Ms. Leveta Ray, CPA Executive Director Arkansas State Board of Public Accountancy 101 East Capitol, Suite 450 Little Rock, AR 72201
Dear Ms. Ray:
I am writing in response to your request for an opinion on the following:
The purpose of this letter is to request on behalf of the Arkansas State Board of Public Accountancy [("Board")] an official opinion of the Attorney General in regard to the use of a portion of [an] individual's social security number.
The last four digits of an applicant's or licensee's social security number would be combined with a person's birth date and this combination will be "hashed" into a unique identifier to be used in a national licensee database. The database will be information about applicants and licensees, maintained by the National Association of State Boards of Accountancy, for use by the licensing boards of the various states, and to a limited extent, to be available to the public. Information about "hashing" is available at www.partow.com/programming/hasfunctions. The issue is whether the use of the last four digits of an individual's social security numbers as described above would be in violation of Ark. Code Ann. § 17-1-104 or other applicable state or federal law or regulation?
RESPONSE
With respect to potential federal law implications, I recommend that you contact the United States Attorney's Office for the Eastern District of Arkansas. With respect to state law issues, in my opinion the process described in your request for an opinion, applying a "hash function" to a portion of an individual's social security number in addition to his or her date of birth, and disseminating or publishing the resulting number does not appear to violate any state law.
In addition to A.C.A. § 17-1-104 (Repl. 2001), Act 1295 of 2005, now codified at A.C.A. § 4-86-107 (Supp. 2005), is also implicated.
A.C.A. § 17-1-104
In my opinion, use of the last four digits of a licensee or applicant's social security number to generate a unique identification number through a hash program algorithm would not violate A.C.A. § 17-1-104.
Section 104 states:
17-1-104. Collection of personal information for the purpose of child support enforcement.
(a) On and after July 1, 1997, all persons, agencies, boards, commissions, or other licensing entities issuing any occupational, professional, or business license pursuant to titles 2-6, 8, 9, 14, 15, 17, 20, 22, 23, and 27 of the Arkansas Code Annotated shall record the name, address, and social security number of each person applying for such a license.
(b)(1) The name, address, and social security number of the person shall appear on the application. However, where an application is not required, the name, address, and social security number shall appear on the occupational, professional, or business license.
(2) On and after October 1, 2000, the name, address, and social security number of each person issued a noncommercial driver's license under § 27-1-101 et seq. shall appear on the application for the noncommercial driver's license. This information shall be maintained by the Revenue Division of the Department of Finance and Administration as confidential information not subject to disclosure under any commercial agreement, request under the Freedom of Information Act of 1967, § 25-19-101 et seq., as well as all applicable state and federal confidentiality requirements.
(c) The name, address, and social security number of each person issued a license pursuant to titles 2-6, 8, 9, 14, 15, 17, 20, 22, 23, and 27 of the Arkansas Code Annotated shall be stored by the person, agency, board, commission, or other licensing entity in an electronic automated data system capable of transferring the information to electronic media. On a quarterly basis, the licensee database shall be transmitted to or made available to the Office of Child Support Enforcement of the Revenue Division of the Department of Finance and Administration for the purposes of cross matching, location, and enforcement of child support obligations.
(d)(1) Only those persons, agencies, boards, departments, commissions, or other licensing entities that issue five hundred (500) or more licenses each year, or that have a membership of five hundred (500) or more, are required to implement an automated data system as set forth in subsection (c) of this section.
(2) Those persons, agencies, boards, departments, commissions, or their licensing entities that issue fewer than five hundred (500) licenses each year, or that have a membership of fewer than five hundred (500), shall not be required to transmit licensee information to the Office of Child Support Enforcement on an automated basis.
(e) The name of any member or representative of a licensing entity who refuses to provide license information to the Office of Child Support Enforcement shall be certified by the Office of Child Support Enforcement to the office of the Governor and to the Legislative Council.
(f)(1) Member and applicant social security information required to be collected under this section shall be maintained in a confidential manner by the licensing entity.
(2) Except as authorized herein, such social security number information shall not be released publicly and shall be excepted from the open public record requirements of the Freedom of Information Act of 1967, § 25-19-101 et seq.
(3) Disclosure of such social security information without the consent of the individual or without court authorization shall be a Class B misdemeanor.
(4) Confidentiality requirements associated with the collection and maintenance of social security numbers by the licensing entity shall be appropriately disseminated and posted in the licensing entity's offices.
