-based and offer their services to the public at large for a fee.
Such Internet information resellers (Internet resellers) make public and
nonpublic information accessible to the public, raising concerns about how
easy it would be for someone to obtain another person's SSN over the
Internet. At your request, we (1) describe the types of readily
identifiable Internet resellers that have SSN-related services and
characteristics of their business, (2) determine the extent to which these
Internet resellers sell SSNs, and (3) determine the applicability of
federal privacy laws to Internet resellers.

To identify Internet resellers and their characteristics, we developed an
initial list of over 1,000 potential Internet resellers by searching the
Internet with popular Web-based search engines, such as Google, and using
keywords and phrases that members of the general public would use if they
were trying to find Web sites that would allow them to obtain To identify
Internet resellers and their characteristics, we developed an initial list
of over 1,000 potential Internet resellers by searching the Internet with
popular Web-based search engines, such as Google, and using keywords and
phrases that members of the general public would use if they were trying
to find Web sites that would allow them to obtain someone else's SSN and
other personal information. We narrowed the list of Internet resellers to
154 distinct Web sites that had services that either required the customer
to provide the reseller with an SSN or sold an SSN. We then used a data
collection instrument (DCI) to capture information posted on resellers'
Web sites about their characteristics, such as the types of information
available for sale, the types of clients resellers market to, and the
sources of information they stated they used. To determine the extent to
which the Internet resellers sell SSNs, we analyzed the data obtained from
the DCI about Internet resellers with SSN-related services and attempted
to purchase the SSNs of consenting GAO staff members from a nonprobability
sample of 21 resellers on the list.1 The criteria we used to select the
resellers for our attempted purchases included (1) Web sites that
advertise the sale of an SSN without the customer's having to provide the
SSN of the subject of our inquiry, (2) Web sites that advertise the sale
of an SSN to the general public, and (3) the Web sites where the
transaction could be made online through use of a credit card. We also
interviewed staff from the Federal Trade Commission (FTC), officials from
the Social Security Administration (SSA), industry representatives, and
privacy experts to get their views about the use of SSN truncation. To
determine the applicability of federal privacy laws to the Internet
resellers, we reviewed federal privacy laws and examined pertinent
information on the resellers' Web sites, including their references to
privacy laws. Appendix I explains the scope and methodology of our work in
greater detail. We conducted our work between April 2005 and May 2006 in
accordance with generally accepted government auditing standards.

                                Results in Brief

Although numerous Internet resellers exist, resellers' Web sites we
reviewed generally had similar characteristics. Most advertised a
selection of personal information ranging from previous and current
addresses and dates of birth to drivers' license information, telephone
records, and credit reports. In addition, many of them offered to sell
personal information in various packages, such as criminal checks and
background checks. Web sites most frequently identified individuals,
businesses, attorneys, and financial institutions as their typical clients
and public or nonpublic sources, or both as their sources of information.

1We selected these Web sites using a nonprobability sample-a sample in
which some items in the population have no chance, or an unknown chance,
of being selected. Results from nonprobability samples cannot be used to
make inferences about a population. Thus, the information we obtained
cannot be generalized to the other Web sites we studied.

We generally failed in our attempts to purchase full SSNs, although we did
receive other personal information. Of the 53 Web sites that offered to
sell a person's SSN, we tried to purchase SSNs of consenting GAO employees
from 21 of these resellers and received one complete SSN for the person
whose number we requested; four truncated SSNs, where only the first five
digits were disclosed (123-45-XXXX); and no SSN from the remaining 16. In
our discussions with privacy experts, private sector representatives, and
federal officials, we found that entities in other industries, such as
credit reporting, sometimes truncate the SSN by masking the first five
digits of the SSN but displaying the last four (XXX-XX-1234). These
experts added there are few federal laws, and no specific industry
standards, about which digits of an SSN are displayed in a truncated
format. According to SSA officials, SSA does not have the authority to
regulate how other public and private entities use SSNs, including how
they are truncated. Furthermore, when we were successful in purchasing
truncated SSNs as part of a background check, we also received personal
information such as an individual's address, date of birth, and list of
neighbors. In one case, we received unrequested information including the
truncated SSNs of the person's current and past neighbors.

We could not determine if federal privacy laws were applicable to the
Internet resellers because such laws depend on the type of entity involved
and the source of information, and most of the resellers' Web sites did
not include this information. Certain federal privacy laws-such as the
Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA), and
the Driver's Privacy Protection Act (DPPA)-restrict the disclosure of
personal information based on the type of entity or the specific source of
the information. We found that most of the Internet resellers' Web sites
we reviewed had insufficient information on their Web sites for us to
determine the type of entity the reseller was or the source of the
reseller's information. However, federal privacy laws could apply to these
resellers. In four cases, we found that the resellers stated on their Web
sites the type of entity they were-consumer reporting agencies and credit
bureau-which are subject to FCRA or GLBA. We also found that about 79, or
one-half, of the resellers referenced one or more federal privacy laws on
their Web sites, indicating some awareness of these laws, while others
referenced certain state laws, such as those of California, Florida, and
Michigan.

