[House Hearing, 110 Congress]
[From the U.S. Government Publishing Office]





                         EMPLOYMENT ELIGIBILITY
                          VERIFICATION SYSTEMS

=======================================================================

                                HEARING

                               before the

                    SUBCOMMITTEE ON SOCIAL SECURITY

                                 of the

                      COMMITTEE ON WAYS AND MEANS
                     U.S. HOUSE OF REPRESENTATIVES

                       ONE HUNDRED TENTH CONGRESS

                             FIRST SESSION

                               __________

                              JUNE 7, 2007

                               __________

                           Serial No. 110-45

                               __________

         Printed for the use of the Committee on Ways and Means















                   U.S. GOVERNMENT PRINTING OFFICE
47-008                      WASHINGTON : 2009
----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC 
area (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, 
Washington, DC 20402-0001








                      COMMITTEE ON WAYS AND MEANS

                 CHARLES B. RANGEL, New York, Chairman

FORTNEY PETE STARK, California       JIM MCCRERY, Louisiana
SANDER M. LEVIN, Michigan            WALLY HERGER, California
JIM MCDERMOTT, Washington            DAVE CAMP, Michigan
JOHN LEWIS, Georgia                  JIM RAMSTAD, Minnesota
RICHARD E. NEAL, Massachusetts       SAM JOHNSON, Texas
MICHAEL R. MCNULTY, New York         PHIL ENGLISH, Pennsylvania
JOHN S. TANNER, Tennessee            JERRY WELLER, Illinois
XAVIER BECERRA, California           KENNY HULSHOF, Missouri
LLOYD DOGGETT, Texas                 RON LEWIS, Kentucky
EARL POMEROY, North Dakota           KEVIN BRADY, Texas
STEPHANIE TUBBS JONES, Ohio          THOMAS M. REYNOLDS, New York
MIKE THOMPSON, California            PAUL RYAN, Wisconsin
JOHN B. LARSON, Connecticut          ERIC CANTOR, Virginia
RAHM EMANUEL, Illinois               JOHN LINDER, Georgia
EARL BLUMENAUER, Oregon              DEVIN NUNES, California
RON KIND, Wisconsin                  PAT TIBERI, Ohio
BILL PASCRELL, JR., New Jersey       JON PORTER, Nevada
SHELLEY BERKLEY, Nevada
JOSEPH CROWLEY, New York
CHRIS VAN HOLLEN, Maryland
KENDRICK MEEK, Florida
ALLYSON Y. SCHWARTZ, Pennsylvania
ARTUR DAVIS, Alabama

             Janice Mays, Chief Counsel and Staff Director
                  Brett Loper, Minority Staff Director

                                 ______

                    SUBCOMMITTEE ON SOCIAL SECURITY

                 MICHAEL R. MCNULTY, New York, Chairman

SANDER M. LEVIN, Michigan            SAM JOHNSON, Texas
EARL POMEROY, North Dakota           RON LEWIS, Kentucky
ALLYSON Y. SCHWARTZ, Pennsylvania    KEVIN BRADY, Texas
ARTUR DAVIS, Alabama                 PAUL RYAN, Wisconsin
XAVIER BECERRA, California           DEVIN NUNES, California
LLOYD DOGGETT, Texas
STEPHANIE TUBBS JONES, Ohio

Pursuant to clause 2(e)(4) of Rule XI of the Rules of the House, public 
hearing records of the Committee on Ways and Means are also published 
in electronic form. The printed hearing record remains the official 
version. Because electronic submissions are used to prepare both 
printed and electronic versions of the hearing record, the process of 
converting between various electronic formats may introduce 
unintentional errors or omissions. Such occurrences are inherent in the 
current publication process and should diminish as the process is 
further refined.











                            C O N T E N T S

                               __________

                                                                   Page

Advisory of June 7, 2007, announcing the hearing.................     2

                               WITNESSES

Frederick G. Streckewald, Assistant Deputy Commissioner for 
  Program Policy Office of Disability and Income Security 
  Programs, Social Security Administration.......................     6
Steve Schaeffer, Assistant Inspector General for the Office of 
  Audit, Social Security Administration Office of the Inspector 
  General........................................................     9
Richard Stana, Director of Homeland Security and Justice, 
  Government Accountability Office...............................    11
Tyler Moran, Employment Policy Director, National Immigration Law 
  Center, Boise, Idaho...........................................    34
Angelo I. Amador, Director of Immigration Policy, U.S. Chamber of 
  Commerce.......................................................    46
Sue Meisinger, The Human Resource Initiative for a Legal 
  Workforce, Society for Human Resource Management, Alexandria, 
  Virginia.......................................................    63
Peter Neumann, Principal Scientist, Computer Science Laboratory, 
  SRI International, Menlo Park, California, on behalf of U.S. 
  Public Policy Committee of the Association for Computing 
  Machinery......................................................    68
Marc Rotenberg, Executive Director, Electronic Privacy 
  Information Center.............................................    77

                       SUBMISSIONS FOR THE RECORD

National Border Patrol, statement................................    96

 
                         EMPLOYMENT ELIGIBILITY
                          VERIFICATION SYSTEMS

                              ----------                              


                         THURSDAY, JUNE 7, 2007

             U.S. House of Representatives,
                       Committee on Ways and Means,
                            Subcommittee on Social Security
                                                    Washington, DC.

    The Subcommittee met, pursuant to notice, at 10:01 a.m., in 
Room B-318, Rayburn House Office Building, Hon. Michael R. 
McNulty (Chairman of the Subcommittee) presiding.
    [The Advisory of the hearing follows:]

ADVISORY

FROM THE 
COMMITTEE
 ON WAYS 
AND 
MEANS

                    SUBCOMMITTEE ON SOCIAL SECURITY

                                                CONTACT: (202) 225-1721
FOR IMMEDIATE RELEASE
June 07, 2007
SS-3

               McNulty Announces A Hearing on Employment

                    Eligibility Verification Systems

    Congressman Michael R. McNulty (D-NY), Chairman, Subcommittee on 
Social Security of the Committee on Ways and Means, today announced 
that the Subcommittee will hold a hearing on current and proposed 
employment eligibility verification systems and the role of the Social 
Security Administration in authenticating employment eligibility. The 
hearing will take place on Thursday, June 7, in room B-318 Rayburn 
House Office Building, beginning at 10 a.m.
    In view of the limited time available to hear witnesses, oral 
testimony at this hearing will be from invited witnesses only. However, 
any individual or organization not scheduled for an oral appearance may 
submit a written statement for consideration by the Subcommittee and 
for inclusion in the printed record of the hearing.
      

BACKGROUND:

      
    Since 1986, United States immigration law has prohibited employers 
from knowingly hiring or continuing to employ aliens who are not 
authorized to work under the Immigration and Nationality Act (INA). All 
employers are required to request that employees, once hired, produce 
documents that show they are authorized to work in the United States. 
Verification of the validity of the documents is not mandatory. The 
Social Security card is one of a number of items that an employee may 
use in combination with other identity documents to demonstrate work 
authorization.
      
    While the Department of Homeland Security (DHS) is responsible for 
enforcing the INA prohibitions on unauthorized employment, the Social 
Security Administration (SSA) plays a key role in the verification 
process. Since 1996, employers have had the option of verifying names 
and Social Security numbers (SSNs) of new hires against SSA's database 
through an employment eligibility verification system (EEVS, formerly 
known as the Basic Pilot) operated jointly by SSA and DHS. Until 2003, 
the Basic Pilot was restricted to operate in only five states, but has 
since been expanded nationally. Currently, about 16,700 employers at 
73,000 hiring sites (less than 1 percent of all establishments) 
participate in the EEVS. Most participating employers do so 
voluntarily, but some are required to use the EEVS by law or because of 
prior immigration violations.
      
    In 2006, the system received over 1.6 million requests for 
verification. Of these, 1.4 million cases were resolved by SSA. The 
bulk of the remaining cases were referred to DHS for further 
verification of work-eligibility.
      
    The Government Accountability Office (GAO) and the SSA Inspector 
General have found that the current system is hampered by inaccuracies 
in the records maintained by DHS and SSA. GAO and other auditors also 
have found that the current EEVS is vulnerable to identification 
document fraud, prohibited and privacy-violating uses by employers, as 
well as discriminatory abuse.
      
    Recent immigration reform proposals have included provisions to 
expand some version of an employment eligibility verification system. 
Some of the proposals would build on the current EEVS and require 
employers to verify all new hires, making the system mandatory for all 
7.4 million private and 90,000 public sector employers in the United 
States. These employers account for 60 million hires per year, 
according to SSA. Other proposals include a requirement that the Social 
Security card be enhanced with tamper-proof, counterfeit-resistant or 
biometric features.
      
    In announcing the hearing, Chairman McNulty stated ``If employment 
eligibility verification is to be a key enforcement tool for 
immigration policy, we must ensure the system is effective, efficient 
and feasible. We need a better understanding of the possible 
consequences and impact on the Social Security Administration if they 
are to undertake this expanded responsibility without compromising 
their core mission of administering Social Security.''
      
FOCUS OF THE HEARING:
      
    The hearing will examine the current EEVS system and proposed 
expansions, including the potential costs and increased workloads that 
would be faced by SSA. The hearing also will examine the potential 
impact on workers and employers; how it would interact with REAL ID and 
other identification methods; and the privacy implications, especially 
in light of proposed data-sharing arrangements between agencies.
      
DETAILS FOR SUBMISSION OF WRITTEN COMMENTS::
      
    Please Note: Any person(s) and/or organization(s) wishing to submit 
for the hearing record must follow the appropriate link on the hearing 
page of the Committee website and complete the informational forms. 
From the Committee homepage, http://waysandmeans.house.gov, select 
``110th Congress'' from the menu entitled, ``Committee Hearings'' 
(http:waysandmeans.house.gov/Hearings.asp?congress=18). Select the 
hearing for which you would like to submit, and click on the link 
entitled, ``Click here to provide a submission for the record.'' Once 
you have followed the online instructions, completing all informational 
forms and clicking ``submit'' on the final page, an email will be sent 
to the address which you supply confirming your interest in providing a 
submission for the record. You MUST REPLY to the email and ATTACH your 
submission as a Word or WordPerfect document, in compliance with the 
formatting requirements listed below, by close of business Thursday, 
June 21, 2007. Finally, please note that due to the change in House 
mail policy, the U.S. Capitol Police will refuse sealed-package 
deliveries to all House Office Buildings. For questions, or if you 
encounter technical problems, please call (202) 225-1721.
      
FORMATTING REQUIREMENTS:
      
    The Committee relies on electronic submissions for printing the 
official hearing record. As always, submissions will be included in the 
record according to the discretion of the Committee. The Committee will 
not alter the content of your submission, but we reserve the right to 
format it according to our guidelines. Any submission provided to the 
Committee by a witness, any supplementary materials submitted for the 
printed record, and any written comments in response to a request for 
written comments must conform to the guidelines listed below. Any 
submission or supplementary item not in compliance with these 
guidelines will not be printed, but will be maintained in the Committee 
files for review and use by the Committee.
      
    1. All submissions and supplementary materials must be provided in 
Word or WordPerfect format and MUST NOT exceed a total of 10 pages, 
including attachments. Witnesses and submitters are advised that the 
Committee relies on electronic submissions for printing the official 
hearing record.
      
    2. Copies of whole documents submitted as exhibit material will not 
be accepted for printing. Instead, exhibit material should be 
referenced and quoted or paraphrased. All exhibit material not meeting 
these specifications will be maintained in the Committee files for 
review and use by the Committee.
      
    3. All submissions must include a list of all clients, persons, 
and/or organizations on whose behalf the witness appears. A 
supplemental sheet must accompany each submission listing the name, 
company, address, telephone and fax numbers of each witness.

      
    Note: All Committee advisories and news releases are available on 
the World Wide Web at http://waysandmeans.house.gov.

      
    The Committee seeks to make its facilities accessible to persons 
with disabilities. If you are in need of special accommodations, please 
call 202-225-1721 or 202-226-3411 TTD/TTY in advance of the event (four 
business days notice is requested). Questions with regard to special 
accommodation needs in general (including availability of Committee 
materials in alternative formats) may be directed to the Committee as 
noted above.

                                

      
    Chairman MCNULTY. I want to welcome all of our witnesses 
and all of our guests here today. Our hearing today will focus 
on current and proposed systems for verifying the employment 
eligibility of American workers under immigration law.
    We are particularly interested in the impact of these 
proposals on the Social Security Administration, an agency in 
which this Subcommittee has a keen interest, and which already 
is very busy administering retirement, disability, and survivor 
benefits.
    The employment eligibility verification process relies 
heavily on SSA to confirm the validity of Social Security 
numbers assigned to workers. We currently have a modest 
employment eligibility verification system, formerly called 
Basic Pilot and now called EEVS. It is used by about 17,000 
employers at 73,000 hiring sites.
    The major immigration reform proposals being considered all 
envision a massive expansion of the system to cover all 
employers, at an estimated 7\1/2\ million hiring sites. These 
employers account for about 60 million hiring decisions per 
year.
    This expansion would present a very substantial new burden 
on SSA, which would receive upward of 60 million queries per 
year. If an employee's information does not match SSA's 
records, he or she must contact SSA, often in person, to 
present documentation and correct the record in order to keep 
their job.
    We will hear from SSA and other experts about how there are 
errors and discrepancies in the databases that would be used by 
the system. Even a low error rate of 4 percent, the estimated 
percentage of errors in a key SSA database, would result in 
millions of American workers having to contact SSA before they 
can be hired. Most of them would be U.S. citizens.
    We will also hear from an EPR panel of witnesses who will 
testify on how the proposed system would impact workers, their 
employers, and the privacy rights of American taxpayers, all of 
whom will be affected by the proposed EEVS legislation.
    Finally, we must also be wary of proposals that depend on 
the Social Security Administration to create a new national ID 
card, which is very costly and runs counter to efforts here and 
in the states to combat identity theft.
    If EEVS is to be a key enforcement tool for immigration 
policy, we must ensure that the system is effective, efficient, 
and feasible for SSA, for employers, and for employees. We must 
also ensure that if SSA is going to be given a major new role 
in enforcing immigration law, it must be provided with adequate 
resources to fulfill this new charge without compromising its 
core duty to administer Social Security.
    At this time I would like to yield to my very good friend, 
distinguished veteran, and colleague, Sam Johnson, for an 
opening statement.
    Mr. JOHNSON. Thank you, Mr. Chairman. I thank my colleague 
from New York. With New York and Texas on board, we can 
probably get it done. What do you think, Sandy?
    Mr. LEVIN. I think so. That is called power.
    Mr. JOHNSON. I appreciate you holding this hearing on 
current and proposed employment eligibility verification 
systems. I support helping employers who want to do the right 
thing and obey our immigration laws. I want to see our 
immigration laws enforced to deter those employers from 
knowingly breaking the law and hiring illegal immigrants.
    Because ID verification is an essential component of 
worksite enforcement, I want to protect workers from having 
their identities stolen by someone working under their name and 
their Social Security number.
    Right now the Social Security Administration works with the 
Department of Homeland Security to help employers voluntarily 
verify the identifying information and employment eligibility 
of their new hires. This verification system, known as the 
Employment Eligibility Verification System, or EEVS, formerly 
referred to as the Basic Pilot Program. Now any employer can 
use it for free if they choose.
    Our colleagues in the Senate are now debating immigration 
overhaul. One section of the Senate bill would require 
employers to verify that all their employees are work-
authorized. In other words, for the first time, businesses 
would be required to obtain Federal approval for their 
employees from a law enforcement agency.
    I find this to be a little chilling, and I think most 
Americans would oppose having to go through a law enforcement 
agency to gain work authorization. Also, this new and unfunded 
employer mandate would place significant burdens on employers, 
particularly small business, and the Social Security 
Administration.
    GAO and others have raised concerns regarding the accuracy 
of the underlying databases this system would rely on and 
whether responses would be timely if all employers were 
required to use the system, as opposed to less than 1 percent 
of employers using the system today.
    Worse, the current system relies on a number of so-called 
identity documents which don't stop identity thieves or the 
creation of false documents. We need to find common sense 
solutions to these problems.
    The lure of employment opportunities in the United States 
has long been acknowledged as a major reason for immigration, 
both legal and illegal. Cutting off the demand for illegal 
workers through enforcement of employment laws will help us 
secure our borders.
    This Subcommittee has had eight hearings in the past 4 
years focusing on Social Security number verification as well 
as ID issues. It is now time for us to improve the employment 
eligibility verification process so that American employers can 
confidently hire people to work. Today's witnesses will help us 
determine the best way how.
    Thank you, Mr. Chairman.
    Chairman MCNULTY. I thank the distinguished Ranking Member. 
Without objection, any additional opening statements by Members 
of the Committee will be included in the record. Of course, the 
statements by the witnesses will be included in the record in 
their entirety. We would ask, as usual, that in your testimony, 
you summarize your testimony within about 5 minutes so that we 
can allow for a maximum amount of time for the various 
questions.
    Panel No. 1 consists of Frederick Streckewald, Assistant 
Deputy Commissioner for Program Policy, Office of Disability 
and Income Security Programs, of SSA; Steve Schaeffer, 
Assistant Inspector General for the Office of Audit, Social 
Security Administration, Office of the Inspector General; and 
Richard Stana, Director of Homeland Security and Justice, 
Government Accountability Office.
    I thank all of you for being here today. We will start with 
Mr. Streckewald, and take all of your testimony together, and 
then proceed to questions.
    Mr. Streckewald.

    STATEMENT OF FREDERICK G. STRECKEWALD, ASSISTANT DEPUTY 
   COMMISSIONER FOR PROGRAM POLICY, OFFICE OF DISABILITY AND 
    INCOME SECURITY PROGRAMS, SOCIAL SECURITY ADMINISTRATION

    Mr. STRECKEWALD. Mr. Chairman and Members of the 
Subcommittee, thank you for inviting me here today to discuss 
SSA's role in helping to administer the Department of Homeland 
Security's Employment Eligibility Verification System or EEVS. 
This system, formerly known as the Basic Pilot Program, allows 
employers to verify the employment eligibility information 
provided by newly hired employees.
    Worksite enforcement is key to successful immigration 
reform, and a critical component of worksite enforcement is a 
strong employer verification system. The Administration 
supports mandatory participation in an employment eligibility 
verification system by all United States employers. We are 
pleased that you are holding the hearing today to discuss the 
impact of the expansion of EEVS on SSA, employers, and their 
employees.
    Let me begin with a little background on the current 
system. In 1996, Congress enacted the Immigration Reform and 
Immigrant Responsibility Act, which required testing three 
alternative methods of providing an effective, 
nondiscriminatory employment eligibility confirmation process. 
The current EEVS was one of these methods.
    Today there are more than 17,000 employers participating in 
EEVS at more than 77,000 worksites. So, far in 2007, we have 
handled more than 1.8 million queries, an increase of 96 
percent over the same period last year.
    Employers participate voluntarily, and they register with 
DHS to use the automated system to verify an employee's Social 
Security number and work authorization status. The employer 
submits to the system information from the employee Form I-9. 
DHS then sends this information to SSA to verify for all new 
employees that the Social Security number, name, and date of 
birth match SSA records.
    For individuals alleging U.S. citizenship, SSA will also 
confirm citizenship status, thereby confirming work 
authorization. For all non-citizens, if there is a match with 
SSA, DHS then determines the current work authorization status. 
DHS then notifies the employer of the result. Ninety-two 
percent of initial verification queries are confirmed within 
seconds.
    Proposals pending in Congress would require all employers 
in the United States to use the EEVS to verify employment 
eligibility and the identity of all new hires. These proposals 
would phase in participation over a period of time. Every year, 
however, approximately 60 million individuals start a new job. 
Therefore, we would expect mandatory participation to have a 
substantial effect on our Agency.
    SSA's role in EEVS relies upon the information in our 
Numident database, which houses the name, date of birth, and 
Social Security number of more than 441 million individuals. We 
have great confidence in the integrity of the Numident, but in 
any large system of records there will be some that require 
updating or correcting.
    Our current experience with voluntary EEVS shows that for 
every 100 queries submitted to the system, SSA field offices or 
phone representatives are contacted three times. We anticipate 
that in a mandatory system, the percentage of individuals 
coming to us will be higher than in the current voluntary 
system.
    If Congress enacts a mandatory EEVS, it is crucial that the 
tools and resources be in place to ensure that the system works 
efficiently and effectively, and that the proper safeguards are 
built in to guarantee that United States citizens and work-
authorized non-citizens receive prompt confirmation of their 
work authorization status.
    Again, thank you for inviting me here today. We are 
grateful for your ongoing efforts to ensure the Agency has the 
funding it needs to accomplish its mission. On behalf of SSA, I 
want to thank you for your continuing support for the Agency, 
for our mission, and for our dedicated workforce.
    I will be happy to answer any questions you may have.
    [The prepared statement of Mr. Streckewald follows:]
    Chairman MCNULTY. Thank you.
   Prepared Statement of Frederick G. Streckewald, Assistant Deputy 
   Commissioner for Program Policy, Office of Disability and Income 
           Security Programs, Social Security Administration
    Mr. Chairman and Members of the Subcommittee:
    Thank you for inviting me here today to discuss the Social Security 
Administration's (SSA's) role in helping to administer the Department 
of Homeland Security's (DHS) Employment Eligibility Verification System 
(EEVS). This system, formerly known as the Basic Pilot Program, allows 
employers to verify the employment eligibility information provided by 
newly hired employees.
    Worksite enforcement is key to successful immigration reform, and a 
critical component of worksite enforcement is a strong employer 
verification system. The Administration supports--and proposals 
currently pending before Congress incorporate--mandatory participation 
in an employment eligibility verification system by all United States 
employers. We are pleased that you are holding this hearing today to 
discuss the impact of the expansion of EEVS on SSA, employers and their 
employees. We are keenly aware of the need to ensure that the system 
works the way it is intended.
The History of the Current Voluntary System
    The Immigration Reform and Control Act (IRCA) of 1986 required 
employers for the first time to examine worker documents to check the 
employment eligibility of newly hired employees. Ten years later, in 
1996, Congress enacted the Illegal Immigration Reform and Immigrant 
Responsibility Act (IIRIRA), which required testing three alternative 
methods of providing an effective, nondiscriminatory employment 
eligibility confirmation process; the current EEVS was one of the three 
methods.
    The law required the voluntary EEVS to be implemented in a minimum 
of 5 of the 7 States with the highest estimated population of 
noncitizens not lawfully present in the United States. The five states 
were California, Florida, Illinois, New York and Texas.
    In March 1999, Nebraska was added to assist employers in the 
meatpacking industry. Employers in those six states were also allowed 
to include their work sites located in other states. In 2002, Congress 
extended authorization for the system for an additional 2 years. In 
2003, Congress again extended the EEVS and expanded the voluntary 
participation to include employers in all 50 States. The system will 
expire in 2008 under current law.
    In December 2004, before the nationwide expansion, there were 2,924 
participating employers. Today, there are more than 17,000 employers 
participating in the EEVS at more than 77,000 sites, and participation 
is growing by more than 1,000 employers every month. As the number of 
participating employers has grown, so has the number of queries we 
handle. In Fiscal Year (FY) 2005, SSA handled approximately 980,000 
queries; in FY 2006, we handled over 1,740,000. So far, in FY 2007, we 
have handled more than 1,800,000 queries, an increase of 96 percent 
over the same period last year.
The Process
    Employers participate voluntarily and register with DHS to use the 
automated system to verify an employee's SSN and work authorization 
status. The employer inputs information into the system from the Form 
I-9, the Employment Eligibility Verification Form. DHS then sends this 
information to SSA to verify for all new employees that the Social 
Security number, name, and date of birth submitted match information in 
SSA records. For individuals alleging United States citizenship, SSA 
will also confirm citizenship status, thereby confirming work 
authorization. For all non-citizens, if there is a match with SSA, DHS 
then determines the current work authorization status. Within three to 
five seconds, through the system, DHS notifies the employer of the 
result; employment authorized, SSA tentative nonconfirmation, DHS 
verification in progress, or DHS tentative nonconfirmation.
    Ninety-two percent of initial verification queries are confirmed 
within seconds. If SSA cannot confirm that the information matches SSA 
records or cannot confirm United States citizenship, DHS will notify 
the employer of the SSA tentative nonconfirmation. The employer must 
notify the employee of the tentative nonconfirmation in order to 
provide the employee the opportunity to contest that finding. If the 
employee contests the tentative nonconfirmation, he or she has eight 
days to visit an SSA office with the required documents to correct the 
SSA record. The employer must re-query the system to verify that the 
tentative nonconfirmation has been resolved.
    SSA has a good ongoing working relationship with DHS. Together, we 
continue to work to improve upon the operation of the current system--
to make it work more efficiently and more smoothly for employers and 
their employees. We have begun laying the groundwork to increase our 
capacity to handle substantially heavier volumes of verification 
transactions, as the voluntary program continues to grow. If Congress 
mandates the use of the system, these improvements will facilitate 
nationwide expansion.
Mandatory Participation
    There are several proposals now pending in Congress that would 
require all employers in the United States to use the EEVS to verify 
the employment eligibility and identity of all new hires. The bills we 
have seen provide for some kind of phased-in approach to mandatory 
participation and require employers operating in the Nation's critical 
infrastructures to be the first participants. Some proposals also 
require employers to verify the employment eligibility and identity of 
their entire workforce and to periodically re-verify the work 
authorization status of individuals whose temporary work authorization 
is set to expire.
    As I mentioned earlier, SSA and DHS are already working to lay the 
groundwork for broader employer participation in the current EEVS. 
Every year, approximately 60 million individuals start a new job. 
Therefore, we would expect mandatory participation to have a 
substantial effect on our Agency. It is vitally important that, when 
Congress makes a decision regarding the implementation of a mandatory 
program, we have adequate lead-time and resources. With these tools, we 
can effectively expand the EEVS and ensure that it works successfully 
without impinging on our ability to handle our other workloads.
SSA Records
    SSA matches information submitted by the employer against the 
information in our Numident database, which houses the identifying 
information, including name, date of birth, and SSN of more than 441 
million individuals. We have great confidence in the integrity of the 
Numident information. In fact, in a December 2006 report issued to 
Congress, SSA's Office of Inspector General (OIG) commended the 
accuracy of Numident information.
    Of course, in any large system of records, there will be records 
that require updating or correcting. For example, the OIG found 
discrepancies in 4.1 percent of Numident records that might lead to 
tentative nonconfirmations and that 7 percent of naturalized citizens 
had not updated their Numident records to reflect their new citizenship 
status. In the administration of our programs, we update or correct our 
records at the time an individual applies for a replacement card, 
requests a change in the record--a name change, for example--or applies 
for a Social Security benefit. As part of the process to correct our 
records, we need to verify the identity of the individual whose records 
we are updating and the information we are adding to the individual's 
records. That is why virtually all of these changes are made during a 
face-to-face interview in our field offices.
    One way we provide individuals the opportunity to review and, if 
necessary, correct their wage records is the annual Social Security 
Statement that goes to each worker 25 years or older. The Statement 
provides individuals with an annual report of wages recorded. In FY 
2006, SSA mailed approximately 145 million Statements.
    Our current experience with voluntary EEVS shows that for every 100 
queries submitted to the System, SSA field offices or phone 
representatives are contacted three times. As the number of 
participating employers increases, the number of related contacts with 
SSA will also increase. We anticipate that in a mandatory system the 
percentage of individuals coming to us will be higher than in the 
current voluntary system.
    As you know, the Agency is currently facing substantial challenges 
in meeting the workloads of our core programs. With timely and adequate 
funding, we will be able to meet the demands of a phased-in approach to 
mandatory participation. We are grateful for your ongoing efforts to 
ensure the Agency has the funding it needs to accomplish its missions.
Conclusion
    At SSA, we have a proven performance record and can and will do 
what we are called upon to do. The Administration supports a strong 
employer verification system as a critical element of a successful and 
comprehensive approach to immigration reform. As increasing numbers of 
employers participate in the current voluntary EEVS, and considering 
the even greater number that will participate if mandated by Congress, 
it is crucial that the tools and resources be in place to ensure that 
the system works efficiently and effectively and that the proper 
safeguards are built in to guarantee that United States citizens and 
work authorized noncitizens receive prompt confirmation of their work 
authorization status.
    I want to thank the Chairman and members of the Subcommittee for 
inviting me here today. On behalf of SSA, I want to thank the 
Subcommittee for its continuing support for the Agency, for our 
mission, and for our dedicated workforce.
    I will be happy to answer any questions you might have.
    Mr. Schaeffer.

