Social Security says Web site was designed to be safe
But Congressional critics were unconvinced
April 9, 1997
Web posted at: 9:41 p.m. EDT (0141 GMT)
In this story:
WASHINGTON (CNN) -- Bowing to fears about potential pirating
of personal data, the Social Security Administration pulled the plug Wednesday on a World Wide Web site that people could use to check information about their earnings and benefits.
The service was discontinued after several members of
Congress questioned whether personal information was secure on the Internet -- despite safeguards put in place by the agency to protect the data.
In turning off the site, Acting Social Security Commissioner John Callahan said nothing was more important than maintaining the public's confidence in the agency's ability to keep data confidential.
"That confidence has been called into question," Callahan
The question, however, is how likely it ever was that
information on the Social Security site could have been
In March, the agency launched a service on its main Web site
that allowed people to receive their Personal Earnings and
Benefit Estimate Statement electronically.
The statement shows the salary history of an individual, upon
which Social Security payments are based. The agency now
spends millions of dollars each year mailing out those
statements to Americans who ask for them. The electronic
system was designed to reduce those costs.
In order to obtain their report, people had to send in, via
e-mail, a form containing their name, Social Security number,
date and place of birth, and mother's maiden name. The Social
Security Administration would then e-mail them the earnings
There were several important safeguards built into the system
to prevent personal data from falling into unauthorized
- E-mail messages were encrypted. That is, they were
electronically scrambled between the sender and receiver so
if a computer hacker intercepted them, the result would be
"gibberish," according to Social Security spokesman Phil
The encryption process Social Security used works with at
least a 40-bit electronic key. In a January test, an e-mail
message encoded with a 40-bit key was cracked. But it took
250 computers, with the capability to test 100 billion code
combinations an hour, more than three hours to break the code
-- a substantial amount of work to obtain someone's earnings
And the site had the capacity to use a 128-bit or higher key even more difficult to decipher. In fact, systems that use
an electronic key 56 bits or higher are so difficult to
decipher that the United States forbids their export to other
countries on national security grounds.
- In order to request the statement of another person
without their authorization, a pirate would have to know all
five of the pieces of information Social Security requires.
And if they have that data, they don't need the Internet
because, they can already request a benefits statement
through conventional mail.
Written requests require a signature, but Social Security
officials admit they don't keep individual signatures on file
to cross check.
- The system was set up so that Social Security auditors
can trace any request for information back to the computer
that made it. So if an attempt to obtain unauthorized
information were successful, the perpetrator could be caught.
- Users are warned not to use public computer terminals to
access earnings information, because the information could be
stored and copied by others.
However, the argument that receiving a benefits statement
electronically was as secure -- perhaps even more secure --
than getting one through the mail didn't fly with some
members of Congress.
A bipartisan group of four senators, including Senate
Minority Leader Tom Daschle, sent a letter to Social Security
officials asking that the program be suspended.
U.S. Rep. Paul Kanjorski, D-Pennsylvania, wants to go even
further. He says he'll introduce legislation that would ban
sending Social Security information over the Internet.
Callahan said his agency will spend the next 60 days
investigating the security concerns surrounding transfer of
information over the Internet, including the possibility of
adding even more safeguards. Public hearings also will be
held in Washington and around the country, he said.
In the meantime, anyone who wants to get a written report
showing their earnings and benefits can request it via e-mail
but will receive it from the Postal Service, a process that
can take up to six weeks.
Watch these shows on CNN for more sci-tech stories:
CNN Computer Connection | Future Watch | Science & Technology Week
© 1997 Cable News Network, Inc.
All Rights Reserved.
Terms under which this
service is provided to you.