Personal Privacy in an Information Society. Identification and Authentication


Before the issues surrounding the use of the SSN are described, it is necessary to understand precisely what identification and authentication mean; their role in record keeping; and the way the SSN is used in identifying and authenticating individuals and records.

Identification is the process by which an individual asserts who he is or by which an organization initially determines that a record pertains to a particular individual. Although the first process can be achieved by visual recognition, people usually identify themselves by stating or showing a label; typically an individual introduces himself to an organization by stating his name. For a record-keeping organization a label is essential to select a record that pertains to a particular individual from a set of records.

Authentication is the process of confirming that a person is who he claims to be, or that a particular record does indeed pertain to a particular individual. Typically, an individual authenticates his identity by providing a fact about himself, or another label in addition to his identifier, that is known both to the individual and to the organization. An organization authenticates that it has correctly associated a record with an individual by comparing what it learns about the individual with information already in the record.

An example of how these processes work may be helpful. When Arthur Klein goes to his bank to make a withdrawal from his savings account, the bank first asks him for his name and then for his account number. His name is used in this instance as an identifier; the account number is used as an authenticator. The bank maintains a list of all customer names with cross-references to account numbers and when Arthur recites his number, the bank employee locates it on the list to ascertain that Arthur is who he purports to be. Before Arthur's withdrawal is processed, his account record must be located. The records clerk goes to the file containing records about customers with last names beginning with "K." There are, however, three records identified by the name "Arthur Klein." Thus, the records clerk must use Arthur's account number to discriminate among the three records identified by the label "Arthur Klein" and to authenticate the fact that a particular record pertains to the Arthur Klein in question.

After Arthur makes his withdrawal, he asks the bank to use some of the money he has withdrawn to make a payment on his mortgage. Because mortgages are handled by another bank employee, information about the mortgage payment must be transferred from one part of the bank to another. When the information is transferred, it is labelled with Arthur's name and account number. When the mortgage section receives the information about the payment, it includes it in another previously compiled record about Arthur. In the process of doing so, it locates records about three Arthur Klein's and uses Arthur's account number to assure itself that the record finally selected does indeed pertain to the Arthur Klein in question.

Finally, when the bank reports information about the interest on Arthur's account to the Internal Revenue Service each year, it labels the information with Arthur's name and Taxpayer Identification Number. When the IRS receives the information and wishes to add it to a record it already maintains about Arthur, it will use his Taxpayer Identification Number to discriminate among the 100 Arthur Klein's on whom it maintains records.

As this example illustrates, identification and authentication processes are essential in almost any transaction that involves an individual and an organization, an organization's employees and its record systems, and the record system of one organization and that of another. For ease of reference, the process will be called personal identification and personal authentication in the first instance, and record identification and record authentication in the latter two instances. Record identification and authentication can be intra-organizational or inter-organizational; that is, they can take place between two record systems maintained by the same organization, or by separate organizations.

In some cases, notably where there is an automated record system involved, a label normally used as an authenticator can serve also as a record identifier and so either eliminate the authentication step altogether or require yet another label for authentication. In the above illustration, if the bank's savings and mortgage records were automated, the right Arthur Klein's record could be located by using his account number alone without reference to his name, so that the account number would be the record identifier, not the authenticator. Another label, Arthur's address, for example, could be used for record authentication purposes, or an authenticator may not be needed, especially if the identifier is known to be unique and accurate. The point here is that the same label can serve as an identifier in some instances, and as an authenticator in others. The development of automated record systems has, to a large extent, provided the impetus for widespread use of numerical labels such as the SSN for identification purposes.

As long as individuals have established relationships with organizations, personal identification and authentication have been important processes. For organizations which maintain records in order to facilitate their relationships with individuals, a record identification and authentication procedure within the organization is essential. As organizations and the populations served by them increase in size, the importance of identifying and authenticating the records which document and mediate interactions between organizations and individuals grows correspondingly. And, whenever organizations exchange records about an individual, inter-organizational identification and authentication become crucial. In such cases, the identifiers and authenticators used by the organizations between which exchanges of records take place must be common to both. This is one important reason why the use of a few widely available labels, such as the SSN, has become pervasive.

The genesis of the Social Security number offers a good example of the compelling need of organizations for accurate identification and authentication. Shortly after the Social Security Act of 1935 became effective, the Bureau of Internal Revenue issued a regulation requiring the issuance of an account number to each employee covered by the Social Security program, called a "Social Security account number." The need for the regulation is obvious. In order to carry out its program, the Social Security Administration would have to keep records about millions of workers for the rest of their lives. A worker's career could span more than half a century and could include many different employers in different locations. A separate account of the wages paid to, and the taxes withheld from, each worker had to be kept so that his eligibility for benefits, and the amount of those benefits, could be correctly established at retirement and paid thereafter.