Because different entities truncate SSNs in different ways and no federal
agency has the authority to regulate how SSNs should be truncated,
Congress may wish to consider enacting standards for truncating SSNs or
delegating that authority to SSA or some other governmental agency. In
commenting on a draft of this report, SSA agreed that standardizing the
truncation of SSNs would be beneficial and supported our recommendation to
Congress.

                                   Background

The SSN was created in 1936 as a means of tracking workers' earnings and
eligibility for Social Security benefits. SSNs are issued to most U.S.
citizens, and to some noncitizens lawfully admitted to the United States.
Through a process known as enumeration, a unique nine-digit number is
created. The number is divided into three parts- first three digits
represent the geographic area where the SSN was assigned; the middle two
are the group number, which is assigned in a specified order for each area
number; and the last four are serial numbers ranging from 0001 to 9999.
Because of the number's uniqueness and broad applicability, SSNs have
become the identifier of choice for government agencies and private
businesses, and are used for a myriad of non-Social Security purposes.

Information resellers, sometimes referred to as information brokers, are
businesses that specialize in amassing personal information from multiple
sources and offering informational services. These entities may provide
their services to a variety of prospective buyers, either to specific
business clients or to the general public through the Internet. More
prominent or large information resellers such as consumer reporting
agencies and entities like LexisNexis provide information to their
customers for various purposes, such as building consumer credit reports,
verifying an individual's identity, differentiating records, marketing
their products, and preventing financial fraud. These large information
resellers limit their services to businesses and government entities that
establish accounts with them and have a legitimate purpose for obtaining
an individual's personal information. For example, law firms and
collection agencies may request information on an individual's bank
accounts and real estate holdings for use in civil proceedings, such as a
divorce. Information resellers that offer their services through the
Internet (Internet resellers) will generally advertise their services to
the general public for a fee.

Resellers, whether well-known or Internet-based, collect information from
three sources: public records, publicly available information, and
nonpublic information.

           o  Public records are available to anyone and obtainable from
           governmental entities. Exactly what constitutes public records
           depends on state and federal laws, but generally includes birth
           and death records, property records, tax lien records, voter
           registrations, and court records (including criminal records,
           bankruptcy filings, civil case files, and legal judgments).
           o  Publicly available information is information not found in
           public records but nevertheless available to the public through
           other sources. These sources include telephone directories,
           business directories, print publications such as classified ads or
           magazines, and other sources accessible by the general public.
           o  Nonpublic information is derived from proprietary or private
           sources, such as credit header data2 and application information
           provided by individuals-for example, information on a credit card
           application-directly to private businesses.

Information resellers provide information to their customers for various
purposes, such as building consumer credit reports, verifying an
individual's identity, differentiating records, marketing their products,
and preventing financial fraud. The aggregation of the general public's
personal information, such as SSNs, in large corporate databases and the
increased availability of information via the Internet may provide
unscrupulous individuals a means to acquire SSNs and use them for illegal
purposes.

Because of the myriad uses of the SSN, Congress has previously asked GAO
to review various aspects of SSN-use in both the public and private
sectors.3 In our previous work, our reports have looked at how private
businesses and government agencies obtain and use SSNs.4 In addition, we
have reported that the perceived widespread sharing of personal
information and instances of identity theft have heightened public concern
about the use of Social Security numbers.5 We have also noted that the SSN
is used, in part, as a verification tool for services such as child
support collection, law enforcement enhancement, and issuing credit to
individuals.6 Although these uses of SSNs are beneficial to the public,
SSNs are also key elements in creating false identities. We testified
before the Subcommittee on Social Security, House Committee on Ways and
Means, about SSA's enumeration and verification processes and also
reported that the aggregation of personal information, such as SSNs, in
large corporate databases, as well as the public display of SSNs in
various public records, may provide criminals the opportunity to commit
identity crimes.7

2Credit header data consist of the nonfinancial identifying information
located at the top of a credit report, such as name, current and prior
addresses, telephone number, Social Security number, and date of birth.

3See GAO, Social Security Numbers: Government Benefits from SSN Use but
Could Provide Better Safeguards, GAO-02-352 (Washington, D.C.: May 31,
2002), and Identity Theft: Prevalence and Cost Appear to Be Growing,
GAO-02-363 (Washington, D.C.: Mar. 1, 2002).

4GAO, Social Security: Government and Commercial Use of the Social
Security Number Is Widespread, GAO/HEHS-99-28 (Washington, D.C.: Feb. 16,
1999).

We have also previously reported that certain federal and state laws help
information resellers limit the disclosure of personal information
including SSNs to their prescreened clients.8 Specifically, we described
how certain federal laws place restrictions on how some Internet
resellers' obtain, use, and disclose consumer information. The limitations
these laws afford are shown in table 1.

5GAO, Social Security: Government and Other Uses of the Social Security
Number Are Widespread, GAO/T-HEHS-00-120 (Washington, D.C.: May 18, 2000).

6 GAO/HEHS-99-28 .

7GAO, Social Security Numbers: Ensuring the Integrity of the SSN,
GAO-03-941T (Washington, D.C.: July 10, 2003).

