Kiss your old SSN goodbye
By Declan McCullagh
Some good might actually come out of all of these recent data mishaps.
Politicians are starting to realize that permitting data brokers like Acxiom and ChoicePoint to buy and sell your Social Security number like a raffle ticket may not be that wise after all.
Some members of Congress, like Rep. Ron Paul, R-Texas, have been warning about the dangers of SSN misuse for years. The surprise now is that some key congressional figures are agreeing.
Rep. Joe Barton, another Texas Republican who happens to chair the House Energy and Commerce Committee, said last week that he plans to "outlaw the use of Social Security numbers for any purposes other than government purposes."
Purloining someone's SSN can permit a criminal to empty the bank accounts and run up the credit cards of the hapless victim. The politics go something like this: Some type of legislation is likely to be enacted this year in response to the string of security snafus involving companies like ChoicePoint, Bank of America, payroll provider PayMaxx, and Reed Elsevier Group's LexisNexis service.
The big question is what the details of that law will look like. Barton, a conservative but idiosyncratic Republican who represents the Dallas-Fort Worth Metroplex, could have the final say in that process.
"The time has come to tip the balance in favor of individual privacy and find another way to help businesses determine the identity of the people they want to give credit to," Barton said at last week's hearing.
This would represent a new campaign for Barton, first elected to the House in 1984, whose other top causes have been an unsuccessful attempt to preserve the Superconductor Supercollider that was to have been built in Waxahachie, Texas, and enacting a balanced budget amendment. He's also known for being sympathetic to oil and gas companies and for holding hearings that investigated the fund-raising and travel practices of the Clinton administration.
The history of the SSN is the history of a government program run amok, creating what has become a national ID number.
In 1935, Congress enacted the Social Security Act, which authorized only the creation of some record-keeping scheme and not the SSN itself. But the Treasury Department decided SSNs were the best way to create those records, and things have gone downhill ever since.
By executive order, President Franklin Delano Roosevelt required all federal agencies to use the SSN "exclusively" to identify individuals, and the IRS began to employ it as a tax ID number in the early 1960s. Later that decade, divulging your SSN became necessary to buy Treasury bonds, obtain Medicare benefits, and join the military. The Social Security Amendments of 1972 slapped SSNs on school children and foreign workers with visas, and a 1983 law required banks to obtain SSNs for savings accounts.
Nowadays, the SSN has mercilessly extruded its way into the private sector. Many corporations and universities use the SSN as a unique identifier, as does everyone from physicians to insurance companies to mutual funds.
That's why the SSN has become so valuable for identity thieves. Even though the SSN was never intended as a password--it lacks an important feature of a password, which is an ability to change it--companies and government agencies routinely use it that way. Purloining someone's SSN can permit a criminal to empty the bank accounts and run up the credit cards of the hapless victim.
Support for some type of SSN reform this year seems to be growing in a thoroughly bipartisan way. It's true that Barton's proposal, if enacted into law, would inconvenience companies that have inadvisably come to rely on SSNs to identify records in a database. But it's possible for them to generate random, custom IDs for the identification purposes. Quite a few universities and corporations already do.
Support for some type of SSN reform this year seems to be growing in a thoroughly bipartisan way. There's the Social Security Number Privacy and Identity Theft Prevention Act, the Social Security Number Misuse Prevention Act, the Social Security Number Protection Act, Social Security On-line Privacy Protection Act for starters, and that's not even counting what Barton plans to do.
One way to accomplish his goal would be to eliminate the public SSN in nearly all cases. The Social Security Administration would still generate the numbers and use them internally--but generally would not release them even to the person associated with each SSN.
Here's how it could work: The only legitimate use for an SSN is to match an individual with his or her supposed "retirement account." As long as the Social Security Administration can find a match and allocate payroll taxes accurately based on information like name, birth date, address, birth location and employment history, there's no need for someone to know what their SSN actually is.
A more radical reform would be to permit younger Americans to opt out of the Social Security system entirely. Perhaps they'd still be required to fork over half of their current payroll taxes to fund today's retirees, but the rest would be returned to them to invest freely. No SSN would be attached and no long-term tracking would be necessary.
That would take more flexible thinking, true, and it would certainly outrage defenders of the status quo. But today's SSN system is so diseased that radical therapy may be the only cure.
Declan McCullagh is CNET News.com's Washington, D.C., correspondent. He chronicles the busy intersection between technology and politics. Before that, he worked for several years as Washington bureau chief for Wired News. He has also worked as a reporter for The Netly News, Time magazine and HotWired.