<DOC> [109th Congress House Hearings] [From the U.S. Government Printing Office via GPO Access] [DOCID: f:30704.wais] FOURTH IN A SERIES OF SUBCOMMITTEE HEARINGS ON SOCIAL SECURITY NUMBER HIGH-RISK ISSUES ======================================================================= HEARING before the SUBCOMMITTEE ON SOCIAL SECURITY of the COMMITTEE ON WAYS AND MEANS U.S. HOUSE OF REPRESENTATIVES ONE HUNDRED NINTH CONGRESS SECOND SESSION __________ MARCH 16, 2006 __________ Serial No. 109-58 __________ Printed for the use of the Committee on Ways and Means U.S. GOVERNMENT PRINTING OFFICE 30-704 WASHINGTON : 2006 _____________________________________________________________________________ For Sale by the Superintendent of Documents, U.S. Government Printing Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512ÿ091800 Fax: (202) 512ÿ092250 Mail: Stop SSOP, Washington, DC 20402ÿ090001 COMMITTEE ON WAYS AND MEANS BILL THOMAS, California, Chairman E. CLAY SHAW, JR., Florida CHARLES B. RANGEL, New York NANCY L. JOHNSON, Connecticut FORTNEY PETE STARK, California WALLY HERGER, California SANDER M. LEVIN, Michigan JIM MCCRERY, Louisiana BENJAMIN L. CARDIN, Maryland DAVE CAMP, Michigan JIM MCDERMOTT, Washington JIM RAMSTAD, Minnesota JOHN LEWIS, Georgia JIM NUSSLE, Iowa RICHARD E. NEAL, Massachusetts SAM JOHNSON, Texas MICHAEL R. MCNULTY, New York PHIL ENGLISH, Pennsylvania WILLIAM J. JEFFERSON, Louisiana J.D. HAYWORTH, Arizona JOHN S. TANNER, Tennessee JERRY WELLER, Illinois XAVIER BECERRA, California KENNY C. HULSHOF, Missouri LLOYD DOGGETT, Texas RON LEWIS, Kentucky EARL POMEROY, North Dakota MARK FOLEY, Florida STEPHANIE TUBBS JONES, Ohio KEVIN BRADY, Texas MIKE THOMPSON, California THOMAS M. REYNOLDS, New York JOHN B. LARSON, Connecticut PAUL RYAN, Wisconsin RAHM EMANUEL, Illinois ERIC CANTOR, Virginia JOHN LINDER, Georgia BOB BEAUPREZ, Colorado MELISSA A. HART, Pennsylvania CHRIS CHOCOLA, Indiana DEVIN NUNES, California Allison H. Giles, Chief of Staff Janice Mays, Minority Chief Counsel ______ SUBCOMMITTEE ON SOCIAL SECURITY JIM MCCRERY, Louisiana, Chairman E. CLAY SHAW JR., Florida SANDER M. LEVIN, Michigan SAM JOHNSON, Texas EARL POMEROY, North Dakota J.D. HAYWORTH, Arizona XAVIER BECERRA, California KENNY C. HULSHOF, Missouri STEPHANIE TUBBS JONES, Ohio RON LEWIS, Kentucky RICHARD E. NEAL, Massachusetts KEVIN BRADY, Texas PAUL RYAN, Wisconsin Pursuant to clause 2(e)(4) of Rule XI of the Rules of the House, public hearing records of the Committee on Ways and Means are also published in electronic form. The printed hearing record remains the official version. Because electronic submissions are used to prepare both printed and electronic versions of the hearing record, the process of converting between various electronic formats may introduce unintentional errors or omissions. Such occurrences are inherent in the current publication process and should diminish as the process is further refined. C O N T E N T S __________ Page Advisory of March 8, 2006 announcing the hearing................. 2 WITNESSES The Honorable Patrick P. O'Carroll, Inspector General, Social Security Administration........................................ 6 Richard Outland, Branch Chief, Questioned Document Branch, Forensic Services Division, U.S. Secret Service................ Frederick G. Streckewald, Assistant Deputy Commissioner, Disability and Income Security Programs, Social Security Administration................................................. 9 Stephen T. Kent, Ph.D., Chairman, Committee on Authentication Technologies and Their Privacy Implications, National Research Council, The National Academies................................ 18 Marc Rotenberg, President, Electronic Privacy Information Center. 24 SUBMISSION FOR THE RECORD Severn Trent Services, Colmar, PA, Joint Letter.................. 41 FOURTH IN A SERIES OF SUBCOMMITTEE HEARINGS ON SOCIAL SECURITY NUMBER HIGH-RISK ISSUES ---------- THURSDAY, MARCH 16, 2006 U.S. House of Representatives, Committee on Ways and Means, Subcommittee on Social Security, Washington, DC. The Subcommittee met, pursuant to notice, at 10:03 a.m., in room B-318, Rayburn House Office Building, Hon. Jim McCrery (Chairman of the Subcommittee) presiding. [The advisory announcing the hearing follows:] ADVISORY FROM THE COMMITTEE ON WAYS AND MEANS SUBCOMMITTEE ON SOCIAL SECURITY CONTACT: (202) 225-9263 FOR IMMEDIATE RELEASE March 8, 2006 SS-13 McCrery Announces Fourth in a Series of Subcommittee Hearings on Social Security Number High-Risk Issues Congressman Jim McCrery, (R-LA), Chairman, Subcommittee on Social Security of the Committee on Ways and Means, today announced that the Subcommittee will hold the fourth in a series of Subcommittee hearings on Social Security number (SSN) high-risk issues. The hearing will examine expanding uses of the SSN card and measures to prevent SSN card fraud. The hearing will take place on Thursday, March 16, 2006, in room B-318 Rayburn House Office Building, beginning at 10:00 a.m. In view of the limited time available to hear witnesses, oral testimony at this hearing will be from invited witnesses only. However, any individual or organization not scheduled for an oral appearance may submit a written statement for consideration by the Committee and for inclusion in the printed record of the hearing. BACKGROUND: The SSN was created in 1936 to record earnings and benefits for the Social Security program. The sole purpose of the SSN card was to show that an SSN had been issued to the named individual. Originally, the SSN card had no security features other than the individual's signature. Within a decade, the SSN's use grew beyond its original narrow purpose, and has continued to expand. According to the Social Security Administration (SSA), the SSN is now the single most widely-used record identifier for both the government and the private sectors. As with the SSN, the SSN card's uses also have expanded over the decades. Currently, one of its most important roles is in work authorization. The U.S. Department of Homeland Security requires employers to document the identity and employment eligibility of their new hires. For U.S. citizens and some non-citizens, employers may accept the SSN card as proof of a person's eligibility to work in the United States. As the uses of the SSN and the SSN card have increased, security features have been added to the SSN card to prevent its fraudulent duplication or alteration. For example, legislation enacted in the early 1980s required specific changes to the SSN card, and the Intelligence Reform and Terrorism Prevention Act of 2004 (P.L. 108-458) requires that standards be established and implemented to safeguard SSN cards from counterfeiting, tampering, alteration, and theft. However, the SSA does not replace all existing SSN cards when a new SSN card design is adopted, due to workload concerns and the potential burden on the public. As a result, since 1936, the SSA has issued more than 433 million SSNs, with about 50 different versions of the SSN card--all of which are still valid. Despite its adoption for other purposes, the SSN card by itself is not a personal identity document. The SSN card does not contain information that would confirm that the person presenting the card is actually the person whose name and SSN appear on the card. Several bills introduced in the 109th Congress would mandate significant changes to the card for that purpose. For example, one proposal would enhance the security features in the SSN card as part of a package of changes to the process of confirming the identity and work eligibility of new hires. However, ideas such as adding photographs, machine- readable electronic strips, and other features to SSN cards have raised concerns about the future purpose of the card. Some have expressed concerns that SSN card may evolve into a form of national identification. In announcing the hearing, Chairman McCrery stated, ``Because of the expanding use of SSNs and SSN cards, they are often transformed into tools to gain illegal employment and perpetrate identity theft and other crimes. We need a thorough examination of the appropriateness of using SSNs in certain roles. It is equally important for us to examine the potential impact on individual's security and privacy that could result from changes to the design of the SSN card.'' FOCUS OF THE HEARING: The Subcommittee will examine the history of SSNs and SSN card use, the role of the SSN card in work authorization, measures to prevent SSN card fraud, and the potential effects of transforming the SSN card into an identification document. DETAILS FOR SUBMISSION OF WRITTEN COMMENTS: Please Note: Any person(s) and/or organization(s) wishing to submit for the hearing record must follow the appropriate link on the hearing page of the Committee website and complete the informational forms. From the Committee homepage, http://waysandmeans.house.gov, select ``109th Congress'' from the menu entitled, ``Hearing Archives'' (http:/ /waysandmeans.house.gov/Hearings.asp?congress=17). Select the hearing for which you would like to submit, and click on the link entitled, ``Click here to provide a submission for the record.'' Once you have followed the online instructions, completing all informational forms and clicking ``submit'' on the final page, an email will be sent to the address which you supply confirming your interest in providing a submission for the record. You MUST REPLY to the email and ATTACH your submission as a Word or WordPerfect document, in compliance with the formatting requirements listed below, by close of business Thursday, March 30, 2006. Finally, please note that due to the change in House mail policy, the U.S. Capitol Police will refuse sealed-package deliveries to all House Office Buildings. For questions, or if you encounter technical problems, please call (202) 225-1721. FORMATTING REQUIREMENTS: The Committee relies on electronic submissions for printing the official hearing record. As always, submissions will be included in the record according to the discretion of the Committee. The Committee will not alter the content of your submission, but we reserve the right to format it according to our guidelines. Any submission provided to the Committee by a witness, any supplementary materials submitted for the printed record, and any written comments in response to a request for written comments must conform to the guidelines listed below. Any submission or supplementary item not in compliance with these guidelines will not be printed, but will be maintained in the Committee files for review and use by the Committee. 1. All submissions and supplementary materials must be provided in Word or WordPerfect format and MUST NOT exceed a total of 10 pages, including attachments. Witnesses and submitters are advised that the Committee relies on electronic submissions for printing the official hearing record. 2. Copies of whole documents submitted as exhibit material will not be accepted for printing. Instead, exhibit material should be referenced and quoted or paraphrased. All exhibit material not meeting these specifications will be maintained in the Committee files for review and use by the Committee. 3. All submissions must include a list of all clients, persons, and/or organizations on whose behalf the witness appears. A supplemental sheet must accompany each submission listing the name, company, address, telephone and fax numbers of each witness. Note: All Committee advisories and news releases are available on the World Wide Web at http://waysandmeans.house.gov. The Committee seeks to make its facilities accessible to persons with disabilities. If you are in need of special accommodations, please call 202-225-1721 or 202-226-3411 TTD/TTY in advance of the event (four business days notice is requested). Questions with regard to special accommodation needs in general (including availability of Committee materials in alternative formats) may be directed to the Committee as noted above. <F-dash> Chairman MCCRERY. The hearing will come to order. Good morning, and welcome to our fourth in a series of hearings on high risk issues related to Social Security numbers (SSNs). Today, we will examine the expanding uses of the SSN and options to prevent fraud involving SSN cards, and in the interests of time, because we are going to have votes coming up pretty soon, I am going to submit the rest of my opening statement in writing for the record, and I would yield to my colleague, the Ranking Member, Mr. Levin. [The prepared statement of Chairman McCrery follows:] Opening Statement of The Honorable Jim McCrery, Chairman, and a Representative in Congress from the State of Louisiana Good morning and welcome to our fourth in a series of hearings on high-risk issues related to Social Security numbers, or SSNs. Today, we'll examine the expanding uses of the SSN and options to prevent fraud involving SSN cards. Much of our discussion at this hearing will focus on the use of the SSN and SSN card in employment. Current law requires employers to verify the identity and employment eligibility of new hires. Employers may accept an SSN card as one of several documents that a person may present as proof of employment eligibility, if the card does not bear either of two legends: ``Not Valid for Employment'' or ``Valid for Work Only with DHS Authorization.'' After examining a new hire's documents; the employer must accept them, if the documents reasonably appear to be genuine and belong to the worker. If an employee uses an SSN card to prove work authorization, he or she must provide another document to prove his or her identity, such as a driver's license. To simplify the process for employers and prevent unauthorized work, some legislators have proposed making the SSN card the single, counterfeit and tamper-resistant document employers would be required to see, replacing all the others. The SSN card would be modified to contain proof of identity. Employers would use it to access a government database to verify employment eligibility. Such a change would greatly expand the role of the SSN card in work authorization, and it raises a number of essential questions that I hope we will address today. First, how confident can we be that a particular SSN was issued based on accurate information? The answer, as we have learned from previous hearings, depends on when the SSN card was issued. It wasn't until 1978 that all SSN applicants were required to provide proof of their identity, age, and citizen or non-citizen status. Before 2002, the Social Security Administration did not consistently verify birth certificates or immigration documents with the issuing agency. Adding new security features to the SSN card today will not assure the accuracy of the data originally used to issue an SSN. To raise the level of accuracy, all SSN cardholders in the workforce would have to apply for new cards and provide full documentation of their identity, citizen or non-citizen status, and age. What would this cost? What impact would this have on the Social Security Administration? Second, what are the options for designing a counterfeit and tamper-resistant SSN card? As required by the Intelligence Reform and Terrorism Prevention Act of 2004, the Social Security Administration is working with the Department of Homeland Security to improve the security of SSNs and SSN cards and implement such improvements by June 2006. It is important to establish the range of options for a counterfeit and tamper-resistant card, the costs of the options, whether the options will work, as well as non-SSN card options to verify identity and work authorization. Third, what are the ramifications of transforming the SSN card into an identity card? Currently, the SSN card serves only to show that an SSN was assigned to the individual named on the card. It does not contain features to prove that the cardholder is the individual named on the card. Changing the SSN card into an ID could encourage its use for other purposes, given the widespread use of the SSN itself in many personal and financial transactions. Adding identification features to the SSN card could duplicate efforts already underway to provide secure identity documentation--such as improved driver's licenses and State- issued ID cards called for under the REAL ID Act. Finally, we must be mindful to examine these issues in a greater context. For example, if employers are ultimately required to verify SSNs and employment eligibility through a government database (as required under some proposals), then employers may only need proof of the worker's identity. The database could confirm the person's SSN and employment eligibility without the need for an enhanced SSN card. I look forward to hearing the testimony and recommendations of our witnesses and welcome the views of my colleagues on these complex issues. I believe that it is our responsibility as legislators to work for a balanced, thoughtful approach--one that will deter unauthorized employment without placing undue burdens on businesses, while protecting the privacy of our fellow Americans. <F-dash> Mr. LEVIN. I will do likewise, so we can hear your testimony and have an hour to think about it. [Laughter.] Mr. LEVIN. Thank you. [The prepared statement of Mr. Levin follows:] Opening Statement of The Honorable Sander M. Levin, a Representative in Congress from the State of Michigan Today our Subcommittee has the opportunity to examine two issues-- our ongoing, non-controversial effort to ensure that Social Security cards are not counterfeited, and the more controversial debate about whether it is appropriate to make the Social Security card into a national identification card. These are issues squarely within the jurisdiction of the Ways & Means Committee. I am pleased that the Chairman has provided this opportunity for us to discuss them and to learn more about the proposals and the issues from our colleagues and a panel of experts. As the Committee of jurisdiction, it is also our responsibility to oversee the efforts already underway. As required by the Intelligence Reform and Terrorism Prevention Act of 2004, the Social Security Administration and the Department of Homeland Security are currently identifying options for making Social Security cards more secure, with the goal of implementing improvements by this June. Each option imposes certain costs, both in dollars and in loss of personal privacy, so it is important for our Committee to weigh the costs and benefits and to keep in close touch with the agencies involved. I look forward to a frank and thoughtful discussion of these complex issues. <F-dash> Chairman MCCRERY. Thank you, Mr. Levin. We are also going to reverse the order of the panels this morning so that we can allow these gentlemen to get their testimony in and perhaps go through a few questions before votes are called, and then, the first panel, which consists of two of our colleagues, we will retrieve as we can and then finish the hearing, but that way, we will not have you all sitting around on your thumbs all morning. With that, I would introduce our first panel this morning: the Honorable Patrick O'Carroll, Inspector General, Social Security Administration (SSA), and he is accompanied this morning by Richard Outland, Branch Chief, Questioned Document Branch, Forensic Services Division, U.S. Secret Service; and Mr. Frederick G. Streckewald, Assistant Deputy Commissioner, Disability Income Security Programs, the SSA; welcome back, both of you gentlemen; Stephen Kent, Chairman, Committee on Authentication Technologies and their Privacy Implications, National Research Council, the National Academies; and Marc Rotenberg, President, Electronic Privacy Information Center. Welcome, all of you gentlemen, and we will begin with Mr. O'Carroll. STATEMENT OF THE HONORABLE PATRICK O'CARROLL, INSPECTOR GENERAL, SOCIAL SECURITY ADMINISTRATION, ACCOMPANIED BY RICHARD OUTLAND, BRANCH CHIEF, QUESTIONED DOCUMENT BRANCH, FORENSIC SERVICES DIVISION, U.S. SECRET SERVICE Mr. O'CARROLL. Good morning, Chairman McCrery, Congressman Levin. Thank you for inviting me to be here today. I would like to focus on our investigative efforts with respect to SSN misuse. With me today is Mr. Richard Outland, Assistant Chief, U.S. Secret Service, Forensic Services Division. Based on a longstanding interagency agreement, when our agents come across suspected counterfeited Social Security cards, they are referred to the Secret Service for further forensic examination. Mr. Outland is here today to answer any technical questions. No matter how carefully we protect the SSN, there will be those who find a way to turn the number to nefarious purposes, and when they do, our special agents will be there. Our statutory mission is to protect the SSA's programs and operations from fraud, and abuse. At the core of that mission is the protection of the Social Security Trust Funds that provide benefits to millions of Americans every month. To that end, 79 percent of our cases we investigated last year were for program fraud. Still, we are ever mindful of our obligation to protect