b"<html>\n<title> - SECURING AMERICANS' IDENTITIES: THE FUTURE OF THE SOCIAL SECURITY NUMBER</title>\n<body><pre>[House Hearing, 115 Congress]\n[From the U.S. Government Publishing Office]\n\n\n\n \n                    SECURING AMERICANS' IDENTITIES:\n\n                THE FUTURE OF THE SOCIAL SECURITY NUMBER\n\n=======================================================================\n\n                                HEARING\n\n                               before the\n\n                    SUBCOMMITTEE ON SOCIAL SECURITY\n\n                                 of the\n\n                      COMMITTEE ON WAYS AND MEANS\n                     U.S. HOUSE OF REPRESENTATIVES\n\n                     ONE HUNDRED FIFTEENTH CONGRESS\n\n                             SECOND SESSION\n\n                               __________\n\n                              MAY 17, 2018\n\n                               __________\n\n                          Serial No. 115-SS09\n\n                               __________\n\n         Printed for the use of the Committee on Ways and Means\n         \n         \n         \n         \n         \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]         \n\n\n\n\n               U.S. GOVERNMENT PUBLISHING OFFICE\n                   \n33-871                   WASHINGTON : 2019       \n\n\n\n\n                      COMMITTEE ON WAYS AND MEANS\n\n                      KEVIN BRADY, Texas, Chairman\n\nSAM JOHNSON, Texas                   RICHARD E. NEAL, Massachusetts\nDEVIN NUNES, California              SANDER M. LEVIN, Michigan\nDAVID G. REICHERT, Washington        JOHN LEWIS, Georgia\nPETER J. ROSKAM, Illinois            LLOYD DOGGETT, Texas\nVERN BUCHANAN, Florida               MIKE THOMPSON, California\nADRIAN SMITH, Nebraska               JOHN B. 
LARSON, Connecticut\nLYNN JENKINS, Kansas                 EARL BLUMENAUER, Oregon\nERIK PAULSEN, Minnesota              RON KIND, Wisconsin\nKENNY MARCHANT, Texas                BILL PASCRELL, JR., New Jersey\nDIANE BLACK, Tennessee               JOSEPH CROWLEY, New York\nTOM REED, New York                   DANNY DAVIS, Illinois\nMIKE KELLY, Pennsylvania             LINDA SANCHEZ, California\nJIM RENACCI, Ohio                    BRIAN HIGGINS, New York\nKRISTI NOEM, South Dakota            TERRI SEWELL, Alabama\nGEORGE HOLDING, North Carolina       SUZAN DELBENE, Washington\nJASON SMITH, Missouri                JUDY CHU, California\nTOM RICE, South Carolina\nDAVID SCHWEIKERT, Arizona\nJACKIE WALORSKI, Indiana\nCARLOS CURBELO, Florida\nMIKE BISHOP, Michigan\nDARIN LAHOOD, Illinois\nBRAD R. WENSTRUP, Ohio\n\n                     Gary J. Andres, Staff Director\n\n                 Brandon Casey, Minority Chief Counsel\n\n                                 ______\n\n                    SUBCOMMITTEE ON SOCIAL SECURITY\n\n                      SAM JOHNSON, Texas, Chairman\n\nMIKE BISHOP, Michigan                JOHN B. LARSON, Connecticut\nVERN BUCHANAN, Florida               BILL PASCRELL, JR., New Jersey\nMIKE KELLY, Pennsylvania             JOSEPH CROWLEY, New York\nTOM RICE, South Carolina             LINDA SANCHEZ, California\nDAVID SCHWEIKERT, Arizona\nDARIN LAHOOD, Illinois\n\n\n                            C O N T E N T S\n\n                               __________\n\nAdvisory of May 17, 2018 announcing the hearing\n\n                               WITNESSES\n\nNancy Berryhill, Acting Commissioner, Social Security \n  Administration\nElizabeth Curda, Director, Education, Workforce, and Income \n  Security, Government Accountability Office
\nSamuel Lester, Consumer Privacy Counsel, Electronic Privacy \n  Information Center\nPaul Rosenzweig, Senior Fellow, R Street Institute\nSteve Grobman, Senior Vice President and Chief Technology \n  Officer, McAfee, LLC\nJeremy A. Grant, Coordinator, Better Identity Coalition\nJames Lewis, Senior Vice President, Technology Policy Program, \n  Center for Strategic and International Studies\n\n                    MEMBER QUESTIONS FOR THE RECORD\n\nRep. Sam Johnson to Elizabeth Curda\nElizabeth Curda Response\nRep. Sam Johnson to Jeremy A. Grant\nJeremy A. Grant Response\nRep. Sam Johnson to Steve Grobman\nSteve Grobman Response\nRep. Sam Johnson to Paul Rosenzweig\nPaul Rosenzweig Response\n\n                   PUBLIC SUBMISSIONS FOR THE RECORD\n\nNAPBS, statement\n\n\n                    SECURING AMERICANS' IDENTITIES:\n\n\n\n                THE FUTURE OF THE SOCIAL SECURITY NUMBER\n\n                              ----------                              \n\n\n                         THURSDAY, MAY 17, 2018\n\n             U.S. 
