[House Hearing, 109 Congress]
[From the U.S. Government Printing Office]




                               before the


                                 of the

                      COMMITTEE ON WAYS AND MEANS
                     U.S. HOUSE OF REPRESENTATIVES

                       ONE HUNDRED NINTH CONGRESS

                             SECOND SESSION


                             MARCH 16, 2006


                           Serial No. 109-58


         Printed for the use of the Committee on Ways and Means

30-704                      WASHINGTON : 2006
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512�091800  
Fax: (202) 512�092250 Mail: Stop SSOP, Washington, DC 20402�090001

                      COMMITTEE ON WAYS AND MEANS

                   BILL THOMAS, California, Chairman

E. CLAY SHAW, JR., Florida           CHARLES B. RANGEL, New York
NANCY L. JOHNSON, Connecticut        FORTNEY PETE STARK, California
WALLY HERGER, California             SANDER M. LEVIN, Michigan
JIM MCCRERY, Louisiana               BENJAMIN L. CARDIN, Maryland
DAVE CAMP, Michigan                  JIM MCDERMOTT, Washington
JIM RAMSTAD, Minnesota               JOHN LEWIS, Georgia
JIM NUSSLE, Iowa                     RICHARD E. NEAL, Massachusetts
SAM JOHNSON, Texas                   MICHAEL R. MCNULTY, New York
PHIL ENGLISH, Pennsylvania           WILLIAM J. JEFFERSON, Louisiana
J.D. HAYWORTH, Arizona               JOHN S. TANNER, Tennessee
JERRY WELLER, Illinois               XAVIER BECERRA, California
KENNY C. HULSHOF, Missouri           LLOYD DOGGETT, Texas
RON LEWIS, Kentucky                  EARL POMEROY, North Dakota
MARK FOLEY, Florida                  STEPHANIE TUBBS JONES, Ohio
KEVIN BRADY, Texas                   MIKE THOMPSON, California
THOMAS M. REYNOLDS, New York         JOHN B. LARSON, Connecticut
PAUL RYAN, Wisconsin                 RAHM EMANUEL, Illinois
MELISSA A. HART, Pennsylvania
DEVIN NUNES, California

                    Allison H. Giles, Chief of Staff

                  Janice Mays, Minority Chief Counsel



                    JIM MCCRERY, Louisiana, Chairman

E. CLAY SHAW JR., Florida            SANDER M. LEVIN, Michigan
SAM JOHNSON, Texas                   EARL POMEROY, North Dakota
J.D. HAYWORTH, Arizona               XAVIER BECERRA, California
RON LEWIS, Kentucky                  RICHARD E. NEAL, Massachusetts
PAUL RYAN, Wisconsin

Pursuant to clause 2(e)(4) of Rule XI of the Rules of the House, public 
hearing records of the Committee on Ways and Means are also published 
in electronic form. The printed hearing record remains the official 
version. Because electronic submissions are used to prepare both 
printed and electronic versions of the hearing record, the process of 
converting between various electronic formats may introduce 
unintentional errors or omissions. Such occurrences are inherent in the 
current publication process and should diminish as the process is 
further refined.

                            C O N T E N T S



Advisory of March 8, 2006 announcing the hearing.................     2


The Honorable Patrick P. O'Carroll, Inspector General, Social 
  Security Administration........................................     6
Richard Outland, Branch Chief, Questioned Document Branch, 
  Forensic Services Division, U.S. Secret Service................
Frederick G. Streckewald, Assistant Deputy Commissioner, 
  Disability and Income Security Programs, Social Security 
  Administration.................................................     9
Stephen T. Kent, Ph.D., Chairman, Committee on Authentication 
  Technologies and Their Privacy Implications, National Research 
  Council, The National Academies................................    18
Marc Rotenberg, President, Electronic Privacy Information Center.    24

                       SUBMISSION FOR THE RECORD

Severn Trent Services, Colmar, PA, Joint Letter..................    41

                         FOURTH IN A SERIES OF
                        SUBCOMMITTEE HEARINGS ON


                        THURSDAY, MARCH 16, 2006

             U.S. House of Representatives,
                       Committee on Ways and Means,
                           Subcommittee on Social Security,
                                                    Washington, DC.

    The Subcommittee met, pursuant to notice, at 10:03 a.m., in 
room B-318, Rayburn House Office Building, Hon. Jim McCrery 
(Chairman of the Subcommittee) presiding.
    [The advisory announcing the hearing follows:]



                                                CONTACT: (202) 225-9263
March 8, 2006

                     McCrery Announces Fourth in a

                   Series of Subcommittee Hearings on

                Social Security Number High-Risk Issues

    Congressman Jim McCrery, (R-LA), Chairman, Subcommittee on Social 
Security of the Committee on Ways and Means, today announced that the 
Subcommittee will hold the fourth in a series of Subcommittee hearings 
on Social Security number (SSN) high-risk issues. The hearing will 
examine expanding uses of the SSN card and measures to prevent SSN card 
fraud. The hearing will take place on Thursday, March 16, 2006, in room 
B-318 Rayburn House Office Building, beginning at 10:00 a.m.
    In view of the limited time available to hear witnesses, oral 
testimony at this hearing will be from invited witnesses only. However, 
any individual or organization not scheduled for an oral appearance may 
submit a written statement for consideration by the Committee and for 
inclusion in the printed record of the hearing.


    The SSN was created in 1936 to record earnings and benefits for the 
Social Security program. The sole purpose of the SSN card was to show 
that an SSN had been issued to the named individual. Originally, the 
SSN card had no security features other than the individual's 
    Within a decade, the SSN's use grew beyond its original narrow 
purpose, and has continued to expand. According to the Social Security 
Administration (SSA), the SSN is now the single most widely-used record 
identifier for both the government and the private sectors.
    As with the SSN, the SSN card's uses also have expanded over the 
decades. Currently, one of its most important roles is in work 
authorization. The U.S. Department of Homeland Security requires 
employers to document the identity and employment eligibility of their 
new hires. For U.S. citizens and some non-citizens, employers may 
accept the SSN card as proof of a person's eligibility to work in the 
United States.
    As the uses of the SSN and the SSN card have increased, security 
features have been added to the SSN card to prevent its fraudulent 
duplication or alteration. For example, legislation enacted in the 
early 1980s required specific changes to the SSN card, and the 
Intelligence Reform and Terrorism Prevention Act of 2004 (P.L. 108-458) 
requires that standards be established and implemented to safeguard SSN 
cards from counterfeiting, tampering, alteration, and theft. However, 
the SSA does not replace all existing SSN cards when a new SSN card 
design is adopted, due to workload concerns and the potential burden on 
the public. As a result, since 1936, the SSA has issued more than 433 
million SSNs, with about 50 different versions of the SSN card--all of 
which are still valid.
    Despite its adoption for other purposes, the SSN card by itself is 
not a personal identity document. The SSN card does not contain 
information that would confirm that the person presenting the card is 
actually the person whose name and SSN appear on the card. Several 
bills introduced in the 109th Congress would mandate significant 
changes to the card for that purpose. For example, one proposal would 
enhance the security features in the SSN card as part of a package of 
changes to the process of confirming the identity and work eligibility 
of new hires. However, ideas such as adding photographs, machine-
readable electronic strips, and other features to SSN cards have raised 
concerns about the future purpose of the card. Some have expressed 
concerns that SSN card may evolve into a form of national 
    In announcing the hearing, Chairman McCrery stated, ``Because of 
the expanding use of SSNs and SSN cards, they are often transformed 
into tools to gain illegal employment and perpetrate identity theft and 
other crimes. We need a thorough examination of the appropriateness of 
using SSNs in certain roles. It is equally important for us to examine 
the potential impact on individual's security and privacy that could 
result from changes to the design of the SSN card.''


    The Subcommittee will examine the history of SSNs and SSN card use, 
the role of the SSN card in work authorization, measures to prevent SSN 
card fraud, and the potential effects of transforming the SSN card into 
an identification document.


    Please Note: Any person(s) and/or organization(s) wishing to submit 
for the hearing record must follow the appropriate link on the hearing 
page of the Committee website and complete the informational forms. 
From the Committee homepage, http://waysandmeans.house.gov, select 
``109th Congress'' from the menu entitled, ``Hearing Archives'' (http:/
/waysandmeans.house.gov/Hearings.asp?congress=17). Select the hearing 
for which you would like to submit, and click on the link entitled, 
``Click here to provide a submission for the record.'' Once you have 
followed the online instructions, completing all informational forms 
and clicking ``submit'' on the final page, an email will be sent to the 
address which you supply confirming your interest in providing a 
submission for the record. You MUST REPLY to the email and ATTACH your 
submission as a Word or WordPerfect document, in compliance with the 
formatting requirements listed below, by close of business Thursday, 
March 30, 2006. Finally, please note that due to the change in House 
mail policy, the U.S. Capitol Police will refuse sealed-package 
deliveries to all House Office Buildings. For questions, or if you 
encounter technical problems, please call (202) 225-1721.


    The Committee relies on electronic submissions for printing the 
official hearing record. As always, submissions will be included in the 
record according to the discretion of the Committee. The Committee will 
not alter the content of your submission, but we reserve the right to 
format it according to our guidelines. Any submission provided to the 
Committee by a witness, any supplementary materials submitted for the 
printed record, and any written comments in response to a request for 
written comments must conform to the guidelines listed below. Any 
submission or supplementary item not in compliance with these 
guidelines will not be printed, but will be maintained in the Committee 
files for review and use by the Committee.
    1. All submissions and supplementary materials must be provided in 
Word or WordPerfect format and MUST NOT exceed a total of 10 pages, 
including attachments. Witnesses and submitters are advised that the 
Committee relies on electronic submissions for printing the official 
hearing record.
    2. Copies of whole documents submitted as exhibit material will not 
be accepted for printing. Instead, exhibit material should be 
referenced and quoted or paraphrased. All exhibit material not meeting 
these specifications will be maintained in the Committee files for 
review and use by the Committee.
    3. All submissions must include a list of all clients, persons, 
and/or organizations on whose behalf the witness appears. A 
supplemental sheet must accompany each submission listing the name, 
company, address, telephone and fax numbers of each witness.
    Note: All Committee advisories and news releases are available on 
the World Wide Web at http://waysandmeans.house.gov.
    The Committee seeks to make its facilities accessible to persons 
with disabilities. If you are in need of special accommodations, please 
call 202-225-1721 or 202-226-3411 TTD/TTY in advance of the event (four 
business days notice is requested). Questions with regard to special 
accommodation needs in general (including availability of Committee 
materials in alternative formats) may be directed to the Committee as 
noted above.


    Chairman MCCRERY. The hearing will come to order. Good 
morning, and welcome to our fourth in a series of hearings on 
high risk issues related to Social Security numbers (SSNs). 
Today, we will examine the expanding uses of the SSN and 
options to prevent fraud involving SSN cards, and in the 
interests of time, because we are going to have votes coming up 
pretty soon, I am going to submit the rest of my opening 
statement in writing for the record, and I would yield to my 
colleague, the Ranking Member, Mr. Levin.

    [The prepared statement of Chairman McCrery follows:]

    Opening Statement of The Honorable Jim McCrery, Chairman, and a 
         Representative in Congress from the State of Louisiana

    Good morning and welcome to our fourth in a series of hearings on 
high-risk issues related to Social Security numbers, or SSNs. Today, 
we'll examine the expanding uses of the SSN and options to prevent 
fraud involving SSN cards.
    Much of our discussion at this hearing will focus on the use of the 
SSN and SSN card in employment. Current law requires employers to 
verify the identity and employment eligibility of new hires. Employers 
may accept an SSN card as one of several documents that a person may 
present as proof of employment eligibility, if the card does not bear 
either of two legends: ``Not Valid for Employment'' or ``Valid for Work 
Only with DHS Authorization.''
    After examining a new hire's documents; the employer must accept 
them, if the documents reasonably appear to be genuine and belong to 
the worker. If an employee uses an SSN card to prove work 
authorization, he or she must provide another document to prove his or 
her identity, such as a driver's license.
    To simplify the process for employers and prevent unauthorized 
work, some legislators have proposed making the SSN card the single, 
counterfeit and tamper-resistant document employers would be required 
to see, replacing all the others. The SSN card would be modified to 
contain proof of identity. Employers would use it to access a 
government database to verify employment eligibility.
    Such a change would greatly expand the role of the SSN card in work 
authorization, and it raises a number of essential questions that I 
hope we will address today.
    First, how confident can we be that a particular SSN was issued 
based on accurate information? The answer, as we have learned from 
previous hearings, depends on when the SSN card was issued. It wasn't 
until 1978 that all SSN applicants were required to provide proof of 
their identity, age, and citizen or non-citizen status. Before 2002, 
the Social Security Administration did not consistently verify birth 
certificates or immigration documents with the issuing agency.
    Adding new security features to the SSN card today will not assure 
the accuracy of the data originally used to issue an SSN. To raise the 
level of accuracy, all SSN cardholders in the workforce would have to 
apply for new cards and provide full documentation of their identity, 
citizen or non-citizen status, and age. What would this cost? What 
impact would this have on the Social Security Administration?
    Second, what are the options for designing a counterfeit and 
tamper-resistant SSN card? As required by the Intelligence Reform and 
Terrorism Prevention Act of 2004, the Social Security Administration is 
working with the Department of Homeland Security to improve the 
security of SSNs and SSN cards and implement such improvements by June 
2006. It is important to establish the range of options for a 
counterfeit and tamper-resistant card, the costs of the options, 
whether the options will work, as well as non-SSN card options to 
verify identity and work authorization.
    Third, what are the ramifications of transforming the SSN card into 
an identity card? Currently, the SSN card serves only to show that an 
SSN was assigned to the individual named on the card. It does not 
contain features to prove that the cardholder is the individual named 
on the card.
    Changing the SSN card into an ID could encourage its use for other 
purposes, given the widespread use of the SSN itself in many personal 
and financial transactions. Adding identification features to the SSN 
card could duplicate efforts already underway to provide secure 
identity documentation--such as improved driver's licenses and State-
issued ID cards called for under the REAL ID Act.
    Finally, we must be mindful to examine these issues in a greater 
context. For example, if employers are ultimately required to verify 
SSNs and employment eligibility through a government database (as 
required under some proposals), then employers may only need proof of 
the worker's identity. The database could confirm the person's SSN and 
employment eligibility without the need for an enhanced SSN card.
    I look forward to hearing the testimony and recommendations of our 
witnesses and welcome the views of my colleagues on these complex 
issues. I believe that it is our responsibility as legislators to work 
for a balanced, thoughtful approach--one that will deter unauthorized 
employment without placing undue burdens on businesses, while 
protecting the privacy of our fellow Americans.


    Mr. LEVIN. I will do likewise, so we can hear your 
testimony and have an hour to think about it.
    Mr. LEVIN. Thank you.

    [The prepared statement of Mr. Levin follows:]

Opening Statement of The Honorable Sander M. Levin, a Representative in 
                  Congress from the State of Michigan

    Today our Subcommittee has the opportunity to examine two issues--
our ongoing, non-controversial effort to ensure that Social Security 
cards are not counterfeited, and the more controversial debate about 
whether it is appropriate to make the Social Security card into a 
national identification card.
    These are issues squarely within the jurisdiction of the Ways & 
Means Committee. I am pleased that the Chairman has provided this 
opportunity for us to discuss them and to learn more about the 
proposals and the issues from our colleagues and a panel of experts.
    As the Committee of jurisdiction, it is also our responsibility to 
oversee the efforts already underway. As required by the Intelligence 
Reform and Terrorism Prevention Act of 2004, the Social Security 
Administration and the Department of Homeland Security are currently 
identifying options for making Social Security cards more secure, with 
the goal of implementing improvements by this June. Each option imposes 
certain costs, both in dollars and in loss of personal privacy, so it 
is important for our Committee to weigh the costs and benefits and to 
keep in close touch with the agencies involved.
    I look forward to a frank and thoughtful discussion of these 
complex issues.


    Chairman MCCRERY. Thank you, Mr. Levin. We are also going 
to reverse the order of the panels this morning so that we can 
allow these gentlemen to get their testimony in and perhaps go 
through a few questions before votes are called, and then, the 
first panel, which consists of two of our colleagues, we will 
retrieve as we can and then finish the hearing, but that way, 
we will not have you all sitting around on your thumbs all 
    With that, I would introduce our first panel this morning: 
the Honorable Patrick O'Carroll, Inspector General, Social 
Security Administration (SSA), and he is accompanied this 
morning by Richard Outland, Branch Chief, Questioned Document 
Branch, Forensic Services Division, U.S. Secret Service; and 
Mr. Frederick G. Streckewald, Assistant Deputy Commissioner, 
Disability Income Security Programs, the SSA; welcome back, 
both of you gentlemen; Stephen Kent, Chairman, Committee on 
Authentication Technologies and their Privacy Implications, 
National Research Council, the National Academies; and Marc 
Rotenberg, President, Electronic Privacy Information Center. 
Welcome, all of you gentlemen, and we will begin with Mr. 