 STATEMENT OF STEVEN L. SCHAEFFER, ASSISTANT INSPECTOR GENERAL 
FOR THE OFFICE OF AUDIT, SOCIAL SECURITY ADMINISTRATION OFFICE 
                    OF THE INSPECTOR GENERAL

    Mr. SCHAEFFER. Good morning, Chairman McNulty, Mr. Johnson, 
and Members of the Subcommittee. It is a pleasure to be here 
today to provide the Social Security Administration's Office of 
Inspector General's perspective on Employment Eligibility 
Verification Systems, or EEVS.
    Each agency involved in EEVS has its own contribution to 
make to the system's success. The SSA OIG's role is to evaluate 
the use of SSA data within the EEVS process and recommend 
improvements with respect to the accuracy and the security of 
such data.
    SSA's information constitutes the foundation of EEVS. The 
purpose of our evaluations and reviews is to assist SSA in 
improving the accuracy of the employer wage reporting and 
reducing SSN misuse and identity theft.
    In 2006, the former Chairman of this Subcommittee, Mr. 
McCrery, asked us to conduct several reviews relative to EEVS. 
First, to assess the accuracy of the data used by EEVS, we 
turned to SSA's Numident file. This file contains relevant 
information about Social Security number holders, including 
name, date of birth, place of birth, and citizenship status, 
and these data are used in the EEVS.
    Although we found SSA's information to be generally 
accurate, we identified discrepancies in an estimated 18 
million, or 4 percent, of the Numident records that could 
result in incorrect feedback to employers attempting to 
determine the employment eligibility of their workers.
    This incorrect feedback could lead to both false positives 
and false negatives for employees. In addition, verification 
problems may delay the hiring process and lead to an increase 
in visits to SSA's field offices.
    In our second review, to assess the functionality of EEVS, 
we gathered information on the experience of employers who had 
used EEVS, as well as those who had used SSA's Social Security 
number verification service or SSNVS. We found that 100 percent 
of the EEVS users interviewed rated the programs as excellent, 
very good, or good. In addition, at least 98 percent of the 
users indicated that their employers were very likely to 
continue to use the programs.
    About 10 percent of the EEVS users reported that they 
experienced minor problems using the two programs. In most of 
the cases, the user reported that SSA and/or DHS staff were 
able to resolve their problems timely.
    We also found, however, that approximately 42 percent of 
EEVS users were not using the program as intended. While the 
program is intended to verify the work authorization of newly 
hired employees within 3 days after they are hired, some 
employers conducted verifications for longstanding employees or 
individuals who were not yet hired. Monitoring appropriate use 
should be part of any enhanced system.
    In the third review conducted at the Subcommittee's 
request, we assessed controls over EEVS and SSA's SSNVS to 
monitor potential abuse by employers, as well as SSA and DHS's 
experience to date with this monitoring. We found that SSA had 
established effective controls over access and use of sensitive 
data in its SSNVS program, as well as effective controls to 
detect anomalies in SSNVS usage and potential misuse of the 
program.
    While we found that EEVS did not have the same level of 
controls, we reported that DHS officials were meeting with 
counterparts from SSA and the IRS to discuss potential 
enhancements to EEVS, avenues for greater cooperation, and the 
potential for adopting some of the monitoring and applicant 
verification activities already being performed under SSNVS.
    We are now completing a fourth review where we are 
assessing controls over all of SSA's employee verification 
programs as well as EEVS. This review will also highlight best 
practices, and as a part of the audit, we will determine 
whether employers are receiving a consistent reply from all of 
these services. We expect to issue this report in the next few 
months, and as always, will share a copy with the Committee.
    Through reports such as these, our efforts to ensure the 
reliability of the data used by EEVS and the functionality and 
security of EEVS helps employers report accurate wages to SSA 
and minimize the improper use of SSNs.
    Thank you, and I will be happy to answer any questions.
    Chairman MCNULTY. Thank you, Mr. Schaeffer.
    Mr. Stana.

 STATEMENT OF RICHARD M. STANA, DIRECTOR OF HOMELAND SECURITY 
         AND JUSTICE, GOVERNMENT ACCOUNTABILITY OFFICE

    Mr. STANA. Thank you, Chairman McNulty, Mr. Johnson, 
Members of the Subcommittee. I appreciate the opportunity to 
participate in today's hearing on EEVS. As we and others have 
reported in the past, the opportunity for employment is a key 
magnet attracting illegal aliens to the United States. In 1986, 
Congress passed the Immigration Reform and Control Act, which 
established an employment verification process for employers to 
verify all new hired employees' work eligibility, and a 
sanctions program for fining employers who do not comply with 
the Act. The availability and use of counterfeit documents, and 
the fraudulent use of valid documents belonging to others, have 
made it difficult for employers who want to comply with current 
employment verification processes to ensure that they hire only 
authorized workers. Counterfeit documents have also made it 
easier for employers who don't want to comply and knowingly 
hire unauthorized workers to do so without fear of sanction.
    Over the years, immigration experts have said that the 
single most important step that could be taken to manage lawful 
immigration and reduce unlawful migration is to develop an 
effective system for verifying work authorization. DHS and SSA 
currently operate the EEVS program, which is a voluntary 
automated system authorized by the 1996 Immigration Act, for 
employers to electronically check employees' work eligibility 
information against information in DHS and SSA databases. Of 
the 5.9 million employers in the U.S., about 17,000 employers 
are now registered to use the program, and only about half of 
these are active users. This program shows promise to help 
identify the use of counterfeit documents and assist U.S. 
Immigration and Customs Enforcement in better targeting its 
worksite enforcement efforts, but the following areas would 
need to be addressed before it is expanded to all employers and 
is effectively implemented as envisioned in various immigration 
reform proposals.
    First, program capacity would need to be expanded. DHS 
estimated that increasing EEVS capacity could cost it $70 
million annually for program management and $300 million to 
$400 million annually for compliance activities and staff. SSA 
officials estimated that expansion of the EEVS program to 
100,000 participants from the current 17,000 would cost $5 to 
$6 million, and noted that the cost of a mandatory EEVS would 
be much higher and driven by increased workload of its field 
office staff who resolve queries that SSA cannot immediately 
confirm.
    Second, data reliability issues would need to be addressed. 
The majority of EEVS queries entered by employers, about 92 
percent, are confirmed within seconds that the employee is 
work-authorized. About 7 percent of the queries cannot be 
immediately confirmed by SSA, and about 1 percent cannot be 
immediately confirmed by DHS. Resolving these nonconfirmations 
can take several days, or in a few cases even weeks. DHS and 
SSA are considering options for using additional automated 
checks to immediately confirm work authorization, which may be 
important should EEVS be made mandatory for all employers.
    Third, while EEVS may help to reduce document fraud, it 
cannot yet fully address identity fraud issues, for example, 
when employees present borrowed or stolen genuine documents. 
The current EEVS program is piloting a photograph screening 
tool, whereby an employer can more easily identify fraudulent 
documentation. DHS expects to expand the use of this tool to 
all participating employers by September 2007. Although 
mandatory EEVS and the associated use of the photograph 
screening tool offer some remedy, limiting the number of 
acceptable work authorization documents and making them more 
secure would help to better address identity fraud issues.
    Finally, EEVS is vulnerable to employer fraud, such as 
entering the same identity information to authorize multiple 
workers. EEVS is also vulnerable to employer misuse that 
adversely affects employees, such as employers limiting work 
assignments or pay while employees are undergoing the 
verification process. Currently there is no formal mechanism 
for sharing compliance data with ICE agents. DHS is 
establishing a new compliance and monitoring program to help 
reduce employer fraud and misuse by, for example, identifying 
patterns in employer noncompliance with program requirements. 
Information suggesting employers' fraud and misuse of the 
system could be useful in targeting limited worksite 
enforcement resources and promoting employer compliance with 
employment laws.
    As an aside, our report last summer on selected countries' 
experiences with foreign worker programs found that while 
different approaches were used, and no country we studied did 
everything perfectly or effectively, many of the same issues 
existed in these countries as exist here. These include 
ensuring only that those authorized to work could obtain 
employment; that employers comply with laws governing worksite 
conditions; that taxes and social insurance payments are 
collected; and that appropriate mechanisms are available, 
including data matching and sharing among agencies, to help 
reduce immigration and labor law violations.
    In closing, both DHS and SSA have taken a number of steps 
to address weaknesses in the current EEVS program, but much 
more needs to be done if this is going to be expanded to all 
employers. This will require a substantial investment in staff 
and other resources, at least in the near term, in both 
agencies. Implementing an EEV program that ensures that all 
individuals working in the country are doing so legally, and 
that undue burdens are not placed on employers or employees, 
will not be an easy task within the timelines suggested in 
immigration reform proposals.
    This concludes my oral statement, and I would be happy to 
answer any questions that Members of the Subcommittee may have.
    [The prepared statement of Mr. Stana follows:]
Prepared Statement of Richard Stana, Director of Homeland Security and 
               Justice, Government Accountability Office

    Mr. Chairman and Members of the Subcommittee:
    I appreciate the opportunity to be here today to participate in 
this hearing on electronic employment verification. As we and others 
have reported in the past, the opportunity for employment is one of the 
most powerful magnets attracting unauthorized immigrants to the United 
States. To help address this issue, in 1986 Congress passed the 
Immigration Reform and Control Act (IRCA),\1\ which made it illegal for 
individuals and entities to knowingly hire, continue to employ, or 
recruit or refer for a fee unauthorized workers. The act established a 
two-pronged approach for helping to limit the employment of 
unauthorized workers: (1) an employment verification process through 
which employers verify all newly hired employees' work eligibility and 
(2) a sanctions program for fining employers who do not comply with the 
act.\2\
---------------------------------------------------------------------------
    \1\ Pub. L. No. 99-603, 8 U.S.C. Sec. 1324a.
    \2\ IRCA provided for sanctions against employers who do not follow 
the employment verification (Form I-9) process. Employers who fail to 
properly complete, retain, or present for inspection a Form I-9 may 
face civil or administrative fines ranging from $110 to $1,100 for each 
employee for whom the form was not properly completed, retained, or 
presented. Employers who knowingly hire or continue to employ 
unauthorized aliens may be fined from $275 to $11,000 for each 
employee, depending on whether the violation is a first or subsequent 
offense. Employers who engage in a pattern or practice of knowingly 
hiring or continuing to employ unauthorized aliens are subject to 
criminal penalties consisting of fines up to $3,000 per unauthorized 
employee and up to 6 months' imprisonment for the entire pattern or 
practice.
---------------------------------------------------------------------------
    Following the passage of IRCA, the U.S. Commission on Immigration 
Reform and various immigration experts indicated a number of problems 
with the implementation of immigration policies and concluded that 
deterring illegal immigration requires, among other things, strategies 
that focus on disrupting the ability of illegal immigrants to gain 
employment through a more reliable employment eligibility verification 
process. In particular, the commission report and other studies found 
that the single most important step that could be taken to reduce 
unlawful migration is the development of a more effective system for 
verifying work authorization. In the over 20 years since passage of 
IRCA, the employment eligibility verification process has remained 
largely unchanged. The House and Senate are considering legislation to 
reform immigration laws and strengthen electronic employment 
verification. Some of this legislation includes proposals that would 
require implementing a mandatory, functional electronic employment 
verification program for all employers before other immigration-related 
reforms could be initiated. Currently, the U.S. Citizenship and 
Immigration Services (USCIS) administers, and Social Security 
Administration (SSA) supports, a voluntary electronic employment 
verification program, called the Employment Eligibility Verification 
(EEV) program.
    My testimony today is an update of our prior work regarding 
employment verification and worksite enforcement. Specifically, I will 
discuss our observations on the current electronic employment 
verification program and challenges to making the program mandatory for 
all employers.
    In preparing this testimony, we reviewed our past work on 
employment verification and worksite enforcement efforts.\3\ We 
analyzed updated information provided by U.S. Immigration and Customs 
Enforcement (ICE), USCIS, and SSA officials on steps they are taking to 
address weaknesses identified in our prior work, as well as challenges 
their agencies may face if an electronic employment verification 
program were made mandatory. We examined regulations, guidance, and 
other studies on the employment verification process. We also analyzed 
a report on the results of an independent evaluation of the electronic 
employment eligibility verification program, then known as the Basic 
Pilot program, conducted by the Institute for Survey Research at Temple 
University and Westat in June 2004.\4\ Furthermore, we received updated 
data on employer use of the current electronic employment eligibility 
verification system. We reviewed these data for accuracy and 
completeness and determined that these data were sufficiently reliable 
for the purposes of our review. We conducted the work reflected in this 
statement from September 2004 through July 2005 and updated this 
information in May and June 2007 in accordance with generally accepted 
government auditing standards.
---------------------------------------------------------------------------
    \3\ GAO, Immigration Enforcement: Weaknesses Hinder Employment 
Verification and Worksite Enforcement Efforts, GAO-05-813 (Washington, 
D.C.: Aug. 31, 2005).
    \4\ Institute for Survey Research and Westat, Findings of the Basic 
Pilot Program Evaluation (Washington, D.C.: June 2004).
---------------------------------------------------------------------------
Summary
    A mandatory EEV would necessitate an increased capacity at both 
USCIS and SSA to accommodate the estimated 5.9 million employers in the 
United States.\5\ As of May 2007, about 17,000 employers have 
registered for the EEV program, about half of which are active users. 
USCIS has estimated that a mandatory EEV could cost USCIS $70 million 
annually for program management and $300 million to $400 million 
annually for compliance activities and staff, depending on the method 
for implementing the program. The costs associated with other 
programmatic and system enhancements are currently unknown. SSA is 
currently refining its estimates and was not yet able to provide 
estimates for the cost of a mandatory EEV. According to SSA officials, 
the cost of a mandatory EEV would be driven by the field offices' 
increased workload required to resolve queries that SSA cannot 
immediately confirm.
---------------------------------------------------------------------------
    \5\ In 2004, the most recent year for which data are available, 
there were approximately 5.9 million firms in the United States. A firm 
is a business organization consisting of one or more domestic 
establishments in the same state and industry that were specified under 
common ownership or control. Under EEV, one employer may have multiple 
worksites that use the system. For example, a hotel chain could have 
multiple individual hotels using EEV. This hotel chain would represent 
one employer using the pilot program.
---------------------------------------------------------------------------
    USCIS and SSA are exploring options to reduce delays in the EEV 
process. According to USCIS, the majority of EEV queries entered by 
employers--about 92 percent--confirm within seconds that the employee 
is authorized to work. About 7 percent of the queries cannot be 
immediately confirmed by SSA, and about 1 percent cannot be immediately 
confirmed by USCIS. With regard to the SSA-issued tentative 
nonconfirmations,\6\ USCIS and SSA officials told us that the majority 
occur because employees' citizenship or other information, such as name 
changes, is not up to date in the SSA database. Resolving some DHS 
nonconfirmations can take several days, or in a few cases even weeks. 
USCIS and SSA are examining ways to improve the system's ability to use 
additional automated checks to immediately confirm work authorization.
---------------------------------------------------------------------------
    \6\ In general, in cases when the EEV system cannot confirm an 
employee's work authorization status through the initial automatic 
check, the system issues the employer either an SSA or a DHS tentative 
nonconfirmation of the employee's work authorization status, which 
requires the employee to resolve any data inaccuracies if he or she is 
able or chooses to do so.
---------------------------------------------------------------------------
    EEV may help reduce document fraud, but it cannot yet fully address 
identity fraud issues, for example, when employees present borrowed or 
stolen genuine documents. The current EEV program is piloting a 
photograph screening tool, whereby an employer can more easily identify 
fraudulent documentation. This tool is currently being used by over 70 
employers, and USCIS expects to expand the use of the tool to all 
participating employers by the end of summer 2007. Although mandatory 
EEV and the associated use of the photograph screening tool offer some 
remedy, further actions, such as limiting the number of acceptable work 
authorization documents and making them more secure, may be required to 
more fully address identity fraud.
    EEV is vulnerable to employer fraud that diminishes its 
effectiveness and misuse that adversely affects employees. ICE 
officials stated that EEV program data could indicate cases in which 
employers may be fraudulently using the system and therefore would help 
the agency better target its limited worksite enforcement resources 
toward those employers. EEV is also vulnerable to employer misuse that 
adversely affects employees, such as limiting work assignments or pay 
while employees are undergoing the verification process. USCIS is 
establishing a new Compliance and Monitoring program to help reduce 
employer fraud and misuse by, for example, identifying patterns in 
employer compliance with program requirements. Information suggesting 
employers' fraud or misuse of the system could be useful to other DHS 
components in targeting limited worksite enforcement resources and 
promoting employer compliance with employment laws.
Background
    In 1986, IRCA established the employment verification process based 
on employers' review of documents presented by employees to prove 
identity and work eligibility. On the Form I-9, employees must attest 
that they are U.S. citizens, lawfully admitted permanent residents, or 
aliens authorized to work in the United States. Employers must then 
certify that they have reviewed the documents presented by their 
employees to establish identity and work eligibility and that the 
documents appear genuine and relate to the individual presenting them. 
In making their certifications, employers are expected to judge whether 
the documents presented are obviously counterfeit or fraudulent. 
Employers generally are deemed in compliance with IRCA if they have 
followed the Form I-9 process in good faith, including when an 
unauthorized alien presents fraudulent documents that appear genuine. 
Following the passage of IRCA in 1986, employees could present 29 
different documents to establish their identity and/or work 
eligibility. In a 1997 interim rule, the former U.S. Immigration and 
Naturalization Service (INS) reduced the number of acceptable work 
eligibility documents from 29 to 27.\7\
---------------------------------------------------------------------------
    \7\ Eight of these documents establish both identity and employment 
eligibility (e.g., U.S. passport or permanent resident card); 12 
documents establish identity only (e.g., driver's license); and 7 
documents establish employment eligibility only (e.g., Social Security 
card).
---------------------------------------------------------------------------
    The Illegal Immigration Reform and Immigrant Responsibility Act 
(IIRIRA) \8\ of 1996 required the former INS and SSA to operate three 
voluntary pilot programs to test electronic means for employers to 
verify an employee's eligibility to work, one of which was the Basic 
Pilot Program.\9\ The Basic Pilot Program was designed to test whether 
pilot verification procedures could improve the existing employment 
verification process by reducing (1) false claims of U.S. citizenship 
and document fraud, (2) discrimination against employees, (3) 
violations of civil liberties and privacy, and (4) the burden on 
employers to verify employees' work eligibility.
---------------------------------------------------------------------------
    \8\ U.S.C. 1324a(b). IIRIRA was enacted within a larger piece of 
legislation, the Omnibus Consolidated Appropriations Act, 1997, Pub. L. 
No. 104-208, 110 Stat. 3009.
    \9\ The other two pilot programs mandated by IIRIRA--the Citizen 
Attestation Verification Pilot Program and the Machine-Readable 
Document Pilot Program--were discontinued in 2003 due to technical 
difficulties and unintended consequences identified in evaluations of 
the programs. See Institute for Survey Research and Westat, Findings of 
the Citizen Attestation Verification Pilot Program Evaluation 
(Washington, D.C.: April 2003) and Institute for Survey Research and 
Westat, Findings of the Machine-Readable Document Pilot Program 
Evaluation (Washington, D.C.: May 2003).
---------------------------------------------------------------------------
    In 2007, USCIS renamed the Basic Pilot Program the Employment 
Eligibility Verification (EEV) program. EEV provides participating 
employers with an electronic method to verify their employees' work 
eligibility. Employers may participate voluntarily in EEV, but are 
still required to complete Forms I-9 for all newly hired employees in 
accordance with IRCA. After completing the forms, these employers query 
EEV's automated system by entering employee information provided on the 
forms, such as name and Social Security number, into the EEV Web site 
within 3 working days of the employees' hire date. The program then 
electronically matches that information against information in SSA's 
NUMIDENT database and, for noncitizens, DHS databases to determine 
whether the employee is eligible to work. EEV electronically notifies 
employers whether their employees' work authorization was confirmed. 
Those queries that the DHS automated check cannot confirm are referred 
to DHS immigration status verifiers, who check employee information 
against information in other DHS databases. The EEV process is shown in 
figure 1.
Figure 1: Electronic Employment Verification Program Verification 
        Process


        [GRAPHIC NOT AVAILABLE IN TIFF FORMAT]

        

