Social Security Numbers: Subcommittee Questions Concerning the Use of the
Number for Purposes Not Related to Social Security (Correspondence,
07/07/2000, GAO/HEHS/AIMD-00-253R).

Pursuant to a congressional request, GAO provided information on the
usage of the social security number (SSN) for purposes not related to
social security and the implication of restricting such usage, focusing
on: (1) whether the SSN should become a national identifier; (2) whther
it is feasible to enact, administer, and enforce a law that restricts
the use of SSNs; (3) how have SSN proof requirements changed over time;
(4) does the public benefit from the widespread use of SSNs and the
sharing of personal information; (5) whether a private business can
decline to provide service to someone who refused to disclose his or her
SSN; (6) what are the possible effects on businesses of restricting
their use of SSNs; (7) how has the high-tech economy affected SSN use;
(8) why information brokers need people's SSNs; and (9) whether another
identifier would take its place should the use of SSNs be restricted by
federal law.

GAO noted that: (1) the SSN has become a "de facto" identifier used by
federal and state governments; (2) widespread use of the SSN beyond its
original purpose has raised privacy concerns; (3) while privacy concerns
should not be discounted, it is important to note that the use of SSNs
to link individuals to information about them enhances the
administration of federal and state programs, makes credit more
accessible to consumers, and allows medical care to be integrated across
providers and insurers: (4) whether a law regulating the overall use of
SSNs is needed depends on a number of factor's including:  the extent to
which such a law could effectively curb identity theft and address
privacy concerns; (b) how additional restrictions on the use of SSNs
might hamper government and businesses' ability to conduct routine
business; and (c) the feasibility of administering and enforcing such a
law would depend on how restrictive it was and its scope--whether it was
intended to change existing practices or limit uses of the SSN beyond
those currently practiced; (5) the Social Security Administration
collects only certain information about applicants for SSNs, and the
documentation required as proof of this information has changed over
time; (6) no federal law imposes broad restrictions on businesses' use
of SSNs; (7) consequently, businesses that request SSNs as a condition
for receiving services may deny such services to individuals who refuse;
(8) limits on the use of SSNs could make it harder for health care
service providers to track patients' medical histories, make it less
easy for employers to do background checks, and lessen the certainty
with which credit information could be matched to specific individuals;
(9) in 1997, 13 of the self-identified leaders in the information
brokerage industry agreed to limit their disclosure of the SSNs they
obtain from nonpublic sources to those customers who have legitimate
uses for this information, such as law enforcement officials; (10) GAO's
work to date has not included assessing the uses of SSNs within the
high-tech economy or the effects of their restricted usage on
electronic-Commerce; (11) information brokers buy personal information,
amass it in databases, and then resell it to clients; (12) however, some
of the information they buy is already available to the public; and (13)
if the SSN were not available for identity concerns, some other
mechanism for doing the same would eventually take its place.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  HEHS/AIMD-00-253R
     TITLE:  Social Security Numbers: Subcommittee Questions Concerning
	     the Use of the Number for Purposes Not Related to
	     Social Security
      DATE:  07/07/2000
   SUBJECT:  Social security number
	     Social security benefits
	     Confidential communication
	     Right of privacy
	     Federal aid programs
	     Computer matching
IDENTIFIER:  Social Security Program
	     Internet

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Testimony.                                               **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************

GAO/HEHS/AIMD-00-253R

GAO/ HEHS/ AIMD- 00- 253R SSN Use Questions

United States General Accounting Office Washington, DC 20548

Health, Education, and Human Services Division

B- 285802 July 7, 2000 The Honorable E. Clay Shaw, Jr. Chairman,
Subcommittee on Social Security Committee on Ways and Means House of
Representatives

Subject: Social Security Numbers: Subcommittee Questions Concerning the Use
of the Number for Purposes Not Related to Social Security

Dear Mr. Chairman: This letter responds to your request that we provide
answers to questions relating to our May 9, 2000 testimony. 1 In that
testimony we discussed the usage of the Social Security number (SSN) for
purposes not related to social security and the implication of restricting
such usage. Your questions, along with our responses, follow.

1. The term “national identifier” has a very bad connotation to
many people. In your opinion, has the Social Security number become a
national identifier?

The SSN is widely used by governments and businesses to maintain and
exchange information. The Office of the Inspector General of the Social
Security Administration (SSA) has noted that, over time, the SSN has become
a “de facto” identifier used by federal and state governments.
Banks, credit bureaus, insurance companies, and health care providers also
use the SSN for identification purposes. This widespread use of the SSN
beyond its original purpose has raised privacy concerns. While privacy
concerns should not be discounted, it is important to note that the use of
SSNs to link individuals to information about them enhances the
administration of federal and state programs, makes credit more accessible
to consumers, and allows medical care to be integrated across providers and
insurers.