    Mr. O'CARROLL. Good morning, Chairman McCrery, Congressman 
Levin. Thank you for inviting me to be here today. I would like 
to focus on our investigative efforts with respect to SSN 
    With me today is Mr. Richard Outland, Assistant Chief, U.S. 
Secret Service, Forensic Services Division. Based on a 
longstanding interagency agreement, when our agents come across 
suspected counterfeited Social Security cards, they are 
referred to the Secret Service for further forensic 
examination. Mr. Outland is here today to answer any technical 
    No matter how carefully we protect the SSN, there will be 
those who find a way to turn the number to nefarious purposes, 
and when they do, our special agents will be there. Our 
statutory mission is to protect the SSA's programs and 
operations from fraud, and abuse. At the core of that mission 
is the protection of the Social Security Trust Funds that 
provide benefits to millions of Americans every month.
    To that end, 79 percent of our cases we investigated last 
year were for program fraud. Still, we are ever mindful of our 
obligation to protect the SSN from misuse. In fact, 16 percent 
of our investigations involved SSN misuse.
    To maximize our resources, we focus our overall SSN misuse 
energies in cooperative efforts with other Federal, State, and 
local task forces. At last count, we were involved in almost 
200 task forces and work groups across the country. For 
example, our agents on the Central Florida Identity Theft Task 
Force concluded a case last year in which they apprehended 15 
members of an identity theft ring. They would obtain lists of 
individuals with good credit histories and use the personal 
information of those individuals to defraud a variety of 
commercial entities in the Orlando area. Twelve of the 15 
individuals arrested were sentenced to prison, and all were 
ordered to repay more than $2 million to the victims.
    Our own internal caseload is no less daunting, and our solo 
work is equally impressive. We see allegations of SSN misuse in 
myriad forms every day. One such allegation from a SSA district 
office concerned a woman who was receiving disability benefits 
under two separate SSNs and insisted that she was one half of a 
set of identical twins. Our investigators asked her to provide 
a copy of her birth certificate, while unbeknownst to her, we 
were obtaining one directly from the State Bureau of Vital 
Statistics. The one we obtained showed a single birth, and the 
altered one she produced had the same control number and 
signatures but showed a twin birth.
    Before we confronted her with the fact that we had 
uncovered her forgery, she had asked her Congressman to 
intervene on her behalf and demanded that her nonexistent 
twin's benefits be reinstated. We were only too happy to share 
the forged birth certificate with the Congressman.
    We see SSN misuse cases like this every day. What we see 
less frequently, however, are cases involving counterfeit 
Social Security cards. While we take such cases very seriously 
and have recently disrupted several counterfeit identity 
operations, the reality is that the Social Security card serves 
as little more than a hard copy record of a number that we all 
memorize at an early age.
    While the SSN itself is necessary to obtain employment, to 
obtain a loan, and for countless other purposes, we rarely, if 
ever, are asked to show anyone our Social Security cards. The 
card was designed for a single purpose: to provide the holder 
with a number used to track earnings and pay benefits.
    While the uses of the number have expanded significantly 
over the decades, the uses of the card have remained more or 
less the same. There is no question that periodic security 
improvements to the card are necessary to stay one step ahead 
of tech savvy counterfeiters. As long as the use of the card 
remains as limited as it has been, it is difficult to justify 
the expense that would be incurred in creating a ``counterfeit 
    Of course, if Congress decides to expand the uses of the 
Social Security card, then, those expenses might become 
necessary. If this is Congress' ultimate decision, we will do 
everything possible to work with you and the SSA to make the 
card as counterfeit-proof as possible. Until then, we will 
continue our audit and investigative efforts to combat SSN 
misuse and provide the SSA and Congress with timely and 
accurate information.
    Thank you, and if you have any questions, I will be happy 
to answer them.

    [The prepared statement of Mr. O'Carroll follows:]

  Statement of The Honorable Patrick P. O'Carroll, Inspector General, 
  Social Security Administration; accompanied by Richard L. Outland, 
 Assistant Branch Chief--Questioned Document Branch, Forensic Services 
                     Division, U.S. Secret Service

    Good morning, Chairman McCrery, Congressman Levin, and Members of 
the Subcommittee. This is our fourth hearing in this series on high-
risk Social Security number (SSN) issues, and I applaud your efforts 
and dedication in giving these issues the attention they deserve. The 
SSN is a key to American life in many ways, and as we have seen 
throughout this series of hearings, its misuse has repercussions that 
cause a ripple effect across the American landscape.
    Much of my testimony in the first three hearings has centered on 
largely administrative issues. At the first hearing, we discussed 
enumeration, the process by which the Social Security Administration 
(SSA) issues SSNs; at the second hearing, we discussed SSN misuse in 
the context of misreported wages, particularly by foreign-born workers 
without authorization to work in the United States; and, at the third 
hearing earlier this month, we discussed enumeration of foreign-born 
individuals and the payment of benefits to those born or residing 
    Today, I would like to discuss our investigative efforts to combat 
SSN misuse in all forms. Our Office of Investigations (OI) is dedicated 
to preventing and detecting fraud against SSA's programs and 
operations, and SSN misuse is an important facet of that overall 
investigative effort. Obviously, with finite resources, and with many 
areas of responsibility, including program fraud, employee fraud, 
contract fraud, and others, we are mindful that our primary 
responsibility is to protect the Trust Funds that provide benefits to 
millions of Americans every month. At the same time, our responsibility 
to protect the integrity of the SSN cannot be overstated. We strive 
continuously to strike an appropriate balance.
    To give you some sense of how we strike that balance, consider that 
in Fiscal Year (FY) 2005, the Office of the Inspector General (OIG) 
received about 85,000 allegations of fraud, 84 percent of which 
involved fraud against a Social Security program, such as disability 
insurance benefits. Approximately 13 percent--almost 11,000 
allegations--involved SSN misuse. It is important to understand that 
these SSN misuse allegations are limited to incidents of SSN misuse 
involving a Social Security program or otherwise directly related to 
the administration of the Social Security Act. Allegations of pure 
identity theft, financial fraud, and other non-SSA-related crimes are 
referred to appropriate sources, and are not included in this total.
    Looking at actual investigations conducted during FY 2005, OI 
opened approximately 9,500 cases, of which 79 percent involved crimes 
against Social Security programs, while just over 16 percent involved 
SSN misuse. Thus, while we actually investigate a higher proportion of 
allegations in the SSN misuse category than in the program fraud 
category, we still invest more than four times more resources in 
program fraud than in SSN misuse. The results of an audit we will issue 
shortly, in which we provide an estimate of the rate of overpayments in 
Social Security's disability programs, underscores the importance of 
our emphasis on program fraud. Our statutory mission is to protect SSA 
programs and operations, and to the extent that an allegation of SSN 
misuse does not touch on those programs, our resources do not generally 
allow us to pursue it.
    We do, however, play a role in the overall government effort to 
protect against SSN misuse in a multijurisdictional context. Our 
affirmative and aggressive approach to SSN misuse of this type is 
designed to maximize our resources through the effective use of task 
forces, workgroups, and other cooperative efforts.
    At this time, our investigators across the country are members of 
almost 200 task forces and workgroups in all ten of our field 
divisions. These groups, comprised of Federal, State, and local law 
enforcement agencies, pool resources and, when permitted, share 
information to accomplish more than each member could ever accomplish 
on its own. The groups range from Joint Terrorism Task Forces run by 
United States Attorneys, to white collar crime groups, to financial 
fraud workgroups.
    The work done by these groups is astounding. For example, our 
agents on the Central Florida Identity Theft task force, a group 
comprised of ten law enforcement agencies, concluded a case last year 
in which they apprehended fifteen members of an identity fraud ring who 
would obtain lists of individuals with good credit histories, and use 
the personal information of those individuals to defraud a variety of 
commercial entities in the Orlando area. Twelve of the fifteen 
individuals arrested were sentenced to prison terms, and the total 
restitution ordered to victims exceeded $2 million.
    In another case, our New York Field Division, working on a task 
force with other agencies including the U.S. Secret Service, 
investigated the hijacking of a deceased Social Security beneficiary's 
bank account. The complex investigation revealed that the subjects not 
only continued to receive the deceased woman's benefits--totaling some 
$80,000--but also used her bank account to launder counterfeit checks 
created with the help of a corrupt bank employee. They then went on to 
steal other SSNs and identities and open additional accounts, which 
they would use both to create additional fraudulent checks and to 
launder them. In all, they cashed about $300,000 in bad checks and 
opened credit card accounts from which they stole another $100,000.
    Since cases like this represent an opportunity to achieve a 
significant return with only minimal investment of resources--our agent 
in this ten-agency task force still maintains a ``normal'' caseload--we 
can afford to contribute substantially to the overall effort to stop 
SSNs being used as instruments of a crime. If each of the 200 task 
forces in which we participate makes only a few cases like this each 
year, we are able to have a far greater effect than we could ever have 
working alone.
    However, our day-to-day program-related SSN misuse caseload is no 
less daunting, and our solo work is equally impressive. We see 
allegations of SSN misuse in its myriad forms come in every day by 
phone, fax, e-mail, and in electronic referrals from SSA employees. One 
such referral from an SSA District Office concerned a woman who was 
confronted by SSA with the fact that she appeared to be receiving 
disability benefits under two separate SSNs. Each set of benefits was 
going to the same name, the same address, and for the same disability, 
but under two different SSNs. The woman informed SSA, and subsequently 
our investigators, that she had a twin sister. Despite the fact that 
both sets of benefits were going to the same address, the woman alleged 
that she and her identical twin were estranged and did not speak.
    Our investigators obtained a copy of the woman's birth certificate 
from the state vital records office. It showed that hers had been a 
single birth, not a twin birth. Additional investigation uncovered no 
other evidence that a twin had ever existed. Our investigators asked 
the woman to provide a copy of her birth certificate, and she 
eventually provided the same document we had obtained from the state 
without her knowledge. It had the same control number and the same 
signatures, but the altered copy she provided showed a twin birth. We 
recontacted the vital statistics office and confirmed that no official 
change had been made since we'd obtained our copy. The woman, unaware 
that we had her original birth certificate, continued to demand that 
her duplicate benefits be reinstated, even going so far as to write to 
her Congressman to demand that he intercede on her behalf. We showed 
the Congressman the two versions of the birth certificate, and that 
ended the woman's ill-conceived mission.
    In another case, our investigation revealed that a woman had been 
working full-time since 1978 under one SSN and receiving Title XVI 
disability payments since 1973 under a second SSN. From 1978 until 
2001, she worked full-time for various healthcare agencies while 
certifying each year to SSA that she was not working. In 2001, the 
woman applied for Title II disability benefits under the first SSN, 
based on her extensive work history. A Title XVI claims representative 
recognized the woman during her appointment to apply for Title II 
benefits, and referred the case to OIG. She later admitted to OIG 
agents that she had been working for 23 years while receiving Title XVI 
payments. She eventually pled guilty to theft of government funds and 
making false statements, and was sentenced in May 2005 to 6 months' 
incarceration in federal prison, 6 months' home detention with an 
electronic monitoring device, and 5 years' probation, and was ordered 
to pay full restitution of $166,767.
    While SSN misuse cases like these are made by our investigators 
every day, we encounter cases involving counterfeit Social Security 
cards much less frequently. The practical reality is that most of us 
were issued our Social Security cards not long after we were born, and 
we long ago committed our SSNs to memory. But the cards themselves were 
probably placed in a drawer or box many years ago, and have rarely been 
seen or used since. Almost every entity imaginable, from government, to 
medical facilities and insurance carriers, to creditors, to employers 
and beyond may and often do ask for SSNs; but rarely, if ever, do they 
ask to see the card itself.
    Our work reviewing SSA's automated employee verification services, 
such as the Social Security Number Verification Service (SSNVS), 
further underscores this reality. Employers seeking to confirm the SSN 
of a current or prospective employee need only take advantage of this 
service to go online and match the employee's name, SSN, date of birth, 
and gender against SSA's records--all without ever laying eyes on an 
actual Social Security card. Of course, for verification services such 
as SSNVS to be truly effective, we must be confident that the 
information in SSA's databases is as accurate as possible, and our 
prior audit work has revealed that this may not always be the case. 
Nevertheless, SSNVS and other verification services even further 
minimize the need to carry or present the card. Indeed, today, the card 
is little more than a ``hard copy'' of a number that is already 
contained in various databases throughout society and government. This 
is consistent with the purpose for which the card was created 70 years 
ago, and while there should always be security enhancements made to 
stay one step ahead of tech-savvy counterfeiters, it would be hard to 
justify the expense involved in replacing all Social Security cards 
with ``hard'' cards as long as their utility remains as limited as it 
    From time to time, there is talk of expanding the card's use beyond 
its current functions, and obviously, this issue is one for Congress to 
debate. If a decision is made to transform the Social Security card 
into something more than it is, significant improvements may then have 
to made in the document. Moreover, it could create a significant new 
workload for SSA--one that might fall outside of the Agency's current 
and historical function, or even further heighten the tension between 
service and integrity.
    Whatever Congress may determine is an appropriate role for the 
Social Security card to play, our office is happy to provide whatever 
audit and investigative work might prove helpful. In the interim, we 
will continue our tireless efforts to prevent and detect misuse of the 
Social Security number as well as the Social Security card itself.


    Chairman MCCRERY. Thank you, Mr. O'Carroll. Mr. 


    Mr. STRECKEWALD. Thank you, Mr. Chairman, Mr. Levin. Thank 
you for inviting me here today to discuss the SSA's enumeration 
process. This is the process used to assign a SSN to an 
individual. This series of Subcommittee hearings highlights the 
importance of this core agency function. I will summarize my 
written statement and will ask that it be included for the 
    The Social Security card was never intended and does not 
serve as a personal identification document; that is, the card 
does not establish that the person presenting it is actually 
the person whose name and SSN appear on the card. Although the 
SSA has made many changes to make it counterfeit-resistant, the 
card does not contain information that would allow the card to 
be used as proof of identity.
    Beginning in 1983, the Social Security Act (P.L. 74-271) 
required that SSN cards be made of banknote paper and to the 
maximum extent practicable, be a card that cannot be 
counterfeited. The SSA worked with the Bureau of Engraving and 
Printing, the Secret Service, and the Federal Bureau of 
Investigation to design a card that met these requirements. All 
Social Security cards issued since October 1983 incorporate a 
number of security features intended to make the card 
counterfeit-resistant and tamper-proof.
    Some of these features include but are not limited to a 
tamper-proof, marbleized background, intaglio printing in some 
areas of the printing in the card, and colored planchets, which 
are small disks, randomly displayed on the card. Obviously, 
some security features have not been made public; other 
features--some features have been made public; others have not 
in order to protect the security of the card.
    As required by the Intelligence Reform and Terrorism 
Prevention Act of 2004 (IRTPA) (P.L. 108-458), the SSA, in 
consultation with the U.S. Department of Homeland Security 
(DHS), formed a task force to establish requirements that will 
further improve the security of SSNs and cards. The task force 
is considering a wide range of security features that would 
strengthen the Social Security card, and we will develop a plan 
for implementing the task force recommendations.
    Last year, we estimated that a card with enhanced security 
features, such as biometric identifiers, would cost 
approximately $25 per card, not including the startup 
investments associated with the purchase of equipment needed to 
produce and issue this type of card. While any estimate would 
ultimately depend upon the details of the proposal, last year's 
estimate of replacing cards for 240 million cardholders 
nationwide was approximately $9.5 billion.
    Currently, however, we know the cost of issuing an SSN card 
has increased by approximately $3 due to new requirements for 
additional verification of evidence. So, we anticipate an 
increase in the total cost estimate when we update our figures 
to reflect current dollar costs.
    It is important to note that just as a SSN card does 
establish identity, neither does it always reflect the 
individual's current authorization status. The SSN card only 
reflects an individual's work authorization status at the time 
the card was issued. It is a snapshot in time. An individual's 
work authorization status may change over the years, and DHS 
has sole jurisdiction over the work authorization for 
    Over the years, the SSA has made continued enhancements to 
the Social Security card. Due to the substantial cost of 
replacing all cards in use, older versions of the card remain 
valid. Thus, there are about 50 different variations of the SSN 
card in use that have been issued since 1936.
    In addition to the changes the SSA made after September 11, 
which I have outlined in previous hearings before the 
Subcommittee, the IRTPA contains several additional provisions 
to strengthen the integrity of our enumeration process. Two key 
provisions include the implementation of limits on the number 
of replacement cards an individual can receive, three per year 
and ten per lifetime.
    With limited exceptions and the addition of death and fraud 
indicators to SSN verification routines for employers, State 
agencies issuing drivers' licenses and identity cards and other 
verification routines as determined to be appropriate. The SSA 
implemented the restrictions on replacement SSN cards effective 
December 17, 2005, as required by the IRTPA law. In addition, 
we place death indicators on our SSN verification services with 
the Department of Motor Vehicles and employers on March 6, 
2006, also ahead of time, required by the law. We continue to 
work to ensure that fraud indicators will be addressed, added 
to the SSN verification by December 2007, which is the 
legislatively mandated date.
    In conclusion, we must remember that with all of the 
improvements in the assignment of SSNs, the Social Security 
card is still just a record of the SSN assigned to the 
individual, and it is not an identity document. I look forward 
to working with you to continue to improve the SSA's processes, 
and I will be happy to answer any questions you might have.

