Irrational Exuberance: The misuse of our SSN

In the days following the 9/11 events, the words cyber-privacy, cyber-crime and cyber-terrorism acquired new dimensions. Almost overnight, every institution and individual, all the way from major governments to politicians to the average citizens, became paranoid at the implications of having their private information compromised in one way or another. In America, pages from major government websites were removed immediately because apparently they revealed too much sensitive information (some famous examples being NASA, Department of Energy and FAA). Congressmen sent memorandums flying to institutions and to citizens to emphasize the need for better security and privacy of confidential data. Companies became more careful in their handling of employee records. And netizens became more wary when exchanging messages with the strangers they came across in a chat room. Yet, none of these came as a surprise to me, or to anyone else who was already aware of the vast availability of sensitive information over the Internet and in the offices, long before 9/11.

Over the past years, it was written over and over that personal confidential information was too easily available, not only on the Internet, but also in the common household and office environments, and that this situation had better be corrected. People listened and acted accordingly, but did so only gradually. The careless use of personal information did not decline fast enough to brake the dramatic rise in a certain category of crimes, now commonly known as cyber-crimes. According to the Federal Trade Commission's statistics for instance, identity theft has become the fastest-growing financial crime. ITRC (Identity Theft Resource Center) estimates that 700,000 people have been victimized in this fashion in 2001 in America alone. The growth of cyber-crimes is fueled at such explosive speeds because people have been lazy and careless at protecting their sensitive data, such as their addresses, telephone numbers and social security numbers. It may be a good brain exercise therefore, to question how Princeton University is respecting and protecting its students' private information. And, you will be thunderstruck to hear that the students' private information is being treated as if it were public.

Take the case of social security numbers. A Social Security Number in America is arguably among the most important piece of confidential information that one possesses. As I said previously, a name and a matching SSN is all that is required to become victimized by an identity thief. And given that, who is so blind to fail to notice that the SSNs are being used on the Princeton campus for the most ridiculous purposes?

Walk into a dining hall to have your lunch, and if the card reader happens to be offline, out comes a sheet of paper where everyone who wants to go in has to sign their names and SSNs. Only after you write your SSN are you allowed to eat; otherwise you can't. By the end of the lunch, the dining services has this long, long list of names of students along with their SSNs. Obviously, no one realizes that this list represents a danger as far as privacy of personal information is concerned. I have been an intern at various companies and have witnessed first hand how the employee information, including SSNs, is treated as confidential information of highest degree. When compared, several Princeton practices remain incomprehensible.

Go to the housing office, and within 10 seconds you are asked the inevitable question: What is your SSN? Why the SSNs are necessary to sign housing contracts or buy meal points, no one knows. Worse still, no one seems to get bothered. But the fact remains that both the dining and the housing offices use SSNs as their primary student identifiers.

The situation is no better in the registrar's office. You need to give up your SSN to obtain a student certification, to request a transcript or even to sign up for courses. In the beginning of each term, the registrar mails course cards to each one of the university's thousands of students. These cards, whose sole purpose is to make sure that you sign up for courses under approval of an academic adviser, come imprinted with the SSN of the recipient. Until picked up, they remain in open mailboxes, with the SSNs shining and ready for everyone to see. But why require SSNs to sign up for courses, and why not use the nine-digit student number instead? If, on the other hand, the student numbers are used for nothing, why bother assigning them?

To be fair, there are occasions where SSNs have no alternatives and must be used. But these are strictly limited to payroll for accounting and taxes, and maybe to the McCosh Health Center for medical records and insurance. I have no objection to such justified uses of SSNs, but who in blazes says that I need to disclose my SSN to renew my locker in the Dillon gym? That's right! The form you are required to fill out to renew your locker asks for your SSN before anything else.

It is clear that the students' private information is being treated without any real assurance of secrecy. The SSNs are being asked for and collected for trivial purposes, creating an inherently vulnerable environment. The lesson to be learned is twofold. First, the students need to learn the real purposes of a social security number and try to use it for those purposes only. Second, the university needs to realize that the SSNs are being used for purposes completely irrelevant to their real purposes and this is being done with irrational exuberance. It is therefore the responsibility of all university offices, from registrar to housing to dining to athletics, to identify and weed out all non-essential uses of students' social security numbers. Only then we may have an environment where our private information will be reasonably well-respected and protected, which will be a good thing for all. A. Murat Fiskiran, a graduate student in the department of electrical engineering, is from Princeton, N.J. He can be reached at fiskiran@princeton.edu.