the SSN from misuse. In fact, 16 percent of our investigations involved SSN misuse. To maximize our resources, we focus our overall SSN misuse energies in cooperative efforts with other Federal, State, and local task forces. At last count, we were involved in almost 200 task forces and work groups across the country. For example, our agents on the Central Florida Identity Theft Task Force concluded a case last year in which they apprehended 15 members of an identity theft ring. They would obtain lists of individuals with good credit histories and use the personal information of those individuals to defraud a variety of commercial entities in the Orlando area. Twelve of the 15 individuals arrested were sentenced to prison, and all were ordered to repay more than $2 million to the victims. Our own internal caseload is no less daunting, and our solo work is equally impressive. We see allegations of SSN misuse in myriad forms every day. One such allegation from a SSA district office concerned a woman who was receiving disability benefits under two separate SSNs and insisted that she was one half of a set of identical twins. Our investigators asked her to provide a copy of her birth certificate, while unbeknownst to her, we were obtaining one directly from the State Bureau of Vital Statistics. The one we obtained showed a single birth, and the altered one she produced had the same control number and signatures but showed a twin birth. Before we confronted her with the fact that we had uncovered her forgery, she had asked her Congressman to intervene on her behalf and demanded that her nonexistent twin's benefits be reinstated. We were only too happy to share the forged birth certificate with the Congressman. We see SSN misuse cases like this every day. What we see less frequently, however, are cases involving counterfeit Social Security cards. While we take such cases very seriously and have recently disrupted several counterfeit identity operations, the reality is that the Social Security card serves as little more than a hard copy record of a number that we all memorize at an early age. While the SSN itself is necessary to obtain employment, to obtain a loan, and for countless other purposes, we rarely, if ever, are asked to show anyone our Social Security cards. The card was designed for a single purpose: to provide the holder with a number used to track earnings and pay benefits. While the uses of the number have expanded significantly over the decades, the uses of the card have remained more or less the same. There is no question that periodic security improvements to the card are necessary to stay one step ahead of tech savvy counterfeiters. As long as the use of the card remains as limited as it has been, it is difficult to justify the expense that would be incurred in creating a ``counterfeit card.'' Of course, if Congress decides to expand the uses of the Social Security card, then, those expenses might become necessary. If this is Congress' ultimate decision, we will do everything possible to work with you and the SSA to make the card as counterfeit-proof as possible. Until then, we will continue our audit and investigative efforts to combat SSN misuse and provide the SSA and Congress with timely and accurate information. Thank you, and if you have any questions, I will be happy to answer them. [The prepared statement of Mr. O'Carroll follows:] Statement of The Honorable Patrick P. O'Carroll, Inspector General, Social Security Administration; accompanied by Richard L. Outland, Assistant Branch Chief--Questioned Document Branch, Forensic Services Division, U.S. Secret Service Good morning, Chairman McCrery, Congressman Levin, and Members of the Subcommittee. This is our fourth hearing in this series on high- risk Social Security number (SSN) issues, and I applaud your efforts and dedication in giving these issues the attention they deserve. The SSN is a key to American life in many ways, and as we have seen throughout this series of hearings, its misuse has repercussions that cause a ripple effect across the American landscape. Much of my testimony in the first three hearings has centered on largely administrative issues. At the first hearing, we discussed enumeration, the process by which the Social Security Administration (SSA) issues SSNs; at the second hearing, we discussed SSN misuse in the context of misreported wages, particularly by foreign-born workers without authorization to work in the United States; and, at the third hearing earlier this month, we discussed enumeration of foreign-born individuals and the payment of benefits to those born or residing abroad. Today, I would like to discuss our investigative efforts to combat SSN misuse in all forms. Our Office of Investigations (OI) is dedicated to preventing and detecting fraud against SSA's programs and operations, and SSN misuse is an important facet of that overall investigative effort. Obviously, with finite resources, and with many areas of responsibility, including program fraud, employee fraud, contract fraud, and others, we are mindful that our primary responsibility is to protect the Trust Funds that provide benefits to millions of Americans every month. At the same time, our responsibility to protect the integrity of the SSN cannot be overstated. We strive continuously to strike an appropriate balance. To give you some sense of how we strike that balance, consider that in Fiscal Year (FY) 2005, the Office of the Inspector General (OIG) received about 85,000 allegations of fraud, 84 percent of which involved fraud against a Social Security program, such as disability insurance benefits. Approximately 13 percent--almost 11,000 allegations--involved SSN misuse. It is important to understand that these SSN misuse allegations are limited to incidents of SSN misuse involving a Social Security program or otherwise directly related to the administration of the Social Security Act. Allegations of pure identity theft, financial fraud, and other non-SSA-related crimes are referred to appropriate sources, and are not included in this total. Looking at actual investigations conducted during FY 2005, OI opened approximately 9,500 cases, of which 79 percent involved crimes against Social Security programs, while just over 16 percent involved SSN misuse. Thus, while we actually investigate a higher proportion of allegations in the SSN misuse category than in the program fraud category, we still invest more than four times more resources in program fraud than in SSN misuse. The results of an audit we will issue shortly, in which we provide an estimate of the rate of overpayments in Social Security's disability programs, underscores the importance of our emphasis on program fraud. Our statutory mission is to protect SSA programs and operations, and to the extent that an allegation of SSN misuse does not touch on those programs, our resources do not generally allow us to pursue it. We do, however, play a role in the overall government effort to protect against SSN misuse in a multijurisdictional context. Our affirmative and aggressive approach to SSN misuse of this type is designed to maximize our resources through the effective use of task forces, workgroups, and other cooperative efforts. At this time, our investigators across the country are members of almost 200 task forces and workgroups in all ten of our field divisions. These groups, comprised of Federal, State, and local law enforcement agencies, pool resources and, when permitted, share information to accomplish more than each member could ever accomplish on its own. The groups range from Joint Terrorism Task Forces run by United States Attorneys, to white collar crime groups, to financial fraud workgroups. The work done by these groups is astounding. For example, our agents on the Central Florida Identity Theft task force, a group comprised of ten law enforcement agencies, concluded a case last year in which they apprehended fifteen members of an identity fraud ring who would obtain lists of individuals with good credit histories, and use the personal information of those individuals to defraud a variety of commercial entities in the Orlando area. Twelve of the fifteen individuals arrested were sentenced to prison terms, and the total restitution ordered to victims exceeded $2 million. In another case, our New York Field Division, working on a task force with other agencies including the U.S. Secret Service, investigated the hijacking of a deceased Social Security beneficiary's bank account. The complex investigation revealed that the subjects not only continued to receive the deceased woman's benefits--totaling some $80,000--but also used her bank account to launder counterfeit checks created with the help of a corrupt bank employee. They then went on to steal other SSNs and identities and open additional accounts, which they would use both to create additional fraudulent checks and to launder them. In all, they cashed about $300,000 in bad checks and opened credit card accounts from which they stole another $100,000. Since cases like this represent an opportunity to achieve a significant return with only minimal investment of resources--our agent in this ten-agency task force still maintains a ``normal'' caseload--we can afford to contribute substantially to the overall effort to stop SSNs being used as instruments of a crime. If each of the 200 task forces in which we participate makes only a few cases like this each year, we are able to have a far greater effect than we could ever have working alone. However, our day-to-day program-related SSN misuse caseload is no less daunting, and our solo work is equally impressive. We see allegations of SSN misuse in its myriad forms come in every day by phone, fax, e-mail, and in electronic referrals from SSA employees. One such referral from an SSA District Office concerned a woman who was confronted by SSA with the fact that she appeared to be receiving disability benefits under two separate SSNs. Each set of benefits was going to the same name, the same address, and for the same disability, but under two different SSNs. The woman informed SSA, and subsequently our investigators, that she had a twin sister. Despite the fact that both sets of benefits were going to the same address, the woman alleged that she and her identical twin were estranged and did not speak. Our investigators obtained a copy of the woman's birth certificate from the state vital records office. It showed that hers had been a single birth, not a twin birth. Additional investigation uncovered no other evidence that a twin had ever existed. Our investigators asked the woman to provide a copy of her birth certificate, and she eventually provided the same document we had obtained from the state without her knowledge. It had the same control number and the same signatures, but the altered copy she provided showed a twin birth. We recontacted the vital statistics office and confirmed that no official change had been made since we'd obtained our copy. The woman, unaware that we had her original birth certificate, continued to demand that her duplicate benefits be reinstated, even going so far as to write to her Congressman to demand that he intercede on her behalf. We showed the Congressman the two versions of the birth certificate, and that ended the woman's ill-conceived mission. In another case, our investigation revealed that a woman had been working full-time since 1978 under one SSN and receiving Title XVI disability payments since 1973 under a second SSN. From 1978 until 2001, she worked full-time for various healthcare agencies while certifying each year to SSA that she was not working. In 2001, the woman applied for Title II disability benefits under the first SSN, based on her extensive work history. A Title XVI claims representative recognized the woman during her appointment to apply for Title II benefits, and referred the case to OIG. She later admitted to OIG agents that she had been working for 23 years while receiving Title XVI payments. She eventually pled guilty to theft of government funds and making false statements, and was sentenced in May 2005 to 6 months' incarceration in federal prison, 6 months' home detention with an electronic monitoring device, and 5 years' probation, and was ordered to pay full restitution of $166,767. While SSN misuse cases like these are made by our investigators every day, we encounter cases involving counterfeit Social Security cards much less frequently. The practical reality is that most of us were issued our Social Security cards not long after we were born, and we long ago committed our SSNs to memory. But the cards themselves were probably placed in a drawer or box many years ago, and have rarely been seen or used since. Almost every entity imaginable, from government, to medical facilities and insurance carriers, to creditors, to employers and beyond may and often do ask for SSNs; but rarely, if ever, do they ask to see the card itself. Our work reviewing SSA's automated employee verification services, such as the Social Security Number Verification Service (SSNVS), further underscores this reality. Employers seeking to confirm the SSN of a current or prospective employee need only take advantage of this service to go online and match the employee's name, SSN, date of birth, and gender against SSA's records--all without ever laying eyes on an actual Social Security card. Of course, for verification services such as SSNVS to be truly effective, we must be confident that the information in SSA's databases is as accurate as possible, and our prior audit work has revealed that this may not always be the case. Nevertheless, SSNVS and other verification services even further minimize the need to carry or present the card. Indeed, today, the card is little more than a ``hard copy'' of a number that is already contained in various databases throughout society and government. This is consistent with the purpose for which the card was created 70 years ago, and while there should always be security enhancements made to stay one step ahead of tech-savvy counterfeiters, it would be hard to justify the expense involved in replacing all Social Security cards with ``hard'' cards as long as their utility remains as limited as it is. From time to time, there is talk of expanding the card's use beyond its current functions, and obviously, this issue is one for Congress to debate. If a decision is made to transform the Social Security card into something more than it is, significant improvements may then have to made in the document. Moreover, it could create a significant new workload for SSA--one that might fall outside of the Agency's current and historical function, or even further heighten the tension between service and integrity. Whatever Congress may determine is an appropriate role for the Social Security card to play, our office is happy to provide whatever audit and investigative work might prove helpful. In the interim, we will continue our tireless efforts to prevent and detect misuse of the Social Security number as well as the Social Security card itself. <F-dash> Chairman MCCRERY. Thank you, Mr. O'Carroll. Mr. Streckewald. STATEMENT OF FREDERICK G. STRECKEWALD, ASSISTANT DEPUTY COMMISSIONER FOR PROGRAM POLICY, OFFICE OF DISABILITY AND INCOME SECURITY PROGRAMS, SOCIAL SECURITY ADMINISTRATION Mr. STRECKEWALD. Thank you, Mr. Chairman, Mr. Levin. Thank you for inviting me here today to discuss the SSA's enumeration process. This is the process used to assign a SSN to an individual. This series of Subcommittee hearings highlights the importance of this core agency function. I will summarize my written statement and will ask that it be included for the record. The Social Security card was never intended and does not serve as a personal identification document; that is, the card does not establish that the person presenting it is actually the person whose name and SSN appear on the card. Although the SSA has made many changes to make it counterfeit-resistant, the card does not contain information that would allow the card to be used as proof of identity. Beginning in 1983, the Social Security Act (P.L. 74-271) required that SSN cards be made of banknote paper and to the maximum extent practicable, be a card that cannot be counterfeited. The SSA worked with the Bureau of Engraving and Printing, the Secret Service, and the Federal Bureau of Investigation to design a card that met these requirements. All Social Security cards issued since October 1983 incorporate a number of security features intended to make the card counterfeit-resistant and tamper-proof. Some of these features include but are not limited to a tamper-proof, marbleized background, intaglio printing in some areas of the printing in the card, and colored planchets, which are small disks, randomly displayed on the card. Obviously, some security features have not been made public; other features--some features have been made public; others have not in order to protect the security of the card. As required by the Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA) (P.L. 108-458), the SSA, in consultation with the U.S. Department of Homeland Security (DHS), formed a task force to establish requirements that will further improve the security of SSNs and cards. The task force is considering a wide range of security features that would strengthen the Social Security card, and we will develop a plan for implementing the task force recommendations. Last year, we estimated that a card with enhanced security features, such as biometric identifiers, would cost approximately $25 per card, not including the startup investments associated with the purchase of equipment needed to produce and issue this type of card. While any estimate would ultimately depend upon the details of the proposal, last year's estimate of replacing cards for 240 million cardholders nationwide was approximately $9.5 billion. Currently, however, we know the cost of issuing an SSN card has increased by approximately $3 due to new requirements for additional verification of evidence. So, we anticipate an increase in the total cost estimate when we update our figures to reflect current dollar costs. It is important to note that just as a SSN card does establish identity, neither does it always reflect the individual's current authorization status. The SSN card only reflects an individual's work authorization status at the time the card was issued. It is a snapshot in time. An individual's work authorization status may change over the years, and DHS has sole jurisdiction over the work authorization for noncitizens. Over the years, the SSA has made continued enhancements to the Social Security card. Due to the substantial cost of replacing all cards in use, older versions of the card remain valid. Thus, there are about 50 different variations of the SSN card in use that have been issued since 1936. In addition to the changes the SSA made after September 11, which I have outlined in previous hearings before the Subcommittee, the IRTPA contains several additional provisions to strengthen the integrity of our enumeration process. Two key provisions include the implementation of limits on the number of replacement cards an individual can receive, three per year and ten per lifetime. With limited exceptions and the addition of death and fraud indicators to SSN verification routines for employers, State agencies issuing drivers' licenses and identity cards and other verification routines as determined to be appropriate. The SSA implemented the restrictions on replacement SSN cards effective December 17, 2005, as required by the IRTPA law. In addition, we place death indicators on our SSN verification services with the Department of Motor Vehicles and employers on March 6, 2006, also ahead of time, required by the law. We continue to work to ensure that fraud indicators will be addressed, added to the SSN verification by December 2007, which is the legislatively mandated date. In conclusion, we must remember that with all of the improvements in the assignment of SSNs, the Social Security card is still just a record of the SSN assigned to the individual, and it is not an identity document. I look forward to working with you to continue to improve the SSA's processes, and I will be happy to answer any questions you might have. [The prepared statement of Mr. Streckewald follows:] Statement of Frederick G. Streckewald, Assistant Deputy Commissioner, Disability and Income Security Programs, Social Security Administration Mr. Chairman and Members of the Committee: Thank you for inviting me today to discuss the Social Security Administration's (SSA's) enumeration process. This is the process used to assign a Social Security Number (SSN) to an individual. This series of hearings the Subcommittee is holding have served to highlight the importance of this core agency function. As stewards of the Social Security program, one of our strategic objectives is to strengthen the integrity of the enumeration process. We recognize that protection of the SSN is