    [The prepared statement of Mr. Streckewald follows:]

 Statement of Frederick G. Streckewald, Assistant Deputy Commissioner, 
Disability and Income Security Programs, Social Security Administration

Mr. Chairman and Members of the Committee:
    Thank you for inviting me today to discuss the Social Security 
Administration's (SSA's) enumeration process. This is the process used 
to assign a Social Security Number (SSN) to an individual. This series 
of hearings the Subcommittee is holding have served to highlight the 
importance of this core agency function. As stewards of the Social 
Security program, one of our strategic objectives is to strengthen the 
integrity of the enumeration process. We recognize that protection of 
the SSN is one of the top issues facing SSA management, and I am 
pleased to have the opportunity to discuss SSA's enumeration process.
History of the Social Security Number and Card
    The Social Security Number is a nine-digit number, used to identify 
the record of earnings an individual has in employment or self-
employment. A numbering system that is based on digits allows for the 
orderly assignment of numbers and for the potential assignment of as 
many as 900 million unique SSNs excluding the 900 series reserved for 
the use of the Internal Revenue Service (IRS). SSA has assigned over 
436 million SSNs since 1936.
    At the time the Social Security card was developed, its only 
purpose was to provide a record of the number that had been assigned to 
the individual so that employers could accurately report the earnings 
of people who worked in jobs covered under the new Social Security 
program. This is still the primary purpose for which SSA assigns a 
number and issues a card.
    The card was never intended and does not serve as a personal 
identification document--that is, the card does not establish that the 
person presenting it is actually the person whose name and SSN appear 
on the card. Although SSA has made many changes to make it counterfeit 
resistant, the card does not contain information that would allow the 
card to be used as proof of identity.
Use of the SSN Expands Over Time
    The purpose of the SSN and card was narrowly drawn at the beginning 
of the program. However, the use of the SSN as a convenient means of 
identifying records in large systems of records increased over the 
years. In 1943, Executive Order 9397 required Federal agencies to use 
the SSN in any new record system maintained on individuals. Using the 
SSN as an identifier in federal record systems proved to be an early 
reflection of what has become an enduring trend expanding the uses of 
the SSN.
    The simplicity and efficiency of using a seemingly unique number 
that most people already possessed encouraged widespread use of the SSN 
by both government agencies and private enterprises. As record-keeping 
and business systems moved to automated data processing, the 
characteristics of the SSN made it a popular choice for record 
identification. In 1961, the Federal Civil Service Commission 
established a numerical identification system for all Federal employees 
using the SSN as the identification number. The next year, the IRS 
decided to begin using the SSN as its taxpayer identification number 
(TIN) for individuals. In 1967, the Defense Department adopted the SSN 
as the service number for military personnel. At the same time, use of 
the SSN for computer and other accounting systems spread throughout 
State and local governments and to the private sector, especially to 
banks, credit bureaus, hospitals, and educational institutions. There 
were no legislative restrictions on the use of the SSN at that time.
Statutory Provision Relating to the Public Sector
    The first explicit statutory authority to issue SSNs was enacted in 
1972. Prior to that time, SSNs were issued pursuant to administrative 
procedures that the Agency had established. Subsequent Congresses have 
enacted legislation requiring individuals to have an SSN in order to 
receive Supplemental Security Income (SSI), Temporary Assistance for 
Needy Families (TANF), Medicaid, and food stamps. Additional 
legislation authorized States to use the SSN in the administration of 
tax, general public assistance, driver's license, and motor vehicle 
registration laws.
    Partly in response to concerns about the proliferation of the use 
of the SSN, Congress enacted the Privacy Act of 1974. It provided that, 
except when disclosure is required by Federal statute or by state or 
local statute or regulation adopted prior to January 1975, no Federal, 
State, or local government could withhold a right, privilege or benefit 
from a person simply because the person refused to furnish his or her 
    In the 1980s and 1990s, new legislation authorized additional 
governmental uses of the SSN, including income and eligibility 
verification, military draft registration, and for operators of stores 
that redeem food stamps. Legislation was also enacted that required 
taxpayers to provide the SSNs of dependents on tax returns.
    A further expansion of the government's use of the SSN was included 
in welfare reform legislation enacted in 1996. In order to improve 
child support enforcement, Congress required the SSN to be recorded in 
a broad array of records, including applications for professional 
licenses and marriage licenses, and placed in the record of divorce 
decrees, support orders, and paternity determinations.
Use of the SSN by the Private Sector
    Generally, there are no restrictions in Federal law on the use of 
the SSN by the private sector. Businesses may ask for a customer's SSN 
for such things as renting a video, applying for credit cards, 
obtaining medical services, and applying for public utilities. 
Customers may refuse to provide their number; however, a business may, 
in turn, decline to furnish the product or service.
    Continuing advances in computer technology, the ready availability 
of computerized data, and rapidly increasing use of the internet have 
encouraged the growth of information brokers who amass and sell large 
volumes of personal information, including SSNs collected by 
businesses. When possible, information brokers store and retrieve 
information about an individual by that individual's SSN because the 
SSN provides an easy method of maintaining computerized records and can 
be used to compare those records with other business systems which may 
also use the SSN as a file identifier.
Contemporary Challenges Regarding the Use of the SSN
    The use of the SSN has become widespread in our society. The 
cumulative effect has been that the SSN has become the most widely used 
identifier by both government and the private sector in establishing 
and maintaining information about a given individual in various public 
as well as private record systems. An unintended consequence is that 
the SSN has also become a tool used by those intent on stealing another 
person's identity or creating a false identity. We are very concerned 
about the misuse of the SSN, and we work closely with SSA's Inspector 
General, the Federal Trade Commission and the Department of Justice to 
help deter identity theft and assist in the apprehension and conviction 
of those who engage in this crime.
Assignment of the SSN
The Number
    Prior to 1972, SSNs and cards were issued in our local field 
offices. Since 1972, SSNs have been issued centrally.
    Generally, to obtain an SSN, individuals must apply for an SSN by 
filing a signed Form SS-5 ``Application for a Social Security Card'' 
and by submitting the required evidence. Currently, all applicants for 
an original number and card must submit evidence of age, identity, and 
United States citizenship or alien status to a Social Security field 
office (FO). FO personnel assist with the completion of the SS-5 
application. Applicants for replacement Social Security cards must 
submit evidence of identity, and foreign born applicants must also 
provide evidence of their immigration status. The SS-5 application 
includes information about the applicant's name, mailing address, 
citizenship, sex, race/ethnic description (optional), date and place of 
birth, mother's maiden name and SSN, and father's name and SSN. 
However, a parent's SSN is only required for applicants for an original 
SSN who are under age 18.
    While the information required on the SS-5 application has remained 
essentially the same over the years, the law and enumeration process 
have changed to ensure that SSA assigns SSNs only to eligible 
individuals. To strengthen the process, SSA has instituted additional 
safeguards to prevent a person from fraudulently obtaining an SSN. For 

      SSA verifies immigration status with DHS before assigning 
an SSN to a non-citizen.
      SSA requires a mandatory in-office interview with all 
applicants age 12 or older since the majority of individuals born in 
the U.S. have been assigned an SSN by the time they reached age 12.
      As a result of Intelligence Reform and Terrorism 
Prevention Act of 2004 (IRTPA), Public Law (P.L.)108-458, SSA 
implemented policy changes effective December 17, 2005 that restrict 
the issuance of replacement SSN cards to no more than three per year 
and no more than ten per lifetime; establish minimum verification 
standards for documents submitted in support of an application for an 
SSN; and require independent verification of birth records of 
individuals of all ages applying for an original SSN card.
      Effective November 2005, we added systems edits to our 
Enumeration at Birth (EAB) program so that children who have not yet 
been given a first name in the hospital are not assigned a Social 
Security Number until the parent submits documentation of the child's 
name. SSA has also implemented additional safeguards designed to 
prevent the assignment of multiple SSNs to the same child.

    I would also like to highlight some earlier changes that SSA 
implemented over the years to strengthen the enumeration process.
    At the inception of the program, all SSNs were assigned and cards 
issued based solely on information provided by the applicant. Evidence 
of identity was not required. Over time, as the use of the number was 
expanded for other purposes, SSA recognized that changes were necessary 
to protect the integrity of the card and enumeration process. Beginning 
in November 1971, persons age 55 and over applying for an SSN for the 
first time were required to submit evidence of identity. As of April 
1974, non-citizens were required to submit documentary evidence of age, 
identity and immigration status. This made it more difficult to obtain 
a card on the basis of a false identity. SSA was also concerned that 
individuals who had been assigned SSNs for purposes other than work 
might use the card to obtain unauthorized employment. Therefore, in 
July 1974, we began to annotate our records to reflect the fact that a 
non-citizen had been issued an SSN for nonwork purposes. Several years 
later, the integrity of the SSN was further improved. In May 1978, we 
began requiring all SSN applicants to provide evidence of age, identity 
and United States citizenship or non-citizen status.
Enumeration at Birth Process (EAB)
    Because of increased demand for SSNs for children at earlier ages 
due to tax and banking requirements, SSA developed the EAB process in 
1987. SSA recognized that all the information needed to process an SSN 
application for a newborn was gathered by hospital employees at the 
child's birth and verified with the respective bureaus of vital 
statistics. Nearly three-quarters of all requests for an original SSN 
are now completed through this process.
    This program is available in the fifty states, the District of 
Columbia, and Puerto Rico, and allows parents to indicate on the birth 
certificate form whether they want an SSN assigned to their newborn 
child. When a parent requests an SSN for a child, the State vital 
statistics office receives the request with the birth registration data 
from the hospital and then forwards this information to SSA. Under 
these procedures, the parent is not required to file a separate 
application for an SSN for the child. Based on the information the 
State forwards to SSA, we assign an SSN and issue a card for the child.
    It is important to note that EAB is a voluntary program on the part 
of the hospitals and the States and other jurisdictions. No law 
requires state or hospital participation. The program is administered 
under the provisions of a contract between each state and SSA. SSA 
reimburses the states for participation on a per item basis (currently 
$2.04 for each birth record). EAB is a far more secure way to enumerate 
newborns. In addition, the program provides significant savings to the 
Federal government and a convenient service option for the public.
Enumeration at Entry (EAE)
    To reduce fraud and improve government efficiency, SSA inaugurated 
our Enumeration-at-Entry process in October 2002. Under this process, 
SSA has entered into agreements with DHS and the Department of State 
(DOS) for those agencies to assist SSA in enumerating aliens. To assist 
SSA, DOS collects enumeration data as part of the immigration process. 
When the immigrant enters the United States, DHS notifies SSA and the 
card is issued.
Social Security Cards
    In the beginning of the Social Security program, no special efforts 
were needed to prevent the Social Security card from being 
counterfeited. However, as the card's use expanded and technology 
improved, counterfeiting became a concern. Beginning in 1983, the 
Social Security Act required that SSN cards be made of banknote paper, 
and to the maximum extent practicable be a card that cannot be 
counterfeited. SSA worked with the Bureau of Engraving and Printing, 
the Secret Service, and the Federal Bureau of Investigation to design a 
card that met these requirements.
    All Social Security cards issued since October 1983 incorporate a 
number of security features intended to make the card counterfeit-
resistant and tamper-proof. Some of these features include, but are not 
limited to, a tamper-proof marbleized background; Intaglio printing in 
some areas of the card; and colored planchettes (small discs) randomly 
displayed on the card. Obviously, while some security features have 
been made public, other features have not in order to protect the 
security of the card.
    The immigration and welfare reform legislation passed in 1996 
required SSA to develop a prototype of a new card as well as study and 
report on different methods for improving the Social Security card 
process. In 1997, SSA issued a report to Congress on ``Options for 
Enhancing the Social Security Card,'' and earlier this year provided 
the Subcommittee with an update on some of the findings in the report.
    As you are aware, the expertise of counterfeiters and the wide 
availability of state-of-the-art technology make it increasingly 
difficult to develop and maintain a document that cannot be 
counterfeited, despite best efforts to guard against such incidents. 
Therefore, SSA continues to evaluate new technology as it becomes 
available to determine if additional features should be included.
    As required by P.L. 108-458, SSA, in consultation with DHS, has 
formed a taskforce to establish requirements that will further improve 
the security of Social Security numbers and cards. Since current law 
requires the card to be printed on banknote paper, the taskforce is 
limited to consideration of improvements to this type of card. The 
taskforce includes representation from DHS and several other agencies, 
including the Federal Bureau of Investigation, Department of State and 
the Government Printing Office. The taskforce is considering a wide 
range of security features that would strengthen the Social Security 
card, and we will develop a plan for implementing the taskforce 
    The cost of replacing the current SSN card with a new version that 
includes enhanced security features would depend upon features to be 
included, e.g. biometric identifiers, and the universe of card-holders 
needing a new card. The cost of the card itself is minimal. The cost is 
driven by the cost of verifying the identity of the person applying for 
the card and, in the case of aliens, determining the immigration status 
and work authorization.
    Last year, we estimated a card with enhanced security features such 
as biometric identifiers would cost approximately $25.00 per card, not 
including the start-up investments associated with the purchase of 
equipment needed to produce and issue this type of card. While any 
estimate would ultimately depend on the details of the proposal, last 
year's estimate for replacing cards for 240 million cardholders 
nationwide was approximately $9.5 billion. Currently however we know 
that the cost of issuing SSN cards has increased by approximately 
$3.00, due to new requirements for additional verification of evidence, 
so we anticipate an increase in the total cost estimate when we update 
our figures to reflect current dollar costs.
Legends on the SSN Cards
    I would now like to discuss the relationship between the Social 
Security card and work authorization. The Immigration Reform and 
Control Act of 1986 (IRCA) makes it illegal for an employer to 
knowingly hire anyone not legally permitted to work in the United 
States. Under IRCA, all employers are required to verify the identity 
and employment eligibility of all new employees regardless of 
citizenship or national origin. There are a number of documents 
specified in the law and DHS regulations which may be used for this 
purpose. Some documents, such as a United States passport, establish 
both employment eligibility and identity. Others, including a Social 
Security card without a restrictive legend, can be used to establish 
employment eligibility but do not establish identity and must be 
accompanied by an identification document, such as a State driver's 
    It is important to note that, just as the Social Security number or 
card does not establish identity, neither does it always reflect an 
individual's current work authorization status. The SSN card only 
reflects an individual's work authorization status at the time the card 
was issued--it is a snapshot in time. An individual's work 
authorization status may change over the years, and the DHS has sole 
jurisdiction over work authorization determinations for noncitizens.
    The vast majority of original Social Security cards are issued to 
United States citizens or to non-citizens who have been permanently 
authorized to work in the United States. These cards show only the name 
and SSN of the individual.
    Unlike the cards issued to United States citizens or to non-
citizens who have been permanently authorized to work in the United 
States, cards issued to non-citizens who are not authorized to work or 
who are only temporarily authorized to work bear one of two legends 
describing work authorization status at the time the card was issued.
``Not Valid for Employment''
    Initially, SSA issued the same type of Social Security card to 
everyone, whether or not the individuals were authorized to work. In 
1974, SSA began assigning SSNs for nonwork purposes, but the card was 
not specifically annotated. Beginning in May 1982, SSA started issuing 
cards printed with the legend ``Not Valid for Employment'' to non-
citizens who are not authorized to work. This was due to the increasing 
need for individuals to have SSNs for nonwork purposes and concerns 
that such individuals might otherwise use their SSNs for work. With 
this restrictive legend appearing on a card, employers were able, for 
the first time, to determine whether the individual to whom the card 
was issued was authorized to work. Of course, an employer could not 
rely solely on the card to establish that the person presenting the 
card was the person to whom the SSN was assigned.
    Cards containing this legend are often referred to as ``nonwork 
SSNs.'' In October 2003, SSA significantly tightened the rules 
concerning issuance of nonwork SSNs. SSA only issues such an SSN when 
1)a Federal statute or regulation requires an SSN to receive a 
particular benefit or service, which an alien has otherwise established 
entitlement; or 2) a State or local law requires an SSN to get public 
assistance benefits, to which the alien has otherwise established 
entitlement and for which all other requirements have been met.
``Valid for Work Only with DHS Authorization''
    Beginning in September 1992, SSA began issuing cards with the 
legend ``Valid for Work Only with INS Authorization'' to noncitizens 
lawfully in the United States with temporary authorization to work. 
This legend has been changed to ``Valid for Work Only with DHS 
Authorization'' to reflect the change from ``INS'' to ``DHS''. In these 
cases, employers must look at the non-citizen's DHS documents to 
determine if the individual has current work authorization. In addition 
a participating employer may use the DHS employment eligibility 
verification service, known as the Basic Pilot, to confirm employment 
eligibility for newly hired employees, which includes verification with 
SSA records and for noncitizens, with DHS records.
    In Fiscal Year (FY) 2005, SSA issued approximately 5.4 million 
original cards. Of these, 4.3 million were issued to United States 
citizens. Approximately 1.1 million cards were issued to non-citizens 
with temporary or permanent work authorization.
    Over the years SSA has made continual enhancements to the Social 
Security card. Because of the substantial cost of replacing all cards 
in use, older versions of the card remain valid. Thus, there are about 
50 different variations of the SSN card that have been issued since 
NonWork SSNs
    SSA also issues cards to aliens legally in the United States but 
who are not authorized to work by DHS. Last year SSA issued fewer than 
15,000 of this type of non-work card. Each year as required by Section 
414 of the Illegal Immigration Reform Act of 1996, P.L. 104-208, SSA 
reports to Congress the number of SSNs assigned to aliens who were not 
authorized to work in the United States when the card was issued for 
whom we receive Form W-2s. The most recent report stated that earnings 
were credited to 555,227 SSNs assigned to non-citizens who did not have 
authority to work in the United States at the time the SSN was 
assigned. It is important to note that since the work authorization 
status of a non-citizen may change, an earnings report under a nonwork 
SSN does not necessarily mean that unauthorized work was performed.
Additional Efforts to Strengthen the Enumeration Process
    SSA has taken a number of steps to further strengthen the processes 
associated with assigning SSNs. You will recall that SSA formed a high-
level response team to develop recommendations on enumeration policy 
and procedure in the aftermath of the terrorist attacks of September 
11, 2001. As previously reported to this Subcommittee, implementation 
of many of the team's recommendations has strengthened our capability 
to prevent those with criminal intent from obtaining and using SSNs and 
SSN cards. As mentioned earlier in my testimony, beginning June 1, 
2002, SSA began verifying birth records with the issuing agency for all 
United States born SSN applicants age one or older. In addition, 
beginning in July 2002, SSA began verifying the authenticity of all 
immigration status with DHS before assigning SSNs to non-citizens.
    We also continue to look for additional ways to make the 
enumeration process more efficient and secure. In November 2002, SSA 
piloted a Social Security Card Center in Brooklyn, New York. The Card 
Center represents a joint effort by SSA, SSA's Office of the Inspector 
General (OIG) and Department of Homeland Security (DHS). The 
collaboration of these parties is intended to strengthen SSN 
application procedures, and to ensure that applications are processed 
with a high degree of integrity, efficiency and expertise.
    In April 2005, SSA established another Social Security Card Center 
in Las Vegas, Nevada. The Las Vegas Social Security Card Center is 
dedicated exclusively to helping Las Vegas Valley and southern Nevada 
residents apply for a new or replacement Social Security Card. SSA 
plans to open additional centers as resources permit over the next 
several years based on SSN workloads and other service delivery 
SSN Verification Processes
    Many diverse organizations request SSN verifications for various 
purposes. SSA must consider each request to determine whether to deny 
or permit verification and what information, if any, may be disclosed. 
SSA also must consider each request to ensure that the proper 
safeguards are in place to protect the information being disclosed. SSA 
must also be reimbursed for any work not related to the administration 
of our programs. Of course, by law, we cannot fulfill requests for non-
program purposes if doing so would impede our mission.
    For many years, most SSN verifications were processed in our field 
offices. This was a manual process which was highly labor intensive. In 
1983, SSA implemented the Employee Verification Service (EVS) in order 
to better manage the verification workloads. Since then SSA has 
provided additional ways to access SSN verification routines as 
technology has evolved.
    Employers are our primary requestors for SSN verifications because 
they must accurately report wage information for the people they 
employ. One of SSA's core business processes is maintaining the 
accuracy of earnings for all workers to ensure that they receive credit 
for the work on which FICA taxes were paid. Accurate earnings 
information is important because a worker's earnings record is the 
basis for computing retirement, survivors, and disability benefits.
    SSA has successfully provided SSN verification services to the 
employer community for many years. Employers can verify SSNs for their 
employees by telephone, by submitting paper listings or by magnetic 
    To further improve our service to employers, SSA piloted an online 
service, known as Social Security Number Verification Service (SSNVS), 
in April 2002. In June 2005, SSA expanded the availability of this 
service to all employers. This optional, free and secure Internet 
service provides employers with an immediate response for a limited 
number of SSN verification requests or a next business day response for 
high volume SSN verification requests.
    As mentioned earlier in my testimony, employers may participate in 
the Basic Pilot program, an ongoing joint initiative in which SSA 
supports DHS in assisting participating employers in confirming 
employment eligibility for newly hired employees. Participating 
employers may use the automated system to verify SSNs and alien 
registration or admission numbers through verification checks of SSA 
and DHS databases.
    In 2005, through the EVS, SSNVS, and Basic Pilot programs, we 
estimate we provided a total of 67 million employer verifications, up 
from 62 million in 2004.
Federal and State Agencies
    Many Federal, State, and local agencies request SSN verification 
services for numerous purposes, from issuing food stamps to tracking 
convicted felons. Some of the agencies receive information as a result 
of legislation. Some of these organizations include, but are not 
limited to:

      The Department of Education
      The Department of Justice
      The Office of Child Support Enforcement
      The Internal Revenue Service
      The Department of Veterans Affairs
      The Selective Service System
      Any Federal agency which uses the SSN as a numerical 
identifier in their record system
      Federal, State, and local agencies for validating the SSN 
used in administering income or health maintenance programs
      Federal, State, and local agencies where SSN use is 
authorized under Federal statute and they are involved in programs such 
as Temporary Assistance for Needy Families, Food Stamps, Medicaid, and 
Unemployment Insurance
      State Motor Vehicle Agencies
      Law enforcement fugitive felon operations
      SSA OIG.

    SSA provides verifications to some State agencies, such as State 
motor vehicle licensing agencies via the American Association of Motor 
Vehicle Administrators (AAMVA).
Third Parties
    Under the Privacy Act, SSA may verify or release SSNs to third 
parties that have obtained the written consent of the number holder, 
regardless of the purpose of the request. SSA has been providing such 
third party verifications for many years through existing verification 
Impact of Public Law 108-458
    Section 7213 of P.L. 108-458 contains several provisions to 
strengthen the integrity of our enumeration process. Two key provisions 
include the implementation of limits on the number of replacement SSN 
cards an individual can receive to three per year and ten per lifetime 
with limited exceptions and the addition of death and fraud indicators 
to SSN verification routines for employers, State agencies issuing 
driver's licenses and identity cards, and other verification routines 
as determined to be appropriate.
    As I mentioned previously, SSA implemented the restrictions on 
replacement SSN cards effective December 17, 2005 as required by IRTPA. 
In addition, although most death records were already available to 
employers and DMVs through our SSN verification services, we have also 
added the State death records that were previously restricted as 
authorized by IRTPA. Those additional death records were added to SSN 
verification routines on March 6, 2006, well before the implementation 
deadline set by IRTPA. We continue to work to ensure that fraud 
indicators will be added to the SSN verification routines by December 
    Section 7213 of IRTPA also required SSA to establish minimum 
standards for verification of documents submitted in connection with an 
SSN. To this end, SSA established rigorous new standards for evidence 
of U.S. citizenship and identity submitted in connection with an 
application for an SSN.
    IRTPA also required SSA to form an interagency taskforce 
specifically charged with establishing security requirements, including 
standards for safeguarding SSN cards from counterfeiting, tampering, 
alteration and theft. This interagency taskforce is working to improve 
the security features included on the current banknote card. SSA will 
prepare for implementation of the taskforce recommendations by June 
    In conclusion, the Social Security number was originally intended 
as a means to provide a record of the earnings of people who worked in 
jobs covered under the new Social Security program. We must remember 
that with all the improvements in the assignment of SSNs, the Social 
Security card is still just a record of the SSN assigned to the 
individual and not an identity document.
    However, as we all know, the use of the SSN for other purposes has 
grown significantly over the years. The challenge we face is to balance 
SSA's commitment to assigning numbers quickly and accurately to 
individuals who qualify for them and need them to work, with the 
equally important need to maintain the integrity of the enumeration 
system to prevent SSN fraud and misuse.
    I want to thank the Chairman and members of the Subcommittee for 
inviting me here today, and I look forward to working with you to 
continue to improve SSA's processes.
    I will be happy to answer any questions you might have.


    Chairman MCCRERY. Thank you, Mr. Streckewald. Dr. Kent.


    Dr. KENT. Good morning, Chairman McCrery, Congressman 
Levin. I am Steve Kent, Vice President and Chief Scientist, for 
Information Security at BBN Technologies. I served as the Chair 
of the Committee on Authentication Technologies and their 
Privacy Implications for the National Research Council, the 
operating arm of the National Academy of Sciences.
    The study Committee authored two reports: ``IDs, Not That 
Easy, Questions About Nationwide Identity Systems,'' on which 
you have asked me to testify, and ``Who Goes There: 
Authentication Through The Lens Of Privacy.'' It is a pleasure 
to be here to discuss these reports with you. I will try to 
briefly summarize my written testimony which I submitted for 
the record.
    First, some general observations: developing identity 
systems is much more complex than it initially appears. Several 
key policy questions must first be answered, among them what 
problem is the system supposed to solve, and how will it try to 
solve the problem? How authentication will be achieved has to 
be looked at; who would be users of the system, who will rely 
on it, what types of uses will be allowed, and what legal 
structures protect the integrity of a system.
    Implicit in all these are that we are dealing with a 
system, not just ID cards. Success, therefore, depends not only 
on the card technology we use but on all of the ways the system 
components have to work together. The high cost of fixing or 
even abandoning a system makes it essential that potential 
ramifications are explored very thoroughly prior to making 
decisions about design details and deployment of a system.
    Let me address a few of the specific questions that you 
posed. There are a number of technical challenges associated 
with building a counterfeit resistant, long lasting, easily 
replaceable ID card. No method of ensuring that the person 
presenting the card is the proper owner can be completely 
reliable. A key decision for any system of this sort would be 
determining an acceptable threshold of false rejection and 
false acceptances, none of which are going to be zero in any 
practical technology.
    Second, any large scale identity system designed for a 
specific purpose is almost always used for other, secondary 
purposes. The ID may be used for verification unrelated to the 
original purposes. The data collected may be used in ways that 
have little to do with the original purpose.
    These unplanned uses often cause problems. For example, 
security and privacy protections that were designed for the 
original use might not align with the needs of a secondary use. 
Data collected for the primary use might not be appropriate in 
terms of quality or reliability for a secondary use.
    For the primary user, the existence of secondary uses can 
make it difficult to respond to a detected attack on the 
system. The range of possible reasons for the attack grows with 
secondary uses, making it more difficult to determine how to 
respond. The ID system databases hacked, for instance, was in 
an individual trying to get a fake ID for purchasing alcohol or 
someone with more nefarious purposes in mind.
    Third, the privacy implications of large scale identity 
systems are significant. A major challenge to privacy is the 
ability to cross-reference databases in different systems tied 
to an ID, even when the primary system is privacy-preserving. 
Another problem is that of identity theft. To lessen the impact 
on privacy, a number of steps can be taken, including being 
clear about the system's purpose, minimizing the scope and 
retention of collected data, and clarifying who will have 
access to data, and, of course, providing means for individuals 
to check on and correct information stored about them to 
rectify errors in the system.
    Fourth, identity establishment itself is a challenging but 
critical part of the process. Of particular concern is the fact 
that fundamental documents, foundational documents like birth 
certificates that are required to establish identity for other 
identity documents are themselves subject to fraud and forgery.
    Moving to digital credentials or biometrics will not change 
some of the basic avenues of attack against a large scale 
identity system. As a result, the issuing process itself will 
remain extremely vulnerable. The best any new system can 
provide is a compelling connection with some previous 
verification of identity, and that is usually imperfect.
    Finally, while our reports did not address the specific 
concerns you asked about with regard to modifying the SSN card 
to help prevent unauthorized immigrants from gaining lawful 
employment, the framework we presented in our study I think can 
be applied to this topic.
    It is important to note that layering a new system on top 
of the primary use of the SSN card would not intrinsically add 
to the testimony of the data that was collected for that 
original purpose. The data has the same quality and reliability 
that it had prior to the addition of the new system and the 
introduction of higher quality credentials in a physical sense.
    In conclusion, as the title of our report suggested, IDs, 
Not That Easy, none of the issues raised by development and 
deployment of large scale identity systems are simple. The 
questions posed in our report should be carefully and 
thoroughly applied, not only from a privacy perspective but 
from a security, usability and effectiveness perspective as 
    Thank you. That concludes my comments. I will be happy to 
take any questions.

    [The prepared statement of Dr. Kent follows:]

      Statement of Stephen T. Kent, Ph.D., Chairman, Committee on 
 Authentication Technologies and Their Privacy Implications, National 
                Research Council, The National Academies

    Good morning, Mr. Chairman and members of the Committee. My name is 
Stephen Kent. I am Vice President and Chief Scientist for Information 
Security at BBN Technologies and served as the chair of the Committee 
on Authentication Technologies and Their Privacy Implications of the 
National Research Council. This study committee authored the two 
reports, IDs--Not That Easy: Questions About Nationwide Identity 
Systems and Who Goes There? Authentication Through the Lens of Privacy, 
on which you have asked me to testify. The National Research Council is 
the operating arm of the National Academy of Sciences, National Academy 
of Engineering, and the Institute of Medicine of the National 
Academies, chartered by Congress in 1863 to advise the government on 
matters of science and technology.
    It is a pleasure to be here to discuss these reports on large-scale 
identity systems. By way of background: the study committee originally 
planned to do only the Who Goes There? report. We decided on the IDs 
report about half-way through our study process after the September 11, 
2001 terrorist attacks. In the wake of those attacks, numerous 
proposals for what identity systems could or should accomplish with 
respect to counterterrorism began circulating in the policy community 
and the media. The study committee believed that the persistence of 
public discussion about possible new ID systems and the expectation 
that other proposals would continue to be offered argued for an 
informed analysis and critique of the concept of a nationwide or large-
scale identity system. The brief report on IDs was the result. It was 
intended to catalyze a broader discussion, and I am happy to be here 
today to continue that discussion.
    I will start with a brief overview of the highlights of the IDs 
report and then address some of the specific issues that you asked me 
to consider in my testimony today.
    Perhaps the most important message of our work on ID systems is 
that designing and building systems to ascertain identity is much more 
complex than it might appear and is indeed why we titled our IDs report 
``Not That Easy.''
    A primary consideration is to understand the goals of a large-scale 
identity system. Before any decisions can be made about whether to 
attempt some kind of system, the question of precisely what is being 
discussed and what purpose it will serve must be answered. What problem 
or problems is the proposed system meant to solve? The high-level 
policy questions that the IDs report outlines include the following:

      What is the purpose of the system? What problem or 
problems is it attempting to address?
      What is the scope of the population that would be issued 
an ID? Related to this, how would the identities of these individuals 
be authenticated?
      What is the scope of the data that would be gathered 
about individuals in support of issuing an ID and how would it be 
correlated to data about them in any databases associated with the 
      Who would be the users of the system? By this we mean not 
only those who would be issued an ID, but the government agencies, 
perhaps state and local governments, or even the private sector 
organizations that might rely on the IDs. What entities would be 
allowed to use the system? Who could contribute, view, and/or edit the 
data in the system?
      What types of use would be allowed? Who could demand an 
ID? Under what circumstances? What types of database queries about 
individuals would be permitted? Would data mining or analysis of the 
information collected be permitted? Who would be allowed to do such 
analysis? For what purposes?
      Would enrollment in and/or identification by the system 
(even if the individual had not formally been enrolled) be mandatory or 
      What legal structures protect the system's integrity as 
well as the ID holder's privacy and due process rights? What structures 
determine the government and relying parties' liability for system 
misuse or failure?

