SSR 96-10p
EFFECTIVE/PUBLICATION DATE: 12/30/96
SSR 96-10p: POLICY INTERPRETATION RULING ELECTRONIC SERVICE DELIVERY
PURPOSE: This Policy Interpretation Ruling represents the Social Security Administration's (SSA) policy for allowing our customers to communicate with us electronically through access methods such as the Internet, video conferencing, and dial-up phone systems. By such methods, we will be able to accept reports, requests, applications, and other information. The Ruling also sets out our policy making electronic and digital signatures the functional equivalent of traditional handwritten signatures in certain situations which will be separately specified by SSA. We call these efforts to provide electronic service options to our customers electronic service delivery (ESD).
ESD includes the use of the specific technologies noted above, other current technologies, and future and as yet unidentified technologies which allow SSA's customers to transact business with us via Agency-approved methods. By expanding our service delivery options, we are continuing our efforts to provide world class service to our customers.
Information submitted by our customers using ESD technologies which are consistent with the principles described below and meet
- accepted industry standards; and
- SSA privacy, security, fraud detection and prevention, and authentication standards
will be considered by SSA to be the functional equivalent of information submitted using traditional paper-based methods.
Determination of the appropriate ESD technologies for a given service will be based upon our evaluation of the sensitivity of the information, potential service impacts on our customers, and the risk factors including fraud detection, prevention, and prosecution, and cost/benefit considerations.
AUTHORITY: This Ruling is published under the authority of the Commissioner of Social Security in accordance with 20 CFR 422.406.
PART I
INTRODUCTION: As noted in the Agency's Strategic Plan[1] and described in more detail in our Business Plan[2], SSA is expanding the service options available to our customers in new and innovative ways as technological advances allow. Agency ESD initiatives, based on proven secure technology, will provide our customers with access to SSA to conduct their business in new ways which are convenient for them and efficient for both them and SSA.
SSA has historically relied upon paper-based systems of information collection. Technological advances have reached the point where the use of electronic information collection is efficient, cost-effective, and frequently our customers' preferred method of doing business.
Paper-based information collection systems are perceived as being secure largely because they are the only information collection systems with which most individuals are familiar.
The following excerpt from a law journal article provides a historical perspective of the security features of paper-based information collection:
Traditional paper-based communications accompanied by handwritten signatures provide three essential security characteristics: message integrity, originator authentication, and non-repudiation. Depending on the nature of the communication, an additional security characteristic, confidentiality, may be desired. The efficacy of the various techniques used to ensure the desired level of security in turn depends on the adequacy of the administrative controls associated with their use.
- Message integrity is the assurance that the content of a communication is complete and has not been changed prior to receipt.
- Originator authentication provides assurance that the communication originated from the named source. This is most commonly provided by the handwritten signature, or historically, by the seal of the author.
- Non-repudiation is a stronger form of authentication which relates to the ability of a disinterested third party to reasonably conclude that the identified originator intended to be bound by the substance of the communication. This function is most commonly performed by the original autograph signature affixed to a document having facially adequate message integrity.
- Confidentiality is the ability to limit access to the information contained in a communication. This has generally been accomplished with some combination of security markings, envelopes, seals, trusted messengers, and by the use of codes and ciphers.[3]
The transfer of information in traditional paper-based systems is known as "writing." ESD technologies allow the transfer of information by other than traditional paper-based methods. SSA is adopting a definition of writing which is consistent with modern legal usage and includes electronic information transfer. For example, the U.S. Code includes a definition of writing which is consistent with SSA's purposes:
- "[W]riting" includes printing and typewriting and reproductions of visual symbols by photographing, multigraphing, mimeographing, manifolding, or otherwise.[4]
The Federal Rules of Evidence, which apply to many of the proceedings in the Courts of the United States, define writing as follows:
- "Writings" and "recordings" consist of letters, words, or numbers, or their equivalent, set down by handwriting, typewriting, printing, photostating, photographing, magnetic impulse, mechanical or electronic recording, or other form of data compilation.[5]
This SSA policy making electronic information collection and distribution the functional equivalent of traditional handwritten information collection and distribution is in accord with U.S. law and the Federal Rules of Evidence as shown in these definitions. Accordingly, as SSA approves the use of specific ESD technologies, the products of those technologies will be considered writings by us.
