Carnegie Mellon University

Data Privacy Center

Data Privacy Course

Social Security Numbers as Carnegie Mellon's Student ID

Social security numbers as IDs may leave students vulnerable

By Seth Mandel, The Tartan, 3/5/2001, p1

When Kevin Burns received an email containing the names, student identification numbers, and grades of all 467 students in his Principles of Economics class last year, he at first considered the incident to be a funny mistake. But as he thought about it more, he soon came to believe this mistake was a serious breach of privacy, especially because students’ identification numbers at CMU are also typically their social security numbers (SSNs).

“It seems to me that a person could find out a fair amount of information about me if they knew my SSN,” said Burns, a junior computer science major.

SSNs are indeed commonly used for identification and CMU has used them as primary student identifiers since the current student information system was developed 13 years ago, according to Darleen LaBarbera, Director of Enrollment Systems. Recent changes in legislation, media attention about identity theft crimes, and increased concerns about privacy, however, have caused a number of people to question whether CMU should rethink its policy of using SSNs as student identification numbers.

“I think it is very dangerous and unnecessarily leaves the students vulnerable,” said Latanya Sweeney, director of CMU’s newly established Laboratory for International Data Privacy.

The Social Security Administration has also recently issued warnings to consumers about protecting the privacy of their SSNs.

“We’re saying to protect it and don’t give out if you don’t have to,” said Dan Majewski, Public Affairs Specialist for the Social Security Administration.

Web of Numbers

A particular student’s ability to protect his SSN at CMU may be considered limited since SSNs are distributed to faculty and staff to identify students. Privacy groups that protest universities’ uses of SSNs as identifiers cite listing grades by SSN on the Web as a potential danger and breach of privacy.

Linda Anderson, Director of Enrollment Services, said that it is against recommended practices and guidelines to publish even part of an SSN on the Web. When presented with a privacy policy from the HUB Web site that suggested professors use the last four digits of the student ID to post grades, Anderson said that policy was incorrect and will be updated.

“The best approach is not to use any portion of the SSN, and that is our intent,” said Anderson.

She added that these policies are communicated to faculty through deans, associate deans, and administrative assistants. A Tartan investigation revealed several course Web sites that listed full or partial SSNs and grades associated with them, both from current courses and older courses that continue to have Web pages online.

When disclosure of SSNs occurs over the Web, removing the page does not always solve the problem because certain search engines make their own copies of Web pages for users to view. For example, The Tartan’s investigation located a course page for a fluid mechanics course from the Spring of 2000 listing full SSNs, which had been removed from the CMU server but could still be accessed through the Google search engine.

Posting grades by SSNs is considered dangerous because identity can be inferred from an SSN, according to Sweeney, who is also an Assistant Professor of Computer Science and of Public Policy. The first three digits of the number identify the state in which it was issued and the next two identify the approximate time when it was given. In the fluid mechanics class, there were 11 states from which there was exactly one student. Additionally, the two international students in the class stood out because numbers starting with 999 are assigned to people without SSNs, according to LaBarbera.

A further Web search revealed a personal Web site of a student who identified himself as being a student of that course for that semester. This student’s Web page also suggested the state in which he originated, which provided enough information to attach a name to the SSN, since there was only one SSN that could have come from that state.

The Tartan contacted this individual and he confirmed that this investigation correctly linked his name with his SSN and therefore, his grades.

The economics class mistake that Burns described, where names and SSNs were sent to the entire class, is obviously an example of a more direct disclosure of names and SSNs. An additional danger associated with such a disclosure is that the information contained in the email can be used to link data even further. When The Tartan cross-referenced the economics course email it obtained with the fluid mechanics Web page, three students were found in common between the two classes, which provided the ability to associate names with grades for that class as well.

SSNs Everywhere

Additional threats exist within the CMU community itself. LaBarbera said that one attempt to protect students involved removing student identification numbers from Student Information Online so that individuals who accidentally leave themselves logged into a public computer are not vulnerable.