one of the top issues facing SSA management, and I am pleased to have the opportunity to discuss SSA's enumeration process. History of the Social Security Number and Card The Social Security Number is a nine-digit number, used to identify the record of earnings an individual has in employment or self- employment. A numbering system that is based on digits allows for the orderly assignment of numbers and for the potential assignment of as many as 900 million unique SSNs excluding the 900 series reserved for the use of the Internal Revenue Service (IRS). SSA has assigned over 436 million SSNs since 1936. At the time the Social Security card was developed, its only purpose was to provide a record of the number that had been assigned to the individual so that employers could accurately report the earnings of people who worked in jobs covered under the new Social Security program. This is still the primary purpose for which SSA assigns a number and issues a card. The card was never intended and does not serve as a personal identification document--that is, the card does not establish that the person presenting it is actually the person whose name and SSN appear on the card. Although SSA has made many changes to make it counterfeit resistant, the card does not contain information that would allow the card to be used as proof of identity. Use of the SSN Expands Over Time The purpose of the SSN and card was narrowly drawn at the beginning of the program. However, the use of the SSN as a convenient means of identifying records in large systems of records increased over the years. In 1943, Executive Order 9397 required Federal agencies to use the SSN in any new record system maintained on individuals. Using the SSN as an identifier in federal record systems proved to be an early reflection of what has become an enduring trend expanding the uses of the SSN. The simplicity and efficiency of using a seemingly unique number that most people already possessed encouraged widespread use of the SSN by both government agencies and private enterprises. As record-keeping and business systems moved to automated data processing, the characteristics of the SSN made it a popular choice for record identification. In 1961, the Federal Civil Service Commission established a numerical identification system for all Federal employees using the SSN as the identification number. The next year, the IRS decided to begin using the SSN as its taxpayer identification number (TIN) for individuals. In 1967, the Defense Department adopted the SSN as the service number for military personnel. At the same time, use of the SSN for computer and other accounting systems spread throughout State and local governments and to the private sector, especially to banks, credit bureaus, hospitals, and educational institutions. There were no legislative restrictions on the use of the SSN at that time. Statutory Provision Relating to the Public Sector The first explicit statutory authority to issue SSNs was enacted in 1972. Prior to that time, SSNs were issued pursuant to administrative procedures that the Agency had established. Subsequent Congresses have enacted legislation requiring individuals to have an SSN in order to receive Supplemental Security Income (SSI), Temporary Assistance for Needy Families (TANF), Medicaid, and food stamps. Additional legislation authorized States to use the SSN in the administration of tax, general public assistance, driver's license, and motor vehicle registration laws. Partly in response to concerns about the proliferation of the use of the SSN, Congress enacted the Privacy Act of 1974. It provided that, except when disclosure is required by Federal statute or by state or local statute or regulation adopted prior to January 1975, no Federal, State, or local government could withhold a right, privilege or benefit from a person simply because the person refused to furnish his or her SSN. In the 1980s and 1990s, new legislation authorized additional governmental uses of the SSN, including income and eligibility verification, military draft registration, and for operators of stores that redeem food stamps. Legislation was also enacted that required taxpayers to provide the SSNs of dependents on tax returns. A further expansion of the government's use of the SSN was included in welfare reform legislation enacted in 1996. In order to improve child support enforcement, Congress required the SSN to be recorded in a broad array of records, including applications for professional licenses and marriage licenses, and placed in the record of divorce decrees, support orders, and paternity determinations. Use of the SSN by the Private Sector Generally, there are no restrictions in Federal law on the use of the SSN by the private sector. Businesses may ask for a customer's SSN for such things as renting a video, applying for credit cards, obtaining medical services, and applying for public utilities. Customers may refuse to provide their number; however, a business may, in turn, decline to furnish the product or service. Continuing advances in computer technology, the ready availability of computerized data, and rapidly increasing use of the internet have encouraged the growth of information brokers who amass and sell large volumes of personal information, including SSNs collected by businesses. When possible, information brokers store and retrieve information about an individual by that individual's SSN because the SSN provides an easy method of maintaining computerized records and can be used to compare those records with other business systems which may also use the SSN as a file identifier. Contemporary Challenges Regarding the Use of the SSN The use of the SSN has become widespread in our society. The cumulative effect has been that the SSN has become the most widely used identifier by both government and the private sector in establishing and maintaining information about a given individual in various public as well as private record systems. An unintended consequence is that the SSN has also become a tool used by those intent on stealing another person's identity or creating a false identity. We are very concerned about the misuse of the SSN, and we work closely with SSA's Inspector General, the Federal Trade Commission and the Department of Justice to help deter identity theft and assist in the apprehension and conviction of those who engage in this crime. Assignment of the SSN The Number Prior to 1972, SSNs and cards were issued in our local field offices. Since 1972, SSNs have been issued centrally. Generally, to obtain an SSN, individuals must apply for an SSN by filing a signed Form SS-5 ``Application for a Social Security Card'' and by submitting the required evidence. Currently, all applicants for an original number and card must submit evidence of age, identity, and United States citizenship or alien status to a Social Security field office (FO). FO personnel assist with the completion of the SS-5 application. Applicants for replacement Social Security cards must submit evidence of identity, and foreign born applicants must also provide evidence of their immigration status. The SS-5 application includes information about the applicant's name, mailing address, citizenship, sex, race/ethnic description (optional), date and place of birth, mother's maiden name and SSN, and father's name and SSN. However, a parent's SSN is only required for applicants for an original SSN who are under age 18. While the information required on the SS-5 application has remained essentially the same over the years, the law and enumeration process have changed to ensure that SSA assigns SSNs only to eligible individuals. To strengthen the process, SSA has instituted additional safeguards to prevent a person from fraudulently obtaining an SSN. For example: <bullet> SSA verifies immigration status with DHS before assigning an SSN to a non-citizen. <bullet> SSA requires a mandatory in-office interview with all applicants age 12 or older since the majority of individuals born in the U.S. have been assigned an SSN by the time they reached age 12. <bullet> As a result of Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA), Public Law (P.L.)108-458, SSA implemented policy changes effective December 17, 2005 that restrict the issuance of replacement SSN cards to no more than three per year and no more than ten per lifetime; establish minimum verification standards for documents submitted in support of an application for an SSN; and require independent verification of birth records of individuals of all ages applying for an original SSN card. <bullet> Effective November 2005, we added systems edits to our Enumeration at Birth (EAB) program so that children who have not yet been given a first name in the hospital are not assigned a Social Security Number until the parent submits documentation of the child's name. SSA has also implemented additional safeguards designed to prevent the assignment of multiple SSNs to the same child. I would also like to highlight some earlier changes that SSA implemented over the years to strengthen the enumeration process. At the inception of the program, all SSNs were assigned and cards issued based solely on information provided by the applicant. Evidence of identity was not required. Over time, as the use of the number was expanded for other purposes, SSA recognized that changes were necessary to protect the integrity of the card and enumeration process. Beginning in November 1971, persons age 55 and over applying for an SSN for the first time were required to submit evidence of identity. As of April 1974, non-citizens were required to submit documentary evidence of age, identity and immigration status. This made it more difficult to obtain a card on the basis of a false identity. SSA was also concerned that individuals who had been assigned SSNs for purposes other than work might use the card to obtain unauthorized employment. Therefore, in July 1974, we began to annotate our records to reflect the fact that a non-citizen had been issued an SSN for nonwork purposes. Several years later, the integrity of the SSN was further improved. In May 1978, we began requiring all SSN applicants to provide evidence of age, identity and United States citizenship or non-citizen status. Enumeration at Birth Process (EAB) Because of increased demand for SSNs for children at earlier ages due to tax and banking requirements, SSA developed the EAB process in 1987. SSA recognized that all the information needed to process an SSN application for a newborn was gathered by hospital employees at the child's birth and verified with the respective bureaus of vital statistics. Nearly three-quarters of all requests for an original SSN are now completed through this process. This program is available in the fifty states, the District of Columbia, and Puerto Rico, and allows parents to indicate on the birth certificate form whether they want an SSN assigned to their newborn child. When a parent requests an SSN for a child, the State vital statistics office receives the request with the birth registration data from the hospital and then forwards this information to SSA. Under these procedures, the parent is not required to file a separate application for an SSN for the child. Based on the information the State forwards to SSA, we assign an SSN and issue a card for the child. It is important to note that EAB is a voluntary program on the part of the hospitals and the States and other jurisdictions. No law requires state or hospital participation. The program is administered under the provisions of a contract between each state and SSA. SSA reimburses the states for participation on a per item basis (currently $2.04 for each birth record). EAB is a far more secure way to enumerate newborns. In addition, the program provides significant savings to the Federal government and a convenient service option for the public. Enumeration at Entry (EAE) To reduce fraud and improve government efficiency, SSA inaugurated our Enumeration-at-Entry process in October 2002. Under this process, SSA has entered into agreements with DHS and the Department of State (DOS) for those agencies to assist SSA in enumerating aliens. To assist SSA, DOS collects enumeration data as part of the immigration process. When the immigrant enters the United States, DHS notifies SSA and the card is issued. Social Security Cards In the beginning of the Social Security program, no special efforts were needed to prevent the Social Security card from being counterfeited. However, as the card's use expanded and technology improved, counterfeiting became a concern. Beginning in 1983, the Social Security Act required that SSN cards be made of banknote paper, and to the maximum extent practicable be a card that cannot be counterfeited. SSA worked with the Bureau of Engraving and Printing, the Secret Service, and the Federal Bureau of Investigation to design a card that met these requirements. All Social Security cards issued since October 1983 incorporate a number of security features intended to make the card counterfeit- resistant and tamper-proof. Some of these features include, but are not limited to, a tamper-proof marbleized background; Intaglio printing in some areas of the card; and colored planchettes (small discs) randomly displayed on the card. Obviously, while some security features have been made public, other features have not in order to protect the security of the card. The immigration and welfare reform legislation passed in 1996 required SSA to develop a prototype of a new card as well as study and report on different methods for improving the Social Security card process. In 1997, SSA issued a report to Congress on ``Options for Enhancing the Social Security Card,'' and earlier this year provided the Subcommittee with an update on some of the findings in the report. As you are aware, the expertise of counterfeiters and the wide availability of state-of-the-art technology make it increasingly difficult to develop and maintain a document that cannot be counterfeited, despite best efforts to guard against such incidents. Therefore, SSA continues to evaluate new technology as it becomes available to determine if additional features should be included. As required by P.L. 108-458, SSA, in consultation with DHS, has formed a taskforce to establish requirements that will further improve the security of Social Security numbers and cards. Since current law requires the card to be printed on banknote paper, the taskforce is limited to consideration of improvements to this type of card. The taskforce includes representation from DHS and several other agencies, including the Federal Bureau of Investigation, Department of State and the Government Printing Office. The taskforce is considering a wide range of security features that would strengthen the Social Security card, and we will develop a plan for implementing the taskforce recommendations. The cost of replacing the current SSN card with a new version that includes enhanced security features would depend upon features to be included, e.g. biometric identifiers, and the universe of card-holders needing a new card. The cost of the card itself is minimal. The cost is driven by the cost of verifying the identity of the person applying for the card and, in the case of aliens, determining the immigration status and work authorization. Last year, we estimated a card with enhanced security features such as biometric identifiers would cost approximately $25.00 per card, not including the start-up investments associated with the purchase of equipment needed to produce and issue this type of card. While any estimate would ultimately depend on the details of the proposal, last year's estimate for replacing cards for 240 million cardholders nationwide was approximately $9.5 billion. Currently however we know that the cost of issuing SSN cards has increased by approximately $3.00, due to new requirements for additional verification of evidence, so we anticipate an increase in the total cost estimate when we update our figures to reflect current dollar costs. Legends on the SSN Cards I would now like to discuss the relationship between the Social Security card and work authorization. The Immigration Reform and Control Act of 1986 (IRCA) makes it illegal for an employer to knowingly hire anyone not legally permitted to work in the United States. Under IRCA, all employers are required to verify the identity and employment eligibility of all new employees regardless of citizenship or national origin. There are a number of documents specified in the law and DHS regulations which may be used for this purpose. Some documents, such as a United States passport, establish both employment eligibility and identity. Others, including a Social Security card without a restrictive legend, can be used to establish employment eligibility but do not establish identity and must be accompanied by an identification document, such as a State driver's license. It is important to note that, just as the Social Security number or card does not establish identity, neither does it always reflect an individual's current work authorization status. The SSN card only reflects an individual's work authorization status at the time the card was issued--it is a snapshot in time. An individual's work authorization status may change over the years, and the DHS has sole jurisdiction over work authorization determinations for noncitizens. The vast majority of original Social Security cards are issued to United States citizens or to non-citizens who have been permanently authorized to work in the United States. These cards show only the name and SSN of the individual. Unlike the cards issued to United States citizens or to non- citizens who have been permanently authorized to work in the United States, cards issued to non-citizens who are not authorized to work or who are only temporarily authorized to work bear one of two legends describing work authorization status at the time the card was issued. ``Not Valid for Employment'' Initially, SSA issued the same type of Social Security card to everyone, whether or not the individuals were authorized to work. In 1974, SSA began assigning SSNs for nonwork purposes, but the card was not specifically annotated. Beginning in May 1982, SSA started issuing cards printed with the legend ``Not Valid for Employment'' to non- citizens who are not authorized to work. This was due to the increasing need for individuals to have SSNs for nonwork purposes and concerns that such individuals might otherwise use their SSNs for work. With this restrictive legend appearing on a card, employers were able, for the first time, to determine whether the individual to whom the card was issued was authorized to work. Of course, an employer could not rely solely on the card to establish that the person presenting the card was the person to whom the SSN was assigned. Cards containing this legend are often referred to as ``nonwork SSNs.'' In October 2003, SSA significantly tightened the rules concerning issuance of nonwork SSNs. SSA only issues such an SSN when 1)a Federal statute or regulation requires an SSN to receive a particular benefit or service, which an alien has otherwise established entitlement; or 2) a State or local law requires an SSN to get public assistance benefits, to which the alien has otherwise established entitlement and for which all other requirements have been met. ``Valid for Work Only with DHS Authorization'' Beginning in September 1992, SSA began issuing cards with the legend ``Valid for Work Only with INS Authorization'' to noncitizens lawfully in the United States with temporary authorization to work. This legend has been changed to ``Valid for Work Only with DHS Authorization'' to reflect the change from ``INS'' to ``DHS''. In these cases, employers must look at the non-citizen's DHS documents to determine if the individual has current work authorization. In addition a participating employer may use the DHS employment eligibility verification service, known as the Basic Pilot, to confirm employment eligibility for newly hired employees, which includes verification with SSA records and for noncitizens, with DHS records. In Fiscal Year (FY) 2005, SSA issued approximately 5.4 million original cards. Of these, 4.3 million were issued to United States citizens. Approximately 1.1 million cards were issued to non-citizens with temporary or permanent work authorization. Over the years SSA has made continual enhancements to the Social Security card. Because of the substantial cost of replacing all cards in use, older versions of the card remain valid. Thus, there are about 50 different variations of the SSN card that have been issued since 1936. NonWork SSNs SSA also issues cards to aliens legally in the United States but who are not authorized to work by DHS. Last year SSA issued fewer than 15,000 of this type of non-work card. Each year as required by Section 414 of the Illegal Immigration Reform Act of 1996, P.L. 104-208, SSA reports to Congress the number of SSNs assigned