POLICY INTERPRETATION: It is the policy of SSA to treat information received and distributed via Agency-approved ESD technologies as the functional equivalent of information received and distributed using traditional paper-based methods.
SSA's approval of ESD technologies for use by our customers will mean that the approved technologies provide a sufficient level of security and reliability that they can be an acceptable substitute for traditional paper-based information collection systems as described above, for the purpose of conducting the business of the Agency. Decisions about which ESD technologies are suitable for use with SSA will be made with appropriate input from the SSA components involved in the proposed activity.
PART II
This Policy Interpretation Ruling also addresses the use of electronic and digital signatures. Electronic and digital signatures are an integral factor in many ESD initiatives. Just as technology makes possible the electronic transmission of information for which SSA requires a signature, other technologies provide the means for a document to be "signed" without a traditional handwritten signature. SSA requires a handwritten signature in only a limited number of situations (e.g., applications for benefits). The circumstances where a signature is required is an issue that is beyond the scope of this Ruling. We are expanding the meaning of the term "signature" to include electronic and digital methods that serve the purpose of originator identification, authentication, and non-repudiation to the extent that is technologically possible and feasible for SSA's activities.
POLICY INTERPRETATION: It is the policy of SSA that information for which SSA requires a signature may be signed using SSA-approved signature methods including handwritten, electronic, or digital methods. Approved signature methods will reasonably ensure, to the extent technologically possible and feasible for SSA's activities, that the signer can be identified and that the signer cannot later repudiate the submission of the information.
CONCLUSION: The early paragraphs of this Policy Interpretation Ruling listed the four essential security characteristics of paper-based information collection. These two policy interpretations were developed to ensure that the four security characteristics described earlier are maintained in all ESD technologies approved by SSA. Originator authentication and non-repudiation are addressed as aspects of the electronic and digital signature policy. Message integrity and confidentiality, although not specifically described in the policy statement endorsing ESD, are implicitly contained in the limitation statement that all ESD technologies must be approved by SSA.[6]
SSA approval of a particular ESD technology will require assurance that the technology is consistent with all appropriate laws and directives. Since the appropriate technology and levels of security will vary based upon the sensitivity of the business application, SSA's selection of the appropriate technology or technologies for a given usage will be based upon consideration of the service impacts on our customers, a risk analysis including fraud detection, prevention, and prosecution concerns, and an analysis of the costs and benefits related to the technology.
In summation, it is SSA policy that all information received and distributed via Agency-approved ESD technologies is the functional equivalent of information received and distributed using traditional paper-based methods. It is also the policy of SSA that information for which a signature is required can be signed using electronic or digital technologies approved by SSA, provided that the electronic or digital signature reasonably ensures that the signer can be identified and that the signer cannot later repudiate the submission of the information.
These two policy interpretations are being issued to facilitate the Agency's attempts to better serve our customers through the use of ESD technologies. It is not intended that our customers always must conduct business with SSA electronically. Rather, we are providing our customers with an optional way of doing business with us while ensuring that the information provided to, or distributed by, SSA through electronic methods is as secure and reliable as it must be for the purpose for which it is used.
EFFECTIVE DATE: This Policy Interpretation Ruling is effective December 30, 1996.
[1] SSA Pub. No. 01-001 (September 1991).
[2] SSA Pub. No. 01-008 (April 1996).
[3] Peter N. Weiss, Security Requirements and Evidentiary Issues in the Interchange of Electronic Documents: Steps Toward Developing a Security Policy, The John Marshall Journal of Computer & Information Law, Vol. XII, No. 3, pp. 431-432 (October 1993).
[4] 1 U.S.C. § 1.
[5] Fed. R. Evid. 1001(1). The Advisory Committee notes to this rule make it clear that writings can be created by mechanical or electronic techniques or other forms of information compilation.
[6] For a detailed description of the security features of electronic information transfers in general and digital signatures in particular see generally, M. Baum, Federal Certification Authority Liability and Policy (U.S. Dept. of Commerce, NIST-GCR-94-654 (June 1994)).