Because the information in a single record might come from many different sources, because many workers share the same name, and because an individual may assume more than one name in the course of a lifetime, there had to be some way of uniquely labelling each worker. The solution adopted was to issue each worker a different number, and require a worker to report his number to his employers. Employers, in turn, were required to report to the Social Security Administration (SSA) certain information regarding the wages paid to, and the taxes withheld from, every worker. This information had to be labelled with the worker's Social Security number, which would enable the Social Security Administration to keep accurate accounts of each worker's earnings over the years. Then when a worker applied for benefits, the SSN would help SSA to match worker to record, and confirm that the worker was, in fact, the person he claimed to be.

A great many other organizations with large numbers of customers, beneficiaries, or employees also found it necessary to use labels other than names. Credit-card issuers, for example, assign unique numbers to individuals when they extend credit. When an individual uses his card to charge purchases at a wide variety of organizations in many different geographical locations, each charge on an account is reported to a central location so that the client can be billed at one time for all of his purchases. Like the Social Security Administration, credit-card issuers must consolidate information about individuals received from many different sources. It is important to know which of two John J. Smiths charged $1,000 to his account and which charged $50. This kind of discrimination is more easily and accurately made if each John J. Smith has a unique credit-card account number.

There are also exchanges of personal information about individuals between organizations. Here, accurate identification and authentication is especially important. If, for example, an individual is incorrectly billed for a credit-card purchase because of name confusion, he can probably identify the source of the error easily and attempt to get it corrected. If, however, the credit-card issuer has reported information about the wrong individual to a credit bureau, and the credit bureau then reports it to still another credit grantor, it can take much time and effort even to locate the source of the error.

As long as organizations have relationships with individuals, most of whom are not known personally by someone within the organization, effective personal identification and authentication is an essential social mechanism. As long as organizations make decisions about individuals on the basis of recorded information, some means of assuring that the information being used does indeed pertain to the individual affected by the decision is necessary. It should also be clear that while accurate identification and authentication facilitates the work of organizations, it also benefits individuals who seek fair and prompt decisions from them. If individuals and records are not correctly identified and authenticated, an individual may be unfairly denied a right, benefit, or opportunity as a result. Society as a whole also suffers when a benefit is given to an undeserving individual. In sum, accurate identification and authentication are an essential component of fairness in record keeping.


Because names are sometimes inadequate as identifiers-many individuals may possess the same name, a single individual may change his name-and because a different label must be used as an authenticator when a name is used as an identifier, alternative labels had to be developed. There are essentially two processes that can be used to develop these alternative labels. First, a government body can decree a system of labelling and registering citizens and either mandate the use of the new labels or make them available to organizations on a voluntary basis. Some European countries have used this method and, during World War II, the United States considered adopting it to facilitate draft registration and commodities rationing.2 Second, without such government action, the needed labelling systems grow up on an ad hoc basis to serve the special needs of particular private organizations and government agencies.

The United States did not choose the first alternative and thus, by default, has many systems of unique individual identification and authentication. Thus, today's typical American adult has a wide array of labels in addition to his or her name-a credit-card number, bank account number, driver's license number, license plate number, health insurance number, utilities account number, employee identification number, library card number, as well as a Social Security number.

Although the SSN is only one of many labels used for identification and authentication in America, it is relied on for these purposes more widely than any other kind of label except name; but the SSN is, at best, an imperfect identifier and authenticator. One reason is that until 1972, an applicant for an SSN was not asked if he had already been issued a number, nor was he asked to produce proof of identity. The result is that several million individuals now have more than one SSN-clearly a source of confusion. Another reason is that one SSN is sometimes used by more than one individual-as when a son, confused about how the system operates, uses his father's number when he goes to work. These problems are gradually being resolved in part because a Federal law [Section 205(c)(2)(B)(ii) of the Social Security Act] now gives the Department of Health, Education, and Welfare (DHEW) the authority to require verification of the identity of SSN applicants and to determine whether an applicant has previously been issued an SSN. Experience is slowly clearing up confusion about the system's operation.

An individual's SSN may be used for personal identification, although the instances in which an individual identifies himself with his SSN appear to be rare. The SSN is more often used for personal authentication, as when an individual wants to cash a check. The use of the SSN in record identification and authentication, both within and between organizations, however, is common. Most of these uses of the SSN have nothing at all to do with the purpose for which the SSN was originally created-the administration of the Social Security Act.3