New Bill Seeks to Eliminate Social Security Numbers as Uniform Identifiers


On January 7, 2011, Representative Ron Paul (R-TX) introduced a bill entitled the “Identity Theft Prevention Act of 2011” (H.R. 220). The Bill seeks to address the pervasive use of Social Security Numbers by various federal, state and local government agencies and to prevent identity theft by eliminating any use of those numbers in connection with government services. It prohibits governmental agencies from requiring mandatory or even voluntary disclosure of an individual’s Social Security Number in connection with documents filed by individuals.

The Bill includes amendments to the Social Security Act (42 U.S.C. 405(c)(2)), the Internal Revenue Code (26 U.S.C. § 6109(d)), and the Privacy Act of 1974 (5 U.S.C. 552a note, 88 Stat. 1909) in the following notable ways:

  • Social Security Act – H.R. 220 §§ 2(b) and (d)(2):
    • Requires that Social Security Account Numbers be randomly generated instead of conforming to a specific numbering system (the Social Security Numbering Scheme is described in detail on the Social Security Administration’s archive);
    • Provides that the Social Security Account Number be owned by the individual;
    • Prohibits the Social Security Administration from divulging that number to anyone (other than the account holder himself/herself); and
    • Requires that any pre-existing Social Security Numbers be declared null and void and reissued within 5 years of enactment of the Bill in accordance with the new “random generation” rules. Certain cross-references to the old numbers may be made, but these are limited.
  • Internal Revenue Code – § 2(c)(1):
  • Privacy Act – H.R. 220 § 3:
    • Section 7 of the Privacy Act (5 U.S.C. § 552a (note)) currently reads as follows:
      Sec. 7(a) (1) It shall be unlawful for any Federal, State or local government agency to deny to any individual any right, benefit, or privilege provided by law because of such individual’s refusal to disclose his social security account number.
      (2) the provisions of paragraph (1) of this subsection shall not apply with respect to—
      (A) any disclosure which is required by Federal statute, or
      (B) any disclosure of a social security number to any Federal, State, or local agency maintaining a system of records in existence and operating before January 1, 1975, if such disclosure was required under statute or regulation adopted prior to such date to verify the identity of an individual.
      (b) Any Federal, State or local government agency which requests an individual to disclose his social security account number shall inform that individual whether that disclosure is mandatory or voluntary, by what statutory or other authority such number is solicited, and what uses will be made of it.
    • Pursuant to H.R. 220, these provisions would be amended to read as follows:
      Sec. 7(a) (1) It shall be unlawful for any Federal, State or local government agency to deny to any individual any right, benefit, or privilege provided by law because of such individual’s refusal to disclose his social security account number.
      (2) The provisions of paragraph (1) of this subsection shall not apply with respect to any disclosure which is required under regulations of the Commissioner of Social Security pursuant to section 205(c)(2) of the Social Security Act or under regulations of the Secretary of the Treasury pursuant to section 6109(d) of the Internal Revenue Code of 1986.
      (b) Except with respect to disclosures described in subsection (a)(2), no agency or instrumentality of the Federal Government, a State, a political subdivision of a State, or any combination of the foregoing may request an individual to disclose his social security account number, on either a mandatory or voluntary basis.

The Bill also prohibits “Government Wide Uniform Identifying Numbers” (Section 4) and “Government Established Identifiers” (Section 5). These two prohibitions would go into effect on January 1, 2012.

Under Section 4, the Bill provides that “any two agencies or instrumentalities of the Federal Government may not implement the same identifying number with respect to any individual” except where authorized by 42 U.S.C. 405(c)(2) [the Social Security Act sections described above]. Id. § 4(a).

Under Section 5, the Bill prohibits any two federal agencies from implementing the same numbering system to assign individual identification numbers to any individual and from conditioning the receipt of any federal grant, contract, or funding on the adoption of a uniform numbering system by a state or local government entity or agency. The Bill makes it clear that “administrative simplification” cannot be the stated purpose in establishing or mandating a uniform standard for identification purposes. Id. § 5(b)(2).

Initial Purpose of Social Security Numbers

As initially implemented, the Social Security Numbering system was not intended as a universal numbering system, and indeed was not adopted by other agencies as such until at least 1943, when an Executive Order mandated that, if a numbering system was required to keep records on individuals, the Social Security Numbering system be used. Executive Order 9397 (3 CFR (1943-1948 Comp.) 283-284). An interesting chronology of the history of policy changes to the Social Security Numbering System can be found at the Social Security Administration’s web site, and the explanation of the meaning of each section of the Social Security Number can be found here.