    Answers to all of these questions (and more) will have 
ramifications for the technological underpinnings of the system, 
including what levels and kinds of system security will be required.
    Implicit in all of these questions is the notion of a ``system'' 
and not merely an ``ID card.'' The fact that any identity management 
proposal necessarily implies a ``system'' may be one of the most 
important (and less discussed) aspects of many of the identity system 
proposals that we have seen. These systems, at the scale that they are 
proposed, necessarily imply the linking together of many social, legal, 
and technological components in complex and interdependent ways. The 
success or failure of such a system is dependent not just on the 
individual components (for example, the ID cards that are used, or the 
biometric readers put in place) but on the ways they work, or do not 
work, together. For example, are card readers located where they need 
to be? How well do the readers operate under various environmental and 
load scenarios? Who will operate the systems and how will they be 
trained and vetted? Do enrollment policies align with the security 
needs envisioned for the system? And so on. How well these 
interdependencies are controlled along with the mitigation of security 
vulnerabilities and the unintended consequences of the deployment of a 
system, will be critical factors in its overall effectiveness.
    In addition to the questions above, the committee outlined several 
cautions to bear in mind when considering the deployment of a large-
scale identity system:

      Given the costs, design challenges, and risks to security 
and privacy, there should be broad agreement in advance on what problem 
or problems the system would address.
      The goals of the system should be clearly and publicly 
identified and agreed upon, with input sought from all stakeholders.
      Care must be taken to explore completely the potential 
ramifications of deploying a large-scale identity system, because the 
costs of fixing, redesigning, or even abandoning a system after broad 
deployment would likely be extremely high.

    That is a brief overview of some of the highlights from the IDs 
report. The study committee urged that proponents of large-scale 
identity systems present a compelling case addressing the issues raised 
in these reports and solicit input from a broad range of stakeholder 
communities. The IDs report elaborates on these issues and also 
considers some of the technological and security challenges inherent in 
large-scale identity systems. Some of the issues you asked me to 
address in my testimony today are more specific than what I have 
presented here so far, and to the extent that our reports address them, 
I will briefly discuss them.
Tamper-Proof ID Cards
    Cards are often suggested as a means of binding an ``identity'' 
within a system to an individual. The question being: if someone 
presents a valid card, how do you know first, that the card is valid, 
and second, that the card belongs to the person presenting it? To the 
first question, the goal of a counterfeit-resistant, long-lasting, 
easily-replaceable ID card presents difficult technical challenges. 
Magnetic stripe cards are trivially easy to counterfeit. Memory cards 
or smart cards are more difficult, but not impossible, to duplicate or 
forge. Use of cryptographic technologies and digital signatures can 
help, but for any technology, some degree of imperfection will exist. I 
have already mentioned that a key notion to keep in mind is that these 
systems are in fact systems--they would likely encompass databases, 
processes and procedures, cards, card readers, architectural 
requirements, security needs, and much more, not to mention the people 
who are a part of any technical system. Any ID card that is issued is 
only a component of the system. One question that must always be asked 
is what is the perceived threat? By threat I mean what set of 
adversaries do we believe we need to thwart, what are their 
capabilities, and what are their goals? If we cannot answer that 
question, we have no rational basis for deciding if any proposed system 
will likely be adequate, or whether it will be overkill.
    To the question of ensuring that the person presenting the card is 
the same person identified with the card, a picture on the front of the 
card might be some assurance, but people sometimes have a hard time 
matching faces to pictures. ``Two-factor authentication'' in which an 
individual presents a card along with additional information (such as a 
PIN or thumbprint--either of which could be compared to data on the 
card) is another possibility. Another scenario might be to have the 
person interact with a biometric scanner and present the card that 
contains reference information for the biometric in question. Both 
pieces of information are validated in combination against a backend 
server. This, however, creates a requirement for high availability and 
a dependence on a secure, reliable network and communications 
infrastructure. Also, unless the scanner is itself a secure device (and 
known to be so through some kind of formal evaluation process) or the 
scanner is closely monitored, the system may be compromised. Even then, 
the system will not be fool-proof. (I am informed, by the way, that the 
NRC is conducting a large study on biometric systems that should be 
released later this year)
    A decision on thresholds for false rejection and false acceptance 
rates (which is, first, a policy decision) will need to be made--and 
those thresholds cannot really be zero for any technology. Moreover, 
even the best-designed systems are subject to social engineering (there 
are numerous examples of personnel being tricked into issuing 
credentials without adequate proof of identity or authorization) and 
insider threat attacks--and thus one cannot rely on technological 
solutions alone. The entire system and implications of policy decisions 
at all levels must be thought through carefully.
Secondary Uses
    One of the challenges that arises repeatedly with a large-scale 
identity system designed for a specific purpose (or set of purposes) is 
that there are almost always forces in play that push the systems to be 
used for things that they were not originally designed for. A familiar 
example of this is the state driver's license, which does not merely 
enable one to legally drive on public roads, but is also relied on to 
provide ``proof of age'' for alcohol purchases and ``proof of 
identity'' to board an aircraft for domestic travel in the U.S.
    Most systems do not explicitly guard against secondary uses, 
although occasionally there are legal requirements or contractual 
relationships that limit secondary use (such as credit card 
agreements.) There are at least two ways in which secondary use might 
happen. In some cases, the card presented may be used for additional 
verification purposes in contexts unrelated to the original purposes. 
In other instances, the data collected in support of card issuance may 
be used in ways that have little to do with the original purpose. 
Unintended uses of an identity system and its associated technologies 
can always have inadvertent side effects. There are numerous examples 
in the literature of this, and the expansion over time in use of the 
Social Security Number (SSN) is a well-known instance. For example, the 
proposed ID might become the new, de facto photo ID for individuals, 
potentially exposing SSNs to a very wide range of organizations at a 
time when states are eliminating the SSN from driver's licenses.
    If any new ID system is deployed, chances are that there will be 
uses found for it that were not originally intended. While this might 
seem an efficiency on the surface, in fact, such unplanned-for multiple 
uses may cause problems.

      A particular challenge resulting from unplanned-for uses 
is when technology or an ID system designed for a specific security 
context, user population, and so on is used (intentionally or 
unintentionally) without a determination as to whether the original 
security, privacy, and usage assumptions still hold in the new context. 
Secondary uses are implicitly relying on whatever assurances, security 
models, and privacy protections the original designers and implementers 
were working with. These may not align with the needs of the secondary 
user. For example, access to a health club may require a different 
usability or privacy model than access to secured facilities at an 
airport. One size cannot fit all.
      A significant context consideration is the security of 
the system. The original system was designed with a particular threat 
model in mind; this threat model may not apply to secondary uses of the 
      Another problem is that the data collected for the 
original purposes may not be what is needed, or at the appropriate 
quality or reliability levels, for the new secondary uses.
      Depending on inappropriate assumptions is not a challenge 
just for the secondary user, but also for the primary users of the 
system. An ID system that is used for multiple purposes with multiple 
types of threats, not all of which were designed or planned for, can 
make it difficult to respond to a known attack on the system. This is 
because with secondary uses, the universe of possible motivations 
behind the attack is much larger, making it difficult to ascertain what 
is an appropriate response to an attack. If your database is hacked, 
was it individuals desiring a fake ID to purchase alcohol, for example, 
or individuals with more nefarious purposes in mind?
Privacy Consequences
    The privacy implications of large-scale identity systems can be 
significant. While casual discussions of IDs or ID cards may assume 
simple, unique pairings of information and individuals, the reality is 
often more complicated. A major privacy challenge, even when a given 
system has been designed and is operating in a secure and privacy-
sensitive fashion, is the ability to cross-reference and link 
information across databases in different systems. In many cases, an 
identity in a given system will include a common cross-reference, such 
as a Social Security Number, that makes it trivially easy to link it to 
other identities associated with other systems (presumably designed for 
other purposes.) In addition, questions arise as to how reliable the 
linking would be--some institutions may not mind if suggested linkages 
are only approximate (for example, a vendor attempting to do targeted 
marketing), whereas others demand high levels of accuracy.
    Identity theft is also a major concern, especially in the case of 
centralized databases or systems used for multiple purposes--the more 
useful or ``powerful'' an ID is the more tempting it is as a target. 
Identity theft is an individual's fraudulent claim that he or she is 
the person to whom the information in the system refers, allowing him 
or her to derive some benefit from another party who is relying on that 
claim. One reason for the problem is the expanded use of SSNs for 
purposes that were not originally intended coupled with the assumption 
that they are `secret' or should act as a `key.'
    When designing a system to lessen impacts on personal privacy, the 
study committee made a number of recommendations, including:

      Be clear about the purposes of the system.
      Minimize the scope of the data collected to that which is 
essential for the purpose of the ID system.
      Minimize the retention interval for data collected in 
association with use of the card.
      Clarify who will have access to the collected data.
      Clarify what kinds of access to and use of the data are 
      Ensure that use of the system is audited to protect 
against illegitimate uses as well as to monitor for security threats.
      Provide means for individuals to check on and correct the 
information stored about them.

    All of that said, many times there are important uses of data that 
are unanticipated when the data are collected. For these as for other 
important uses, it is a question of balancing the risks to privacy and 
confidentiality against the benefits of the uses, especially when the 
uses are for research to inform public policies or for national 
security. The Academies have long studied the issues here for important 
research uses of data. A recent study is Expanding Access to Research 
Data: Reconciling Risks and Opportunities from the Academies' Committee 
on National Statistics. For the case of national security purposes, the 
Computer Science and Telecommunications Board has joined with the 
Committee on Law and Justice and the Committee on National Statistics 
to launch a major study to balance the risks and benefits. The 
Academies would be pleased to offer more information on these and other 
studies that may be relevant to your inquiry or to help with further 
investigations of interest to you.
Identity Establishment
    The establishment of an identity in an identity-system is another 
challenging but critical part of the process. There is a tangled web of 
government-issued identity documents used as foundational documents 
that allow the government and other organizations to issue other 
identity documents. Many of these foundational documents, used to 
acquire an SSN or Passport, for example, are subject to fraud and 
forgery themselves. Birth certificates are particularly problematic, in 
that they are issued by thousands of different jurisdictions across the 
country, making them both easy to forge and difficult to verify and 
thus very poor to use as an identification document from a security 
perspective. Moreover, no aspect of a birth certificate binds it to an 
individual in any strong security sense. The types of possible attacks 
on identity documents vary and include the following:

      An individual acting as an impostor.
      Forged or fraudulent documents.
      Tampering with existing documents.
      Compromise of confidential information (for example, in 
an identity system database) that is then used to create a false 
      Modification of computerized records to support a false 

    Moving to, for example, digital credentials or biometrics will not 
change these basic avenues of attack and fraud. As technology and 
perhaps ID cards become ever more sophisticated, the issuing process 
will remain extremely important. All the security in the world cannot 
overcome deficiencies in this step--the system will only be as good as 
the data that goes into it. The best that any system can provide is a 
compelling connection with some previous verification of identity. 
Essentially, trust in the integrity of the system is based not so much 
on any single verification when an individual presents a claim of 
identity as it is on increasing confidence when multiple transactions 
happen over time and all previous transactions with that particular 
individual have worked out.
Other Questions
    You asked me to comment in particular on the issue of modifying the 
SSN card so that it is tamper- and counterfeit-resistant as part of 
efforts to prevent unauthorized immigrants from gaining lawful 
employment in the United States. While the National Research Council's 
reports did not address this specific question, such an approach 
clearly falls within the realm of large-scale identity systems that the 
study committee was considering. The framework that we presented can be 
applied to this question.
    For example, once the purpose of a system is clearly articulated--
in this case the prevention of unauthorized people from gaining lawful 
employment in the United States--then a next question to ask is what 
information would accomplish the goal of ascertaining whether an 
individual is qualified to work in the United States? Who has that 
data? Who collects it? Who can access it? If a system with that sort of 
data were deployed, how would it be regulated? What penalties or 
liabilities would be associated with misuse? How could individuals 
correct their own data within the system? What kinds of security would 
be needed? What are the likely threat models for such a system? How 
could potential threats of identity theft (in this case ``worker-
identity'') be mitigated? Who would be authorized to ask to see the ID 
card associated with this system? Are there other likely abuses and how 
could the possibility of those be mitigated? If the system is to be 
built on top of another existing identity system (such as the SSN)--
which poses its own very serious challenges since this basically would 
be an unintended, unplanned-for, not designed-for use of the SSN--then 
what can be assumed about the underlying data in the current system? 
Layering even the best current security on top of old data only gives 
the old data an appearance of being more trustworthy--the data has the 
same quality and reliability that it had prior to the security being 
    Mr. Chairman and members of the committee, our study committee 
wrestled with questions of identity, authentication, identification, 
and large identity systems for many months--not new issues, but ones 
that were brought into sharp focus after September 11, 2001. In the 
study I have described, we have attempted to lay out our thinking and 
analysis of these issues. As the report title, IDs--Not That Easy, 
suggests, none of these issues is simple, and any large-scale identity 
system poses numerous questions that should be carefully thought 
through--not only from a privacy perspective, but also from security, 
usability, and effectiveness perspectives. Our reports attempt to lay 
out some of these questions that must be addressed and to illustrate 
the complexities that can arise.
    You can find more information about these and related studies on 
the Web site of the Computer Science and Telecommunications Board of 
the National Research Council at http://www.cstb.org.
    Thank you. That concludes my comments. I would be happy to take any 
questions you may have.


    Chairman MCCRERY. Thank you, Dr. Kent. Mr. Rotenberg.


    Mr. ROTENBERG. Thank you, Mr. Chairman, Congressman Levin. 
Thank you for the opportunity to testify. My name is Marc 
Rotenberg. I am President of the Electronic Privacy Information 
Center. We are a public interest research group here in 
Washington. We have done a lot of work related to the SSN. I 
also teach privacy law at Georgetown Law Center.
    I would like to briefly summarize my testimony and ask that 
the statement be included in the record.
    The key points I would like to make this morning concern 
the history of the effort to restrict the use of the SSN 
precisely so that it would not form the basis for a national 
identity card. As you well know, when the number was first 
established for the purpose of accounting for the SSA 
contributions, the first regulation that was issued by the the 
SSA was to make clear that this was not a card for 
identification purposes.
    Now, the particular concern about the possible misuse of 
the SSN was taken up in 1973 in a very important report by the 
U.S. Department of Health, Education, and Welfare. This report 
more than 30 years ago identified the possible misuse of the 
SSN to link together record systems across government agencies 
and with private sector record systems.
    As a consequence of that investigation, Congress enacted in 
1974 the Privacy Act (P.L. 93-579). The Privacy Act, among the 
various things that it did, set out clear prohibitions on the 
collection and use of the SSN. Although people at that point in 
time did not use the phrase identity theft, I think it was a 
very wise decision on the part of the Congress to limit the use 
of the SSN, because what we have seen now, 30 years later, is 
that the broad dissemination of the Social Security number 
within the United States has contributed to what is now the 
number one crime. The crime of identity theft is a $53 billion 
crime, according to a 2004 report of the U.S. Federal Trade 
Commission (FTC).
    Now, since the passage of the Privacy Act, it is obviously 
the case that the uses of the SSN have expanded by both 
government agencies and in the private sector, but I think it 
is important to note at the same time that the Congress and the 
States and the FTC have taken measures to try to limit the use 
of the SSN, recognizing that it does create an increased risk 
of identity theft. I think one of the witnesses spoke earlier 
about the provision that in effect took the SSN off the State 
driver's license so that the driver's license would not become 
the link to other record systems.
    Now, certainly, steps can be taken to enhance the Social 
Security card so that the likelihood of counterfeiting and 
tampering are diminished, and I think everyone including 
privacy organizations would favor those measures. The concern 
here on the privacy side is that the number becomes the basis 
for linking together different record systems; so, for example, 
if it becomes the basis for employment eligibility 
determinations, which could be made by DHS, every employee in 
the United States, not just immigrants to this country, would 
be required to present their Social Security card as a 
condition of establishing eligibility for employment, and I 
think this is something that was clearly never anticipated in 
the use of the number. I very much support the testimony of Dr. 
Kent and the work of the National Research Council.
    As these uses are expanded to determine citizenship, for 
example, or to determine employment eligibility, the increasing 
risks of misuse expand as well, as do the targets of 
opportunity and incentives for people to take advantage of the 
SSN and use it in ways that will cause actual harm and crime to 
    So, our recommendation to you today, particularly in the 
context of a series of hearings that look at high risk issues 
associated with the use of the SSN, is to ensure that there are 
adequate security and privacy safeguards for current uses and 
to avoid new uses that might introduce new risks and new 
dangers to American consumers.
    There is a good reason, I believe, that people in this 
country in particular are very uneasy about a national identity 
card, and it is part of our longstanding traditional that we 
would not, as a general matter, expect to live in a country 
where the government could say in effect please present your 
identity and prove to us who you are.
    Thank you very much for the opportunity to testify this 

    [The prepared statement of Mr. Rotenberg follows:]

           Statement of Marc Rotenberg, President, Electronic
                       Privacy Information Center

