Social Security Numbers and User Authentication

Byron C. Mayes bcmayes at shiva.hunter.cuny.edu
Tue Nov 4 11:02:20 EST 1997


On Mon, 3 Nov 1997, Kathy Mcgreevy wrote:

> At a recent workshop, three librarians mentioned that they thought
> it was *illegal* to use the social security number for user
> authentication. (Not to mention that few people will want to anyway.)
> Does anyone know anything about the legality of using SSNs for
> authentication? (Haven't found anything in the archives of this list.)

Several institutions, including CUNY, use "SSN" (note the quotes)
authentication for access to a variety of services, from paid databases to
online student information. It's hard to imagine that with such widespread
use that the practice would be illegal. We'd have heard about it with
certainty by now. 

The potential illegality surrounding SSNs (and here I am not speaking as a
lawyer, but as a librarian who has dealt with the issue in the past and as an
educated citizen...laws and/or procedures may have changed since my last
encounter) has to do with requiring someone to give the number to the
institution in the first place when there is no proven necessity for it
(e.g., a student receiving no Federal or Federally-assisted financial aid).
It does not have to do with its use as a unique identification number once
provided. 

And here is why I used the quotes above. From the scenario given:

> online authentication process, i.e. a user will key in his/her SSN, a
> computer on campus will check it to verify that s/he is currently enrolled
> or employed here, and s/he'll be cleared for access to whatever we want
> them to have access to.

...it looks like what you're planning to do is use a *student/employee
number* for authentication and not specifically a SSN. If you have foreign
students, many of them probably don't have a SSN and were assigned a number
in the 3-2-4 format -- often beginning with 999- or 998- -- by the College
(it's also possible that a domestic student with objections to giving out the
SSN could have a similar assignment). This is the number that would be used
for verification in such a case, correct? Requiring an actual SSN when not
everyone even has one might also present legal problems. 

As for everyone else, the College already has the SSN, is using it for
identification purposes, and presumably has made the students/staff aware
of this (if not, someone official might want to make it known). If this is
the case, perhaps your Computing Department should call it by the "official"
name, "student/employee number", and avoid double controversy that way.  A
possibility for placating those who might not want to use their SSN even if
the College already has it would be using a "dummy" number as listed above. 

If your College already has a separate unique identification number (in the
same format for students and staff) that is not equivalent to the SSN,
perhaps Computing should consider using that number instead. You're not
providing access to sensitive information (like student records) so a number
which is supposed to be kept confidential (though in a past job, students
would just hand over their SSNs to another for access to certain things
without thinking..."Would you check my overdue books for me while you're at
the computing center? My ID number is...") isn't strictly necessary. All you
probably need to meet your license agreement is a way of verification
(perhaps a method could be devised to block out a specific ID once it is in
use...this would reduce fraudulent use from someone handing out his/her ID to
anyone around the world, and it would allow use of a non-SSN identifier). 

Again, I'm not a lawyer, just practical.

Byron

 Prof. Byron C. Mayes
 Systems Librarian/Assistant Professor
 Hunter College of the City University of New York
 695 Park Avenue * New York, New York 10021
 bcmayes at shiva.hunter.cuny.edu  * 212-772-4168 * Fax: 212-772-5113
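
The idea in the message above of blocking out an ID while it is in use, sketched as an added example that is not part of the original message or of any campus system. The class name, the lease timeout and the keyed hashing of identifiers are assumptions made for this illustration; the identifier is meant to be a non-SSN campus number.

```python
import hashlib
import hmac
import secrets
import time

class IdLeaseTable:
    """One active session per campus ID; leases expire so an abandoned session frees the ID."""

    def __init__(self, valid_ids, ttl_seconds=900, clock=time.monotonic):
        self._key = secrets.token_bytes(32)  # per-process key for hashing IDs
        self._valid = {self._digest(i) for i in valid_ids}
        self._leases = {}                    # ID digest -> (token, expiry time)
        self._ttl = ttl_seconds
        self._clock = clock

    def _digest(self, campus_id):
        # Keyed hash, so raw identifiers are never held in the lease table.
        return hmac.new(self._key, campus_id.encode(), hashlib.sha256).hexdigest()

    def acquire(self, campus_id):
        """Return a session token, or None if the ID is unknown or already in use."""
        d = self._digest(campus_id)
        if d not in self._valid:
            return None
        now = self._clock()
        lease = self._leases.get(d)
        if lease and lease[1] > now:
            return None                      # blocked: someone holds this ID
        token = secrets.token_urlsafe(16)
        self._leases[d] = (token, now + self._ttl)
        return token

    def renew(self, campus_id, token):
        """Extend the lease on activity; only the current holder may renew."""
        d = self._digest(campus_id)
        lease = self._leases.get(d)
        now = self._clock()
        if not lease or lease[1] <= now or not hmac.compare_digest(lease[0], token):
            return False
        self._leases[d] = (token, now + self._ttl)
        return True

    def release(self, campus_id, token):
        """Explicit logout frees the ID immediately."""
        d = self._digest(campus_id)
        lease = self._leases.get(d)
        if lease and hmac.compare_digest(lease[0], token):
            del self._leases[d]
            return True
        return False
```

The expiry matters because a patron who closes the browser without logging out would otherwise lock their own ID; a short lease renewed on each request bounds that window.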