House of Representatives,\n                       Committee on Ways and Means,\n                           Subcommittee on Social Security,\n                                                    Washington, DC.\n    The Subcommittee met, pursuant to notice, at 10:08 a.m., in \nRoom 1100, Longworth House Office Building, the Honorable Sam \nJohnson [Chairman of the Subcommittee] presiding.\n    [The advisory announcing the hearing follows:]\n    \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    \n       \n                               \n    Chairman JOHNSON. Good morning and welcome to today's \nhearing on the future of the Social Security number.\n    The Social Security card and the Social Security number \nwere created in 1936, believe it or not, so the Social Security \nAdministration could track earnings and correctly determine \nbenefits. Today's use of Social Security numbers for \neverything--you need one. So when you get a job, buy a house, \nor open a new credit card (sic).\n    Given all the ways we use it, it is no wonder Social \nSecurity numbers are a valuable target for identity thieves. \nFor years, I have been dedicated to doing all I can to protect \nAmerica--Americans from identity theft by protecting the \nprivacy of Social Security numbers. Military IDs no longer use \nSocial Security numbers, and Medicare is now sending new cards \nwithout numbers, Social Security numbers, to seniors across the \ncountry. And last year Congress made all federal agencies stop \nmailing documents that contain Social Security numbers unless \nit is absolutely necessary.\n    For a long time keeping Social Security numbers secret \nmeant keeping them safe. But after so many high-profile data \nbreaches like Equifax, OPM, and Anthem, where hundreds of \nmillions of Social Security numbers were stolen, it is clear \nthey aren't a secret anymore. 
And it is time we stop pretending \nthat they are.\n    Make no mistake, it is still important to limit the \nunnecessary use of Social Security numbers. But if we want to \nkeep pace with identity thieves, we need to think beyond just \nkeeping them.\n    As we will hear today, what makes these numbers so valuable \nto identity thieves is how we use them. Using Social Security \nnumbers both to identify someone and to prove their identity \ndoesn't make sense. But we have been doing it forever. We need \nto break the link between identification and authentication.\n    We will also hear from Social Security about what it takes to \nget a new Social Security number when it has been stolen and \nwhy it is often harder to do than it should be. I recently \nlearned of a case in Arizona where the mother of a child whose \nSocial Security number had been stolen was told she needed to \nchange her daughter's name and last name--first, middle, and \nlast name--before her daughter could get a new Social Security \nnumber. Can you believe that? That is wrong.\n    But what is worse is that having to change your name isn't \nSocial Security's policy. It was an extra hoop to jump through \nmade up by a field office employee. While I am happy the little \ngirl eventually got a new number without having to change her \nname, getting a new number shouldn't be so difficult. It \nshouldn't take a local news story or a call from a \ncongressional office for Social Security to do right by those \nlooking for help.\n    Identity theft is on the rise, and we must take a hard look \nat the future of Social Security numbers, both how it is used, \nand if Social Security needs to do things differently. We have \na responsibility to do all we can to better protect Americans \nfrom identity theft.\n    I want to thank our witnesses for being here today and I \nlook forward to hearing your testimony, all of you.\n    And I will now recognize Mr. Larson for his opening \nstatement.\n    Mr. 
