This is the accessible text file for GAO report number GAO-06-495 
entitled 'Social Security Numbers: Internet Resellers Provide Few Full 
SSNs, but Congress Should Consider Enacting Standards for Truncating 
SSNs' which was released on May 17, 2006. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to Congressional Requesters: 

United States Government Accountability Office: 

GAO: 

May 2006: 

Social Security Numbers: 

Internet Resellers Provide Few Full SSNs, but Congress Should Consider 
Enacting Standards for Truncating SSNs: 

GAO-06-495: 

GAO Highlights: 

Highlights of GAO-06-495, a report to congressional requesters. 

Why GAO Did This Study: 

GAO previously reported on how large information resellers like 
consumer reporting agencies obtain and use Social Security numbers 
(SSNs). Less is known about information resellers that offer services 
to the general public over the Internet. Because these resellers 
provide access to personal information, SSNs could be obtained over the 
Internet. GAO was asked to examine (1) the types of readily 
identifiable Internet resellers that have SSN-related services and 
characteristics of their businesses, (2) the extent to which these 
resellers sell SSNs, and (3) the applicability of federal privacy laws 
to Internet resellers. 

What GAO Found: 

We found 154 Internet information resellers with SSN-related services. 
Most of these resellers offered a range of personal information, such 
as dates of birth, drivers’ license information, and telephone records. 
Many offered this information in packages, such as background checks 
and criminal checks. Most resellers also frequently identified 
individuals, businesses, attorneys, and financial institutions as their 
typical clients, and public or nonpublic sources, or both as their 
sources of information. 

In attempting to purchase SSNs from 21 of the 53 resellers advertising 
the sale of such information, we received 1 full SSN, 4 truncated SSNs 
displaying only the first five digits, and no SSNs from the remaining 
16. In one case, we also received additional unrequested personal 
information including truncated SSNs of the search subject’s neighbors. 
We also found that some other entities truncate SSNs by displaying the 
last four digits. According to experts we spoke to, there are few 
federal laws and no specific industry standards on whether to display 
the first five or last four digits of the SSN, and SSA officials told 
us the agency does not have the authority to regulate how other public 
or private entities use SSNs, including how they are truncated. 

We could not determine if federal privacy laws were applicable to the 
Internet resellers because such laws depend on the type of entity and 
the source of information, and most of the resellers’ Web sites did not 
include this information. However, these laws could apply to resellers; 
4 of the resellers we examined had Web sites identifying the type of 
entity they were. About one-half of the resellers cited adherence to 
one or more federal privacy laws and a few referenced state laws. 

Figure: How the General Public Can Purchase Information from Internet 
Resellers. 

[See PDF for Image] 

[End of Figure] 

What GAO Recommends: 

Since there is no consistently practiced method for truncating SSNs and 
no federal agency has the authority to regulate how SSNs could be 
truncated, Congress may wish to consider enacting standards for 
truncating SSNs or delegating authority to the Social Security 
Administration (SSA) or some other governmental entity to issue 
standards for truncating SSNs. In commenting on a draft of this report, 
SSA agreed that standardizing the truncation of SSNs would be 
beneficial and supported our recommendation for congressional action. 

[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-495]. 

To view the full product, including the scope and methodology, click on 
the link above. For more information, contact Barbara D. Bovbjerg at 
(202) 512-7215 or bovbjergb@gao.gov. 

[End of Section] 

Contents: 

Letter: 

Results in Brief: 

Background: 

Internet Resellers' Web Sites Shared Similar Characteristics: 

Most Attempts to Purchase SSNs Failed: 

Applicability of Federal Privacy Laws to Internet Resellers Cannot Be 
Determined: 

Conclusions: 

Matter for Congressional Consideration: 

Agency Comments and Our Evaluation: 

Appendix I: Scope and Methodology: 

Appendix II: Comments from the Social Security Administration: 

Appendix III: GAO Contact and Staff Acknowledgments: 

Tables: 

Table 1: Aspects of Selected Federal Laws Affecting Public and Private 
Sector Disclosure of Personal Information: 

Table 2: Categories and Examples of Information Provided by Internet 
Resellers: 

Table 3: Types of Clients to Which Internet Resellers Market Their 
Services: 

Table 5: Reasons Internet Resellers Did Not Provide SSNs: 

Table 6: Results of Attempted SSN Purchases: 

Figures: 

Figure 1: Number of Services Provided by the 154 Internet Resellers: 

Figure 2: Combinations of the Sources of Information Used by Internet 
Resellers: 

Figure 3: Frequency of Federal Privacy Laws Cited by Internet 
Resellers: 

Abbreviations: 

DCI: data collection instrument: 

DPPA: Driver's Privacy Protection Act: 

FACTA: Fair and Accurate Credit Transactions Act: 

FCRA: Fair Credit Reporting Act: 

FTC: Federal Trade Commission: 

GLBA: Gramm-Leach-Bliley Act: 

MSN: Microsoft Network: 

SSA: Social Security Administration: 

SSN: Social Security number: 

United States Government Accountability Office: 

Washington, DC 20548: 

May 17, 2006: 

The Honorable Jim McCrery: 
Chairman: 
Subcommittee on Social Security: 
Committee on Ways and Means: 
House of Representatives: 

The Honorable E. Clay Shaw, Jr. 
House of Representatives: 

The Social Security number (SSN) is a key piece of personal information 
and has come to be used for numerous non-Social Security purposes. In 
recent years, both public and private sector entities have increasingly 
used the SSN as a personal identifier and ask individuals to supply 
their SSNs. Consequently an individual's SSN can be found on a number 
of public documents such as land ownership records, birth certificates, 
and marriage licenses, and is advertised for sale. Private-sector 
entities known as information resellers are specializing in amassing 
personal information, including SSNs, from various public and private 
sources and providing information about someone for specific purposes 
for a fee. 

More prominent or large information resellers limit their services to 
businesses and government entities that establish accounts with them 
and have a legitimate purpose for obtaining personal information on an 
individual. However, less is known about other information resellers, 
particularly those that are Internet-based and offer their services to 
the public at large for a fee. Such Internet information resellers 
(Internet resellers) make public and nonpublic information accessible 
to the public, raising concerns about how easy it would be for someone 
to obtain another person's SSN over the Internet. At your request, we 
(1) describe the types of readily identifiable Internet resellers that 
have SSN-related services and characteristics of their business, (2) 
determine the extent to which these Internet resellers sell SSNs, and 
(3) determine the applicability of federal privacy laws to Internet 
resellers. 

To identify Internet resellers and their characteristics, we developed 
an initial list of over 1,000 potential Internet resellers by searching 
the Internet with popular Web-based search engines, such as Google, and 
using keywords and phrases that members of the general public would use 
if they were trying to find Web sites that would allow them to obtain 
someone else's SSN and other personal information. We narrowed the list 
of Internet resellers to 154 distinct Web sites that had services that 
either required the customer to provide the reseller with an SSN or 
sold an SSN. We then used a data collection instrument (DCI) to capture 
information posted on resellers' Web sites about their characteristics, 
such as the types of information available for sale, the types of 
clients resellers market to, and the sources of information they stated 
they used. To determine the extent to which the Internet resellers sell 
SSNs, we analyzed the data obtained from the DCI about Internet 
resellers with SSN-related services and attempted to purchase the SSNs 
of consenting GAO staff members from a nonprobability sample of 21 
resellers on the list.[Footnote 1] The criteria we used to select the 
resellers for our attempted purchases included (1) Web sites that 
advertise the sale of an SSN without the customer's having to provide 
the SSN of the subject of our inquiry, (2) Web sites that advertise the 
sale of an SSN to the general public, and (3) the Web sites where the 
transaction could be made online through use of a credit card. We also 
interviewed staff from the Federal Trade Commission (FTC), officials 
from the Social Security Administration (SSA), industry 
representatives, and privacy experts to get their views about the use 
of SSN truncation. To determine the applicability of federal privacy 
laws to the Internet resellers, we reviewed federal privacy laws and 
examined pertinent information on the resellers' Web sites, including 
their references to privacy laws. Appendix I explains the scope and 
methodology of our work in greater detail. We conducted our work 
between April 2005 and May 2006 in accordance with generally accepted 
government auditing standards. 

Results in Brief: 

Although numerous Internet resellers exist, resellers' Web sites we 
reviewed generally had similar characteristics. Most advertised a 
selection of personal information ranging from previous and current 
addresses and dates of birth to drivers' license information, telephone 
records, and credit reports. In addition, many of them offered to sell 
personal information in various packages, such as criminal checks and 
background checks. Web sites most frequently identified individuals, 
businesses, attorneys, and financial institutions as their typical 
clients and public or nonpublic sources, or both as their sources of 
information. 

We generally failed in our attempts to purchase full SSNs, although we 
did receive other personal information. Of the 53 Web sites that 
offered to sell a person's SSN, we tried to purchase SSNs of consenting 
GAO employees from 21 of these resellers and received one complete SSN 
for the person whose number we requested; four truncated SSNs, where 
only the first five digits were disclosed (123-45-XXXX); and no SSN 
from the remaining 16. In our discussions with privacy experts, private 
sector representatives, and federal officials, we found that entities 
in other industries, such as credit reporting, sometimes truncate the 
SSN by masking the first five digits of the SSN but displaying the last 
four (XXX-XX-1234). These experts added there are few federal laws, and 
no specific industry standards, about which digits of an SSN are 
displayed in a truncated format. According to SSA officials, SSA does 
not have the authority to regulate how other public and private 
entities use SSNs, including how they are truncated. Furthermore, when 
we were successful in purchasing truncated SSNs as part of a background 
check, we also received personal information such as an individual's 
address, date of birth, and list of neighbors. In one case, we received 
unrequested information including the truncated SSNs of the person's 
current and past neighbors. 
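The two truncation formats described above matter to anyone who stores or displays these records, because records about one person that use different formats can together show every digit. The following is an added example, not part of the GAO report: it classifies each displayed SSN by which digits are shown and counts how many of the nine positions are exposed across a set of records. The function names and the last-four policy in `remask` are assumptions for illustration; the sample strings are the report's own placeholders plus constructed values.

```python
import re

# Nine positions: area (3), group (2), serial (4), as in the report's Background.
# Accepts digits plus 'X', 'x' or '*' as mask characters, hyphens optional.
_SSN_RE = re.compile(r"^([0-9Xx*]{3})-?([0-9Xx*]{2})-?([0-9Xx*]{4})$")

# Constructed samples: the two placeholders are the report's; the rest are made up.
FIRST_FIVE = "123-45-XXXX"   # format returned by four resellers
LAST_FOUR = "XXX-XX-1234"    # format used by some other entities
CONSTRUCTED_FULL = "123-45-6789"


def parse_display(text):
    """Return a 9-character string of digits and 'X' masks, or raise ValueError."""
    m = _SSN_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an SSN display string: {text!r}")
    return "".join(m.groups()).upper().replace("*", "X")


def classify(text):
    """Name the truncation pattern of one displayed SSN."""
    shown = [c.isdigit() for c in parse_display(text)]
    if all(shown):
        return "full"
    if not any(shown):
        return "fully-masked"
    if all(shown[:5]) and not any(shown[5:]):
        return "first-five"
    if not any(shown[:5]) and all(shown[5:]):
        return "last-four"
    return "other"


def exposed_positions(displays):
    """Set of digit positions (0-8) shown by at least one display string."""
    exposed = set()
    for text in displays:
        s = parse_display(text)
        exposed.update(i for i, c in enumerate(s) if c.isdigit())
    return exposed


def audit(displays):
    """Summarise the truncation patterns and aggregate exposure for one person."""
    exposed = exposed_positions(displays)
    return {
        "patterns": sorted({classify(d) for d in displays}),
        "exposed_count": len(exposed),
        "fully_exposed": len(exposed) == 9,
    }


def remask(text):
    """Re-mask a display string to one policy (assumed here: last four only).

    Digits the source already masked stay masked; nothing is inferred.
    """
    s = parse_display(text)
    tail = s[5:] if s[5:].isdigit() else "XXXX"
    return f"XXX-XX-{tail}"


if __name__ == "__main__":
    print(audit([FIRST_FIVE, LAST_FOUR]))   # mixed formats
    print(audit([LAST_FOUR, "xxx-xx-1234"]))  # one consistent format
    print(remask(CONSTRUCTED_FULL), remask(FIRST_FIVE))
```
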

We could not determine if federal privacy laws were applicable to the 
Internet resellers because such laws depend on the type of entity 
involved and the source of information, and most of the resellers' Web 
sites did not include this information. Certain federal privacy 
laws--such as the Fair Credit Reporting Act (FCRA), the 
Gramm-Leach-Bliley Act (GLBA), and the Driver's Privacy Protection Act 
(DPPA)--restrict 
the disclosure of personal information based on the type of entity or 
the specific source of the information. We found that most of the 
Internet resellers' Web sites we reviewed had insufficient information 
on their Web sites for us to determine the type of entity the reseller 
was or the source of the reseller's information. However, federal 
privacy laws could apply to these resellers. In four cases, we found 
that the resellers stated on their Web sites the type of entity they 
were--consumer reporting agencies and credit bureau--which are subject 
to FCRA or GLBA. We also found that about 79, or one-half, of the 
resellers referenced one or more federal privacy laws on their Web 
sites, indicating some awareness of these laws, while others referenced 
certain state laws, such as those of California, Florida, and Michigan. 

Because different entities truncate SSNs in different ways and no 
federal agency has the authority to regulate how SSNs should be 
truncated, Congress may wish to consider enacting standards for 
truncating SSNs or delegating that authority to SSA or some other 
governmental agency. In commenting on a draft of this report, SSA 
agreed that standardizing the truncation of SSNs would be beneficial 
and supported our recommendation to Congress. 

Background: 

The SSN was created in 1936 as a means of tracking workers' earnings 
and eligibility for Social Security benefits. SSNs are issued to most 
U.S. citizens, and to some noncitizens lawfully admitted to the United 
States. Through a process known as enumeration, a unique nine-digit 
number is created. The number is divided into three parts--the first 
three digits represent the geographic area where the SSN was assigned; the 
middle two are the group number, which is assigned in a specified order 
for each area number; and the last four are serial numbers ranging from 
0001 to 9999. Because of the number's uniqueness and broad 
applicability, SSNs have become the identifier of choice for government 
agencies and private businesses, and are used for a myriad of 
non-Social Security purposes. 

Information resellers, sometimes referred to as information brokers, 
are businesses that specialize in amassing personal information from 
multiple sources and offering informational services. These entities 
may provide their services to a variety of prospective buyers, either 
to specific business clients or to the general public through the 
Internet. More prominent or large information resellers such as 
consumer reporting agencies and entities like LexisNexis provide 
information to their customers for various purposes, such as building 
consumer credit reports, verifying an individual's identity, 
differentiating records, marketing their products, and preventing 
financial fraud. These large information resellers limit their services 
to businesses and government entities that establish accounts with them 
and have a legitimate purpose for obtaining an individual's personal 
information. For example, law firms and collection agencies may request 
information on an individual's bank accounts and real estate holdings 
for use in civil proceedings, such as a divorce. Information resellers 
that offer their services through the Internet (Internet resellers) 
will generally advertise their services to the general public for a 
fee. 

Resellers, whether well-known or Internet-based, collect information 
from three sources: public records, publicly available information, and 
nonpublic information. 

* Public records are available to anyone and obtainable from 
governmental entities. Exactly what constitutes public records depends 
on state and federal laws, but generally includes birth and death 
records, property records, tax lien records, voter registrations, and 
court records (including criminal records, bankruptcy filings, civil 
case files, and legal judgments). 

* Publicly available information is information not found in public 
records but nevertheless available to the public through other sources. 
These sources include telephone directories, business directories, 
print publications such as classified ads or magazines, and other 
sources accessible by the general public. 

* Nonpublic information is derived from proprietary or private sources, 
such as credit header data[Footnote 2] and application information 
provided by individuals--for example, information on a credit card 
application--directly to private businesses. 

Information resellers provide information to their customers for 
various purposes, such as building consumer credit reports, verifying 
an individual's identity, differentiating records, marketing their 
products, and preventing financial fraud. The aggregation of the 
general public's personal information, such as SSNs, in large corporate 
databases and the increased availability of information via the 
Internet may provide unscrupulous individuals a means to acquire SSNs 
and use them for illegal purposes. 

Because of the myriad uses of the SSN, Congress has previously asked 
GAO to review various aspects of SSN-use in both the public and private 
sectors.[Footnote 3] In our previous work, our reports have looked at 
how private businesses and government agencies obtain and use 
SSNs.[Footnote 4] In addition, we have reported that the perceived 
widespread sharing of personal information and instances of identity 
theft have heightened public concern about the use of Social Security 
numbers.[Footnote 5] We have also noted that the SSN is used, in part, 
as a verification tool for services such as child support collection, 
law enforcement enhancement, and issuing credit to 
individuals.[Footnote 6] Although these uses of SSNs are beneficial to 
the public, SSNs are also key elements in creating false identities. We 
testified before the Subcommittee on Social Security, House Committee 
on Ways and Means, about SSA's enumeration and verification processes 
and also reported that the aggregation of personal information, such as 
SSNs, in large corporate databases, as well as the public display of 
SSNs in various public records, may provide criminals the opportunity 
to commit identity crimes.[Footnote 7] 

We have also previously reported that certain federal and state laws 
help information resellers limit the disclosure of personal information 
including SSNs to their prescreened clients.[Footnote 8] Specifically, 
we described how certain federal laws place restrictions on how some 
Internet resellers obtain, use, and disclose consumer information. The 
limitations these laws afford are shown in table 1. 

Table 1: Aspects of Selected Federal Laws Affecting Public and Private 
Sector Disclosure of Personal Information: 

Federal laws: Gramm-Leach-Bliley Act (GLBA); 
Restrictions on disclosure: Creates a new definition of nonpublic 
personal information that includes SSNs and gives consumers the right 
to limit some, but not all, sharing of their nonpublic personal 
information. Financial institutions can disclose consumers' nonpublic 
information without offering them an opt-out right under certain 
circumstances permissible under the law, such as to protect the 
confidentiality or security of the consumer's record and to prevent 
actual or potential fraud; 
Entities affected: Financial institutions such as credit bureaus and 
entities that receive data from financial institutions. 

Federal laws: Fair Credit Reporting Act (FCRA); 
Restrictions on disclosure: Limits access to consumer reports, which 
generally include SSNs, to those who have a permissible purpose under 
the law, such as state or local officials involved in the enforcement 
of child support cases or determining eligibility for employment; 
Entities affected: Consumer reporting agencies and users of consumer 
reports. 

Federal laws: Fair and Accurate Credit Transactions Act (FACTA); 
Restrictions on disclosure: Amends FCRA to allow, among other things, 
consumers who request a copy of their credit report to also request 
that the first five digits of their SSN (or similar identification 
number) not be displayed; requires consumer reporting agencies and any 
business that uses consumer reports to adopt procedures for proper 
disposal of such reports; 
Entities affected: Consumer reporting agencies and users of consumer 
reports. 

Federal laws: Driver's Privacy Protection Act (DPPA); 
Restrictions on disclosure: Prohibits disclosing personal information 
from a motor vehicle record, including SSNs, except for purposes 
permissible under the law; 
Entities affected: State departments of motor vehicles, department of 
motor vehicle employees or contractors, and recipients of personal 
information from motor vehicle records. 

Source: GAO analysis.

[End of table] 

Internet Resellers' Web Sites Shared Similar Characteristics: 

The Web sites of the 154 Internet resellers we reviewed had similar 
characteristics. Most resellers offered a variety of information that 
could be purchased, from telephone records to credit reports. In 
addition, Internet resellers also offered to sell information in 
various ways, from packaged information, such as various information 
that would be collected through a background check or a search of a 
person's criminal records to single types of information, such as a 
credit score. These resellers usually listed the types of clients that 
they market their services to and broadly identified their sources of 
information. 

Internet Resellers Offered to Sell a Variety of Information in Various 
Ways: 

We found that Internet resellers offered to sell a variety of 
information to anyone willing to pay a fee. On average, resellers 
offered about 8 types of services and two offered 20 types of 
informational services. As shown in figure 1, the majority of resellers 
offered to sell anywhere from 1 to 10 informational services. 

Figure 1: Number of Services Provided by the 154 Internet Resellers: 

[See PDF for image] 

[End of figure] 

The Internet resellers offering the fewest services tended to 
specialize in services provided to the public. For example, most of the 
resellers offering only one service were resellers that specialized in 
helping locate an individual. Others offered services related to 
employment or background checks. 

Internet resellers also offered different ways for buyers to purchase 
their information. For example, some offered memberships that allowed 
online access to the reseller's information, with the member performing 
the search. Another reseller offered to sell a software package that 
would allow a buyer to purchase access to the Internet reseller's 
information through the purchased software and allowed many different 
types of information searches. The majority of resellers would require 
selected information about the buyer and then would perform the data 
search and provide an information report to the buyer. 

We identified over 50 types of information offered for purchase by 
these resellers, which we categorized into six major categories 
including personal, legal, financial, employment, driver or vehicle, 
and telephone. Table 2 gives examples of the types of information found 
in these categories. 

Table 2: Categories and Examples of Information Provided by Internet 
Resellers: 

Information categories: Personal; 
Types of Information in these categories: Name, SSN, aliases, current 
and previous addresses, telephone number, and date of birth or age. 

Information categories: Legal; 
Types of Information in these categories: Federal, state, and county 
criminal records checks. 

Information categories: Financial; 
Types of Information in these categories: Credit reports, credit cards, 
bank accounts, and bankruptcy records search. 

Information categories: Employment; 
Types of Information in these categories: Employment history and salary 
or income verification. 

Information categories: Driver or vehicle; 
Types of Information in these categories: Driver's license number and 
driver's history report. 

Information categories: Telephone; 
Types of Information in these categories: Telephone and cell phone 
records and name and address of an individual based on his telephone or 
cell phone number. 

Source: GAO analysis.

[End of table] 

All the resellers offered to sell information from at least one of the 
six categories. However, not all resellers offered to sell driver or 
vehicle information, or telephone information. For example, only 85 of 
the 154 resellers we reviewed offered to sell some type of driver's 
information, while 56 resellers offered to sell telephone information. 

We found that Internet resellers either sold their information as a 
part of a package or sold single pieces of information. For example, 
resellers sold packaged information such as background checks, criminal 
checks, or employment checks/tenant screenings. Of the packaged 
information, we found that background checks provided the most 
extensive information. A background check may include personal, legal, 
and financial information, such as name, SSN, address, neighbors, 
relatives, and associates information. Such checks may include 
national, state, or county criminal records searches and bankruptcy and 
lien information.[Footnote 9] Other packages, such as criminal records 
packages, may include national, state, and county criminal records 
searches, sex offender searches, and civil litigation. Employment 
checks/tenant screenings may include current and past employment, SSN 
verifications, and national, state, and county criminal records 
searches. 

Internet Resellers Usually Identified Their Clients: 

Over 80 percent of Internet resellers identified the clients to whom 
they marketed their information. Internet resellers identified their 
clients in several ways. About 60 percent of the time, resellers used 
the information sections of their Web sites to identify their clients. 
Web pages such as "Frequently Asked Questions," "Help," or "About Us" 
were frequently used to identify their clients. For example, the "About 
Us" Web page generally provided a brief description about the Internet 
reseller's business and would often describe the clients it marketed 
to. Other ways in which resellers marketed to their clients were 
through testimonials or in a separate section on their Web page. 

Internet resellers marketed their services to a variety of clients. As 
shown in table 3, individuals, businesses, and attorneys were the most 
frequently identified clients. Some of the businesses resellers 
identified were Fortune 500 companies and retailers. For the financial 
institution clients, resellers mostly identified banks. In addition, 
most of the Internet resellers' clients were from the private sector, 
although some had government and law enforcement agency clients. 
Finally, we found that most of the resellers had multiple types of 
clients. About 30 percent of the resellers identified only one type of 
client. 

Table 3: Types of Clients to Which Internet Resellers Market Their 
Services: 

Types of clients: Individuals; 
Internet resellers that marketed to these clients: 84. 

Types of clients: Businesses; 
Internet resellers that marketed to these clients: 72. 

Types of clients: Attorneys; 
Internet resellers that marketed to these clients: 42. 

Types of clients: Financial institutions; 
Internet resellers that marketed to these clients: 29. 

Types of clients: Insurance agents or agencies; 
Internet resellers that marketed to these clients: 26. 

Types of clients: Private investigators; 
Internet resellers that marketed to these clients: 23. 

Types of clients: Government or law enforcement agencies; 
Internet resellers that marketed to these clients: 21. 

Types of clients: Collection agencies; 
Internet resellers that marketed to these clients: 12. 

Types of clients: Landlords; 
Internet resellers that marketed to these clients: 11. 

Types of clients: Health services; 
Internet resellers that marketed to these clients: 8. 

Types of clients: Other; 
Internet resellers that marketed to these clients: 16. 

Source: GAO analysis.

[End of table] 

Three-Quarters of Internet Resellers Identified Their Sources of 
Information: 

About 75 percent, or 115, Internet resellers identified the source of 
their information on their Web sites. Most of these resellers obtained 
their information from public or nonpublic sources or a combination of 
both sources. For example, a few resellers offered to conduct a 
background investigation on an individual, which included compiling 
information on the individual from court records and using a credit 
bureau to obtain consumer credit data. Some used public records as 
their only source of information. The most frequently identified public 
records were court records, department of motor vehicle records, real 
property records, legal judgments, and bankruptcy records. We found 
about one-third of the Internet resellers used only one source of 
information. More often, they used a combination of the three sources. 
Figure 2 below shows the various combinations of sources of 
information. 

Figure 2: Combinations of the Sources of Information Used by Internet 
Resellers: 

[See PDF for image] 

[End of figure] 

Most Attempts to Purchase SSNs Failed: 

Most of our attempts to purchase SSNs from a select group of resellers 
failed. Of the 154 Internet resellers' Web sites we reviewed, 53, 
almost 35 percent, offered to sell SSNs. We attempted to purchase SSNs 
from 21 resellers that were chosen because they required minimal 
information about prospective buyers or about the person whose SSN we 
wanted to obtain. Of the 21 resellers from which we tried to purchase 
SSNs, only 5 provided some form of an SSN. As shown in table 5, the 
reasons for being unable to obtain SSNs from 16 of the 21 resellers 
varied. 

Table 4: Reasons Internet Resellers Did Not Provide SSNs: 

Reason: Required additional legal documentation of permissible purpose 
for obtaining the information; 
Internet reseller: 4. 

Reason: Refused because of state privacy laws; 
Internet reseller: 1. 

Reason: Required forms of payment other than a credit card; 
Internet reseller: 1. 

Reason: No record found on subject; 
Internet reseller: 1. 

Reason: Reason unknown; 
Internet reseller: 9. 

Reason: Total; 
Internet reseller: 16. 

Source: GAO analysis.

[End of table] 

Nine resellers, a majority of the resellers that did not sell SSNs to 
us, did not explain why but simply did not provide the information we 
sought. Four of the remaining resellers attempted to contact us to 
request legal documentation to support a permissible purpose for 
obtaining the information. However, since we attempted to purchase SSNs 
as a member of the general public, we could not provide the requested 
information. One of these resellers sent us an e-mail asking us to fax 
a signed letter stating our reason for obtaining a person's SSN and a 
copy of our driver's license to verify our identity, which we could not 
provide. We contacted the other three to find out why prospective 
buyers were required to have a permissible purpose. One reseller told 
us that the company is audited every year by the government and that a 
legal document request was part of its security screening of its 
customers. The other two stated that some form of legal documentation, 
such as a certified copy of a court order, was required in order for 
their companies to release the information. 

In addition to receiving one full and four truncated SSNs, we also 
received other information related to our purchases. Given that we only 
received SSNs as a part of packaged information, we were not surprised 
that we received additional information about the person whose SSN we 
were trying to obtain. For example, the two Internet resellers that 
provided some form of SSN in a background check report also provided 
the following information: 

* the person's current and previous addresses, 

* date of birth, 

* a list of other names associated with the person, 

* a list of their neighbors, 

* tax liens and judgments against the person, and 

* properties owned by the person.[Footnote 10] 

However, in one case we received unexpected and unrequested 
information. In this case, we did not receive the SSN of the person 
whose number we requested, but instead received the truncated SSNs of 
the person's past and present neighbors, information we did not 
request. 

Five of the 21 resellers from whom we attempted to purchase SSNs did 
provide us with some form of an SSN. We received one full nine-digit 
SSN and four truncated SSNs. All five resellers that supplied an SSN 
provided the SSN as a part of a package of information. As shown in 
table 6, the full SSN was obtained as a part of a background check, and 
the four truncated SSNs were provided as a part of a "people locator" 
package, a background package, and an employment trace. We attempted to 
order SSNs from five resellers that offered to sell the SSN alone, and 
we were unable to obtain an SSN from those resellers. 

Table 5: Results of Attempted SSN Purchases: 

SSN services: SSN alone (e.g., Locate an SSN, search for Social 
Security numbers, and SSN search); 
Orders placed[A]: 5; 
Received full SSN: 0; 
Received truncated SSN: 0. 

SSN services: Background check or investigation; 
Orders placed[A]: 6; 
Received full SSN: 1; 
Received truncated SSN: 1. 

SSN services: People locator or search; 
Orders placed[A]: 5; 
Received full SSN: 0; 
Received truncated SSN: 2. 

SSN services: Employment trace; 
Orders placed[A]: 1; 
Received full SSN: 0; 
Received truncated SSN: 1. 

SSN services: Other information packages; 
Orders placed[A]: 4; 
Received full SSN: 0; 
Received truncated SSN: 0. 

SSN services: Total; 
Orders placed[A]: 21; 
Received full SSN: 1; 
Received truncated SSN: 4. 

Source: GAO analysis. 

[A] Does not include three attempted orders where we received an error 
message after submitting our information that terminated our 
transaction. 

[End of table] 

We also found a wide range of costs for information services when 
we tried to purchase SSNs. The packages of information we attempted to 
purchase ranged from about $4 to $200 compared to the costs to purchase 
individual SSNs that ranged from about $15 to $150. The range of costs 
from the five resellers that provided some form of the SSN was about 
$20 to $200. The Internet reseller that provided the full SSN did so 
for $95. 

Of the four resellers that gave us truncated SSNs, three of these 
disclosed on their Web sites that they would provide full SSNs, but 
only under certain circumstances. For example, one reseller said that, 
by law, it cannot provide a person's SSN to any third party. Another 
required the customer to have a legitimate reason for requesting the 
information under laws such as GLBA. This reseller said it may not 
provide the full SSN if the customer did not meet those requirements. 
None explained why they only provided the first five digits. 

All resellers that provided truncated SSNs showed the first five digits 
and masked the last four digits. We interviewed industry 
representatives and privacy experts to determine if this way of 
truncating the SSN was the standard practice among private sector 
entities. Industry representatives and privacy experts told us that 
entities in other industries may truncate the SSN differently from the 
truncated SSNs we bought from Internet resellers. For example, consumer 
data industry representatives said that members of their association 
decide for themselves how and when to truncate SSNs. One consumer 
reporting agency we spoke to told us that it truncates the SSN by 
masking the first five digits on reports it provides directly to 
consumers, by displaying only the last four digits. Some privacy 
experts said that certain entities that use SSNs as identifiers on 
lists, such as universities, also truncate the number by masking the 
first five digits. In addition, SSA also masks the first five digits of 
the SSN on the Social Security Statements mailed to individuals over 
the age of 25 who have an SSN and have wages or earnings from 
self-employment. 

On the basis of our discussions with government officials and industry 
representatives, we could not identify any industry standards or 
guidelines for truncating SSNs. None of the officials we spoke to knew 
for certain why either method--masking the first five digits or the 
last four digits--was used or how such methods came into use. In 
addition, when we asked officials which way of truncating the SSN 
better protects it from misuse, there was no consensus among them, and 
no one knew of any research regarding this issue. Some officials said 
that although truncation could provide some protection for SSNs, it is 
unlikely to be foolproof. There are also few, if any, federal laws that 
require or regulate truncating the SSN. Currently, FCRA has a specific 
provision relating to truncating SSNs. Under this law consumers can 
request that their SSN be truncated to display only the last four 
digits on any consumer report they request about themselves. The 
Judicial Conference of the United States issued rules, effective in 
December 2003, requiring that SSNs be truncated to mask the first five 
digits in newly filed electronically available bankruptcy court 
documents. 

Federal agency officials whom we spoke to said that Congress or SSA 
should decide how SSNs should be truncated. The Social Security Act of 
1935 authorized SSA to establish a record-keeping system to help manage 
the Social Security program and resulted in the creation of the SSN. 
Through a process known as enumeration, unique numbers are created for 
every person as a work and retirement benefit record for the Social 
Security program. According to SSA officials, the law does not address 
the use of the number by private and public sector entities. SSA 
officials said that SSA regulates only the agency's use of SSNs and 
does not have legal authority over SSNs used by others. 

Applicability of Federal Privacy Laws to Internet Resellers Cannot Be 
Determined: 

Federal privacy laws that restrict the disclosure of personal 
information could be applicable to Internet resellers, but there was 
insufficient evidence on the resellers' Web sites we reviewed to 
determine if they met specific statutory definitions. Federal privacy 
laws such as the FCRA, GLBA, and DPPA apply primarily to entities that 
meet specific statutory definitions. For example, FCRA applies 
primarily to a consumer reporting agency, which is defined as any 
person which, for monetary fees, dues, or on a cooperative nonprofit 
basis, regularly engages in whole or in part in the practice of 
assembling or evaluating consumer credit information or other 
information on consumers for the purpose of furnishing consumer reports 
to third parties, and which uses any means or facility of interstate 
commerce for the purpose of preparing or furnishing "consumer 
reports."[Footnote 11] In addition, these laws allow for disclosure of 
personal information for certain permissible purposes, and those who 
request or receive information from an entity meeting those statutory 
definitions may also have obligations under these laws. For example, 
FCRA generally prohibits "consumer reporting agencies" from furnishing 
"consumer reports" to third party users unless it is for a permissible 
purpose; before providing "consumer report" information to prospective 
users, however, the prospective user must certify the purposes for 
which the information is sought and that it will be used for no other 
purpose.[Footnote 12] GLBA and DPPA also contain prohibitions against 
re-disclosure of personal information covered by those laws.[Footnote 
13] 

FCRA, GLBA, and DPPA could apply to Internet resellers that identify 
themselves as one of the statutorily defined entities covered under the 
laws--which are consumer reporting agencies for FCRA, financial 
institutions for GLBA, and state motor vehicle departments for DPPA--or 
that received information from such entities. We found four resellers 
that identified themselves as one of the statutorily defined entities. 
Three stated on their Web sites that they were consumer reporting 
agencies and the other stated it was a credit bureau. However, we did 
not find similar information on the remaining 150 resellers' Web sites 
to determine what type of entity they were. In addition, we found that 
some resellers identified the source of their information generally, 
but did not link information sources to particular pieces of 
information. For example, about 7 percent of the resellers identified 
"Department of Motor Vehicle records" as the source of some of their 
information and offered to search for personal information based on a 
driver's license number, license plate number, or vehicle 
identification number. However, most did not specify which personal 
information came from the "Department of Motor Vehicle records" or any 
state motor vehicle departments. Therefore, we could not determine if 
FCRA, GLBA, and DPPA were applicable to the majority of resellers we 
reviewed. 

Our review of the resellers' Web sites found 79 of them, about 50 
percent, referenced one or more federal privacy laws. As shown in 
figure 3, the most frequently mentioned laws were FCRA, GLBA, and DPPA. 

Figure 3: Frequency of Federal Privacy Laws Cited by Internet 
Resellers: 

[See PDF for image] 

[End of figure] 

We also found 5 out of the 154 Internet resellers referenced state laws 
on their Web sites. Two stated adherence to the California 
Investigative Consumer Reporting Act, which allows a consumer to review 
any files concerning that consumer maintained by an "investigative 
reporting agency." One cited two California consumer laws. One law 
allows California consumers to remove their names from credit bureau 
mailing lists used for unsolicited pre-approved credit offers for a 
minimum of 2 years. It also provides identity theft victims and other 
consumers with increased rights regarding consumer credit reports, 
including requiring the deletion of inquiries resulting from identity 
theft. The other California law prohibits consumer credit reporting 
agencies that furnish reports for employment purposes from reporting 
information on the age, marital status, race, color, or creed of any 
consumer and requires the user of the report to provide written notice 
to the consumer. The law also requires that the consumer be provided a 
free copy of the report upon request. Another reseller cited a Florida 
statute that governs divulging investigative information, and yet 
another reseller stated adherence to the Michigan Private Detective 
License Act. Both state laws regulate the activities of private 
investigators. 

Conclusions: 

Although personal information is widely available on the Internet to 
anyone willing to pay a fee, SSNs appear to be difficult to obtain from 
the Internet resellers we contacted. Few of the Internet resellers' Web 
sites we reviewed offered to sell an individual's SSN outright, and 
even those that did make such an offer did not follow through. Thus, 
the perception that anyone willing to pay a fee can easily obtain 
someone's SSN does not appear to be valid. Our experiences indicate 
that it is more likely that a buyer would not be able to purchase an 
SSN or would receive a truncated version of an SSN from Internet 
resellers. 

However, our work does suggest that someone seeking an SSN may be able 
to obtain a truncated SSN, and depending on the entity, the SSN may be 
truncated in various ways. Standardizing the truncation of the SSN 
could provide some protection from SSNs being misused. Under a 
standardized approach, the same digits of the SSN would be the only 
information transmitted, no matter the source from which the SSN is 
obtained. Given SSA's role in assigning SSNs, SSA is in the best 
position to determine whether and if truncation should be standardized, 
but because the agency does not have specific authority to regulate 
truncation, SSN truncation will continue to vary. 
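
The following Python sketch is an added illustration, not part of the GAO report. It audits masked SSN strings released by different sources for the same person and reports whether the sources, taken together, leave every one of the nine digit positions visible somewhere. The last-four-visible standard, the function names, and the sample values (constructed, using the never-issued 000 area number) are assumptions.

```python
"""Audit truncated-SSN disclosures for complementary exposure (added example)."""

DIGITS = frozenset("0123456789")
MASK_CHARS = frozenset("Xx*#")

# Assumption: the enforced standard shows only the last four digits
# (positions 5-8 of the nine-digit number, counting from 0).
LAST_FOUR = frozenset({5, 6, 7, 8})


def parse_masked(masked):
    """Return the nine digit-or-mask symbols of a masked SSN, ignoring dashes."""
    symbols = [c for c in masked if c in DIGITS or c in MASK_CHARS]
    if len(symbols) != 9:
        raise ValueError("expected 9 digit/mask symbols, got %d" % len(symbols))
    return symbols


def visible_positions(masked):
    """Positions (0-8) at which the masked string reveals a digit."""
    return frozenset(i for i, c in enumerate(parse_masked(masked)) if c in DIGITS)


def apply_standard(masked, allowed=LAST_FOUR):
    """Re-mask a string so that only positions in `allowed` can stay visible.

    A position the source already masked stays masked; nothing is unmasked.
    """
    symbols = parse_masked(masked)
    out = [c if (i in allowed and c in DIGITS) else "X"
           for i, c in enumerate(symbols)]
    return "{}-{}-{}".format("".join(out[:3]), "".join(out[3:5]), "".join(out[5:]))


def audit_disclosures(disclosures, allowed=LAST_FOUR):
    """Audit what several sources reveal about one person's SSN.

    `disclosures` maps a source name to the masked string it releases.
    Only digit positions are examined; digit values are never combined.
    """
    per_source = {src: visible_positions(m) for src, m in disclosures.items()}
    combined = frozenset().union(*per_source.values())
    return {
        "combined_visible": sorted(combined),
        "fully_exposed": len(combined) == 9,
        "nonconforming": sorted(
            src for src, pos in per_source.items() if not pos <= allowed
        ),
    }


# Constructed sample: one source masks the last four digits, the other
# masks the first five, the two practices the report describes.
SAMPLE = {
    "reseller_a": "000-12-XXXX",
    "agency_b": "XXX-XX-3456",
}


if __name__ == "__main__":
    print("as released:   ", audit_disclosures(SAMPLE))
    standardized = {src: apply_standard(m) for src, m in SAMPLE.items()}
    print("standardized:  ", standardized)
    print("after standard:", audit_disclosures(standardized))
```
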

Matter for Congressional Consideration: 

Since there is no consistently practiced method for truncating SSNs, 
and no federal agency has the authority to regulate how SSNs should be 
truncated, Congress may wish to consider enacting standards for 
truncating SSNs or delegating authority to SSA or some other 
governmental entity to issue standards for truncating SSNs. 

Agency Comments and Our Evaluation: 

We provided a draft of this report to the Social Security 
Administration for comment and received a written response from the 
administration (included as app. II). SSA agreed that standardizing the 
truncation of SSNs would be beneficial and supported our recommendation 
for congressional action. In addition, SSA stated that while it does 
not have the legal authority to compel organizations to truncate SSNs 
or to specify how such truncating should be done, it would be willing 
to publish information on best practices for truncating SSNs on SSA's 
Web site. We also provided a draft of this report to the Federal Trade 
Commission for technical review and received comments that were 
incorporated as appropriate. 

We are sending copies of this report to the Chairman of the Federal 
Trade Commission, the Commissioner of the Social Security 
Administration, appropriate congressional committees, and other 
interested parties. In addition, the report will be available at no 
charge on GAO's Web site at http://www.gao.gov/. 

If you have any questions concerning this report, please contact me at 
(202) 512-7215. Contact points for our offices of Congressional 
Relations and Public Affairs may be found on the last page of this 
report. Other contacts and acknowledgments are listed in appendix III. 

Barbara D. Bovbjerg: 
Director, Education, Workforce, and Income Security Issues: 

[End of section] 

Appendix I: Scope and Methodology: 

To describe readily identifiable Internet resellers, we created a list 
of Internet reseller Web sites. To create a list of readily 
identifiable Internet reseller Web sites, we used Internet search 
techniques and keyword search terms that we thought members of the 
general public would use if they were trying to obtain someone else's 
Social Security Number (SSN). We conducted our searches using three 
major Internet search engines--Google, Microsoft Network (MSN), and 
Yahoo. Within each of these search engines we conducted our searches 
using keywords such as, "find social security number," "find ssn," 
"purchase social security number," and "public records search." We 
chose these keywords based on the advice of privacy experts and the 
team's judgment on terms that would yield Web sites that sell personal 
information including the SSN. Our searches resulted in 1,036 Web sites 
that we then reviewed to determine whether they were live 
sites,[Footnote 14] redirected sites,[Footnote 15] or duplicate sites 
that were operated by the same reseller. Nineteen percent of the 1,036 
Web sites took us to another Internet reseller Web site that was 
included in our list. Most of these redirected sites took us to two 
Internet resellers that offered online membership--allowing access to 
their databases and affiliate programs, which allowed others to link 
their Web sites to the resellers' Web sites. More than one-half of the 
1,036 Web sites were inactive at the time a GAO analyst attempted to 
access the site. In addition, we found a few Web sites were operated by 
the same reseller and were similar in appearance. As a result, we ended 
up with a list of 226 sites that we included in our review. We 
recognize that had we used different search engines, different 
keywords, and a different point in time we may have identified a 
different list of sites. 

To describe the types of readily identifiable Internet resellers that 
have SSN-related services and characteristics of their businesses, we 
developed a Web-based data collection instrument (DCI) for GAO analysts 
to document selected information contained on the Internet resellers' 
Web sites. We used the DCI to record information from the Web pages 
that contained items that addressed the types of SSN-related services 
and information that the resellers sold, the sources of the 
information, and the types of clients to whom the site marketed. To 
ensure that the entry of the DCI data conformed to GAO's data quality 
standards, each DCI was reviewed by one of the other GAO analysts. 
Tabulations of the DCI items were automatically generated from the 
Web-based DCI software. Supplemental analyses were conducted using a 
statistical software package. For these analyses, the computer programs 
were checked by a second, independent analyst. Our analyses found 154 
Internet resellers with SSN-related services. 

To determine the extent to which Internet resellers sell Social 
Security numbers, we analyzed data collected from the review of 
Internet resellers just described, attempted to purchase SSNs from a 
nonprobability sample of Internet resellers, and collected data about 
the transactions. We used information collected from the DCI to derive 
a nonprobability sample of Internet resellers to purchase SSNs. The 
criteria we used to select the resellers for our attempted purchases 
included the following: (1) the Web site advertised the sale of an SSN 
without the customer's having to provide the SSN of the subject of our 
inquiry, (2) the Web site advertised the sale of an SSN to the general 
public, and (3) the transaction could be made online through the 
Internet reseller's Web site using a credit card. We collected 
information about the purchases including cost, the information that 
was required about the search subject and the purchaser (including the 
permissible purpose), whether the site contacted us to verify our 
information or our permissible purpose, and whether the SSN was 
provided and, if it was, whether the full or a truncated SSN was 
provided. In addition, we interviewed staff from the Federal Trade 
Commission, officials from the Social Security Administration, one of 
the three national consumer reporting agencies, the Consumer Data 
Industry Association (an international trade association that 
represents consumer information companies), and five privacy experts to 
obtain their views about the use of SSN truncation as a means for 
safeguarding the number. We also reviewed prior GAO work and performed 
literature and Internet searches about SSN truncation. 

To determine the applicability of federal privacy laws to Internet 
resellers, we reviewed federal laws and the resellers' Web sites for 
information about the resellers' type of entity and sources of 
information. However, in most instances these resellers did not have 
sufficient information on their Web sites to determine if they were in 
compliance with these laws. Specifically, we were unable to determine 
whether most of these resellers met the definitions specified by these 
laws such as "financial institution," "consumer reporting agency," or 
an "officer, employee, or contractor" of a "State Motor Vehicle 
Department." We also were unable to determine the resellers' specific 
sources for particular pieces of information. Although Internet 
resellers generally did not provide information about the entity and 
sources of information, they generally cited, and we recorded, whether 
they stated adherence to any federal privacy laws. 

[End of section] 

Appendix II: Comments from the Social Security Administration: 

Social Security: 
The Commissioner: 

May 05, 2006: 

Ms. Barbara D. Bovbjerg: 
Director, Education, Workforce, and Income Security Issues: 
Room 5968: 
U.S. Government Accountability Office: 
Washington, D.C. 20548: 

Dear Ms. Bovbjerg: 

Thank you for the opportunity to review and comment on the draft report 
"Social Security Numbers (SSN): Internet Resellers Provide Few Full 
SSNs, But Congress Should Consider Enacting Standards for Truncating 
SSNs" (GAO-06-495). 

We agree that the issue of truncating SSNs (for organizations wishing 
to do so) would benefit from standardization and we support the 
recommendation being made to Congress. The results of this review 
indicate that without a standard truncating method that is widely 
adhered to, it would be possible for an individual to obtain entire 
SSNs by purchasing truncated information from one organization that 
uses the "first five digit" method and purchasing information 
concerning the same individual from a second organization that uses the 
"last four digit" method. 

Although, as the report accurately states, we do not possess the legal 
authority to compel organizations to truncate SSNs, or to specify how 
such truncating should be done, we would be willing to publish 
information on best practices for truncating SSNs on our Internet site. 
It would take a few months for this work to be completed. 

If you have any questions, please contact Ms. Candace Skurnik, 
Director, Audit Management and Liaison Staff, at (410) 965-4636. 

Sincerely, 

Signed by: 

Jo Anne B. Barnhart: 

Social Security Administration: 
Baltimore Md 21235-0001:

[End of section] 

Appendix III: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

Barbara D. Bovbjerg (202) 512-7215: 

Staff Acknowledgments: 

In addition to the contact above, Tamara Cross, Assistant Director, 
Margaret Armen, Patrick Bernard, Richard Burkard, Ellen Chu, John 
Cooney, Benjamin Federlein, Evan Gilman, Richard Harada, Joel Marus, 
Andrew O'Connell, Stanley Stenersen, Jacquelyn Stewart, and Lacy Vong 
made important contributions to this report. 

FOOTNOTES 

[1] We selected these Web sites using a nonprobability sample--a sample 
in which some items in the population have no chance, or an unknown 
chance, of being selected. Results from nonprobability samples cannot 
be used to make inferences about a population. Thus, the information we 
obtained cannot be generalized to the other Web sites we studied. 

[2] Credit header data consist of the nonfinancial identifying 
information located at the top of a credit report, such as name, 
current and prior addresses, telephone number, Social Security number, 
and date of birth. 

[3] See GAO, Social Security Numbers: Government Benefits from SSN Use 
but Could Provide Better Safeguards, GAO-02-352 (Washington, D.C.: May 
31, 2002), and Identity Theft: Prevalence and Cost Appear to Be 
Growing, GAO-02-363 (Washington, D.C.: Mar. 1, 2002). 

[4] GAO, Social Security: Government and Commercial Use of the Social 
Security Number Is Widespread, GAO/HEHS-99-28 (Washington, D.C.: Feb. 
16, 1999). 

[5] GAO, Social Security: Government and Other Uses of the Social 
Security Number Are Widespread, GAO/T-HEHS-00-120 (Washington, D.C.: 
May 18, 2000). 

[6] GAO/HEHS-99-28. 

[7] GAO, Social Security Numbers: Ensuring the Integrity of the SSN, 
GAO-03-941T (Washington, D.C.: July 10, 2003). 

[8] GAO, Social Security Numbers: Private Sector Entities Routinely 
Obtain and Use SSNs, and Laws Limit the Disclosure of This Information, 
GAO-04-11 (Washington, D.C.: January 22, 2004). 

[9] A lien is a charge upon real or personal property for the 
satisfaction of some debt or duty. 

[10] The list of personal information represents some of the 
information the two resellers provided in background check reports. 

[11] 15 U.S.C. § 1681a(f). FCRA defines a "consumer report" as any 
written, oral, or other communication of "any information by a consumer 
reporting agency bearing on a consumer's credit worthiness, credit 
standing, credit capacity, character, general reputation, personal 
characteristics, or mode of living which is used or expected to be used 
or collected in whole or in part for the purpose of serving as a factor 
in establishing the consumer's eligibility for: (1) credit or insurance 
to be used primarily for personal, family, or household purposes; (2) 
employment purposes; or (3) any other purpose authorized under section 
1681b of this title." 15 U.S.C. § 1681a(d). 

[12] 15 U.S.C. § 1681e. 

[13] 15 U.S.C. § 6802(c); 18 U.S.C. § 2721(c). 

[14] A live site is a Web site that is currently in operation and 
offers online services. The Web sites were live when a GAO analyst 
reviewed the uniform resource locator (URL) for the survey. Those Web 
sites considered not live displayed an error message noting that the 
Web site was no longer in operation. 

[15] A redirected Web site is a site that acts as a portal to other Web 
sites. Several reseller Web sites have links to other individual 
reseller sites. For this survey, we reviewed the individual reseller 
sites and not the portal sites. 