    In cases when EEV cannot confirm an employee's work authorization 
status either through the automatic check or the check by an 
immigration status verifier, the system issues the employer a tentative 
nonconfirmation of the employee's work authorization status. In this 
case, the employers must notify the affected employees of the finding, 
and the employees have the right to contest their tentative 
nonconfirmations by contacting SSA or USCIS to resolve any inaccuracies 
in their records within 8 days. During this time, employers may not 
take any adverse actions against those employees, such as limiting 
their work assignments or pay. After 10 days, employers are required to 
either immediately terminate the employment or notify DHS of the 
continued employment of workers who do not successfully contest the 
tentative nonconfirmation and those who the pilot program finds are not 
work-authorized.
    The EEV program is a part of USCIS's Systematic Alien Verification 
for Entitlements Program, which provides a variety of verification 
services for federal, state, and local government agencies. USCIS 
estimates that there are more than 150,000 federal, state, and local 
agency users that verify immigration status through the Systematic 
Alien Verification for Entitlements Program. SSA also operates various 
verification services. Among these are the Employee Verification 
Service (EVS) and the Web-based SSN Verification Service (SSNVS), which 
can be used to provide verification that employees' names and Social 
Security numbers match SSA's records. These services, designed to 
ensure accurate employer wage reporting, are offered free of charge. 
Employer use is voluntary, and the services are not widely used.
EEV Would Require An Increase in Capacity at USCIS and SSA
    Mandatory electronic employment verification would substantially 
increase the number of employers using the EEV system, which would 
place greater demands on USCIS and SSA resources. As of May 2007, about 
17,000 employers have registered to use the program, 8,863 of which 
were active users,\10\ and USCIS has estimated that employer 
registration is expected to greatly increase by the end of fiscal year 
2007. If participation in the EEV program were made mandatory, the 
program may have to accommodate all of the estimated 5.9 million 
employers in the United States. USCIS officials estimate that to meet a 
December 2008 implementation date, this could require about of 30,000 
employers to register with the system per day. The mandatory use EEV 
can affect the capacity of the system because of the increased number 
of employer queries.
---------------------------------------------------------------------------
    \10\ Active users are those employers who have run at least one 
query in fiscal year 2007.
---------------------------------------------------------------------------
    USCIS has estimated that a mandatory EEV could cost USCIS $70 
million annually for program management and $300 million to $400 
million annually for compliance activities and staff. The costs 
associated with other programmatic and system enhancements are 
currently unknown. According to USCIS, cost estimates will rise if the 
number of queries rises, although officials noted that the estimates 
may depend on the method for implementing a mandatory program. SSA 
officials told us they have estimated that expansion of the EEV program 
to levels predicted by the end of fiscal year 2007 would cost $5 to $6 
million, but SSA was not yet able to provide us estimates for the cost 
of a mandatory EEV. According to SSA officials, the cost of a mandatory 
EEV would be driven by the increased workload of its field office staff 
due to resolving SSA tentative nonconfirmations.\11\
---------------------------------------------------------------------------
    \11\ In general, in cases when the EEV system cannot confirm an 
employee's work authorization status through the initial automatic 
check, the system issues the employer a tentative nonconfirmation of 
the employee's work authorization status.
---------------------------------------------------------------------------
    A mandatory EEV would require an increase in the number of USCIS 
and SSA staff to operate the program. For example, USCIS had 13 
headquarters staff members in 2005 to run the program and 38 
immigration status verifiers available for secondary verification.\12\ 
USCIS plans to increase staff levels to 255 to manage a mandatory 
program, which includes increasing the number of immigration status 
verifiers who conduct secondary verifications.\13\ USCIS officials 
expressed concern about the difficulty in hiring these staff due to 
lengthy hiring processes, which may include government background 
checks. In addition, according to SSA officials, a mandatory EEV 
program would require additional staff at SSA field offices to 
accommodate an increase in the number of individuals visiting SSA field 
offices to resolve tentative nonconfirmations. According to SSA 
officials, the number of new staff required would depend on both the 
legislative requirements for implementing mandatory EEV and the 
effectiveness of efforts USCIS has under way to decrease the need for 
individuals to visit SSA field offices. For this reason, SSA officials 
told us they have not yet estimated how many additional staff they 
would need for a mandatory EEV.
---------------------------------------------------------------------------
    \12\ Thirty-eight immigration status verifiers were available for 
completing secondary verifications. According to USCIS, at any one time 
about 3 to 5 immigration status verifiers work to resolve tentative 
nonconfirmations. The other immigration status verifiers work on other 
verification programs, such as the Systematic Alien Verification for 
Entitlements Program.
    \13\ USCIS officials noted that this does not include staff for 
monitoring and compliance functions.
---------------------------------------------------------------------------
USCIS and SSA Are Exploring Options to Reduce Delays in the EEV Process
    In prior work, we reported that secondary verifications lengthen 
the time needed to complete the employment verification process. The 
majority of EEV queries entered by employers--about 92 percent--confirm 
within seconds that the employee is authorized to work. About 7 percent 
of the queries are not confirmed by the initial automated check and 
result in SSA-issued tentative nonconfirmations, while about 1 percent 
result in DHS-issued tentative nonconfirmations. With regard to the 
SSA-issued tentative nonconfirmations, USCIS and SSA officials told us 
that the majority occur because employees' citizenship status or other 
information, such as name changes, is not up to date in the SSA 
database. SSA does not update records unless an individual requests the 
update in person and submits the required evidence to support the 
change in its records. USCIS officials stated that, for example, when 
aliens become naturalized citizens, their citizenship status is often 
not updated in the SSA database. In addition, individuals who have 
changed their names for various reasons, such as marriage, without 
notifying SSA in person may also be issued an SSA tentative 
nonconfirmation. According to SSA officials, although SSA instructs 
individuals to report any changes in name, citizenship, or immigration 
status, many do not do so. When these individuals' information is 
queried through EEV, a tentative nonconfirmation would be issued, 
requiring them to go to an SSA field office to show proof of the change 
and to correct their records in SSA's database.
    USCIS and SSA are exploring some options to improve the efficiency 
of the verification process. For example, USCIS is exploring ways to 
automatically check for naturalized citizens' work authorization using 
DHS databases before the EEV system issues a tentative nonconfirmation. 
Furthermore, USCIS is planning to provide naturalized citizens with the 
option, on a voluntary basis, to provide their Alien Number or 
Naturalization Certification Number so that employers can query that 
information through the EEV system before referring the employees to 
SSA to resolve tentative nonconfirmations.\14\ SSA is also coordinating 
with USCIS to develop an automated secondary verification capability, 
which may reduce the need for employers to take additional steps after 
the employee resolves the SSA tentative nonconfirmation.\15\ USCIS and 
SSA officials told us that the agencies are planning to provide SSA 
field office staff with access to the EEV system so that field office 
staff can resolve the SSA tentative nonconfirmation directly in the 
system at the time the employee's record is updated at the field 
office. According to SSA officials, the automated secondary 
verification capability is tentatively scheduled to be implemented by 
October 2007. While these steps may help improve the efficiency of the 
verification process, including eliminating some SSA tentative 
nonconfirmations, they will not entirely eliminate the need for some 
individuals to visit SSA field offices to update records when 
individuals' status or other information changes.
---------------------------------------------------------------------------
    \14\ According to USCIS, providing these data to employers would be 
voluntary to help ensure that naturalized citizens are not subject to 
discrimination.
    \15\ Currently, once an individual resolves the reason for the SSA 
tentative nonconfirmation, the employer must then re-query the EEV 
system in order to finalize the verification.
---------------------------------------------------------------------------
    USCIS and SSA officials noted that because the current EEV program 
is voluntary, the percentage of individuals who are referred to SSA 
field offices to resolve tentative nonconfirmations may not accurately 
indicate the number of individuals who would be required to do so under 
a mandatory program. SSA and USCIS officials expressed concern about 
the effect on SSA field offices' workload of the number of individuals 
who would be required to physically visit a field office if EEV were 
made mandatory.
May Help Reduce Employee Document Fraud, but Cannot Yet Fully Address 
        Identity Fraud Issues
    In our prior work, we reported that EEV enhances the ability of 
participating employers to reliably verify their employees' work 
eligibility and assists participating employers with identification of 
false documents used to obtain employment.\16\ If newly hired employees 
present false information, EEV would not confirm the employees' work 
eligibility because their information, such as a false name or social 
security number, would not match SSA and DHS database information. 
However, the current EEV program is limited in its ability to help 
employers detect identity fraud, such as cases in which an individual 
presents borrowed or stolen genuine documents.
---------------------------------------------------------------------------
    \16\ GAO-05-813.
---------------------------------------------------------------------------
    USCIS has taken steps to reduce fraud associated with the use of 
documents containing valid information on which another photograph has 
been substituted for the document's original photograph. In March 2007, 
USCIS began piloting a photograph screening tool as an addition to the 
current EEV system. According to USCIS officials, the photograph 
screening tool is intended to allow an employer to verify the 
authenticity of a Lawful Permanent Resident card (green card) or 
Employment Authorization Document that contain photographs of the 
document holder by comparing individuals' photographs on the documents 
presented during the I-9 process to those maintained in DHS databases. 
As of May 2007, about 70 employers have been participating during the 
pilot phase of the photograph screening tool, and EEV has processed 
about 400 queries through the tool. USCIS expects to expand the program 
to all employers participating in EEV by the end of summer 2007.
    The use of the photograph screening tool is currently limited 
because newly hired citizens and noncitizens presenting forms of 
documentation other than green cards or Employment Authorization 
Documents to verify work eligibility are not subject to the tool. 
Expansion of the pilot photograph screening tool would require 
incorporating other forms of documentation with related databases. In 
addition, efforts to expand the tool are still in the initial planning 
stages. For example, according to USCIS officials, USCIS and the 
Department of State have begun exploring ways to include visa and U.S. 
passport documents in the tool, but these agencies have not yet reached 
agreement regarding the use of these documents. USCIS is also exploring 
a possible pilot program with state Departments of Motor Vehicles.
    In prior work we reported that although not specifically or 
comprehensively quantifiable, the prevalence of identity fraud seemed 
to be increasing, a development that may affect employers' ability to 
reliably verify employment eligibility in a mandatory EEV program. The 
large number and variety of acceptable work authorization documents--27 
under the current employment verification process--along with inherent 
vulnerabilities to counterfeiting of some of these documents, may 
complicate efforts to address identity fraud. Although mandatory EEV 
and the associated use of the photograph screening tool offers some 
remedy, further actions, such as reducing the number of acceptable work 
eligibility documents and making them more secure, may be required to 
more fully address identity fraud.
Most Employers Complied with EEV Procedures, the Program Is Vulnerable 
        to Employer Fraud That Diminishes Its Effectiveness and Misuse 
        That Adversely Affects Employees
    While Most Employers Complied with EEV Procedures, the Program Is 
Vulnerable to Employer Fraud That Diminishes Its Effectiveness and 
Misuse That Adversely Affects Employees.
    EEV is vulnerable to acts of employer fraud, such as entering the 
same identity information to authorize multiple workers. Although ICE 
has no direct role in monitoring employer use of EEV and does not have 
direct access to program information, which is maintained by USCIS, ICE 
officials told us that program data could indicate cases in which 
employers may be fraudulently using the system and therefore would help 
the agency better target its limited worksite enforcement resources 
toward those employers. ICE officials noted that, in a few cases, they 
have requested and received EEV data from USCIS on specific employers 
who participate in the program and are under ICE investigation. USCIS 
is planning to use its newly created Compliance and Monitoring program 
to refer information on employers who may be fraudulently using the EEV 
system, although USCIS and ICE are still determining what information 
is appropriate to share.
    Employees queried through EEV may be adversely affected if 
employers violate program obligations designed to protect the 
employees, by taking actions such as limiting work assignments or pay 
while employees are undergoing the verification process. The 2004 
Temple University Institute for Survey Research and Westat evaluation 
of EEV concluded that the majority of employers surveyed appeared to be 
in compliance with EEV procedures. However, the evaluation and our 
prior review found evidence of some noncompliance with these 
procedures. In 2005, we reported that EEV provided a variety of reports 
that could help USCIS determine whether employers followed program 
requirements, but that USCIS lacked sufficient staff to do so. Since 
then, USCIS has added staff to its verification office and created a 
Compliance and Monitoring program to review employers' use of the EEV 
system. However, while USCIS has hired directors for these functions, 
the program is not yet fully staffed. According to USCIS officials, 
USCIS is still in the process of determining how this program will 
carry out compliance and monitoring functions, but its activities may 
include sampling employer usage data for evidence of noncompliant 
practices, such as identifying employers who do not appear to refer 
employees contesting tentative nonconfirmations to SSA or USCIS. USCIS 
estimates that the Compliance and Monitoring program will be 
sufficiently staffed to begin identifying employer noncompliance by 
late summer 2007.
    USCIS's newly created Compliance and Monitoring program could help 
ICE better target its worksite enforcement efforts by indicating cases 
of employers' egregious misuse of the system. Currently, there is no 
formal mechanism for sharing compliance data between USCIS and ICE. ICE 
officials noted that proactive reduction of illegal employment through 
the use of functional, mandatory EEV may help reduce the need for and 
better focus worksite enforcement efforts. Moreover, these officials 
told us that mandatory use of an automated system like EEV could limit 
the ability of employers who knowingly hired unauthorized workers to 
claim that the workers presented false documents to obtain employment, 
which could assist ICE agents in proving employer violations of IRCA.
Concluding Observations
    Although efforts to reduce the employment of unauthorized workers 
in the United States necessitate a strong employment eligibility 
verification process and a credible worksite enforcement program and 
other immigration reforms may be dependent on it, a number of 
challenges face its successful implementation. The EEV program shows 
promise for enhancing the employment verification process and reducing 
document fraud if implemented on a much larger scale, and USCIS and SSA 
have undertaken a number of steps to address many of the weaknesses we 
identified in the EEV program. USCIS has also spent the last several 
years planning for an expanded or mandatory program, and has made 
progress in several areas, but it is unclear at this time the extent to 
which USCIC's efforts will be successful under mandatory EEV. It is 
clear, however, that a mandatory EEV system will require a substantial 
investment in staff and other resources, at least in the near term, in 
both agencies. There are also issues, such as identity fraud and 
intentional misuse, that will remain a challenge to the system. 
Implementing an EEV system to ensure that all individuals working in 
this country are doing so legally and that undue burdens are not placed 
on employers or employees will not be an easy task within the timelines 
suggested in reform proposals.
    This concludes my prepared statement. I would be pleased to answer 
any questions you and the subcommittee members may have.

                                 

    Chairman MCNULTY. We thank all of the witnesses for their 
testimony. Let me just begin by generally framing the issue, 
and then we will go to some of my colleagues for questions.
    This Committee has been working for some time, and as a 
matter of fact for some years, on the whole issue of the 
backlog in the disability claims and so on, and all of the 
problems related to that. And the situation as it exists right 
now I believe is a national embarrassment. When people are 
legitimately entitled to a government benefit and come to the 
government to apply for that benefit, and are told, you have to 
wait a year and a half or two years just to get an answer, I 
think that is a disgrace.
    So we are working on that as a separate issue, and we made 
some progress in the budget resolution this year, and we hope 
to have some results during the appropriations process.
    With that as a backdrop, when I look at this issue I see a 
massive new undertaking here that is going to cost an awful lot 
of money and require an awful lot of additional backup. I just 
want to elicit from you your views as to how effective you 
think we can be in a reasonable timeframe in setting up such a 
new system.
    Now, Mr. Schaeffer, you mentioned additional visits to 
field offices. If we were to expand this program to the 
estimated 60 million new hires this year, how many additional 
field office visits do you think that would entail?
    Mr. SCHAEFFER. I would hesitate to put an exact number, but 
it would be a substantial increase on the visits that are now 
taking place, and without increased staff, would obviously lead 
to the disability backlog problem probably being exacerbated as 
opposed to being addressed timely.
    Chairman MCNULTY. Based upon how past Administrations and 
Congresses have addressed the backlog issue, how confident are 
you that the resources would be there?
    Mr. SCHAEFFER. I would refer to Mr. Streckewald to answer 
that question.
    Chairman MCNULTY. That is fine.
    Mr. STRECKEWALD. I really can't hazard a guess, but our 
position is that we can do whatever Congress asks us. We always 
have, but need to be funded for it. This, as you said, Mr. 
Chairman, is a huge new workload for us if we go to mandatory 
EEVS. I think the estimate of 2 or 3,000 more work years, more 
people, hundreds of millions of dollars of more money each 
year, is in the ballpark.
    We need time to hire, equip and train new people so that 
they can do this. We don't know if we would expand our field 
offices. We would probably try to fit them into the existing 
field offices and tele-service centers. Our position is we hope 
Congress does see the need to fund us for this workload so that 
it doesn't disrupt our other critical workloads. As you 
mentioned, one of them is a top priority--the disability 
hearings.
    Chairman MCNULTY. Could you be any more specific with 
regard to the additional number of work years that would be 
involved?
    Mr. STRECKEWALD. We are still working on our final figures. 
We are looking at a couple of key elements that get us to that 
figure. One critical element is the fallout rate. Right now, 
for every 100 queries, we have three contacts to the field 
office or the tele-service centers.
    So, we are trying to use these key elements as a base and 
think through what a mandatory system would look like instead 
of a voluntary system because our assumption is that companies 
that volunteer for EEVS probably have fewer people trying to 
pass off as legal workers.
    So, we have roughly, in our estimates for mandatory EEVS 
that we are working on now, doubled the full-out rate. So, we 
figured it may be as high as 6 percent fallout rate. That 
fallout rate means that 6 percent of, let's say, 60 million new 
hires per year will be 3.6 million extra visits or phone calls 
to our field offices.
    Each one of those takes 15 to 20 minutes to resolve, and 
most of them will be resolved, as my colleague said, in 
probably just a short period of time. Some of them may take a 
little longer if we have to go through some additional 
verification processes.
    That is the business process that we already are set up to 
do. It would just greatly increase the volume of that business 
process. That is why the funding is so critical.
    Chairman MCNULTY. As we move along further in this process 
and you do your additional analysis, can you give us more 
specific information?
    Mr. STRECKEWALD. I would be glad to do that, and work with 
the Committee to do that.
    Chairman MCNULTY. Great.
    Mr. Johnson.
    Mr. JOHNSON. Thank you, Mr. Chairman.
    I would like to follow up on that, Mr. Streckewald. Why do 
you need more money and employees if it is all computerized? 
Theoretically, according to the way I am told it operates, you 
punch a button and a guy gets an instant response. You just 
said that.
    Mr. STRECKEWALD. Now, 92 percent of the time, you are 
right. Employers get an instant response. What we are looking 
at is the ones that don't have an instant response, the ones 
that don't match our records. It is about 7 percent for our 
records, I think 1 percent for DHS records.
    So, if you look at 7 percent, out of that, some people 
would never contact SSA because they are illegal workers. A lot 
of them are legal workers, are citizens, where their records 
just don't match our records. So, they come into our offices. 
They show us the proofs that they need to show. We change our 
records to make sure that they are up to date and then they fit 
what the employer has. Then employees are authorized to work, 
and life goes on.
    There is a lot of work, depending on the volume, if we go 
to a mandatory EEVS.
    Mr. JOHNSON. How do you report the ones that don't check 
out? Do you report them to----
    Mr. STRECKEWALD. The ones that come through the system and 
are verified?
    Mr. JOHNSON. That aren't verified.
    Mr. STRECKEWALD. Well, we do have a system for reporting 
those, and we are working on a system that allows us to report 
back to the employer to tell them the status of the resolution 
of the mis-match. So, we are building that system so that the 
employers will know and we will know and DHS will know how many 
cases we get and what the resolution of each case is.
    Mr. JOHNSON. Thank you. It is amazing to me that MasterCard 
and Visa can do it instantly all over the world, and you can't 
do it here.
    Mr. Stana, Mr. Rotenberg, a witness on our next panel, 
tells us last month the Department of Homeland Security lost 
the employment records of 100,000 Federal employees containing 
names, Social Security numbers, dates of birth, and bank 
account information.
    At a time when we are considering a massive expansion of 
the collection of personal information by DHS, how can we be 
sure that DHS can adequately safeguard workers' personal 
information?
    Mr. STANA. Well, let me say right up front that GAO has not 
done a stress test, a privacy test, or we haven't done any 
penetration testing of the system. We have spoken with DHS 
about their system, and they capture this sensitive information 
on an Oracle database. They have done privacy testing, and they 
are of the opinion that they can safeguard the records. They 
have done the privacy checks in accordance with law.
    Now, having said that, any time you collect data on 
hundreds of thousands or millions of people, there is always 
the chance that something may go awry. By the way, the 100,000 
example you used, I believe, was a TSA laptop. This is a little 
bit different. This is a mainframe application, mainly.
    Now, we have watched--as Members of the Subcommittee may 
have--watched USCIS test the EEVS system using a phony name to 
see what happens. The EEVS system is password protected, and it 
does have the certain kinds of protections that you would 
expect to see in remote applications.
    So, I guess it would remain to be seen exactly how safe it 
is. They do need to keep information in these databases because 
they do want to do pattern testing over time. So, another issue 
is how long do they keep the information? and DHS hasn't really 
resolved that yet, either.
    Mr. JOHNSON. Well, thank you. According to what I 
understand, less than 1 percent of the employers are 
participating in that program now. On page 8 of your testimony, 
you say that according to DHS, in order to begin implementation 
for all employers beginning in December 2008, you need 30,000--
or 30,000 employers would be required to register with the 
system per day.
    With that, substantial investment will be needed in staffs, 
systems, resources. Can you assure the Congress that such an 
enormous data collection processing system can be established?
    Mr. STANA. If you ask them to put something in place, 
something will be in place. Something is in place right now, 
and it has 17,000 registrants, and 8800 consistent users.
    Mr. JOHNSON. Is the ``something'' going to work? Is that 
system going to work?
    Mr. STANA. They are trying to expand EEVS to about 6 
million businesses. It is a very hard thing to do. If I could 
just put it into perspective, everyone on the dais is working 
on a two-year term, and there are approximately 18 months left 
in your term.
    So, if you figure it that way, by the end of your term of 
office for this term--whether you go on to the next term is 
another thing--DHS has to hire 255 program staff, 1800 
monitoring staff, procure office space, develop operating 
procedures, inform employers how to work the system, support 
worksite enforcement areas, register approximately 30,000 
businesses per day starting now. The longer you wait----
    Mr. JOHNSON. Well, how did you get those figures? You said 
GAO hasn't even looked at it yet.
    Mr. STANA. Oh, no. We looked at the program. We did not 
look at the stress testing on the computer system. These are 
all things that would have to be done so that by December 2008, 
it is ready to service 5.9 million employers.
    Now, there are ways to manage that. You can phase it in, or 
you could enroll certain industries first, perhaps those 
involving critical infrastructure. That is what it would take.
    Mr. JOHNSON. I am over my time. Thank you, Mr. Chairman.
    Chairman MCNULTY. Thank you, Mr. Johnson.
    Mr. Levin may inquire.
    Mr. LEVIN. So, what would be the cost of what you just 
read?
    Mr. STANA. What USCIS estimated for the first year of 
operation, I believe, was $70 million in management costs and 
about $300 to $400 million for compliance and investigative 
staff. That doesn't include computer upgrades that would be 
necessary. It doesn't include ICE investigators that follow up 
on any leads of employer abuse of employees or misuse. It is 
going to be substantial.
    Now, having said that, any immigration expert would 
probably tell you that of the handful of things that are must-
haves in an immigration reform proposal, this would be one of 
them. So, it is probably more a question of what type of a 
verification program you have, not whether you would have one.
    Mr. LEVIN. I think the Senate is going to be acting. They 
may act this week. And the odds seem to be that they are going 
to pass a bill. And so the odds are that we are going to need 
to address this in the House. And so we need to begin to 
prepare for the possibility, if not the probability.
    To pick up what the Chairman said, who is doing the hard 
work of itemizing the costs of this? Who is doing that?
    Mr. STRECKEWALD. In Social Security, we have a budget shop 
that works with the systems people and the programs people, and 
our field office people, everybody that has a role in this. 
They have a process they go through for any new workload. They 
try to budget it and figure what the total cost would be. They 
are just now revising those figures, so we don't have them here 
today. We will be happy to, again, submit them when they are 
available.
    Mr. LEVIN. When is that going to be?
    Mr. STRECKEWALD. When is that going to be?
    Mr. LEVIN. More or less?
    Mr. STRECKEWALD. More or less, it should be shortly. I 
don't know exactly when, but in the next few weeks or shorter, 
I would guess.
    Mr. LEVIN. No. I think if it is a few weeks, it will be 
before we pass the bill.
    Mr. STRECKEWALD. What has been very helpful to us in 
getting ready for this has been the expansion of the system 
that DHS and SSA have partnered in. DHS is registering more 
employers onto the system, which means we both have to build 
greater capacity, and we have to make sure our business 
processes are sound, and we have to move forward on building 
additional functionality into the system.
    So, that is in essence preparing us for great expansion, 
just by preparing for moderate expansion.
    Mr. LEVIN. Yes, but there is a cost to that, too. Right?
    Mr. STRECKEWALD. Yes, there is. We have a reimbursable 
agreement that we have developed between DHS and SSA that is 
not yet signed, but at this point I think it is with the 
lawyers from each agency, looking to make sure everything is 
right from their agency's perspective.
    Mr. LEVIN. And it has a cost estimate?
    Mr. STRECKEWALD. It has a cost estimate in there for this 
year. It is based upon----
    Mr. LEVIN. When you say for this year, you mean----
    Mr. STRECKEWALD. 2007.
    Mr. LEVIN. This fiscal year?
    Mr. STRECKEWALD. Right.
    Mr. LEVIN. And who is making the projection for next fiscal 
year?
    Mr. STRECKEWALD. Well, that is the budget shop that I was 
talking about a little bit earlier. They are waiting to see 
what the exact elements of a bill will be, and then they will 
plug in those provisions and do the math and come up with an 
estimate.
    Mr. LEVIN. So, you would expect that there will be 
available to the Congress within the next short period a 
detailed itemization of what this would cost, assuming there is 
complete coverage. What kind of timeline is being assumed, and 
which bill?
    Mr. STRECKEWALD. For getting it implemented, from our 
perspective? I think the timeline--the ramp-up approach--that 
is in the current bill is probably sufficient for us. It kind 
of starts slowly, then builds up.
    Mr. LEVIN. When you say the current bill, you mean?
    Mr. STRECKEWALD. The Senate bill.
    Mr. LEVIN. The Senate bill.
    Mr. STRECKEWALD. It starts over a several-year period, 
starts with critical infrastructure, moves to new hires, and 
then moves to everybody, your whole payroll. So, that allows 
us--as long as we get the money early in the fiscal year--it 
allows us to hire, train, and equip new employees to deal with 
the increased business and increased workload.
    As that ramps up, so will our efforts to hire, train, and 
equip new employees. So, we think that that is very doable with 
the appropriate funding at the beginning of each year.
    Mr. LEVIN. The appropriate funding is going to be major, is 
it not?
    Mr. STRECKEWALD. Well, as I mentioned, in the neighborhood, 
if you will, without giving any specific figures yet because 
they are not done with our estimates, it could be in the peak 
years as much as 2 to 3,000 work years or, as I say, people, 
extra people, new hires, and up to $300 million a year during 
the peak years. So, that is significant for us.
    Mr. LEVIN. Two to 3,000? That is included in the figure you 
gave?
    Mr. STRECKEWALD. Yes. I tried to convert it to millions of 
dollars. Basically--the major cost of that is people.
    Mr. LEVIN. As I close, Mr. Chairman, I think that 
underlines the need for this Congress and the Administration to 
face up to the additional costs, because we do not want it to 
deter the effort to get hold of the disability issue. You are 
going to be very blunt and direct about what is needed, right?
    Mr. STRECKEWALD. We are going to have our estimates 
shortly, and I will make sure that everybody is aware of them.
    Mr. LEVIN. Thank you.
    Chairman MCNULTY. Mr. Streckewald, what about the old 
estimate I saw here of the agency estimating that it would cost 
approximately $10 billion to issue these new cards?
    Mr. STRECKEWALD. That estimate----
    Chairman MCNULTY. That estimate is in the budget of Social 
Security.
    Mr. STRECKEWALD. Yes. We were talking about a different 
process here. If we are talking about issuing new cards--I 
think the $10 billion was reference to new cards----
    Chairman MCNULTY. Right.
    Mr. STRECKEWALD [continuing]. What we had been talking 
about was the fallout from the employer verification system. If 
we go to issuing new cards to all new workers of all people in 
the United States over 14 years of age. Yes, that figure is 
still approximately right. If you did it over 2 years or 5 
years, it is going to take about $10 billion to issue new cards 
to most of the people in the United States. I don't think it is 
much different today. It might be a little higher today than 
when that was estimated a year ago.
    Chairman MCNULTY. And I would again state for the record 
that is more than the entire SSA operating budget right now.
    Mr. STRECKEWALD. That is right.
    Chairman MCNULTY. Mr. Lewis may inquire.
    Mr. LEWIS. Thank you, Mr. Chairman.
    I just want to go back to the privacy issue just for a 
minute here. Mr. Schaeffer, your office supports data sharing 
and disclosure restrictions between the Social Security 
Administration and the Department of Homeland Security. At the 
same time, I am sure you would agree that the importance of 
protecting the privacy of taxpayers is important.
    So, what information should be shared with the Department 
of Homeland Security?
    Mr. SCHAEFFER. Well, currently there is a limit on the 
information that we can share because of IRS rules and 
regulations. Some of the information that may be useful to 
share if you really want to get a handle on people working in 
the country illegally would be to focus on the employers that 
consistently have a large number of items going into the 
earnings suspense file, which means that the name and the 
Social Security number could not match up within SSA's records 
to a legitimate number holder; and then have the appropriate 
enforcement action take place.
    It is really difficult to try to go after the individuals 
because you are really talking about millions of items that are 
going into the ESF. So, the number of employers are much more 
finite, and that is where it starts with. These employers are 
giving individuals a job where their name and Social Security 
number do not match up to SSA's records.
    Mr. LEWIS. Mr. Stana, would you like to comment?
    Mr. STANA. You know, I would be a little cautious about 
sharing a lot of data quickly with DHS if I were in SSA's 
shoes. The reasons are that, first, we haven't had the full 
certification testing of the databases, and we'd just want to 
make sure that they are in good shape security-wise.
    Second, the data that has been available to DHS in the 
past, hasn't been used. So, why would you want to release a lot 
of information that they are not likely to use? Certainly SSA 
would want to, on a case by case basis, at least, start out and 
to DHS say, what is most useful to you, how can we help you, 
and let's limit it to that initially.
    Once, DHS ramps up its compliance units, maybe there will 
be opportunities for more broadly sharing information. I think 
the kind of information that would be most useful to them, 
knowing how their worksite and employer/employee compliance 
efforts work, the kind of information that would be most useful 
would be information dealing with Social Security numbers over 
time that keep being used again and again by workers or 
employers.
    Information about patterns over 10 years of noncompliance 
might be in the earnings suspense file, maybe in other 
documents or databases. I would be very carefully initially 
about opening it up wholesale until we really had a better 
sense of what is useful.
    Mr. LEWIS. Very good. Thank you.
    Chairman MCNULTY. Thank you.
    Mr. Becerra may inquire.
    Mr. BECERRA. Thank you, Mr. Chairman. Thank you to all of 
you for your testimony. And Mr. Chairman, thank you for this 
timely hearing. I think it is important for us to move on this 
as quickly as we can in the event there is comprehensive 
immigration reform.
    Gentlemen, let me ask a question, and first focus on the 
cost of the current EEVS system. I suspect I should probably 
first ask Mr. Streckewald this: How much did the EEVS system 
cost the SSA to administer or to conduct last year, in 2006?
    Mr. STRECKEWALD. It cost us $891,000.
    Mr. BECERRA. Under an agreement you have with DHS, Homeland 
Security, you are to be reimbursed for those costs of doing 
those inquiries?
    Mr. STRECKEWALD. Yes.
    Mr. BECERRA. Have you yet been reimbursed?
    Mr. STRECKEWALD. No. Not for that money.
    Mr. BECERRA. Are you expecting to be reimbursed?
    Mr. STRECKEWALD. We hope to be reimbursed.
    [Laughter.]
    Mr. STRECKEWALD. I assume our lawyers are still working to 
resolve it, but that is almost a million dollars. That is a lot 
of money. Actually, it is a million if you count a little bit 
of money left over from 2005 that they weren't able to pay us. 
So, approximately a million dollars, and to us every million 
counts. So, we do hope to get that money reimbursed.
    Mr. BECERRA. You mentioned a scary word, lawyers. Is there 
a reason why a Federal Government agency, SSA, is having to 
employ its lawyers to talk to another Federal Government 
agency, the Department of Homeland Security, when it has an 
agreement, a document, that says that it is to be reimbursed?
    Mr. STRECKEWALD. I can't speak to that. I know that DHS 
felt that it didn't get the funding in order to be able to 
reimburse us, and we said, well, we are doing work here. So 
there has been a friendly, so far, exchange of arguments. I 
hope that it does get resolved where we are reimbursed for the 
money. I don't disagree with the point you are making.
    Mr. BECERRA. Mr. Chairman, we may want to inquire of DHS 
when we have that opportunity.
    My understanding is, and you can correct me, Mr. 
Streckewald, if I am wrong, but that for every million dollars, 
you could conduct some 565 additional disability hearings to 
help reduce that backlog of over 1.3 million cases of Americans 
waiting to have their disability claim processed through SSA.
    Mr. STRECKEWALD. That is true.
    Mr. BECERRA. So for every million dollars that DHS doesn't 
reimburse you, under which they have an agreement to do so, 
then you have to either cut back on services or allow those 
individuals to wait even longer as they wait for their hearing 
to determine if they should be receiving disability benefits.
    Mr. STRECKEWALD. You are right.
    Mr. BECERRA. How much have you spent so far to date doing 
the inquiries that are required under the EEVS system, the 
employment verification system, for DHS?
    Mr. STRECKEWALD. This year?
    Mr. BECERRA. Yes.
    Mr. STRECKEWALD. We have had 1.8 million inquiries, or 
queries. So, what we are doing is setting up a reimbursable 
agreement for the rest of the year because this was----
    Mr. BECERRA. If you could try to just give me the answer. I 
apologize. It is just that I am going to run out of time. How 
much do you estimate you have spent to date conducting EEVS 
services for DHS?
    Mr. STRECKEWALD. Well, I think it would be in the 
neighborhood of $2 million that SSA has not been reimbursed 
because last year it was nearly a million. This year, so far, 
we are about the pace of last year. So, approximately $2 
million. We could probably submit the exact number for the 
record. [INSERT]
    Mr. BECERRA. Could you do that? My understanding from some 
of the information we received from Committee staff was that it 
was now exceeding $5 million.
    Mr. STRECKEWALD. $5.9 million is the amount for all of FY 
2007. We have a reimbursable agreement that we are working on 
with DHS. They say they are going to sign it and that they have 
the money this year. So, for FY 2007, it is about $5.9 million, 
and that would cover us.
    Mr. BECERRA. I see. So, that is the projection for the 
entire year 2007?
    Mr. STRECKEWALD. Yes. Yes.
    Mr. BECERRA. Maybe we can help because I think it is 
outrageous that you are conducting a service that is outside 
the core mission of your work for an agency under which you 
have an agreement to do this, which is essential work, yet you 
are having to underfund your programs that are helping lots of 
Americans who are in desperate need in some cases of this 
assistance.
    So, perhaps, Mr. Chairman, we can try to lend a hand to SSA 
to try to get reimbursed for the monies it is due for the work 
that it is done.
    Let me ask a question with regard to error rates. I know 
this has always been an issue with regard to the SSA and the 
Social Security card because the Social Security number was 
never meant to be a data-confirming number other than for 
purposes of Social Security benefits.
    Tell me when I am wrong. I understand from an inspector 
general report that was done back in December 2006--and Mr. 
Schaeffer, please tell me if I am incorrect on this--I 
understand that there are about 17.8 million employees who are 
erroneously categorized as nonconfirmed in these checks that 
are done simply as a result of discrepancies that are related 
to their name, birth date, or citizenship status.
    So, if someone gets married, the current file doesn't 
reflect that that individual has changed his or her her name as 
a result of marriage. There are 17.8 million employees who 
don't check out. That is about 4.1 percent.
    Mr. SCHAEFFER. That is basically correct. I wouldn't say 
they are all employees. That is of the active Social Security 
numbers in SSA's database, which theoretically they all could 
be employees, but they all may not be employees.
    Mr. BECERRA. Thank you for that correction. There are 
approximately about 5 million new hires per month in this 
country, more or less?
    Mr. SCHAEFFER. Right.
    Mr. BECERRA. So, if you take that 4 percent error rate and 
apply it to the 5 million or so new hires that occur every 
year, and you are talking about somewhere close to--or over 
200,000 Americans on a monthly basis, about 2.5 million people 
on a yearly basis, who could, based on discrepancies, be 
misidentified as not eligible to work using the current Social 
Security database with its current list of errors. Have I said 
anything wrong here?
    Mr. SCHAEFFER. No. That is theoretically possible. One 
would hope that things would get better over time.
    Mr. BECERRA. And, of course the error rate is higher, my 
understanding is, for foreign-born U.S. citizens. So, if you 
happen to be born in another country but you have citizenship 
by birthright, by your parentage, or for individuals who have 
come to this country and have since become citizens, the error 
rates are even higher for them.
    Mr. SCHAEFFER. That is correct.
    Mr. BECERRA. Mr. Streckewald, you wanted to say something?
    Mr. STRECKEWALD. Yes. I don't disagree with your figures. I 
would maybe just clarify by saying that it is tentative 
nonconfirmation. You are right, they are going to be told 
tentatively it looks like you don't have authorization to work. 
They come in to us, we straighten it out, and then they are 
authorized to work.
    So, it is not pleasant to have to do that, but it gets 
updated and they get to work.
    Mr. BECERRA. Mr. Chairman, I know my time has expired so I 
won't ask any more questions other than to just make the 
following point. My understanding is that your field offices 
serve some 42 million visitors a year. You have lost--Social 
Security Administration has lost--some 2,400 positions in the 
past 19 months, and you are at your lowest staffing level now 
that you have been since the 1970s.
    Your processing time in most cases in most offices takes 
over 900 days. You requested a budget of President Bush 
totaling $10.4 billion. The President's budget allotted Social 
Security Administration $9.6 million. That is an $800 million 
loss right there.
    With all of these tasks that are placed upon you and with 
the burdens fiscally that you have, Mr. Chairman, I think it 
becomes very obvious that we have to really examine this and 
try to help make sure that SSA not only gets reimbursed from 
DHS for money that it is due, but also that we get the 
resources to the agency to make sure that if we do move forward 
on immigration reform, they are able to do this, and not at the 
expense of Social Security applicants for disability benefits 
or Social Security benefits.
    Thank you.
    Chairman MCNULTY. Mr. Ryan may inquire.
    Mr. RYAN. Thank you. First of all, Mr. Chairman, I want to 
thank you for having this hearing. Very good timing on this. We 
need to do this.
    As I look at this and I see this immigration bill most 
likely passing the Senate, it seems, and probably next week, is 
what we hear, and then coming our way, we really have to get 
our hands around this. I think most Members of Congress believe 
we need comprehensive immigration reform.
    Then when you look at comprehensive immigration reform, 
most people conclude a central premise of that is an airtight 
worker verification system. So, we all kind of agree that that 
is necessary.
    Then when we look at this system, the word fiasco comes to 
my mind, to be honest with you. I guess here is the couple 
questions I want to ask. Number one, do you really believe we 
could get this thing up and running in 18 months and have a 
minuscule error rate? Do you really believe that?
    Mr. STRECKEWALD. From Social Security's perspective, I 
think we will. Again, the funding is critical, but we have 
risen to challenges that we have been faced with. We will get 
it done.
    I can't speak to what the error rate will be, but right now 
it is at about three contacts for every hundred queries. We 
would like to get that down, but it is unknown in the future 
what that will be if all employees must go through the system. 
We can get it done with the proper funding.
    Mr. RYAN. Then what pieces of personal information does 
Homeland Security think they are going to need at the end of 
the day to make this work?
    Mr. STANA. First, if I might address the question this way.
    Mr. RYAN. Sure. I would appreciate that.
    Mr. STANA. To say the least, this is going to be a 
tremendous challenge. You are talking about signing up 30,000 
employers per day from now until December 2008. What if 
employers wait until fall 2008 to enroll? Then there's the need 
to hire staff. Do background checks. Get office space. Procure 
new computer equipment. You never say never, and something will 
probably be available in December 2008. Is it going to be 
something that 5.9 million employers can use? It is going to be 
a challenge for DHS.
    Now, your other question was dealing with the----
    Mr. RYAN. The pieces of information, all the pieces you 
think they need.
    Mr. STANA. The information that goes to Social Security for 
EEVS, I believe, are name, Social Security number, and date of 
birth. That is what goes, and it is checked against the 
Numident database. The information for checking against DHS 
databases include the name and the A number, alien number, or 
the employment authorization number. That is the extent of the 
information used. They get either a confirm or nonconfirm.
    Mr. RYAN. The goal of the system is twofold. Right? You are 
who you say you are, and you are eligible to work in this 
country.
    Mr. STANA. Also you are work-authorized.
    Mr. RYAN. Right?
    Mr. STANA. Yes.
    Mr. RYAN. Have you ever considered the idea of maybe having 
a private-based identity system for identifying who you are, 
and then referencing the Social Security database to see if you 
are eligible to work or not? Have you ever considered those 
kinds of ideas, those kinds of systems?
    Mr. STANA. GAO hasn't seen those kinds of things being 
seriously considered. I have heard discussions of using other 
means. Mr. Johnson mentioned, swiping a credit card, and why 
can't you get the verification done quicker?
    Mr. RYAN. Yes. Right.
    Mr. STANA. I have heard of using private sector facilities 
like credit card terminals but one of the stoppers, frankly, is 
getting the right equipment out to the employers to use for 
this quick verification. Right now it just requires a computer 
and Internet access. If you want to do something more with 
biometrics, it may require something more sophisticated. I have 
heard the ``credit card'' solution tossed around, but not 
seriously considered.
    Mr. RYAN. So, $370 million is the number I just heard when 
I added up all that you said you think you need, Mr. 
Streckewald. So, $370 million I am taking as sort of the 
minimum up-front cost annually to get a system like this going. 
You are going to give us----
    Mr. STRECKEWALD. We don't have the exact figures yet, but--
--
    Mr. RYAN. But you are going to give us a budget estimate in 
about three or four weeks, you told Mr. Levin?
    Mr. STRECKEWALD. I hope to be able to. We will get it to 
you as soon as it is done.
    Mr. RYAN. So, that number will probably go up to half a 
billion?
    Mr. STRECKEWALD. That was the figure for DHS. Three to $400 
million for compliance staff, and another $70 million for 
program management. So, it could be $370 to $470 million.
    Mr. RYAN. By the end of our terms, we are going to be--I 
don't see a clock so I don't know what my time is--but by the 
end of our terms here, by 18 months, we are expecting every 
employer to verify every--actually, it is a four-year staggered 
process. Correct? So, can you walk me through that? I am not 
precisely familiar with the Senate bill, but it is--how do they 
roll in who all is checked?
    Mr. STRECKEWALD. If I recall----
    Mr. STANA. I have got that.
    Mr. STRECKEWALD. Why don't you go ahead. It does ramp up.
    Mr. STANA. There are two----
    Mr. RYAN. What is the ramp-up?
    Mr. STANA. Gutierrez-Flake is a different version, but I 
can give you both, if you like. The Senate version is in six 
months you want all new employees hired after the act is passed 
in critical infrastructure and government to be verified. By 18 
months, you want new employees in all sectors to be verified. 
After three years, you want all employees, old and new to be 
verified. That is the Senate proposal.
    Mr. RYAN. Three years? Okay.
    Mr. STANA. On the Gutierrez-Flake proposal, the STRIVE Act, 
it is in year one, all employees working in critical 
infrastructure are to be verified. In year two, all large firms 
with 5,000 or more employees would have their employees 
verified. In the third year, mid-size firms would be added. In 
the fourth year, employees in small firms would be verified. 
Those criteria could probably be adjusted if need be.
    This gets to the stress that is put on the field offices. 
It depends on how you manage EEVS implementation. Once an 
employee's data is validated in NUMIDENT, he or she is probably 
not going to get nonconfirms when seeking employment in the 
future unless there is a name change due to marriage, for 
example.
    Mr. RYAN. Well, I would simply just say, Mr. Chairman, I 
think we owe it to our constituents, our colleagues, and our 
country to try and fix this or figure this out if this train is 
really coming on the rails as fast as it looks like it might 
be.
    I would like to look into the possibility of not 
necessarily having a centralized database but a decentralized 
database, where we can use some of the ingenuity that is going 
out there in the private sector.
    So, with that, I yield. Thanks.
    Chairman MCNULTY. Ms. Tubbs Jones may inquire.
    Ms. TUBBS JONES. Thank you, Mr. Chairman. Gentlemen, I 
apologize for being late. In Congress they give us lots of 
things to do.
    I want to speak to Mr. Streckewald. You are real 
optimistic. You oversee the disability and income security 
programs. Do you know how many people there are in America that 
are waiting for a disability determination? We haven't fixed 
that yet, to then give you a greater responsibility of doing an 
employment verification system.
    How many people do you need to fix that part before you do 
employment verification?
    Mr. STRECKEWALD. Well, we are still looking at what 
approach will work best. My understanding, we have come up with 
a multi-faceted approach that not only looks at the old cases 
to try to get them out and get decisions on them, but also 
tries to sort through the new ones so that they don't become 
the old cases. So, I think the Commissioner is coming out with 
a plan shortly on that.
    Ms. TUBBS JONES. Then we are trying to figure out how we 
hire the employees to do the work that needs to be done. The 
issue was that there is a 10-year-old list of hearing officers 
and we have to hire some new ones.
    So, in employment verification, it is likely there is going 
to be a list, that we have to put the list together to hire the 
people from the list, and on and on and on? Come on. Be real 
with us. I know the Administration is saying what you can do, 
but the reality is that this is not going to happen. I know you 
don't want to say it. I am going to say it for you. This ain't 
going to happen.
    [Laughter.]
    Mr. STRECKEWALD. We like to think with proper funding, this 
particular business process is doable. I apologize for seeming 
overly optimistic.
    Ms. TUBBS JONES. You know, that is what we heard about--and 
I am not pointing individually at you or any of your colleagues 
at the table. Realism has to set in somewhere in this process 
so that there is not an anticipation by the people of America 
that we can do what people are talking about doing within 18 
months.
    I am more of a person that would say I love individual 
ingenuity, and privatization is something that could happen, 
but I also like people having jobs that are guaranteed and 
secure. There are people who would love to come and work at the 
Government till and have an opportunity to pursue this.
    So, I would like to encourage you to figure out, if 
everybody else is doing it, why can't the Federal Government do 
it? Why can't we come up with a system by which we can do the 
work of employment verification?
    I could ask a lot of questions, but the bottom line for me 
is, tell me the truth. Don't--and I am not saying you are 
lying--don't misunderstand me, but don't make me anticipate 
more than I am really going to get.
    Mr. Chairman, Ranking Member, thank you so much for the 
opportunity to ask the questions. I am running. Thanks.
    Chairman MCNULTY. The Ranking Member has an additional 
question.
    Mr. JOHNSON. Mr. Schaeffer and Mr. Stana, I would like to 
ask you this one question: Is it possible to achieve a tamper-
proof, fraud-resistant ID card?
    Mr. STANA. Is it possible?
    Mr. JOHNSON. Yes. I want to listen to him first.
    Mr. SCHAEFFER. I would say anything is possible. However, 
the probability of achieving that, I think, would be very 
difficult. Most things that happen in that, once the card is 
out there and the people that want to circumvent that, once 
they start reverse engineering, almost always they develop the 
ability to do so.
    So, you may have a tamper-proof card today and it may last 
for a period of time. It may not be--to me, the probability 
that the tamper-proof card that you develop today, for it 
lasting forever, I would say a very small probability, that you 
would have to continually be revising that card, with the 
associated cost associated with it, to have to stay one step 
ahead of those who would be looking at a way to defeat it.
    Mr. JOHNSON. Mr. Stana?
    Mr. STANA. I would say it is possible. If you put the right 
security features on an identity card, it might be useful for 
some time. Those security features would be mainly biometric--
retina scans, enhanced fingerprints, other digital information.
    I would also note for this purpose of verifying that the 
person who is sitting in front of you, if you are the 
employer--is the individual who they say they are--would 
probably require some expensive equipment for employers to 
maintain. So, that is the other aspect of it.
    There are secure cards that are used to verify identity in 
top secret locations, and I suppose you could use those kinds 
of cards. I agree with my friend here that it is a matter of 
time before secure cards and systems get hacked. You would have 
to probably renew a card periodically to keep it reliable and 
secure.
    Mr. JOHNSON. Thank you, Mr. Chairman.
    Chairman MCNULTY. I thank all of the members of the panel. 
Members may have additional questions that they want to submit 
to you in writing, and I would ask that you would reply to 
them. I would ask you to respond to some staff inquiries that 
we may have as a result of your testimony at the hearing today, 
too.
    Mr. Streckewald mentioned that the Social Security 
Administration has risen to past challenges. I believe he is 
correct, when--and you had that big qualifier there--when the 
proper resources are made available.
    So that is a big qualifier on this whole issue. I would 
submit to you that the resources have not been made available 
with regard to the disability backlog. That is why that is an 
unmitigated disaster.
    There is no reason why a citizen of the United States of 
America should come to the Social Security agency or to a 
Member of Congress with an application for benefits, and be 
told, we will get back to you in a year and a half or two 
years.
    That is a disgrace. That is because you don't have the 
proper resources to do that. So, before we embark on any new 
big expanded program, one of my main concerns is going to be to 
make sure that if we do this, that we do have the proper 
resources.
    We thank all the members of the panel. We will now hear 
from panel two.
    [Pause.]
    Chairman MCNULTY. We thank all of the panel members for 
being here. Let me just begin by introducing the panel members.
    Tyler Moran, Employment Policy Director of the National 
Immigration Law Center.
    Angelo Amador, Director of Immigration Policy, U.S. Chamber 
of Commerce.
    Sue Meisinger, President and CEO, Society for Human 
Resource Management, on behalf of the Human Resource Initiative 
for Illegal Workforce.
    Peter Neumann, Principal Scientist, SRI International, on 
behalf of U.S. Public Policy Committee of the Association for 
Computing Machinery.
    Marc Rotenberg, Executive Director, Electronic Privacy 
Information Center.
    So, we thank all of you for being here. Your entire 
testimony will be included in the official record. We ask that 
you summarize your comments to stay within 5 minutes. You see 
the little prompter in front of you; when the amber light comes 
on, we ask you to try to wrap up and conclude when the red 
light appears.
    Again, we thank you for taking time out of your busy 
schedules to help us address this issue. We will start with Ms. 
Moran.