to aliens who were not authorized to work in the United States when the card was issued for whom we receive Form W-2s. The most recent report stated that earnings were credited to 555,227 SSNs assigned to non-citizens who did not have authority to work in the United States at the time the SSN was assigned. It is important to note that since the work authorization status of a non-citizen may change, an earnings report under a nonwork SSN does not necessarily mean that unauthorized work was performed. Additional Efforts to Strengthen the Enumeration Process SSA has taken a number of steps to further strengthen the processes associated with assigning SSNs. You will recall that SSA formed a high- level response team to develop recommendations on enumeration policy and procedure in the aftermath of the terrorist attacks of September 11, 2001. As previously reported to this Subcommittee, implementation of many of the team's recommendations has strengthened our capability to prevent those with criminal intent from obtaining and using SSNs and SSN cards. As mentioned earlier in my testimony, beginning June 1, 2002, SSA began verifying birth records with the issuing agency for all United States born SSN applicants age one or older. In addition, beginning in July 2002, SSA began verifying the authenticity of all immigration status with DHS before assigning SSNs to non-citizens. We also continue to look for additional ways to make the enumeration process more efficient and secure. In November 2002, SSA piloted a Social Security Card Center in Brooklyn, New York. The Card Center represents a joint effort by SSA, SSA's Office of the Inspector General (OIG) and Department of Homeland Security (DHS). The collaboration of these parties is intended to strengthen SSN application procedures, and to ensure that applications are processed with a high degree of integrity, efficiency and expertise. In April 2005, SSA established another Social Security Card Center in Las Vegas, Nevada. The Las Vegas Social Security Card Center is dedicated exclusively to helping Las Vegas Valley and southern Nevada residents apply for a new or replacement Social Security Card. SSA plans to open additional centers as resources permit over the next several years based on SSN workloads and other service delivery factors. SSN Verification Processes Many diverse organizations request SSN verifications for various purposes. SSA must consider each request to determine whether to deny or permit verification and what information, if any, may be disclosed. SSA also must consider each request to ensure that the proper safeguards are in place to protect the information being disclosed. SSA must also be reimbursed for any work not related to the administration of our programs. Of course, by law, we cannot fulfill requests for non- program purposes if doing so would impede our mission. For many years, most SSN verifications were processed in our field offices. This was a manual process which was highly labor intensive. In 1983, SSA implemented the Employee Verification Service (EVS) in order to better manage the verification workloads. Since then SSA has provided additional ways to access SSN verification routines as technology has evolved. Employers Employers are our primary requestors for SSN verifications because they must accurately report wage information for the people they employ. One of SSA's core business processes is maintaining the accuracy of earnings for all workers to ensure that they receive credit for the work on which FICA taxes were paid. Accurate earnings information is important because a worker's earnings record is the basis for computing retirement, survivors, and disability benefits. SSA has successfully provided SSN verification services to the employer community for many years. Employers can verify SSNs for their employees by telephone, by submitting paper listings or by magnetic media. To further improve our service to employers, SSA piloted an online service, known as Social Security Number Verification Service (SSNVS), in April 2002. In June 2005, SSA expanded the availability of this service to all employers. This optional, free and secure Internet service provides employers with an immediate response for a limited number of SSN verification requests or a next business day response for high volume SSN verification requests. As mentioned earlier in my testimony, employers may participate in the Basic Pilot program, an ongoing joint initiative in which SSA supports DHS in assisting participating employers in confirming employment eligibility for newly hired employees. Participating employers may use the automated system to verify SSNs and alien registration or admission numbers through verification checks of SSA and DHS databases. In 2005, through the EVS, SSNVS, and Basic Pilot programs, we estimate we provided a total of 67 million employer verifications, up from 62 million in 2004. Federal and State Agencies Many Federal, State, and local agencies request SSN verification services for numerous purposes, from issuing food stamps to tracking convicted felons. Some of the agencies receive information as a result of legislation. Some of these organizations include, but are not limited to: <bullet> The Department of Education <bullet> The Department of Justice <bullet> The Office of Child Support Enforcement <bullet> The Internal Revenue Service <bullet> The Department of Veterans Affairs <bullet> The Selective Service System <bullet> Any Federal agency which uses the SSN as a numerical identifier in their record system <bullet> Federal, State, and local agencies for validating the SSN used in administering income or health maintenance programs <bullet> Federal, State, and local agencies where SSN use is authorized under Federal statute and they are involved in programs such as Temporary Assistance for Needy Families, Food Stamps, Medicaid, and Unemployment Insurance <bullet> State Motor Vehicle Agencies <bullet> Prisons <bullet> Law enforcement fugitive felon operations <bullet> SSA OIG. SSA provides verifications to some State agencies, such as State motor vehicle licensing agencies via the American Association of Motor Vehicle Administrators (AAMVA). Third Parties Under the Privacy Act, SSA may verify or release SSNs to third parties that have obtained the written consent of the number holder, regardless of the purpose of the request. SSA has been providing such third party verifications for many years through existing verification processes. Impact of Public Law 108-458 Section 7213 of P.L. 108-458 contains several provisions to strengthen the integrity of our enumeration process. Two key provisions include the implementation of limits on the number of replacement SSN cards an individual can receive to three per year and ten per lifetime with limited exceptions and the addition of death and fraud indicators to SSN verification routines for employers, State agencies issuing driver's licenses and identity cards, and other verification routines as determined to be appropriate. As I mentioned previously, SSA implemented the restrictions on replacement SSN cards effective December 17, 2005 as required by IRTPA. In addition, although most death records were already available to employers and DMVs through our SSN verification services, we have also added the State death records that were previously restricted as authorized by IRTPA. Those additional death records were added to SSN verification routines on March 6, 2006, well before the implementation deadline set by IRTPA. We continue to work to ensure that fraud indicators will be added to the SSN verification routines by December 2007. Section 7213 of IRTPA also required SSA to establish minimum standards for verification of documents submitted in connection with an SSN. To this end, SSA established rigorous new standards for evidence of U.S. citizenship and identity submitted in connection with an application for an SSN. IRTPA also required SSA to form an interagency taskforce specifically charged with establishing security requirements, including standards for safeguarding SSN cards from counterfeiting, tampering, alteration and theft. This interagency taskforce is working to improve the security features included on the current banknote card. SSA will prepare for implementation of the taskforce recommendations by June 2006. Conclusion In conclusion, the Social Security number was originally intended as a means to provide a record of the earnings of people who worked in jobs covered under the new Social Security program. We must remember that with all the improvements in the assignment of SSNs, the Social Security card is still just a record of the SSN assigned to the individual and not an identity document. However, as we all know, the use of the SSN for other purposes has grown significantly over the years. The challenge we face is to balance SSA's commitment to assigning numbers quickly and accurately to individuals who qualify for them and need them to work, with the equally important need to maintain the integrity of the enumeration system to prevent SSN fraud and misuse. I want to thank the Chairman and members of the Subcommittee for inviting me here today, and I look forward to working with you to continue to improve SSA's processes. I will be happy to answer any questions you might have. <F-dash> Chairman MCCRERY. Thank you, Mr. Streckewald. Dr. Kent. STATEMENT OF STEPHEN T. KENT, VICE PRESIDENT AND CHIEF SCIENTIST, INFORMATION SECURITY, BBN TECHNOLOGIES; AND CHAIRMAN, COMMITTEE ON AUTHENTICATION TECHNOLOGIES AND THEIR PRIVACY IMPLICATIONS, NATIONAL RESEARCH COUNCIL, THE NATIONAL ACADEMIES Dr. KENT. Good morning, Chairman McCrery, Congressman Levin. I am Steve Kent, Vice President and Chief Scientist, for Information Security at BBN Technologies. I served as the Chair of the Committee on Authentication Technologies and their Privacy Implications for the National Research Council, the operating arm of the National Academy of Sciences. The study Committee authored two reports: ``IDs, Not That Easy, Questions About Nationwide Identity Systems,'' on which you have asked me to testify, and ``Who Goes There: Authentication Through The Lens Of Privacy.'' It is a pleasure to be here to discuss these reports with you. I will try to briefly summarize my written testimony which I submitted for the record. First, some general observations: developing identity systems is much more complex than it initially appears. Several key policy questions must first be answered, among them what problem is the system supposed to solve, and how will it try to solve the problem? How authentication will be achieved has to be looked at; who would be users of the system, who will rely on it, what types of uses will be allowed, and what legal structures protect the integrity of a system. Implicit in all these are that we are dealing with a system, not just ID cards. Success, therefore, depends not only on the card technology we use but on all of the ways the system components have to work together. The high cost of fixing or even abandoning a system makes it essential that potential ramifications are explored very thoroughly prior to making decisions about design details and deployment of a system. Let me address a few of the specific questions that you posed. There are a number of technical challenges associated with building a counterfeit resistant, long lasting, easily replaceable ID card. No method of ensuring that the person presenting the card is the proper owner can be completely reliable. A key decision for any system of this sort would be determining an acceptable threshold of false rejection and false acceptances, none of which are going to be zero in any practical technology. Second, any large scale identity system designed for a specific purpose is almost always used for other, secondary purposes. The ID may be used for verification unrelated to the original purposes. The data collected may be used in ways that have little to do with the original purpose. These unplanned uses often cause problems. For example, security and privacy protections that were designed for the original use might not align with the needs of a secondary use. Data collected for the primary use might not be appropriate in terms of quality or reliability for a secondary use. For the primary user, the existence of secondary uses can make it difficult to respond to a detected attack on the system. The range of possible reasons for the attack grows with secondary uses, making it more difficult to determine how to respond. The ID system databases hacked, for instance, was in an individual trying to get a fake ID for purchasing alcohol or someone with more nefarious purposes in mind. Third, the privacy implications of large scale identity systems are significant. A major challenge to privacy is the ability to cross-reference databases in different systems tied to an ID, even when the primary system is privacy-preserving. Another problem is that of identity theft. To lessen the impact on privacy, a number of steps can be taken, including being clear about the system's purpose, minimizing the scope and retention of collected data, and clarifying who will have access to data, and, of course, providing means for individuals to check on and correct information stored about them to rectify errors in the system. Fourth, identity establishment itself is a challenging but critical part of the process. Of particular concern is the fact that fundamental documents, foundational documents like birth certificates that are required to establish identity for other identity documents are themselves subject to fraud and forgery. Moving to digital credentials or biometrics will not change some of the basic avenues of attack against a large scale identity system. As a result, the issuing process itself will remain extremely vulnerable. The best any new system can provide is a compelling connection with some previous verification of identity, and that is usually imperfect. Finally, while our reports did not address the specific concerns you asked about with regard to modifying the SSN card to help prevent unauthorized immigrants from gaining lawful employment, the framework we presented in our study I think can be applied to this topic. It is important to note that layering a new system on top of the primary use of the SSN card would not intrinsically add to the testimony of the data that was collected for that original purpose. The data has the same quality and reliability that it had prior to the addition of the new system and the introduction of higher quality credentials in a physical sense. In conclusion, as the title of our report suggested, IDs, Not That Easy, none of the issues raised by development and deployment of large scale identity systems are simple. The questions posed in our report should be carefully and thoroughly applied, not only from a privacy perspective but from a security, usability and effectiveness perspective as well. Thank you. That concludes my comments. I will be happy to take any questions. [The prepared statement of Dr. Kent follows:] Statement of Stephen T. Kent, Ph.D., Chairman, Committee on Authentication Technologies and Their Privacy Implications, National Research Council, The National Academies Good morning, Mr. Chairman and members of the Committee. My name is Stephen Kent. I am Vice President and Chief Scientist for Information Security at BBN Technologies and served as the chair of the Committee on Authentication Technologies and Their Privacy Implications of the National Research Council. This study committee authored the two reports, IDs--Not That Easy: Questions About Nationwide Identity Systems and Who Goes There? Authentication Through the Lens of Privacy, on which you have asked me to testify. The National Research Council is the operating arm of the National Academy of Sciences, National Academy of Engineering, and the Institute of Medicine of the National Academies, chartered by Congress in 1863 to advise the government on matters of science and technology. It is a pleasure to be here to discuss these reports on large-scale identity systems. By way of background: the study committee originally planned to do only the Who Goes There? report. We decided on the IDs report about half-way through our study process after the September 11, 2001 terrorist attacks. In the wake of those attacks, numerous proposals for what identity systems could or should accomplish with respect to counterterrorism began circulating in the policy community and the media. The study committee believed that the persistence of public discussion about possible new ID systems and the expectation that other proposals would continue to be offered argued for an informed analysis and critique of the concept of a nationwide or large- scale identity system. The brief report on IDs was the result. It was intended to catalyze a broader discussion, and I am happy to be here today to continue that discussion. I will start with a brief overview of the highlights of the IDs report and then address some of the specific issues that you asked me to consider in my testimony today. Perhaps the most important message of our work on ID systems is that designing and building systems to ascertain identity is much more complex than it might appear and is indeed why we titled our IDs report ``Not That Easy.'' A primary consideration is to understand the goals of a large-scale identity system. Before any decisions can be made about whether to attempt some kind of system, the question of precisely what is being discussed and what purpose it will serve must be answered. What problem or problems is the proposed system meant to solve? The high-level policy questions that the IDs report outlines include the following: <bullet> What is the purpose of the system? What problem or problems is it attempting to address? <bullet> What is the scope of the population that would be issued an ID? Related to this, how would the identities of these individuals be authenticated? <bullet> What is the scope of the data that would be gathered about individuals in support of issuing an ID and how would it be correlated to data about them in any databases associated with the system? <bullet> Who would be the users of the system? By this we mean not only those who would be issued an ID, but the government agencies, perhaps state and local governments, or even the private sector organizations that might rely on the IDs. What entities would be allowed to use the system? Who could contribute, view, and/or edit the data in the system? <bullet> What types of use would be allowed? Who could demand an ID? Under what circumstances? What types of database queries about individuals would be permitted? Would data mining or analysis of the information collected be permitted? Who would be allowed to do such analysis? For what purposes? <bullet> Would enrollment in and/or identification by the system (even if the individual had not formally been enrolled) be mandatory or voluntary? <bullet> What legal structures protect the system's integrity as well as the ID holder's privacy and due process rights? What structures determine the government and relying parties' liability for system misuse or failure? Answers to all of these questions (and more) will have ramifications for the technological underpinnings of the system, including what levels and kinds of system security will be required. Implicit in all of these questions is the notion of a ``system'' and not merely an ``ID card.'' The fact that any identity management proposal necessarily implies a ``system'' may be one of the most important (and less discussed) aspects of many of the identity system proposals that we have seen. These systems, at the scale that they are proposed, necessarily imply the linking together of many social, legal, and technological components in complex and interdependent ways. The success or failure of such a system is dependent not just on the individual components (for example, the ID cards that are used, or the biometric readers put in place) but on the ways they work, or do not work, together. For example, are card readers located where they need to be? How well do the readers operate under various environmental and load scenarios? Who will operate the systems and how will they be trained and vetted? Do enrollment policies align with the security needs envisioned for the system? And so on. How well these interdependencies are controlled along with the mitigation of security vulnerabilities and the unintended consequences of the deployment of a system, will be critical factors in its overall effectiveness. In addition to the questions above, the committee outlined several cautions to bear in mind when considering the deployment of a large- scale identity system: <bullet> Given the costs, design challenges, and risks to security and privacy, there should be broad agreement in advance on what problem or problems the system would address. <bullet> The goals of the system should be clearly and publicly identified and agreed upon, with