8GAO, Social Security Numbers: Private Sector Entities Routinely Obtain
and Use SSNs, and Laws Limit the Disclosure of This Information, GAO-04-11
(Washington, D.C.: January 22, 2004).

Table 1: Aspects of Selected Federal Laws Affecting Public and Private
Sector Disclosure of Personal Information

Federal laws             Restrictions on disclosure    Entities affected   
Gramm-Leach-Bliley Act   Creates a new definition of   Financial           
                            nonpublic personal            institutions such   
(GLBA)                   information that includes     as credit bureaus   
                            SSNs and gives consumers the  and entities that   
                            right to limit some, but not  receive data from   
                            all, sharing of their         financial           
                            nonpublic personal            institutions        
                            information. Financial        
                            institutions can disclose     
                            consumers' nonpublic          
                            information without offering  
                            them an opt-out right under   
                            certain circumstances         
                            permissible under the law,    
                            such as to protect the        
                            confidentiality or security   
                            of the consumer's record and  
                            to prevent actual or          
                            potential fraud.              
Fair Credit Reporting    Limits access to consumer     Consumer reporting  
Act (FCRA)               reports, which generally      agencies and users  
                            include SSNs, to those who    of consumer reports 
                            have a permissible purpose    
                            under the law, such as state  
                            or local officials involved   
                            in the enforcement of child   
                            support cases or determining  
                            eligibility for employment.   
Fair and Accurate Credit Amends FCRA to allow, among   Consumer reporting  
Transactions Act (FACTA) other things, consumers who   agencies and users  
                            request a copy of their       of consumer reports 
                            credit report to also request 
                            that the first five digits of 
                            their SSN (or similar         
                            identification number) not be 
                            displayed; requires consumer  
                            reporting agencies and any    
                            business that uses consumer   
                            reports to adopt procedures   
                            for proper disposal of such   
                            reports.                      
Driver's Privacy         Prohibits disclosing personal State departments   
Protection Act (DPPA)    information from a motor      of motor vehicles,  
                            vehicle record, including     department of motor 
                            SSNs, except for purposes     vehicle employees   
                            permissible under the law.    or contractors, and 
                                                          recipients of       
                                                          personal            
                                                          information from    
                                                          motor vehicle       
                                                          records             

Source: GAO analysis.

          Internet Resellers' Web Sites Shared Similar Characteristics

The Web sites of the 154 Internet resellers we reviewed had similar
characteristics. Most resellers offered a variety of information that
could be purchased, from telephone records to credit reports. In addition,
Internet resellers also offered to sell information in various ways, from
packaged information, such as various information that would be collected
through a background check or a search of a person's criminal records to
single types of information, such as a credit score. These resellers
usually listed the types of clients that they market their services to and
broadly identified their sources of information.

Internet Resellers Offered to Sell a Variety of Information in Various Ways

We found that Internet resellers offered to sell a variety of information
to anyone willing to pay a fee. On average, resellers offered about 8
types of services and two offered 20 types of informational services. As
shown in figure 1, the majority of resellers offered to sell anywhere from
1 to 10 informational services.

Figure 1: Number of Services Provided by the 154 Internet Resellers

The Internet resellers offering the fewest services tended to specialize
in services provided to the public. For example, most of the resellers
offering only one service were resellers that specialized in helping
locate an individual. Others offered services related to employment or
background checks.

Internet resellers also offered different ways for buyers to purchase
their information. For example, some offered memberships that allowed
online access to the reseller's information, with the member performing
the search. Another reseller offered to sell a software package that would
allow a buyer to purchase access to the Internet reseller's information
through the purchased software and allowed many different types of
information searches. The majority of resellers would require selected
information about the buyer and then would perform the data search and
provide an information report to the buyer.

We identified over 50 types of information offered for purchase by these
resellers, which we categorized into six major categories including
personal, legal, financial, employment, driver or vehicle, and telephone.
Table 2 gives examples of the types of information found in these
categories.

Table 2: Categories and Examples of Information Provided by Internet
Resellers

Information categories Types of Information in these categories            
Personal               Name, SSN, aliases, current and previous addresses, 
                          telephone number, and date of birth or age          
Legal                  Federal, state, and county criminal records checks  
Financial              Credit reports, credit cards, bank accounts, and    
                          bankruptcy records search                           
Employment             Employment history and salary or income             
                          verification                                        
Driver or vehicle      Driver's license number and driver's history report 
Telephone              Telephone and cell phone records and name and       
                          address of an individual based on his telephone or  
                          cell phone number                                   

Source: GAO analysis.

All the resellers offered to sell information from at least one of the six
categories. However, not all resellers offered to sell driver or vehicle
information, or telephone information. For example, only 85 of the 154
resellers we reviewed offered to sell some type of driver's information,
while 56 resellers offered to sell telephone information.

We found that Internet resellers either sold their information as a part
of a package or sold single pieces of information. For example, resellers
sold packaged information such as background checks, criminal checks, or
employment checks/tenant screenings. Of the packaged information, we found
that background checks provided the most extensive information. A
background check may include personal, legal, and financial information,
such as name, SSN, address, neighbors, relatives, and associates
information. Such checks may include national, state, or county criminal
records searches and bankruptcy and lien information.9 Other packages,
such as criminal records packages, may include national, state, and county
criminal records searches, sex offender searches, and civil litigation.
Employment checks/tenant screenings may include current and past
employment, SSN verifications, and national, state, and county criminal
records searches.

