By Simson L. Garfinkel
On April 7, 1997, USA Today ran a front-page story about how the
actions of the Social Security Administration were potentially compromising
the privacy of millions of Americans. The story was picked up nationally,
touched off tens of thousands of calls to Congress, sparked a round of hearings,
and in less than a week resulted in forcing the Social Security Administration
to reverse its policy and take the information off the Internet.
"Social Insecurity: Your salary history is on the Net, and it's not hard to read. What was the government thinking?" read the headline.
Social Security hadn't intended to violate the privacy of millions of Americans, of course. The agency was simply trying to take advantage of the Internet to cut costs and improve customer service, in line with Vice President Al Gore's "reinventing government" project. But something had gone wrong. In its effort to improve customer service, Social Security failed to anticipate the ways that the information might be misused.
As the author of the story, I didn't start out planning to write a major article about privacy issues. I didn't even start out writing an article for USA Today. Things just sort of worked out that way.
In March, an editor of mine from the San Jose Mercury News took a job with Microsoft's online service, MSN, as the editor of a new online financial magazine. My editor asked me if I would like to have a weekly column. I jumped at the opportunity. The first column that I decided to write was about the Social Security Administration's Personal Earnings Benefit Estimate Statement (PEBES), a statement that the Administration can prepare for taxpayers to tell them how much money they've earned during their lifetime and their expected retirement and death benefits. Besides being a good tool for helping to plan retirement, the PEBES is a good way to find out if somebody else is using your social security number.
In the past, getting a PEBES was a complicated procedure. First you had to call up SSA and request the form. Once you got the form in the mail, you had to fill it out, mail it in, and wait for statement to be sent to you by mail. It took anywhere from two weeks to a month. The process was also expensive, costing SSA an estimated $5.23 to answer a single inquiry.
In 1996 the Internal Revenue Service took a big step forward into the information age and put all the US tax forms on the Internet. In March, I thought that the Social Security Administration might have done the same with the PEBES request form, so I clicked into the web site at http://www.ssa.gov/ to look around. Instead of finding a way to download the form, I found an electronic form, ready for me to fill out. I went through the steps, clicked a button, and less than two minutes later I saw my complete earnings history displayed on the computer's screen.
Immediately, I knew that I had a big story--one far bigger than a small 500-word column on Microsoft's web site. If I could access my own PEBES report, what was to stop me from viewing Bill Gates' report, or President Clinton's, or anybody else's report, for that matter?
I called up SSA's public affairs office and was eventually granted an interview with Bruce Carter, the SSA's webmaster. To prepare for the interview, I sent Carter a list of questions by e-mail. I wanted to know what security checks they had in place to prevent me from accessing some else's report. By this point, I was particularly worried about the use of the information on the web site for credit fraud. I was also worried about people overseas, like Nigerian credit fraud rings or unscrupulous Asian businessmen using the system to get information on American citizens.
In total, I asked Carter about a dozen questions. The responses surprised
me even more. Although the electronic PEBES request form asked for a person's
address, the amount of earnings that they reported on last year's tax return,
and other information, only five pieces of data were used to verify the
identity of a person trying to view their report. Those pieces were the
person's name, social security number, date of birth, state of birth, and
mother's maiden name. The site had been fully functional for about a month,
he said. When I asked him about security concerns, he brushed them off.
"A few people have expressed concern over the security but most people
are very pleased to be able to get this information online. We do get a
lot of complaints [and] expressions of concern from people who are unable
to match their information. We give them alternatives for receiving their
PEBES information and suggest that they call our 800 number if they have
any concerns."
At this point, I knew I had a great story. After shopping around a bit, I decided to sell the piece to USA Today. I told my editor there that I would interview a few privacy experts, to get their side of the story, but that I was pretty confident with my own interpretation. After all, I've been covering privacy issues for more than a decade. This seemed to be a clear case in which a federal agency had violated one of the fundamental principles of data protection: the responsibility of an organization holding personal information to make sure that it is not disseminated to unauthorized individuals.
When I called Marc Rotenberg, director of the Electronic Privacy Information Center in Washington DC, I got a completely different interpretation. Rotenberg said that he had concerns about the website, but he didn't want to see it taken down, because he thought that it was important to grant people easy access to their data.
A few more calls proved to me that Rotenberg was in the minority. Evan
Hendricks, publisher of The Privacy Times, thought that there was
a high potential for abuse. "Most people are not going to suffer, but
the wolves are going to sniff this out and abuse it," he said. Beth
Givens, who runs the Privacy Rights Clearinghouse, confirmed for me that
the information which the Social Security Administration was using for verifying
the identity of individuals--social security numbers, mother's maiden names,
and state of birth--could easily be learned from a variety of public records.
And I dropped an e-mail message to Mark Welch, an engineer at Netscape Communications
Corp., which developed the web technology used by the SSA, and asked him
how he felt about the personal information being disclosed. "I just
got my own information online. Yikes!" he wrote back, and then proceeded
to give me a long list of many ways that the information could be abused.
My editor at USA Today also wanted me to interview a private detective.
At first I didn't want to, but eventually I gave in and started going through
the yellow pages. The first person I reached gave me a great quote--"Investigators
would love this"--which ended up being the headline of the second-page
jump.
The day after the story ran, my editor at USA Today sent me a note: "Simson... you have accomplished something many journalists wait a lifetime for: The Senate Finance Committee, even as I write this, is faxing a letter to the commissioner of Social Security asking them to shut down the website until it can be made more secure. Well done."
Looking back, it's clear to me that the Social Security Administration was in a no-win situation. On the one hand, they wanted to make information in their computers more widely available. But they had a problem: There is no good way to verify the identity of people on the Internet. So the Social Security Administration tried to invent its own identification system--one which relied on information stored in SSA's own computers. What SSA failed to realize was that this same information was available through many other sources.
I am presently working on a new book that explores issues of privacy
in great detail. As for the column with MSN, I changed my mind about
writing the column when I received a contract that said "MICROSOFT
CONFIDENTIAL." I realized that in my chosen field, even though my editor
at the Boston Globe saw no problem with it, I would have a hard time
keeping my reader's trust if I was also on Microsoft's payroll.
Simson L. Garfinkel is returning to his base in Vineyard Haven, MA. Email: simsong@vineyard.net