In what is widely viewed as one of the biggest tests of online privacy protection to date, the US Social Security Administration (SSA) has announced that it will offer a revised version of a controversial system that lets workers view their benefits information via the Internet.
The system has been modified to take into account a flood of criticism that forced the SSA to close it on April 9, a little more than a month after it was first offered.
"Nothing is more important to Social Security than maintaining the public's confidence in our ability to protect the privacy of personal information we maintain in our records," said acting Social Security commissioner, John Callahan, in remarks prepared for a press conference today. Callahan spoke today in Washington, D.C., to unveil the modified system.
By the end of the year, workers will once again be able to view information pertaining to the SSA's Personal Earnings and Benefit Estimate Statement online at http://www.ssa.gov/, according to Callahan.
The PEBES is one of the most important personal financial planning tools available from the U.S. government, according to Callahan. The PEBES includes information regarding year-by-year earnings history, Social Security taxes paid, and estimates of retirement, disability and survivor benefits payable to workers and family members.
In 1996 alone, 3.4 million workers requested a paper copy of their PEBES, according to the SSA. In the four weeks that it was offered online, more than 70,000 people requested to view the information on the Internet.
However, the SSA received a great deal of criticism about the online request system, and closed it temporarily to consult with the public, Internet service providers and banks on how to make it more secure. In May and June, the SSA held six public forums in cities throughout the U.S., and fielded 6,000 email suggestions about the system.
"Despite our careful preparations to protect confidentiality ... concerns were expressed that we had not done enough to protect the PEBES statement from the eyes of other users of the Internet," said Callahan in his prepared remarks today.
The primary fault found with the first version of the online PEBES system was that anyone who knew another individual's personal authenticating information could access that individual's personal record, according to the SSA. Also, the information needed to answer the authentication questions was relatively easy to get, according to criticism received by the SSA.
New features of the revised system include the following:
-- Individual Social Security records will be locked out of the Internet unless an individual opts into the new service, and those who request online service will be able to opt in only after being informed of benefits and risks of unlocking their personal information online;
-- Delivery of information will be available only to those who have a registered email account such as one with an employer or ISP;
-- Users will be required to provide five authenticating pieces of information (name on Social Security card, Social Security number, date of birth, state of birth, and mother's maiden name). A verification code will then be sent to the user, who only then will be able to obtain the PEBES information online; and
-- The modified online PEBES will show benefit estimates, number of work credits earned and whether the requester is insured for benefits, but it will not show earnings history.
The SSA also plans to offer other information online, and will work to integrate leading-edge encryption techniques into its online data delivery systems, according to Callahan. For example, in 1998 the SSA plans to accept Internet requests for annual statements of Social Security benefits paid and for letters verifying benefit amounts for beneficiaries to use with third-party organisations.
Part of the SSA push into online data delivery comes from a regulation that will require the organization, by 1999, to send PEBES statements to all workers age 25 and older. One way of cutting down costs for the effort will be to offer PEBES statements via the Internet, according to the SSA. The SSA will experiment with using public-key encryption techniques to offer this service, making use of computer-generated public and private keys to assure secure Internet data delivery, according to the SSA.
The SSA's grappling with online privacy issues is a good test case for organizations that offer or expect to offer or receive personal information online, said industry watchers. Commercial organizations are sure to monitor what the SSA does, to gauge what kind of privacy safeguards will be accepted or deemed necessary by the public.
Like many commercial enterprises, the government is looking to the Internet as a cost-efficient way of disseminating information, pointed out Lori Fena, executive director of the Electronic Frontier Foundation, a San Francisco-based nonprofit group that tracks Internet privacy and civil liberties issues.
"I think the initial issues they face are just like the issues faced by other Internet pioneers," Fena said. "They too are pioneers, but face a much broader test than most organisations. I think it's very positive that they are trying to figure out the process rather than stepping away, and it sounds like they've gone through a good review process."
The EFF is promoting a system whereby Web sites tell users whether information is being collected by the site, and whether the information will be shared by other organizations. The EFF is trying to get government sites interested in the system, said Fena.
The Social Security Administration can be reached at http://www.ssa.gov/.