A.C.A. § 17-1-104.
This section applies to the Board because the Board regulates public accountants and certified public accountants in Arkansas pursuant to A.C.A. §§ 17-12-101 through -702 (Repl. 2001 Supp. 2005). As I understand "hashing" functions, a hash function algorithm1 is an algorithm, or mathematical function in this instance, that generates a pseudorandom2 number from certain sets of input. See, e.g., Arash Partow, General Purpose Hash Function Algorithms, available at http://www.partow.net/programming/hashfunctions (last visited on Dec. 16, 2005). A cryptographic hash function "has the property of being very difficult to reverse the result of the hash and hence reproduce the original piece of data." Id. The resulting "hashed" number is a pseudorandom number that bears only a mathematical relationship to the original data, which is not readily discernible from the original input.Id.; see also Viega, Practical Random Number Generator Software, supra.
In my opinion, although it may to some degree involve a question of fact based upon the sophistication of the particular hash function used, generating a unique identifying number through a hashing algorithm based on a portion of the individual's social security number and birth date would not appear to violate A.C.A. § 17-1-104(f)(2). The prohibition contained in A.C.A. § 17-1-104(f)(2) prohibits the publication of an individual's "social security number" and does not prohibit a mathematical derivative of a social security number that is theoretically cryptographically secure from being disseminated in the manner described in your request for an opinion. Again, however, the issue may depend upon the cryptographic security of the hashed identification number.
Regardless of the use of a hashed personal identification number as described in your request for an opinion, the Board must still comply with the provisions of A.C.A. § 17-1-104 requiring the collection of social security numbers and subsequent transmission to the State to facilitate the enforcement of child support orders. That information, of course, is required to be kept confidential under A.C.A. § 17-1-104(f).
Act 1295 of 2005
Act 1295 of 2005, now codified at A.C.A. § 4-86-107, designed to prevent the misappropriation of social security numbers, states:
4-86-107. Prohibiting the misappropriation of social security numbers.SECTION 1. Arkansas Code Title 4, Chapter 86, Subchapter 1 is amended to add an additional section to read as follows:
(a) As used in this section:
(1) "Person" means an individual, corporation, partnership, organization, or any other entity; and
(2) "Publicly post" or "publicly display" means to intentionally communicate or otherwise make available to the general public.
(b) Except as provided in subsection (c) of this section, a person may not do any of the following:
(1) Publicly post or publicly display in any manner an individual's social security number; [or]
* * *
(4) Require an individual to transmit his or her social security number over the Internet unless the connection is secure or the social security number is encrypted.
* * *
(c) This section does not prevent the collection, use, or release of a social security number as required or explicitly authorized by federal or state law, or pursuant to state or federal court rules.
* * *
(g) This section shall become effective on January 1, 2007, and apply to acts occurring on or after January 1, 2007.
Id.
Again, assuming that the particular facts show a cryptographically secure number, the proposed course of action does not appear to violate this prohibition against publication of an individual's social security number. This is true if the identification number to be disseminated is a unique number created by use of a mathematical function generating a pseudorandom result. This would not, in my opinion, amount to a public posting of the "social security number."
With respect to your request for an opinion regarding applicable federal law or regulations, I note that the federal privacy act protects against the disclosure of an individual's social security number. See5 U.S.C. § 552a. Additional questions regarding the interpretation or research of federal law should be directed to the United States Attorney's Office for the Eastern District of Arkansas at 425 West Capitol Avenue, Little Rock, Arkansas 72201, or at (501) 340-2600.
Assistant Attorney General Joel DiPippa prepared the foregoing opinion, which I hereby approve.
Sincerely,
MIKE BEEBE Attorney General
MB:JMD/cyh
1 An algorithm is "a statement or conclusion based on a sequence of steps involving mathematical, logical, or natural rules or principles."Black's Law Dictionary, 7th Ed., Bryan Garner, Ed., 71.
2 Pseudorandom numbers are numbers that, in theory, will appear to be a random string of numbers, which are generated through a mathematical formula using a set value of "entropy" deviations from the input data.See, e.g., John Viega, Practical Random Number Generator Software, Proc. 19th Annual Computer Security Applications Conference, Dec. 2003, available at http://www.acsac.org/2003/papers/79.pdf (last visited on Dec. 16, 2005).