input sought from all stakeholders. <bullet> Care must be taken to explore completely the potential ramifications of deploying a large-scale identity system, because the costs of fixing, redesigning, or even abandoning a system after broad deployment would likely be extremely high. That is a brief overview of some of the highlights from the IDs report. The study committee urged that proponents of large-scale identity systems present a compelling case addressing the issues raised in these reports and solicit input from a broad range of stakeholder communities. The IDs report elaborates on these issues and also considers some of the technological and security challenges inherent in large-scale identity systems. Some of the issues you asked me to address in my testimony today are more specific than what I have presented here so far, and to the extent that our reports address them, I will briefly discuss them. Tamper-Proof ID Cards Cards are often suggested as a means of binding an ``identity'' within a system to an individual. The question being: if someone presents a valid card, how do you know first, that the card is valid, and second, that the card belongs to the person presenting it? To the first question, the goal of a counterfeit-resistant, long-lasting, easily-replaceable ID card presents difficult technical challenges. Magnetic stripe cards are trivially easy to counterfeit. Memory cards or smart cards are more difficult, but not impossible, to duplicate or forge. Use of cryptographic technologies and digital signatures can help, but for any technology, some degree of imperfection will exist. I have already mentioned that a key notion to keep in mind is that these systems are in fact systems--they would likely encompass databases, processes and procedures, cards, card readers, architectural requirements, security needs, and much more, not to mention the people who are a part of any technical system. Any ID card that is issued is only a component of the system. One question that must always be asked is what is the perceived threat? By threat I mean what set of adversaries do we believe we need to thwart, what are their capabilities, and what are their goals? If we cannot answer that question, we have no rational basis for deciding if any proposed system will likely be adequate, or whether it will be overkill. To the question of ensuring that the person presenting the card is the same person identified with the card, a picture on the front of the card might be some assurance, but people sometimes have a hard time matching faces to pictures. ``Two-factor authentication'' in which an individual presents a card along with additional information (such as a PIN or thumbprint--either of which could be compared to data on the card) is another possibility. Another scenario might be to have the person interact with a biometric scanner and present the card that contains reference information for the biometric in question. Both pieces of information are validated in combination against a backend server. This, however, creates a requirement for high availability and a dependence on a secure, reliable network and communications infrastructure. Also, unless the scanner is itself a secure device (and known to be so through some kind of formal evaluation process) or the scanner is closely monitored, the system may be compromised. Even then, the system will not be fool-proof. (I am informed, by the way, that the NRC is conducting a large study on biometric systems that should be released later this year) A decision on thresholds for false rejection and false acceptance rates (which is, first, a policy decision) will need to be made--and those thresholds cannot really be zero for any technology. Moreover, even the best-designed systems are subject to social engineering (there are numerous examples of personnel being tricked into issuing credentials without adequate proof of identity or authorization) and insider threat attacks--and thus one cannot rely on technological solutions alone. The entire system and implications of policy decisions at all levels must be thought through carefully. Secondary Uses One of the challenges that arises repeatedly with a large-scale identity system designed for a specific purpose (or set of purposes) is that there are almost always forces in play that push the systems to be used for things that they were not originally designed for. A familiar example of this is the state driver's license, which does not merely enable one to legally drive on public roads, but is also relied on to provide ``proof of age'' for alcohol purchases and ``proof of identity'' to board an aircraft for domestic travel in the U.S. Most systems do not explicitly guard against secondary uses, although occasionally there are legal requirements or contractual relationships that limit secondary use (such as credit card agreements.) There are at least two ways in which secondary use might happen. In some cases, the card presented may be used for additional verification purposes in contexts unrelated to the original purposes. In other instances, the data collected in support of card issuance may be used in ways that have little to do with the original purpose. Unintended uses of an identity system and its associated technologies can always have inadvertent side effects. There are numerous examples in the literature of this, and the expansion over time in use of the Social Security Number (SSN) is a well-known instance. For example, the proposed ID might become the new, de facto photo ID for individuals, potentially exposing SSNs to a very wide range of organizations at a time when states are eliminating the SSN from driver's licenses. If any new ID system is deployed, chances are that there will be uses found for it that were not originally intended. While this might seem an efficiency on the surface, in fact, such unplanned-for multiple uses may cause problems. <bullet> A particular challenge resulting from unplanned-for uses is when technology or an ID system designed for a specific security context, user population, and so on is used (intentionally or unintentionally) without a determination as to whether the original security, privacy, and usage assumptions still hold in the new context. Secondary uses are implicitly relying on whatever assurances, security models, and privacy protections the original designers and implementers were working with. These may not align with the needs of the secondary user. For example, access to a health club may require a different usability or privacy model than access to secured facilities at an airport. One size cannot fit all. <bullet> A significant context consideration is the security of the system. The original system was designed with a particular threat model in mind; this threat model may not apply to secondary uses of the system. <bullet> Another problem is that the data collected for the original purposes may not be what is needed, or at the appropriate quality or reliability levels, for the new secondary uses. <bullet> Depending on inappropriate assumptions is not a challenge just for the secondary user, but also for the primary users of the system. An ID system that is used for multiple purposes with multiple types of threats, not all of which were designed or planned for, can make it difficult to respond to a known attack on the system. This is because with secondary uses, the universe of possible motivations behind the attack is much larger, making it difficult to ascertain what is an appropriate response to an attack. If your database is hacked, was it individuals desiring a fake ID to purchase alcohol, for example, or individuals with more nefarious purposes in mind? Privacy Consequences The privacy implications of large-scale identity systems can be significant. While casual discussions of IDs or ID cards may assume simple, unique pairings of information and individuals, the reality is often more complicated. A major privacy challenge, even when a given system has been designed and is operating in a secure and privacy- sensitive fashion, is the ability to cross-reference and link information across databases in different systems. In many cases, an identity in a given system will include a common cross-reference, such as a Social Security Number, that makes it trivially easy to link it to other identities associated with other systems (presumably designed for other purposes.) In addition, questions arise as to how reliable the linking would be--some institutions may not mind if suggested linkages are only approximate (for example, a vendor attempting to do targeted marketing), whereas others demand high levels of accuracy. Identity theft is also a major concern, especially in the case of centralized databases or systems used for multiple purposes--the more useful or ``powerful'' an ID is the more tempting it is as a target. Identity theft is an individual's fraudulent claim that he or she is the person to whom the information in the system refers, allowing him or her to derive some benefit from another party who is relying on that claim. One reason for the problem is the expanded use of SSNs for purposes that were not originally intended coupled with the assumption that they are `secret' or should act as a `key.' When designing a system to lessen impacts on personal privacy, the study committee made a number of recommendations, including: <bullet> Be clear about the purposes of the system. <bullet> Minimize the scope of the data collected to that which is essential for the purpose of the ID system. <bullet> Minimize the retention interval for data collected in association with use of the card. <bullet> Clarify who will have access to the collected data. <bullet> Clarify what kinds of access to and use of the data are allowed. <bullet> Ensure that use of the system is audited to protect against illegitimate uses as well as to monitor for security threats. <bullet> Provide means for individuals to check on and correct the information stored about them. All of that said, many times there are important uses of data that are unanticipated when the data are collected. For these as for other important uses, it is a question of balancing the risks to privacy and confidentiality against the benefits of the uses, especially when the uses are for research to inform public policies or for national security. The Academies have long studied the issues here for important research uses of data. A recent study is Expanding Access to Research Data: Reconciling Risks and Opportunities from the Academies' Committee on National Statistics. For the case of national security purposes, the Computer Science and Telecommunications Board has joined with the Committee on Law and Justice and the Committee on National Statistics to launch a major study to balance the risks and benefits. The Academies would be pleased to offer more information on these and other studies that may be relevant to your inquiry or to help with further investigations of interest to you. Identity Establishment The establishment of an identity in an identity-system is another challenging but critical part of the process. There is a tangled web of government-issued identity documents used as foundational documents that allow the government and other organizations to issue other identity documents. Many of these foundational documents, used to acquire an SSN or Passport, for example, are subject to fraud and forgery themselves. Birth certificates are particularly problematic, in that they are issued by thousands of different jurisdictions across the country, making them both easy to forge and difficult to verify and thus very poor to use as an identification document from a security perspective. Moreover, no aspect of a birth certificate binds it to an individual in any strong security sense. The types of possible attacks on identity documents vary and include the following: <bullet> An individual acting as an impostor. <bullet> Forged or fraudulent documents. <bullet> Tampering with existing documents. <bullet> Compromise of confidential information (for example, in an identity system database) that is then used to create a false identity. <bullet> Modification of computerized records to support a false identity. Moving to, for example, digital credentials or biometrics will not change these basic avenues of attack and fraud. As technology and perhaps ID cards become ever more sophisticated, the issuing process will remain extremely important. All the security in the world cannot overcome deficiencies in this step--the system will only be as good as the data that goes into it. The best that any system can provide is a compelling connection with some previous verification of identity. Essentially, trust in the integrity of the system is based not so much on any single verification when an individual presents a claim of identity as it is on increasing confidence when multiple transactions happen over time and all previous transactions with that particular individual have worked out. Other Questions You asked me to comment in particular on the issue of modifying the SSN card so that it is tamper- and counterfeit-resistant as part of efforts to prevent unauthorized immigrants from gaining lawful employment in the United States. While the National Research Council's reports did not address this specific question, such an approach clearly falls within the realm of large-scale identity systems that the study committee was considering. The framework that we presented can be applied to this question. For example, once the purpose of a system is clearly articulated-- in this case the prevention of unauthorized people from gaining lawful employment in the United States--then a next question to ask is what information would accomplish the goal of ascertaining whether an individual is qualified to work in the United States? Who has that data? Who collects it? Who can access it? If a system with that sort of data were deployed, how would it be regulated? What penalties or liabilities would be associated with misuse? How could individuals correct their own data within the system? What kinds of security would be needed? What are the likely threat models for such a system? How could potential threats of identity theft (in this case ``worker- identity'') be mitigated? Who would be authorized to ask to see the ID card associated with this system? Are there other likely abuses and how could the possibility of those be mitigated? If the system is to be built on top of another existing identity system (such as the SSN)-- which poses its own very serious challenges since this basically would be an unintended, unplanned-for, not designed-for use of the SSN--then what can be assumed about the underlying data in the current system? Layering even the best current security on top of old data only gives the old data an appearance of being more trustworthy--the data has the same quality and reliability that it had prior to the security being added. Conclusion Mr. Chairman and members of the committee, our study committee wrestled with questions of identity, authentication, identification, and large identity systems for many months--not new issues, but ones that were brought into sharp focus after September 11, 2001. In the study I have described, we have attempted to lay out our thinking and analysis of these issues. As the report title, IDs--Not That Easy, suggests, none of these issues is simple, and any large-scale identity system poses numerous questions that should be carefully thought through--not only from a privacy perspective, but also from security, usability, and effectiveness perspectives. Our reports attempt to lay out some of these questions that must be addressed and to illustrate the complexities that can arise. You can find more information about these and related studies on the Web site of the Computer Science and Telecommunications Board of the National Research Council at http://www.cstb.org. Thank you. That concludes my comments. I would be happy to take any questions you may have. <F-dash> Chairman MCCRERY. Thank you, Dr. Kent. Mr. Rotenberg. STATEMENT OF MARC ROTENBERG, PRESIDENT AND EXECUTIVE DIRECTOR, ELECTRONIC PRIVACY INFORMATION CENTER Mr. ROTENBERG. Thank you, Mr. Chairman, Congressman Levin. Thank you for the opportunity to testify. My name is Marc Rotenberg. I am President of the Electronic Privacy Information Center. We are a public interest research group here in Washington. We have done a lot of work related to the SSN. I also teach privacy law at Georgetown Law Center. I would like to briefly summarize my testimony and ask that the statement be included in the record. The key points I would like to make this morning concern the history of the effort to restrict the use of the SSN precisely so that it would not form the basis for a national identity card. As you well know, when the number was first established for the purpose of accounting for the SSA contributions, the first regulation that was issued by the the SSA was to make clear that this was not a card for identification purposes. Now, the particular concern about the possible misuse of the SSN was taken up in 1973 in a very important report by the U.S. Department of Health, Education, and Welfare. This report more than 30 years ago identified the possible misuse of the SSN to link together record systems across government agencies and with private sector record systems. As a consequence of that investigation, Congress enacted in 1974 the Privacy Act (P.L. 93-579). The Privacy Act, among the various things that it did, set out clear prohibitions on the collection and use of the SSN. Although people at that point in time did not use the phrase identity theft, I think it was a very wise decision on the part of the Congress to limit the use of the SSN, because what we have seen now, 30 years later, is that the broad dissemination of the Social Security number within the United States has contributed to what is now the number one crime. The crime of identity theft is a $53 billion crime, according to a 2004 report of the U.S. Federal Trade Commission (FTC). Now, since the passage of the Privacy Act, it is obviously the case that the uses of the SSN have expanded by both government agencies and in the private sector, but I think it is important to note at the same time that the Congress and the States and the FTC have taken measures to try to limit the use of the SSN, recognizing that it does create an increased risk of identity theft. I think one of the witnesses spoke earlier about the provision that in effect took the SSN off the State driver's license so that the driver's license would not become the link to other record systems. Now, certainly, steps can be taken to enhance the Social Security card so that the likelihood of counterfeiting and tampering are diminished, and I think everyone including privacy organizations would favor those measures. The concern here on the privacy side is that the number becomes the basis for linking together different record systems; so, for example, if it becomes the basis for employment eligibility determinations, which could be made by DHS, every employee in the United States, not just immigrants to this country, would be required to present their Social Security card as a condition of establishing eligibility for employment, and I think this is something that was clearly never anticipated in the use of the number. I very much support the testimony of Dr. Kent and the work of the National Research Council. As these uses are expanded to determine citizenship, for example, or to determine employment eligibility, the increasing risks of misuse expand as well, as do the targets of opportunity and incentives for people to take advantage of the SSN and use it in ways that will cause actual harm and crime to individuals. So, our recommendation to you today, particularly in the context of a series of hearings that look at high risk issues associated with the use of the SSN, is to ensure that there are adequate security and privacy safeguards for current uses and to avoid new uses that might introduce new risks and new dangers to American consumers. There is a good reason, I believe, that people in this country in particular are very uneasy about a national identity card, and it is part of our longstanding traditional that we would not, as a general matter, expect to live in a country where the government could say in effect please present your identity and prove to us who you are. Thank you very much for the opportunity to testify this morning. [The prepared statement of Mr. Rotenberg follows:] Statement of Marc Rotenberg, President, Electronic Privacy Information Center Introduction Chairman McCrery, Ranking Member Levin, and Members of the Subcommittee, thank you for the opportunity to testify on the high-risk issues surrounding Social Security numbers. My name is Marc Rotenberg and I am Executive Director of the Electronic Privacy Information Center. EPIC is a non-partisan research organization based in Washington, D.C.