Your Number's Up

IT HAS BECOME our modern-day dog-tag: Name/Address/Social Security number.

Everyone wants to know that number, from the tax collector to the doctor to the day-care center. You need to provide it to get electrical service, to rent a video, even to get married. It is requested on every type of form imaginable.

When a business asks for it, it's just intrusive. When a government agency requests it, it's usually illegal. When, as happened recently, a man posing as an IRS agent telephones and asked for the number, it's fraud.

Despite that, being the obedient sheep we are, we almost always acquiesce and provide the information without a fuss. We do so even though the use of the Social Security number as a universal identifier of personal, financial and social history is growing at an alarming rate. With all this information floating around in cyberspace, it just takes a few clicks of a mouse for someone's entire life story to be displayed on a computer screen.

Robert Ellis Smith, publisher of the monthly Privacy Journal, says the widespread use of the Social Security number for identification purposes is "demeaning to American citizens. It removes our freedoms and puts too much authority in the hands of police and others." That happens even though on the front of the Social Security card it plainly states, "For Social Security and Tax Purposes -- Not for Identification."

This trend toward a national I.D. certainly wasn't the intent of Congress a generation ago when they adopted the Privacy Act of 1974. On the heels of widespread Vietnam-era F.B.I. surveillance of U.S. citizens, the Watergate break-in, and Nixon's resignation, the need for legislation to protect Americans from snooping by their own government was obvious.

Congress, however, failed to outlaw the use of the SSN as a personal identifier. Pressured by big government and big business, they simply enacted simple rules for when and how the number could be requested by governments, excluding the private sector completely. This, despite the fact that the Senate committee which considered the Privacy Act concluded that "a common numerical identifier or symbol to designate and index each person is an essential feature of a national databank, or indeed, of any information system which allows creation of an instant dossier."

Citing the potential harm this could cause, the Privacy Act at least prevented all levels of government from denying benefits to anyone just because they refused to disclose their Social Security number unless it was federally mandated. The law also required that an individual being asked by a government to provide their SSN must be told:

· whether the disclosure was voluntary or mandatory;

· what authority the government had for asking for the number; and

· the use which would be made of it.

While a person's SSN could be requested, at least they could refuse, a small but meaningful victory for preserving personal privacy. It would be an informed public, not the government, deciding when SSN's would be provided.

In the more than 25 years since the passage of the Privacy Act, however, government requests for Social Security numbers have exploded. Meanwhile, in Pima County and across this entire law-abiding state, governments have never followed the requirements of the Privacy Act.

"The use of the Social Security number (as a universal identifier) is arguably one of the greatest and most insidious threats to freedom that we face in this country today," says Willy Bils, a consumer advocate with a law degree. "With one number, databanks can be mined to develop dossiers on individuals which will affect freedom of speech, privacy and assembly."

About three years ago, Bils launched a personal crusade to force governments to obey the provisions of the Privacy Act. "When a government doesn't want to follow the law, no one has to," Bils complains. "This is an example of governments telling us they make the laws, but that they'll only enforce those they like."

One of Bils' first targets was the Tucson Police Department, whose officers would ask traffic violators for their Social Security numbers, without disclosing the often voluntary nature of the request. After his persistent lobbying, former TPD Assistant Chief Danny Sharp issued an information directive to its officers advising them to continue requesting Social Security numbers for traffic infractions under state law. Believing TPD is still not in compliance with the Privacy Act, Bils sued the City of Tucson in federal court, but the case was dismissed on technical grounds that didn't address the merits of his case. He has appealed the decision.


THAT WAS JUST the start for Bils, who soon discovered numerous city forms that requested Social Security numbers without following the guidelines established by the Privacy Act. His complaints led to an internal review which found that almost 90 percent of 140 City forms were not in compliance. Bils' drive led the City Council last September to direct that city agencies come into conformity with the Privacy Act, 25 years after it was adopted.

Over the past several months, the city has been looking at every form on which it requests an SSN. City Procurement Director Wayne Casper says the review has resulted in a few forms having the request removed entirely and eight or nine others having a Privacy Act disclosure statement added. Lisa D'Oca, who is heading up the effort in the Tucson Police Department's Legal Advisor's Office, acknowledged that the process has been slow, but says the review won't go on indefinitely. "The sooner this project is finished, the better," she explains. "I don't want to drag this out into a year-long project."

One city document which has yet to be corrected: a "Request for Court Records" form which doesn't ask for the SSN of the person filling it out; rather, it requests the number of the person about whom information is being sought.

