What Price, Privacy?

Is there a way to balance the competing needs of access and privacy? Should the Social Security Administration try again to make some of their information available on the Web?

by / September 30, 1997
Not long ago, the Social Security Administration (SSA) asked me to testify as part of a series of national forums concerning access to Social Security account information on the agency's Web site. While it was painted in the media as being one fraught with privacy concerns, like most problems, there is more than one side to this issue. Because I follow issues pertaining to access to government information, I often become involved in issues where access and privacy intersect and, often, clash. The publicity concerning access to personally-identifiable Social Security account information on the SSA's Web site is just one in a continuing line of access/privacy issues that need to be addressed as we work out the ground rules for electronic dissemination of sensitive personal or economic information.

The privacy perspective of the issue was laid out in the very balanced testimony of Marc Rotenberg, director of the Electronic Privacy Information Center in Washington, D.C., when he testified before the House Social Security Subcommittee on this issue. As Rotenberg noted, the privacy issues presented here cut in both directions. As a general rule, personal information should not be disclosed to third parties without prior consent. On the other hand, fair information practices include the individual's ability to have access to his or her own personal information for purposes of verifying its accuracy and completeness. Through this access mechanism, government agencies may be assured that information is accurate and up-to-date by receiving input from the person most likely to know.

Because the privacy dimensions of this debate have been so ably presented and discussed by Rotenberg and others, I want to look somewhat more carefully at the access implications. A bedrock principle of statutes covering access to government information is that a requester should be given access to records unless they fall within one or more specific exemptions.

Under access policies pursued by the Clinton administration, even in those instances where information may be withheld because it meets the definition for protection under a specific exemption, such information should still be disclosed as a matter of discretion unless the agency can articulate a foreseeable harm from disclosure. Of course, it is worth pointing out in the context of this specific incident that agencies have no discretion to disclose personal information that falls within the confines of Exemption 6 or 7(C) of the Freedom of Information Act (FOIA). Exemption 6 protects information whose disclosure would constitute "a clearly unwarranted invasion of personal privacy," while Exemption 7(C) protects law enforcement information where disclosure would constitute "an unwarranted invasion of personal privacy."

In Dept. of Defense vs. FLRA, the Supreme Court made it clear that records falling under either of these categories would be exempt under the Privacy Act. That is because one of the Privacy Act's exceptions to the rule of prior consent is that disclosure is required under the FOIA. The disclosure of a record that falls within the confines of either privacy exemption of the FOIA would not be a required disclosure and, thus, would not be permitted under the law as it currently is interpreted.

While the Social Security Administration's program to allow access to an individual's personal account information is certainly not set up to be administered as if the agency is receiving individual FOIA or Privacy Act requests for the information, some of the same analytical exercises may be useful.

To access advocates like myself,
the disclosure of individual account information should not be restricted solely because of its electronic availability.
At the outset, it is important to be aware of the fear held by access advocates that somehow the technology of electronic access and dissemination will throw up obstacles to access that would not be present if the records were disseminated on paper. To access advocates like myself, the disclosure of individual account information should not be restricted solely because of its electronic availability.

I do not know the type of information an individual might need to provide to the SSA if a request for access to his or her account information were made by letter or phone. But the level of knowledge required to obtain the information through a letter or phone request should not need to be significantly different in an electronic access request.

While the danger of fraudulent entry into a third party's account is certainly present in an Internet transaction, it should be equally present in a low-tech transaction, like a letter or phone call. If the fear of misrepresentation is the driving issue, then it is present in any form of exchange and the only way to combat that would be to request so much specific information that only the correct individual would be likely to know it, or, at least in the electronic sphere, to encrypt or provide some form of password protection. Unfortunately, either of those solutions would incur so much expense and complication for the parties that they would likely destroy the viability of the access program.

It is abundantly clear under the case law that disclosure of individual Social Security numbers is considered a per se invasion of privacy. The Fourth Circuit examined the potential abuses of Social Security numbers in Greidinger vs. Davis, concluding that the state of Virginia could not require a Social Security number as a prerequisite for voting. While the court based its ruling on its finding that forced disclosure of Greidinger's Social Security number impeded his constitutional right to vote, the Ohio Supreme Court, using Greidinger's analysis, ruled in State ex rel. Beacon Journal Publishing Co. vs. Akron that disclosure of Social Security numbers would violate the U.S. Constitution's right of privacy. More recently, in McKay vs. Altobello, a federal judge in Louisiana ruled that use of Social Security numbers as a prerequisite for voting was prohibited by Section 7 of the Privacy Act.

But the SSA system is not about disclosure of Social Security numbers. It requires that the individual already have the needed Social Security number, along with other identifying information that satisfies the system that the requester is who he or she claims to be. Regardless of the possibility of fraud, the agency should at least consider the question of how private or confidential the account information is as a practical matter. As I understand the information, and I readily admit that my characterization may need correction, the information available shows an individual's contributions to Social Security and Medicare. Because contributions to both programs are required through the tax system and are unlikely to indicate an individual's earnings because of various ceilings on required contributions and the lag time between when this information is reported to the IRS and subsequently posted on the Web site by the SSA, there is a real question about the intimacy or economic value of such information to third parties.

Because contributions bear no resemblance to potential payouts, third parties looking for easy marks are unlikely to be able to determine an elderly individual's value by looking at his Social Security contribution account. In other words, while I am not advocating that anyone should be able to access this account information, for purposes of determining the level of protection, the agency ought to consider the potential harms flowing from occasional third-party disclosures.

Finally, the Social Security Administration should be applauded for trying to use technology to advance access to this information, which is obviously of potential interest to the individuals concerned. If the cost and practicality of instituting a high level of security proves insurmountable, the SSA may be best advised to use some kind of opt-in system to determine the extent of its electronic database. To accomplish this, account holders would be informed separately, or in some other mailing already being sent to them, that their information could be provided electronically subject to certain risks of fraudulent entry. Those who chose to participate would be making a determination that the potential convenience outweighed the potential risks.

Increasingly, government electronic dissemination schemes are raising red flags with privacy advocates. Many of them merit closer scrutiny, and the problems highlighted by privacy advocates have been largely responsible for a major series of hearings held by the Federal Trade Commission on dissemination of private databases made up of quantities of personal information, much of it collected from public sources. The privacy implications in these databases must be addressed during design, rather than trying to retrofit databases to resolve these issues at a later date. But the privacy issue should not be turned into a matter of mass hysteria that closes the door on public dissemination of useful public information. The fact that public information can be linked to individuals does not in itself mean that information should not be disseminated. When dealing with these issues, and agencies will continue to face them, we must remember to weigh both sides of the balance -- access on one side, privacy on the other.

Harry Hammitt is editor/publisher
of Access Reports, a newsletter published in Lynchburg, Va., covering open government laws and information policy issues. E-mail: <75111.743@compuserve.com>.

October Table of Contents

Harry Hammitt Contributing Writer