Speech by Beth Givens, PRC Director
Privacy and Customer Service in the Electronic Age:
Internet Access to the Personal Earnings and Benefits Statement
San Jose, CA
Thank you for the opportunity to participate in this forum. I am Beth Givens, Project Director of the Privacy Rights Clearinghouse. The PRC is a nonprofit consumer education and advocacy project serving primarily the state of California. It is affiliated with the Utility Consumers' Action Network in San Diego, California.
The PRC has been in existence for nearly five years. We operate a hotline which consumers can call with their privacy-related questions and complaints. We have developed a series of 20 publications covering such topics as credit reporting, identity theft, unsolicited mail, telemarketing, workplace privacy, medical records privacy, as well as the topic of this forum -- privacy in cyberspace. Our publications are available in paper form and on our Internet Web site, www.privacyrights.org.
The outcry that greeted the Social Security Administration's launch of the Personal Earnings and Benefits Statement on the Internet was a sign of the times. When many members of the public learned that information as sensitive as their annual wages and the amounts of their contributions to the SSA and Medicare would be available on the Internet, it brought up their concerns about control.
Who asked me?
Who else but me might be able to access that information?
What other uses can be made of that data that might harm me?
What safeguards are in place to ensure that this information does not get into the wrong hands?
What if I don't want my record on the Internet -- can I say 'no'?
We heard a similar outcry when the information vendor Lexis-Nexis introduced the people-finding service P-Trak last year. And a few years ago it was the product Lotus Marketplace that drew the ire of tens of thousands of consumers who didn't want their name, address, phone number and consumer profile sold to anyone willing to buy the CD-ROM.
Granted, these controversies were fueled in part by some misinformation and some missing information. But there are lessons that can be learned nonetheless.
I will discuss six issues:
- The need to conduct a privacy impact assessment.
- Giving individuals a choice regarding whether or not the PEBS is online.
- Security.
- Secondary usage, also called "function creep."
- Public education.
- The need for adequate oversight.
Point one is the need to conduct a "privacy impact assessment" whenever any product or service is to be launched in which personally identifiable information is involved. In the early 1970s we saw the passage of the landmark National Environmental Policy Act, which required the implementation of environmental impact statements to examine every possible implication of projects affecting our environment, not only the impacts on the natural environment, but also the social environment.
Now that we're fully ensconced in the information age, doesn't it also make sense for the federal government to require that its agencies conduct privacy impact assessments which look at the intended as well as the unintended consequences of the proposed service or product? By the way, I don't think privacy impact statements should be limited to federal government agencies -- that happens to be the focus of today's forum. If such assessments were conducted at all levels of government and in the private sector as well, we would likely avoid the controversies that I mentioned earlier.
The second point deals with choice. We recommend that individuals be given the opportunity to "opt in" to having their PEBS on the Internet. After all, it is not a public record, and it contains information that many individuals feel is sensitive.
Third is security. The elements that individuals needed to provide in order to access the report are too easily obtained by those who might want to improperly obtain the report -- like Social Security number, mother's maiden name and date of birth.
The Social Security Administration might want to consider PIN number access to thwart illegitimate access. An option which takes advantage of the convenience of the Internet but also adds a measure of security is to offer online ordering ability, but to mail the document using the postal service. Another security measure would be to install an electronic audit trail on the PEBS and allow individuals to learn when their PEBS has been accessed -- much like the inquiry process on our credit reports. I look forward to hearing from the next panel of technical experts on ways that security of the data base can be ensured.
My fourth point is what privacy advocates call "secondary usage." We heard the following "what if's" from those concerned about having their PEBS on the Internet without the protection of extra security measures:
Could my landlord learn my annual income and decide to increase the rent?
Could my employer gain access in order to find out if I'm moonlighting and earning extra income?
Could a credit card company or loan officer use it to verify income?
In other words, could the PEBS become a required document to receive some other kind of a service or benefit?
Another term used to describe what happens when information is used for purposes other than the original intent is "function creep." A virtual truism is that information compiled for one purpose is bound to be used for other purposes unless there are strong barriers and meaningful penalties in place to prevent the phenomenon of "function creep" -- especially when that information is accessible in the fluid, easy-access environment of the Internet.
If I understand correctly, there ARE limitations bound in laws and regulations prohibiting the secondary use scenarios that I have mentioned -- and please correct me if I'm wrong. And that brings up my fifth point, the need for more public education surrounding the PEBS. I'm a typical consumer, I think, in that I was totally unaware of the PEBS until I began my privacy work nearly five years ago. And now that I've ordered it several times, I realize that the information it contains is not particularly robust -- at least not as robust as many individuals think it is.
For example, it does not contain employers' names; it does not include income from investments, just from wages and salaries; and if you earn more than $64,500, that number is the maximum amount of earnings reported on the PEBS. One reporter mentioned to me, wouldn't it be great if we could access the income of Bill Gates or Warren Buffett. Well, if we did, we'd see the unimpressive figure of $64,500, which is the amount that correlates with the maximum annual contribution to one's Social Security benefit.
One of the blessings to come from the "PEBS on the Internet" discussion is that many individuals ARE now aware of the PEBS that formerly were not. We recommend that people order their PEBS once a year, just like their credit report. This is to ensure that their record is accurate, and to watch for possible fraudulent use of their Social Security number for employment purposes. If it is not already doing so, the SSA might want to explore ways in which it can increase public awareness of the PEBS and the need for individuals to request it on a regular basis.
Part of the public awareness campaign should be discussion of just what it contains and does not contain, what are the limitations in place for its use (in other words, how is secondary use prohibited) and what penalties exist for illegitimate access to and use of the PEBS. I realize this information is on the Internet, but that reaches a minority of U.S. households at this time.
The sixth and final point which I wish to raise is the need for adequate oversight of the PEBS data base and meaningful penalties for illegitimate access -- penalties that are actually enforced. Over the past three years the Privacy Rights Clearinghouse has seen a significant increase in the problem of identity theft. The key piece of information that identity thieves use is the Social Security number. Yet, when victims of this crime contact the Social Security Administration to ask for help, they are almost always told there is nothing the SSA can do about this situation.
I realize that identity theft is not a topic on today's agenda. But I raise the issue to make a point. If the PEBS is going to be made available on the Internet, is there adequate staffing in place to conduct effective oversight? Will investigations of illegitimate access be conducted and will wrongdoers be prosecuted? My sense from talking with many individuals in the past few years is that they perceive that little to nothing is being done to investigate and prosecute those who abuse the Social Security system.
In closing, I want to thank the Social Security Administration for holding this forum and inviting discussion of Internet access to the PEBS. I appreciate the opportunity to participate. No doubt what is learned from these public forums will be useful in future deliberations by other government agencies involving the question of placing personally identifiable information contained in government data bases on the Internet. I look forward to the report that is generated from these forums. Please feel free to call on the Privacy Rights Clearinghouse if we can be of help.