As fallout from the Equifax hack continues to raise questions about how to protect Americans' personal information, one option on the table is getting rid of Social Security numbers altogether.
"I feel very strongly that the Social Security number has outlived its usefulness," Rob Joyce, the White House's cybersecurity coordinator said at The Washington Post's Cybersecurity Summit on Tuesday. "Every time we use the Social Security number, you put it at risk." He made similar comments at the Cambridge Cyber Summit on Wednesday, while ex-Equifax CEO Richard Smith said basically the same thing during testimony to the U.S. House Committee on Energy and Commerce.
To understand why the government's Social Security numbers can't be trusted anymore, it helps to understand how attitudes toward and uses of those nine-digit numbers have changed over the years.
At first, people would quite literally wear their personal information on their sleeves. Social Security numbers started being issued in 1936 to keep track of American workers' earnings for the purpose of calculating how much Social Security — then a new concept — they'd be entitled to when they retired. People proudly tattooed them to their arms, chests and backs or engraved them on the backs of their watches. The priority was keeping the number handy, not keeping it secret, and many Americans didn't quite understand the implications of each citizen having a personal ID number.
In one infamous incidence, Douglas Patterson, an executive at the E. H. Ferree company in Lockport, N.Y., thought it would be a good idea to, in 1938, enclose a fake Social Security card in the company's leather wallets to show that they could keep the valuable documents safe. The only problem was that the card displayed his secretary Hilda Schrader Whitcher's real Social Security number for the gimmick. Even though the piece of paper said "specimen" on it, thousands of confused Americans who bought the wallet at Woolworth's stores used the digits as their own. The FBI showed up at her house to tell her the news. "I can't understand it," she later said.
"In the peak year of 1943, 5,755 people were using Hilda's number," according to the Social Security Administration's website. The Social Security Administration voided the number, but "in all, over 40,000 people reported this as their SSN. As late as 1977, 12 people were found to still be using the SSN 'issued by Woolworth.'" The agency even added to the confusion when it sent out pamphlets about how to prevent such problems: The pamphlets included a mock Social Security card as an example, and many people mistakenly interpreted that as the agency issuing them a new number. The agency has reported that at least 20 numbers like the Woolworth's number — which the agency nicknamed "pocketbook numbers" — have been in circulation at various times.
But, because the Social Security number had limited uses at the time, the damage from these mistakes was much less than it would be today.
Americans would start to become more concerned about keeping track of their Social Security number when it started becoming a more crucial way to identify them. For example, the Internal Revenue Service started using the Social Security number as its official taxpayer identification number in 1962, and Medicare started requiring one for enrollment in 1965.
And, as the numbers became more widely used as a way to keep track of people, citizens started not only to keep the numbers close to the vest but also to see how lumping so much information together could be risky.
In 1965, the Bureau of the Budget considered a proposal for a "National Data Center" that would link up various federal databases that gathered individuals' personal information. The proposal was rejected "on the grounds of this being an invasion of privacy and government having too much information at its fingertips about citizens," says Sarah Igo, a professor of History at Vanderbilt University and an expert on the history of privacy issues. "At that point, you start getting people being much more cautious about releasing the number."
On top of that, it's not a coincidence that these concerns came up during a period characterized by antiwar protests.
"The government is not necessarily seen as a trustworthy keeper of information in the '60s and '70s, the consciousness and worry about data merging is all wrapped up with distrust of the government in society," she says.
But it wasn't just government databases that Americans had to worry about. "Congressional hearings revealed the extent to which private organizations—like credit reporting agencies—maintained their own databanks filled by dossiers that could have powerful impacts on individual's lives, through access to credit, insurance or job opportunities," says Dan Bouk, author of How Our Days Became Numbered: Risk and the Rise of the Statistical Individual and professor of History at Colgate University. "That did not stop government agencies or all manner of private entities from building their own databases. Efforts to discourage the use of the SSN around 1971 can be explained as a result of those hearings and controversies."
The Privacy Act of 1974, which gave citizens the right to review and fix their own records and to protect that information from certain kinds of disclosures, was one result of those early discussions.
"However, the law was hard to enforce and had many exceptions," Igo says. "It also didn’t address the private sector uses of SSNs at all—only uses by federal agencies—meaning that businesses and other agencies continued to use them freely. The law did require the government to disclose whether requests for the number were voluntary or mandatory but relied on individuals to refuse giving over their number rather than putting teeth into restrictions on asking for or using the number."
While 1990 amendments to the Social Security Act would limit the disclosure of SSNs by federal, state and local governments, for the most part since the mid-1970s, she argues, "attention turned to other things" and privacy issues were put on the back burner. They've returned to the forefront, she says, "only recently, in the rise of cybercrime and data breaches."