1 Social Security: Use of the Social Security Number is Widespread( GAO/ T-
HEHS- 00- 111, May 9, 2000).

B- 285802 2 GAO/ HEHS/ AIMD- 00- 253R SSN Use Questions 2. In your
testimony, you indicated that there is no federal law that regulates the
overall use of SSNs. In your view, is such a law needed? Is it feasible to
enact,

administer, and enforce such a law? Whether a law regulating the overall use
of SSNs is needed depends on a number of factors. The first of these is the
extent to which such a law could effectively curb identity theft and address
privacy concerns. Secondly, these potential benefits would have to be
weighed against how additional restrictions on the use of SSNs might hamper
government and businesses' ability to conduct routine business. The
feasibility of administering and enforcing such a law would depend on how
restrictive it was and its scope- whether it was intended to change existing
practices or limit uses of the SSN beyond those currently practiced. In
addition, it would be necessary to decide what agency or agencies would be
responsible for administration and enforcement and the resources those
agencies would have to carry out those duties.

3. As you pointed out in your testimony, the Social Security number was
created as a means of tracking workers' earnings and eligibility for Social
Security benefits. It was never intended to serve as a personal
identification document. Only certain information is maintained by SSA as a
part of its Social Security number database.

What information is available? What proof is required to obtain a Social
Security number? How have the proof requirements changed over time?

SSA collects only certain information about applicants for SSNs, and the
documentation required as proof of this information has changed over time.
Originally, SSA assigned an SSN to applicants based solely on individuals'
unverified statements regarding age, identity, and place of birth. However,
since 1978, applicants for new SSNs must provide proof of age, identity, and
U. S. citizenship or proof that they are lawfully residing in the U. S. In
addition, applicants must provide other information such as their place of
birth, mother's maiden name, and father's name. Those applicants who are not
U. S. citizens must also provide Immigration and Naturalization Service
documentation showing whether they are allowed to work or provide a valid
non- work reason for needing an SSN.

4. Despite public concerns about sharing personal information in today's
electronic world, does the public benefit from the widespread use of SSNs
and the sharing of personal information? Can you provide some examples?

When consumers want to be uniquely identified, particularly in the health
care and consumer credit service industries, the use of SSNs to share
personal information accomplishes this purpose with one uniform number.
Using SSNs to link individuals to their medical records allows doctors,
hospitals, and HMO's to coordinate a person's health care among health
providers and with insurers. Similarly, because up- to- date consumer
payment histories linked to SSNs are available through national credit
bureaus, the use of SSNs helps individuals instantly demonstrate their
credit worthiness anywhere in the country when requesting credit.

B- 285802 3 GAO/ HEHS/ AIMD- 00- 253R SSN Use Questions 5. If someone
refused to disclose his or her SSN to a private business, can the business,
by law, decline to provide the service? For example, if someone refuses

to provide his or her SSN on a loan application, can the bank deny the loan?
No federal law imposes broad restrictions on businesses' use of SSNs;
consequently, businesses that request SSNs as a condition for receiving
services may deny such services to individuals who refuse. However,
practices vary by industry. Health care providers generally request
patients' SSNs, but we were told that they do not require them as a
condition for treatment. In contrast, most credit card companies request
clients' SSNs as a condition for extending credit and may refuse service to
those who do not comply. States vary in whether they require an SSN as part
of the application for non- commercial driver licenses. Some require it for
inclusion in a database, some do not, and in some states it is optional.

6. What are the possible effects on businesses of restricting their use of
SSNs? Federal restrictions on using SSNs could hamper businesses' ability to
conduct routine internal activities and their ability to exchange data.
Correctly matching a specific individual to a corresponding record of
information is an important concern for health care providers, information
brokers, and credit agencies. Limits on the use of SSNs could make it harder
for health care service providers to track patients' medical histories, make
it less easy for employers to do background checks, and lessen the certainty
with which credit information could be matched to specific individuals.

7. You mentioned in your testimony that many businesses and agencies are
voluntarily restricting the use of SSNs to help protect their customers'
privacy and reduce SSN misuse. Can you please elaborate on some of these
self- regulatory policies?

In 1997, 13 of the self- identified leaders in the information brokerage
industry agreed to limit their disclosure of the SSNs they obtain from
nonpublic sources to those customers who have legitimate uses for this
information, such as law enforcement officials. In addition, they agreed to
annual compliance reviews by an independent contractor. The Federal Trade
Commission can cite them for unfair and deceptive business practices if they
do not do as they have agreed. While recent reports indicate that the
companies have generally complied with the agreement to limit their sale of
SSNs that they obtain from nonpublic sources, it should be noted that the
SSNs contained in the records they acquire are more likely to come from
public sources, according to an information broker.