STATEMENT OF TYLER MORAN, EMPLOYMENT POLICY DIRECTOR, NATIONAL 
              IMMIGRATION LAW CENTER, BOISE, IDAHO

    Ms. MORAN. Good morning, Chairman and Mr. Johnson, Members 
of the Committee. Thank you for the opportunity to allow me to 
address the critical issue of EEVS, or EEVS. This issue has not 
received the attention it deserves, and so it is critical that 
this Committee is holding a hearing today.
    My name is Tyler Moran. I am the Employment Policy Director 
for the National Immigration Law Center. NILC is a nonpartisan 
national legal advocacy organization that works to promote and 
advance the rights of low-income immigrants and their families.
    NILC has tracked the Basic Pilot Program since it was 
implemented in 1997, and we have extensive experience assisting 
immigrant advocates in responding to problems with the program, 
including the way in which it has been used to adversely affect 
workers.
    Because of this experience, we do not support a mandatory 
EEVS. However, because it enjoys almost universal support in 
Congress, we want to work with you all to ensure that a system 
is implemented that is accurate and that avoids negative 
consequences for workers, both U.S.-born and immigrant.
    While the focus of the Basic Pilot and the immigration 
reform debate has largely focused on DHS, as you heard this 
morning, SSA plays an integral role in its functionality. If it 
were to become mandatory, SSA would have to process 60 million 
queries per year versus the 1.8 it currently does.
    So, a number of studies have found that the Basic Pilot 
Program has significant weaknesses, including its reliance on 
government databases that have unacceptably high error rates, 
and employer misuse of the program to take adverse action 
against workers. The significant weaknesses that exist in the 
current program, which serves approximately 17,000 employers, 
would be greatly exacerbated if the program were to surge to 
over six million.
    Improvements to the Basic Pilot have been made in the past 
10 years, but they are not sufficient enough for a mandatory 
program that, because of database errors, could take away 
people's livelihood. Additionally, if the current flaws are not 
addressed before it is made mandatory, it could lead to 
noncompliance, which would result in certain businesses and 
workers moving into the underground, unregulated cash economy, 
which could result in billion-dollar losses in Federal, state, 
and local tax revenues. A similar situation would occur if an 
EEVS were to be implemented outside the context of 
comprehensive immigration reform.
    So, the database errors: As you heard this morning, we have 
got a 4.1 percent error rate. The error rate affects all 
workers, but it disproportionately affects immigrants. The 
impact is the most on foreign-born naturalized citizens.
    Most people don't know when you naturalize to tell SSA that 
they changed their status. So, there are over three million 
records that have incorrect information on those folks. So they 
are going to have to go into SSA field offices to correct the 
information. So, the burden on your constituents could be 
enormous.
    When workers receive a tentative nonconfirmation, they 
can't call the SSA field office. They actually have to 
physically go into the SSA field office. Right now, one-third 
of people simply applying for an SSN have to go back to the 
office with additional documentation. They have to make two 
trips.
    From testimony from the National Council of Social Security 
Management Associations, wait times in field offices are 
running 2 to 3 hours, with some over 4 hours. So, if you think 
you are getting calls on disability right now, just wait until 
this is implemented.
    So, the independent evaluation also found that employers 
misuse the Basic Pilot. For example, the law requires that you 
first extend a job offer and then you put the person's 
information through the system. In violation of this 
requirement, 42 percent of employers put workers through Basic 
Pilot before extending a job offer.
    Why is this a problem? It is a problem because, because of 
these high error rates, most people who get tentative 
nonconfirmations are actually authorized to work. So, if they 
are not hired because of a tentative nonconfirmation, they 
never know that there is a problem, they are never hired, and 
then they can't go and fix the database errors. It might happen 
again at their next job.
    Employers also penalize workers who receive tentative 
nonconfirmations, and 45 percent of employers subject people to 
pay cuts, delays in job training, and other restrictions on 
working.
    So, what do we need to do to have a workable system? First, 
I want to start out and say the STRIVE Act in the House is what 
we consider the best effort at addressing an EEVS in a 
meaningful and thoughtful way. I do want to mention, too, that 
there is an independent evaluation commissioned by USCIS that 
has not been released to the public, and I would urge you all 
to get a copy of that report before you move forward. It is by 
the Westat Corporation.
    So, one, we need to phase in the system at a reasonable 
rate, and we need to have objective benchmarks. So, SSA and DHS 
have to prove to us they can meet certain levels of database 
accuracy, privacy, employer compliance with the system, and low 
error rates before the system is implemented. It is simple: 
Prove the system works before you implement it.
    Two, include meaningful due process protections because for 
the first time in the history of this country, your 
constituents are going to have to ask the Federal Government 
for permission to work. If they are wrongly denied, they are 
going to be mad, and there should be a way for them to correct 
those errors.
    Last, include workable documentation requirements that do 
not require a real ID license or a hardened SSN card, neither 
of which exist. Fifteen states thus far have said they will not 
implement the REAL ID Act.
    Last, I forgot, strong anti-discrimination protections that 
prohibit employers from misusing the EEVS to penalize workers.
    So, I just want to conclude by saying the House of 
Representatives is going to move forward on a immigration bill 
after the Senate finishes up this week. It is critical that it 
be guided by the lessons learned of the last 10 years of Basic 
Pilot. Since so much of the focus is on DHS, it will be 
critical for this Committee to work with the Judiciary 
Committee to help inform them about the impact of the system on 
SSA, and what resources will be needed to fix those database 
errors, and also how the agency can work with DHS to make sure 
that employers are following the rules and not taking adverse 
action against workers.
    So, I would be happy to answer any questions, particularly 
about any of the proposals before Congress right now.
    [The prepared statement of Ms. Moran follows:]