    Chairman McCrery, Ranking Member Levin, and Members of the 
Subcommittee, thank you for the opportunity to testify on the high-risk 
issues surrounding Social Security numbers.
    My name is Marc Rotenberg and I am Executive Director of the 
Electronic Privacy Information Center. EPIC is a non-partisan research 
organization based in Washington, D.C.\1\ Founded in 1994, EPIC has 
participated in leading cases involving the privacy of the Social 
Security Number (SSN) and has frequently testified in Congress about 
the need to establish privacy safeguards for the Social Security Number 
to prevent the misuse of personal information.\2\ Last year, I 
testified on H.R. 98, the Illegal Immigration Enforcement and Social 
Security Protection Act of 2005 and urged Members to reject the use of 
the SSN as a national identifier and to ensure the development of 
adequate privacy and security safeguard to address the growing crisis 
of identity theft.\3\
    \1\ EPIC maintains an archive of information about the SSN online 
at http://www.epic.org/privacy/ssn/.
    \2\ See, e.g., Greidinger v. Davis, 988 F.2d 1344 (4th Cir. 1993) 
(``Since the passage of the Privacy Act, an individual's concern over 
his SSN's confidentiality and misuse has become significantly more 
compelling''); Beacon Journal v. Akron, 70 Ohio St. 3d 605 (Ohio 1994) 
(``the high potential for fraud and victimization caused by the 
unchecked release of city employee SSNs outweighs the minimal 
information about governmental processes gained through the release of 
the SSNs''); Testimony of Marc Rotenberg, Executive Director, 
Electronic Privacy Information Center, at a Joint Hearing on Social 
Security Numbers and Identity Theft, Joint Hearing Before the House 
Financial Services Subcommittee on Oversight and Investigations and the 
House Ways and Means Subcommittee on Social Security (Nov. 8, 2001) 
available at http://www.epic.org/privacy/ssn/testimony_11_08_2001.html; 
Testimony of Chris Jay Hoofnagle, Legislative Counsel, EPIC, at a Joint 
Hearing on Preserving the Integrity of Social Security Numbers and 
Preventing Their Misuse by Terrorists and Identity Thieves Before the 
House Ways and Means Subcommittee on Social Security and the House 
Judiciary Subcommittee on Immigration, Border Security, and Claims 
(Sept. 19, 2002) available at http://www.epic.org/privacy/ssn/
ssntestimony 9.19.02.html.
    \3\ Testimony of Marc Rotenberg, President, Electronic Privacy 
Information Center, at a Hearing on H.R. 98, the ``Illegal Immigration 
Enforcement and Social Security Protection Act of 2005'' before the 
House Judiciary Committee Subcommittee on Immigration, Border Security, 
and Claims (May 12, 2005) available at http://www.epic.org/privacy/ssn/
    Social Security numbers have become a classic example of ``mission 
creep,'' where a program designed for a specific, limited purpose has 
been transformed for additional, unintended purposes, some times with 
disastrous results. The pervasiveness of the SSN and its use to both 
identify and authenticate individuals threatens privacy and financial 
security. Recent efforts to expand employment verification programs 
based upon SSN identification would turn the SSN into a national 
identifier, subjecting Americans to a national tracking systems and 
also heightening the risks of identity theft. There are additional 
risks associated with some of the technological features that the 
proponents of an ``upgraded'' Social Security card have suggested. As 
the New York Times reported yesterday, RFID chips that are being added 
to identity cards including the U.S. passport, are apparently subject 
to computer viruses and other forms of attack.\4\ These risks 
associated with the expanded use of the Social Security Number and 
identification cards underscore the importance of the hearing today.
    \4\ John Markoff, ``Study Says Chips in ID Tags Are Vulnerable to 
Viruses,'' New York Times, March 15, 2005.
History of SSN Use
    The Social Security Number (SSN) was created in 1936 for the 
purpose of administering the Social Security laws. SSNs were intended 
solely to track workers' contributions to the social security fund. 
Legislators and the public were immediately distrustful of such a 
tracking system, which can be used to index a vast amount of personal 
information and track the behavior of citizens. Public concern over the 
potential abuse of the SSN was so high that the first regulation issued 
by the new Social Security Board declared that the SSN was for the 
exclusive use of the Social Security system.
    Over time, however, legislation allowed the SSN to be used for 
purposes unrelated to the administration of the Social Security system. 
For example, in 1961 Congress authorized the Internal Revenue Service 
to use SSNs as taxpayer identification numbers.
    A major government report on privacy in 1973 outlined many of the 
concerns with the use and misuse of the Social Security Number that 
show a striking resemblance to the problems we face today. Although the 
term ``identify theft'' was not yet in use, Records Computers and the 
Rights of Citizens described the risks of a ``Standard Universal 
Identifier,'' how the number was promoting invasive profiling, and that 
many of the uses were clearly inconsistent with the original purpose of 
the 1936 Act. The report recommended several limitations on the use of 
the SSN and specifically said that legislation should be adopted 
``prohibiting use of an SSN, or any number represented as an SSN for 
promotional or commercial purposes.'' \5\
    \5\ ``Records, Computers, and the Rights of Citizens,'' Report of 
the Secretary's Advisory Committee on Automated Personal Data Systems, 
U.S. Department of Health, Education & Welfare 125-35 (MIT 1973).
    In enacting the landmark Privacy Act of 1974, Congress recognized 
the dangers of widespread use of SSNs as universal identifiers, and 
enacted provisions to limit the uses of the SSN. The Senate Committee 
report stated that the widespread use of SSNs as universal identifiers 
in the public and private sectors is ``one of the most serious 
manifestations of privacy concerns in the Nation.'' Short of 
prohibiting the use of the SSN outright, Section 7 of the Privacy Act 
provides that any agency requesting an individual to disclose his SSN 
must ``inform that individual whether that disclosure is mandatory or 
voluntary, by what statutory authority such number is solicited, and 
what uses will be made of it.'' This provision attempts to limit the 
use of the number to only those purposes where there is clear legal 
authority to collect the SSN. It was hoped that citizens, fully 
informed that the disclosure was not required by law and facing no loss 
of opportunity in failing to provide the SSN, would be unlikely to 
provide an SSN and institutions would not pursue the SSN as a form of 
The SSN as a National ID Number Erodes Privacy
    Contrary to the clear intent of the Privacy Act, legislation 
considered this term has proposed to build the SSN and the Social 
Security card into a national ID. H.R. 98, for example, would create a 
de facto national identity card. Despite any disclaimers that the card 
was not to be used for identification, employers required to verify the 
information on the card (which would bear a photograph and a machine-
readable unique identifier) would likely rely upon these ``fraud 
prevention measures'' as practical identification requirements. It is 
important to note that the SSN and its basic card are not intended to 
be used for authentication and identification purposes today, and yet 
far too many entities rely upon it for just those purposes. Adding the 
trappings of an identification document to it, including photographs 
and machine-readable technology, only reinforces the card's status as a 
badge of identity.
    Furthermore, using the SSN for employment verification would 
necessarily require the building of a vast database of nearly all 
people employed within the country, which could be easily indexed and 
correlated with other databases via the SSN. It is precisely this use 
of the SSN that the drafters of the Privacy Act sought to prevent. H.R. 
98 proposed that the database be available to Homeland Security for 
``any other purpose the Secretary of Homeland Security deems to be an 
the national security interests of the United States.'' This vague 
clause perfectly illustrates ``mission creep,'' and highlights the risk 
that a national database, based on SSNs, established for one purpose 
could quickly be transformed into an open-ended system of national 
    A mandatory, national index of all people employed within the U.S. 
would allow the tracking of individuals on an unprecedented scale. Each 
person applying for a job would be subject to a status determination by 
a government agency with each application. In essence, a person's life 
and livelihood would be determined by a database kept by the federal 
government--a database grounded in a flawed system of identification 
never intended for the purpose.
Identity Theft
    Nor are the uses of a universal identifier limited to government 
uses. In fact, it is commercial enterprises that have made the SSN 
synonymous with an individual's identity. Despite the fact that the 
cards were never intended to be used for identification purposes, they 
are considered the ``keys to the kingdom'' for records about individual 
    The financial services sector, for instance, has created a system 
of files containing personal and financial information on nearly ninety 
percent of the American adult population, keyed to individuals' SSNs. 
This information is sold and traded freely, with virtually no legal 
limitations. This widespread use, combined with lax verification 
procedures and aggressive credit marketing that lead to widespread 
identity theft.
    Credit grantors rely upon the SSN to authenticate a credit 
applicant's identity; many cases of identity theft occur when thieves 
apply using a stolen SSN and their own name. Despite the fact that the 
names, addresses, or telephone numbers of the thief and victim do not 
match, accounts are opened and credit granted using only the SSN as a 
means of authentication. EPIC has detailed many of these cases in other 
    \6\ See, e.g., TRW, Inc. v. Andrews, 534 U.S. 19 (2001) (Credit 
reporting agencies issued credit reports to identity thief based on SSN 
match despite address, birth date, and name discrepancies); Dimezza v. 
First USA Bank, Inc., 103 F. Supp.2d 1296 (D. N.M. 2000) (same). See 
also United States v. Peyton, 353 F.3d 1080 (9th Cir. 2003) (Credit 
issued based solely on SSN and name, despite clear location 
discrepancies); Aylward v. Fleet Bank, 122 F.3d 616 (8th Cir. 1997) 
(same); Vazquez-Garcia v. Trans Union De P.R., Inc., 222 F. Supp.2d 150 
(D. P.R. 2002) (same).
    The root of this problem is that the SSN is used not only to tell 
the credit issuer who the applicant is, but also to verify the 
applicant's identity. This would be like using the exact same series of 
characters as both the username and password on an email account. The 
fact that this practice provides little security should not be a 
    The printing of SSNs on government-issued drivers licenses provided 
yet another opening for identity thieves. A thief who stole your wallet 
could also easily steal your identity, with name, address, diver's 
license number, and SSN in one easy place. Congress recognized this 
threat and in the Intelligence Reform and Terrorism Prevention Act of 
2004, prevented the printing of SSNs on drivers licenses and other 
government-issued ID.\7\
    \7\ Pub. L. No. 108-408  7211-7214, 118 Stat. 3638, 3825-3832 
International Experiences
    The debate on national identification cards is not restricted to 
the United States. Fierce debates have erupted in other countries over 
the adoption of national ID cards. The problems presented by such cards 
in the UK, France, and many other nations are the same problems that we 
would face here--convenient categorization of individuals' records, to 
be used or abused by governments or those who obtain access to 
government records.
    The protests against the UK national ID cards are strong, and from 
esteemed sources such as the London School of Economics,\8\ yet they 
address a system that is even less problematic than one that could use 
the SSN as a national ID. In the UK, for example, the national ID card 
would be a voluntary document. And in Ireland, a proposal to establish 
national was recently rejected.\9\ Here in the U.S., SSNs are most 
frequently assigned at birth. We would be putting in place a system 
mandating ownership of a machine-readable photo ID, a step that other 
parts of the world, even those less opposed to government interference 
in personal affairs, seem loath to take.
    \8\ London School of Economics, The Identity Report: an assessment 
of the UK Identity Cards Bill and its implications (2005) at http://
    \9\ EPIC prepares an extensive annual survey of international 
developments concerning privacy protection, including the debates over 
identity documents. See Privacy and Human Rights: An International 
Survey of Privacy Laws and Developments (EPIC 2004), available at 
and%20Human%20Rights&headline=PHR2004#_Toc396491834 (``Identity 
Measures to Prevent Fraud
    The need to present such a card at every employment encounter, and 
possibly also for homeland security purposes, would also likely 
increase the need to carry the card on one's person, rolling back the 
benefits achieved by taking the SSN off of driver's licenses. The 
reason that the SSN can so easily be used for fraud is not that the 
card lacks anti-counterfeiting measures; it is the fact that the card 
is being used as an identifier in so many contexts that it should not 
be. Efforts to protect the SSN and its holders should therefore be 
focused upon limiting its uses and disclosures.
    Several states have, in recent years, established new privacy 
protections for SSNs. These laws demonstrate that major government and 
private sector entities can still operate in environments where 
disclosure and use of the SSN is limited. They also provide examples of 
protections that should be considered at the federal level. For 
example, Colorado, Arizona, and California all have laws that broadly 
restrict the disclosure and use of the SSN by both government and 
private actors. These laws encourage agencies and businesses to use 
different identifiers for their specific purposes, reducing the 
vulnerability that the disclosure of any one identifier may create.\10\ 
Arizona's law also prohibits the printing of the SSN on material mailed 
to Arizona residents, reducing the threat of fraud from intercepted 
    \10\ Colo. Rev. Stat  24-72.3-102; Ariz. Rev. Stat.  44-1373; 
Cal. Civ. Code  1798.85.
    Other states, including New York and West Virginia, have statutes 
that limit the use of the SSN as a student ID number.\11\ This reduces 
the vulnerability of students to identity theft and protecting the 
privacy of students whose personal information is collected in 
databases, and whose grades are often publicly posted, indexed by their 
student ID numbers.Similar laws exist in Arizona, Rhode Island, 
Wisconsin, and Kentucky.\12\
    \11\ N.Y. Educ. Law  2-b; W. Va. Code Ann.  18-2-5f.
    \12\ Ariz. Rev. Stat.  15-1823; R.I. Gen. Laws  16-38-5.1; Wis. 
Stat. Ann.  36.11(35); Ky. Rev. Stat. Ann.  156.160.
    Congress and this Committee has likewise moved to protect the SSN; 
just this session, Chairman Shaw and many other members of this 
Committee introduced legislation that would have added protections on a 
federal level. We hope that the Committee will be able to act on these 
proposals this session
    These various proposals all tend towards limiting the uses of the 
SSN, in notable contrast to proposals that expand SSN uses and thus 
expand individuals' vulnerability. We therefore urge the Committee to 
regard cautiously any attempt to expand the use of the SSN beyond its 
already overextended purposes.
    The expanded use of the Social Security Number is fueling the 
increase in identity theft in the United States and placing the privacy 
of American citizens are great risk. The widespread use of the SSN has 
made it too easy for government agencies, businesses, and even 
criminals to create detailed profiles of individuals Americans. 
Congress wisely sought to limit the use of the Social Security Number 
when it passed the Privacy Act of 1974, and the states have since 
established additional safeguards. While new techniques may address 
some of the security and privacy issues associated with the expanded 
use of the Social Security card, it clear that these techniques also 
create new privacy and security risks. We urge the Committee to 
consider very carefully the high-risk issues associated with the use of 
the Social Security Number. Every system of identification is subject 
to error, misuse, and exploitation.
Inside Risks: Real ID, Real Trouble?
by Marc Rotenberg
    According to the report of the 9/11 Commission, all but one of the 
911 1 hijackers acquired some form of U.S. identification, some by 
fraud. Acquisition of these forms of identification would have assisted 
them in boarding commercial flights, renting cars, and other 
activities. As a result, the Commission and some lawmakers concluded it 
was necessary for the federal government to set technical standards for 
the issuance of birth certificates and sources of identification, such 
as driver's licenses. The result was the Real ID Act of 2005.
    The new law states that beginning in 2008, ``a Federal agency may 
not accept, for any official purpose, a driver's license or 
identification card issued by a State to any person unless the State is 
meeting the requirements of this section.'' This means the Department 
of Homeland Security will issue the technical standards for the 
issuance of the state driver's license. The practical impact, as CNET 
explained, is that ``Starting three years from now, if you live or work 
in the United States, you'll need a federally approved ID card to 
travel on an airplane, open a bank account, collect Social Security 
payments, or take advantage of nearly any government service.'' And 
even some of the more conservative commentators in the U.S. have 
expressed concerns about ``mission creep.''
    Several objections have been raised about the plan, including 
privacy and cost, but the most significant concern may be security. As 
Bruce Schneier has explained, ``The biggest risk of a national ID 
system is the database. Any national ID card assumes the existence of a 
national database . . . large databases always have errors and outdated 
information.'' Even if the identity documents are maintained in the 
states, problems are likely.
    One example concerns the vulnerability of the state agencies that 
collect the personal information used to produce the license. In 2005, 
the burglary of a Las Vegas Department of Motor Vehicles put thousands 
of driver's license holders at risk for identity theft. The information 
of at least 8,738 license and ID card holders was stolen, and reports 
of identity theft have already surfaced. Another report uncovered 10 
``license-for-bribe'' schemes in state DMVs in 2004.
    Not surprisingly, the administrators of the state license systems 
are among those most concerned about the proposal. As the director of 
Driver Services in Iowa said, ``It's one thing to present a document; 
it's another thing to accept the document as valid. Verifying digital 
record information is going to be difficult.'' The National Conference 
of State Legislatures was more emphatic, ``The Real ID Act would cause 
chaos and backlogs in thousands of state offices across the country, 
making the nation less secure.''
    The National Academy of Sciences anticipated many of these 
challenges in 2002, stating that the U.S. should carefully consider the 
goals of nationwide ID system: ``The goals of a nationwide 
identification system should be clarified before any proposal moves 
forward. Proposals should be subject to strict public scrutiny and a 
thorough engineering review, because the social and economic costs of 
fixing an ID system after it is in place would be enormous.''
    The problems of building reliable systems for identification are 
not unique to the U.S. Many countries are confronting similar 
questions. In Great Britain, a national debate continues about the 
creation of a new identity card. The government contends the card is 
essential for combating crime, illegal immigration, and identity theft, 
and can be achieved for an operating cost of 584million pounds per 
year. But a report from the London School of Economics challenged a 
number of the government positions and a subsequent report found 
further problems with the ID plan.
    The U.K. group concluded, ``ID requirements may actually make 
matters worse.'' The LSE report cited a recent high-profile breach: 
``Even as cards are promised to be more secure, attacks become much 
more sophisticated. Most recently, Russian security agents arrested 
policemen and civilians suspected of forging Kremlin security passes 
that guaranteed entrance to President Vladimir Putin's offices.''
    Systems of identification remain central to many forms of security 
But designing secure systems that do not introduce new risks is proving 
more difficult than many policymakers had imagined. Perhaps it's time 
for the proponents of expanded identification systems to adopt the 
cautionary line from Hippocrates: ``First, do no harm.''
    Marc Rotenberg ([email protected]) is executive director of the 
Electronic Privacy Information Center (EPIC) and the former director of 
the ACM Washington Office: an expanded version of this column appears 
at www.epic.org.