As a temporary measure, City Court officials have put up signs stating "Disclosure of Social Security Number is Optional." But that's not enough for Bils, who gripes that "people don't read walls." He's pressing for city officials to use an inexpensive rubber stamp to add the necessary disclosure statement to the form until they're reprinted.

Even though Bils wrote both Pima County Attorney Barbara LaWall and Superior Court Presiding Judge Gordon Alley some time ago about the provisions of the Privacy Act, it was a newspaper story which finally spurred Pima County into action. Having seen what city officials were doing, county administrators decided to take similar steps.

Pima County's Human Resources Department has collected over 150 forms on which Social Security numbers are requested. Each county department will now have to explain why it requests the number and what it does with it. Eventually, administrators will make a legal determination regarding which forms need to be revised to comply with the Privacy Act. County officials optimistically hope to have the needed revisions made within six months.

Early last year, Bils also contacted Arizona Attorney General Janet Napolitano about the Privacy Act. The state's Department of Administration subsequently produced a lengthy memorandum on the issue in November. Director J. Elliot Hibbs stated that he had "initiated a review of all the Arizona Department of Administration's requests and uses of Social Security numbers" and urged other state agencies to do the same. Hibbs' own department is trying to complete their evaluation by April 1.

According to administration spokeswoman Victoria Clark, however, her agency doesn't have the power to force compliance with the Privacy Act by other departments of state government. "Everyone should do it," Clark says, but adds that each agency is on its own.

It is partially because of this "What-We Worry?" attitude by governments toward obeying the law that led many political conservatives to conclude that legislation was the only way to end the abuse of the Social Security number. Last year, Congressman Ron Paul of Texas introduced H.R. 220 to address the problem. If eventually enacted, the law would radically change how SSN's are used.

The bill is intended "to protect the integrity and confidentiality of Social Security account numbers" while prohibiting "the establishment in the Federal Government of any uniform national identifying number." It would do this by limiting the SSN to tax and Social Security purposes only. No other government use of the number would be allowed. In fact, governments couldn't even ask for the number except for these two purposes.

Both of Tucson's congressmen support the idea of limiting the widespread dissemination of Social Security numbers. While not endorsing H.R. 220, Ed Pastor says he opposes the use of SSN's as a universal identifier, believing a person's privacy needs to be protected.

Congressman Jim Kolbe goes further. He supports Paul's bill because he believes "there is a danger from big government. When the government has that much information, it is just dangerous," Kolbe warns. "The use of the Social Security number as an identifier is something all of us should be concerned about."

While H.R. 220 would represent a dramatic change in the way governments do business, a spokesman for Paul holds out hope it will eventually pass. "Maybe not in this Congress," Norman Singleton said, "but eventually. There is a lot of grassroots public support for it."


BUT EVEN IF the bill does become law, it doesn't address the enormous part of the privacy protection equation represented by the use of Social Security numbers by the business community. Nothing prevents any company or corporation from asking, or even demanding, that a customer provide their SSN to receive service.

Kolbe acknowledges this shortcoming of Paul's bill, but says, "Let's start with the government before extending it. That is a lot more complicated issue."

It was thought to be more complicated all the way back in 1974. When Congress was considering passage of the Privacy Act, "Numerous private business(es), banks and industries uniformly opposed" limiting the use of the Social Security number. With the ever-growing influence that big business has on Congress, it would be surprising indeed if the private sector was ever prohibited from using SSNs.

Just a few years ago, Congress itself created a huge loophole in any attempt to substantially curtail the use of Social Security numbers as identifiers. Instead, it took a giant step toward the implementation of a national information bank when it passed the "Personal Responsibility and Work Opportunity Reconciliation Act of 1996." That welfare reform law led to a nationwide computer system which contains "the names, addresses, Social Security numbers and wages of nearly every working adult in the United States," along with information about their financial accounts and their various governmental license applications.

Intended to catch deadbeat dads who don't make child support payments, this computer system has been called the "Holy Grail of data collection" by Robert Gellman, an attorney and privacy specialist who was interviewed by the Washington Post last year. It is very close to being a central point for information on almost every American.

This and other moves by the federal government have led some commentators to proclaim it is too late; we must simply learn to live with the Social Security number as a national identifier. Washington State privacy advocate Gary Gardner recently told the Spokan Spokesman/Review that the SSN "has become an I.D. number. That horse is out of the barn." A columnist in the British newsweekly The Economist wrote last year that "attempts to protect privacy through new laws will fail -- as they have done in the past...People will have to start assuming they simply have no privacy. This will constitute one of the greatest social changes of modern times."

