SSA.gov to reopen PEBES reporting site

Rohit Khare (khare@mci.net)
Thu, 04 Sep 1997 02:28:41 -0400


[Instead, they are using a mail-back verification loop -- emailback, that
is... and taking the most sensitive data offline, the earnings history. -RK]

September 4, 1997

Web Site on Social Security Benefits to Be Revived
By ROBERT PEAR

WASHINGTON -- Wrestling with one of the largest test cases of how to protect
the privacy of electronic information, the Clinton administration will soon
re-establish an Internet site where people can see how much they are
entitled to receive in future Social Security benefits, federal officials
said Wednesday. But the government will impose new safeguards to enhance
personal privacy.

The decision to provide Social Security data electronically, with
safeguards, holds implications for commerce over the Internet. Indeed,
federal officials solicited advice from banks, credit card companies and
other businesses as they struggled to balance the convenience of electronic
transactions with the need to maintain the privacy of personal information.

The Social Security Administration is setting an important precedent. The
program touches the lives of almost all Americans, and Social Security is
apparently the first federal agency to provide consumers with detailed
personal information over the Internet.

In a report to be issued at a news conference Thursday, the Social Security
Administration says it will offer its new Internet service by the end of
this year. It describes the service as "the beginning of where the
government will be in the next century in allowing consumers to serve
themselves."

The Social Security agency opened its Internet service in March but shut it
down four weeks later, on April 9, because of concern that sensitive
financial information, including a person's earnings history, could be
obtained and misused by former spouses, landlords, employers, co-workers,
intrusive neighbors or credit agencies. The agency received 71,000 requests
in the four weeks.

When he announces resumption of the Internet service Thursday, Acting
Social Security Commissioner John J. Callahan plans to disclose two major
changes.

First, officials said, a person's earnings history will no longer be
available over the World Wide Web. People will still be able to use the Web
to learn the amount of benefits they would receive if they retired or
became disabled.

In addition, the officials said, anyone who wants to use Social Security's
Internet site to get an estimate of future benefits will need a
"verification code."

The code will be sent on request to a person's electronic mail address.
People without a registered e-mail account, with an employer or an Internet
service provider, will not be able to obtain an electronic estimate of
their Social Security benefits.

Both earnings history and benefit estimates will still be available to
everyone through the mail.

After the uproar over its Web site in April, Social Security held hearings
in six cities to analyze the potential advantages and hazards of
transacting government business with citizens over the Internet.

In the report on its conclusions, the Social Security Administration said,
"There are no absolute guarantees of complete confidentiality." But, it
added, "Social Security should not step back from its strategic commitment
to electronic services," which many consumers now demand.

Social Security officials said that greater use of the Internet could save
money for the government. In coming years, the agency's administrative
budget and its staff will be growing much more slowly than the number of
beneficiaries.

Initial reaction Wednesday appeared to be favorable. Rep. Barbara Kennelly
of Connecticut, the ranking Democrat on the Ways and Means Subcommittee on
Social Security, welcomed the agency's initiative as "a good-faith effort
to provide some additional safeguards against the fraudulent use of
personal information."

She added: "The Social Security Administration will not place the most
sensitive information -- annual earnings statements -- online. That
represents a common-sense precaution. Ultimately, the public will have to
decide what balance it wants between guaranteed privacy and access to
useful information."

Robert M. Gellman, a privacy expert who works as a consultant to the Social
Security Administration, said: "This is a nice balance. If people insist on
100 percent security, we'll never do business on the Internet. As far as I
know, Social Security is the first federal agency providing personal
information on the Internet. If this system couldn't go back online because
of privacy concerns, other agencies would say, 'Why should we take any risk
in supplying personal information and services on the Internet?' "

In fact, the Social Security agency's experience providing information to
millions of people on the Internet is being watched closely by private
industry, whose online operations could be influenced by any success or
failure in the government program.

Marc Rotenberg, director of the Electronic Privacy Information Center, a
Washington-based research organization, said, "Social Security officials
came up with a smart interim solution until stronger technical methods are
available to authenticate the identity of people requesting information
from their Web site."

Callahan's report gives this example of how the new system will work. An
Internet user, Jane Smith, enters Social Security's Web site
(http://www.ssa.gov).

She completes an online form with five pieces of information: name, Social
Security number, date of birth, place of birth and mother's maiden name.
She provides her e-mail address as well. She reads a notice saying that,
"while the system has appropriate security safeguards, no Internet system
is 100 percent secure." Ms. Smith submits her request.

"The next time she opens her e-mail," the agency said, she will find a
message from Social Security containing what it called an "activation
code." She must return to the agency's Web site and complete the online
form again, with her code. She will then receive an online statement
showing her retirement and disability benefits, as well as the benefits
that would be paid to survivors if she died.

Once she has obtained her activation code and examined her records, Ms.
Smith can get access to her records as often as she wants until she sends
instructions to Social Security to deactivate, or lock up, her records. She
would need a new code to obtain her retirement benefits again.

The Social Security agency's plan does not rely primarily on the use of
sophisticated encryption techniques to scramble information made available
at the agency's Web site.

The government has generally discouraged the use and export of strong
encryption techniques, fearing that they would allow criminals and
terrorists to hide illegal activity.

---
Rohit Khare /// MCI Internet Architecture (BOS) /// khare@mci.net
Voice+Pager: (617) 960-5131  VNet: 370-5131   Fax: (617) 960-1009
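
The mail-back verification loop described in the article, modelled as an added example that is not part of the original post and is not SSA's code. The class and function names, the code format, the sample identity, and the rule that deactivation requires the current code are all assumptions.

```python
import hmac
import secrets

class MailbackVerifier:
    """Toy model of the activation-code loop (hypothetical names)."""

    def __init__(self):
        self._codes = {}   # identity tuple -> currently active code
        self.outbox = []   # (email, code) pairs standing in for sent mail

    def request_code(self, identity, email):
        """First form submission: the code leaves only by e-mail."""
        code = secrets.token_urlsafe(9)   # code format is an assumption
        self._codes[identity] = code      # a new request replaces any old code
        self.outbox.append((email, code))
        # Nothing is returned to the web session that made the request.

    def check(self, identity, code):
        """Second submission and every later visit: form plus code."""
        expected = self._codes.get(identity)
        if expected is None:              # never issued, or record locked
            return False
        # Constant-time comparison so timing does not leak the code.
        return hmac.compare_digest(expected.encode(), code.encode())

    def deactivate(self, identity, code):
        """Lock the record (assumed here to require the current code)."""
        if not self.check(identity, code):
            return False
        del self._codes[identity]
        return True

def demo():
    # Constructed sample: name, SSN, date of birth, place of birth, maiden name.
    jane = ("Jane Smith", "000-00-0000", "1950-01-01", "Anytown", "Doe")
    v = MailbackVerifier()
    v.request_code(jane, "jane@example.com")
    code = v.outbox[-1][1]                # what arrives in her mailbox
    results = {
        "wrong_code": v.check(jane, "guess"),
        "first_visit": v.check(jane, code),
        "repeat_visit": v.check(jane, code),
        "other_identity": v.check(("John Smith",) + jane[1:], code),
        "deactivated": v.deactivate(jane, code),
        "after_lock": v.check(jane, code),
    }
    v.request_code(jane, "jane@example.com")
    results["new_code"] = v.check(jane, v.outbox[-1][1])
    return results

if __name__ == "__main__":
    print(demo())
```

The code shows that the requester can read the mailbox named on the request form. The five form fields remain the only check on who that requester is.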