Status of Legislation

Following its introduction on January 7, 2011, the Bill was referred to the House Ways and Means Committee and the House Oversight and Government Reform Committee.

Basic information about the Bill (except for the actual text) can be found through Thomas (Congress’s legislative portal) at this specific link. The actual text can be found here in a variety of formats, including text, XML and PDF.

New Law in Utah Prohibits Certain Internet Crimes

On March 26, 2010, the governor of Utah signed into law the Utah E-Commerce Integrity Act (S.B. 26), which prohibits certain Internet-related conduct, including phishing, pharming, spyware and cybersquatting that involves “a computer, software, or an advertisement located in, sent to, or displayed in” Utah. (Legislative history of the bill, and alternate text versions can be found here.)

Essentially, the bill provides the following:

  • Prohibits the facilitation of “certain types of fraud and injury through use of electronic communications;”
  • “Allows for the removal of domain names and online content by an Internet registrar or [ISP] under certain circumstances;”
  • “Forbids the use of various types of software, commonly called spyware, if used for certain purposes;”
  • “Provides exceptions from spyware provisions for various types of communications and interactions, including authorized diagnostics;”
  • “Prohibits the registration of domain names under certain circumstances, commonly referred to as cybersquatting;” and
  • “Provides civil penalties for a violation of cybersquatting provisions”.

It also prohibits the passage of contrary laws by subdivisions of the state and makes other technical changes.

Key among the provisions are definitions of what activities constitute phishing, pharming, spyware and cybersquatting. Notably, the statute only applies to activities that occur after July 1, 2010 (although for cybersquatting and infringement, the effective date is May 11, 2010).

Suit to recover damages for phishing or pharming activities may be filed by 1) any ISP that is “adversely affected by the violation”; 2) “an owner of a web page, computer server or trademark that is used without authorization by the violation;” or 3) the attorney general. Either actual damages or “a civil penalty not to exceed $150,000” per violation can be awarded.

In the case of spyware, not only are the ISP, the attorney general and the trademark owner whose mark was used to deceive others able to file suit, but the owner of “a software company that expends resources in good faith assisting authorized users harmed by a violation” of this provision can also sue. The damages awarded in these instances can be actual and liquidated damages of between $1,000 and $1,00,000 as well as attorneys’ fees and costs. There are certain exceptions to the damages thresholds, depending on the circumstances.

The cybersquatting provisions are structured similarly to the AntiCybersquatting Consumer Protection Act (15 USC § 1125(d)), and permit the transfer of an affected domain name in the case of a successful judgment against the defendant, but also differ in certain ways from the federal provisions. Specifically, they allow personal names to be included in the scope of protection under the act and exempt domain name registrars from legal action except in cases of bad faith or reckless disregard. There are other differences as well, but these were the most obvious.

Netflix Sued for Alleged Privacy Violations

Part 2 of the “Two New Privacy Lawsuits Filed” Topic

Also on December 17, 2009, (see prior post about Facebook complaint), a Jane Doe plaintiff and three other individual plaintiffs filed a Class Action Complaint in the Northern District of California against Netflix and John Doe defendants 1-50, alleging violations of the Video Privacy Protection Act (18 U.S.C. § 2710), various California consumer protection statutes and common law claims for unjust enrichment and public disclosure of private facts in connection with Netflix’s “Prize” offered to the computer developer who succeeded in creating computer algorithms that improve Netflix’s recommendations tool by the largest margin. Valdez-Marquez et al. v. Netflix, Inc., et al., Case No. C 09-05903 (N.D. Cal.); see also WSJ Law Blog, “Did Netflix Violate Subscribers’ Privacy? Lawsuit Says Yes,” posted Dec. 18, 2009.

As the company’s web site explained, “The Netflix Prize sought to substantially improve the accuracy of predictions about how much someone is going to enjoy a movie based on their movie preferences.” Netflix Prize (last visited Jan. 14, 2010). The best algorithm would win the $1 million grand prize, and indeed the prize was awarded on September 21, 2009.

A copy of the complaint can be found on the Wall Street Journal’s site, and an article about the complaint (with a separate link to the complaint) was also published on Wired.com’s Threat Level Blog: Ryan Singel, “Netflix Spilled Your Brokeback Mountain Secret, Lawsuit Claims,” Wired.com, Dec. 17, 2009.