9A lien is a charge upon real or personal property for the satisfaction of
some debt or duty.

Internet Resellers Usually Identified Their Clients

Over 80 percent of Internet resellers identified the clients to whom they
marketed their information. Internet resellers identified their clients in
several ways. About 60 percent of the time, resellers used the information
sections of their Web sites to identify their clients. Web pages such as
"Frequently Asked Questions," "Help," or "About Us" were frequently used
to identify their clients. For example, the "About Us" Web page generally
provided a brief description about the Internet reseller's business and
would often describe the clients it marketed to. Other ways in which
resellers marketed to their clients were through testimonials or in a
separate section on their Web page.

Internet resellers marketed their services to a variety of clients. As
shown in table 3, individuals, businesses, and attorneys were the most
frequently identified clients. Some of the businesses resellers identified
were Fortune 500 companies and retailers. For the financial institution
clients, resellers mostly identified banks. In addition, most of the
Internet resellers' clients were from the private sector, although some
had government and law enforcement agency clients. Finally, we found that
most of the resellers had multiple types of clients. About 30 percent of
the resellers identified only one type of client.

Table 3: Types of Clients to Which Internet Resellers Market Their
Services

                                    Internet resellers that marketed to these 
Types of clients                                                   clients 
Individuals                                                             84 
Businesses                                                              72 
Attorneys                                                               42 
Financial institutions                                                  29 
Insurance agents or agencies                                            26 
Private investigators                                                   23 
Government or law enforcement                                           21 
agencies                      
Collection agencies                                                     12 
Landlords                                                               11 
Health services                                                          8 
Other                                                                   16 

Source: GAO analysis.

Three-Quarters of Internet Resellers Identified Their Sources of Information

About 75 percent, or 115, Internet resellers identified the source of
their information on their Web sites. Most of these resellers obtained
their information from public or nonpublic sources or a combination of
both sources. For example, a few resellers offered to conduct a background
investigation on an individual, which included compiling information on
the individual from court records and using a credit bureau to obtain
consumer credit data. Some used only public records as their only source
of information. The most frequently identified public records were court
records, department of motor vehicle records, real property records, legal
judgments, and bankruptcy records. We found about one-third of the
Internet resellers used only one source of information. More often, they
used a combination of the three sources. Figure 2 below shows the various
combinations of sources of information.

Figure 2: Combinations of the Sources of Information Used by Internet
Resellers

                     Most Attempts to Purchase SSNs Failed

Most of our attempts to purchase SSNs from a select group of resellers
failed. Of the 154 Internet resellers' Web sites we reviewed, 53, almost
35 percent, offered to sell SSNs. We attempted to purchase SSNs from 21
resellers that were chosen because they required minimal information about
prospective buyers or about the person whose SSN we wanted to obtain. Of
the 21 resellers from which we tried to purchase SSNs, only 5 provided
some form of an SSN. As shown in table 5, the reasons for being unable to
obtain SSNs from 16 of the 21 resellers varied.

Table 5: Reasons Internet Resellers Did Not Provide SSNs

Reason                                                   Internet reseller 
Required additional legal documentation of permissible                   4 
purpose for obtaining the information                    
Refused because of state privacy laws                                    1 
Required forms of payment other than a credit card                       1 
No record found on subject                                               1 
Reason unknown                                                           9 
Total                                                                   16 

Source: GAO analysis.

Nine resellers, a majority of the resellers that did not sell SSNs to us,
did not explain why but simply did not provide the information we sought.
Four of the remaining resellers attempted to contact us to request legal
documentation to support a permissible purpose for obtaining the
information. However, since we attempted to purchase SSNs as a member of
the general public, we could not provide the requested information. One of
these resellers sent us an e-mail asking us to fax a signed letter stating
our reason for obtaining a person's SSN and a copy of our driver's license
to verify our identity, which we could not provide. We contacted the other
three to find out why prospective buyers were required to have a
permissible purpose. One reseller told us that the company is audited
every year by the government and that a legal document request was part of
its security screening of its customers. The other two stated that some
form of legal documentation, such as a certified copy of a court order,
was required in order for their companies to release the information.

In addition to receiving one full and four truncated SSNs, we also
received other information related to our purchases. Given that we only
received SSNs as a part of packaged information, we were not surprised
that we received additional information about the person whose SSN we were
trying to obtain. For example, the two Internet resellers that provided
some form of SSN in a background check report also provided the following
information:

           o  the person's current and previous addresses,
           o  date of birth,
           o  a list of other names associated with the person,
           o  a list of their neighbors,
           o  tax liens and judgments against the person, and
           o  properties owned by the person.10

However, in one case we received unexpected and unrequested information.
In this case, we did not receive the SSN of the person whose number we
requested, but instead received the truncated SSNs of the person's past
and present neighbors, information we did not request.