Prepared Statement of Tyler Moran, Employment Policy Director, National 
                  Immigration Law Center, Boise, Idaho
    Members of the Committee, thank you for the opportunity to address 
the critical issue of current and proposed electronic employment 
verification systems (EEVS). My name is Tyler Moran, and I am the 
Employment Policy Director at the National Immigration Law Center 
(NILC). NILC is a nonpartisan national legal advocacy organization that 
works to advance and promote the rights of low-income immigrants and 
their family members. Since its inception in 1979, NILC has earned a 
national reputation as a leading expert on the intersection of 
immigration law and the employment rights of low-income immigrants. 
NILC's extensive knowledge of the complex interplay between immigrants' 
legal status and their rights under U.S. employment laws is an 
important resource for immigrant rights coalitions and community 
groups, as well as national advocacy groups, policymakers, attorneys 
and legal aid groups, workers' rights advocates, labor unions, 
government agencies, and the media.
Overview
    My testimony today will focus on (1) the limitations of the current 
electronic employment verification system--the Basic Pilot program--
upon which most proposed EEVS are based; (2) a summary of the impact of 
a flawed EEVS on the Social Security Administration (SSA) and on 
foreign-born workers; (3) an explanation of what provisions must be 
included in any mandatory EEVS; and (4) an analysis of the EEVS 
proposed in the 2007 House and Senate comprehensive immigration reform 
bills.
    NILC has tracked the Basic Pilot program since it was implemented 
in 1997 and has extensive experience assisting immigrant advocates, 
attorneys, unions and other worker advocates in responding to problems 
with the program, including the way in which it has adversely affected 
workers. Because of this experience, we do not support expansion of a 
mandatory EEVS. However, because the concept enjoys almost universal 
support in Congress, and therefore will almost certainly be 
incorporated into any comprehensive immigration reform bill, we want to 
ensure that any proposed system be designed so as to avoid negative 
consequences for workers--both immigrant and U.S.-born.
    While the focus of Basic Pilot has largely been on the Department 
of Homeland Security (DHS) and its agency that administers the 
program--the U.S. Citizenship and Immigration Services (USCIS)--the SSA 
also plays an integral role in ensuring its functionality. In fact, SSA 
must verify the name, Social Security number (SSN), and date of birth 
(and citizenship status of U.S. citizens) of every worker in the 
country whose employer participates in the Basic Pilot. If Basic Pilot 
were to become mandatory (and apply only to new hires), this would mean 
that SSA would need to process 50-60 million queries per year, versus 
the 1.8 million queries that the agency processed in 2006.\1\
---------------------------------------------------------------------------
    \1\ According to former Commissioner Barnhart, SSA averaged 150,000 
queries per month in 2006. See Jo Anne B. Barnhart, Testimony before 
the House Committee on Ways and Means (Social Security Administration, 
July 26, 2006), http://waysandmeans.house.gov/hearings.asp? 
formmode=printfriendly&id=5172.
---------------------------------------------------------------------------
    It is therefore essential that this Committee understand what it 
will take to create a system that functions with a high level of data 
accuracy, is properly monitored, and does not unintentionally promote 
employment discrimination. If implemented using the existing 
technology, procedures, and databases, the financial costs would be 
high and the inaccurate results would have a human cost borne by U.S.-
born and immigrant workers. In addition, an expanded system would 
result in dangerous privacy breaches and increased discrimination 
against individuals who look or sound foreign.
The Social Security Administration's Role in the Basic Pilot Program
    The Basic Pilot Program is an Internet-based program that allows 
employers to electronically verify new workers' employment eligibility 
by directly checking the records maintained by SSA and DHS. The program 
is one of the three pilots created by the Illegal Immigration Reform 
and Immigrant Responsibility Act of 1996, which began operating in six 
states in 1997. The other two pilot programs were discontinued. 
However, in December 2004 Congress extended the Basic Pilot to all 50 
states, and it is now available to employers who voluntarily choose to 
participate in the program, although certain employers who have been 
found to unlawfully hire unauthorized workers or who have discriminated 
against workers on the basis of national origin or citizenship status 
may be required to participate. According to DHS, 16,000 employers are 
currently enrolled in the program.\2\
---------------------------------------------------------------------------
    \2\ Jock Scharfen, Testimony before the Subcommittee on 
Immigration, Citizenship, Refugees, Border Security, and International 
Law, Committee on the Judiciary, U.S. House of Representatives: 
Problems in The Current Employment Verification and Worksite 
Enforcement System (USCIS, U.S. Dept. of Homeland Security, April 24, 
2007), http://judiciary.house.gov/media/pdfs/Scharfen070424.pdf.
---------------------------------------------------------------------------
How the Verification Process Works at SSA \3\
    Before employers can use the Basic Pilot program, they must first 
sign a memorandum of understanding (MOU), which sets forth the points 
of agreement between SSA, DHS, and the employer regarding the 
employer's participation in the program. Employers must also complete 
an online training and display a notice at the workplace from DHS 
indicating the employer's participation in the program, and an 
antidiscrimination notice from the Office of Special Council for 
Immigration-Related Unfair Employment Practices, Department of Justice.
---------------------------------------------------------------------------
    \3\ For more information on the entire Basic Pilot process, see 
Basic Information Brief: DHS Basic Pilot Program (National Immigration 
Law Center, March 2007), www.nilc.org/immsemplymnt/ircaempverif/
basicpilot_infobrief_brief_2007-03-21.pdf.
---------------------------------------------------------------------------
1. Step 1: Employer completes I-9 form.
    Employers participating in the Basic Pilot must still complete an 
I-9 employment eligibility verification form for each new employee 
hired as is required of all employers, but with one change to those 
procedures: Basic Pilot employers can accept a document as proof of a 
worker's identity only if the document includes a photograph. It is 
still the employee's choice, however, which documents to present to 
establish identity and employment eligibility.
2. Step 2: Employer verifies identity and employment eligibility using 
        the Basic Pilot.
    For each newly hired worker, the employer must enter the worker's 
information provided on the I-9 form--such as name, SSN, and 
citizenship status or alien number--into a form on the Basic Pilot 
website within three days of the worker's hire date. If a worker has 
not yet been assigned an SSN (as can be the case with newly-arrived 
immigrants), however, the employer has to wait to enter that person's 
information into the Basic Pilot form after the SSN is obtained. This 
procedure is in conflict with the requirements outlined in the MOU 
stating that the employer will put the worker's information into the 
Basic Pilot within three days of hire. There continue to be delays in 
issuing SSNs at field offices--delays that can last for months. 
According to the American Immigration Lawyers Association, some of the 
delays arise from ``front desk'' errors, where an application is 
rejected for lack of a document that is not required.\4\
---------------------------------------------------------------------------
    \4\ Minutes of the Social Security Administration and CIS AILA 
Liaison Meeting on SSA Related Issues (American Immigration Lawyers 
Association, May 8, 2006).
---------------------------------------------------------------------------
    The information that is entered on the Basic Pilot website is first 
checked against information contained in SSA's database, the Numerical 
Identification File (``Numident''). SSA verifies that the name, SSN, 
and date of birth are correct, regardless of the worker's immigration 
status. SSA also confirms whether, if the employee has stated that he 
or she is a U.S. citizen, this is in fact the case; if it is, this 
establishes that the employee is employment-eligible. In the cases of 
naturalized citizens, however, SSA is sometimes unable to confirm their 
U.S. citizenship and must forward the inquiry to USCIS.
    For any non-U.S. citizen employee, USCIS verifies that the worker 
currently has employment-authorization. If the information provided by 
the worker matches the information in the SSA and USCIS records, the 
employer will receive a ``confirmation'' and no further action will 
generally be required, and the worker may continue employment.
    If SSA is unable to verify information presented by the worker, the 
employer will receive an ``SSA tentative nonconfirmation'' notice. 
Employers can receive an SSA tentative nonconfirmation notice for a 
variety of reasons, including lags in data entry in SSA's database, 
inaccurate entry of information into the form on the Basic Pilot 
website, or name changes or changes in immigration status that are not 
reflected in SSA's database. An SSA tentative nonconfirmation is also 
issued when the person attests to being a U.S. citizen but SSA records 
indicate that the person is a noncitizen with unknown work-
authorization status. For example, a foreign-born U.S. citizen may have 
naturalized, but if the person does not inform SSA of this fact, SSA 
records will reflect his or her former immigration status.
3. Step 3: Employee can challenge a ``tentative nonconfirmation.''
    If the individual's information initially does not match SSA's 
records, the employer must first double-check that the information was 
entered correctly into the system. If the employer did not make an 
error, the employer must give the employee written notice of that fact, 
called a ``Notice to Employee of Tentative Nonconfirmation.'' The 
worker must then check a box on the notice stating that he/she contests 
or does not contest the tentative nonconfirmation notice, and both the 
worker and employer must sign the notice. If the worker chooses to 
contest the tentative nonconfirmation notice, the employer must print a 
second notice, called a ``Referral Letter,'' which contains information 
about resolving the tentative nonconfirmation notice, as well as the 
contact information for SSA. The worker then has eight Federal 
Government work days to visit an SSA office to try to resolve the 
discrepancy. SSA then has 10 Federal Government work days after the 
worker receives the referral notice to resolve the case.
    Under the MOU, if the worker contacts SSA (or USCIS) to resolve the 
tentative nonconfirmation, the employer is prohibited from terminating 
or otherwise taking adverse action against the worker while he/she 
awaits a final resolution from the Government agency--even if it takes 
more than 10 Federal Government work days for SSA to resolve the 
matter. In the case of an SSA tentative nonconfirmation notice, the 
employer must wait 24 hours after the worker visits SSA to resubmit the 
inquiry to the Basic Pilot program, and no later than 10 Federal 
Government work days after the date that the worker was referred to 
SSA. If the worker does not contest the tentative nonconfirmation 
notice, it automatically becomes a ``final nonconfirmation'' and the 
employer is required to fire the worker.
Concerns about Expanding the Basic Pilot Program
    Numerous entities, including those that researched and wrote an 
independent report commissioned by the former Immigration and 
Naturalization Service, the Government Accountability Office, and the 
Social Security Administration's Office of the Inspector General (SSA-
OIG), have found that the Basic Pilot program has significant 
weaknesses, including (1) its reliance on government databases that 
have unacceptably high error rates and (2) employer misuse of the 
program to take adverse action against workers.\5\ It is our 
understanding that the research corporation, Westat, has recently 
concluded another evaluation of the Basic Pilot for USCIS, though the 
results of that study have yet to be released to the public. It is 
critical that Congress review this evaluation before proceeding with 
any proposal to create a mandatory EEVS.
---------------------------------------------------------------------------
    \5\ See Findings of the Basic Pilot Program Evaluation (Temple 
University Institute for Survey 
Research and Westat, June, 2002), www.uscis.gov/portal/site/uscis/
menuitem.5af9bb95919f35e66f 614176543f6d1a/
?vgnextoid=9cc5d0676988d010VgnVCM10000048f3d6a1RCRD&vgnextchannel= 
2c039c7755cb9010VgnVCM10000045f3d6a1RCRD; Immigration Enforcement: 
Weaknesses Hinder Employer Verification and Worksite Enforcement 
Efforts (Government Accountability Office, Aug. 2005) (hereafter 
``GAO''), www.gao.gov/new.items/d05813.pdf; and Congressional Response 
Report: Accuracy of the Social Security Administration's Numident File 
(Office of the Inspector General, Social Security Administration, Dec. 
2006), (hereafter ``SSA''), www.socialsecurity.gov/oig/ADOBEPDF/
audittxt/A-08-06-26100.htm; Congressional Response Report: Employer 
Feedback on the Social Security Administration's Verification Programs 
(Office of the Inspector General, Social Security Administration, Dec. 
2006), www.ssa.gov/oig/ADOBEPDF/A-03-06-26106.pdf; and Congressional 
Response Report: Monitoring the Use of Employee Verification Programs 
(Office of the Inspector General, Social Security Administration, Sept. 
2006), www.ssa.gov/oig/ADOBEPDF/A-03-06-36122.pdf.
---------------------------------------------------------------------------
    The significant weaknesses that exist in the current program, which 
serves approximately 16,000 employers, would be greatly exacerbated if 
the program were to surge to over 7 million. In Fiscal Year 2005, when 
the latest evaluation took place, only half as many employers used the 
program as use it now. While improvements to the Basic Pilot have been 
made since its inception, they are not sufficient for a mandatory 
program that, because of inaccurate nonconfirmations, could cause 
workers and businesses irreparable harm. Additionally, if the current 
flaws in the Basic Pilot are not addressed before it is made mandatory, 
it will lead to flawed implementation, frustration, and even 
noncompliance, which will result in certain businesses and industries 
moving into the unregulated underground cash economy.
    When employers and workers move into the underground economy, the 
societal and economic costs are enormous. If enough of them abandon the 
``above-ground'' economy, it could result in billion-dollar losses in 
federal, state, and local tax revenues, unfair competition, and further 
exploitation and abuse of all workers by unscrupulous employers. The 
similar situation would result if a mandatory EEVS were to be 
implemented outside the context of comprehensive immigration reform. In 
that case, the new system would start out with the insurmountable 
handicap of 8 million unauthorized workers and their employers seeking 
to uncover and exploit the weaknesses inherent in any system.
Database inaccuracies
    One of the most significant problems identified in independent 
evaluations of the Basic Pilot program is that it is seriously hindered 
by inaccuracies and outdated information in SSA and DHS databases. For 
example, a sizeable number of workers who are identified as not having 
work authorization are in fact authorized, but for a variety of reasons 
the databases do not have up-to-date information on them. The SSA 
database used for the Basic Pilot program is the Numident file, which 
contains information on 435 million SSN holders, including name, date 
of birth, and place of birth, parents' names, citizenship status, date 
of death (if applicable), and the office where the SSN application was 
processed and approved.\6\ As referenced earlier in this testimony, the 
Numident file is the first point of verification in the Basic Pilot 
process.
---------------------------------------------------------------------------
    \6\ SSA, Accuracy of the Social Security Administration's Numident 
File, supra note 5.
---------------------------------------------------------------------------
    According to a December 2006 report by SSA-OIG, 17.8 million (or 
4.1 percent) of SSA's records in the Numident file contain 
discrepancies related to name, date of birth, or citizenship status 
that could result in tentative nonconfirmation notices from Basic 
Pilot.\7\ Any time that SSA's database conflicts with information 
presented by a worker, that worker must follow up with one of SSA's 
field offices. According to the Bureau of Labor Statistics, there are 
4.9 million new hires per month in the U.S.\8\ If 4.1 percent of these 
new hires received a tentative nonconfirmation notice from SSA, field 
offices could potentially see 100,900 additional citizens and lawful 
immigrants per month seeking assistance with these alleged 
discrepancies.
---------------------------------------------------------------------------
    \7\ Id.
    \8\ Job Openings and Labor Turnover: February 2007 (U.S. Dept. of 
Labor, Bureau of Labor Statistics, February 2007), www.bls.gov/
news.release/pdf/jolts.pdf.
---------------------------------------------------------------------------
    In 2006 testimony before the Senate Finance Committee, the 
Inspector General of Social Security expressed concerns about an 
``increased workload in the field offices and teleservice centers'' 
that would result from workers challenging erroneous database 
findings.\9\ At a recent Senate Finance hearing, the President of the 
National Council of Social Security Management Associations, Inc., 
testified that if a mandatory EEVS and hardened SSN card are instituted 
as part of an immigration reform bill without necessary funding, ``it 
could cripple SSA's service capabilities.'' \10\ This problem is 
compounded by the fact that the agency is at its lowest staffing level 
since the early 1970s, and SSA field offices have lost 2,400 positions 
in the past 19 months.\11\ As noted in the December 2006 OIG report, 
``[I]f use of an employment verification service such as the Basic 
Pilot becomes mandatory, the workload of SSA and DHS may significantly 
increase--even if only a portion of these 17.8 million numberholders 
need to correct their records with one of these agencies.'' \12\ 
Already, SSA field offices serve 42 million visitors per year.\13\
---------------------------------------------------------------------------
    \9\ Patrick P. O'Carroll Jr., Testimony before the U.S. Senate 
Committee on Finance: Administrative Challenges Facing the Social 
Security Administration (Office of the Inspector General, Social 
Security Administration, March 14, 2006), http://finance.senate.gov/
hearings/31699.pdf.
    \10\ Richard Warsinskey, Testimony before the U.S. Senate Committee 
on Finance: Funding Social Security's Administrative Costs: Will the 
Budget Meet the Mission? (National Council of Social Security 
Management Associations, Inc., May 23, 2007), http://
finance.senate.gov/hearings/testimony/2007test/052307testrw.pdf.
    \11\ Id.
    \12\ SSA, Accuracy of the Social Security Administration's Numident 
File, supra note 5.
    \13\ Barnhart, supra note 1.
---------------------------------------------------------------------------
    The cost and burden of SSA tentative nonconfirmation notices not 
only affects local SSA offices, but also workers. Although U.S. 
citizens' records do have discrepancies, a disproportionate number of 
the database errors affect foreign-born U.S. citizens and work-
authorized noncitizens. According to the December 2006 OIG report, 
approximately 4.8 million noncitizen records and 8 million foreign-born 
U.S. citizen records contain discrepancies that may result in a 
tentative nonconfirmation notice from the Basic Pilot.\14\ And, 3.3 
million of foreign-born U.S. citizen records do not contain updated 
information on their citizenship status, so when they claim U.S. 
citizenship on their I-9 employment eligibility verification form, 
these workers receive a tentative nonconfirmation notice because their 
information does not match that in the SSA database.
---------------------------------------------------------------------------
    \14\ SSA, Accuracy of the Social Security Administration's Numident 
File, supra note 5.
---------------------------------------------------------------------------
    When workers receive a tentative nonconfirmation notice, they often 
have to take unpaid time off from work to follow up with SSA, which may 
take more than one trip. Waiting time at field offices are running two 
to three hours, with some visits lasting over four hours.\15\ According 
to the National Council of Social Security Management Associations, 
Inc., nearly one-third of the people currently coming into SSA Field 
Offices to apply for an original or duplicate SSN have to return with 
additional documentation.\16\ Additionally, an unknown number of work-
authorized job applicants are not notified of tentative 
nonconfirmations by their employer or are wrongfully terminated by 
their employer before they even have the opportunity to prove that they 
are indeed authorized to work in the U.S. (For more information on this 
problem, see the section below regarding employer misuse of the 
program).
---------------------------------------------------------------------------
    \15\ Warsinskey supra note 10.
    \16\ Richard Warsinskey, Testimony before the U.S. Senate Committee 
on Finance: Administrative Challenges Facing the Social Security 
Administration (National Council of Social Security Management 
Associations, Inc., March 14, 2006), http://finance.senate.gov/
hearings/31699.pdf.
---------------------------------------------------------------------------
    Equally concerning is the fact that when workers do go to an SSA 
field office to correct their records, their information is sometimes 
not updated in a timely manner. Additionally, Basic Pilot rules 
instruct employers to wait 24 hours after a worker has updated his or 
her records to re-query the system; however, many times the employer 
will re-query the system before the 24-hour period has passed, or check 
before the employee visits SSA. In these instances, the employer will 
receive a default final nonconfirmation. According to Basic Pilot 
rules, the employer is then required to fire the worker.
Employer misuse of the program
    The independent evaluations of Basic Pilot have also revealed that 
employers use the Basic Pilot program to engage in prohibited 
employment practices.\17\ According to the SSA-OIG, ``We learned that a 
significant number of the Basic Pilot employers in our sample verified 
individuals outside the scope of the signed agreement between the 
employer, SSA and DHS.'' \18\ For example, the law requires that 
employers first extend a job offer to a worker and then complete the 
employment eligibility verification process, including the Basic Pilot 
procedure. In violation of this requirement, many employers put workers 
through Basic Pilot before extending the job offer, to avoid the 
potential costs of hiring and training employees who are not eligible 
to work (a practice known as ``pre-screening''). This practice is a 
problem because most workers who receive a tentative nonconfirmation 
are, in fact, authorized to work. If workers are not hired because of a 
tentative nonconfirmation and are never informed that there is a 
problem with their records, they not only are denied a job but also the 
opportunity to contest database inaccuracies. Moreover, pre-screening 
increases the likelihood that an employer may be discriminatorily 
selecting foreign-looking or foreign-sounding individuals for such 
screening, resulting in increased discrimination without the person 
even knowing he or she has been subjected to this unlawful practice.
---------------------------------------------------------------------------
    \17\ GAO, SSA, and Temple University Institute for Survey Research 
and Westat, supra note 5.
    \18\ SSA, Employer Feedback on the Social Security Administration's 
Verification Programs, supra note 5.

     In 2002, among employees who received a tentative 
nonconfirmation from the Basic Pilot, 23 percent said that they were 
not offered a job.\19\
---------------------------------------------------------------------------
    \19\ Temple University Institute for Survey Research and Westat, 
supra note 5.
---------------------------------------------------------------------------
     Four years later, in 2006, 42 percent of employees 
surveyed reported that employers used the Basic Pilot to verify their 
employment authorization before hire.\20\
---------------------------------------------------------------------------
    \20\ SSA, Employer Feedback on the Social Security Administration's 
Verification Programs, supra note 5.
---------------------------------------------------------------------------
     The 2002 evaluation found that 73 percent of employees who 
should have been informed of work authorization problems were not 
notified.\21\
---------------------------------------------------------------------------
    \21\ Temple University Institute for Survey Research and Westat, 
supra note 5.

    Employers also illegally use the Basic Pilot to verify the 
employment eligibility of their existing workforce. The immigration 
regulations require employers to reverify workers' employment 
authorization in very limited circumstances (including when their work 
authorization expires). This has helped minimize the potential 
discrimination that may ensue from employers constantly reverifying 
only noncitizens or from using the reverification system in a 
retaliatory manner. According to the September 2006 SSA-OIG report, 30 
percent of Basic Pilot users admitted they had verified the employment 
authorization of existing employees.\22\
---------------------------------------------------------------------------
    \22\ SSA, Monitoring the Use of Employee Verification Programs, 
supra note 5.
---------------------------------------------------------------------------
    Employers also take adverse employment action based on tentative 
nonconfirmation notices, which penalizes workers while they and the 
appropriate agency (SSA or DHS) work to resolve database errors. For 
example, the 2002 independent evaluation found that 45 percent of 
employees surveyed who contested a tentative nonconfirmation were 
subject to pay cuts, delayed job training, and other restrictions on 
working.\23\ Some employers also compromised the privacy of workers in 
various ways, such as by failing to safeguard access to the computer 
used to maintain the pilot system, e.g., leaving passwords and 
instructions in plain view for other personnel to potentially access 
the system and employees' private information.
---------------------------------------------------------------------------
    \23\ Temple University Institute for Survey Research and Westat, 
supra note 5.
---------------------------------------------------------------------------
    Although employers are prohibited from engaging in these practices 
under the MOU they sign, USCIS officials have told the GAO that their 
efforts to review and oversee employers' use of the Basic Pilot program 
have been limited by lack of staff.\24\
---------------------------------------------------------------------------
    \24\ Richard M. Stana, Testimony before the Subcommittee on 
Immigration, Border Security, and Citizenship, Committee on the 
Judiciary, U.S. Senate, Immigration Enforcement: Weaknesses Hinder 
Worksite Enforcement Efforts (Government Accountability Office, June 
2006), www.gao.gov/new.items/d06895t.pdf.
---------------------------------------------------------------------------
Provisions That Must Accompany Any Nationwide, Mandatory Employment 
        Eligibility Verification System
    After nearly a decade of experience with the Basic Pilot Program, 
it is clear that the existing program has significant flaws that must 
be addressed if Congress is to pursue the creation of a new EEVS. The 
creation of such a system without addressing the fundamental flaws in 
the current program is inadvisable and will result in severe negative 
consequences for immigrants and U.S. workers on a much larger scale 
than they currently experience.
    The following features would address the flaws in the existing 
Basic Pilot program.

     Phase-in with objective benchmarks.

    The best way to ensure implementation of an EEVS that is accurate 
and implemented in a nondiscriminatory manner is to set standards and 
expectations for system performance up front and to hold DHS and SSA 
accountable for meeting those standards. Experience confirms that 
federal agencies do not meet expectations if the standards they are 
given are vague and optional. Therefore, the EEVS should be phased in 
at a reasonable rate, by size of employer, and provide for 
certification by the Comptroller General that it meets benchmarks 
regarding database accuracy, low error rates, privacy, and measurable 
employer compliance with system requirements before implementation and 
each phase of expansion.
    The EEVS program is particularly vulnerable to poor planning 
because of its unprecedented scope and the disconnect between the 
agency mandate to get something up and running quickly and the 
requirements that would ultimately determine whether it is successful, 
such as the need for speed, efficiency, reliability, and information 
security. It is much easier to make design changes in a system before 
it goes fully online than afterwards. That is why software 
manufacturers produce ``beta'' versions of their programs to be tested 
in the real world before mass public marketing distribution. Once a 
system is designed and put in place for all employers and workers in 
our economy, it will be costly and difficult to implement needed 
changes.

     Antidiscrimination protections.

    Experience has taught us that unscrupulous employers will use the 
system to unlawfully pre-screen potential employees, reverify work 
authorization, and engage in other unlawful activities when an employee 
lodges a complaint or engages in collective organizing. It has also 
demonstrated that DHS has not prioritized monitoring of employer misuse 
of the system, since 10 years after it was first implemented there is 
still no system in place for monitoring it. Thus, stronger enforcement 
and monitoring efforts and higher penalties for noncompliance are 
necessary to compel reluctant employers to comply with the law.
    Employers also must be explicitly prohibited from (1) conducting 
employment eligibility verification before offering employment; (2) 
unlawfully reverifying workers' employment eligibility; (3) using the 
system to deny workers' employment benefits or otherwise interfere with 
their labor rights, or to engage in any other unlawful employment 
practice; (4) taking adverse action against workers whose status cannot 
initially be confirmed by the EEVS; or (5) selectively excluding 
certain people from consideration for employment due to the perceived 
likelihood that additional employment eligibility verification might be 
required, beyond what is required for other job applicants.

     Due process protections against erroneous determinations.

    For the first time in the history of this country, workers will 
need to seek approval from the federal government to secure their 
livelihood. If the database errors are not improved before the EEVS is 
implemented, it is likely that millions of workers could be wrongly 
identified as not authorized for employment. It is therefore critical 
that workers have access to a meaningful administrative and judicial 
review process that provides for remedies such as back pay and 
attorney's fees if it is determined that a worker was terminated due to 
SSA or DHS error. Additionally, the EEVS must allow individuals to view 
their own records and correct any errors through an expedited process 
established by SSA and DHS.

     Privacy and identity theft protections.

    The EEVS must protect information in the database from unauthorized 
use or disclosure. It is critical that privacy protections be included 
so that the information contained in the databases is not used for 
nonemployment eligibility verification purposes. The 2002 evaluation 
found several instances where employers or other unauthorized 
individuals gained access to the Basic Pilot program for uses other 
than the designated purpose. Civil and criminal penalties for unlawful 
use of information in the EEVS should also be included.

     Studies of and reports on EEVS performance.

    Any EEVS should be independently evaluated to ensure that the 
program is meeting the needs of both employers and employees. Reports 
should specifically evaluate the accuracy of DHS and SSA databases, the 
privacy and confidentiality of information in the databases, EEVS's 
impact on workers, and whether the program has been implemented in a 
nondiscriminatory manner.

     Workable documentation requirements.

    Proposals to further limit which documents are acceptable to 
establish employees' identity must be flexible enough to recognize the 
fact that not all work-authorized individuals have the same documents. 
Under no circumstances should a REAL ID-compliant driver's license or 
ID card be required. No state is currently in compliance with REAL ID, 
and indeed 11 states thus far have decided not to implement the law or 
have placed significant conditions on their participation.\25\ In 
eleven additional states, legislation opposing REAL ID has passed one 
or more chambers of the state's legislature.
---------------------------------------------------------------------------
    \25\ States include Arkansas, Colorado, Georgia, Hawaii, Idaho, 
Maine, Missouri, Montana, Nevada, North Dakota, and Washington.
---------------------------------------------------------------------------
Employment Eligibility Verification Systems in the Context of 
        Comprehensive Immigration Reform
    The two most significant immigration reform bills introduced in the 
House and Senate in 2007 include the ``Security Through Regularized 
Immigration and a Vibrant Economy (STRIVE) Act of 2007'' (H.R. 1645), 
introduced by Representatives Gutierrez and Flake, and the ``Secure 
Borders, Economic Opportunity and Immigration Reform Act of 2007'' (S. 
1348) currently being negotiated in the Senate. Both bills include a 
mandatory EEVS, but there are significant differences between these two 
proposals. Most notably, the STRIVE Act makes a real attempt to address 
the shortcomings of the Basic Pilot program by including benchmarks, as 
well as privacy, antidiscrimination, and due process protections. 
Although it is unlikely that the STRIVE Act will be the immigration 
bill taken up by the House Judiciary Committee, it is helpful to 
analyze its EEVS provisions through the lens of accuracy, workability, 
and minimizing the harm to all workers.
The ``Security Through Regularized Immigration and a Vibrant Economy 
        (STRIVE) Act of 2007''
    The STRIVE Act represents the best legislative effort to date to 
address the shortcomings of the Basic Pilot program.\26\ Unfortunately, 
the bill contains a couple of provisions that would limit its 
workability. First, the STRIVE Act significantly limits the documents 
that individuals can present to prove their identity when seeking 
employment. Most concerning is the requirement that workers present 
documents that do not exist, such as a REAL ID-compliant driver's 
license and a biometric, machine-readable, tamper-resistant Social 
Security card. Former Commissioner Barnhart testified in July 2006 that 
the cost of issuing new cards with enhanced security features could 
cost approximately $9.5 billion and require 67,000 work years.\27\ This 
means that if U.S. citizens, including foreign-born U.S. citizens, do 
not have a REAL ID license or hardened SSN, they will have to present 
either a passport (passports are held by only approximately 20 percent 
of the U.S. population\28\) or a passport card, which is not yet 
available. The Brennan Center for Justice estimates that as many as 13 
million U.S. citizens do not have ready access to citizenship 
documents, such as U.S. passports, naturalization papers, or birth 
certificates.\29\
---------------------------------------------------------------------------
    \26\ For a summary of the EEVS provisions in the STRIVE Act, see 
Employment Eligibility Verification System in the STRIVE Act of 2007 
(National Immigration Law Center, April 2007), www.nilc.org/
immsemplymnt/cir/strive_eevs_2007-04-02.pdf.
    \27\ Barnhart, supra note 1.
    \28\ Phil Gyford, ``How Many Americans Own Passports?,'' 
www.gyford.com/phil/writing/2003/01/31/how_many_america.php.
    \29\ Citizens Without Proof: A Survey of Americans' Possession Of 
Documentary Proof of Citizenship and Photo Identification (Brennan 
Center for Justice at NYU School of Law, November 2006), 
www.brennancenter.org/dynamic/subpages/download_file_39242.pdf.
---------------------------------------------------------------------------
    Second, the STRIVE Act requires SSA to disclose private taxpayer 
identity information of employers and employees to DHS when DHS 
requests this information. Use of confidential tax information to 
enforce immigration law can have a negative affect on tax compliance 
and has the potential to increase discrimination against foreign-
looking or -sounding workers.
    Provisions in the STRIVE Act that should be included in any EEVS 
proposal:

     Benchmarks for system performance. Before the EEVS is 
implemented (and before any subsequent phase-in), the Comptroller 
General must study and certify that certain standards have been met, 
including database accuracy, measurable employer compliance with the 
EEVS requirements, protection of workers' privacy, and adequate agency 
staffing and funding. In conducting the studies, the Comptroller 
General must consult with representatives from immigrant communities, 
among others. The Comptroller General is also required to submit 
reports to DHS and Congress on the impact of the EEVS on employers and 
employees.
     Protections against discrimination. The STRIVE Act amends 
section 274B of the Immigration and Nationality Act (INA), relating to 
unfair immigration-related employment practices, to explicitly apply to 
employment decisions related to the new EEVS. Additionally, it 
prohibits employers from misusing the EEVS, increases fines for 
violations, brings the INA into line with other civil rights laws, such 
as Title VII of the Civil Rights Act, and provides funding to educate 
employers and employees about antidiscrimination policies.
     Privacy protections. The STRIVE Act requires that 
information in the EEVS be safeguarded and that only minimum data 
elements be stored. It creates penalties for unlawfully accessing the 
EEVS and for using information in the EEVS to commit identity theft for 
financial gain.
     Due process provisions. The STRIVE Act requires that 
workers can view their own records and correct or update information in 
the EEVS. DHS also must establish a 24-hour hotline to receive 
inquiries from workers and employers concerning determinations made by 
the EEVS. The STRIVE Act also creates an administrative and judicial 
review process to challenge a finding that a worker is not authorized 
for employment (a ``final nonconfirmation''). If, after the process, 
the worker is found to be authorized for employment and the error was 
DHS's, the worker is entitled to back wages (although not during any 
period that the worker was not authorized for employment). However, 
attorney's fees and costs are not included--even though employers can 
recover up to $50,000 in attorney's fees when they challenge a finding 
that they violated immigrant law. Low-income workers are far less 
equipped than better-off workers to represent themselves or hire 
counsel, and the availability of fees is critical to their ability to 
pursue their rights. STRIVE also prohibits a private right of action, 
which also would drastically limit workers' ability to correct abuses 
and errors of the system.
     Annual study and report. The STRIVE Act requires the 
Comptroller General to conduct annual studies to be submitted to 
Congress that determine whether the EEVS meets the following 
requirements: demonstrated accuracy of the databases; low error rates 
and incidences of delays in verification; measurable employer 
compliance with EEVS requirements; protection of workers' private 
information; adequate agency staffing and funding for SSA and DHS.