\1\ Founded in 1994, EPIC has participated in leading cases involving the privacy of the Social Security Number (SSN) and has frequently testified in Congress about the need to establish privacy safeguards for the Social Security Number to prevent the misuse of personal information.\2\ Last year, I testified on H.R. 98, the Illegal Immigration Enforcement and Social Security Protection Act of 2005 and urged Members to reject the use of the SSN as a national identifier and to ensure the development of adequate privacy and security safeguard to address the growing crisis of identity theft.\3\ --------------------------------------------------------------------------- \1\ EPIC maintains an archive of information about the SSN online at http://www.epic.org/privacy/ssn/. \2\ See, e.g., Greidinger v. Davis, 988 F.2d 1344 (4th Cir. 1993) (``Since the passage of the Privacy Act, an individual's concern over his SSN's confidentiality and misuse has become significantly more compelling''); Beacon Journal v. Akron, 70 Ohio St. 3d 605 (Ohio 1994) (``the high potential for fraud and victimization caused by the unchecked release of city employee SSNs outweighs the minimal information about governmental processes gained through the release of the SSNs''); Testimony of Marc Rotenberg, Executive Director, Electronic Privacy Information Center, at a Joint Hearing on Social Security Numbers and Identity Theft, Joint Hearing Before the House Financial Services Subcommittee on Oversight and Investigations and the House Ways and Means Subcommittee on Social Security (Nov. 8, 2001) available at http://www.epic.org/privacy/ssn/testimony_11_08_2001.html; Testimony of Chris Jay Hoofnagle, Legislative Counsel, EPIC, at a Joint Hearing on Preserving the Integrity of Social Security Numbers and Preventing Their Misuse by Terrorists and Identity Thieves Before the House Ways and Means Subcommittee on Social Security and the House Judiciary Subcommittee on Immigration, Border Security, and Claims (Sept. 19, 2002) available at http://www.epic.org/privacy/ssn/ ssntestimony 9.19.02.html. \3\ Testimony of Marc Rotenberg, President, Electronic Privacy Information Center, at a Hearing on H.R. 98, the ``Illegal Immigration Enforcement and Social Security Protection Act of 2005'' before the House Judiciary Committee Subcommittee on Immigration, Border Security, and Claims (May 12, 2005) available at http://www.epic.org/privacy/ssn/ 51205.pdf. --------------------------------------------------------------------------- Social Security numbers have become a classic example of ``mission creep,'' where a program designed for a specific, limited purpose has been transformed for additional, unintended purposes, some times with disastrous results. The pervasiveness of the SSN and its use to both identify and authenticate individuals threatens privacy and financial security. Recent efforts to expand employment verification programs based upon SSN identification would turn the SSN into a national identifier, subjecting Americans to a national tracking systems and also heightening the risks of identity theft. There are additional risks associated with some of the technological features that the proponents of an ``upgraded'' Social Security card have suggested. As the New York Times reported yesterday, RFID chips that are being added to identity cards including the U.S. passport, are apparently subject to computer viruses and other forms of attack.\4\ These risks associated with the expanded use of the Social Security Number and identification cards underscore the importance of the hearing today. --------------------------------------------------------------------------- \4\ John Markoff, ``Study Says Chips in ID Tags Are Vulnerable to Viruses,'' New York Times, March 15, 2005. --------------------------------------------------------------------------- History of SSN Use The Social Security Number (SSN) was created in 1936 for the purpose of administering the Social Security laws. SSNs were intended solely to track workers' contributions to the social security fund. Legislators and the public were immediately distrustful of such a tracking system, which can be used to index a vast amount of personal information and track the behavior of citizens. Public concern over the potential abuse of the SSN was so high that the first regulation issued by the new Social Security Board declared that the SSN was for the exclusive use of the Social Security system. Over time, however, legislation allowed the SSN to be used for purposes unrelated to the administration of the Social Security system. For example, in 1961 Congress authorized the Internal Revenue Service to use SSNs as taxpayer identification numbers. A major government report on privacy in 1973 outlined many of the concerns with the use and misuse of the Social Security Number that show a striking resemblance to the problems we face today. Although the term ``identify theft'' was not yet in use, Records Computers and the Rights of Citizens described the risks of a ``Standard Universal Identifier,'' how the number was promoting invasive profiling, and that many of the uses were clearly inconsistent with the original purpose of the 1936 Act. The report recommended several limitations on the use of the SSN and specifically said that legislation should be adopted ``prohibiting use of an SSN, or any number represented as an SSN for promotional or commercial purposes.'' \5\ --------------------------------------------------------------------------- \5\ ``Records, Computers, and the Rights of Citizens,'' Report of the Secretary's Advisory Committee on Automated Personal Data Systems, U.S. Department of Health, Education & Welfare 125-35 (MIT 1973). --------------------------------------------------------------------------- In enacting the landmark Privacy Act of 1974, Congress recognized the dangers of widespread use of SSNs as universal identifiers, and enacted provisions to limit the uses of the SSN. The Senate Committee report stated that the widespread use of SSNs as universal identifiers in the public and private sectors is ``one of the most serious manifestations of privacy concerns in the Nation.'' Short of prohibiting the use of the SSN outright, Section 7 of the Privacy Act provides that any agency requesting an individual to disclose his SSN must ``inform that individual whether that disclosure is mandatory or voluntary, by what statutory authority such number is solicited, and what uses will be made of it.'' This provision attempts to limit the use of the number to only those purposes where there is clear legal authority to collect the SSN. It was hoped that citizens, fully informed that the disclosure was not required by law and facing no loss of opportunity in failing to provide the SSN, would be unlikely to provide an SSN and institutions would not pursue the SSN as a form of identification. The SSN as a National ID Number Erodes Privacy Contrary to the clear intent of the Privacy Act, legislation considered this term has proposed to build the SSN and the Social Security card into a national ID. H.R. 98, for example, would create a de facto national identity card. Despite any disclaimers that the card was not to be used for identification, employers required to verify the information on the card (which would bear a photograph and a machine- readable unique identifier) would likely rely upon these ``fraud prevention measures'' as practical identification requirements. It is important to note that the SSN and its basic card are not intended to be used for authentication and identification purposes today, and yet far too many entities rely upon it for just those purposes. Adding the trappings of an identification document to it, including photographs and machine-readable technology, only reinforces the card's status as a badge of identity. Furthermore, using the SSN for employment verification would necessarily require the building of a vast database of nearly all people employed within the country, which could be easily indexed and correlated with other databases via the SSN. It is precisely this use of the SSN that the drafters of the Privacy Act sought to prevent. H.R. 98 proposed that the database be available to Homeland Security for ``any other purpose the Secretary of Homeland Security deems to be an the national security interests of the United States.'' This vague clause perfectly illustrates ``mission creep,'' and highlights the risk that a national database, based on SSNs, established for one purpose could quickly be transformed into an open-ended system of national surveillance. A mandatory, national index of all people employed within the U.S. would allow the tracking of individuals on an unprecedented scale. Each person applying for a job would be subject to a status determination by a government agency with each application. In essence, a person's life and livelihood would be determined by a database kept by the federal government--a database grounded in a flawed system of identification never intended for the purpose. Identity Theft Nor are the uses of a universal identifier limited to government uses. In fact, it is commercial enterprises that have made the SSN synonymous with an individual's identity. Despite the fact that the cards were never intended to be used for identification purposes, they are considered the ``keys to the kingdom'' for records about individual consumers. The financial services sector, for instance, has created a system of files containing personal and financial information on nearly ninety percent of the American adult population, keyed to individuals' SSNs. This information is sold and traded freely, with virtually no legal limitations. This widespread use, combined with lax verification procedures and aggressive credit marketing that lead to widespread identity theft. Credit grantors rely upon the SSN to authenticate a credit applicant's identity; many cases of identity theft occur when thieves apply using a stolen SSN and their own name. Despite the fact that the names, addresses, or telephone numbers of the thief and victim do not match, accounts are opened and credit granted using only the SSN as a means of authentication. EPIC has detailed many of these cases in other testimony.\6\ --------------------------------------------------------------------------- \6\ See, e.g., TRW, Inc. v. Andrews, 534 U.S. 19 (2001) (Credit reporting agencies issued credit reports to identity thief based on SSN match despite address, birth date, and name discrepancies); Dimezza v. First USA Bank, Inc., 103 F. Supp.2d 1296 (D. N.M. 2000) (same). See also United States v. Peyton, 353 F.3d 1080 (9th Cir. 2003) (Credit issued based solely on SSN and name, despite clear location discrepancies); Aylward v. Fleet Bank, 122 F.3d 616 (8th Cir. 1997) (same); Vazquez-Garcia v. Trans Union De P.R., Inc., 222 F. Supp.2d 150 (D. P.R. 2002) (same). --------------------------------------------------------------------------- The root of this problem is that the SSN is used not only to tell the credit issuer who the applicant is, but also to verify the applicant's identity. This would be like using the exact same series of characters as both the username and password on an email account. The fact that this practice provides little security should not be a surprise. The printing of SSNs on government-issued drivers licenses provided yet another opening for identity thieves. A thief who stole your wallet could also easily steal your identity, with name, address, diver's license number, and SSN in one easy place. Congress recognized this threat and in the Intelligence Reform and Terrorism Prevention Act of 2004, prevented the printing of SSNs on drivers licenses and other government-issued ID.\7\ --------------------------------------------------------------------------- \7\ Pub. L. No. 108-408 7211-7214, 118 Stat. 3638, 3825-3832 (2004). --------------------------------------------------------------------------- International Experiences The debate on national identification cards is not restricted to the United States. Fierce debates have erupted in other countries over the adoption of national ID cards. The problems presented by such cards in the UK, France, and many other nations are the same problems that we would face here--convenient categorization of individuals' records, to be used or abused by governments or those who obtain access to government records. The protests against the UK national ID cards are strong, and from esteemed sources such as the London School of Economics,\8\ yet they address a system that is even less problematic than one that could use the SSN as a national ID. In the UK, for example, the national ID card would be a voluntary document. And in Ireland, a proposal to establish national was recently rejected.\9\ Here in the U.S., SSNs are most frequently assigned at birth. We would be putting in place a system mandating ownership of a machine-readable photo ID, a step that other parts of the world, even those less opposed to government interference in personal affairs, seem loath to take. --------------------------------------------------------------------------- \8\ London School of Economics, The Identity Report: an assessment of the UK Identity Cards Bill and its implications (2005) at http:// is2.lse.ac.uk/IDcard/identityreport.pdf. \9\ EPIC prepares an extensive annual survey of international developments concerning privacy protection, including the debates over identity documents. See Privacy and Human Rights: An International Survey of Privacy Laws and Developments (EPIC 2004), available at http://www.privacyinternational.org/article.shtml?cmd[347]=x-347- 82586&als[theme]=Privacy%20 and%20Human%20Rights&headline=PHR2004#_Toc396491834 (``Identity systems''). --------------------------------------------------------------------------- Measures to Prevent Fraud The need to present such a card at every employment encounter, and possibly also for homeland security purposes, would also likely increase the need to carry the card on one's person, rolling back the benefits achieved by taking the SSN off of driver's licenses. The reason that the SSN can so easily be used for fraud is not that the card lacks anti-counterfeiting measures; it is the fact that the card is being used as an identifier in so many contexts that it should not be. Efforts to protect the SSN and its holders should therefore be focused upon limiting its uses and disclosures. Several states have, in recent years, established new privacy protections for SSNs. These laws demonstrate that major government and private sector entities can still operate in environments where disclosure and use of the SSN is limited. They also provide examples of protections that should be considered at the federal level. For example, Colorado, Arizona, and California all have laws that broadly restrict the disclosure and use of the SSN by both government and private actors. These laws encourage agencies and businesses to use different identifiers for their specific purposes, reducing the vulnerability that the disclosure of any one identifier may create.\10\ Arizona's law also prohibits the printing of the SSN on material mailed to Arizona residents, reducing the threat of fraud from intercepted correspondence. --------------------------------------------------------------------------- \10\ Colo. Rev. Stat 24-72.3-102; Ariz. Rev. Stat. 44-1373; Cal. Civ. Code 1798.85. --------------------------------------------------------------------------- Other states, including New York and West Virginia, have statutes that limit the use of the SSN as a student ID number.\11\ This reduces the vulnerability of students to identity theft and protecting the privacy of students whose personal information is collected in databases, and whose grades are often publicly posted, indexed by their student ID numbers.Similar laws exist in Arizona, Rhode Island, Wisconsin, and Kentucky.\12\ --------------------------------------------------------------------------- \11\ N.Y. Educ. Law 2-b; W. Va. Code Ann. 18-2-5f. \12\ Ariz. Rev. Stat. 15-1823; R.I. Gen. Laws 16-38-5.1; Wis. Stat. Ann. 36.11(35); Ky. Rev. Stat. Ann. 156.160. --------------------------------------------------------------------------- Congress and this Committee has likewise moved to protect the SSN; just this session, Chairman Shaw and many other members of this Committee introduced legislation that would have added protections on a federal level. We hope that the Committee will be able to act on these proposals this session These various proposals all tend towards limiting the uses of the SSN, in notable contrast to proposals that expand SSN uses and thus expand individuals' vulnerability. We therefore urge the Committee to regard cautiously any attempt to expand the use of the SSN beyond its already overextended purposes. Conclusion The expanded use of the Social Security Number is fueling the increase in identity theft in the United States and placing the privacy of American citizens are great risk. The widespread use of the SSN has made it too easy for government agencies, businesses, and even criminals to create detailed profiles of individuals Americans. Congress wisely sought to limit the use of the Social Security Number when it passed the Privacy Act of 1974, and the states have since established additional safeguards. While new techniques may address some of the security and privacy issues associated with the expanded use of the Social Security card, it clear that these techniques also create new privacy and security risks. We urge the Committee to consider very carefully the high-risk issues associated with the use of the Social Security Number. Every system of identification is subject to error, misuse, and exploitation. ______ Attachment Inside Risks: Real ID, Real Trouble? by Marc Rotenberg According to the report of the 9/11 Commission, all but one of the 911 1 hijackers acquired some form of U.S. identification, some by fraud. Acquisition of these forms of identification would have assisted them in boarding commercial flights, renting cars, and other activities. As a result, the Commission and some lawmakers concluded it was necessary for the federal government to set technical standards for the issuance of birth certificates and sources of identification, such as driver's licenses. The result was the Real ID Act of 2005. The new law states that beginning in 2008, ``a Federal agency may not accept, for any official purpose, a driver's license or identification card issued by a State to any person unless the State is meeting the requirements of this section.'' This means the Department of Homeland Security will issue the technical standards for the issuance of the state driver's license. The practical impact, as CNET explained, is that ``Starting three years from now, if you live or work in the United States, you'll need a federally approved ID card to travel on an airplane, open a bank account, collect Social Security payments, or take advantage of nearly any government service.'' And even some of the more conservative commentators in the U.S. have expressed concerns about ``mission creep.'' Several objections have been raised about the plan, including privacy and cost, but the most significant concern may be security. As Bruce Schneier has explained, ``The biggest risk of a national ID system is the database. Any national ID card assumes the existence of a national database . . . large databases always have errors and outdated information.'' Even if the identity documents are maintained in the states, problems are likely. One example concerns the vulnerability of the state agencies that collect the personal information used to produce the license. In 2005, the burglary of a Las Vegas Department of Motor Vehicles put thousands of driver's license holders at risk for identity theft. The information of at least 8,738 license and ID card holders was stolen, and reports of identity theft have already surfaced. Another report uncovered 10 ``license-for-bribe'' schemes in state DMVs in 2004. Not surprisingly, the administrators of the state license systems are among those most concerned about the proposal. As the director of Driver Services in Iowa said, ``It's one thing to present a document; it's another thing to accept the document as valid. Verifying digital record information is going to be difficult.'' The National Conference of State Legislatures was more emphatic, ``The Real ID Act would cause chaos and backlogs in thousands of state offices across the country, making the nation less secure.'' The National Academy of Sciences anticipated many of these challenges in 2002, stating that the U.S. should carefully consider the goals of nationwide ID system: ``The goals of a nationwide identification system should be clarified before any proposal moves forward. Proposals should be subject to strict public scrutiny and a thorough engineering review, because the social and economic costs of fixing an ID system after it is in place would be enormous.'' The problems of building reliable systems for identification are not unique