Both LaBarbera and Anderson said SSNs should not appear on printed materials, except when necessary. They said that the numbers should have been removed from cash register receipts a year ago. The Tartan presented Enrollment Services with recent receipts from purchases made at Subway and Entropy using Campus Xpress that included the account number, which was also the student’s SSN. Anderson said that she was unaware of that situation and said that the printing of the SSN on such a receipt should not happen.

“We will do an inventory to find out why that is happening in some places but not others,” said Anderson, who added that the problem will be corrected.

LaBarbera and Anderson agreed that printing of receipts is particularly a problem at Entropy because students rarely take their receipts, leaving a long stream of paper hanging out of the register. SSNs are also inadvertently exposed when students whose cards will not swipe properly verbally state their SSN to the cashier. Often, the student is holding their identification card, which reveals their name to those standing near the register. Since cashiers do not ask for proof of identity, it is also possible for someone to fraudulently make purchases using an SSN they obtained.

Dangers, Vulnerabilities Exposed

When SSNs and names are released in a public way, experts agree that danger exists. These two pieces of information could result in the disclosure of more personal information, including access to bank records.

Sweeney explained that criminals who engage in identity theft look for names and SSNs and get credit cards issued under the victim’s name. By the time the bills come in the mail and the victim realizes what has happened, the criminal has moved on to his next victim.

“For an individual to clear that off their record can take a lifetime,” said Sweeney.

Majewski said that the Social Security Administration recommends that people do not even carry their SSN in their wallet because of the serious threat of identity theft. This threat is even more serious for students, according to Sweeney.

“Students pose good examples for identity theft because [a criminal] can get a large number of SSNs and associate them with individuals,” said Sweeney, adding that while students do not necessarily have good credit, many have no credit, which makes it easier for criminals to steal identities.

She added that since students typically change their residences frequently, credit card companies are not surprised when an application is filed with a new address.

Sweeney said that releasing even a fragment of the SSN could be dangerous. As an illustration, she mentioned a local bank’s online banking system, which requires part of an SSN to gain entry. She said that a computer program could be written to go through permutations of missing digits to obtain access to a student’s bank account, including the individual’s name and transaction information. She said that when the online banking system was first announced, such a procedure was successfully performed to obtain access to a customer’s account. According to Sweeney, performing such a task is bank fraud and illegal.

To obtain the identity of an SSN from a cash register receipt or web page, an individual willing to spend a little money could do a credit check on the number for about ten dollars, said Sweeney. She said that the inquirer could make up a name to associate with the SSN and many credit agencies will return a report mentioning the error and stating the correct name associated with the SSN.

A Temporary Solution?

CMU does provide students with the ability to change their identification number to a numeric sequence other than their SSN, according to Anderson. When asked about the process, a HUB representative said it would take approximately two to three weeks and might cause complications for those students receiving financial aid. The representative also said about one or two students typically make such a request each semester.

“If you want to [make that change] we will do it and accommodate you and make sure financial aid disperses correctly. We are upfront in saying there may be a processing delay. However, this should not discourage those wanting to do that,” said Anderson.

The potential problem associated with financial aid is the basis of why CMU uses SSNs as identifiers in the first place, according to LaBarbera. Many of the agencies CMU associates with, ranging from the College Board to the federal government’s financial aid programs, also rely on SSNs as an identifier. This commonality allows information coming into and out of CMU to be associated with the correct individual.

Campus Link Use of “Student ID”

Most of these releases of the SSN are legal and in some cases required, as with regard to payroll. The national Family Educational Rights and Privacy Act (FERPA) does, however, place restrictions on the release of personally identifiable information from educational records, which includes SSN. CMU may have violated this act.

A call to Campus Link, the company that provides long distance service to CMU students in University housing, revealed that the company can and does use SSNs to look up student account information.