The ``Secure Borders, Economic Opportunity and Immigration Reform Act 
        of 2007'' (S. 1348) \30\
    S. 1348 falls well short of creating a workable system. Its most 
troubling provision is the requirement that the guest worker and 
legalization programs for which it provides may not be implemented 
until the EEVS (including the use of ``secure'' documentation and 
digitized photographs that do not currently exist) is implemented. 
Because of this pressure, the focus will be on getting the EEVS up and 
running as quickly as possible, rather than on implementing an accurate 
system that actually works without adversely impacting authorized 
workers.
---------------------------------------------------------------------------
    \30\ Amendment 1150 to S. 1348 is the actual text of the bill being 
debated; however, there has not yet been a vote on the amendment, so S. 
1348 still stands. This analysis refers to amendment 1150.
---------------------------------------------------------------------------
    It is expected that an amendment will be introduced this week (to 
amendment 1150; see footnote 30) that will improve the EEVS provisions 
in S. 1348. Although the amendment will significantly improve the 
underlying bill, it will not address the database inaccuracies and will 
fall short on due process protections. Concerns with S. 1348 as 
introduced include the following:

     The implementation timeline is unreasonable and 
unworkable. All employers must participate in the EEVS within 18 months 
of enactment, with respect to new hires and those with expiring work 
authorization documents or immigration status; and within 3 years, all 
employers must use the EEVS for all new and continuing employees, 
including those in ``Z'' status who have not previously presented 
secure documentation. DHS is also given the sole discretion to require 
employers to participate at an earlier date than outlined. This rigid 
timetable must be met regardless of whether the EEVS actually works and 
whether the technology exists to implement it; nor is the timetable 
subject to performance benchmarks.
     The antidiscrimination protections are weaker than current 
law. Current law regarding ``impermissible'' uses of the EEVS would be 
weakened under the Senate bill (existing requirements are outlined in 
the MOU that employers sign under the Basic Pilot) because the bill 
specifically prohibits these ``impermissible'' practices from being 
covered under the antidiscrimination protections in the INA by giving 
DHS exclusive enforcement authority and funding. Section 274B of the 
INA prohibits discrimination based on national origin and citizenship 
status, and provides a process for complaints, investigations, 
administrative and judicial review, and remedies. It is unlikely that 
DHS's policy will include such procedures, since DHS has no expertise 
in this area.
     The due process protections are insufficient. Under the 
administrative review provisions, a final nonconfirmation is stayed 
pending the administrative review decision unless SSA or DHS decides 
that the ``petition for review is frivolous, unlikely to succeed on the 
merits, or filed for purposes of delay.'' This means that the agency 
whose administrative decision is being appealed has sole authority to 
issue or deny a stay of a nonconfirmation notice while an appeal is 
pending. The employee appealing the decision faces irreparable harm 
through loss of employment if a stay is denied, and the legislation 
does not provide a method for recovery of back pay, costs or attorney's 
fees for those who are wrongfully terminated due to SSA or DHS database 
errors, including where the agency fails to issue a stay during the 
appeal process.

    Workers have 30 days from the completion of the administrative 
appeal to file for judicial review in the U.S. Court of Appeals. 
However, the court can decide the petition based only on the 
administrative record, which may be limited. The burden is on the 
worker to demonstrate that the agency decision was ``arbitrary, 
capricious, not supported by substantial evidence, or otherwise not in 
accordance with law.'' Moreover, ``findings of fact are conclusive 
unless any reasonable adjudicator would be compelled to conclude to the 
contrary.'' That deferential review standard for factual findings is 
unwarranted. As with the administrative review process, the court must 
stay the final nonconfirmation notice, unless it determines that the 
``petition for review is frivolous, unlikely to succeed on the merits, 
or filed for purposes of delay.''

     The documentation requirements are unattainable. Like the 
STRIVE Act, the documentation requirements are heavily focused on state 
compliance with the REAL ID Act and a biometrically-enhanced Social 
Security card.
     Employers, state and federal government agencies, and SSA 
are required to turn over to DHS confidential information about 
workers. The bill permits data mining of SSA files, tax records, and 
other federal, state, and territorial databases covering everyone in 
the U.S. Multiple provisions requiring information-sharing give DHS 
expansive access to (a) personal employee information held by 
employers; (b) birth and death records maintained by states, passport 
and visa records, and state driver's license or identity card 
information; and (c) as an exception to tax code confidentiality 
provisions, SSA records of taxpayers when the taxpayer's SSN or name or 
address (for whatever reason) does not match SSA records, or when just 
two taxpayers have the same SSN. It also allows DHS to access 
``information'' from SSA that DHS ``may require.'' The provisions do 
not require independent review, monitoring of disclosure, privacy 
protections, notice to workers that their private information or 
records have been disclosed, or recourse if overbroad information is 
sought or misused.
Conclusion
    As stated in the first part of this testimony, based on our 
experience, NILC does not support the creation of a mandatory EEVS. 
However, when the House of Representatives moves forward with its 
immigration reform bill, which will inevitably include a mandatory 
EEVS, it is critical that it be guided by the lessons learned from ten 
years of experience with the Basic Pilot program. Put simply, if the 
shortcomings of the Basic Pilot are not addressed before it is expanded 
into a mandatory program, it will be a disaster for workers and 
employers, and will put an enormous strain on already overburdened SSA 
field offices. Because so much of the focus of EEVS proposals is on 
DHS, it will be important for this committee to work closely with the 
Judiciary Committee on any comprehensive immigration reform bill that 
creates a mandatory EEVS to ensure that SSA has the necessary funding 
and resources to carry out its duties. It will also be critical to 
ensure that the weaknesses of the Basic Pilot are addressed before it 
is expanded, including correcting SSA's database errors, and 
implementing a monitoring system so employers do not use the system to 
take adverse action against workers.

                                 

    Chairman MCNULTY. Thank you.
    Mr. Amador.

STATEMENT OF ANGELO I. AMADOR, DIRECTOR OF IMMIGRATION POLICY, 
                    U.S. CHAMBER OF COMMERCE

    Mr. AMADOR. Thank you. Good morning, Chairman McNulty, 
Ranking Member Johnson, and distinguished Members of the 
Committee. Thank you for inviting me to testify on EEVS today. 
My name is Angelo Amador. I am the Director of Immigration 
Policy for the Chamber.
    We also chair the Essential Workers Immigration Coalition, 
and are on the executive Committee of the Electronic Employment 
Verification System working group. That is a business group, 
but actually, as Tyler knows, we work very closely with groups 
on the left, unions, and this is a system that really is going 
to affect everyone, and we really need to work together to make 
sure that all of the main issues are addressed.
    The concerns of the business community about how this new 
mandate is going to affect us cannot be overstated. The 
Government Accountability Office, as was said earlier, estimate 
that the cost of a new EEVS system that would apply to all 
employees would cost about $11.7 billion per year, with 
employers bearing most of the cost. Still, the Chamber is 
willing to support a new EEVS as a necessary part of 
comprehensive immigration reform.
    While most of the press has concentrated on the issues of 
the undocumented and the new worker programs with regards to 
comprehensive reform, employers view the employer verification 
system provisions as equally important. In fact, some of my 
members view it as the most important part of comprehensive 
reform.
    As stated in my written testimony, the three issues are 
interrelated, and comprehensive reform remains crucial to both 
economic and national security for our country. Noted national 
security experts have also reinforced that enforcement alone at 
any level is not sufficient, and it would not be the solution.
    Everyone agrees that the current immigration system is 
broken and the status quo is unacceptable. But agreement on a 
solution has been harder to find. States and localities have 
responded to the lack of action at the Federal level with a 
patchwork of immigration laws and enforcement, exposing 
employers most deal with a broken legal structure of unfair 
liability.
    Many states and local governments are attempting to either 
force employers and retailers to bear the costs of helping 
shield undocumented workers, or are attempting to impose 
additional worksite enforcement provisions. must know what 
their responsibilities are, and having one Federal law with 
strong state law preemption language will help alleviate any 
confusion about employers' role under the law.
    There are things that can be done immediately without 
legislation, such as limiting the number of documents accepted 
for verification under the I-9 system. Also, current documents 
should be retooled so as to provide employers with a clear and 
functional way to verify that they are accurate and relate to 
the prospective employee.
    As you know, there are more than 27 documents and 
combinations of documents that you can use to prove your 
employment eligibility. Some of them don't even have pictures. 
So, you could technically get a job without showing an ID that 
has a picture, and the employer is forbidden, because of the 
current anti-discrimination provisions, from asking for other 
pieces of ID.
    In addition, I would like to mention seven other critical 
things that are very crucial for the employer community. There 
are some others that are in my testimony, and actually some are 
addressed by Tyler as well, that I think are very important.
    Just for the time being, I want to mention that, first, 
enforcement of employment verification law resides properly 
within the Federal Government. Accordingly, the Chamber 
maintains that DHS, as the Federal enforcement authority with 
responsibility in enforcement of section 274A, which is the one 
that we are talking about, should remain.
    You may be aware that the Federal RICO statute has recently 
been used by private attorneys seeking to enforce immigration 
law. Not only does this invade the province of the Federal 
Government as sole enforcer of Federal immigration policy, it 
also perverts the Federal RICO statute into a use that is 
contrary to the intent of the statute. We do not want to create 
a trial attorneys relief act.
    Second, the power to investigate labor and employment 
violations should be kept out a system created exclusively for 
the purpose of verifying employment eligibility. The system 
needs to be implemented with full acknowledgment that employers 
already have to comply with a variety of employment laws. The 
Code of Federal Regulations--actually, I looked at it this 
morning--is more than 5,000 pages long.
    Third, a new verification system should only apply to new 
hires. Trying to re-verify the entire existing workforce of 
over 140 million employees is a burden that is too high. Again, 
I will be happy to talk about the different versions, but the 
version of the Senate requires that you re-verify more than 140 
million employees.
    What we hear from our members, especially those that are 
large, is that that is a monumental task. And there are other 
ways of doing this. Again, with the turnover today, everybody 
will be verified under the system in a couple of years.
    Fourth, an employer should also be responsible only to 
verify the work authorization of its own employees.
    Fifth, an employer needs to be able to affirmatively rely 
on the response as soon as possible. We think that 30 days 
should be more than enough for DHS or Social Security or 
somebody to tell us whether this person is authorized to work 
or not.
    There are concerns, as you might have heard, and it is in 
the testimony, of the cuts that are implied when you have a 
tentative nonconfirmation. For one, you cannot fire the worker. 
Second, DHS wants to use the fact that this individual that 
they told you not to fire to come and investigate and do raids 
and other things.
    Sixth, penalties must be tailored to the offense, and the 
system must be fair. Automatic debarment from Federal contract 
is not an authority that should be given to DHS. Indeed, a work 
in process already exists in current law under the Federal 
Acquisition Regulations.
    Finally, let me know that we are concerned about undue 
expansion of liability and new causes of actions which we have 
seen in some formulations of electronic employer verification 
systems. For example, the STRIVE Act, which I agree with Tyler 
is probably the best effort right now at trying to address a 
workable EEVS, but it still has--it would even make it illegal 
for an employer to hire an American or a legal permanent 
resident over a temporary worker that should be in the United 
States only when employers cannot find enough of the first two.
    Discrimination protections should be retained, as in 
current law, to comport with the purposes of the program, 
monitoring the hiring and firing process, not other terms and 
conditions of employment.
    Thank you for giving me the opportunity to come before you 
today, and I look forward to your questions.
    [The prepared statement of Mr. Amador follows:]


        [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


    Chairman MCNULTY. Thank you.
    Ms. Meisinger.

STATEMENT OF SUSAN R. MEISINGER, PRESIDENT AND CEO, SOCIETY FOR 
        HUMAN RESOURCE MANAGEMENT, ALEXANDRIA, VIRGINIA

    Ms. MEISINGER. Mr. Chairman, Ranking Member Johnson, 
Members of the Committee, my name is Sue Meisinger and I am 
President and CEO of the Society for Human Resource Management. 
I appear today on behalf of the more than 200,000 members of 
the society, as well as being co-chair of the HR Initiative for 
a Legal Workforce. I am grateful for this opportunity.
    Our members represent the frontlines on workforce 
verification, and therefore offer a crucial viewpoint on the 
matter. We fully support and we are committed to the hiring of 
only work-authorized individuals through an effective, 
efficient, electronic employment verification system.
    We also recognize that the current employment verification 
system is in need of real reform. In fact, we believe that 
verification is the linchpin of really, truly reforming the 
immigration system.
    As the debate on immigration reform continues, we urge 
Congress to carefully consider the implications of any new 
employment verification system, keeping in mind that this is 
not just a debate about immigration reform. This is a debate 
about workplace management, which impacts all employers and all 
American workers, not just those who are foreign born.
    My remarks will focus on the current employment 
verification process, as well as our proposal to create a 
potentially alternative effective employment verification 
system.
    As you know, under IRCA, employers are required to review 
documents presented by employees, and after review, required to 
attest on a Form I-9 that they have reviewed the documents and 
that they appear genuine and authentic.
    Even under the best of circumstances, HR professionals 
encounter numerous challenges with the employment verifications 
of IRCA. They include maintaining the I-9 records when an 
employee presents a document that has an expiration date; 
verifying the authenticity, the quality, the quantity of 
documents presented by an employee for work authorization and 
identification purposes; and simply managing the current I-9 
system, which is burdensome and time-consuming.
    The system is prone to fraud, forgeries, and identity 
theft. It is difficult if not impossible for an employer to 
differentiate between the legal and illegal worker in this 
process. In addition, if an employer questions the validity of 
documents too much, they are also vulnerable to potential 
claims of discrimination.
    Attempting to address the shortcomings of the paper-based 
system, Congress created the Basic Pilot Program that we have 
heard of this morning in great detail. Under this system, 
employers can voluntarily check each new employee's work 
eligibility using the electronic verification system, while 
also having to do the paper check and maintaining the paper 
records.
    The system is supposed to respond to the employer within 
three days with either a confirmation or a tentative 
nonconfirmation of the employee's work eligibility. In the 
cases of tentative nonconfirmation, a secondary verification 
process lasting 10 days is initiated to confirm the validity of 
the information provided and to provide the employer with a 
confirmation of nonverification of worker eligibility.
    Although it has been operational since 1997, and despite 
the best efforts of the people in the government agencies 
managing it, we think it is just flat-out inadequate to meet 
the U.S. employer's needs in a global verification system.
    As we heard this morning, over 92 percent of inquiries from 
employers receive an instantaneous employment authorized 
response. This means there is a no verification 8 percent of 
the time. With 60 million new hires each year, this makes 
mandating the system having an impact on about 5 million people 
a year, as we have heard as well.
    Since a significant percentage of the Basic Pilot queries 
require human intervention, a lot of resources are going to be 
needed to purge the various agency databases and improve 
communication between the agencies. We think this is going to 
be problematic.
    Employers need the right tools to verify a legal workforce, 
but we cannot have HR, and we should not have HR, be America's 
surrogate Border Patrol agents. Rather, employers are entitled 
to a clear answer to the query whether an employee is 
authorized to work, and be able to reply to that response.
    We believe that Congress must transform the current paper-
based verification process into a state-of-the-art electronic 
system. Specifically, we advocate a system that would verify 
identity through additional background checks and the voluntary 
use of biometric enrollment conducted by government-certified 
private vendors.
    The system would be built upon background checks currently 
conducted by many employers. Our own survey shows that 85 
percent of our members do employment verification checks, 
reference checks, to include forensic document examines and 
tailored data mining in publicly available databases. An 
individual's identity could be locked to biometric or other 
secure identifiers through the process. Employees would not 
need to present an identity card, just themselves.
    Under our proposal, employers would be required to 
participate in one or two electronic employment verification 
systems. The first would be the current EEVS, but permitting 
employers to access the system via phone and internet. The 
second would be SEEVS, a more secure electronic employment 
verification system. The state-of-the-art system would 
identify, through additional background checks and voluntary 
biometric enrollment conducted by private employers.
    This system, we think, would answer two important 
questions: Is the person identified by name, date of birth, and 
Social Security authorized to work? Is the person actually who 
he or she claims to be?
    In the interests of time, I would like to conclude by 
encouraging Congress to look at this carefully. We are very 
concerned that in the rush to deal with immigration reform, 
which we believe needs to happen, that there is a push to just 
simply push this verification system through. And the word 
chaos, I thought, was apt in describing what we think is going 
to happen when this rolls forward.
    Thank you.
    [The prepared statement of Ms. Meisinger follows:]

Prepared Statement of Sue Meisinger, The Human Resource Initiative for 
 a Legal Workforce, Society for Human Resource Management, Alexandria, 
                                Virginia

    Mr. Chairman, Ranking Member Johnson, Members of the Committee. My 
name is Susan R. Meisinger and I am the President and CEO of the 
Society for Human Resource Management. I appear today on behalf of the 
Society for Human Resource Management. I am also the Co-chair of HR 
Initiative for a Legal Workforce. I am grateful for the opportunity to 
provide our views on this important issue.
    The Society for Human Resource Management (SHRM) is the world's 
largest association devoted to human resource management. Representing 
more than 217,000 individual members, the Society's mission is both to 
serve human resource management professionals and to advance the 
profession.
    The Human Resource Initiative for a Legal Workforce is a coalition 
of human resource organizations and business groups, representing 
thousands of small and large U.S. employers from a broad range of 
sectors. The HR Initiative includes SHRM, the American Council on 
International Personnel, the College and University Professional 
Association for Human Resources, the Food Marketing Institute, the HR 
Policy Association, the International Public Management Association for 
Human Resources, and the National Association of Manufacturers. Our 
objective is to improve the current employment verification process by 
creating a secure, efficient and reliable system that will ensure a 
legal workforce and help prevent unauthorized employment.
    Our collective members represent the front lines on workforce 
verification, and therefore offer a crucial viewpoint on the matter. We 
fully support and are committed to the hiring of only work-authorized 
individuals through an effective, efficient electronic employment 
verification system.
    We also recognize that the current employment verification system 
is in need of real reform. In fact, we believe verification is the 
lynchpin for true immigration reform. Unfortunately, the current paper-
based employment verification system is inadequate to meet current and 
future demands, and current proposals before Congress fall far short of 
what is needed.
    As the debate on immigration reform continues, we urge Congress to 
carefully consider the implications of any new employment verification 
system, keeping in mind that this is not just a debate about 
immigration reform, it is a debate about workplace management, which 
impacts all U.S. employers and all American workers, not just those who 
are foreign born.
    My remarks will focus on the employment verification process 
established in the Immigration Reform and Control Act (IRCA) of 1986, 
the state of the current electronic verification system, the Basic 
Pilot Program that was enacted in The Illegal Immigration Reform and 
Immigrant Responsibility Act (IIRIRA) of 1996, as well as our proposal 
to create an effective electronic employment verification system in the 
effort to ensure compliance with immigration laws at the worksite, and 
to protect the civil rights and privacy of employees.
    Mr. Chairman, under IRCA employers are required to review documents 
presented by employees within three business days of hire demonstrating 
identity and authorization to work in the United States. After 
reviewing these documents, employers are required to attest on Form I-9 
that they have reviewed the documents and that they appear genuine and 
authentic. Under current law, 27 paper-based documents are available to 
employees to demonstrate work eligibility, with 12 different documents 
authorized under law to prove identity.
    Even under the best of circumstances, HR professionals encounter 
numerous challenges with the employment verification requirements under 
IRCA. These include: maintaining the I-9 records when an employee 
presents a document that has an expiration date; verifying the 
authenticity, quality, and quantity of documents presented by an 
employee for work authorization and identification purposes; and 
managing the current I-9 process, which is burdensome and time-
consuming.
    According to SHRM's 2006 Access to Human Capital and Employment 
Verification survey, 60 percent of responding HR professionals 
indicated that they continue to experience problems with the current 
verification requirements of IRCA 20 years after its enactment. The 
most common challenge cited is ascertaining the authenticity of 
documents presented for employment (40 percent).
    The current document-based system is prone to fraud, forgeries and 
identity theft, making it difficult, if not impossible, for an employer 
to differentiate between the legal and illegal worker in this process.
    U.S. employers, whether large or small, cannot be expected to 
consistently identify unauthorized workers using the existing system, 
but they are liable for severe sanctions if these workers find their 
way onto the payroll. Conversely, they are subject to claims of 
discrimination if they question the validity of documents too much.
    The proliferation of false or stolen documents can and does cause 
reputable employers to mistakenly hire individuals who are not eligible 
to work. At the same time, the lack of certainty and threat of 
government-imposed penalties may lead some employers to delay or forego 
hiring legal workers who are eligible. In either case, the costs are 
high for both U.S. employers and legal workers.
    In an attempt to address the shortcoming of the paper-based system, 
Congress created the Basic Pilot program for employers to voluntarily 
confirm an employee's eligibility to work using an electronic 
verification system. Under the Basic Pilot program, employers are 
required to review an employee's identity and work authorization 
documents consistent with IRCA requirements, including completing all 
Form I-9 paperwork. Employers are then required to check each new 
employee's work eligibility using the electronic verification system.
    The Basic Pilot system is supposed to respond to the employer 
within three days with either a confirmation or a tentative non-
confirmation of the employee's work eligibility. In the cases of a 
tentative non-confirmation, a secondary verification process lasting 
ten days is initiated to confirm the validity of the information 
provided and to provide the employer with a confirmation or non-
verification of work eligibility. Employers are not permitted to 
terminate individuals that have received a tentative non-confirmation 
until the employer has received a final non-verification or the ten-day 
period has elapsed.
    Although the Basic Pilot has been operational since 1997, and 
despite the best efforts of the men and women who administer this 
program in the USCIS, we believe it is inadequate to meet the needs of 
all U.S. employers in the employment verification process. According to 
the Government Accountability Office (GAO), in June of 2005, only 2,300 
out of 5.6 million U.S. employers participated in the Basic Pilot in 
2004. Even with the relatively low participation rate, the GAO found 
that about 15 percent of all queries required additional verification 
because the automated system was unable to provide confirmation 
responses on the initial attempt.
    In April 2007, the United States Citizen Immigration Services 
(USCIS) testified before the House Judiciary Subcommittee that that the 
total number of participating employers has risen to about 16,000 
employers and that ``over 92 percent of inquiries from employers 
receive an instantaneous employment authorized response.''
    However, these numbers represent only a fraction of the nearly 6 
million employers in the United States. According to USCIS, if all 
employers were required to enroll in the Basic Pilot within 18 months, 
as called for by some proposals in Congress, USCIS would need to enroll 
approximately 20,000 employers a day. Expanding this system to cover 
all employers as proposed--absent federal certification that the system 
is adequately staffed and prepared to handle the increased workload--
will undoubtedly cause confusion, harm productivity, and deny eligible 
workers employment opportunities.
    Since a significant percentage of the Basic Pilot queries require 
human intervention, substantial resources will be needed to purge the 
various agency databases and improve communication between agencies. 
This problem is likely to be exacerbated if participation increases 
from 16,000 to all 6 million-plus employers. As we have seen in other 
aspects of immigration adjudication, a substantial increase in 
immigration-related caseload without corresponding increases in 
resources can lead to major processing delays. Using USCIS's own 
numbers of a 92 percent verification rate, millions of authorized 
employees' verification for employment could be in jeopardy.
    As evidenced in several recent high profile situations, there are 
major concerns that the Basic Pilot's accuracy is severely limited by 
the proliferation of fraudulent identity documents. This is because the 
Basic Pilot system does not verify the authenticity of the identity 
being presented for employment purposes, only that the identity 
presented matches information in the Social Security and DHS databases.
    In testimony to House Judiciary Subcommittee in April, Jack 
Shadley, Senior Vice President for Human Resources for Swift & Company 
detailed the shortcomings of the ``Basic Pilot'' employment 
verification system. Despite the company's hiring processes, which 
included participation in Basic Pilot, the government raided six Swift 
production facilities on the morning of December 12th, 2006, and 
detained 1,282 employees. Many were using stolen identities that could 
not be detected by Basic Pilot. This event cost the company more than 
$30 million and disrupted communities that Swift has worked hard to 
enrich. As Mr. Shadley stated in his testimony:
    ``It is particularly galling to us that an employer who played by 
all the rules and used the only available government tool to screen 
employee eligibility would be subjected to adversarial treatment by our 
government. These ICE raids once again highlight significant weaknesses 
in the Basic Pilot program.''
    In addition to concerns with premature expansion of the Basic 
Pilot, several Congressional proposals also expose employers to 
liability for actions beyond their control, such as the actions of 
subcontractors. We strongly believe that U.S. employers should be 
liable for their own hiring decisions, not those made outside their 
control. Enforcement needs to be vigorous and fair, and should focus on 
employers that blatantly ignore the law as opposed to employers who 
commit paperwork or technical violations in their attempt to comply.
    Employers need the right tools to verify a legal workforce. 
However, HR cannot--and should not--be America's surrogate border 
patrol agents. Rather, employers are entitled to an unambiguous answer 
to the query whether an employee is authorized to accept an offer of 
employment. Unfortunately, mandating the current Basic Pilot system 
will not meet the needs of employers or employees.
    We believe that Congress must transform the current paper-based 
verification process into a state-of-the-art electronic system that is 
accurate, reliable, cost-efficient, easy-to-use, and shares 
responsibility among government, employers and employees. Specifically, 
we advocate a system that would verify identity through additional 
background checks and the voluntary use of biometric enrollment 
conducted by government certified private vendors. According to SHRM's 
2006 Weapons in the Workplace, 85 percent of responding HR 
professionals indicated their organizations conduct background checks 
of potential employees.
    This system would build upon background checks currently conducted 
by many employers, to include forensic document examination and 
tailored data mining in publicly available databases. An individual's 
identity could be ``locked'' to biometric or other secure identifiers 
through this process. Employees would not need to present a card as 
some have advocated, just themselves.
    Under our proposal, employers would be required to participate in 
one of two electronic employment verification systems:

        EEVS--A completely electronic employment verification system 
        (EEVS) which improves upon the current Basic Pilot system and 
        permits employers to access the system via phone and internet. 
        Employers would verify identity by visually examining a limited 
        number of documents presented by the employee. Employers would 
        verify work authorization by submitting employee data to the 
        SAVE system. The verification process can be initiated either 
        post offer or acceptance of a job by an employee but prior to 
        the commencement of work or within the first 3 days after work 
        commences. The databases feeding into the SAVE system must be 
        upgraded to ensure all information is accurate and updated and 
        that secondary verifications are completed within 10 days. 
        Employers would continue to make subjective determinations that 
        the person presenting the documents is who he claims to be and 
        that the documents are valid on their face. The current I-9 
        form would be eliminated. Employers in this system would be 
        subject to the current range of enforcement efforts and 
        penalties.

        SEEVS--A more secure electronic employment verification system 
        (SEEVS) that guard against identity theft would be available to 
        employers on a voluntary basis. This state-of-the-art system 
        would verify identity through additional background checks and 
        voluntary biometric enrollment conducted by private vendors. 
        The employee's work authorization would continue to be verified 
        through the SAVE databases. By eliminating subjective 
        determinations of work authorization documents, this system 
        will eliminate discrimination and simplify enforcement. There 
        will be only two enforcement questions for the government: 1) 
        Did you check every employee through the system in a fair and 
        equal manner? 2) Did the employer make his/her hiring decisions 
        consistent with information they received through the system? 
        Employers participating in this system would be deemed to be in 
        compliance absent a showing of bad faith.

    The proposed SEEVS system would prevent identity fraud by 
automatically recognizing an individual based on measurable biological 
(anatomical and physiological) and behavioral characteristics. The new 
system would be able to answer two vital questions:

    1.  Is the person identified by name, date of birth, and social 
security number authorized to accept the employment being offered?
    2.  Is the person actually who he or she claims to be?

