Statement by Mary J. Culnan, Ph.D.
Commissioner, President's Commission on Critical Infrastructure Protection
Testimony to the Social Security Administration
June 10, 1997
Privacy and Internet Access to Personal Earnings and Benefits Information (PEBES)
The Social Security Administration had good intentions when it made Personal Earnings and Benefit Estimate Statements (PEBES) available on the World Wide Web. Internet access to Social Security benefits information without a phone call or visiting a Social Security office means taxpayers enjoy better service provided at a dramatically reduced cost. Social Security also did the right thing first by taking the database down when privacy concerns were raised by the media and the public, and now by holding these public meetings to solicit input from the system's stakeholders before reaching a final decision about making the PEBES database accessible on the Internet once again.
In my opinion, making the current PEBES available on the Internet raises legitimate privacy concerns that may be difficult for the Social Security Administration to address in a cost-effective way absent a reliable method for authenticating the identity of the person requesting their records online. The Social Security Administration can address some of these concerns by modifying the format of the PEBES that is displayed online and reducing the number of unsuccessful attempts at authentication before a user is blocked from receiving a PEBES online. In the end, however, the central issue that the Social Security Administration must address is less about privacy and more about assuring public confidence in the ability of SSA and the federal government to deliver electronic services to the public securely and reliably.
Information Privacy and PEBES
Information privacy exists when people are able to control the disclosure and subsequent use of their personal information. Personal information is any information that can be associated with an identifiable individual. There are two ways that an individual's privacy can be violated. The first occurs when someone gains unauthorized access to another individual's personal information as a result of a security breach or inadequate internal controls. The second occurs when personal information is collected for one purpose and used for a different purpose without the individual's knowledge or consent. The privacy concerns raised by electronic access to PEBES relate to unauthorized access: the perception that a stranger or other unauthorized individual could access our information and that this could lead to identity fraud or other undesirable outcomes. Before reaching a final decision, it is important that Social Security unpack the specific concerns raised by potential unauthorized access to determine if the public concerns are legitimate and if so, how they should be addressed. There are two such issues: (1) the nature of the information contained in the record and the incentives it creates for fraudulent access to PEBES, and (2) the ability of the Social Security Administration to ensure that unauthorized access to PEBES does not occur.
Nature of the Information
The fact that the PEBES contains the same personal information the requestor disclosed to authenticate their request does not raise privacy concerns. In my opinion, potentially serious privacy concerns are raised by the salary history information contained in the report. Americans typically consider medical and financial information to be highly sensitive. For example, a 1994 Louis Harris survey conducted for Privacy and American Business found that 89% of the respondents felt that it would be "extremely serious" if their bank account information were disclosed without authorization. Unauthorized disclosure of Social Security numbers was rated as "very serious" by 85% of the respondents compared with 36% who felt it would be very serious if their religious affiliation (or non-affiliation) were disclosed without authorization. For the majority of the public who earn less than the cutoff for FICA withholding, the PEBES provides a year-by-year summary of their earnings history. For more affluent individuals, the report only reports the withholding cutoff point. However, beginning in 1994, the earnings ceiling was lifted on Medicare withholding, meaning from this point forward, the PEBES will report annual salary for everyone. I personally would not be comfortable having the salary history information in my own statement accessible to anyone who did not have a need to know the information and I suspect others would feel the same way.
Preventing Unauthorized Access
The main vulnerability of Internet access to PEBES results from the fact that there is currently no way for the Social Security Administration to ensure that the individual who requests their PEBES report online is in fact the individual who is entitled to receive the information. While the identifying information required to issue the PEBES makes it unlikely that the casual web surfer could obtain another person's PEBES, it would still be possible for someone determined to acquire another person's record to assemble the necessary facts from one of many commercial information brokers without much difficulty. There exists no system for authenticating that the requester is the record subject rather than someone else who has managed to gather the data currently required to authenticate the requester. The most secure way to authenticate requests over the web would be through the use of a digital identity. However, there is currently no infrastructure in place for issuing digital identities to the general public and for managing their use, nor is it likely such a system will be implemented in the short term.
Passwords can also serve as a means of limiting unauthorized access to PEBES records, but issuing these electronically or by phone without a picture ID or other firm proof of identity runs the same risks as providing the PEBES itself as the same information would be requested to issue the password as to issue the report. Further, if an unauthorized person were the first to be issued such a password, they could prevent the legitimate requester from accessing their own record. The costs of SSA implementing a program for widespread controlled password distribution would appear on the surface to exceed the benefits.
The Social Security Administration reports that it has implemented appropriate security procedures to prevent hackers from breaking into the database and there is no reason to dispute this claim. However, the Internet is inherently insecure and Social Security needs to be vigilant in monitoring use of its web site if it does reinstate PEBES online in order to identify any suspicious activity and to assure that the PEBES database is protected from potential attacks. The fact that 24,000 of 71,000 or approximately one-third of the requests for on-line PEBES data failed the security screening suggests that the database is an attractive target.
A Privacy-Friendly Solution
There is no evidence that digital identities for the public to use in conducting business with the Federal government will be implemented on a widespread basis in the near term, and the authentication problem will persist. One obvious solution is for Social Security to continue to allow people to request their PEBES online with the report sent through the mail, but not to make the PEBES itself available online. A better solution which more effectively balances the risks of unauthorized disclosure with the benefits of reduced costs and enhanced service to the public would be to change the report format and to make a summarized version of the report available online instead of the full report currently provided. Prior to this hearing, I requested my PEBES to see what my total benefits would be when I retired. I suspect this is the same information that the majority of people are seeking unless a member of the public has a reason to believe there is an error in their records. This summarized information about expected benefits could be provided without displaying the salary history contained in the section "Your Social Security Earnings" which contains the sensitive personal financial information. The section "Your Estimated Social Security Benefits" and the "Facts You Gave Us" section containing the individual's name and the assumptions used to drive these estimates could continue to be displayed. Given the practical obstacles to implementing additional safeguards for authenticating requests in the near term, I believe this proposal represents a solution that effectively balances many of the competing interests of convenience and privacy.
