SSNs and the identity theft of children

The Social Security Administration has called for comments on their proposed rule changes as they relate to issuance and re-issuance of social security numbers to children.  I’ve previously written on SSN numbers but this gives me an opportunity to present my solution directly to the SSA.  I have no doubt they will not implement either of the solutions I’m proposing (too radical) but if it gets a bug in someone’s ear the tides may eventually change.  Below is my commentary. You still have until April 12th to submit your comments. I’d appreciate any feedback and I’ll wait in case any constructive criticism allows me to refine my commentary to the agency.

Background

 

As stated in the request for comments, the Social Security Administration began issuing social security numbers as a means of tracking persons within the administration of the social security program. Due to the widespread use of this identifier, it quickly became the de facto identifier when interacting with federal agencies and spread also to state agencies.  Due to its increased use by government agencies, in 1972 Congress passed the Privacy Act which, in part, restrict the collection  of social security numbers by government bodies to those that had specifically been authorized by law.

Because of the use of  social security numbers for tax purposes by the Internal Revenue Service and the necessity of filing tax forms with a employee’s social security numbers, they became natural near-unique identifiers for employers to track their employees.

For similar reasons, the financial industry, with similar reporting requirements, found that the near ubiquity of social security numbers within the US adult population made it also useful near-unique identifier for tracking customers, in addition to employees, in their information systems. With the inapplicability of the Privacy Act to private parties, businesses and other persons (such as landlords) routinely ask for social security numbers for a variety of purposes and uses. Most often the only restrictions on social security numbers concerns installing reasonable security against unauthorized disclosure.

As the use of social security numbers for tracking purposes continued to gain traction, it became routine for people to apply for social security numbers for minor children, sometimes even at birth, despite the fact that they would not interact with the social security administration for many years or would not engage in reportable financial transactions.

 

The purported problems

 

The Social Security Administration has recognized a problem exists when a minor receives a social security number and that social security number is used by someone who is not intended to be identified by that number. There are three classes of problems related to this type of situation.  The first is that the issued social security number is used by a person for employment purposes which erroneously places that number into service within the Social Security Administration’s information system for purposes of calculating payments and benefits. The second is the use of that number as an identifier when interacting with other government agencies and adversely affecting the intended recipient of the social security number (such as by associating them with criminal activity or depleting benefits due to them) . Finally, the third class of problem is when that number is fraudulently given to a private party and said use adversely affects the intended recipient of the social security number (such as a negative credit history).

 

The real problems

 

The real problems stem not from the adverse affects that misuse of the social security number have on certain minors but the extent to which our society has been allowed to misuse social security numbers for purposes for which they are not intended nor useful. Specifically,

 

Social security numbers are not inextricably tied to a unique individual

 

Though ostentatiously used to identify a unique person, nothing ties the actual person to the number and as the past 20 years of increasing identity theft has shown, many people may be linked (some legitimately but most illegitimately) to many social security numbers.  A name, with which we choose to identify ourselves (Robert, Rob, Bob, Bobby, etc) is closer in characteristics to an identifying number (123456789) than to a unique biometric trait which cannot be shared with others.

Before any solution can be consider, the lack of one to one correspondence must be accepted. Attempting to perpetuate the myth that social security numbers identify unique individuals only leaves us open to further problems.

 

Semi-private social security numbers are misused as an authentication token

 

Current law attempts to keep social security number only in the hands of the recipients and those parties with a need to know. However, the ubiquitous use of social security numbers means that those persons with access to them is exceedingly large. The problem is exacerbated in the case of minors, who may not themselves know their social security number, but their parents, siblings and other family members do.  The idea that they are semi-private has led businesses to accept an individual’s knowledge of a social security number as proof that they are the individual.  In security parlance, it has become an authentication token in addition to a identifier. However, as clear from recent history, the widespread availability of social security number means they should be treated as semi-public rather than semi-private.  While knowledge may to an extent infer one’s identity (similar to knowledge of semi-private facts like one’s mother’s maiden name), it can not be a wholesale authentication token.

 

 

 

The solutions

 

Make social security numbers public

 

All social security numbers should be publically published along with the name of the recipient. This would solve the problem of social security numbers inappropriately relied on as an authentication token. While the concern may be raised that governments and industry currently rely on the semi-private nature of social security numbers to authenticate the individuals they interact with, the explosion of identify theft and use of social security numbers to fraudulently access information, shows that government and industries reliance on social security numbers as an authentication token is unfounded and dangerous. Publicizing the social security number will prevent such inappropriate reliance.

Once this reliance has been severed, the public nature of tying social security numbers to names produces no more risks to the individual than publicizing their names.

 

Issue new social security numbers on demand and reuse old ones

 

Perhaps one of the biggest problems associated with the uniqueness of social security numbers is that they purport to tie and individual to a credit history.  Credit reporting agencies often store aliases, multiple addresses or other non-unique identifiers in their files yet have the ability to distinguish one John Smith from another so that one’s bad behavior doesn’t adversely affect the other’s credit.  The purported uniqueness of social security numbers allows one John Smith (or someone using that alias) to access the good credit of another if they know the number and can furnish it on a credit application.  The use of a social security number should not be the key that unlocks the credit kingdom. Businesses must use it only as one possible identifying element, not THE identifying element of a credit file (just as a name is not unique within a credit file).

This solution actually works only if the social security numbers are not public.  If they are public (per the proposed solution above), businesses may be inclined to track when numbers are issued to individuals and then reissued to new individuals thus allowing them to tie a number to an individual at a specific time.

This solution does not hinder the social security administration from tracking an individual within an its own system. Assumedly the administration already has the ability to track individuals with multiple numbers to facilitate the existing solutions to misuse of social security numbers.

 

Don’t issue social security numbers until necessary to begin tracking payments and benefits in the social security system

 

Finally, from the perspective of the social security administration there is no need to issue a number until such time as the individual interacts with the administration for the purpose of applying payments or applying for benefits. The problem identified with the misuse of minor’s social security numbers is part and partial a result of the administration’s issuance of number years before necessary. The mandate of the administration is to administer the social security program, not to manage a national identifier. Other’s misappropriation of the number for secondary purposes does not change this mandate and the administration should be attempting to role back these secondary uses, not exacerbate society’s reliance on them.

 

 

Questions posed

 

1. Is age 13 the appropriate cut off for  application of the revised policy?

No, the problems presented affect all persons with social security numbers regardless of age.  The solution should attack the entire threat in a systemic way not attempt to put band-aids on individual issues. The solution proposed by the social security administration is attacking the symptom not the disease.

 

2. Are the circumstances that we  propose for assigning a new SSN to  children age 13 and under appropriate?

While appropriate they are insufficient (see answer below).

 

3. Are there other circumstances that  would warrant assigning a new SSN to  children age 13 and under?

 

Per the solution proposed by me above, new social security numbers should be issued to all on demand. This approach would affect not only those children adversely affected by the misuse of their social security numbers but it would also attack the systemic mis-reliance on social security numbers which is the root cause of the identified problems. This would have a wider-ranging effect and social benefit than the solution proposed by the Social Security Administration.