    We also believe that any such secure electronic employment 
verification system as described above needs to meet standards set by 
the National Institute of Standards and Technology (NIST) from a 
technology and a privacy standpoint. The SEEVS model for prevention of 
identity theft lies in authorizing competing private entities, 
certified by the Government with the involvement of NIST, to develop 
and conduct the process necessary to verify the identity. The privately 
held databases would be protected from disclosure by law and held in a 
segregated fashion that would prevent linking of identity to biometrics 
without the enrolled person presenting his or her biometrics as the 
key.
    We do not believe a biometric card is necessary to have an 
effective employment verification system. A new biometric card, such as 
a Social Security card, would cost billions of dollars to create, 
foster visions of a national ID card, and would tax the current 
capabilities of the Social Security system. Finally, as we have 
discussed and has been demonstrated before through cases such as the 
Swift, government-issued identity and work authorization cards 
eventually can be counterfeited by those who want to circumvent the 
system.
    If adequately funded and fairly administered, SHRM and the HR 
Initiative believe this new system could eradicate virtually all 
unauthorized employment--thereby eliminating a huge incentive for 
illegal immigration. It will also eliminate discrimination by taking 
the subjectivity out of the verification process.
    Finally, we strongly recommend that the Federal Government, 
specifically the Department of Homeland Security, take sole ownership 
of enforcing immigration laws at the worksite. Recently, partially due 
to an understandable frustration on the part of state and local 
governments over the lack of immigration control, many jurisdictions 
have enacted their own laws on employment eligibility verification. 
With all due respect to these states and municipalities, it is the U.S. 
Congress that has plenary authority, and the expertise, to deal with 
this issue. Moreover, it is extremely hard on employers, especially 
ones with presence in several states, to keep up with the various 
requirements. Ironically, while law-abiding employers risk exposure 
because of inadvertent mistakes or confusion over the different and 
possibly contradictory requirements, unscrupulous businesses can 
continue to hire off the books with virtual impunity. We suggest that 
worksite enforcement must be vigilant, and that the Federal Government 
must hold all employers to the same standards and same set of 
requirements.
    True employment verification is the only way to ensure fair and 
equitable treatment for those individuals who should have access to 
legitimate jobs. It is essential for a legal workforce and for 
America's national and economic security.
    Both SHRM and the HR Initiative coalition look forward to working 
with the committee on a new verification system that is effective, 
secure, easy to use, and in which both employees and employers can 
place their trust.

                                 

    Chairman MCNULTY. Thank you very much.
    We have two votes on the House floor. Since this is a 15-
minute vote and we are just at the beginning of it, we are 
going to try to hear Mr. Neumann's testimony, perhaps Mr. 
Rotenberg. We will get as far as we can before we have to run 
over to vote. Then we will do two votes back to back and 
reconvene here as quickly as possible, hopefully only detaining 
for a 15-minute break.
    So, Mr. Neumann may start.

 STATEMENT OF PETER G. NEUMANN, PRINCIPAL SCIENTIST, COMPUTER 
SCIENCE LABORATORY, SRI INTERNATIONAL, MENLO PARK, CALIFORNIA, 
     ON BEHALF OF THE U.S. PUBLIC POLICY COMMITTEE OF THE 
              ASSOCIATION FOR COMPUTING MACHINERY

    Mr. NEUMANN. Thank you very much for the invitation to be 
here. It is a very important topic, and I hope I can shed some 
constructive background on it.
    I am speaking on behalf of the USACM, the U.S. Public 
Policy Committee of the Association for Computing Machinery, 
which is a nonprofit group, over 80,000 people dedicating to 
constructive use of computer technology. I also speak as 
someone who has over 50 years of experience in research and 
development, and a sideline interest of collecting stories on 
things that failed.
    If you ask me questions about it, I will talk about the IRS 
failure, the air traffic control modernization failure, the FBI 
virtual case file problems, the deadbeat dads, and so on. There 
are just an enormous number of cases in which large systems 
collapsed. The first two of those were $4 billion efforts that 
were eventually canceled after it was recognized that they 
could never succeed.
    The task that you are embarking on with a modernization or 
upgrading of EEVS reminds me of a metaphor, because if you look 
under the eaves, you typically see rodents and termites and dry 
rot from roof leaks in a badly built house, or even some of the 
well-built houses. You also have ongoing maintenance problems 
of having to clean out the gutters, and the liability lawsuits 
when the maintenance guy falls off the ladder.
    [Laughter.]
    Mr. NEUMANN. So it is a much bigger problem than it is 
normally conceived. When somebody tells you, yes, we can build 
this system, I will give you hundreds of examples of things 
that have gone wrong over the years, and reasons why most of 
the systems don't work.
    If Ranking Member Johnson will ask me about tamper-proof 
systems, there are no such things. There might be some tamper-
resistant ones and tamper-evident systems, but some of my 
colleagues can break just about anything that has ever been 
built.
    I would like to very briefly outline some of the more 
critical issues. In my written testimony, I go through 
considerable detail on things that have to be fixed before this 
could possibly work, assuming that it ever possibly could work.
    In particular, the sensitive information needs to be 
protected. This is an extremely different problem--difficult 
problem, rather--because many of the privacy problems are 
extrinsic to the system. They involve insiders who have 
legitimate access and who can misuse that access, for example. 
They are based on computer systems that are not secure, which 
means, since you put it on the Internet, you have a great many 
problems.
    Authentication: Passwords are mentioned. Passwords are an 
extremely weak form of protection. We need something much 
greater than that, especially when we start sharing across the 
Internet.
    One of the biggest problems that you are going to face is 
the scalability problem. I will give you two examples. The 
simplest example is the man who starts out with a hamburger 
stand and expands it into a worldwide chain. The logistic 
problems, the financial problems, the health problems, and so 
on are orders and orders of magnitude more complex. It does not 
scale in any reasonable sense.
    A more computer-related example is taking MS DOS, which had 
no security in it whatsoever, and suddenly saying, we are going 
to build a variant of that that is accessible to everybody in 
the world over the Internet. There is no security in the 
Internet. There is very little security in some of the systems 
that we are dealing with. The result of all of that is that we 
are living in a world where you cannot really guarantee 
anything about protection.
    Authentication and accountability are absolutely 
fundamental. Oversight. Audit trails. It represents an enormous 
problem, but then you have the problem of who can look at the 
audit trail, who can modify the audit trail. It should never be 
modifiable, of course.
    You then have all of the level playing field issues that 
smaller organizations may be very seriously disadvantaged, 
especially by the realtime requirement, where they don't even 
have access to computers at the time that they need it.
    So, I think the bottom line here is that experience has 
taught us over the years, for those of us who have been deeply 
involved in building systems and analyzing them and analyzing 
why they don't work, that systems like EEVS are subject to an 
enormous number of pitfalls. those are anticipated from the 
very beginning, they can never be overcome in an incremental 
way.
    I think the real problem here is that we tend not to 
anticipate all of the problems. We said, oh, let's go and build 
this thing. We are told that it can work. Our subcontractors 
are all very happy to take our money and build it. And, in 
fact, when it doesn't work and it get canceled years later, the 
same guys go off and build another system.
    So, I think the problems here are ones that you really need 
to look at proactively before you engage in any legislation. 
So, on one hand, as a technologist, I can say, well, I could 
build something that might work in the small. However, when you 
scale it up to the massive number of uses over the Internet, 
where they are accessible from anywhere in the world, from any 
hacker, cracker, terrorist, or anybody else who can either 
bring down the system or access it, you have a totally 
different ball game than the one that you think you are dealing 
with.
    Thank you very much for inviting me, and I look forward to 
your questions.
    [The prepared statement of Mr. Neumann follows:]

  Prepared Statement of Peter Neumann, Principal Scientist, Computer 
   Science Laboratory, SRI International, Menlo Park, California, on 
behalf of U.S. Public Policy Committee of the Association for Computing 
                               Machinery

Security and Privacy in the Employment Eligibility Verification System 
        (EEVS) and Related Systems
    This testimony addresses some of the potential pitfalls that should 
be considered when planning systems with extensive computer database 
applications containing personal information, such as the Employment 
Eligibility Verification Systems (EEVS). Many of these concerns are 
also applicable to related programs such as US-VISIT and REAL-ID and to 
peripheral systems that may depend on EEVS or result from 
interconnections among those other systems. Widespread problems have 
arisen in efforts to develop complex systems that must satisfy critical 
requirements for security and privacy; these problems are also 
considered. Furthermore, there is a pervasive tendency to overestimate 
the benefits of computer-related technologies as would-be solutions to 
societal problems. We should not expect easy technological answers to 
inherently difficult problems. People are almost always the weakest 
links, although in many cases the system design and implementation 
create further weak links. A deep awareness of the long-term problems 
is essential before adopting legislation that might promise to help in 
the short term.
1. Introduction
    Thank you, Chairman McNulty and Ranking Member Johnson, for the 
opportunity to testify at today's hearing exploring issues related to 
proposed changes to the EEVS. I commend you for exploring the policy 
and technology issues associated with current proposals to expand and 
make this program mandatory. The computing community has often seen 
problems that resulted from policies established without careful 
consideration of the inherent limitations of technology. This can 
result in serious technical and social hurdles, and can lead to 
problems that are difficult to remediate once they have occurred, but 
that could have been prevented proactively. We hope that your efforts 
can help to avoid such difficulties.
    As Principal Scientist in the Computer Science Laboratory at SRI 
International (formerly Stanford Research Institute), where I have been 
since 1971, and as someone with 54 years of experience related to 
computer and communication technologies, I have explored the 
intersection of technology and policy in numerous contexts, with a 
particular focus on system trustworthiness, security, and privacy 
issues. These areas are particularly relevant to the technology and 
policy nexus because privacy and equal treatment under law are 
fundamental rights; technology can at the same time help secure and 
also undermine those rights--depending on the policies and practices 
for its use. Privacy and security are inextricably linked. One cannot 
ever guarantee complete privacy, but the difficulties are severely 
complicated by systems that are not adequately secure. Creating complex 
systems that are dependably trustworthy (secure, reliable, survivable 
in the face of many adversities, and so on) remains a grand challenge 
of computer science. As we review a proposed expansion to the EEVS, 
USACM sees a number of issues that should be explored, debated, and 
resolved before adopting this massive new system for identity 
verification.
    This statement represents my own personal position as well as that 
of the Association for Computing Machinery's (ACM) Committee on U.S. 
Public Policy (USACM). ACM is a non-profit educational and scientific 
computing society of more than 80,000 computer scientists, educators, 
senior managers, and other computer professionals in government, 
industry, and academia, committed to the open interchange of 
information concerning computing and related disciplines. The Committee 
on U.S. Public Policy acts as the focal point for ACM's interaction 
with the U.S. Congress and government organizations. It seeks to 
educate and assist policy-makers on legislative and regulatory matters 
of concern to the computing community. (See http://www.acm.org and 
http://www.acm.org/usacm.) A brief biographical paragraph is appended.
2. Issues of Specific Concern in the EEVS
    The information transmitted to and stored in EEVS includes all of 
the primary personal identifiers in the U.S. As such, any compromise, 
leak, theft, destruction, or alteration of this data would have severe 
consequences to the individuals involved, including, but not limited 
to, identity theft and impersonation. It is thus essential that the 
system be designed, constructed, and operated with the quality of 
protection that is essentially that required for classified national 
security information.
2.1. Transmission of Information
    Any legislation requiring the transmission of personal information 
across the Internet should require secure transmission of this 
information. Employers and agencies participating in the program should 
be required to have strong encryption, strong authentication, or even 
elementary security (such as Secure Socket Layer, SSL) for 
transmissions to and from employers. Calling out such specific 
technologies and details would be inappropriate for statutory language; 
however, the legislation should include performance-based standards for 
security that limit the exposure of personal information and provide 
accountability for every step in handling and processing this 
information. This will make it clear to agencies that implement the 
system, and employers who use the system, that the security of personal 
information is as valued by policymakers as the reliability and 
timeliness of responses. In the case of EEVS and many other important 
systems, it is much more important to have continuing trust in the 
security and accuracy of the information rather than to get results in 
the shortest possible time.
    We recommend that legislation require that the system be designed 
to protect the integrity and confidentiality of information, that an 
independent security review evaluation be conducted before the system 
is deployed, and periodically after deployment, and that the results of 
these evaluations be made public. The systems and their operation 
should be required to follow Fair Information Practices. See also 
USACM's recommendations for database design (http://www.acm.org/usacm/
Issues/Privacy.htm).
    We further recommend that the legislation require security breach 
notification: if administrators become aware of any breaches that could 
potentially affect personally identifiable information, then they must 
publish a disclosure and must notify all individuals who may be 
affected. Congress could model this after various state disclosure 
laws, such as one recently passed in California.
    We also recommend that individuals be notified whenever someone 
accesses their records. The cost would be small, relative to other 
costs of the system: one letter or e-mail per job application.
2.2. Accountability for Access to Information
    Accountability from the end user to the system administrator is 
vital in a computing system for ensuring the integrity of the system. 
If people are not held accountable for their actions, then policies 
intended to curb abuse will be undermined as users circumvent policies 
to make their jobs easier. One way of improving accountability in any 
computing system is by requiring strong user authentication and access 
controls coupled with thorough tamper-resistant and tamper-evident 
logging of all activity. In addition, all system accesses should log 
who accessed which records, and individuals whose information is stored 
should be informed who has accessed their records. This would then 
allow concerned individuals to detect misfeasance and improper access 
to their records. Each employer should identify a compliance officer 
(distinct from EEVS users). The system should automatically detect 
unusual user behaviors (to the extent technically feasible) and report 
them to compliance officers.
    Some strong controls are clearly needed to explicitly bind the 
access of a particular request to a specific authorized requestor 
acting in a specific role for a specific employer. The same controls 
should be applied to the operators of the system. Names, titles, and 
SSNs of authorized system users are not enough.
    Access controls are also critical if individual employees are going 
to access the system to check their own information. Procedures and 
policy need to be in place to restrict employees' access to only their 
own information. The ability to check the accuracy of one's own 
information is very important. However, such accesses also need to be 
controlled and audited, at least as extensively as the accesses on 
behalf of an employer--particularly to be able to identify systematic 
misuses.
2.3. Scalability
    To date the system has functioned as a pilot program. The pilot has 
about 8,600 employers (June 2006 number) registered, with about half of 
those employers considered active users. This is out of about 5.6 
million employers (as of 2002) that would eventually use the system 
once the law is fully implemented. Just because it seems to work for a 
small number of employers does not imply that it would work for all 
employers. The scalability of EEVS is a very serious architectural 
issue, because it will have to handle at least a thousand-fold increase 
in users, queries, transactions, and communications volumes. As a 
general rule, each time a system grows even ten times larger, serious 
new technical issues arise that were not previously significant.
    At present, eight percent of confirmation requests cannot be 
handled immediately. This percentage needs to be reduced significantly 
as the number of employers increases. This would reduce the frustration 
with the system as well as the additional time required for manual 
confirmation for those records that could not be immediately verified. 
The additional human resources and associated costs necessary to handle 
this burden must be taken into account and included in budgets.
    In general, it is risky to operate a system outside its intended 
design capacity and rely upon it to work under all circumstances, 
unless it has been carefully designed and implemented with scalability 
specifically in mind. Issues relating to inadequate scalability could 
completely compromise the effectiveness of the resulting system.
2.4. Accuracy of Information
    The system has weaknesses about the accuracy of information 
presented to the system by an employee or employer as well as the 
accuracy of the underlying databases.
    Speaking to the first kind of inaccuracies--fraudulent documents--
the GAO has indicated that the Basic Pilot cannot effectively detect 
identity fraud. Proposals to add a digitized photograph to any 
employment authorization document would help make sure the employer 
could confirm that the photograph on the documents matched the employee 
presenting them. However, it is unclear how much this would reduce 
identity theft.
    The inevitable cat-and-mouse game that always occurs in security 
(an ever upward escalating spiral in measures and countermeasures) is 
likely to occur between the security control and those seeking to 
commit fraud. As it becomes known that photo verification is a security 
feature, obtaining official documents under false pretenses will become 
more valuable. This could be done by bribing an insider or providing 
fraudulent documents to obtain the identification. The fraud is simply 
moved to a different part of the system. We also note that requiring 
REAL-ID, as envisioned by the DHS's rules for implementation of the 
REAL-ID system, will not solve the insider threat problem. This was 
pointed out in USACM's comments on the REAL-ID rulemaking. (See the 
``insider threats'' heading in USACM's comments: http://www.acm.org/
usacm/PDF/USACM_REAL_ID_Comments_FINAL.pdf)
    Carefully developed standards for digital photographs are 
necessary--much like those for driver's licenses--although they will 
not be sufficient for the prevention and detection of forgeries.
    Serious areas of concern also exist for the second kind of 
inaccuracies--bad information in the underlying databases, delays in 
entering or revising information, and inconsistencies and name 
confusions among different databases. The Social Security database is 
known to have a high number of errors in name matches, as well as some 
duplicate numbers. For example, the Social Security Administration's 
Office of the Inspector General recently estimated that the SSA's 
`Numident' file--the data against which Basic Pilot checks worker 
information--has an error rate of 4.1 percent. If each of 5.6 million 
employers made a query of a different potential applicant, that 
percentage suggests that on average more than 200,000 of them might get 
false responses.
    The other databases the system will rely on will have similar 
issues. We certainly recognize and endorse the importance of provisions 
that allow individuals to check the correctness of information in the 
system that relates to them. However, a better defined process of 
correcting any erroneous information would be the necessary next step 
in improving the reliability of these databases, and the system as a 
whole. The risks of incorrect information are considerable, although 
establishing standards and procedures for accuracy to avoid those risks 
and to remediate errors and malicious misuse is an extremely difficult 
task. Numerous potential employees could be wrongly denied employment 
because of inaccurate records, if this problem is not addressed.
    Risks of identity theft and privacy violations are also present--
for example, if unauthorized or surreptitious accesses, or even 
changes, can be made. Explicit provisions are needed to protect 
employees and potential employees from adverse consequences of database 
and data entry errors.
    Employers should also be held accountable for misuse of their 
blanket access privileges, such as using the data for running credit 
and insurance checks, engaging in blackmail, and other inappropriate 
purposes.
    USACM encourages Congress to consider undesirable effects of false-
positive and false-negative results. (A false positive is when a 
response indicates someone may be hired, only to be overturned later. A 
false negative would be when a response indicates someone has not been 
confirmed, only to be shown later to be incorrect.) Given the 
possibilities for error, identity theft, and system failure, employers 
should be protected from penalties when acting in good faith, and 
potential employees should be protected against discriminatory 
behavior. This is a policy issue rather than a technical issue, but 
directly arises from using an imperfect system as an arbiter.
    It must be possible for authorized staff, as well as potential 
employees, to challenge incorrect EEVS data and determinations.
2.5 National ID System Concerns
    Although there is no national ID card requirement attached to the 
EEVS, the connections to various databases are similar to the REAL-ID 
system currently proposed by DHS. If the EEVS does store query 
information or holds duplicates of information gleaned from the 
databases it interacts with, then it will have the appearance of a 
national identity system. As the existence of a national ID is not 
authorized by the proposed Senate immigration reform legislation, the 
Department will need to take care to avoid even the appearance of 
providing such documentation. The tradeoffs here are extremely complex, 
but are probably already being discussed in other testimony and other 
hearings.
2.6. Accessibility Issues
    The potential lack of timely and highly available remote access to 
EEVS is another concern. Many small employers may not have Internet 
access or even computers that would allow them to have access. Examples 
might include small shop owners who want to hire clerks, and farmers 
who want a few hired hands. Furthermore, access via slow-speed dial-up 
connections is not likely to encourage consistent system use. Real-time 
confirmation of employability is less likely to occur consistently in 
such cases, and in cases of loss of computing or communication 
connectivity.
    Perhaps even worse, poorly protected systems and poorly trained 
users will probably fall victim to ubiquitous security vulnerabilities 
and malicious software on the Internet. Many casual or novice computer 
system users could become unsuspecting victims of scams, phishing 
attacks, identity theft, and so on--as a consequence of being forced to 
add computing and connectivity to support use of EEVS.
    It is also a certainty that criminal elements will craft phishing 
e-mail appearing to originate from the Department of Homeland Security. 
This would include pointers (URLs) to what appear to be DHS websites 
with the DHS seal and apparent certificates that are essentially 
indistinguishable from the real websites. Unsuspecting users who visit 
these sites might then be victimized, resulting in significant 
financial losses and other serious consequences that typically result 
from identity thefts. Skilled identity thieves are likely to be able to 
scam the system itself more readily than authorized individuals can 
protect themselves or correct data errors.
    A further problem is that many of the computer systems used to 
access EEVS may not have adequate security, and may have been 
compromised. Unfortunately, the security of EEVS itself may be 
subverted by the lack of security in other connected systems (which 
potentially implies the entire Internet).
    For these reasons, despite its possible benefits, EEVS might 
actually make identity theft easier and at the same time make 
remediation and recovery more difficult.
3. Broader Concerns
    The current state of the art in developing trustworthy systems that 
can satisfy critical requirements such as security, reliability, 
survivability, and guaranteed real-time performance is truly very poor. 
This is not a newly recognized problem, and was well documented in 1990 
in a report, Bugs in the Program, by James Paul (Subcommittee on 
Investigations and Oversight of the U.S. House Committee on Science, 
Space, and Technology). Subsequently, I presented four testimonies 
(1997, 1999, 2000, and 2001) for various House committees--each of 
which suggested that the overall situation had incrementally gotten 
worse. Of specific relevance to this testimony was my written testimony 
for the House Subcommittee on Social Security, The Social Security 
Administration: PEBES, Identity Theft, and Related Risks, on May 13, 
1997--now more than 10 years ago. Similar conclusions appear in my 
testimonies for Senate committees (1996, 1997, 1998). (These 
testimonies are all online, with links from my website, http://
www.csl.sri.com/neumann.)
    Software development fiascos abound--including many highly visible 
projects that have been late, over budget, or indeed abandoned after 
many years and large expenditures. My Illustrative Risks compendium 
index (http://www.csl.sri.com/neumann/illustrative.html) cites numerous 
examples such as the IRS and Air Traffic Control modernization programs 
and the FBI Virtual Case File, to cite just a few. See also the PITAC 
report, Cyber Security: A Crisis of Prioritization: http://
www.nitrd.gov/pitac/reports/20050301_cybersecurity/cybersecurity.pdf.
    Privacy problems are also manifold, and becoming increasingly 
complex as ubiquitous dependence on computerized databases increases. 
The extent to which computer systems and databases can enforce privacy 
policies is severely limited by the absence of meaningfully secure 
systems, and by the number of privacy violations occurring outside of 
the confines of the computer systems. Correctness and timeliness of the 
data are also major concerns.
    Several problems with identity management must be addressed. The 
existing infrastructure is riddled with security and reliability 
vulnerabilities, and is not sufficiently trustworthy. Because many of 
the privacy problems are related to total systems (encompassing 
computers, communications, people, and procedures), they cannot be 
adequately protected by technological approaches alone. Identities are 
typically subject to masquerading and spoofing. Name confusions such as 
alternative spellings and aliases cause major confusions. 
Authentication is often compromised by "social engineering" and other 
nontechnological bypasses. Authorization is typically inadequately 
fine-grained (and worse yet, often supposedly all-or-nothing, but 
bypassable). Blanket authorization should be avoided, observing the 
Principle of Least Privilege--under which access authorizations should 
be restricted to just what is needed to accomplish that intended task 
rather than being overly broad.
    It is also worth noting that there are cases where identities need 
to be masked. Examples include individuals protected under the Federal 
Witness Protection Program, individuals granted asylum from other 
countries and given new identities, undercover intelligence agents, 
undercover law-enforcement agents working criminal cases, and sky 
marshals. (Note that the Transportation Security Administration somehow 
lost the employee personnel records for 2003-2005.) All of these people 
need to have verifiable identities that stand up to any scrutiny, 
online or otherwise. Exposure of their real identities may result in 
their violent deaths, compromises of national security, and possible 
violence to their friends and families. Those individuals will likely 
need employment under their alternate identities, and it must be 
ensured that any system implemented for EEVS does not endanger their 
cover identities. The more that databases become cross-linked, the more 
difficult it becomes to prevent errors and leakage of such sensitive 
information. Furthermore, such linkages make these database systems 
higher-value targets for criminals.
    The requirement of masking, aliasing, or otherwise providing 
alternative identities seems to create a fundamental conundrum: 
maintaining the accuracy of a critical database while simultaneously 
undermining its accuracy may impair the accuracy of other data in the 
process.
    Past legislative efforts for improving accuracy and integrity of 
public databases have caused serious problems with the viability of 
other systems. For example, the Help America Vote Act mandated 
statewide-centralized voter registration databases that must verify the 
accuracy of records by matching them with drivers' license records. 
States such as California found that the data-matching requirements in 
practice led to high rejection rates in some counties, depending on how 
strictly the data was interpreted across databases. This had the effect 
of reducing, not improving, voter registration list accuracy, because 
legitimate voters were removed from the rolls because of address typos 
and name variants.
4. Conclusions
    The problems identified in this testimony are fundamental in the 
context of EEVS-like systems. There are many risks. Essential concerns 
for system and data security, system and data integrity, and individual 
privacy must be anticipated from the beginning and reflected throughout 
design, implementation, and operation. Many potential slippery slopes 
must also be anticipated and avoided. Privacy requires a real 
commitment to creating realistic policies and enforcing them.
    Experience has taught us that the design of information systems is 
subject to many pitfalls that can compromise their effectiveness. If 
EEVS is not appropriately implemented, it could--like many past 
systems--be subject to problems that include, but are not limited to, 
the following:

      Difficulties in maintaining accuracy, correctness, and 
timeliness of the database
      Inconsistencies among widely distributed systems with 
distributed data entry
      A popular tendency to place excessive faith in the 
trustworthiness of the system's responses
      A common tendency to place excessive faith in the 
infallibility of identification, authentication, and access controls to 
ensure security and privacy
      The lack of scalability with respect to ever-growing 
enormous databases, massive numbers of authorized users, and consequent 
communication and access limitations
      The complexity of requirements imposed by 
noncompromisible auditing and accountability, both of which introduce 
further problems with respect to system security and integrity and with 
respect to data privacy
      The complexity of audit trails and notification of 
accesses to audit trails themselves
      The risks of exacerbated problems that result from 
mission creep--as further applications tend to be linked to the 
originally intended uses, and as control of the above factors becomes 
less possible
      Similar risks related to feature creep, with or without 
any oversight and audit mechanisms.
      ``Piggybacking'' by other agencies--e.g., law enforcement 
and DHS might want to place silent-hit warnings (as was considered in 
the late 1980s for the National Crime Information NCIC system) that 
would inform them who was seeking information for anyone who was under 
surveillance. Linkages with databases for deadbeat parents, student 
loan defaulters, and other applications might also be contemplated. 
Each such connection would expand the exposure of the system and the 
dangers of incorrect data and data leakage.

