Social Security Numbers: Internet Resellers Provide Few Full SSNs, but Congress Should Consider Enacting Standards for Truncating SSNs (17-MAY-06, GAO-06-495).

GAO previously reported on how large information resellers like consumer reporting agencies obtain and use Social Security numbers (SSNs). Less is known about information resellers that offer services to the general public over the Internet. Because these resellers provide access to personal information, SSNs could be obtained over the Internet. GAO was asked to examine (1) the types of readily identifiable Internet resellers that have SSN-related services and characteristics of their businesses, (2) the extent to which these resellers sell SSNs, and (3) the applicability of federal privacy laws to Internet resellers.

-------------------------Indexing Terms-------------------------
REPORTNUM: GAO-06-495
ACCNO: A54119
TITLE: Social Security Numbers: Internet Resellers Provide Few Full SSNs, but Congress Should Consider Enacting Standards for Truncating SSNs
DATE: 05/17/2006
SUBJECT: Information security; Internet; Internet privacy; Privacy law; Right of privacy; Social security number; Information resellers; Personal information

******************************************************************
This file contains an ASCII representation of the text of a GAO Product.

No attempt has been made to display graphic images, although figure captions are reproduced. Tables are included, but may not resemble those in the printed version.

Please see the PDF (Portable Document Format) file, when available, for a complete electronic file of the printed document's contents.
******************************************************************

GAO-06-495

* Results in Brief
* Background
* Internet Resellers' Web Sites Shared Similar Characteristics
* Internet Resellers Offered to Sell a Variety of Information
* Internet Resellers Usually Identified Their Clients
* Three-Quarters of Internet Resellers Identified Their Source
* Most Attempts to Purchase SSNs Failed
* Applicability of Federal Privacy Laws to Internet Resellers
* Conclusions
* Matter for Congressional Consideration
* Agency Comments and Our Evaluation
* GAO Contact
* Staff Acknowledgments
* GAO's Mission
* Obtaining Copies of GAO Reports and Testimony
* Order by Mail or Phone
* To Report Fraud, Waste, and Abuse in Federal Programs
* Congressional Relations
* Public Affairs

Report to Congressional Requesters
United States Government Accountability Office
GAO
May 2006
SOCIAL SECURITY NUMBERS
Internet Resellers Provide Few Full SSNs, but Congress Should Consider Enacting Standards for Truncating SSNs
GAO-06-495

Contents
Letter
  Results in Brief
  Background
  Internet Resellers' Web Sites Shared Similar Characteristics
  Most Attempts to Purchase SSNs Failed
  Applicability of Federal Privacy Laws to Internet Resellers Cannot Be Determined
  Conclusions
  Matter for Congressional Consideration
  Agency Comments and Our Evaluation
Appendix I: Scope and Methodology
Appendix II: Comments from the Social Security Administration
Appendix III: GAO Contact and Staff Acknowledgments
Tables
  Table 1: Aspects of Selected Federal Laws Affecting Public and Private Sector Disclosure of Personal Information
  Table 2: Categories and Examples of Information Provided by Internet Resellers
  Table 3: Types of Clients to Which Internet Resellers Market Their Services
  Table 5: Reasons Internet Resellers Did Not Provide SSNs
  Table 6: Results of Attempted SSN Purchases
Figures
  Figure 1: Number of Services Provided by the 154 Internet Resellers
  Figure 2: Combinations of the Sources of Information Used by Internet Resellers
  Figure 3: Frequency of Federal Privacy Laws Cited by Internet Resellers

Abbreviations
DCI    data collection instrument
DPPA   Driver's Privacy Protection Act
FACTA  Fair and Accurate Credit Transactions Act
FCRA   Fair Credit Reporting Act
FTC    Federal Trade Commission
GLBA   Gramm-Leach-Bliley Act
MSN    Microsoft Network
SSA    Social Security Administration
SSN    Social Security number

This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.

United States Government Accountability Office
Washington, DC 20548

May 17, 2006

The Honorable Jim McCrery
Chairman
Subcommittee on Social Security
Committee on Ways and Means
House of Representatives

The Honorable E. Clay Shaw, Jr.
House of Representatives

The Social Security number (SSN) is a key piece of personal information and has come to be used for numerous non-Social Security purposes. In recent years, both public and private sector entities have increasingly used the SSN as a personal identifier and ask individuals to supply their SSNs. Consequently, an individual's SSN can be found on a number of public documents such as land ownership records, birth certificates, and marriage licenses, and is advertised for sale. Private-sector entities known as information resellers specialize in amassing personal information, including SSNs, from various public and private sources and providing information about someone for specific purposes for a fee.
More prominent or large information resellers limit their services to businesses and government entities that establish accounts with them and have a legitimate purpose for obtaining personal information on an individual. However, less is known about other information resellers, particularly those that are Internet-based and offer their services to the public at large for a fee. Such Internet information resellers (Internet resellers) make public and nonpublic information accessible to the public, raising concerns about how easy it would be for someone to obtain another person's SSN over the Internet. At your request, we (1) describe the types of readily identifiable Internet resellers that have SSN-related services and characteristics of their business, (2) determine the extent to which these Internet resellers sell SSNs, and (3) determine the applicability of federal privacy laws to Internet resellers.

To identify Internet resellers and their characteristics, we developed an initial list of over 1,000 potential Internet resellers by searching the Internet with popular Web-based search engines, such as Google, and using keywords and phrases that members of the general public would use if they were trying to find Web sites that would allow them to obtain someone else's SSN and other personal information. We narrowed the list of Internet resellers to 154 distinct Web sites that had services that either required the customer to provide the reseller with an SSN or sold an SSN. We then used a data collection instrument (DCI) to capture information posted on resellers' Web sites about their characteristics, such as the types of information available for sale, the types of clients resellers market to, and the sources of information they stated they used.
To determine the extent to which the Internet resellers sell SSNs, we analyzed the data obtained from the DCI about Internet resellers with SSN-related services and attempted to purchase the SSNs of consenting GAO staff members from a nonprobability sample of 21 resellers on the list.[1] The criteria we used to select the resellers for our attempted purchases included (1) Web sites that advertise the sale of an SSN without the customer's having to provide the SSN of the subject of our inquiry, (2) Web sites that advertise the sale of an SSN to the general public, and (3) Web sites where the transaction could be made online through use of a credit card. We also interviewed staff from the Federal Trade Commission (FTC), officials from the Social Security Administration (SSA), industry representatives, and privacy experts to get their views about the use of SSN truncation. To determine the applicability of federal privacy laws to the Internet resellers, we reviewed federal privacy laws and examined pertinent information on the resellers' Web sites, including their references to privacy laws. Appendix I explains the scope and methodology of our work in greater detail. We conducted our work between April 2005 and May 2006 in accordance with generally accepted government auditing standards.

Results in Brief

Although numerous Internet resellers exist, the resellers' Web sites we reviewed generally had similar characteristics. Most advertised a selection of personal information ranging from previous and current addresses and dates of birth to drivers' license information, telephone records, and credit reports. In addition, many of them offered to sell personal information in various packages, such as criminal checks and background checks. Web sites most frequently identified individuals, businesses, attorneys, and financial institutions as their typical clients, and public or nonpublic sources, or both, as their sources of information.
[1] We selected these Web sites using a nonprobability sample, a sample in which some items in the population have no chance, or an unknown chance, of being selected. Results from nonprobability samples cannot be used to make inferences about a population. Thus, the information we obtained cannot be generalized to the other Web sites we studied.

We generally failed in our attempts to purchase full SSNs, although we did receive other personal information. Of the 53 Web sites that offered to sell a person's SSN, we tried to purchase SSNs of consenting GAO employees from 21 of these resellers and received one complete SSN for the person whose number we requested; four truncated SSNs, where only the first five digits were disclosed (123-45-XXXX); and no SSN from the remaining 16. In our discussions with privacy experts, private sector representatives, and federal officials, we found that entities in other industries, such as credit reporting, sometimes truncate the SSN by masking the first five digits of the SSN but displaying the last four (XXX-XX-1234). These experts added that there are few federal laws, and no specific industry standards, about which digits of an SSN are displayed in a truncated format. According to SSA officials, SSA does not have the authority to regulate how other public and private entities use SSNs, including how they are truncated. Furthermore, when we were successful in purchasing truncated SSNs as part of a background check, we also received personal information such as an individual's address, date of birth, and list of neighbors. In one case, we received unrequested information including the truncated SSNs of the person's current and past neighbors.

We could not determine if federal privacy laws were applicable to the Internet resellers because such laws depend on the type of entity involved and the source of information, and most of the resellers' Web sites did not include this information.
Certain federal privacy laws, such as the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA), and the Driver's Privacy Protection Act (DPPA), restrict the disclosure of personal information based on the type of entity or the specific source of the information. We found that most of the Internet resellers' Web sites we reviewed had insufficient information for us to determine the type of entity the reseller was or the source of the reseller's information. However, federal privacy laws could apply to these resellers. In four cases, we found that the resellers stated on their Web sites the type of entity they were (consumer reporting agencies and credit bureau), which are subject to FCRA or GLBA. We also found that about 79, or one-half, of the resellers referenced one or more federal privacy laws on their Web sites, indicating some awareness of these laws, while others referenced certain state laws, such as those of California, Florida, and Michigan.

Because different entities truncate SSNs in different ways and no federal agency has the authority to regulate how SSNs should be truncated, Congress may wish to consider enacting standards for truncating SSNs or delegating that authority to SSA or some other governmental agency. In commenting on a draft of this report, SSA agreed that standardizing the truncation of SSNs would be beneficial and supported our recommendation to Congress.

Background

The SSN was created in 1936 as a means of tracking workers' earnings and eligibility for Social Security benefits. SSNs are issued to most U.S. citizens, and to some noncitizens lawfully admitted to the United States. Through a process known as enumeration, a unique nine-digit number is created.
The number is divided into three parts: the first three digits represent the geographic area where the SSN was assigned; the middle two are the group number, which is assigned in a specified order for each area number; and the last four are serial numbers ranging from 0001 to 9999. Because of the number's uniqueness and broad applicability, SSNs have become the identifier of choice for government agencies and private businesses, and are used for a myriad of non-Social Security purposes.

Information resellers, sometimes referred to as information brokers, are businesses that specialize in amassing personal information from multiple sources and offering informational services. These entities may provide their services to a variety of prospective buyers, either to specific business clients or to the general public through the Internet. More prominent or large information resellers such as consumer reporting agencies and entities like LexisNexis provide information to their customers for various purposes, such as building consumer credit reports, verifying an individual's identity, differentiating records, marketing their products, and preventing financial fraud. These large information resellers limit their services to businesses and government entities that establish accounts with them and have a legitimate purpose for obtaining an individual's personal information. For example, law firms and collection agencies may request information on an individual's bank accounts and real estate holdings for use in civil proceedings, such as a divorce. Information resellers that offer their services through the Internet (Internet resellers) will generally advertise their services to the general public for a fee.

Resellers, whether well-known or Internet-based, collect information from three sources: public records, publicly available information, and nonpublic information.

o Public records are available to anyone and obtainable from governmental entities. Exactly what constitutes public records depends on state and federal laws, but generally includes birth and death records, property records, tax lien records, voter registrations, and court records (including criminal records, bankruptcy filings, civil case files, and legal judgments).

o Publicly available information is information not found in public records but nevertheless available to the public through other sources. These sources include telephone directories, business directories, print publications such as classified ads or magazines, and other sources accessible by the general public.

o Nonpublic information is derived from proprietary or private sources, such as credit header data[2] and application information provided by individuals (for example, information on a credit card application) directly to private businesses.

Information resellers provide information to their customers for various purposes, such as building consumer credit reports, verifying an individual's identity, differentiating records, marketing their products, and preventing financial fraud. The aggregation of the general public's personal information, such as SSNs, in large corporate databases and the increased availability of information via the Internet may provide unscrupulous individuals a means to acquire SSNs and use them for illegal purposes.
Because of the myriad uses of the SSN, Congress has previously asked GAO to review various aspects of SSN use in both the public and private sectors.[3] In our previous work, our reports have looked at how private businesses and government agencies obtain and use SSNs.[4] In addition, we have reported that the perceived widespread sharing of personal information and instances of identity theft have heightened public concern about the use of Social Security numbers.[5] We have also noted that the SSN is used, in part, as a verification tool for services such as child support collection, law enforcement enhancement, and issuing credit to individuals.[6] Although these uses of SSNs are beneficial to the public, SSNs are also key elements in creating false identities. We testified before the Subcommittee on Social Security, House Committee on Ways and Means, about SSA's enumeration and verification processes and also reported that the aggregation of personal information, such as SSNs, in large corporate databases, as well as the public display of SSNs in various public records, may provide criminals the opportunity to commit identity crimes.[7]

[2] Credit header data consist of the nonfinancial identifying information located at the top of a credit report, such as name, current and prior addresses, telephone number, Social Security number, and date of birth.

[3] See GAO, Social Security Numbers: Government Benefits from SSN Use but Could Provide Better Safeguards, GAO-02-352 (Washington, D.C.: May 31, 2002), and Identity Theft: Prevalence and Cost Appear to Be Growing, GAO-02-363 (Washington, D.C.: Mar. 1, 2002).

[4] GAO, Social Security: Government and Commercial Use of the Social Security Number Is Widespread, GAO/HEHS-99-28 (Washington, D.C.: Feb. 16, 1999).
We have also previously reported that certain federal and state laws help information resellers limit the disclosure of personal information, including SSNs, to their prescreened clients.[8] Specifically, we described how certain federal laws place restrictions on how some Internet resellers obtain, use, and disclose consumer information. The limitations these laws afford are shown in table 1.

[5] GAO, Social Security: Government and Other Uses of the Social Security Number Are Widespread, GAO/T-HEHS-00-120 (Washington, D.C.: May 18, 2000).

[6] GAO/HEHS-99-28.

[7] GAO, Social Security Numbers: Ensuring the Integrity of the SSN, GAO-03-941T (Washington, D.C.: July 10, 2003).

[8] GAO, Social Security Numbers: Private Sector Entities Routinely Obtain and Use SSNs, and Laws Limit the Disclosure of This Information, GAO-04-11 (Washington, D.C.: January 22, 2004).

Table 1: Aspects of Selected Federal Laws Affecting Public and Private Sector Disclosure of Personal Information

Gramm-Leach-Bliley Act (GLBA)
  Restrictions on disclosure: Creates a new definition of nonpublic personal information that includes SSNs and gives consumers the right to limit some, but not all, sharing of their nonpublic personal information. Financial institutions can disclose consumers' nonpublic information without offering them an opt-out right under certain circumstances permissible under the law, such as to protect the confidentiality or security of the consumer's record and to prevent actual or potential fraud.
  Entities affected: Financial institutions such as credit bureaus and entities that receive data from financial institutions

Fair Credit Reporting Act (FCRA)
  Restrictions on disclosure: Limits access to consumer reports, which generally include SSNs, to those who have a permissible purpose under the law, such as state or local officials involved in the enforcement of child support cases or determining eligibility for employment.
  Entities affected: Consumer reporting agencies and users of consumer reports

Fair and Accurate Credit Transactions Act (FACTA)
  Restrictions on disclosure: Amends FCRA to allow, among other things, consumers who request a copy of their credit report to also request that the first five digits of their SSN (or similar identification number) not be displayed; requires consumer reporting agencies and any business that uses consumer reports to adopt procedures for proper disposal of such reports.
  Entities affected: Consumer reporting agencies and users of consumer reports

Driver's Privacy Protection Act (DPPA)
  Restrictions on disclosure: Prohibits disclosing personal information from a motor vehicle record, including SSNs, except for purposes permissible under the law.
  Entities affected: State departments of motor vehicles, department of motor vehicle employees or contractors, and recipients of personal information from motor vehicle records

Source: GAO analysis.

Internet Resellers' Web Sites Shared Similar Characteristics

The Web sites of the 154 Internet resellers we reviewed had similar characteristics. Most resellers offered a variety of information that could be purchased, from telephone records to credit reports. In addition, Internet resellers also offered to sell information in various ways, from packaged information, such as the various information that would be collected through a background check or a search of a person's criminal records, to single types of information, such as a credit score. These resellers usually listed the types of clients that they market their services to and broadly identified their sources of information.

Internet Resellers Offered to Sell a Variety of Information in Various Ways

We found that Internet resellers offered to sell a variety of information to anyone willing to pay a fee. On average, resellers offered about 8 types of services, and two offered 20 types of informational services. As shown in figure 1, the majority of resellers offered to sell anywhere from 1 to 10 informational services.
Figure 1: Number of Services Provided by the 154 Internet Resellers

The Internet resellers offering the fewest services tended to specialize in services provided to the public. For example, most of the resellers offering only one service were resellers that specialized in helping locate an individual. Others offered services related to employment or background checks.

Internet resellers also offered different ways for buyers to purchase their information. For example, some offered memberships that allowed online access to the reseller's information, with the member performing the search. Another reseller offered to sell a software package that would allow a buyer to purchase access to the Internet reseller's information through the purchased software and allowed many different types of information searches. The majority of resellers would require selected information about the buyer and then would perform the data search and provide an information report to the buyer.

We identified over 50 types of information offered for purchase by these resellers, which we categorized into six major categories: personal, legal, financial, employment, driver or vehicle, and telephone. Table 2 gives examples of the types of information found in these categories.

Table 2: Categories and Examples of Information Provided by Internet Resellers

Information category   Types of information in this category
Personal               Name, SSN, aliases, current and previous addresses, telephone number, and date of birth or age
Legal                  Federal, state, and county criminal records checks
Financial              Credit reports, credit cards, bank accounts, and bankruptcy records search
Employment             Employment history and salary or income verification
Driver or vehicle      Driver's license number and driver's history report
Telephone              Telephone and cell phone records, and name and address of an individual based on his telephone or cell phone number

Source: GAO analysis.
All the resellers offered to sell information from at least one of the six categories. However, not all resellers offered to sell driver or vehicle information, or telephone information. For example, only 85 of the 154 resellers we reviewed offered to sell some type of driver's information, while 56 resellers offered to sell telephone information.

We found that Internet resellers either sold their information as a part of a package or sold single pieces of information. For example, resellers sold packaged information such as background checks, criminal checks, or employment checks/tenant screenings. Of the packaged information, we found that background checks provided the most extensive information. A background check may include personal, legal, and financial information, such as name, SSN, address, and information on neighbors, relatives, and associates. Such checks may include national, state, or county criminal records searches and bankruptcy and lien information.[9] Other packages, such as criminal records packages, may include national, state, and county criminal records searches, sex offender searches, and civil litigation. Employment checks/tenant screenings may include current and past employment, SSN verifications, and national, state, and county criminal records searches.

[9] A lien is a charge upon real or personal property for the satisfaction of some debt or duty.

Internet Resellers Usually Identified Their Clients

Over 80 percent of Internet resellers identified the clients to whom they marketed their information. Internet resellers identified their clients in several ways. About 60 percent of the time, resellers used the information sections of their Web sites to identify their clients. Web pages such as "Frequently Asked Questions," "Help," or "About Us" were frequently used to identify their clients.
For example, the "About Us" Web page generally provided a brief description of the Internet reseller's business and would often describe the clients it marketed to. Other ways in which resellers marketed to their clients were through testimonials or in a separate section on their Web page.

Internet resellers marketed their services to a variety of clients. As shown in table 3, individuals, businesses, and attorneys were the most frequently identified clients. Some of the businesses resellers identified were Fortune 500 companies and retailers. For the financial institution clients, resellers mostly identified banks. In addition, most of the Internet resellers' clients were from the private sector, although some had government and law enforcement agency clients. Finally, we found that most of the resellers had multiple types of clients. About 30 percent of the resellers identified only one type of client.

Table 3: Types of Clients to Which Internet Resellers Market Their Services

Types of clients                         Internet resellers that marketed to these clients
Individuals                              84
Businesses                               72
Attorneys                                42
Financial institutions                   29
Insurance agents or agencies             26
Private investigators                    23
Government or law enforcement agencies   21
Collection agencies                      12
Landlords                                11
Health services                           8
Other                                    16

Source: GAO analysis.

Three-Quarters of Internet Resellers Identified Their Sources of Information

About 75 percent, or 115, of the Internet resellers identified the source of their information on their Web sites. Most of these resellers obtained their information from public or nonpublic sources or a combination of both. For example, a few resellers offered to conduct a background investigation on an individual, which included compiling information on the individual from court records and using a credit bureau to obtain consumer credit data. Some used public records as their only source of information.
The most frequently identified public records were court records, department of motor vehicle records, real property records, legal judgments, and bankruptcy records. We found that about one-third of the Internet resellers used only one source of information. More often, they used a combination of the three sources. Figure 2 below shows the various combinations of sources of information.

Figure 2: Combinations of the Sources of Information Used by Internet Resellers

Most Attempts to Purchase SSNs Failed

Most of our attempts to purchase SSNs from a select group of resellers failed. Of the 154 Internet resellers' Web sites we reviewed, 53, almost 35 percent, offered to sell SSNs. We attempted to purchase SSNs from 21 resellers that were chosen because they required minimal information about prospective buyers or about the person whose SSN we wanted to obtain. Of the 21 resellers from which we tried to purchase SSNs, only 5 provided some form of an SSN. As shown in table 5, the reasons for being unable to obtain SSNs from 16 of the 21 resellers varied.

Table 5: Reasons Internet Resellers Did Not Provide SSNs

Reason                                                                                        Internet resellers
Required additional legal documentation of permissible purpose for obtaining the information    4
Refused because of state privacy laws                                                           1
Required forms of payment other than a credit card                                              1
No record found on subject                                                                      1
Reason unknown                                                                                  9
Total                                                                                          16

Source: GAO analysis.

Nine resellers, a majority of the resellers that did not sell SSNs to us, did not explain why but simply did not provide the information we sought. Four of the remaining resellers attempted to contact us to request legal documentation to support a permissible purpose for obtaining the information. However, since we attempted to purchase SSNs as a member of the general public, we could not provide the requested information.
One of these resellers sent us an e-mail asking us to fax a signed letter stating our reason for obtaining a person's SSN and a copy of our driver's license to verify our identity, which we could not provide. We contacted the other three to find out why prospective buyers were required to have a permissible purpose. One reseller told us that the company is audited every year by the government and that a legal document request was part of its security screening of its customers. The other two stated that some form of legal documentation, such as a certified copy of a court order, was required in order for their companies to release the information.

In addition to receiving one full and four truncated SSNs, we also received other information related to our purchases. Given that we only received SSNs as a part of packaged information, we were not surprised that we received additional information about the person whose SSN we were trying to obtain. For example, the two Internet resellers that provided some form of SSN in a background check report also provided the following information:

o the person's current and previous addresses,
o date of birth,
o a list of other names associated with the person,
o a list of their neighbors,
o tax liens and judgments against the person, and
o properties owned by the person.[10]

However, in one case we received unexpected and unrequested information. In this case, we did not receive the SSN of the person whose number we requested, but instead received the truncated SSNs of the person's past and present neighbors, information we did not request.

Five of the 21 resellers from whom we attempted to purchase SSNs did provide us with some form of an SSN. We received one full nine-digit SSN and four truncated SSNs. All five resellers that supplied an SSN provided the SSN as a part of a package of information.
As shown in table 6, the full SSN was obtained as a part of a background check, and the four truncated SSNs were provided as a part of a "people locator" package, a background package, and an employment trace. We attempted to order SSNs from five resellers that offered to sell the SSN alone, and we were unable to obtain an SSN from those resellers. 10The list of personal information represents some of the information the two resellers provided in background check reports. Table 6: Results of Attempted SSN Purchases Orders Received full Received SSN services placeda SSN truncated SSN SSN alone 5 0 0 (e.g., Locate an SSN, search for Social Security numbers, and SSN search) Background check or investigation 6 1 1 People locator or search 5 0 2 Employment trace 1 0 1 Other information packages 4 0 0 Total 21 1 4 Source: GAO analysis. a.Does not include three attempted orders where we received an error message after submitting our information that terminated our transaction. We also found a wide range of the costs for information services when we tried to purchase SSNs. The packages of information we attempted to purchase ranged from about $4 to $200 compared to the costs to purchase individual SSNs that ranged from about $15 to $150. The range of costs from the five resellers that provided some form of the SSN was about $20 to $200. The Internet reseller that provided the full SSN did so for $95. Of the four resellers that gave us truncated SSNs, three of these disclosed on their Web sites that they would provide full SSNs, but only under certain circumstances. For example, one reseller said that, by law, it cannot provide a person's SSN to any third party. Another required the customer to have a legitimate reason for requesting the information under laws such as GLBA. This reseller said it may not provide the full SSN if the customer did not meet those requirements. None explained why they only provided the first five digits. 
All resellers that provided truncated SSNs showed the first five digits and masked the last four digits. We interviewed industry representatives and privacy experts to determine if this way of truncating the SSN was the standard practice among private sector entities. Industry representatives and privacy experts told us that entities in other industries may truncate the SSN differently from the truncated SSNs we bought from Internet resellers. For example, consumer data industry representatives said that members of their association decide for themselves how and when to truncate SSNs. One consumer reporting agency we spoke to told us that on reports it provides directly to consumers it truncates the SSN by masking the first five digits and displaying only the last four. Some privacy experts said that certain entities that use SSNs as identifiers on lists, such as universities, also truncate the number by masking the first five digits. In addition, SSA masks the first five digits of the SSN on the Social Security Statements mailed to individuals over the age of 25 who have an SSN and have wages or earnings from self-employment.

On the basis of our discussions with government officials and industry representatives, we could not identify any industry standards or guidelines for truncating SSNs. None of the officials we spoke to knew for certain why either method (masking the first five digits or masking the last four digits) was used or how such methods came into use. In addition, when we asked officials which way of truncating the SSN better protects it from misuse, there was no consensus among them, and no one knew of any research regarding this issue. Some officials said that although truncation could provide some protection for SSNs, it is unlikely to be foolproof.

There are also few, if any, federal laws that require or regulate truncating the SSN. Currently, FCRA has a specific provision relating to truncating SSNs. Under this law consumers can request that their SSN be truncated to display only the last four digits on any consumer report they request about themselves. The Judicial Conference of the United States issued rules, effective in December 2003, requiring that SSNs be truncated to mask the first five digits in newly filed electronically available bankruptcy court documents. Federal agency officials whom we spoke to said that Congress or SSA should decide how SSNs should be truncated.

The Social Security Act of 1935 authorized SSA to establish a record-keeping system to help manage the Social Security program and resulted in the creation of the SSN. Through a process known as enumeration, unique numbers are created for every person as a work and retirement benefit record for the Social Security program. According to SSA officials, the law does not address the use of the number by private and public sector entities. SSA officials said that SSA regulates only the agency's use of SSNs and does not have legal authority over SSNs used by others.

Applicability of Federal Privacy Laws to Internet Resellers Cannot Be Determined

Federal privacy laws that restrict the disclosure of personal information could be applicable to Internet resellers, but there was insufficient evidence on the resellers' Web sites we reviewed to determine if they met specific statutory definitions. Federal privacy laws such as the FCRA, GLBA, and DPPA apply primarily to entities that meet specific statutory definitions.
For example, FCRA applies primarily to a consumer reporting agency, which is defined as any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing "consumer reports."11 In addition, these laws allow for disclosure of personal information for certain permissible purposes, and those who request or receive information from an entity meeting those statutory definitions may also have obligations under these laws. For example, FCRA generally prohibits "consumer reporting agencies" from furnishing "consumer reports" to third party users unless it is for a permissible purpose; before a consumer reporting agency provides "consumer report" information to a prospective user, the prospective user must certify the purposes for which the information is sought and that it will be used for no other purpose.12 GLBA and DPPA also contain prohibitions against re-disclosure of personal information covered by those laws.13

FCRA, GLBA, and DPPA could apply to Internet resellers that identify themselves as one of the statutorily defined entities covered under the laws (consumer reporting agencies for FCRA, financial institutions for GLBA, and state motor vehicle departments for DPPA) or that received information from such entities. We found four resellers that identified themselves as one of the statutorily defined entities. Three stated on their Web sites that they were consumer reporting agencies and the other stated it was a credit bureau. However, we did not find similar information on the remaining 150 resellers' Web sites to determine what type of entity they were. In addition, we found that some resellers identified the source of their information generally, but did not link information sources to particular pieces of information. For example, about 7 percent of the resellers identified "Department of Motor Vehicle records" as the source of some of their information and offered to search for personal information based on a driver's license number, license plate number, or vehicle identification number. However, most did not specify which personal information came from the "Department of Motor Vehicle records" or any state motor vehicle departments. Therefore, we could not determine if FCRA, GLBA, and DPPA were applicable to the majority of resellers we reviewed.

11 15 U.S.C. § 1681a(f). FCRA defines a "consumer report" as any written, oral, or other communication of "any information by a consumer reporting agency bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer's eligibility for: (1) credit or insurance to be used primarily for personal, family, or household purposes; (2) employment purposes; or (3) any other purpose authorized under section 1681b of this title." 15 U.S.C. § 1681a(d).

12 15 U.S.C. § 1681e.

13 15 U.S.C. § 6802(c); 18 U.S.C. § 2721(c).

Our review of the resellers' Web sites found that 79 of them, about 50 percent, referenced one or more federal privacy laws. As shown in figure 3, the most frequently mentioned laws were FCRA, GLBA, and DPPA.

Figure 3: Frequency of Federal Privacy Laws Cited by Internet Resellers

We also found that 5 out of the 154 Internet resellers referenced state laws on their Web sites. Two stated adherence to the California Investigative Consumer Reporting Act, which allows a consumer to review any files concerning that consumer maintained by an "investigative reporting agency." One cited two California consumer laws. One law allows California consumers to remove their names from credit bureau mailing lists used for unsolicited pre-approved credit offers for a minimum of 2 years. It also provides identity theft victims and other consumers with increased rights regarding consumer credit reports, including requiring the deletion of inquiries resulting from identity theft. The other California law prohibits consumer credit reporting agencies that furnish reports for employment purposes from reporting information on the age, marital status, race, color, or creed of any consumer and requires the user of the report to provide written notice to the consumer. The law also requires that the consumer be provided a free copy of the report upon request. Another reseller cited a Florida statute that governs divulging investigative information, and yet another reseller stated adherence to the Michigan Private Detective License Act. Both state laws regulate the activities of private investigators.

Conclusions

Although personal information is widely available on the Internet to anyone willing to pay a fee, SSNs appear to be difficult to obtain from the Internet resellers we contacted. Few of the Internet resellers' Web sites we reviewed offered to sell an individual's SSN outright, and even those that did make such an offer did not follow through. Thus, the perception that anyone willing to pay a fee can easily obtain someone's SSN does not appear to be valid. Our experiences indicate that it is more likely that a buyer would not be able to purchase an SSN or would receive a truncated version of an SSN from Internet resellers.
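The two truncation conventions discussed earlier in this report (the first-five-visible form the Internet resellers supplied, and the last-four-visible form used on FCRA consumer-requested reports, electronic bankruptcy filings, and Social Security Statements), shown as an added Python example that is not part of the GAO report. It assumes SSNs are handled as nine-digit strings with masked digits written as "X"; the sample number is a constructed one from the range SSA reserves for advertising, not a real person's SSN. The exposure check makes explicit the point behind the report's argument for a single standard: under one convention, any number of truncated disclosures reveal the same digits, while two disclosures of the same record under different conventions together reveal the whole number.

```python
# Added example (not from the GAO report): the two SSN truncation conventions
# the report describes, and a check for the exposure that mixing them creates.
# Assumptions: an SSN is handled as a nine-digit string with optional hyphens,
# and masked digits are written as "X". The sample number is constructed for
# this example (SSA reserves 987-65-4320 through 987-65-4329 for advertising).
from typing import Iterable, Set

SSN_DIGITS = 9
MASK = "X"


def _digits(ssn: str) -> str:
    """Strip hyphens and validate that exactly nine digits remain."""
    digits = ssn.replace("-", "")
    if len(digits) != SSN_DIGITS or not digits.isdigit():
        raise ValueError("expected a nine-digit SSN")
    return digits


def _format(chars: str) -> str:
    """Render nine characters in the conventional AAA-GG-SSSS layout."""
    return f"{chars[:3]}-{chars[3:5]}-{chars[5:]}"


def mask_last_four(ssn: str) -> str:
    """Convention the Internet resellers used: first five digits visible,
    last four masked (e.g. 987-65-XXXX)."""
    digits = _digits(ssn)
    return _format(digits[:5] + MASK * 4)


def mask_first_five(ssn: str) -> str:
    """Convention on FCRA consumer-requested reports, Judicial Conference
    bankruptcy filings, and SSA statements: first five masked, last four
    visible (e.g. XXX-XX-4321)."""
    digits = _digits(ssn)
    return _format(MASK * 5 + digits[5:])


def exposed_positions(disclosures: Iterable[str]) -> Set[int]:
    """Digit positions (0-8) revealed by at least one of several truncated
    disclosures of the same SSN, however each source chose to mask it."""
    exposed: Set[int] = set()
    for disclosure in disclosures:
        chars = disclosure.replace("-", "")
        if len(chars) != SSN_DIGITS:
            raise ValueError("a truncated SSN must still have nine positions")
        exposed.update(i for i, ch in enumerate(chars) if ch.isdigit())
    return exposed


def fully_exposed(disclosures: Iterable[str]) -> bool:
    """True when the disclosures together reveal every digit, i.e. the
    truncation has protected nothing."""
    return len(exposed_positions(disclosures)) == SSN_DIGITS


if __name__ == "__main__":
    sample = "987-65-4321"  # constructed sample, not a real person's SSN
    reseller_view = mask_last_four(sample)
    statement_view = mask_first_five(sample)
    # Same convention everywhere: repeated disclosures add no digits.
    assert not fully_exposed([reseller_view, reseller_view])
    # Mixed conventions: two disclosures of one record expose all nine digits.
    assert fully_exposed([reseller_view, statement_view])
    print(reseller_view)
    print(statement_view)
```

The check treats any digit character in a disclosure as exposed, so it works for both conventions and for any other partial masking a source might use; a standardized scheme is one under which exposed_positions returns the same set no matter how many sources are combined.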
However, our work does suggest that someone seeking an SSN may be able to obtain a truncated SSN, and depending on the entity, the SSN may be truncated in various ways. Standardizing the truncation of the SSN could provide some protection from SSNs being misused. Under a standardized approach, the same digits of the SSN would be the only information transmitted, no matter the source from which the SSN is obtained. Given SSA's role in assigning SSNs, SSA is in the best position to determine whether truncation should be standardized, but because the agency does not have specific authority to regulate truncation, SSN truncation will continue to vary.

Matter for Congressional Consideration

Since there is no consistently practiced method for truncating SSNs, and no federal agency has the authority to regulate how SSNs should be truncated, Congress may wish to consider enacting standards for truncating SSNs or delegating authority to SSA or some other governmental entity to issue standards for truncating SSNs.

Agency Comments and Our Evaluation

We provided a draft of this report to the Social Security Administration for comment and received a written response from the administration (included as app. II). SSA agreed that standardizing the truncation of SSNs would be beneficial and supported our recommendation for congressional action. In addition, SSA stated that while it does not have the legal authority to compel organizations to truncate SSNs or to specify how such truncating should be done, it would be willing to publish information on best practices for truncating SSNs on SSA's Web site. We also provided a draft of this report to the Federal Trade Commission for technical review and received comments that were incorporated as appropriate.

We are sending copies of this report to the Chairman of the Federal Trade Commission, the Commissioner of the Social Security Administration, appropriate congressional committees, and other interested parties.
In addition, the report will be available at no charge on GAO's Web site at http://www.gao.gov/. If you have any questions concerning this report, please contact me at (202) 512-7215. Contact points for our offices of Congressional Relations and Public Affairs may be found on the last page of this report. Other contacts and acknowledgments are listed in appendix III.

Barbara D. Bovbjerg
Director, Education, Workforce, and Income Security Issues

Appendix I: Scope and Methodology

To describe readily identifiable Internet resellers, we created a list of Internet reseller Web sites. To create this list, we used Internet search techniques and keyword search terms that we thought members of the general public would use if they were trying to obtain someone else's Social Security number (SSN). We conducted our searches using three major Internet search engines: Google, Microsoft Network (MSN), and Yahoo. Within each of these search engines we conducted our searches using keywords such as "find social security number," "find ssn," "purchase social security number," and "public records search." We chose these keywords based on the advice of privacy experts and the team's judgment on terms that would yield Web sites that sell personal information including the SSN. Our searches resulted in 1,036 Web sites that we then reviewed to determine whether they were live sites,1 redirected sites,2 or duplicate sites operated by the same reseller. Nineteen percent of the 1,036 Web sites took us to another Internet reseller Web site that was included in our list. Most of these redirected sites took us to two Internet resellers that offered online memberships, which allowed access to their databases, and affiliate programs, which allowed others to link their Web sites to the resellers' Web sites.
More than one-half of the 1,036 Web sites were inactive at the time a GAO analyst attempted to access the site. In addition, we found a few Web sites that were operated by the same reseller and were similar in appearance. As a result, we ended up with a list of 226 sites that we included in our review. We recognize that had we used different search engines, different keywords, and a different point in time, we may have identified a different list of sites.

To describe the types of readily identifiable Internet resellers that have SSN-related services and characteristics of their businesses, we developed a Web-based data collection instrument (DCI) for GAO analysts to document selected information contained on the Internet resellers' Web sites. We used the DCI to record information from the Web pages that contained items that addressed the types of SSN-related services and information that the resellers sold, the sources of the information, and the types of clients to whom the site marketed. To ensure that the entry of the DCI data conformed to GAO's data quality standards, each DCI was reviewed by one of the other GAO analysts. Tabulations of the DCI items were automatically generated from the Web-based DCI software. Supplemental analyses were conducted using a statistical software package. For these analyses, the computer programs were checked by a second, independent analyst. Our analyses found 154 Internet resellers with SSN-related services.

1 A live site is a Web site that is currently in operation and offers online services. The Web sites were live when a GAO analyst reviewed the uniform resource locator (URL) for the survey. Those Web sites considered not live displayed an error message noting that the Web site was no longer in operation.

2 A redirected Web site is a site that acts as a portal to other Web sites. Several reseller Web sites have links to other individual reseller sites. For this survey, we reviewed the individual reseller sites and not the portal sites.

To determine the extent to which Internet resellers sell Social Security numbers, we analyzed data collected from the review of Internet resellers just described, attempted to purchase SSNs from a nonprobability sample of Internet resellers, and collected data about the transactions. We used information collected from the DCI to derive a nonprobability sample of Internet resellers from which to purchase SSNs. The criteria we used to select the resellers for our attempted purchases included the following: (1) the Web site advertised the sale of an SSN without the customer's having to provide the SSN of the subject of our inquiry, (2) the Web site advertised the sale of an SSN to the general public, and (3) the transaction could be made online through the Internet reseller's Web site using a credit card. We collected information about the purchases including cost, the information that was required about the search subject and the purchaser (including the permissible purpose), whether the site contacted us to verify our information or our permissible purpose, and whether the SSN was provided and, if it was, whether the full or a truncated SSN was provided.

In addition, we interviewed staff from the Federal Trade Commission, officials from the Social Security Administration, one of the three national consumer reporting agencies, the Consumer Data Industry Association (an international trade association that represents consumer information companies), and five privacy experts to obtain their views about the use of SSN truncation as a means for safeguarding the number. We also reviewed prior GAO work and performed literature and Internet searches about SSN truncation.

To determine the applicability of federal privacy laws to Internet resellers, we reviewed federal laws and the resellers' Web sites for information about the resellers' type of entity and sources of information. However, in most instances these resellers did not have sufficient information on their Web sites to determine if they were in compliance with these laws. Specifically, we were unable to determine whether most of these resellers met the definitions specified by these laws such as "financial institution," "consumer reporting agency," or an "officer, employee, or contractor" of a "State Motor Vehicle Department." We also were unable to determine the resellers' specific sources for particular pieces of information. Although Internet resellers generally did not identify their type of entity or their sources of information, we recorded whether they stated adherence to any federal privacy laws.

Appendix II: Comments from the Social Security Administration

Appendix III: GAO Contact and Staff Acknowledgments

GAO Contact

Barbara D. Bovbjerg, (202) 512-7215

Staff Acknowledgments

In addition to the contact above, Tamara Cross, Assistant Director, Margaret Armen, Patrick Bernard, Richard Burkard, Ellen Chu, John Cooney, Benjamin Federlein, Evan Gilman, Richard Harada, Joel Marus, Andrew O'Connell, Stanley Stenersen, Jacquelyn Stewart, and Lacy Vong made important contributions to this report.

(130470)

GAO's Mission

The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony

The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site (www.gao.gov). Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to www.gao.gov and select "Subscribe to Updates."

Order by Mail or Phone

The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to:

U.S. Government Accountability Office
441 G Street NW, Room LM
Washington, D.C. 20548

To order by Phone:
Voice: (202) 512-6000
TDD: (202) 512-2537
Fax: (202) 512-6061

To Report Fraud, Waste, and Abuse in Federal Programs

Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: [email protected]
Automated answering system: (800) 424-5454 or (202) 512-7470

Congressional Relations

Gloria Jarmon, Managing Director, [email protected], (202) 512-4400
U.S. Government Accountability Office, 441 G Street NW, Room 7125
Washington, D.C. 20548

Public Affairs

Paul Anderson, Managing Director, [email protected], (202) 512-4800
U.S. Government Accountability Office, 441 G Street NW, Room 7149
Washington, D.C. 20548

www.gao.gov/cgi-bin/getrpt?GAO-06-495

To view the full product, including the scope and methodology, click on the link above. For more information, contact Barbara D. Bovbjerg at (202) 512-7215 or [email protected].

Highlights of GAO-06-495, a report to congressional requesters

May 2006

SOCIAL SECURITY NUMBERS
Internet Resellers Provide Few Full SSNs, but Congress Should Consider Enacting Standards for Truncating SSNs

We found 154 Internet information resellers with SSN-related services. Most of these resellers offered a range of personal information, such as dates of birth, drivers' license information, and telephone records. Many offered this information in packages, such as background checks and criminal checks. Most resellers also frequently identified individuals, businesses, attorneys, and financial institutions as their typical clients, and public or nonpublic sources, or both, as their sources of information.

In attempting to purchase SSNs from 21 of the 53 resellers advertising the sale of such information, we received 1 full SSN, 4 truncated SSNs displaying only the first five digits, and no SSNs from the remaining 16. In one case, we also received additional unrequested personal information, including truncated SSNs of the search subject's neighbors. We also found that some other entities truncate SSNs by displaying the last four digits. According to experts we spoke to, there are few federal laws and no specific industry standards on whether to display the first five or last four digits of the SSN, and SSA officials told us the agency does not have the authority to regulate how other public or private entities use SSNs, including how they are truncated.

We could not determine if federal privacy laws were applicable to the Internet resellers because such laws depend on the type of entity and the source of information, and most of the resellers' Web sites did not include this information. However, these laws could apply to resellers; 4 of the resellers we examined had Web sites identifying the type of entity they were. About one-half of the resellers cited adherence to one or more federal privacy laws, and a few referenced state laws.

How the General Public Can Purchase Information from Internet Resellers

GAO previously reported on how large information resellers like consumer reporting agencies obtain and use Social Security numbers (SSNs). Less is known about information resellers that offer services to the general public over the Internet. Because these resellers provide access to personal information, SSNs could be obtained over the Internet. GAO was asked to examine (1) the types of readily identifiable Internet resellers that have SSN-related services and characteristics of their businesses, (2) the extent to which these resellers sell SSNs, and (3) the applicability of federal privacy laws to Internet resellers.

What GAO Recommends

Since there is no consistently practiced method for truncating SSNs and no federal agency has the authority to regulate how SSNs could be truncated, Congress may wish to consider enacting standards for truncating SSNs or delegating authority to the Social Security Administration (SSA) or some other governmental entity to issue standards for truncating SSNs. In commenting on a draft of this report, SSA agreed that standardizing the truncation of SSNs would be beneficial and supported our recommendation for congressional action.