    Chairman MCCRERY. Thank you, Mr. Rotenberg, and thank you 
all for providing excellent testimony and raising some good 
questions and considerations as we try to sort our way through 
sometimes conflicting national needs and the desires of our 
constituents and folks that are concerned about immigration, 
about illegal immigration, and about terrorism.
    We find ourselves kind of going in circles, it seems to me, 
as we talk about these issues. On the one hand, we all want to 
protect our border. We want to make sure that people are here 
legally and working legally, but we also recognize the dangers 
that Mr. Rotenberg and Dr. Kent pointed out of expanding the 
uses of the SSN and thereby increasing the opportunity for 
    So, it is a complex question, and I appreciate the sunlight 
that you all have brought to this question. Let us assume for 
the moment that we could make a card that is much more 
foolproof than the current card, and that would be very 
difficult to copy. Even if we had that, let us look at the 
question of employment eligibility and using that in employment 
eligibility, because several Members of Congress have already 
introduced proposals that would require employers to check a 
government database to confirm an employee's work 
    Some of those proposals combine that with an enhanced SSN 
card that could be used to access the employment eligibility 
verification system. How effective do you all think such a 
system would be in preventing unauthorized noncitizens from 
illegally obtaining employment? Would we get the desired result 
from the bucks that we expend to put that system in place?
    Mr. ROTENBERG. Well, one of the key issues, Mr. Chairman, 
in that question, and this is also addressed in the National 
Research Council report, concerns the quality of the underlying 
data. The proposal which you are referring to, which I think is 
H.R. 98, would try to, in effect, transform the SSN card into 
an identity document and enable employers to query a national 
database, which I believe would be maintained by DHS, to 
determine the eligibility of a person who is seeking employment 
in the United States.
    It is possible, certainly, to enhance the card through 
photographs and biometric means to make it into a quasi-
identity document. I think it would raise privacy issues, but 
it would not resolve the question as to the accuracy of the 
underlying data. I think it is very easy to imagine, 
particularly with a lot of foreign names, that misspellings and 
mispronunciations could easily lead to errors in these systems.
    Now, that is not necessarily a reason not for doing it, but 
I think it does underscore the need to, as Dr. Kent said, look 
beyond the card and to establish this as a system problem and 
to understand whether or not those databases would support good 
    Chairman MCCRERY. Let me just interject for a moment, 
because we ought not too easily set aside these suggestions in 
today's world of extremely capable technology. You have 
mentioned foreign names, and it is easy to get them mixed up. 
On a computer it is pretty specific. You have to type in 
exactly the right name. So, if you do that, and you send it to 
this database, it is not going to get confused; it is going to 
spit back exactly that name and whether it is authorized or 
not. So, I do not buy that.
    Do you have any other problems that you see with this 
system being able to correctly identify whether a person in 
this--I understand the underlying data may be wrong. I do not 
think we can ever fix that. Well, I do not think as a practical 
matter we can ever fix that. Assuming that the--well, never 
mind the underlying data; we can at least say whether the 
database has this person in it as authorized to work, can't we? 
It might be expensive, but we can do that, can we not? These 
gentlemen are nodding. Dr. Kent.
    Dr. KENT. Well, Mr. Chairman, one question that would come 
to mind immediately is whether everyone would be issued such a 
credential or only whether people who were immigrants were 
supposed to have such a credential.
    Chairman MCCRERY. That is a good question, and we will get 
to that.
    Dr. KENT. If we assume that only people who were immigrants 
are supposed to have it, then the burden, I would assume, on 
the employer is to make an initial determination of whether or 
not somebody applying for a job is or is not a citizen. Then 
the question is what existing credentials do they use for that 
    If I have to present a birth certificate, then, we 
encounter all of the residual vulnerabilities associated with 
birth certificate forgery when people do not go to the extent 
that the earlier witnesses testified that you can do if you are 
working hard in a forensic case to deal with fraud or something 
like that, which the average employer would not be able to do.
    So, there are a lot of questions we would have to answer to 
really be able to determine that.
    Chairman MCCRERY. Admittedly, people could find ways to 
fabricate authentication and thereby get on the database as an 
authorized worker. Would this system reduce the likelihood that 
somebody could get a job in the country if that person were 
here illegally and unauthorized to work?
    Dr. KENT. It is hard to say----
    Chairman MCCRERY. Sure.
    Dr. KENT. --without looking at all the details, but----
    Chairman MCCRERY. The next question is how much would it 
reduce it?
    Dr. KENT. Yes.
    Chairman MCCRERY. That is an easy question to answer. Sure 
it would, but would the bang for the buck be worth it? That is 
the real question.
    Dr. KENT. I think that is where an extensive study needs to 
be undertaken to try to predict whether or not you would be 
getting, as you say, good bang for the buck out of such a 
    Chairman MCCRERY. Mr. O'Carroll, Mr. Outland, do you have 
thoughts on this?
    Mr. O'CARROLL. Yes, Mr. Chairman, it's sort of a twofold 
question, the first part asking in terms of designing a card 
that would be tamper-resistant, difficult to counterfeit, 
    What we are finding is basically anything that has been 
engineered can be reengineered, and that is kind of our take on 
any of the expense that would go into coming up with a more 
counterfeit-proof card. It is really going to be pretty 
difficult, and the result on it is probably not going to be as 
good as one would hope.
    So, what we are kind of in agreement with you on is that it 
is the underlying data that is the most important. Right now, 
what Social Security is using with DHS as the basic pilot, the 
SSA is verifying the SSN. The DHS is verifying the work status 
on it. There are other documents the employer can ask for, as 
an example, a DHS I-9. They are running the SSN. They are 
getting a verification back on it, and we are finding that that 
type of information is going to be much more current than 
anything you could embed on a card that is going to keep 
requiring people to come back to have their cards updated and 
information like that, which is a whole other workload, 
assuming that we could come up with a tamper-proof card.
    Mr. OUTLAND. Yes, Congressman, adding a photograph or a 
machine readable technology to the current card would obviously 
include changing the substrate from the banknote paper to a 
plastic substrate, say a polycarbonate or even a Teslin.
    Now, while I have seen counterfeit documents produced on 
driver's licenses on Teslin and PVC, there are security 
features that are available that will make it more difficult 
for the counterfeiter to reproduce those. So, I agree with you. 
It can be done. You can produce a more difficult card. Given 
the document as it is right now on banknote paper, there are 
security features that can be added to that today at a nominal 
cost to also make it----
    Chairman MCCRERY. Yes, a $10 bill, for example.
    Mr. OUTLAND. Correct.
    Chairman MCCRERY. We have just done it. I saw one the other 
day. It is very weird looking.
    Chairman MCCRERY. I suppose it is better.
    Mr. OUTLAND. Yes.
    Chairman MCCRERY. Well, I want to give--you heard that. 
That is the House Democratic Cloakroom advising Republicans and 
Democrats we have votes.
    Mr. LEVIN. You can stay if you want.
    Chairman MCCRERY. I am going to yield. I have more 
questions, but I am going to yield to my good friend and 
colleague from Michigan, Mr. Levin, for any questions he might 
    Mr. LEVIN. Just a few, and then, I guess--maybe I will be 
very brief so Mr. Pomeroy can--the more I hear of this, in a 
sense the more confusing it is, though you are very articulate. 
It is not very--it is not clear to me what the issues really 
are. I take it there are numbers of citizens in the United 
States, of the United States, who do not have a SSN.
    Mr. STRECKEWALD. There are--I am sorry, there are many, did 
you say? I could not quite hear you.
    Mr. LEVIN. There are many.
    Mr. STRECKEWALD. We do not believe there are too many 
people, citizens of the United States that do not have a Social 
Security card, because most parents get them right away for 
their newborn babies for tax purposes, and everybody else has 
one for work and for Social Security purposes.
    Mr. LEVIN. Before that started, I take it there are some 
people here, citizens, who do not have a SSN, maybe older 
people, right?
    Mr. STRECKEWALD. Well, most of our elderly, at one point or 
another, came into our offices to get benefits. Even those that 
did not work, there were some early provisions in Social 
Security for spouses' benefits if they did not work which still 
exist today. There were some for Medicare. So, I believe that 
you would find that most elderly citizens----
    Mr. LEVIN. Most.
    Mr. STRECKEWALD. --have SSNs, if not all.
    Mr. LEVIN. If we had an ID program, it would mean that 
there would be people who would not otherwise seek a SSN who 
would have to become participants in the program, right?
    Mr. STRECKEWALD. Yes; I think what I hear you saying is, if 
we decided to issue a new card, there would be some people who 
normally would not be coming in to get a card, and we would not 
see them, because they are perfectly fine. Right now they do 
not need to show their card. They are retired or whatever. If 
they were asked to come in and get a new card, we would see a 
lot more people than we normally see for the general 
replacement card traffic.
    Mr. LEVIN. Okay; secondly, if there were not an issue in 
this country about people who are working here, who are not 
here legally, would there be this issue of a national ID card? 
You are not sure.
    Mr. STRECKEWALD. At Social Security, from that perspective, 
I am not sure. I would defer to the investigators and the 
experts at the table.
    Mr. LEVIN. Well, maybe you do not want to answer that.
    Mr. LEVIN. It is okay. The next thing that is rather 
confusing is that part of the problem seems to be that a lot of 
employers do not want to check the status, legal or illegal. Is 
that not true? Yes, it is true.
    Mr. STRECKEWALD. I mean, in our experience, I think, the 
Inspector General's experience, that is definitely true.
    Mr. LEVIN. So, if we have a card, it does not matter what 
you call it, it does not get at the issue of whether we are 
going to have an effective system of requirement when there is 
a larger issue as to whether or not people want to accurately 
and effectively check the status of people, right?
    Mr. STRECKEWALD. For things to change from where they are 
now, there would probably have to be more enforcement on that 
part of the process; that they would have to check it and 
verify it.
    Mr. LEVIN. Just to finish, let us say we had an ID card 
today, and we had a system that any employer who did not verify 
and use the system, punch into the computer would be guilty of 
a high misdemeanor, let us say, for example--I assume that 
would be a somewhat controversial proposition, would it not?
    Mr. O'CARROLL. Yes, I would agree, because as it stands 
now, there are laws requiring employers to verify SSNs and 
provide valid numbers, and employers do not. There has not been 
very much enforcement done on that.
    Mr. LEVIN. Thank you.
    Chairman MCCRERY. Mr. Pomeroy.
    Mr. POMEROY. Thank you, Mr. Chairman. I will be brief. 
Thank you for putting together this hearing, and the very 
interesting panel that majority staff selected has really done 
a nice job here of collecting a range of views on the proposal.
    When I was in the State Legislature, now 25 years ago, we 
passed a law that the North Dakota driver's license number is 
the SSN. It was simple, easy, everyone remembers.
    They changed that law. They really, upon further 
reflection, we really did not want Social Security kind of 
being a national ID, a national identifier; privacy today, 
privacy issues, identity theft issues, lots of things led the 
legislature to correctly, in my view, make that change.
    I do think this issue presents in front of us very 
squarely, this would be moving the Social Security card to a 
national ID card. Now, whether or not that is the full intent 
of the proposal, I think that that is the effect of it. I have 
concerns about it in that respect, and I think that the panel 
has given voice to some of the reasons why one might want to 
think twice about that.
    Another concern I have got is budgetary. This $9 billion 
cost of implementation is advanced at a time when the 
Administration has proposed changes in Social Security that 
would kick out of eligibility for survivors' benefits 16- and 
17-year-olds. When my father died, I was 19, but I got benefits 
all the way through college. That was pre-1983. In 1983, we 
limited it to the 18th year.
    I think depriving Social Security benefits to someone 16 is 
just wrong, absolutely wrong. If we cannot afford to pay 16-
year-olds when they lose their Dad, I do not think we can 
afford $9 billion in these fancy cards; simple as that.
    So, I have got some very deep reservations about this 
proposal. I thank the Chairman for letting me express them. I 
yield back.
    Chairman MCCRERY. Thank you, Mr. Pomeroy. Gentlemen, we are 
going to have some other questions that we would like to submit 
to you in writing if that is okay, and that would allow you to 
leave when we recess in just a few minutes and not just hang 
around, because we are going to have votes until at least noon, 
it looks like.
    However, I do want to point out to Mr. Pomeroy my 
observation that what some are proposing and what we are 
discussing here today is an enhanced SSN card, and then using 
that for purposes of employment verification or work 
authorization verification. I do not view that as a national ID 
card. I do not think it would be tantamount to a national ID 
card necessarily, because unlike, say, a driver's license, 
which we have to carry on our person if we drive or if we want 
to cash a check or whatever, one would not have to carry their 
Social Security card.
    Only when he is applying for employment would he have to 
get it out of his safe in his house, or his drawer, or 
whatever, and take it down to that place of employment and say 
``here.'' Then, once that is done, he takes it back, and puts 
it back in his house in a safe place under his underwear or 
    Unless he is burglarized, his SSN is safe with him, just as 
safe as it is today, where the employer has to have it in any 
event; he does not have to see the card, but he has to have 
that number.
    So, I think it is perhaps a bit of a jump to equate what we 
are talking about today with a national ID card and all of the 
ramifications of that. Would you disagree with my observations?
    Mr. POMEROY. I think you make your point well, but my 
thought is in the end, if you need this identification card 
before you can get a job that we have taken a big step toward a 
national ID card concept, I think. I also do not know about, 
well, what other--unless we prohibit it in the legislation 
itself, what other groups may require the use of this 
particular card, because it would have--it would be the most 
advanced card in the marketplace, what other groups might 
require it for other purposes unless, again, we restrict it.
    Chairman MCCRERY. Yes, well, that is a potential problem, 
but anyway, this is an interesting subject and an important 
subject, so I thank the witnesses very much for your testimony, 
and if you all have any thoughts on what I and Mr. Pomeroy just 
talked about, feel free to include those in your responses to 
written questions. Thank you very much. The hearing will be in 
recess until votes are concluded and we can muster the first 


    Chairman MCCRERY. The Committee will come to order. The 
hearing is adjourned.

    [Whereupon, at 10:48 a.m., the hearing was adjourned.]

    [Questions submitted by Chairman McCrery to the Honorable 
Jo Anne B. Barnhart and her responses follow:]

    Question: If Congress were to require employers to verify an 
employee's name, SSN, and employment eligibility through a government 
database, would we still need to enhance the SSN card to prevent 
unauthorized work by non-citizens? Would some form of identification, 
(e.g., a driver's license or immigration card from the U.S. Department 
of Homeland Security) plus confirmation from the system be enough to 
identify individuals who do not have authorization to work in the 
United States? How much value would an enhanced SSN card add to such a 
    Answer: By using the Basic Pilot or a similar government database 
which accesses the Department of Homeland Security's (DHS) work 
authorization information, employers have access to the most current 
work authorization data available, because DHS' work authorization data 
is more current than the information on the Social Security number 
(SSN) card. Therefore, requiring employers to verify employees' work 
authorization through such a database, would render the SSN card, 
enhanced or not, of little additional value in proving current work 
    To address the issue of identity, employers would still need to 
verify an employee's identity by examining an identity document listed 
on the Form 1-9 and be alert for identity fraud situations. The Social 
Security card itself was never intended and does not serve as a 
personal identification document; that is, the card does not establish 
that the person presenting the card is actually the person whose name 
and SSN appear on the card.