    Congress should establish clear policies and required outcomes, 
rather than prescriptive or detailed technical processes or systems. 
The technical challenges to achieving the policies and outcomes should 
be fully documented in the Congressional Record of the legislation.
    Considerably more focused research is needed on total-system 
approaches that address identity authentication, authorization, and 
data protection within the context of overall system architectures for 
security and privacy. (For example, some promising new developments 
enable the use of cryptography to enable certain queries to be answered 
without requiring decryption and release of excessive information in 
violation of the Principle of Least Privilege. These techniques appear 
to be significantly less subject to misuse, including insider misuse.) 
Such approaches may be more effective than trying to rely on biometric 
and other devices whose effectiveness may be compromised by 
technological or operational flaws in the systems in which they are 
placed and errors in human judgment. Finally, incentives are needed to 
ensure that research and innovative prototypes are relevant to the 
real-world problems and to ensure that these advances find their way 
into the development and operation of practical systems.
    Although similar comments can be made about REAL-ID and any other 
national identification systems, all of these concerns are specifically 
relevant to systems such as EEVS.
    We have not attempted to be complete here, but rather to focus on 
the main issues. There are many relevant reports of the Government 
Accountability Office, the National Research Council, and other sources 
that I hope you have already seen. Whereas USACM and I speak from a 
technical perspective, we recognize the political imperatives regarding 
immigration and employment. We urge the Congress to focus on creating 
the right incentives for operators and employers that maximize 
achievement of our immigration laws and each citizen's right to work 
while minimizing privacy invasion, ID theft, and criminal activity. In 
this effort, technology should be seen as a supporting block, not the 
keystone of the arch.
    We look forward to any further questions that might arise from your 
reading of this written testimony or from my oral testimony.
Acknowledgments
    I am particularly grateful to Cameron Wilson (ACM Director of 
Public Policy), David Bruggeman (USACM Public Policy Analyst), Eugene 
Spafford (USACM Chairman, and Professor at Purdue University), Jim 
Horning, and many other members of USACM for their generous help in my 
preparing this testimony on rather short notice.
Contact Information

Peter G. Neumann
SRI International, Computer Science Laboratory
Menlo Park CA 94025-3493
[email protected]
http://www.csl.sri.com/neumann

Personal Background Information
    Peter G. Neumann ([email protected]) has doctorates from Harvard 
and Darmstadt. His first technical employment was working for the U.S. 
Navy in the summer of 1953. After 10 years at Bell Labs in Murray Hill, 
New Jersey, in the 1960s, during which he was heavily involved in the 
Multics development jointly with MIT and Honeywell, he has been in 
SRI's Computer Science Lab since September 1971. He is concerned with 
computer systems and networks, trustworthiness/dependability, high 
assurance, security, reliability, survivability, safety, and many 
risks-related issues such as voting-system integrity, crypto policy, 
social implications, and human needs including privacy. He moderates 
the ACM Risks Forum (comp.risks), edits CACM's monthly Inside Risks 
column, and is the Chairman of the ACM Committee on Computers and 
Public Policy (ACM-CCPP), which serves as a review board for RISKS and 
Inside Risks and is international in scope. He is also a member of 
USACM, which is independent of ACM-CCPP. He created ACM SIGSOFT's 
Software Engineering Notes in 1976, was its editor for 19 years, and 
still contributes the RISKS section. He has participated in four 
studies for the National Academies of Science: Multilevel Data 
Management Security (1982), Computers at Risks (1991), Cryptography's 
Role in Security the Information Society (1996), and Improving 
Cybersecurity for the 21st Century: Rationalizing the Agenda (2007). 
His book, Computer-Related Risks (Addison-Wesley and ACM Press, 1995), 
is still timely--including many of the problems discussed above. He is 
a Fellow of the ACM, IEEE, and AAAS, and is also an SRI Fellow. He 
received the National Computer System Security Award in 2002 and the 
ACM SIGSAC Outstanding Contributions Award in 2005. He is a member of 
the U.S. Government Accountability Office Executive Council on 
Information Management and Technology, and the California Office of 
Privacy Protection advisory council. He has taught courses at 
Darmstadt, Stanford University, the University of California at 
Berkeley, and the University of Maryland. Neumann chairs the National 
Committee for Voting Integrity (http://www.votingintegrity.org). See 
his website (http://www.csl.sri.com/neumann) for prior testimonies for 
the U.S. Senate and House and for the California state Senate and 
Legislature, publications, bibliography, and further background.
    Dr. Neumann is Principal Investigator for two SRI projects that are 
relevant to this testimony:

      Privacy-Preserving Credentials, one of several 
subcontracts from Dartmouth College, Assessable Identity and Privacy 
Protection, funded by the Department of Homeland Security, 2006-CS-001-
000001-02, FCDA #97.001. The SRI project is part of a collaborative 
team project jointly with the University of Illinois at Urbana-
Champaign, Cornell, Purdue, and Georgia Tech. The project is 
contributing some highly innovative cryptographic research and 
extensive system experience to the application of practical techniques 
for advanced identity management with demonstrations of applications 
that will include health care and finance but that have significant 
relevance to identity management generally.
      A Center for Correct, Usable, Reliable, Auditable and 
Transparent Elections (ACCURATE), NSF Grant number 0524111. ACCURATE is 
a collaborative effort with colleagues at Johns Hopkins, Rice, the 
University of California at Berkeley, Stanford, the University of Iowa, 
and SRI. It is examining techniques and approaches for voting systems, 
with particular emphasis on security, integrity, and privacy. SRI

    Neumann contributes to the following DHS project:

      Cyber Security Research and Development Center (CSRDC), 
Department of Homeland Security, Science and Technology Directorate, 
DHS Contract HSHQDC-07-C-0006 to SRI International. CSRDC is providing 
extensive support for S&T Program Manager Douglas Maughan's R&D 
program. (http://www.csl.sri.com/projects/csrdc and http://
www.cyber.st.dhs.gov)

                                 

    Chairman MCNULTY. Thank you very much.
    The Members will now run over to the House floor to vote. 
There are 5 minutes left on this vote, and the next vote will 
be directly afterward, so we should be able to vote and 
hopefully only be gone for 15 minutes. When we return, we will 
hear from Mr. Rotenberg, and then allow for questions. Thank 
you for your patience.
    [Recess.]
    Chairman MCNULTY. The hearing will come to order. Sorry for 
the delay. We know that your time is very valuable, and we very 
much appreciate the fact that you are spending some of it with 
us here today.
    We have heard from the first four witnesses on this panel, 
and we will now hear Mr. Rotenberg.

  STATEMENT OF MARC ROTENBERG, EXECUTIVE DIRECTOR, ELECTRONIC 
                   PRIVACY INFORMATION CENTER

    Mr. ROTENBERG. Thank you very much, Chairman McNulty and 
Ranking Member Johnson, Members of the Subcommittee. Thank you 
for the opportunity to testify today.
    My name is Marc Rotenberg. I am Executive Director of the 
Electronic Privacy Information Center. We are a public interest 
research organization here in Washington, D.C. We track 
emerging privacy issues. We have also frequently been before 
the Subcommittee to discuss the privacy impact of proposals 
that involve the use of the Social Security number and SSA 
records.
    We recently did a detailed report on the employment 
verification systems that are contemplated in both the Senate 
and the House bills. That report is simply titled, ``National 
Employment Database Could Prevent Millions of Citizens from 
Obtaining Jobs.'' I would like to add that it be included in 
the hearing record as part of my statement, if that is okay.
    Chairman MCNULTY. No objection.
    Mr. ROTENBERG. Thank you. I would like to today highlight 
the key findings of our report. The central conclusion that we 
reached is that the employment verification system has 
significant weaknesses. It will pose enormous burdens for 
employers, and put the privacy rights of American workers at 
substantial risk.
    It will also give the Federal Government an extraordinary 
amount of new power over the lives of Americans, as well as 
greatly expand the role of the Department of Homeland Security 
in the American labor force.
    I want to say a word about the Department of Homeland 
Security. As Mr. Johnson mentioned earlier, there is, of 
course, this very significant concern about the misplaced disk 
drive that contained the employment records of 100,000 TSA 
employees who had been hired between January 2002 and September 
2005. I think it is important to understand the significance of 
this particular incident.
    You have heard a great deal of testimony this morning about 
the problem of record accuracy. No doubt, if you scale up the 
Basic Pilot Program, the number of workers who may face 
determinations that say they may not be eligible to work unless 
they, in effect, clear their status is going to grow 
dramatically.
    You haven't heard very much about new threats to privacy 
and security that these proposals raise. I believe that is a 
key problem that the Department of Homeland Security has helped 
identify because by misplacing the records that they did on the 
TSA employees, they have, in effect, brought attention to the 
problem of identity theft and security breaches, which are 
significantly increasing in the United States. In fact, the 
Federal Trade Commission has reported that identity theft is 
now the number one concern of American consumers. A big 
contributor to that problem is the extraordinary collection of 
personal information.
    I will say a few words about the current design of this 
system. As other witnesses have noted earlier, the proposal to 
consolidate so much personal information in these centralized 
government databases does significant increase the risks to 
privacy.
    Now, it is our view that the SSA has done a good job over 
the years trying to narrow the use of the Social Security 
number and Social Security records for the appropriator 
legislative purposes. Of course, when another agency comes 
forward and proposes new expanded uses of the Social Security 
number, then new privacy issues arise.
    Now, both bills state that the database access will be 
limited to authorized users only. However, it is very easy to 
understand the circumstances under which others could get 
access to these record systems. Dr. Neumann has described the 
various ways under which computer systems can be compromised 
through weak security. It is also a result of the insider 
access to the record systems that would result as well.
    I would like to say a word about the role that the REAL ID 
act plays in the legislation that is under consideration in 
both the Senate and the House. As you know, there is a lot of 
opposition to the implementation of the REAL ID Act. The 
statute, which was passed in February of 2005, went forward 
without a vote, without a public hearing.
    Since that time, more than a dozen states have passed bills 
to oppose the implementation of REAL ID in their states. Four 
states have actually said that they would not have a REAL ID 
requirement.
    Now, this is a fact worth keeping in mind as you look at 
these legislative proposals because the Department of Homeland 
Security is proposing that the REAL ID document be used as one 
of the ways to establish employment eligibility. In fact, the 
Senate bill would make non-REAL ID-compliant documents of no 
use for establishing employment eligibility by the year 2013, 
which means you could actually have a situation, if the 
legislation passes and REAL ID is not implemented, that there 
would be no documents available to authenticate employment 
eligibility.
    Well, let me conclude, Members, if I may briefly with a few 
key recommendations. I think there are some things that could 
be done.
    Obviously, the data accuracy issue has to be addressed 
before the system is scaled. I think the systems of 
accountability for the dramatically expanded role for the 
Department of Homeland Security, particularly the ability to 
essentially require biometric identification and perhaps the 
collection of fingerprints, that needs to be examined. I think 
the REAL ID provision needs to be revised.
    Finally, these proposals, very costly proposals, to try to 
make the Social Security card tamper-proof, incorporating 
biometric identity factors--even if those were to go forward, 
as other witnesses have testified, I think you would be right 
back in a couple of years trying to design a new card when the 
flaws in the current card are uncovered.
    Thank you very much for your time.
    [The prepared statement of Mr. Rotenberg follows:]

 Prepared Statement of Marc Rotenberg, Executive Director, Electronic 
                       Privacy Information Center


        [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


    Chairman MCNULTY. Thank you, Mr. Rotenberg. Thanks to all 
of you for your testimony, and for the clarity of your 
testimony. As a matter of fact, I had a number of questions 
prepared for several of you, but you answered them quite 
clearly in your testimony.
    I do want to ask Ms. Moran, because we have been discussing 
the database discrepancies in the abstract, if you could 
provide us with a real-life example of how the problems with 
the databases affect people.
    Ms. MORAN. Sure. We provide technical assistance to a lot 
of labor unions and immigrant organizations across the country. 
In fact, we just got a technical assistance call last week from 
a woman in North Carolina. She is Honduran. She had temporary 
protected status. She was work-authorized. She presented her 
documents. She worked at a hog plant. When the company put her 
information in the system, SSA said the stuff didn't match.
    The long story short is from January to April she went back 
to Social Security Administration four times to try to fix the 
error in the database. Because it wasn't fixed, ultimately the 
company fired the woman and she was without a job.
    So today, she could theoretically go to another company and 
get a job, but under this new system, if she were fired, she 
wouldn't be able to go get a new job. Under the proposal that 
is in the Senate right now, she wouldn't be able to get back 
wages. She wouldn't be able to get attorneys fees. She could be 
out of--a low-income worker could be out of a job for a number 
of months.
    So, that is just one example of many to show, really, it is 
pretty serious, talking about people's livelihood here.
    Chairman MCNULTY. Thank you. We just received information 
that there was a cloture vote in the Senate, and it failed 55 
to 42. There is going to be another vote at 5:00, so there is a 
very real question about how far this bill is going to go now. 
If it goes anywhere, we want to be prepared for it.
    I will now call on the Ranking Member of the Subcommittee, 
Mr. Johnson, to inquire.
    Mr. JOHNSON. Thank you, Mr. Chairman. I appreciate that.
    I wonder if all of you could comment, maybe. Many have 
advocated the use of biometric ID as an effective way to 
confirm a person's identity. I would like your comments and 
what you think of a biometric ID. Is it the right or wrong way 
to go, and why?
    Ms. MORAN. I will refer to the technology people on that.
    Ms. MEISINGER. I believe that there is some use of 
biometric information. I think it should be voluntary for the 
employers who can afford to develop the system and work with 
the system, but I think the technology is there. I think 
biometric information has the advantage of being carried with a 
person wherever they go, and you don't need a card for it if 
you can have it locked in with other identification that may be 
in the system.
    I think there are ways now--and I am not a technologist so 
I am going to defer--to build a system where it is not 
centralized in one government agency, which I agree, I think, 
is very troublesome to many people, the thought that this would 
all be in some centralized database.
    Right now companies do reference checks on a regular basis. 
Data mining takes place. They go out with public data sources--
where people lived, whether their house was on that street, 
what the name on the mortgage was--those sorts of things in 
terms of to link the person.
    I just think that what we would like to see is some 
technology experts coming together, privacy as well as 
employers and government, to sort through what is possible that 
balances. I don't think there is anything that we will ever 
develop that provides an absolute protection against privacy 
because you can't control people's behaviors, but I think there 
are ways to design something that gets closer to what everybody 
is trying to get done than what is being proposed here.
    Mr. JOHNSON. Well, I will tell you, when we had the eye 
scan out at the airport, which Homeland Security can't get back 
in again, as you know, I used to like to go to the airport 
because I would look in that thing and it would say, hello, Mr. 
Johnson.
    Mr. AMADOR. I have to say that from our perspective, as was 
just mentioned, it should be voluntary, because the employers 
are of different sizes and levels of sophistication. Most 
employers in the United States do not have an HR division and 
an inside legal counsel.
    So, what might be easy for one of the over 7 and a half 
million employers in the United States, about 2 million of 
those are basically self-employed individuals. Those machines 
are actually right now, and maybe the technology would improve 
and it will be cheaper, as has happened with computers and 
others, but right now those card readers are very expensive for 
somebody to----
    Mr. JOHNSON. Well, you are advocating a private enterprise 
operation versus government, I think, in that instance.
    Mr. AMADOR. Correct.
    Mr. JOHNSON. Yes. Dr. Neumann?
    Mr. NEUMANN. I would like to generalize your question just 
a little bit because when you start to talk about biometrics, 
the question is, how are they embedded in the overall system? 
You have the problem of nonsecure operating systems and 
application software, you have the problem of supposedly smart 
and secure and tamper-proof smart cards that aren't, and then 
you have the biometrics.
    Well, some biometrics are actually potentially pretty good. 
When they first put the photo and the face recognition stuff in 
the Palm Beach Airport, they could only recognize 40 percent of 
the people. We are photographed with perfect lighting, and that 
system was a failure. Well, then, we will increment it up a 
little bit, and we will get it to 50 and 60 and 70, but most of 
these systems have the fundamental problem. The gummy bear 
story is one of the examples of the fingerprint system. There 
was a demonstration at Asiacrypt a couple of years ago where 
somebody had taken essentially an imprint of a thumb on a gummy 
bear and was able to get through all of the fingerprint 
detection systems that were being demonstrated.
    Mr. JOHNSON. Really?
    Mr. NEUMANN. The next version of that is you cut off the 
thumb, of course, and----
    Mr. JOHNSON. Well, according to you, there is not a system 
that can be devised that can't be circumvented.
    Mr. NEUMANN. Well, one of my colleagues has in fact 
essentially broken every smart card. This is Paul Kotcher, who 
has done differential power analysis. Just by determining the 
power consumption of the crypto chip, he can extract the secret 
key. There are some high tech solutions, but I think we are in 
this escalating spiral, where we continually believe that if we 
throw more technology at it, it will solve the problem. Then 
there turns out to be an utterly trivial countermeasure that 
completely defeats it.
    In many cases, it is, for example, that a cryptography key 
is stored in memory or a password is pasted up on a Post-It. 
So, in many cases, it is a very simple attack. Here you have 
built this very complex system, and discovered that there is 
some utterly trivial way of breaking it.
    Mr. JOHNSON. Thank you. Mr. Rotenberg, do you have a 
comment?
    Mr. ROTENBERG. Yes. I was just going to say briefly that 
one of the obvious problems with the biometric identifiers is 
that when they are compromised, you have a real problem. You 
can change a credit card number or a bank account number, but 
it is not so easy to change the digital representation of your 
fingerprint or your eye scan.
    It was interesting to us also because we have been studying 
the identity systems that the Department of Homeland Security 
has been pursuing. One of the identity systems that they 
developed, the digital access card, the DAC, was originally 
designed with only a biometric identifier. They decided that 
was actually a too-risky approach for Federal employees, so 
they have included a PIN number as a backup to the biometric. I 
think it is a recognition on their part that there are going to 
be problems with biometrics.
    Mr. JOHNSON. Thank you. Thank you, Mr. Chairman.
    Chairman MCNULTY. Thank you.
    Mr. Brady may inquire.
    Mr. BRADY. Thank you, Mr. Chairman. Thanks for holding this 
hearing. I think this is one of the most overlooked issues in 
the Senate debate right now, and may be an area where this 
Committee can play a big role in this whole debate.
    Listening to the panel, the second panel, I think they have 
exposed two myths in this discussion. The first is that any 
Federal agency will be ready in 18 months to reliably and 
accurately verify employment and identification. It is not a 
criticism of the agencies. The task is simply overwhelming. The 
data that is currently available is unreliable. The pilot 
programs we have had in place have too many question marks. It 
is like we are trying to stand an elephant on a toothpick and 
hoping it will hold. It likely won't, and we know it in 
advance.
    The second myth is that any single document, including a 
national ID card, is necessary or in fact desirable in this. I 
am not in the black helicopter caucus, but the truth is I think 
using multiple documents tailored more--the truth of the matter 
is some workers will be very easily verifiable. Others will be 
very difficult. We ought to have a system that is flexible 
enough to deal with that, and it seems this Committee Chairman 
ought to be exploring some innovative partnership between 
government and the cutting-edge private companies that are 
today verifying ID instantaneously, both for companies and for 
the government itself; find a way where it is more 
decentralized so you don't have a single, as Dr. Neumann said, 
hacker, cracker, or terrorist, I think was the phrase, able to 
break it. We have examples today.
    Two questions. Mr. Amador, GAO says the cost of a 
completely verifiable system will be about $11.7 billion a 
year, much of it borne by employers and workers. Can you talk a 
little about that?
    Ms. Meisinger, Mr. Ryan wanted to ask about the background 
checks that help confirm identity. From what databases do they 
draw?
    So, Mr. Amador.
    Mr. AMADOR. Yes. Last year--actually, in 2005, GAO 
testified and they said it would be that much. I since have 
called them, and I was trying to find out, well, how do you 
split it up? They didn't have a rigid split, but what they 
said, that would be the cost because you will be adding 96 
percent of employers to a system. You have to find out a way of 
also making it telephonic.
    So, they said that in addition to considering the fact that 
you have to hire more verifiers, modernize the system, and 
purchase and monitoring additional equipment, employers would 
also need to train employees to comply with the new law 
requirements and devote a great deal of human resources staff 
to verifying and re-verifying the workforce.
    Currently, under the I-9 system, the estimate is that we 
spend about 12 million working hours verifying the 50 to 60 
million of individuals that are hired, either--some people are 
hired more than once in a year. Some people have more than one 
job, but somebody is doing the hiring.
    There is also the cost of keeping these documents, filing. 
The requirements in the Senate right now, which we know are too 
many, too much, are requiring that you keep these documents for 
like 7 years. We think that is obviously too long, especially 
when you have a turnover rate that is very high.
    Resolving data errors is going to be a new additional cost 
that is going to be more complicated and expensive than it is 
under the current system. A new issue is going to be dealing 
with wrongful denial of eligibility when you get a tentative 
nonconfirmation.
    What they are looking at is the employer is going to have 
to start making calls because of course you cannot fire the 
individual until you go through the entire process. In the 
Senate version, the shortest period that it could take is 152 
days. So, you have an employer dealing with days and an 
employee that is going to have to be taking time off from work 
to go in person to an SSA office to try to resolve all these 
things.
    So, when they put all of these things together, they are 
just not looking at how much the one inquiry costs. They are 
saying, well, how did the entire thing cost? How much was spent 
in hours from the employer's perspective and from the employee 
perspective in addition to the government's perspective? And 
that is when, again, they were using that number when they were 
trying to ask for more funding. I notice that now they are 
trying to use lower numbers.
    It is also important to mention that I think the number is 
based on the study that came in 2002, the Westat study that 
everybody--the independent study that has been mentioned 
before. There is a new study. Tyler mentioned it. The Chamber 
has been trying to get a copy of it. DHS has it, and we would 
like to have your help in trying to find out if they maybe 
broke down this number, and some other information in it.
    Mr. BRADY. Thank you.
    Ms. Meisinger, I am not suggesting background checks on 
everyone. The point is, oftentimes using multiple sources you 
can verify quicker and more accurately.
    Ms. MEISINGER. I think if you think of some times when 
you've gone online and people ask you for background questions 
that you might answer--mother's maiden name, street that you 
lived in when you were young--those sorts of things are really 
embedded in databases that exist in a public format.
    I think that would be the recommendation, that it would be 
public formats, public databases. Criminal records are one that 
reference checkers always go into and look at. Depending on the 
level of depth that you are going through, you will go to the 
FBI. Sometimes it will just be local. It depends on the job.
    There are state laws now that require this sort of in-depth 
background check for certain types of jobs. If it is somebody 
working with children, frequently they will have a much more 
in-depth background check to try and make sure they know 
everything they can know about that person, including that the 
person is who they say they are.
    Mr. BRADY. So, you use different sources for different 
types of jobs and different needs.
    Ms. MEISINGER. Different sources. Right.
    Mr. BRADY. Which I think it would be difficult to 
accomplish by people in the single agency or double agency.
    Ms. MEISINGER. Well, and I think right now you have got 
credit companies, check companies that track people's credit 
history. There is a competitive market to try and make sure 
that you are the most accurate, the most reliable, respond the 
quickest to the customers. I think you want to build that same 
sort of environment.
    Mr. BRADY. Right. Thank you.
    Thank you, Mr. Chairman.
    Chairman MCNULTY. Thank you very much. On behalf of Mr. 
Johnson, Mr. Brady, and all the Members of the Committee, we 
want to thank each of you for your expert testimony. It has 
been extremely helpful.
    We would ask that as the process moves forward, we may keep 
in contact with you for your response to questions by our 
Members and our staff outside of the formal setting of a 
hearing, so that we are able to contact you on a more immediate 
basis.
    I would just like to say for myself that as I have looked 
at the Social Security agency and the many challenges that it 
faces, we have been tremendously distressed with the lack of 
progress on the issue of the disability backlog, which we have 
been trying to work on for a long time now.
    I think it is an unmitigated disaster and I don't want to 
see it compounded by another disaster. If you can help us in 
that regard, we are deeply grateful.
    This Committee hearing is adjourned.
    [Whereupon, at 12:17 p.m., the hearing was adjourned.]
    [Submission for the Record follows:]

    On behalf of the 11,000 front-line Border Patrol employees that it 
represents, the National Border Patrol Council thanks the Subcommittee 
for holding a hearing to examine various methods of verifying the 
employment eligibility of workers in the United States. There is now 
near-universal agreement with the 1994 finding of the U.S. Commission 
on Immigration Reform that ``reducing the employment magnet is the 
linchpin of a comprehensive strategy to reduce illegal immigration.'' 
There is no consensus, however, regarding the best method for 
accomplishing that goal. The Immigration Reform and Control Act of 1986 
made it a crime to hire illegal aliens, but failed to provide employers 
with a simple and effective means of verifying the authenticity of the 
numerous documents that were permitted to be used to prove eligibility 
to work in this country. Thus, it is nearly impossible to establish 
that an employer ``knowingly'' hires illegal aliens, rendering the 
current law largely unenforceable and meaningless.
    The Illegal Immigration and Immigrant Responsibility Act of 1996 
required the Attorney General to conduct three pilot programs of 
employment eligibility confirmation: the basic pilot program, the 
citizen attestation pilot program, and the machine-readable-document 
pilot program. Of these, the basic pilot program, now known as the 
Employment Eligibility Verification System, has emerged as the most 
widely-utilized system. Although it is relatively inexpensive and easy 
to use, it is also extremely susceptible to identity fraud, wherein 
legitimate information is used by imposters. This was highlighted by 
the recent Bureau of Immigration and Customs Enforcement raids against 
several Swift & Company plants, in which nearly thirteen hundred people 
who were cleared to legally work under the provisions of the Employment 
Eligibility Verification System were arrested for being in the country 
in violation of our immigration laws. Although the current amount of 
fraud under that system is relatively low, that is due to the fact that 
only a very small percentage of companies are participating in the 
program, and most illegal aliens opt to seek employment in companies 
that do not use it. If its use became mandatory, however, the amount of 
fraud would undoubtedly increase exponentially. The Federal Trade 
Commission estimates that about ten million Americans are victimized by 
identity theft annually. With such a large universe of compromised 
identities to draw from, criminals would have no problem supplying 
illegal aliens with new identities to circumvent the system. Moreover, 
the information contained in the Social Security Administration's 
databases contains a number of inaccuracies, especially concerning 
citizenship. In fact, a recent study by the Office of Inspector General 
of the Social Security Administration found that at least 100,000 non-
citizens are provided with bona fide Social Security numbers every year 
based on invalid immigration documents. That report also acknowledged 
that the agency has no way of knowing how many Social Security numbers 
have been improperly issued to illegal aliens.
    The other two employment eligibility confirmation pilot programs 
suffered from similar shortcomings. The citizen attestation pilot 
program was limited to non-citizens, and was not designed to verify the 
validity of claims of citizenship, but only identity. Thus, this 
program was by far the most vulnerable to fraud, as well as the least 
useful of the experimental programs. The machine-readable-document 
pilot program relied upon State-issued identity documents that met 
specified criteria, and matched that to the information contained in 
Social Security Administration and Immigration and Naturalization 
Service databases. Because only one State's driver's licenses met the 
specified criteria at that time, this test was quite limited in scope. 
Moreover, its reliability was diminished by its reliance upon the 
aforementioned incomplete and inaccurate databases.
    The National Border Patrol Council believes that it would be unwise 
to expand any of these experimental systems, but rather recommends that 
the lessons learned from them be used to construct a workable and 
effective system.
    Such a system must utilize a single, counterfeit-proof, machine-
readable document that contains a recent digital photograph, as well as 
embedded biometric information. Since every authorized worker in this 
country is issued a Social Security number, the logical choice for this 
document is the Social Security card. Instead of relying upon 
information contained in one or more incomplete or inaccurate databases 
to check for employment eligibility every time a person applies for a 
job, the system should verify that information conclusively prior to 
issuing the new secure document. Then, when an applicant presents the 
employment eligibility document to a prospective employer, the only 
check that would need to be made is a determination of whether or not 
the document is genuine, and that could easily be accomplished through 
means of an electronic reader. At the same time, this process would 
provide the Department of Homeland Security with a record of all 
employment inquiries, which would facilitate its worksite enforcement 
efforts. It would be a simple matter for investigators to spot-check 
for compliance by matching employment inquiries with payroll and income 
tax withholding records.
    H.R. 98, the ``Illegal Immigration Enforcement and Social Security 
Protection Act of 2007,'' would mandate the establishment of such a 
system, and would also provide the enforcement mechanism and resources 
to ensure compliance therewith. This would effectively eliminate the 
employment magnet, allowing the Border Patrol and other law enforcement 
agencies to concentrate their scarce resources on stopping terrorists 
and other criminals from entering the United States. Such a system 
would have the added benefit of greatly reducing the amount of identity 
theft involving Social Security numbers.
    The consequences of inaction and/or delay are dire. Open borders 
are an open invitation to further terrorist attacks. These measures 
need to be enacted swiftly in order to safeguard our Nation.

                                  