to the U.S. Many countries are confronting similar questions. In Great Britain, a national debate continues about the creation of a new identity card. The government contends the card is essential for combating crime, illegal immigration, and identity theft, and can be achieved for an operating cost of 584million pounds per year. But a report from the London School of Economics challenged a number of the government positions and a subsequent report found further problems with the ID plan. The U.K. group concluded, ``ID requirements may actually make matters worse.'' The LSE report cited a recent high-profile breach: ``Even as cards are promised to be more secure, attacks become much more sophisticated. Most recently, Russian security agents arrested policemen and civilians suspected of forging Kremlin security passes that guaranteed entrance to President Vladimir Putin's offices.'' Systems of identification remain central to many forms of security But designing secure systems that do not introduce new risks is proving more difficult than many policymakers had imagined. Perhaps it's time for the proponents of expanded identification systems to adopt the cautionary line from Hippocrates: ``First, do no harm.'' ______ Marc Rotenberg (rotenberg@epic.org) is executive director of the Electronic Privacy Information Center (EPIC) and the former director of the ACM Washington Office: an expanded version of this column appears at www.epic.org. <F-dash> Chairman MCCRERY. Thank you, Mr. Rotenberg, and thank you all for providing excellent testimony and raising some good questions and considerations as we try to sort our way through sometimes conflicting national needs and the desires of our constituents and folks that are concerned about immigration, about illegal immigration, and about terrorism. We find ourselves kind of going in circles, it seems to me, as we talk about these issues. On the one hand, we all want to protect our border. We want to make sure that people are here legally and working legally, but we also recognize the dangers that Mr. Rotenberg and Dr. Kent pointed out of expanding the uses of the SSN and thereby increasing the opportunity for fraud. So, it is a complex question, and I appreciate the sunlight that you all have brought to this question. Let us assume for the moment that we could make a card that is much more foolproof than the current card, and that would be very difficult to copy. Even if we had that, let us look at the question of employment eligibility and using that in employment eligibility, because several Members of Congress have already introduced proposals that would require employers to check a government database to confirm an employee's work authorization. Some of those proposals combine that with an enhanced SSN card that could be used to access the employment eligibility verification system. How effective do you all think such a system would be in preventing unauthorized noncitizens from illegally obtaining employment? Would we get the desired result from the bucks that we expend to put that system in place? Mr. ROTENBERG. Well, one of the key issues, Mr. Chairman, in that question, and this is also addressed in the National Research Council report, concerns the quality of the underlying data. The proposal which you are referring to, which I think is H.R. 98, would try to, in effect, transform the SSN card into an identity document and enable employers to query a national database, which I believe would be maintained by DHS, to determine the eligibility of a person who is seeking employment in the United States. It is possible, certainly, to enhance the card through photographs and biometric means to make it into a quasi- identity document. I think it would raise privacy issues, but it would not resolve the question as to the accuracy of the underlying data. I think it is very easy to imagine, particularly with a lot of foreign names, that misspellings and mispronunciations could easily lead to errors in these systems. Now, that is not necessarily a reason not for doing it, but I think it does underscore the need to, as Dr. Kent said, look beyond the card and to establish this as a system problem and to understand whether or not those databases would support good decisions. Chairman MCCRERY. Let me just interject for a moment, because we ought not too easily set aside these suggestions in today's world of extremely capable technology. You have mentioned foreign names, and it is easy to get them mixed up. On a computer it is pretty specific. You have to type in exactly the right name. So, if you do that, and you send it to this database, it is not going to get confused; it is going to spit back exactly that name and whether it is authorized or not. So, I do not buy that. Do you have any other problems that you see with this system being able to correctly identify whether a person in this--I understand the underlying data may be wrong. I do not think we can ever fix that. Well, I do not think as a practical matter we can ever fix that. Assuming that the--well, never mind the underlying data; we can at least say whether the database has this person in it as authorized to work, can't we? It might be expensive, but we can do that, can we not? These gentlemen are nodding. Dr. Kent. Dr. KENT. Well, Mr. Chairman, one question that would come to mind immediately is whether everyone would be issued such a credential or only whether people who were immigrants were supposed to have such a credential. Chairman MCCRERY. That is a good question, and we will get to that. Dr. KENT. If we assume that only people who were immigrants are supposed to have it, then the burden, I would assume, on the employer is to make an initial determination of whether or not somebody applying for a job is or is not a citizen. Then the question is what existing credentials do they use for that purpose? If I have to present a birth certificate, then, we encounter all of the residual vulnerabilities associated with birth certificate forgery when people do not go to the extent that the earlier witnesses testified that you can do if you are working hard in a forensic case to deal with fraud or something like that, which the average employer would not be able to do. So, there are a lot of questions we would have to answer to really be able to determine that. Chairman MCCRERY. Admittedly, people could find ways to fabricate authentication and thereby get on the database as an authorized worker. Would this system reduce the likelihood that somebody could get a job in the country if that person were here illegally and unauthorized to work? Dr. KENT. It is hard to say---- Chairman MCCRERY. Sure. Dr. KENT. --without looking at all the details, but---- Chairman MCCRERY. The next question is how much would it reduce it? Dr. KENT. Yes. Chairman MCCRERY. That is an easy question to answer. Sure it would, but would the bang for the buck be worth it? That is the real question. Dr. KENT. I think that is where an extensive study needs to be undertaken to try to predict whether or not you would be getting, as you say, good bang for the buck out of such a system. Chairman MCCRERY. Mr. O'Carroll, Mr. Outland, do you have thoughts on this? Mr. O'CARROLL. Yes, Mr. Chairman, it's sort of a twofold question, the first part asking in terms of designing a card that would be tamper-resistant, difficult to counterfeit, whatever. What we are finding is basically anything that has been engineered can be reengineered, and that is kind of our take on any of the expense that would go into coming up with a more counterfeit-proof card. It is really going to be pretty difficult, and the result on it is probably not going to be as good as one would hope. So, what we are kind of in agreement with you on is that it is the underlying data that is the most important. Right now, what Social Security is using with DHS as the basic pilot, the SSA is verifying the SSN. The DHS is verifying the work status on it. There are other documents the employer can ask for, as an example, a DHS I-9. They are running the SSN. They are getting a verification back on it, and we are finding that that type of information is going to be much more current than anything you could embed on a card that is going to keep requiring people to come back to have their cards updated and information like that, which is a whole other workload, assuming that we could come up with a tamper-proof card. Rick? Mr. OUTLAND. Yes, Congressman, adding a photograph or a machine readable technology to the current card would obviously include changing the substrate from the banknote paper to a plastic substrate, say a polycarbonate or even a Teslin. Now, while I have seen counterfeit documents produced on driver's licenses on Teslin and PVC, there are security features that are available that will make it more difficult for the counterfeiter to reproduce those. So, I agree with you. It can be done. You can produce a more difficult card. Given the document as it is right now on banknote paper, there are security features that can be added to that today at a nominal cost to also make it---- Chairman MCCRERY. Yes, a $10 bill, for example. Mr. OUTLAND. Correct. Chairman MCCRERY. We have just done it. I saw one the other day. It is very weird looking. [Laughter.] Chairman MCCRERY. I suppose it is better. Mr. OUTLAND. Yes. Chairman MCCRERY. Well, I want to give--you heard that. That is the House Democratic Cloakroom advising Republicans and Democrats we have votes. [Laughter.] Mr. LEVIN. You can stay if you want. [Laughter.] Chairman MCCRERY. I am going to yield. I have more questions, but I am going to yield to my good friend and colleague from Michigan, Mr. Levin, for any questions he might have. Mr. LEVIN. Just a few, and then, I guess--maybe I will be very brief so Mr. Pomeroy can--the more I hear of this, in a sense the more confusing it is, though you are very articulate. It is not very--it is not clear to me what the issues really are. I take it there are numbers of citizens in the United States, of the United States, who do not have a SSN. Mr. STRECKEWALD. There are--I am sorry, there are many, did you say? I could not quite hear you. Mr. LEVIN. There are many. Mr. STRECKEWALD. We do not believe there are too many people, citizens of the United States that do not have a Social Security card, because most parents get them right away for their newborn babies for tax purposes, and everybody else has one for work and for Social Security purposes. Mr. LEVIN. Before that started, I take it there are some people here, citizens, who do not have a SSN, maybe older people, right? Mr. STRECKEWALD. Well, most of our elderly, at one point or another, came into our offices to get benefits. Even those that did not work, there were some early provisions in Social Security for spouses' benefits if they did not work which still exist today. There were some for Medicare. So, I believe that you would find that most elderly citizens---- Mr. LEVIN. Most. Mr. STRECKEWALD. --have SSNs, if not all. Mr. LEVIN. If we had an ID program, it would mean that there would be people who would not otherwise seek a SSN who would have to become participants in the program, right? Mr. STRECKEWALD. Yes; I think what I hear you saying is, if we decided to issue a new card, there would be some people who normally would not be coming in to get a card, and we would not see them, because they are perfectly fine. Right now they do not need to show their card. They are retired or whatever. If they were asked to come in and get a new card, we would see a lot more people than we normally see for the general replacement card traffic. Mr. LEVIN. Okay; secondly, if there were not an issue in this country about people who are working here, who are not here legally, would there be this issue of a national ID card? You are not sure. Mr. STRECKEWALD. At Social Security, from that perspective, I am not sure. I would defer to the investigators and the experts at the table. Mr. LEVIN. Well, maybe you do not want to answer that. [Laughter.] Mr. LEVIN. It is okay. The next thing that is rather confusing is that part of the problem seems to be that a lot of employers do not want to check the status, legal or illegal. Is that not true? Yes, it is true. Mr. STRECKEWALD. I mean, in our experience, I think, the Inspector General's experience, that is definitely true. Mr. LEVIN. So, if we have a card, it does not matter what you call it, it does not get at the issue of whether we are going to have an effective system of requirement when there is a larger issue as to whether or not people want to accurately and effectively check the status of people, right? Mr. STRECKEWALD. For things to change from where they are now, there would probably have to be more enforcement on that part of the process; that they would have to check it and verify it. Mr. LEVIN. Just to finish, let us say we had an ID card today, and we had a system that any employer who did not verify and use the system, punch into the computer would be guilty of a high misdemeanor, let us say, for example--I assume that would be a somewhat controversial proposition, would it not? Mr. O'CARROLL. Yes, I would agree, because as it stands now, there are laws requiring employers to verify SSNs and provide valid numbers, and employers do not. There has not been very much enforcement done on that. Mr. LEVIN. Thank you. Chairman MCCRERY. Mr. Pomeroy. Mr. POMEROY. Thank you, Mr. Chairman. I will be brief. Thank you for putting together this hearing, and the very interesting panel that majority staff selected has really done a nice job here of collecting a range of views on the proposal. When I was in the State Legislature, now 25 years ago, we passed a law that the North Dakota driver's license number is the SSN. It was simple, easy, everyone remembers. They changed that law. They really, upon further reflection, we really did not want Social Security kind of being a national ID, a national identifier; privacy today, privacy issues, identity theft issues, lots of things led the legislature to correctly, in my view, make that change. I do think this issue presents in front of us very squarely, this would be moving the Social Security card to a national ID card. Now, whether or not that is the full intent of the proposal, I think that that is the effect of it. I have concerns about it in that respect, and I think that the panel has given voice to some of the reasons why one might want to think twice about that. Another concern I have got is budgetary. This $9 billion cost of implementation is advanced at a time when the Administration has proposed changes in Social Security that would kick out of eligibility for survivors' benefits 16- and 17-year-olds. When my father died, I was 19, but I got benefits all the way through college. That was pre-1983. In 1983, we limited it to the 18th year. I think depriving Social Security benefits to someone 16 is just wrong, absolutely wrong. If we cannot afford to pay 16- year-olds when they lose their Dad, I do not think we can afford $9 billion in these fancy cards; simple as that. So, I have got some very deep reservations about this proposal. I thank the Chairman for letting me express them. I yield back. Chairman MCCRERY. Thank you, Mr. Pomeroy. Gentlemen, we are going to have some other questions that we would like to submit to you in writing if that is okay, and that would allow you to leave when we recess in just a few minutes and not just hang around, because we are going to have votes until at least noon, it looks like. However, I do want to point out to Mr. Pomeroy my observation that what some are proposing and what we are discussing here today is an enhanced SSN card, and then using that for purposes of employment verification or work authorization verification. I do not view that as a national ID card. I do not think it would be tantamount to a national ID card necessarily, because unlike, say, a driver's license, which we have to carry on our person if we drive or if we want to cash a check or whatever, one would not have to carry their Social Security card. Only when he is applying for employment would he have to get it out of his safe in his house, or his drawer, or whatever, and take it down to that place of employment and say ``here.'' Then, once that is done, he takes it back, and puts it back in his house in a safe place under his underwear or whatever. [Laughter.] Unless he is burglarized, his SSN is safe with him, just as safe as it is today, where the employer has to have it in any event; he does not have to see the card, but he has to have that number. So, I think it is perhaps a bit of a jump to equate what we are talking about today with a national ID card and all of the ramifications of that. Would you disagree with my observations? Mr. POMEROY. I think you make your point well, but my thought is in the end, if you need this identification card before you can get a job that we have taken a big step toward a national ID card concept, I think. I also do not know about, well, what other--unless we prohibit it in the legislation itself, what other groups may require the use of this particular card, because it would have--it would be the most advanced card in the marketplace, what other groups might require it for other purposes unless, again, we restrict it. Chairman MCCRERY. Yes, well, that is a potential problem, but anyway, this is an interesting subject and an important subject, so I thank the witnesses very much for your testimony, and if you all have any thoughts on what I and Mr. Pomeroy just talked about, feel free to include those in your responses to written questions. Thank you very much. The hearing will be in recess until votes are concluded and we can muster the first panel. [Recess.] Chairman MCCRERY. The Committee will come to order. The hearing is adjourned. [Whereupon, at 10:48 a.m., the hearing was adjourned.] [Questions submitted by Chairman McCrery to the Honorable Jo Anne B. Barnhart and her responses follow:] Question: If Congress were to require employers to verify an employee's name, SSN, and employment eligibility through a government database, would we still need to enhance the SSN card to prevent unauthorized work by non-citizens? Would some form of identification, (e.g., a driver's license or immigration card from the U.S. Department of Homeland Security) plus confirmation from the system be enough to identify individuals who do not have authorization to work in the United States? How much value would an enhanced SSN card add to such a system? Answer: By using the Basic Pilot or a similar government database which accesses the Department of Homeland Security's (DHS) work authorization information, employers have access to the most current work authorization data available, because DHS' work authorization data is more current than the information on the Social Security number (SSN) card. Therefore, requiring employers to verify employees' work authorization through such a database, would render the SSN card, enhanced or not, of little additional value in proving current work authorization. To address the issue of identity, employers would still need to verify an employee's identity by examining an identity document listed on the Form 1-9 and be alert for identity fraud situations. The Social Security card itself was never intended and does not serve as a personal identification document; that is, the card does not establish that the person presenting the card is actually the person whose name and SSN appear on the card. Question: In his testimony, Mr. Streckewald said that replacing cards for 240 million cardholders nationwide would cost approximately $9.5 billion. How much would it cost if the agency issues new cards only to people in the workforce? What are your thoughts on allowing the SSA to charge a fee to offset some or all of those costs--what are the arguments for and against such an option? Answer: Last year we estimated a card with enhanced security features, such as biometric identifiers, would cost approximately $25.00 per card. This estimate does not include the startup investments associated with the purchase of equipment needed to produce and issue such a card. Based on this information, our most recent 5-year estimate regarding the issuance of new enhanced cards to 170 million current workers and 5 million new workers annually is approximately $6.7 billion to replace the cards within 5 years and $7.4 billion to replace the cards within 2 years. This estimate includes all startup and ongoing costs. More recent data, however, shows that the cost of issuing Social Security cards has increased by at least $3.00, due, in part, to new requirements for verification of evidence. We will update our estimate when we have accumulated sufficient baseline data. In addition, when formulating an estimate based on a particular proposal, we would have to consider the details of the proposal, including the type of card enhancements required and the amount of time given to issue the enhanced card. Finally, charging a fee for issuing these new