Five of the 21 resellers from whom we attempted to purchase SSNs did
provide us with some form of an SSN. We received one full nine-digit SSN
and four truncated SSNs. All five resellers that supplied an SSN provided
the SSN as a part of a package of information. As shown in table 6, the
full SSN was obtained as a part of a background check, and the four
truncated SSNs were provided as a part of a "people locator" package, a
background package, and an employment trace. We attempted to order SSNs
from five resellers that offered to sell the SSN alone, and we were unable
to obtain an SSN from those resellers.

10The list of personal information represents some of the information the
two resellers provided in background check reports.

Table 6: Results of Attempted SSN Purchases

                                           Orders Received full      Received 
SSN services                           placeda           SSN truncated SSN 
SSN alone                                    5             0             0 
                                                                
(e.g., Locate an SSN, search for                             
Social Security numbers, and SSN                             
search)                                                      
Background check or investigation            6             1             1 
People locator or search                     5             0             2 
Employment trace                             1             0             1 
Other information packages                   4             0             0 
Total                                       21             1             4 

Source: GAO analysis.

a.Does not include three attempted orders where we received an error
message after submitting our information that terminated our transaction.

We also found a wide range of the costs for information services when we
tried to purchase SSNs. The packages of information we attempted to
purchase ranged from about $4 to $200 compared to the costs to purchase
individual SSNs that ranged from about $15 to $150. The range of costs
from the five resellers that provided some form of the SSN was about $20
to $200. The Internet reseller that provided the full SSN did so for $95.

Of the four resellers that gave us truncated SSNs, three of these
disclosed on their Web sites that they would provide full SSNs, but only
under certain circumstances. For example, one reseller said that, by law,
it cannot provide a person's SSN to any third party. Another required the
customer to have a legitimate reason for requesting the information under
laws such as GLBA. This reseller said it may not provide the full SSN if
the customer did not meet those requirements. None explained why they only
provided the first five digits.

All resellers that provided truncated SSNs showed the first five digits
and masked the last four digits. We interviewed industry representatives
and privacy experts to determine if this way of truncating the SSN was the
standard practice among private sector entities. Industry representatives
and privacy experts told us that entities in other industries may truncate
the SSN differently from the truncated SSNs we bought from Internet
resellers. For example, consumer data industry representatives said that
members of their association decide for themselves how and when to
truncate SSNs. One consumer reporting agency we spoke to told us that it
truncates the SSN by masking the first five digits on reports it provides
directly to consumers, by displaying only the last four digits. Some
privacy experts said that certain entities that use SSNs as identifiers on
lists, such as universities, also truncate the number by masking the first
five digits. In addition, SSA also masks the first five digits of the SSN
on the Social Security Statements mailed to individuals over the age of 25
who have an SSN and have wages or earnings from self-employment.

On the basis of our discussions with government officials and industry
representatives, we could not identify any industry standards or
guidelines for truncating SSNs. None of the officials we spoke to knew for
certain why either method-masking the first five digits or the last four
digits-was used or how such methods came into use. In addition, when we
asked officials which way of truncating the SSN better protects it from
misuse, there was no consensus among them, and no one knew of any research
regarding this issue. Some officials said that although truncation could
provide some protection for SSNs, it is unlikely to be foolproof. There
are also few, if any, federal laws that require or regulate truncating the
SSN. Currently, FCRA has a specific provision relating to truncating SSNs.
Under this law consumers can request that their SSN be truncated to
display only the last four digits on any consumer report they request
about themselves. The Judicial Conference of the United States issued
rules, effective in December 2003, requiring that SSNs be truncated to
mask the first five digits in newly filed electronically available
bankruptcy court documents.

Federal agency officials whom we spoke to said that Congress or SSA should
decide how SSNs should be truncated. The Social Security Act of 1935
authorized SSA to establish a record-keeping system to help manage the
Social Security program and resulted in the creation of the SSN. Through a
process known as enumeration, unique numbers are created for every person
as a work and retirement benefit record for the Social Security program.
According to SSA officials, the law does not address the use of the number
by private and public sector entities. SSA officials said that SSA
regulates only the agency's use of SSNs and does not have legal authority
over SSNs used by others.

Applicability of Federal Privacy Laws to Internet Resellers Cannot Be Determined

Federal privacy laws that restrict the disclosure of personal information
could be applicable to Internet resellers, but there was insufficient
evidence on the resellers' Web sites we reviewed to determine if they met
specific statutory definitions. Federal privacy laws such as the FCRA,
GLBA, and DPPA apply primarily to entities that meet specific statutory
definitions. For example, FCRA applies primarily to a consumer reporting
agency, which is defined as any person which, for monetary fees, dues, or
on a cooperative nonprofit basis, regularly engages in whole or in part in
the practice of assembling or evaluating consumer credit information or
other information on consumers for the purpose of furnishing consumer
reports to third parties, and which uses any means or facility of
interstate commerce for the purpose of preparing or furnishing "consumer
reports."11 In addition, these laws allow for disclosure of personal
information for certain permissible purposes, and those who request or
receive information from an entity meeting those statutory definitions may
also have obligations under these laws. For example, FCRA generally
prohibits "consumer reporting agencies" from furnishing "consumer reports"
to third party users unless it is for a permissible purpose; before
providing "consumer report" information to prospective users, however, the
prospective user must certify the purposes for which the information is
sought and that it will be used for no other purpose.12 GLBA and DPPA also
contain prohibitions against re-disclosure of personal information covered
by those laws.13