Conclusion: The Threats to Public Confidence
Public confidence is created when people's experiences match their expectations for service quality. It reflects a perception that institutions or third parties can be trusted to act in the best interests of the people they represent. As public trust is socially constructed, perceptions are more important than reality. Consider the example of P-TRAK:
P-TRAK is a Lexis-Nexis database used by attorneys and others to locate individuals. The records in the database are based on header information from a credit report database. Social security numbers could be used to retrieve a record, but were not displayed based on complaints from subscribers after the product was first introduced in June 1996. In September 1996, a message about the privacy risks inherent in P-TRAK was posted to an Internet discussion group. Word about the database, including a great deal of misinformation, spread quickly, creating a public relations crisis for Lexis-Nexis. The issue was picked up by the print media including the Washington Post which published an editorial focusing on the public unease caused by "having your every public or commercial transaction on file ... retrievable at the touch of a button." P-TRAK also attracted the attention of Congress with three Senators requesting a Federal Trade Commission investigation and a proposal for any legislation the FTC deemed appropriate based on the results of its study.
P-TRAK has some important lessons for the Social Security Administration: public confidence can be eroded quickly if there are sensational media reports of unauthorized access or attempts at unauthorized access to online records, or if someone brags online that they were able to access the records of a celebrity. Truth and misinformation spread with equal speed on the Internet. Any instances of unauthorized access are likely to result in unwanted Congressional scrutiny and the introduction of knee-jerk legislation. If the public does not have confidence they can do business electronically with the Social Security Administration, these perceptions are likely to further decrease public confidence in the Federal government overall and to poison the water for other federal agencies who plan to offer electronic services to the public. It behooves the Social Security Administration, therefore, to take whatever steps are necessary to assure public confidence in whatever electronic services they offer. These include additional research and public education, appointing a privacy advisory board, and making privacy considerations part of the business case for all electronic commerce applications involving personal information.
Summary: Privacy and Internet Access to PEBES
- SSA cannot ensure the person requesting PEBES online is the record subject
- Authentication data is known to others or available commercially
- There are no other facts known solely to SSA and the record subject that could be used to ensure unauthorized access cannot occur. The costs of assigning passwords exceed the benefits.
- Casual surfer is unlikely to be able to gain unauthorized access; same is not true for a determined individual.
- Only bullet-proof method of authentication is a digital identity. However, there is currently no infrastructure in place for issuing digital identities to the general public and for managing their use, nor is it likely such a system will be implemented in the short term.
- The most sensitive personal information in PEBES is the salary history.
- Focus on the information in PEBES, not on authentication
Reinstating Online PEBES and Beyond
- A modified version of PEBES should be offered on the Internet
- Eliminate the salary history from the report. Display only requestor's name, assumptions used in the analysis and expected benefits.
- Set a low threshold for number of failed authentication attempts before blocking a record.
- Critical issue for SSA is less about privacy and more about public confidence. If the public does not have confidence they can do business electronically with SSA, these perceptions are likely to further decrease public confidence in the Federal government overall, and to poison the water for other federal agencies who plan to offer electronic services to the public.
- For the future, appoint a privacy advisory board and make privacy part of the business case for all new electronic commerce applications involving personal information.
1. In July 1996, President Clinton signed Executive Order 13010 which established the Commission on Critical Infrastructure Protection (PCCIP). Critical infrastructures are systems and services that make up the nation's "life support systems" including banking and finance, communications and information, physical distribution, energy and vital human services. The Commission's mission is to make policy recommendations to the President about ways to assure America's critical infrastructures from physical and cyber threats in the 21st century. Additional information about the Commission and our activities is available from our web site (http://www.pccip.gov). The views expressed in this statement do not necessarily reflect the views of the Commission.
2. In 1995, the withholding cutoff point was $61,200. Approximately 69% of the population earned less than $60,000 that year. See Table 3, "Persons in Household by Total Household Income in 1995," U.S. Bureau of the Census, Money Income in the United States: 1995. Washington: U.S. Government Printing Office, 1996.
3. See Statement of John J. Callahan, "Personal Earning and Benefits Statements on the Internet" before the Social Security Subcommittee, U.S. House of Representatives Ways and Means Committee, May 6, 1997.
4. See Peter G. Neumann, The Social Security Internet Website: Technology and Privacy Implications, May 1997 available at <http://www.csl.sri.com/neumann/ssa.html>.
5. Statement of John J. Callahan, p. 6. See also U.S. General Accounting Office, "Internet Access to Personal Earnings and Benefits Information" before the Social Security Subcommittee, U.S. House of Representatives Ways and Means Committee, May 6, 1997 which reported that as of April 7, 1997, 9,000 of 27,000 requests failed to pass SSA authentication requirements. Online access was disabled on April 9, 1997.
6. "Awash in Information," The Washington Post, September 28, 1996, p. A16.
7. A public opinion survey conducted by Princeton Survey Research Associates for the Pew Research Center in February 1997 found only 6% of the public feels it can trust the federal government "a lot" compared with 78% for their local fire department.