SSA and Privacy

Panel statement on
Privacy Protection for Social Security Information

Gio Wiederhold.

updated 29 May 1997
Computer Science Department
Stanford University
gio@cs.stanford.edu

The Social Security Administration has the obligation to make benefit information available to its many clients. Social Security benefits are a major factor in retirement planning for U.S. residents, and also play a role in determining adequate levels of insurance against pre-retirement risks, such as disability or the loss of family members. While the general formulas are available to all, the rules depend on prior earnings, age at retirement, and accumulated earnings within windows of prior years, and are hard for many individuals to assess on their own.

A Personal Earnings and Benefits Estimate Statement (PEBES) has been available for a number of years now. The paper form can be requested by postcard or on the web, and is mailed about 4 weeks after receipt of the request. Earlier this year, PEBES information could also be obtained on-line from the web (see www.SSA.GOV). On-line access has raised many concerns about the protection of the privacy of information held in the Social Security Administration's systems. While the PEBES information itself is limited, the concerns raised are broader.

The files of the Social Security Administration contain information about the earnings of most U.S. residents (up to the statutory maximum of about $65,000), indications of their employment history, and, for beneficiaries of disability and old-age benefits, much data about their health status. While the information is not very deep, it can also provide pointers for further mining of personal information, since the Social Security Number has become a ubiquitous identifier for residents of the U.S.A.

Protecting the privacy of SSA information is a legitimate concern, to ward off excessive prying by governmental investigators, legal beagles, competitors in politics and the professions, and marketing agencies. Rational analysis may minimize the problem, but the system has to deal with perception, and even a few cases of misuse will cause poor publicity far beyond their real cost. Traditional protection analysis weighs the cost of improper access and divulgence against the benefit to the receiver. Such an analysis will be comforting to the SSA, but ignores the perceived cost to the clients. For instance, avoidance of embarrassment has a value that is hard to assess.

To protect the privacy of information captured in the files of the Social Security system requires authenticated access, reliable systems, and validation of the information being returned. The emphasis in security protection has been on authentication, on determination of the derived authorization, and on provision of the appropriate access rights. Many problems remain in those areas, not the least being the assignment and maintenance of identifiers and passwords by individuals. The current PEBES system has used only name, SSN, date of birth, place of birth, and mother's maiden name. Unfortunately these are generally obtainable by anyone even moderately determined to gain access: none of them is secret, and all of them are stable for life, so once learned they cannot be revoked or changed the way a password can. The large family-tree files accessible through Broderbund, the Church of Latter-Day Saints, and other organizations provide much of this information.

Use of a personal identification number (PIN) is problematic, since PINs for accessing PEBES information will be used infrequently and hence forgotten. If clients can choose them, they are likely to be identical to the PINs used to access ATMs, electronic wallets, and other computerized services, so that a compromise of any one of those services leaks into the SSA system. The practical issues that arise in large-scale systems have not been addressed as intensely. For a population of hundreds of millions there are bound to be a substantial number of erroneous or mislaid identifiers. Even at banks, where PINs are used frequently, there is a significant workload in resolving PIN problems. There will also be instances of duplicate name and PIN combinations in a system of the SSA's size.

Furthermore, in a system of this size, there is bound to be a considerable amount of misfiled information, even if the error rate is smaller than that achieved today in well-managed commercial operations. Hence there must also be a validation of information that has been legitimately accessed, before it can be returned to the requestor, and a validation that the receiver is identical to the authenticated requestor: a correctly authenticated request that returns someone else's misfiled record, or that delivers the right record to the wrong party, is a privacy breach just as much as a broken login.

Technology to achieve these objectives at the scale needed is not routinely available, and the primary technology for protecting information, namely cryptography, cannot by itself solve issues of system architecture and maintenance. A compromise will be needed to balance the legitimate need for access to all the information on individuals held in the files of the Social Security Administration (SSA) against reasonable protection of privacy. Once acceptable policies are set, the technology that will support these policies in a realistic, large-scale environment can be assessed.

Filtering of results is currently uncommon. Our research into protecting healthcare information on the Internet has demonstrated the function and utility of security mediators, which sit between the requestor and the data and check each result against policy before it is released, and initial commercial implementations are now in progress. But any system, if it is to be responsive, must be augmented by responsible individuals, both to monitor correct operation and to avoid frustrating clients who encounter problems.
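To make concrete the two validations called for above (that the record retrieved really belongs to the authenticated requestor, and that the result reaches only that requestor) together with the result filtering a security mediator performs, here is an added Python sketch. It is not SSA code and not the mediator implementation from the author's healthcare research; the record store, the PEBES field policy, the session binding, the decision log and the deliberately misfiled record are all constructed for this illustration.

```python
"""Security-mediator sketch: validate a record before it leaves the system.

Constructed example, not SSA code. The record store, the field policy, the
session/channel binding and the misfiled record are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical earnings records keyed by SSN. The second entry is deliberately
# misfiled: the SSN is Dora Sample's, but the data filed under it is Carl's.
RECORDS: Dict[str, dict] = {
    "123-45-6789": {"name": "ANN EXAMPLE", "dob": "1950-03-12",
                    "earnings": {1995: 41000, 1996: 43500},
                    "estimated_benefit": 1180,
                    "disability_diagnosis": "none on file"},
    "987-65-4321": {"name": "CARL SAMPLE", "dob": "1948-11-02",
                    "earnings": {1995: 52000, 1996: 54000},
                    "estimated_benefit": 1410,
                    "disability_diagnosis": "lumbar injury"},
}

# Fields the PEBES channel may release. Health data is never released through
# this channel, even to the subject, because its authentication is weak.
PEBES_FIELDS = ("name", "earnings", "estimated_benefit")

# Decision log for the responsible individuals who monitor the mediator.
AUDIT_LOG: List[str] = []


@dataclass
class Session:
    """Identity established at authentication time, bound to one return channel
    (for example the postal address or terminal for which a PIN was issued)."""
    ssn: str
    name: str
    dob: str
    return_channel: str


@dataclass
class Decision:
    released: Optional[dict]
    reason: str
    needs_human_review: bool = False


def normalize(s: str) -> str:
    """Case- and whitespace-insensitive comparison of names."""
    return " ".join(s.upper().split())


def mediate(session: Session, deliver_to: str) -> Decision:
    """Return only a validated, filtered record, or refuse and log why."""
    rec = RECORDS.get(session.ssn)
    if rec is None:
        d = Decision(None, "no record filed under the authenticated SSN", True)
    else:
        # 1. Validate that the record found belongs to the authenticated person:
        #    the identity fields on the record must agree with the ones
        #    established at authentication. A disagreement is the signature of
        #    a misfiled record and goes to a human rather than to the client.
        mismatches = [f for f, want in (("name", normalize(session.name)),
                                        ("dob", session.dob))
                      if (normalize(rec[f]) if f == "name" else rec[f]) != want]
        if mismatches:
            d = Decision(None, "record/requestor mismatch on " +
                         ",".join(mismatches), True)
        # 2. Validate that the receiver is the authenticated requestor: results
        #    go only to the channel bound at authentication, never to a channel
        #    named in the request itself.
        elif deliver_to != session.return_channel:
            d = Decision(None, "delivery channel differs from authenticated "
                         "channel", False)
        # 3. Filter: release only the PEBES subset of the record.
        else:
            d = Decision({k: rec[k] for k in PEBES_FIELDS}, "released")
    AUDIT_LOG.append(f"{session.ssn} -> {deliver_to}: {d.reason}")
    return d


if __name__ == "__main__":
    ann = Session("123-45-6789", "Ann Example", "1950-03-12", "mail:ann")
    print(mediate(ann, "mail:ann"))          # released, no health field
    print(mediate(ann, "mail:someone-else")) # refused: wrong channel
    dora = Session("987-65-4321", "Dora Sample", "1952-07-30", "kiosk:42")
    print(mediate(dora, "kiosk:42"))         # refused: misfiled, human review
```

The third check is the one the PEBES channel needs most: the misfiled record is reached by a perfectly valid login, so no amount of stronger authentication would have caught it; only comparing the record against the identity established at authentication does.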

Since it is unlikely that the SSA can handle the load directly, there will have to be intermediate, mediating agents, designed with the problems that arise at this scale of operation in mind. The technology must support human agents with high-quality tools if an acceptable level of service is to be provided.

It is unclear what organization, internal or external to the SSA, should provide these mediating services. Suggestions include access at public libraries, post offices, and, of course, local SSA offices. At those sites a personal identification number (PIN) could be issued after in-person authentication, so that repeat inquiries could then be made from home or other sites without human mediation.