Social Security says Web site was designed to be safe
But Congressional critics were unconvinced
April 9, 1997
Web posted at: 9:41 p.m. EDT (0141 GMT)
WASHINGTON (CNN) -- Bowing to fears about potential pirating
of personal data, the Social Security Administration pulled the plug Wednesday on a World Wide Web site that people could use to check information about their earnings and benefits.
The service was discontinued after several members of
Congress questioned whether personal information was secure on the Internet -- despite safeguards put in place by the agency to protect the data.
In turning off the site, Acting Social Security Commissioner John Callahan said nothing was more important than maintaining the public's confidence in the agency's ability to keep data confidential.
"That confidence has been called into question," Callahan
said.
The question, however, is how likely it ever was that
information on the Social Security site could have been
pirated.
In March, the agency launched a service on its main Web site
that allowed people to receive their Personal Earnings and
Benefit Estimate Statement electronically.
The statement shows the salary history of an individual, upon
which Social Security payments are based. The agency now
spends millions of dollars each year mailing out those
statements to Americans who ask for them. The electronic
system was designed to reduce those costs.
In order to obtain their report, people had to send in, via
e-mail, a form containing their name, Social Security number,
date and place of birth, and mother's maiden name. The Social
Security Administration would then e-mail them the earnings
statement.

There were several important safeguards built into the system
to prevent personal data from falling into unauthorized
hands:
- E-mail messages were encrypted. That is, they were
electronically scrambled between the sender and receiver so
if a computer hacker intercepted them, the result would be
"gibberish," according to Social Security spokesman Phil
Gambino.
The encryption process Social Security used works with at
least a 40-bit electronic key. In a January test, an e-mail
message encoded with a 40-bit key was cracked. But it took
250 computers, with the capability to test 100 billion code
combinations an hour, more than three hours to break the code
-- a substantial amount of work to obtain someone's earnings
history.
And the site had the capacity to use a 128-bit or higher key, even more difficult to decipher. In fact, systems that use
an electronic key 56 bits or higher are so difficult to
decipher that the United States forbids their export to other
countries on national security grounds.
- In order to request the statement of another person
without their authorization, a pirate would have to know all
five of the pieces of information Social Security requires.
And if they have that data, they don't need the Internet
because they can already request a benefits statement
through conventional mail.
Written requests require a signature, but Social Security
officials admit they don't keep individual signatures on file
to cross-check.
- The system was set up so that Social Security auditors
can trace any request for information back to the computer
that made it. So if an attempt to obtain unauthorized
information were successful, the perpetrator could be caught.
- Users are warned not to use public computer terminals to
access earnings information, because the information could be
stored and copied by others.
However, the argument that receiving a benefits statement
electronically was as secure -- perhaps even more secure --
than getting one through the mail didn't fly with some
members of Congress.
A bipartisan group of four senators, including Senate
Minority Leader Tom Daschle, sent a letter to Social Security
officials asking that the program be suspended.
U.S. Rep. Paul Kanjorski, D-Pennsylvania, wants to go even
further. He says he'll introduce legislation that would ban
sending Social Security information over the Internet.
Callahan said his agency will spend the next 60 days
investigating the security concerns surrounding transfer of
information over the Internet, including the possibility of
adding even more safeguards. Public hearings also will be
held in Washington and around the country, he said.
In the meantime, anyone who wants to get a written report
showing their earnings and benefits can request it via e-mail
but will receive it from the Postal Service, a process that
can take up to six weeks.
© 1997 Cable News Network, Inc.
All Rights Reserved.