Social Security cards, while ultimately a policy decision, would result in significant additional costs for the Social Security Administration (SSA). It would involve explaining and collecting the fee, obtaining credit card authorization if necessary, entering remittance of the payment into an automated system, and issuing a receipt of payment. In addition, charging a fee would involve SSA periodically setting a fee schedule and reconciling these offsetting collections. All of these actions would result in a considerable increase in the cost of issuing a Social Security card. Question: What would be the effect on SSA's workloads of issuing enhanced SSN cards to everybody who is seeking employment in the United States? How many employees would it require to process the workload? Answer: Issuing new enhanced cards to everyone seeking employment in the United States would have a significant impact on SSA's workloads until all individuals in the workforce have been issued a new card. We estimate that the initial workload would require about 13,000 additional employees. This equates to approximately 20 percent of SSA's current workforce. Absorbing this work without additional staff would require a reduction of 20 percent of the work we currently process, including retirement claims, disability claims and eligibility reviews. This estimate does not reflect the increased time our employees must spend with Social Security card applicants due to the new requirements for verification of documents which began in December 2005. We anticipate our workforce requirement would increase as a result of this recent change, but we need to develop a longitudinal baseline of actual data before revising our estimates. Question: Another witness at the hearing, Dr. Kent, stated that ``layering even the best current security on top of old data only gives the old data an appearance of being more trustworthy.'' Is the SSN system a good database upon which to build an employment authorization card? What changes, if any, would need to be made to the SSA's data to provide reliable validation of identity and employment authorization? Answer: Social Security's databases do not contain current information about employment eligibility, because there is no SSA program need to maintain such information. SSA is able to verify current work authorization only when SSA records reflect that the individual is a U.S. citizen, because U.S. citizens have permanent work authorization. For all non-citizens, SSA's databases contain only a ``snapshot in time'' of employment eligibility as of the date the SSN card was issued. SSA's records are updated only when a non-citizen submits a new application requesting a change to the information in his or her record and provides evidence supporting the change. Therefore, DHS' work authorization data is the only reliable source for validating the current employment eligibility of non-citizens. We believe an employment eligibility verification system, such as the current Basic Pilot, is the best tool for employers to verify employees' current work authorization status. Such a system uses the data contained in SSA and DHS databases in a way that allows each agency to maintain only the data necessary for the administration of their respective programs. As a result, each agency is able to focus on its own business processes, including the collection, integrity and accuracy of certain information. If these databases were to be combined, one agency would be burdened with the management of data which it does not collect, cannot verify and which is not related to its business purposes. In addition, a combined database would be less accurate than two separate databases since combining the data would involve transmitting updated information from the source data base. At any point in time, some data on the combined database would be out of sync with the source database that contains the most current information. Finally, we note that an essential component of any employment verification system is to confirm the identity of the individual seeking employment verification. SSA databases do not contain identity information and, thus, are not suited to this critical function. Question: Currently the SSA issues a special series of SSNs to non- citizens who are assigned SSNs through the ``enumeration-at-entry'' program. If the SSA were to dedicate a special series of SSNs to individuals who have no authorization to work, or only temporary authorization to work, at the time the SSN is issued, would that help employers identify non-citizens who are unauthorized to work in the United States? Answer: SSA has considered using special series numbers for temporary non-citizen workers and those non-citizens admitted without work authorization. Our analysis showed that a special series for temporary workers would be of limited value in providing meaningful work authorization information to employers because immigration and authorization to work status may expire, be renewed or changed to another status by DHS. Thus, employers looking at a card or SSN with a special series designated for temporary workers would still need to verify current work authorization. Other concerns to be considered with numbers that identify certain categories of non-citizens include the following: <bullet> Providing new, special series SSNs for all aliens in the United States who have no work authorization or temporary work authorization, and who have already been issued an SSN, would present a staggering workload for SSA. <bullet> SSA would also be required to assign new SSNs to non- citizens when their immigration status changes. The volume of new SSNs which would be required to assign multiple numbers to many non-citizens would create a number of issues, including: <bullet> Running out of numbers. (SSA currently has enough SSNs for nearly 70 years. Assigning multiple numbers to non- citizens would require setting aside large blocks of numbers, which would significantly deplete the supply of SSNs available to citizens.) <bullet> Complex cross-referencing of multiple numbers by SSA and all other governmental and non-governmental agencies that use the SSN. Question: If Congress were to require the SSA to record information on when a temporary immigrant's authorization to work in the United States expired as part of its voluntary SSN verification services, would that help employers identify non-citizens who are unauthorized to work in the United States? Answer: In keeping with DHS' mission and authority, DHS has the most current information on immigration and work authorization status. We believe that giving employers access to DHS' work authorization data, through an employment eligibility verification system such as the Basic Pilot, would be the most accurate way for an employer to determine an employee's current work authorization status. While such information might be helpful to employers, requiring SSA to maintain such information would be problematic. Maintaining work authorization expiration information in SSA's records would expand SSA's mission to include a business purpose that would concurrently fall under the purview of DHS. Even if SSA were required to maintain such information in its records, SSA would not be responsible for granting work authorization status or determining the duration of such status. Therefore, SSA would be unable to respond to employer questions or to resolve issues related to the verification of that information. [Questions submitted by Chairman McCrery to the Honorable Patrick P. O'Carroll and his responses follow:] Question: Is there such a thing as a counterfeit proof card? How would you define a minimum threshold for a counterfeit and tamper ``resistant'' card? Answer: We do not believe there is such a thing as a perfectly counterfeit-proof Social Security card. Certainly, with each new security feature, the card would be more tamper-resistant. However, we are uncertain as to whether trying to make the card more counterfeit- resistant is worth the costs of improving and reissuing such cards. As a person ages, there are modifications in appearance such as weight gain or loss, changes in hair and facial appearance, and so on. Because of this, photographs often are not as reliable as other biometric alternatives. We believe that digitized fingerprints would be more reliable than photographs as scientific data suggests that a person's fingerprints do not substantially change after age 3. In addition, new photographs would need to be taken periodically to stay current with an individual's physiological changes. We also are concerned about the effect on SSA's Enumeration at Birth program of requiring such a card. The Social Security Administration (SSA) will need sufficient time to design an enhanced card. It will need to determine which biometric features are to be captured, ensure proper data linkage with the Department of Homeland Security, and issue the new card to tens of millions of individuals. This will create a significant administrative and cost burden for SSA. A more viable alternative might be to issue the new card only to new applicants, to those current number holders who apply for benefits in the future, and to those current number holders who request the new biometric card. If the Social Security card is machine readable, then other public and private sector entities will need to procure equipment that can read the biometrics on the new cards. The costs to these entities, in terms of equipment and training, would need to be considered. Question: There is much concern that non-citizens who are unauthorized to work are using counterfeit SSN cards and false or stolen SSNs in order to illegally gain employment in the United States. Is it the SSNs themselves, or SSN cards, that are most often used in connection with unauthorized employment? Answer: Under current law, the SSN card is not a required document when an individual is applying for a job. If an applicant submits an SSN card to an employer, that employer may not identify a counterfeit card. Whether or not the employer views the actual SSN card, real-time verification with SSA of the name and SSN the applicant provides could assist in preventing theft of an individual's SSN or use of a false number. In addition, active deterrence, in the form of possible apprehension for false use of an SSN, would further decrease SSN misuse. Although we do not capture this specific information about SSN misuse in our case management system, it has been the experience of our investigators that SSNs themselves, rather than Social Security cards, are most often used in connection with unauthorized employment. Question: In your testimony, you said that your prior audit work has revealed inaccuracies in the SSA's SSN database that could affect the Agency's ability to provide employment eligibility verification services. Could you elaborate on what you found? Answer: In our audit Compliance with Policies and Procedures When Processing Noncitizen Social Security Number Applications at Foreign Service Posts (A-08-04-14060, August 30, 2004), we found that SSA personnel classified 12 percent of the applicants enumerated at Foreign Service posts during our audit period as noncitizens, even though documents provided by the applicants showed them to be United States citizens. For these cases, the SSA employee recorded that United States citizens born abroad were noncitizens. We have additional audits that have identified similar issues. However, we have not performed a review of the overall accuracy of SSA's enumeration database. We do have a review ongoing in this area and will report the results when we have completed our review. [Questions submitted by Chairman McCrery to the Dr. Peter Blair of the National Research Council and his responses follow:] Question: Dr. Kent stated in his testimony that there are almost always forces that push identification systems to be used in ways for which they were not originally designed or intended. What do you think could be some of the unintended consequences of adding identity information, such as a photograph or other biometric information, to SSN cards? Answer: The general issue of unintended consequences from the deployment of any large-scale identity system is described in the reports that Dr. Kent cited in his earlier testimony. Absent strong technical and policy countermeasures and disincentives, the use of an ID card, ID number, or ID system can expand greatly, just as has happened with the SSN and the state driver's license. Potential unplanned-for uses depend in part on the purpose of the system, what information is contained in any related databases, and what possession of an ID is meant to signify. Adding biometric information to the ID system implies another level of complexity with all of the attendant challenges surrounding enrollment, capture of biometric information, reliability, accuracy, and so on. To the extent that an ID system is made reliable and accurate, it is that much more tempting a target for attacks or simply for uses for which it was not designed. Predicting what specific secondary uses might arise for any particular ID system is difficult absent a more complete description of that system. Question: If the role of the SSN card was expanded so that it provided proof of identity, would it become a more desirable target for identity thieves or others who seek to commit crimes using the SSN? Would the potential damage that could be done if an SSN is stolen by greater? How could we protect individuals, businesses, and the government against this? Answer: To the extent that an expanded SSN card becomes more valuable--in this case ``proof'' of identity would be a valuable commodity--the more likely it is to be a target for identity thieves as they seek to take advantage of the new functionality. Increasing the value of the SSN card might also raise its profile, even apart from any new credentialing that it could offer, and thus increase the frequency with which it is a target of traditional sorts of identity theft and fraud. Identity theft is already a major challenge by virtue of the link between the SSN and other readily available types of personal information and access to credit. Finding ways to cut these links so that identity credentials in one system cannot be easily used in another might offer some protection. On the other hand, this could insert friction and decrease efficiency of some transactions. Question: What documents available today should employers use to verify the identity of their employees? Answer: Our reports do not address this question specifically. To the extent that employers need to use an ad hoc or formalized identity system when hiring, questions that would help guide the choice of documents to use include: what specific problems need to be addressed (in this case, presumably, establishing work eligibility), what is the extent of the problem (affording some sense of costs and benefits), how could a particular identity system address that problem, and what other solutions (apart from a formalized new identity system) might address the problem? Question: How would you define a national identification system? If Congress were to add certain features to the SSN card, such as a photo or other biometric information, and to require its use to obtain employment, do you think it would meet that definition? Answer: Our reports do not draw a clear distinction because any large-scale identify system poses numerous challenges and policy questions that must be addressed. For some systems, such as those deployed only to allow access to a particular business building for example, the scope and scale is fairly limited and the policy issues are primarily specific to that business or that location. However, in any system that is deployed to encompass large portions of the population for more general purposes much more rigor and attention to the questions outlined in IDs--Not That Easy are needed. In this sense, then, there are already several nationwide identity systems, each serving different purposes, including passports, driver licenses, and present-day SSN cards/numbers. In short, changing the SSN card's features and functionality would create a national identification system much as the existing systems listed above have, but the label is much less important than is sorting through the policy and technical challenges of any large-scale identity system. Question: Members of Congress have introduced proposals that would require millions of employers across the United States to access an employment eligibility verification database operated by the government. What concerns would you have about the privacy and security of such a database? What is the track record on maintaining the security of such a database? Answer: Such a database would presumably be one element of a large- scale identity system and all of the issues raised in our two reports would apply. Securing the database is only part of the challenge. Depending on the purposes of the system and the specific content of the database, such a database could be an extremely high-value target for a wide variety of people ranging from tax avoiders to identity thieves to national security risks. Just as with a state driver's license system, the value of this database as a target will be dependent on what value the credential offers; the more things the credential is useful for, the higher value target the database is likely to be. An early question to ask is how is membership in the database ascertained and verified? That is, what process determines whether an individual is eligible to work? Then, additional questions include: What individuals, organizations, and institutions would have legitimate access to the database? How would that access be facilitated? Who would verify the legitimacy of these individuals, organizations, and institutions? What opportunities for redress would there be if erroneous data ends up in the database? Where would liability for mistakes reside? All of these points, and many others, introduce various sorts of privacy and security vulnerabilities into the system. And, experience suggests that even applying the best security and privacy protections available will not protect against so-called ``social engineering'' attacks or hacks (such as bribes). That said, protection against attacks is only one part of the challenge. Having policies, procedures, and technical capabilities in place to discover that an attack has taken or is taking place as well as procedures in place to respond effectively is also critically important. Virtually any large, valuable database will be the target of some kind of attack and no such database can be 100% secure; therefore clearly thinking through how to respond in the event of an attack, disclosure, or simple failure is a key component of building secure and reliable systems. <F-dash> [Submissions for the record follow:] Severn Trent Services Colmar, Pennsylvania 18915 March 27, 2006 The Honorable Bill Thomas Chairman Committee on Ways and Means U.S. House of Representatives Washington, D.C. 20515 Dear Chairman Thomas: I am writing on behalf of our company in support of H.R. 1708, the Clean Water Investment and Infrastructure Security Act. Severn Trent Services has a global presence and is a $600 million business employing 2,350 personnel providing water and wastewater equipment and services to communities and industrial customers around the world. The company's broad range of products and services is concentrated around disinfection, instrumentation, and filtration technologies, pipeline analysis, rehabilitation and repair services, contract operating services and state-of-the-art residential metering products and services. Severn Trent Services is a member of the Severn Trent Plc (London: SVT.L) group of companies. An international environmental services leader, Severn Trent is a FTSE 100 company. We should all be concerned about the deteriorating state of our nation's water and wastewater infrastructure. Nearly $1 trillion dollars need to be invested over the next 20 years to repair, rehabilitate, replace and upgrade our nation's network of water and wastewater treatment plants, collection systems and distribution lines. Failure to stem this looming crisis will cause significant public health and economic harm to our country. H.R. 1708 will allow communities across the nation to partner with the private sector in funding critical water infrastructure activities by removing water and wastewater projects from the state volume caps for private activity bonds. This is the least expensive option for addressing a growing national crisis and ensuring that all Americans are guaranteed a safe, reliable water infrastructure system. We urge Congress to move expeditiously on this proposal and thank you for your leadership in this matter. Sincerely, Steve Hinkle Credit Manager Michael P. Isabell Business Unit Manager Linda D. Slack Administative Assistant Nadia Abbott Marketing Manager Barbara Ferns Principal Electrochlorination Engineer <all>