FCRA, GLBA, and DPPA could apply to Internet resellers that identify
themselves as one of the statutorily defined entities covered under the
laws-which are consumer reporting agencies for FCRA, financial
institutions for GLBA, and state motor vehicle departments for DPPA-or
that received information from such entities. We found four resellers that
identified themselves as one of the statutorily defined entities. Three
stated on their Web sites that they were consumer reporting agencies and
the other stated it was a credit bureau. However, we did not find similar
information on the remaining 150 resellers' Web sites to determine what
type of entity they were. In addition, we found that some resellers
identified the source of their information generally, but did not link
information sources to particular pieces of information. For example,
about 7 percent of the resellers identified "Department of Motor Vehicle
records" as the source of some of their information and offered to search
for personal information based on a driver's license number, license plate
number, or vehicle identification number. However, most did not specify
which personal information came from the "Department of Motor Vehicle
records" or any state motor vehicle departments. Therefore, we could not
determine if FCRA, GLBA, and DPPA were applicable to the majority of
resellers we reviewed.

1115 U.S.C. S: 1681a(f). FCRA defines a "consumer report" as any written,
oral, or other communication of "any information by a consumer reporting
agency bearing on a consumer's credit worthiness, credit standing, credit
capacity, character, general reputation, personal characteristics, or mode
of living which is used or expected to be used or collected in whole or in
part for the purpose of serving as a factor in establishing the consumer's
eligibility for: (1) credit or insurance to be used primarily for
personal, family, or household purposes; (2) employment purposes; or (3)
any other purpose authorized under section 1681b of this title." 15 U.S.C.
S: 1681a(d).

1215 U.S.C. S: 1681e.

1315 U.S.C. S: 6802(c); 18 U.S.C. S: 2721(c).

Our review of the resellers' Web sites found 79 of them, about 50 percent,
referenced one or more federal privacy laws. As shown in figure 3, the
most frequently mentioned laws were FCRA, GLBA, and DPPA.

Figure 3: Frequency of Federal Privacy Laws Cited by Internet Resellers

We also found 5 out of the 154 Internet resellers referenced state laws on
their Web sites. Two stated adherence to the California Investigative
Consumer Reporting Act, which allows a consumer to review any files
concerning that consumer maintained by an "investigative reporting
agency." One cited two California consumer laws. One law allows California
consumers to remove their names from credit bureau mailing lists used for
unsolicited pre-approved credit offers for a minimum of 2 years. It also
provides identity theft victims and other consumers with increased rights
regarding consumer credit reports, including requiring the deletion of
inquiries resulting from identity theft. The other California law
prohibits consumer credit reporting agencies that furnish reports for
employment purposes from reporting information on the age, marital status,
race, color, or creed of any consumer and requires the user of the report
to provide written notice to the consumer. The law also requires that the
consumer be provided a free copy of the report upon request. Another
reseller cited a Florida statute that governs divulging investigative
information, and yet another reseller stated adherence to the Michigan
Private Detective License Act. Both state laws regulate the activities of
private investigators.

                                  Conclusions

Although personal information is widely available on the Internet to
anyone willing to pay a fee, SSNs appear to be difficult to obtain from
the Internet resellers we contacted. Few of the Internet resellers' Web
sites we reviewed offered to sell an individual's SSN outright, and even
those that did make such an offer did not follow through. Thus, the
perception that anyone willing to pay a fee can easily obtain someone's
SSN does not appear to be valid. Our experiences indicate that it is more
likely that a buyer would not be able to purchase an SSN or would receive
a truncated version of an SSN from Internet resellers.

However, our work does suggest that someone seeking an SSN may be able to
obtain a truncated SSN, and depending on the entity, the SSN may be
truncated in various ways. Standardizing the truncation of the SSN could
provide some protection from SSNs being misused. Under a standardized
approach, the same digits of the SSN would be the only information
transmitted, no matter the source from which the SSN is obtained. Given
SSA's role in assigning SSNs, SSA is in the best position to determine
whether and if truncation should be standardized, but because the agency
does not have specific authority to regulate truncation, SSN truncation
will continue to vary.

                     Matter for Congressional Consideration

Since there is no consistently practiced method for truncating SSNs, and
no federal agency has the authority to regulate how SSNs should be
truncated, Congress may wish to consider enacting standards for truncating
SSNs or delegating authority to SSA or some other governmental entity to
issue standards for truncating SSNs.

                       Agency Comments and Our Evaluation

We provided a draft of this report to the Social Security Administration
for comment and received a written response from the administration
(included as app. II). SSA agreed that standardizing the truncation of
SSNs would be beneficial and supported our recommendation for
congressional action. In addition, SSA stated that while it does not have
the legal authority to compel organizations to truncate SSNs or to specify
how such truncating should be done, it would be willing to publish
information on best practices for truncating SSNs on SSA's Web site. We
also provided a draft of this report to the Federal Trade Commission for
technical review and received comments that were incorporated as
appropriate.