    Question: In his testimony, Mr. Streckewald said that replacing 
cards for 240 million cardholders nationwide would cost approximately 
$9.5 billion. How much would it cost if the agency issues new cards 
only to people in the workforce? What are your thoughts on allowing the 
SSA to charge a fee to offset some or all of those costs--what are the 
arguments for and against such an option?
    Answer: Last year we estimated a card with enhanced security 
features, such as biometric identifiers, would cost approximately 
$25.00 per card. This estimate does not include the startup investments 
associated with the purchase of equipment needed to produce and issue 
such a card. Based on this information, our most recent 5-year estimate 
regarding the issuance of new enhanced cards to 170 million current 
workers and 5 million new workers annually is approximately $6.7 
billion to replace the cards within 5 years and $7.4 billion to replace 
the cards within 2 years. This estimate includes all startup and 
ongoing costs.
    More recent data, however, shows that the cost of issuing Social 
Security cards has increased by at least $3.00, due, in part, to new 
requirements for verification of evidence. We will update our estimate 
when we have accumulated sufficient baseline data. In addition, when 
formulating an estimate based on a particular proposal, we would have 
to consider the details of the proposal, including the type of card 
enhancements required and the amount of time given to issue the 
enhanced card.
    Finally, charging a fee for issuing these new Social Security 
cards, while ultimately a policy decision, would result in significant 
additional costs for the Social Security Administration (SSA). It would 
involve explaining and collecting the fee, obtaining credit card 
authorization if necessary, entering remittance of the payment into an 
automated system, and issuing a receipt of payment. In addition, 
charging a fee would involve SSA periodically setting a fee schedule 
and reconciling these offsetting collections. All of these actions 
would result in a considerable increase in the cost of issuing a Social 
Security card.

    Question: What would be the effect on SSA's workloads of issuing 
enhanced SSN cards to everybody who is seeking employment in the United 
States? How many employees would it require to process the workload?
    Answer: Issuing new enhanced cards to everyone seeking employment 
in the United States would have a significant impact on SSA's workloads 
until all individuals in the workforce have been issued a new card. We 
estimate that the initial workload would require about 13,000 
additional employees. This equates to approximately 20 percent of SSA's 
current workforce. Absorbing this work without additional staff would 
require a reduction of 20 percent of the work we currently process, 
including retirement claims, disability claims and eligibility reviews. 
This estimate does not reflect the increased time our employees must 
spend with Social Security card applicants due to the new requirements 
for verification of documents which began in December 2005. We 
anticipate our workforce requirement would increase as a result of this 
recent change, but we need to develop a longitudinal baseline of actual 
data before revising our estimates.

    Question: Another witness at the hearing, Dr. Kent, stated that 
``layering even the best current security on top of old data only gives 
the old data an appearance of being more trustworthy.'' Is the SSN 
system a good database upon which to build an employment authorization 
card? What changes, if any, would need to be made to the SSA's data to 
provide reliable validation of identity and employment authorization?
    Answer: Social Security's databases do not contain current 
information about employment eligibility, because there is no SSA 
program need to maintain such information. SSA is able to verify 
current work authorization only when SSA records reflect that the 
individual is a U.S. citizen, because U.S. citizens have permanent work 
authorization. For all non-citizens, SSA's databases contain only a 
``snapshot in time'' of employment eligibility as of the date the SSN 
card was issued. SSA's records are updated only when a non-citizen 
submits a new application requesting a change to the information in his 
or her record and provides evidence supporting the change. Therefore, 
DHS' work authorization data is the only reliable source for validating 
the current employment eligibility of non-citizens.
    We believe an employment eligibility verification system, such as 
the current Basic Pilot, is the best tool for employers to verify 
employees' current work authorization status. Such a system uses the 
data contained in SSA and DHS databases in a way that allows each 
agency to maintain only the data necessary for the administration of 
their respective programs. As a result, each agency is able to focus on 
its own business processes, including the collection, integrity and 
accuracy of certain information. If these databases were to be 
combined, one agency would be burdened with the management of data 
which it does not collect, cannot verify and which is not related to 
its business purposes.
    In addition, a combined database would be less accurate than two 
separate databases since combining the data would involve transmitting 
updated information from the source data base. At any point in time, 
some data on the combined database would be out of sync with the source 
database that contains the most current information.
    Finally, we note that an essential component of any employment 
verification system is to confirm the identity of the individual 
seeking employment verification. SSA databases do not contain identity 
information and, thus, are not suited to this critical function.

    Question: Currently the SSA issues a special series of SSNs to non-
citizens who are assigned SSNs through the ``enumeration-at-entry'' 
program. If the SSA were to dedicate a special series of SSNs to 
individuals who have no authorization to work, or only temporary 
authorization to work, at the time the SSN is issued, would that help 
employers identify non-citizens who are unauthorized to work in the 
United States?
    Answer: SSA has considered using special series numbers for 
temporary non-citizen workers and those non-citizens admitted without 
work authorization. Our analysis showed that a special series for 
temporary workers would be of limited value in providing meaningful 
work authorization information to employers because immigration and 
authorization to work status may expire, be renewed or changed to 
another status by DHS. Thus, employers looking at a card or SSN with a 
special series designated for temporary workers would still need to 
verify current work authorization.
    Other concerns to be considered with numbers that identify certain 
categories of non-citizens include the following:

      Providing new, special series SSNs for all aliens in the 
United States who have no work authorization or temporary work 
authorization, and who have already been issued an SSN, would present a 
staggering workload for SSA.
      SSA would also be required to assign new SSNs to non-
citizens when their immigration status changes. The volume of new SSNs 
which would be required to assign multiple numbers to many non-citizens 
would create a number of issues, including:
            Running out of numbers. (SSA currently has enough 
        SSNs for nearly 70 years. Assigning multiple numbers to non-
        citizens would require setting aside large blocks of numbers, 
        which would significantly deplete the supply of SSNs available 
        to citizens.)
            Complex cross-referencing of multiple numbers by 
        SSA and all other governmental and non-governmental agencies 
        that use the SSN.

    Question: If Congress were to require the SSA to record information 
on when a temporary immigrant's authorization to work in the United 
States expired as part of its voluntary SSN verification services, 
would that help employers identify non-citizens who are unauthorized to 
work in the United States?
    Answer: In keeping with DHS' mission and authority, DHS has the 
most current information on immigration and work authorization status. 
We believe that giving employers access to DHS' work authorization 
data, through an employment eligibility verification system such as the 
Basic Pilot, would be the most accurate way for an employer to 
determine an employee's current work authorization status.
    While such information might be helpful to employers, requiring SSA 
to maintain such information would be problematic. Maintaining work 
authorization expiration information in SSA's records would expand 
SSA's mission to include a business purpose that would concurrently 
fall under the purview of DHS. Even if SSA were required to maintain 
such information in its records, SSA would not be responsible for 
granting work authorization status or determining the duration of such 
status. Therefore, SSA would be unable to respond to employer questions 
or to resolve issues related to the verification of that information.

    [Questions submitted by Chairman McCrery to the Honorable Patrick 
P. O'Carroll and his responses follow:]

    Question: Is there such a thing as a counterfeit proof card? How 
would you define a minimum threshold for a counterfeit and tamper 
``resistant'' card?
    Answer: We do not believe there is such a thing as a perfectly 
counterfeit-proof Social Security card. Certainly, with each new 
security feature, the card would be more tamper-resistant. However, we 
are uncertain as to whether trying to make the card more counterfeit-
resistant is worth the costs of improving and reissuing such cards.
    As a person ages, there are modifications in appearance such as 
weight gain or loss, changes in hair and facial appearance, and so on. 
Because of this, photographs often are not as reliable as other 
biometric alternatives. We believe that digitized fingerprints would be 
more reliable than photographs as scientific data suggests that a 
person's fingerprints do not substantially change after age 3. In 
addition, new photographs would need to be taken periodically to stay 
current with an individual's physiological changes. We also are 
concerned about the effect on SSA's Enumeration at Birth program of 
requiring such a card.
    The Social Security Administration (SSA) will need sufficient time 
to design an enhanced card. It will need to determine which biometric 
features are to be captured, ensure proper data linkage with the 
Department of Homeland Security, and issue the new card to tens of 
millions of individuals. This will create a significant administrative 
and cost burden for SSA. A more viable alternative might be to issue 
the new card only to new applicants, to those current number holders 
who apply for benefits in the future, and to those current number 
holders who request the new biometric card.
    If the Social Security card is machine readable, then other public 
and private sector entities will need to procure equipment that can 
read the biometrics on the new cards. The costs to these entities, in 
terms of equipment and training, would need to be considered.

    Question: There is much concern that non-citizens who are 
unauthorized to work are using counterfeit SSN cards and false or 
stolen SSNs in order to illegally gain employment in the United States. 
Is it the SSNs themselves, or SSN cards, that are most often used in 
connection with unauthorized employment?
    Answer: Under current law, the SSN card is not a required document 
when an individual is applying for a job. If an applicant submits an 
SSN card to an employer, that employer may not identify a counterfeit 
card. Whether or not the employer views the actual SSN card, real-time 
verification with SSA of the name and SSN the applicant provides could 
assist in preventing theft of an individual's SSN or use of a false 
number. In addition, active deterrence, in the form of possible 
apprehension for false use of an SSN, would further decrease SSN 
    Although we do not capture this specific information about SSN 
misuse in our case management system, it has been the experience of our 
investigators that SSNs themselves, rather than Social Security cards, 
are most often used in connection with unauthorized employment.

    Question: In your testimony, you said that your prior audit work 
has revealed inaccuracies in the SSA's SSN database that could affect 
the Agency's ability to provide employment eligibility verification 
services. Could you elaborate on what you found?
    Answer: In our audit Compliance with Policies and Procedures When 
Processing Noncitizen Social Security Number Applications at Foreign 
Service Posts (A-08-04-14060, August 30, 2004), we found that SSA 
personnel classified 12 percent of the applicants enumerated at Foreign 
Service posts during our audit period as noncitizens, even though 
documents provided by the applicants showed them to be United States 
citizens. For these cases, the SSA employee recorded that United States 
citizens born abroad were noncitizens. We have additional audits that 
have identified similar issues. However, we have not performed a review 
of the overall accuracy of SSA's enumeration database. We do have a 
review ongoing in this area and will report the results when we have 
completed our review.

    [Questions submitted by Chairman McCrery to the Dr. Peter Blair of 
the National Research Council and his responses follow:]

    Question: Dr. Kent stated in his testimony that there are almost 
always forces that push identification systems to be used in ways for 
which they were not originally designed or intended. What do you think 
could be some of the unintended consequences of adding identity 
information, such as a photograph or other biometric information, to 
SSN cards?
    Answer: The general issue of unintended consequences from the 
deployment of any large-scale identity system is described in the 
reports that Dr. Kent cited in his earlier testimony. Absent strong 
technical and policy countermeasures and disincentives, the use of an 
ID card, ID number, or ID system can expand greatly, just as has 
happened with the SSN and the state driver's license. Potential 
unplanned-for uses depend in part on the purpose of the system, what 
information is contained in any related databases, and what possession 
of an ID is meant to signify. Adding biometric information to the ID 
system implies another level of complexity with all of the attendant 
challenges surrounding enrollment, capture of biometric information, 
reliability, accuracy, and so on. To the extent that an ID system is 
made reliable and accurate, it is that much more tempting a target for 
attacks or simply for uses for which it was not designed. Predicting 
what specific secondary uses might arise for any particular ID system 
is difficult absent a more complete description of that system.

    Question: If the role of the SSN card was expanded so that it 
provided proof of identity, would it become a more desirable target for 
identity thieves or others who seek to commit crimes using the SSN? 
Would the potential damage that could be done if an SSN is stolen by 
greater? How could we protect individuals, businesses, and the 
government against this?
    Answer: To the extent that an expanded SSN card becomes more 
valuable--in this case ``proof'' of identity would be a valuable 
commodity--the more likely it is to be a target for identity thieves as 
they seek to take advantage of the new functionality. Increasing the 
value of the SSN card might also raise its profile, even apart from any 
new credentialing that it could offer, and thus increase the frequency 
with which it is a target of traditional sorts of identity theft and 
fraud. Identity theft is already a major challenge by virtue of the 
link between the SSN and other readily available types of personal 
information and access to credit. Finding ways to cut these links so 
that identity credentials in one system cannot be easily used in 
another might offer some protection. On the other hand, this could 
insert friction and decrease efficiency of some transactions.

    Question: What documents available today should employers use to 
verify the identity of their employees?
    Answer: Our reports do not address this question specifically. To 
the extent that employers need to use an ad hoc or formalized identity 
system when hiring, questions that would help guide the choice of 
documents to use include: what specific problems need to be addressed 
(in this case, presumably, establishing work eligibility), what is the 
extent of the problem (affording some sense of costs and benefits), how 
could a particular identity system address that problem, and what other 
solutions (apart from a formalized new identity system) might address 
the problem?

    Question: How would you define a national identification system? If 
Congress were to add certain features to the SSN card, such as a photo 
or other biometric information, and to require its use to obtain 
employment, do you think it would meet that definition?
    Answer: Our reports do not draw a clear distinction because any 
large-scale identify system poses numerous challenges and policy 
questions that must be addressed. For some systems, such as those 
deployed only to allow access to a particular business building for 
example, the scope and scale is fairly limited and the policy issues 
are primarily specific to that business or that location. However, in 
any system that is deployed to encompass large portions of the 
population for more general purposes much more rigor and attention to 
the questions outlined in IDs--Not That Easy are needed. In this sense, 
then, there are already several nationwide identity systems, each 
serving different purposes, including passports, driver licenses, and 
present-day SSN cards/numbers. In short, changing the SSN card's 
features and functionality would create a national identification 
system much as the existing systems listed above have, but the label is 
much less important than is sorting through the policy and technical 
challenges of any large-scale identity system.

    Question: Members of Congress have introduced proposals that would 
require millions of employers across the United States to access an 
employment eligibility verification database operated by the 
government. What concerns would you have about the privacy and security 
of such a database? What is the track record on maintaining the 
security of such a database?
    Answer: Such a database would presumably be one element of a large-
scale identity system and all of the issues raised in our two reports 
would apply. Securing the database is only part of the challenge. 
Depending on the purposes of the system and the specific content of the 
database, such a database could be an extremely high-value target for a 
wide variety of people ranging from tax avoiders to identity thieves to 
national security risks. Just as with a state driver's license system, 
the value of this database as a target will be dependent on what value 
the credential offers; the more things the credential is useful for, 
the higher value target the database is likely to be.
    An early question to ask is how is membership in the database 
ascertained and verified? That is, what process determines whether an 
individual is eligible to work? Then, additional questions include: 
What individuals, organizations, and institutions would have legitimate 
access to the database? How would that access be facilitated? Who would 
verify the legitimacy of these individuals, organizations, and 
institutions? What opportunities for redress would there be if 
erroneous data ends up in the database? Where would liability for 
mistakes reside? All of these points, and many others, introduce 
various sorts of privacy and security vulnerabilities into the system. 
And, experience suggests that even applying the best security and 
privacy protections available will not protect against so-called 
``social engineering'' attacks or hacks (such as bribes). That said, 
protection against attacks is only one part of the challenge. Having 
policies, procedures, and technical capabilities in place to discover 
that an attack has taken or is taking place as well as procedures in 
place to respond effectively is also critically important. Virtually 
any large, valuable database will be the target of some kind of attack 
and no such database can be 100% secure; therefore clearly thinking 
through how to respond in the event of an attack, disclosure, or simple 
failure is a key component of building secure and reliable systems.


    [Submissions for the record follow:]

                                              Severn Trent Services
                                         Colmar, Pennsylvania 18915
                                                     March 27, 2006
The Honorable Bill Thomas
Committee on Ways and Means
U.S. House of Representatives
Washington, D.C. 20515

Dear Chairman Thomas:

    I am writing on behalf of our company in support of H.R. 1708, the 
Clean Water Investment and Infrastructure Security Act. Severn Trent 
Services has a global presence and is a $600 million business employing 
2,350 personnel providing water and wastewater equipment and services 
to communities and industrial customers around the world. The company's 
broad range of products and services is concentrated around 
disinfection, instrumentation, and filtration technologies, pipeline 
analysis, rehabilitation and repair services, contract operating 
services and state-of-the-art residential metering products and 
services. Severn Trent Services is a member of the Severn Trent Plc 
(London: SVT.L) group of companies. An international environmental 
services leader, Severn Trent is a FTSE 100 company.
    We should all be concerned about the deteriorating state of our 
nation's water and wastewater infrastructure. Nearly $1 trillion 
dollars need to be invested over the next 20 years to repair, 
rehabilitate, replace and upgrade our nation's network of water and 
wastewater treatment plants, collection systems and distribution lines. 
Failure to stem this looming crisis will cause significant public 
health and economic harm to our country.
    H.R. 1708 will allow communities across the nation to partner with 
the private sector in funding critical water infrastructure activities 
by removing water and wastewater projects from the state volume caps 
for private activity bonds. This is the least expensive option for 
addressing a growing national crisis and ensuring that all Americans 
are guaranteed a safe, reliable water infrastructure system. We urge 
Congress to move expeditiously on this proposal and thank you for your 
leadership in this matter.
                                                       Steve Hinkle
                                                     Credit Manager
                                                 Michael P. Isabell
                                              Business Unit Manager
                                                     Linda D. Slack
                                            Administative Assistant
                                                       Nadia Abbott
                                                  Marketing Manager
                                                      Barbara Ferns
                             Principal Electrochlorination Engineer