InCommon Federation Discussions About Online Student Services

["Rodney Petersen" <>]

Well, in some small measure it is because state or federal laws and regulation increasingly restrict its use.  There are a handful (3 or 4 states) that outright prohibit its use as an identifier for employees and students and others that restrict it from being printed on ID cards and require other steps to minimize abuse.  The State of California, at the mandate of its state legislature, recently concluded a study of the use of SSN’s at institutions of higher education (see http://www.privacy.ca.gov/res/docs/pdf/SSN%20Report%20FINAL.pdf).  There is increasingly pressure from the federal government to limit its non-official uses - see the recommendations of the President’s Task Force on Identity Theft (http://www.identitytheft.gov/) and the FTC’s Report on “Security in Numbers:  SSN’s and Identity Theft” (http://www.ftc.gov/os/2008/12/P075414ssnreport.pdf).  The 1998 FERPA rules also contain extensive commentary on the use and disclosure of SSN’s.

 

I have to disagree with Brendan’s observation “that it is always bad practice to make public your internal unique identifier” for precisely the reason that others have mentioned (i.e., a unique identifier should be accompanied by an act of authentication; there should be no harm if the unique identifier is known by others.  In some cases, the “identifier” (for login purposes) and email alias are one in the same (e.g., is both my email alias and directory ID).  That is why we argued for some flexibility in the 1998 FERPA rules to NOT treat identifiers (other than SSN’s) as non-directory information – i.e., arguing to the Department of Education that they should permit the sharing and disclosure of them without penalty, assuming the identifier alone does not provide access to FERPA-protected information.  I recognize that there is a difference of opinion in this approach which is why we took the position that there should be flexibility.

 

EDUCAUSE maintains a resource page on The Elimination of Social Security Numbers as Primary Identifiers at http://www.educause.edu/Resources/Browse/Elimination%20of%20Social%20Security%20Numbers%20as%20Primary%20Identifiers/33362

 

Thanks,

 

-Rodney

 

 

From: [mailto:] On Behalf Of Keith Hazelton
Sent: Monday, January 10, 2011 7:48 AM
To: mace-dir; Valerie Vogel; InC-Student
Subject: [InC-Student] Why so much effort to minimize use of SSNs in the US?

 

I'm asking for a range of answers to the question "Why have we in the US spent so much time and resource into getting the SSN out of our systems and data files?"  I have recently seen opinions that it's really only because the SSN was used as part of an authentication solution.  It may seem obvious to some that there is more to it, but I'm asking you to state the various concerns that led us to push back so hard on their widespread use.

 

Why?  High-energy discussions around person identifiers are swirling around the US again.  A new push from several quarters for a "globally unique, persistent and portable identifier" is driving the discussion.  This is often jokingly introduced as "The SSN was perfect, but we can't use that, so..."

 

Help enrich the discussion by contributing your answers.  One place this will surface is on the InCommon, Internet2 and Educause-sponsored "IAM Online" series this Wednesday, Jan. 12 at 3:00 pm Eastern Standard Time, "A Panel Discussion about Persistent Identifiers for Education" (see http://www.incommon.org/iamonline/ for details).