We are sending copies of this report to the Chairman of the Federal Trade
Commission, the Commissioner of the Social Security Administration,
appropriate congressional committees, and other interested parties. In
addition, the report will be available at no charge on GAO's Web site at
http://www.gao.gov/ .

If you have any questions concerning this report, please contact me at
(202) 512-7215. Contact points for our offices of Congressional Relations
and Public Affairs may be found on the last page of this report. Other
contacts and acknowledgments are listed in appendix III.

Barbara D. Bovbjerg Director, Education, Workforce, and Income Security
Issues

Appendix I: Scope and Methodology Appendix I: Scope and Methodology

To describe readily identifiable Internet resellers, we created a list of
Internet reseller Web sites. To create a list of readily identifiable
Internet reseller Web sites, we used Internet search techniques and
keyword search terms that we thought the members of general public would
use if they were trying to obtain someone else's Social Security Number
(SSN). We conducted our searches using three major Internet search
engines-Google, Microsoft Network (MSN), and Yahoo. Within each of these
search engines we conducted our searches using keywords such as, "find
social security number," "find ssn," "purchase social security number,"
and "public records search." We chose these keywords based on the advice
of privacy experts and the team's judgment on terms that would yield Web
sites that sell personal information including the SSN. Our searches
resulted in 1,036 Web sites that we then reviewed to determine whether
they were live sites,1 redirected sites,2 or duplicate sites that were
operated by the same reseller. Nineteen percent of the 1,036 Web sites
took us to another Internet reseller Web site that was included in our
list. Most of these redirected sites took us to two Internet resellers
that offered online membership-allowing access to their databases and
affiliate programs, which allowed others to link their Web sites to the
resellers' Web sites. More than one-half of the 1,036 Web sites were
inactive at the time a GAO analyst attempted to access the site. In
addition, we found a few Web sites were operated by the same reseller and
were similar in appearance. As a result, we ended up with a list of 226
sites that we included in our review. We recognize that had we used
different search engines, different keywords, and a different point in
time we may have identified a different list of sites.

To describe the types of readily identifiable Internet resellers that have
SSN-related services and characteristics of their businesses, we developed
a Web-based data collection instrument (DCI) for GAO analysts to document
selected information contained on the Internet resellers' Web sites. We
used the DCI to record information from the Web pages that contained items
that addressed the types of SSN-related services and information that the
resellers sold, the sources of the information, and the types of clients
to whom the site marketed. To ensure that the entry of the DCI data
conformed to GAO's data quality standards, each DCI was reviewed by one of
the other GAO analysts. Tabulations of the DCI items were automatically
generated from the Web-based DCI software. Supplemental analyses were
conducted using a statistical software package. For these analyses, the
computer programs were checked by a second, independent analyst. Our
analyses found 154 Internet resellers with SSN-related services.

1A live site is a Web site that is currently in operation and offers
online services. The Web sites were live when GAO analyst reviewed the
uniform resource locator (URL) for the survey. Those Web sites considered
not live displayed an error message noting that the Web site was no longer
in operation.

2A redirected Web site is a site that acts as a portal to other Web sites.
Several reseller Web sites have links to other individual reseller sites.
For this survey, we reviewed the individual reseller sites and not the
portal sites.

To determine the extent to which Internet resellers sell Social Security
numbers, we analyzed data collected from the review of Internet resellers
just described, attempted to purchase SSNs from a nonprobability sample of
Internet resellers, and collected data about the transactions. We used
information collected from the DCI to derive a nonprobability sample of
Internet resellers to purchase SSNs. The criteria we used to select the
resellers for our attempted purchases included the following (1) the Web
site advertised the sale of an SSN without the customer's having to
provide the SSN of the subject of our inquiry, (2) the Web site advertised
the sale of an SSN to the general public, and (3) the transaction could be
made online through the Internet reseller's Web site using a credit card.
We collected information about the purchases including cost, the
information that was required about the search subject and the purchaser
(including the permissible purpose), whether the site contacted us to
verify our information or our permissible purpose, and whether the SSN was
provided and, if it was, whether the full or a truncated SSN was provided.
In addition, we interviewed staff from the Federal Trade Commission,
officials from the Social Security Administration, one of the three
national consumer reporting agencies, the Consumer Data Industry
Association (an international trade association that represents consumer
information companies), and five privacy experts to obtain their views
about the use of SSN truncation as a means for safeguarding the number. We
also reviewed prior GAO work and performed literature and Internet
searches about SSN truncation.

To determine the applicability of federal privacy laws to Internet
resellers, we reviewed federal laws and the resellers' Web sites for
information about the resellers' type of entity and sources of
information. However, in most instances these resellers did not have
sufficient information on their Web sites to determine if they were in
compliance with these laws. Specifically, we were unable to determine
whether most of these resellers met the definitions specified by these
laws such as "financial institution," "consumer reporting agency," or an
"officer, employee, or contractor" of a "State Motor Vehicle Department."
We also were unable to determine the resellers' specific sources for
particular pieces of information. Although Internet resellers generally
did not provide information about the entity and sources of information,
they generally cited, and we recorded, whether they stated adherence to
any federal privacy laws.