Proponents of limiting the use of Social Security numbers continue to fight the tide. Hawaii has outlawed its use on driver's licenses and state identification cards. The University of Wisconsin has done away with using the number for student I.D.

Here in Tucson, Bils is continuing his efforts, despite what he describes as repeated acts of bureaucratic retaliation against him because of his passionate involvement with the issue. He's turning his attention to the collection of Social Security numbers by social service and other agencies which contract for government funds.

Bils is also trying to get governments to purge the numbers they have illegally collected in the past while urging people to no longer supply their SSN's unless absolutely necessary. "Everyone should be refusing to provide these numbers unless federally required to do so," Bils advises.

"Often people chicken out before pressuring governments or businesses not to use their Social Security number as an identifier," says the Privacy Journal's Smith. "But the grassroots effort to end the practice is growing."


Cat Tracked

BY FAR THE largest flap related to Social Security numbers in recent Tucson history was the University of Arizona's CatCard fiasco. Two years ago, university officials released the numbers of 40,000-plus students, faculty and staff members to CyberMark, a company contracted to develop the all-purpose credit card. In turn, the numbers were given to both MCI Telecommunications and Saguaro Credit Union.

When word of the disclosure leaked, an uproar swept the campus. The reaction grew even more intense when university officials admitted that they knew releasing the numbers to MCI and Saguaro was illegal under the federal Family Educational Rights and Privacy Act (FERPA), but they did it anyway.

University President Peter Likins defused the situation when he admitted the university broke the law. Likins begged forgiveness and promised it would never happen again. He claimed MCI and Saguaro had returned the numbers without copying them, telling people they had to "trust" him on that one. Likins also appointed a university information security officer and named a special committee to review and report on campus information security issues.

Despite those steps, a university student filed a complaint with the U.S. Department of Education concerning the violation of FERPA. The complaint claimed, in part, that the university violated his rights "when it disclosed information from his education records, including his name, Social Security number, and other information, to Cybermark, MCI, and Saguaro Credit Union."

After the complaint was filed, U.S. Department of Education spokesman Jim Bradshaw said a finding on it "should be made in a few months." If the university were found to have violated FERPA, presumably a given since officials have admitted doing so, the federal government would likely do little more than slap the university on the wrist by working with campus administrators to bring it into compliance with the law.

More than a year after Bradshaw said a final determination would be made within a few months, the Department of Education is still working on the complaint. Skeptics contend the delay is due to the statute of limitations running out in March on a potentially massive lawsuit against the UA. Blaming a "backlog of other cases" for the long delay, Bradshaw initially indicated a decision could be reached by last week, but now will not commit to any date.

The federal government, the UA and Congressman Jim Kolbe's office are all criticized by some on campus for their lack of follow-through in this case. Terrence Bressi, an engineer in the Lunar and Planetary Lab during the CatCard flare-up, believes the university has "done as little as possible since the CatCard problems occurred." He says people must still explicitly ask for their Social Security number not to be used on the card in order to keep it off.

As for the federal government, Bressi tried to file his own complaint with the U.S. Department of Education. They refused it, saying he wasn't a student, but he believes the law covered him anyway. Bressi also says that Kolbe's office was of no help in pressing his case. "As soon as the issue was out of the limelight, Kolbe turned my complaint over to an aide who did nothing," he says. "It was an eye-opening experience for me."

But some positives did come out of the CatCard goof. Partially because of it, the Arizona Legislature last year passed a law which requires state universities to assign identification numbers different from SSNs by 2002.

Likins' Information Security Advisory Council also recently issued a report which contained a recommendation to "discontinue the use of the Social Security Number as a primary common identifier for both students and employees...as soon as practical."


Code of Fair Information Practices

THE CODE OF Fair Information Practices is based on five principles:

· There must be no personal data record-keeping systems whose very existence is secret.

· There must be a way for a person to find out what information about the person is in a record and how it is used.

· There must be a way for a person to prevent information about the person that was obtained for one purpose from being used or made available for other purposes without the person's consent.

· There must be a way for a person to correct or amend a record of identifiable information about the person.

· Any organization creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take precautions to prevent misuses of the data.

Source: Department of Health, Education, and Welfare, 1973.