Some states have taken steps to protect individuals' privacy by changing
whether they display SSNs on driver licenses. For example, according to
driver license officials in Georgia and Massachusetts, these states no
longer automatically use SSNs as driver license numbers. They give drivers
the option of using a state generated license number, instead of their SSN.
Similarly, driver license officials in Ohio told us that the state
previously printed SSNs along with state- assigned numbers on driver
licenses, but now allows drivers the option of not having SSNs printed on
their licenses. According to an

B- 285802 4 GAO/ HEHS/ AIMD- 00- 253R SSN Use Questions American Association
of Motor Vehicle Administrators official, only Hawaii still requires

that SSNs be used as a driver's license number, but the state plans to
discontinue this requirement next year.

8. One area not discussed in your written testimony is e- commerce. How has
the high- tech economy affected SSN use? In general, can people conduct
business on the Internet without providing their SSNs? How would restricting
the use of SSNs affect e- commerce?

Our work to date has not included assessing the uses of SSNs within the
high- tech economy or the effects of their restricted usage on e- commerce.
However, in visits to two of the existing e- commerce sites, we found that
certain consumer purchases can currently be made via the Internet without
requiring the use of an SSN. Instead, these sites typically required new and
repeat customers to register for on- line services by providing an
identifier such as the user's name, and by selecting a password.
Additionally, they require a credit card number to cover purchases of goods
or services. Certain other e- commerce sites that we observed, however, such
as those that sell securities or insurance policies, did require SSNs for
tax or identification purposes.

9. You indicated that “information brokers” collect SSNs for the
sole purpose of selling them. What exactly is an information broker? How are
consumers served by this industry? What is the downside of limiting their
activities? Why do information brokers need people's SSNs?

Information brokers buy personal information, amass it in databases, and
then resell it to clients. Brokers buy some of this information from private
sources. However, some of the information they buy is already available to
the public. Brokers offer customers convenient one- stop shopping for
information that might otherwise by widely dispersed. For example, an
employer can obtain information about a person's driving history and
criminal history from an information broker, rather than attempt to locate
and access public records containing the same information. Information
brokers serve a variety of clients- a lawyer may request information needed
for a civil proceeding; a pension plan administrator may request information
to locate pension beneficiaries; or an individual may ask for information to
help locate a birth parent. Information brokers may use SSNs to search
databases. Limiting information brokers' use of SSNs might make it more
difficult for them to conduct searches that produce records unique to a
given individual.

10. According to your testimony, the Social Security Act declares that SSNs
obtained by authorized individuals after October 1, 1990 are confidential
and cannot be disclosed. If the Social Security Act prohibits the disclosure
of SSNs why is their

use so widespread and why are businesses allowed to ask for the SSN? The
Social Security Act provision to which you refer, section 205( c), protects
against unauthorized disclosure of SSNs, but does not restrict the many
legally authorized uses

B- 285802 5 GAO/ HEHS/ AIMD- 00- 253R SSN Use Questions of the SSN.
Businesses are allowed to ask for and use SSNs because section 205( c)

generally only applies to governmental use of SSNs. Section 205( c)
generally does not apply to business transactions. It prohibits disclosure
by "authorized persons," and it defines that term in part to mean those who
gain access to SSNs "pursuant to any provision of law....” Someone who
comes into possession of an SSN as part of a business relationship- for
example, the bank that requires it as part of a credit card application- has
not gained access to it pursuant to a provision of law, and is therefore not
subject to the section 205( c) restriction on disclosure.

11. If the use of the SSN were restricted by federal law, is it likely that
another personal identifier would take its place?

Although privacy concerns should not be discounted, exchanges of
computerized data are important to the functioning of governments and
businesses, and these exchanges can benefit the public. Given the large
amount of such data available, in general, accuracy in linking the correct
individual with information about him or her is desirable in the
administration of some programs and in cases where people want to be
uniquely identified. The SSN provides a convenient and effective method for
doing this. If the SSN were not available for this purpose, in all
likelihood, some other mechanism for doing the same would eventually take
its place.

---- We

are sending copies of this letter to other interested parties. If you have
any questions on matters discussed in this letter, please contact Kay Brown
or me on 512- 7215. Key contributors to this assignment were Jacquelyn
Stewart, Patrick di Battista, Valerie Melvin and Roger Thomas.

Sincerely, Barbara Bovbjerg, Associate Director, Education,

Workforce, and Income Security Issues (207101)
*** End of document. ***