Appendix II: Comments from the Social Security Administration Appendix II:
Comments from the Social Security Administration

Appendix III: GAOA Appendix III: GAO Contact and Staff Acknowledgments

GAO Contact

Barbara D. Bovbjerg (202) 512-7215

Staff Acknowledgments

In addition to the contact above, Tamara Cross, Assistant Director,
Margaret Armen, Patrick Bernard, Richard Burkard, Ellen Chu, John Cooney,
Benjamin Federlein, Evan Gilman, Richard Harada, Joel Marus, Andrew
O'Connell, Stanley Stenersen, Jacquelyn Stewart, and Lacy Vong made
important contributions to this report.

(130470)

GAO's Mission

The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting its
constitutional responsibilities and to help improve the performance and
accountability of the federal government for the American people. GAO
examines the use of public funds; evaluates federal programs and policies;
and provides analyses, recommendations, and other assistance to help
Congress make informed oversight, policy, and funding decisions. GAO's
commitment to good government is reflected in its core values of
accountability, integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony

The fastest and easiest way to obtain copies of GAO documents at no cost
is through GAO's Web site ( www.gao.gov ). Each weekday, GAO posts newly
released reports, testimony, and correspondence on its Web site. To have
GAO e-mail you a list of newly posted products every afternoon, go to
www.gao.gov and select "Subscribe to Updates."

Order by Mail or Phone

The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent of
Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more
copies mailed to a single address are discounted 25 percent. Orders should
be sent to:

U.S. Government Accountability Office 441 G Street NW, Room LM Washington,
D.C. 20548

To order by Phone: Voice: (202) 512-6000 TDD: (202) 512-2537 Fax: (202)
512-6061

To Report Fraud, Waste, and Abuse in Federal Programs

Contact:

Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: [email protected]
Automated answering system: (800) 424-5454 or (202) 512-7470

Congressional Relations

Gloria Jarmon, Managing Director, [email protected] (202) 512-4400 U.S.
Government Accountability Office, 441 G Street NW, Room 7125 Washington,
D.C. 20548

Public Affairs

Paul Anderson, Managing Director, [email protected] (202) 512-4800 U.S.
Government Accountability Office, 441 G Street NW, Room 7149 Washington,
D.C. 20548

www.gao.gov/cgi-bin/getrpt? GAO-06-495 .

To view the full product, including the scope

and methodology, click on the link above.

For more information, contact Barbara D. Bovbjerg at (202) 512-7215 or
[email protected].

Highlights of GAO-06-495 , a report to congressional requesters

May 2006

SOCIAL SECURITY NUMBERS

Internet Resellers Provide Few Full SSNs, but Congress Should Consider
Enacting Standards for Truncating SSNs

We found 154 Internet information resellers with SSN-related services.
Most of these resellers offered a range of personal information, such as
dates of birth, drivers' license information, and telephone records. Many
offered this information in packages, such as background checks and
criminal checks. Most resellers also frequently identified individuals,
businesses, attorneys, and financial institutions as their typical
clients, and public or nonpublic sources, or both as their sources of
information.

In attempting to purchase SSNs from 21 of the 53 resellers advertising the
sale of such information, we received 1 full SSN, 4 truncated SSNs
displaying only the first five digits, and no SSNs from the remaining 16.
In one case, we also received additional unrequested personal information
including truncated SSNs of the search subject's neighbors. We also found
that some other entities truncate SSNs by displaying the last four digits.
According to experts we spoke to, there are few federal laws and no
specific industry standards on whether to display the first five or last
four digits of the SSN, and SSA officials told us the agency does not have
the authority to regulate how other public or private entities use SSNs,
including how they are truncated.

We could not determine if federal privacy laws were applicable to the
Internet resellers because such laws depend on the type of entity and the
source of information, and most of the resellers' Web sites did not
include this information. However, these laws could apply to resellers; 4
of the resellers we examined had Web sites identifying the type of entity
they were. About one-half of the resellers cited adherence to one or more
federal privacy laws and a few referenced state laws.

How the General Public Can Purchase Information from Internet Resellers

GAO previously reported on how large information resellers like consumer
reporting agencies obtain and use Social Security numbers (SSNs). Less is
known about information resellers that offer services to the general
public over the Internet. Because these resellers provide access to
personal information, SSNs could be obtained over the Internet. GAO was
asked to examine (1) the types of readily identifiable Internet resellers
that have SSN-related services and characteristics of their businesses,
(2) the extent to which these resellers sell SSNs, and (3) the
applicability of federal privacy laws to Internet resellers.

What GAO Recommends

Since there is no consistently practiced method for truncating SSNs and no
federal agency has the authority to regulate how SSNs could be truncated,
Congress may wish to consider enacting standards for truncating SSNs or
delegating authority to the Social Security Administration (SSA) or some
other governmental entity to issue standards for truncating SSNs. In
commenting on a draft of this report, SSA agreed that standardizing the
truncation of SSNs would be beneficial and supported our recommendation
for congressional action.
*** End of document. ***