CMU provides a list of names, student IDs, and addresses to Campus Link each year, according to Mary Pretz-Lawson, Assistant Director for Computing Services. She said that her department does not generate the identification numbers themselves, but uses the numbers supplied by Enrollment Services.

Although CMU uses the term “student ID,” Campus Link realizes that these numbers are SSNs and refers to them as such. When a Tartan reporter called Campus Link asking for his personal identification number (PIN), the representative asked the student for his name and SSN and then released the information.

“If [a representative] was able to look up [an] account by SSN, CMU probably does give us SSNs,” said Ian Wilson, Campus Link’s Regional Account Manager responsible for CMU.

Wilson said that SSNs are only used for debt collection and security. He added that Campus Link never sells any student information. Wilson acknowledged that someone possessing a student’s name and SSN could indeed use the information to fraudulently make calls from the student’s account. It would be illegal to do so, he said.

Wilson added that the ease of obtaining the name and matching SSN means it might be necessary to add in some further protections for customers such as assigning additional PINs for security.

“People can get [names and SSNs] really anywhere, but the largest issue is where people can gather this information,” said Wilson, who added that someone obtaining a name and matching SSN would have obtained that information from a source other than Campus Link.

If students did not give the University permission to release their SSNs to Campus Link, it is likely a violation of FERPA, according to Phyllis Knight, Program Support Assistant for the Family Policy Compliance Office, which is part of the United States Department of Education. Knight said a further investigation would be necessary to confirm that a violation did occur.

Questionable Future of SSNs at CMU

CMU has taken some initial steps to downgrade the danger of using SSNs, including instructing university personnel to always use the phrase “student identification number” rather than “social security number” and removing the numbers from student ID cards two years ago, according to Anderson. When asked if juniors and seniors who have their original card with the SSN printed on the front could get a new card printed free of charge, Anderson said they could do so by going to the HUB.

According to LaBarbera, it may be several years until CMU stops using SSNs in this manner.

“Conversations are ongoing at different levels about stopping use of SSN as an identifier in the system and using a system-assigned student ID,” said LaBarbera.

In addition to these discussions, which have come up occasionally during the past 18 months, a study was done to determine what would be involved to make such a change under the current system.

“We’ve estimated that the work to change the existing process would take anywhere between three and six months,” said LaBarbera.

She added that since a new student information system will be developed in a few years, one option is to wait until that system is designed. There is no formal plan to move away from using SSNs as an identifier and such a change is not currently on any prioritized list, according to LaBarbera.

“I don’t know how much it will cost to change from SSN to a made up number solely for use by the University, but I think it is well worth it given the downside risks,” said Sweeney.

Universities Respond to Problem

Throughout the nation, many institutions and legislators seem to agree with Sweeney’s idea that using a random number is safer than using the SSN.

Boston University moved away from using SSNs as identification numbers in 1998, according to Colin Riley, a spokesman for the University. The Web page announcement of the change stated that the decision addressed concerns of maintaining individuals’ privacy and protecting their identities from being compromised.

At MIT, randomly generated numbers replaced SSNs as identifiers in 1994, according to Mary Callahan, a spokeswoman for the University.

A number of other universities do use SSNs as student identifiers. These schools include Case Western University, according to the school’s Registrar Amy Hammett. She said future versions of the student information system may phase out that practice.

Legislators in the state of Washington are currently considering a bill that would prohibit institutions of higher education from using SSNs for identification, except when required for employment or financial aid. The bill’s premise is that occurrences of identity theft are increasing and that the widespread use of SSNs “has made identity theft more likely to occur.”

An article in the Washington publication Spokesman Review mentions a Central Washington University professor who was indicted on 33 counts of mail fraud for using students’ SSNs. The professor allegedly obtained new social security cards for students and used the numbers to obtain credit cards and birth certificates.

The state of Arizona already has a law that prohibits universities from using identification numbers that are identical to SSNs.

According to Majewski, there is not currently any legislation in the works at the federal level regarding this issue.