Interestingly, a university professor identified a problem with the anonymizing tools Netflix used in 2006 and argued that Netflix should not move forward with its newest contest, “Netflix Prize 2”, which would again release “anonymous” data on which the new algorithms would be based. See Paul Ohm, “Netflix’s Impending (But Still Avoidable) Multi-Million Dollar Privacy Blunder,” posted on Freedom to Tinker (hosted by Princeton University’s Center for Information Technology Policy) on Sept. 21, 2009.

Professor Ohm’s analysis identifying potential risks of data breach was further discussed in an article on Network World. Ian Paul, “Netflix Prize 2: What You Need to Know,” Network World, Sept. 23, 2009.

Apparently, Netflix has not yet rolled out the data associated with Netflix Prize 2 – at least, according to its web site, the details of the contest would be announced “shortly,” and prizes would be awarded for the “best results at 6 months and 18 months” instead of the 3 years associated with the original contest.

Two New Privacy Lawsuits Filed — Part One, Facebook

Within the last few weeks, two major companies have been sued for alleged violations of privacy laws – one filed before the Federal Trade Commission seeking an investigation into Facebook’s privacy settings and the other filed in federal court, styled as a class action against Netflix. (The Netflix suit will be analyzed separately, in Part 2 of this topic.)

Facebook Complaint

On December 17, 2009, privacy advocates filed a complaint with the Federal Trade Commission, requesting that “the FTC open an investigation into Facebook’s revised privacy settings.” In the Matter of Facebook, Inc., Docket Number —- (FTC); see also EPIC’s Press Release, “EPIC Defends Privacy of Facebook Users: Files Complaint with the Federal Trade Commission,” Dec. 17, 2009.

Facebook announced its privacy policy revisions in a December 9 Press Release, “Facebook Asks More Than 350 Million Users Around the World To Personalize Their Privacy; Service Gives Users New Tools to Control Their Information” – which suggested that the changes would actually benefit users, and help them protect their information. In fact, however, these changes potentially undo the restrictive settings that users may have applied to keep their profiles closely guarded and viewable only by “friends.”

A copy of the Complaint, Request for Investigation, Injunction and Other Relief can be found on EPIC’s site, but EPIC is not the only plaintiff. Nine other consumer protection organizations have joined, namely the American Library Association (see also their privacy resources), The Center for Digital Democracy (see also a Dec. 17 blog post that explains CDD’s reasons for joining the complaint), Consumer Federation of America, FoolProof Financial Education, Patient Privacy Rights (see also their Dec. 11 criticism of Facebook’s privacy policy changes and their Feb. 18 analysis of the Complaint Almost Filed Against Facebook), Privacy Activism, Privacy Rights Now Coalition, The Privacy Rights Clearinghouse and the U.S. Bill of Rights Foundation. (If the organization name is not hyperlinked, it’s because I could not find an updated web site for the organization. If you find one, please post it in the Comments section below.)

Other Information about Facebook’s Privacy Policies

* EPIC has also developed an “In Re Facebook” page, on which it summarizes all of the actions it has taken to date relating to privacy issues faced by Facebook participants, provides a background to the debate, and chronicles various articles that have been written about the complaint. (Last updated on Dec. 30, although it appears to be kept current, so keep checking back.)

* The Electronic Frontier Foundation (EFF) has also posted (Dec. 21) an interesting article on its Deep Links Blog entitled, “Who Knows Who Your Facebook Friends Are?”, discussing how Facebook’s changes to its privacy policies have exposed users’ list of friends – thus causing real problems for political activists operating under oppressive regimes. Another EFF article worth reviewing in detail is “Facebook’s New Privacy Changes: The Good, The Bad, and The Ugly” (Dec. 9).

* The New York Times’s Brad Stone blogged about the lawsuit in an article entitled “Privacy Group Files Complaint on Facebook Changes,” (Dec. 17) which has been updated to include Facebook’s response to the Complaint. The response notes that Facebook “discussed” the revisions to its privacy policies with regulators, including the FTC.

FTC Releases its Staff Report on its 2/09 Fraud Forum

On December 29, 2009, the Federal Trade Commission’s Division of Marketing Practices released its “Staff Report on the [FTC]’s Fraud Forum.” See Report. The report analyzes the recommendations and conclusions made during the FTC’s February 2009 meeting on the topic of preventing consumer fraud. See 12/29/09 Press Release.

The report analyzes the types of scam artists, some of the common scams that have been (at least marginally) successful, the types of victims, reasons why these crimes might be unreported or underreported, and upcoming challenges such as payment system frauds or phishing, spoofing and keystroke logging. The report also makes several proposals for improving the FTC’s anti-fraud program.