LARSON. Well, thank you, Mr. Chairman, and let me echo \nyour sentiments and also acknowledge that you have been a \nleader in the United States Congress, both in protecting the \nintegrity of the Social Security program from fraud and abuse, \nand certainly, in this case, of identity theft which threatens \nthe entire system.\n    As you indicated, Mr. Chairman, the recent data breach at \nEquifax has left more than 145 million people wondering whether \nthey will have their identity stolen or credit damaged. Their \nability to get a mortgage, a small-business loan, or even a job \nis at the whim of criminals, who have stolen information to \nwreak havoc on their financial security.\n    It doesn't matter if you are in Plano, Texas or you are in \nEast Hartford, Connecticut, or whether you are 6 weeks old or \n96 years old. Cyber criminals don't care. Their only interest \nis in profiting from your identity in a way that makes them as \nmuch money as possible. Unfortunately, Equifax is just one in a \nlong list of data breaches where personal information about \nhard-working men and women has been compromised, including \nSocial Security numbers, which is the subject of today's \nhearing.\n    The problem of identity theft is well known and it affects \nour entire economy. We need to come together in a bipartisan \nway to strengthen privacy protections and safeguard financial \nsecurity. And I thank you, Mr. Chairman, for your continued \nefforts in reaching out along those lines, as well.\n    What is clear, that all users of Social Security numbers, \nboth government and business, need to change their ways. The \nwidespread use of Social Security numbers as a way to both \nidentify and authenticate individuals poses an ongoing risk of \nidentity theft. This practice assumes that only I have access \nto my Social Security Number.\n    But given the extensive data breaches, this is no longer a \nsafe assumption, as I believe our witnesses will all agree. 
\nThere is a role here both for government and for industry.\n    Unfortunately, there are steep headwinds in this fight. The \npace of innovation in the technologies used by cyber criminals \npresent a very difficult and foreboding challenge. At the same \ntime, we must be sure that the solutions to better protect \npersonal information are accessible to all Americans, even \nthose of us who are less adept at the new technologies.\n    Finally, we must keep Americans' privacy concerns in mind \nabout how data is collected about individuals, how it is used, \nand who controls it. Just as we must come together to protect \nAmericans' personal identity information, we should also come \ntogether to protect the future of Social Security itself.\n    I know my dear friend and colleague shares my concern in \nthis. I think we need to have a hearing on the future of Social \nSecurity itself. We have proposed bills and legislation. It is \ntime that we expand the most successful program in the Nation's \nhistory, knowing that as we go forward it is important to \nprotect it at its very heart to secure it from fraud and abuse, \nbut also to understand that this is an insurance program that \nneeds to be made actuarially sound, that was last touched in \n1983, when Ronald Reagan was President and Tip O'Neill was \nSpeaker of the House.\n    It is an actuarial problem that can and should be addressed \nto not only protect the future of Americans, but also, as \ndisparity grows in this great country of ours, the one thing \nthat every single person in this Nation can count on is that \nSocial Security has never missed a payment. We have an \nobligation on this Committee, and as Members of Congress, to \nmake sure that the integrity of the program and also its \nviability goes beyond the 75-year requirement that we are sworn \nto serve.\n    And with that, Mr. 
Chairman, I yield back and look forward \nto the questions and what we are--look forward to asking \nquestions, and look forward to hearing from our distinguished \npanel.\n    Chairman JOHNSON. Well, thank you for your comments. As is \ncustomary, any Member is welcome to submit a statement for the \nrecord.\n    And before we move on to testimony, I want to remind our \nwitnesses to please limit your oral statements to five minutes. \nHowever, without objection, all of the written testimony will \nbe made a part of the hearing record.\n    We have seven witnesses today. Seated at the table are \nNancy Berryhill, acting commissioner of Social Security \nAdministration; Elizabeth Curda, director, education, \nworkforce, and income security for Government Accountability \nOffice; Samuel Lester, consumer privacy counsel, Electronic \nPrivacy Information Center; Paul Rosenzweig--and that is not \nright--Paul----\n    Mr. ROSENZWEIG. It is Rosenzweig, sir, but----\n    Mr. JOHNSON. Rosenzweig?\n    Mr. ROSENZWEIG. Yes, sir.\n    Mr. JOHNSON. Thank you. Senior fellow, R Street \nInstitution. Steve Grobman, senior vice president and chief \ntechnology officer, McAfee; Jeremy Grant, coordinator, Better \nIdentity Coalition; James Lewis, senior vice president, \ntechnology policy program, Center for Strategic and \nInternational Studies.\n    Acting Commissioner Berryhill, please begin your testimony.\n\n   STATEMENT OF NANCY BERRYHILL, ACTING COMMISSIONER, SOCIAL \n                    SECURITY ADMINISTRATION\n\n    Ms. BERRYHILL. Chairman Johnson, Ranking Member Larson, and \nMembers of the Subcommittee, thank you for inviting me to \ndiscuss identity theft and the future of the Social Security \nnumber. I am Nancy Berryhill, Social Security's acting \ncommissioner.\n    The scope of our programs is enormous. We pay monthly \nbenefits to over 62 million Social Security beneficiaries and 8 \nmillion supplemental security income recipients. 
During fiscal \nyear 2017 we paid about $934 billion to Social Security \nbeneficiaries, and $55 billion to SSI recipients. In addition, \nwe posted 279 million earning items to workers' records last \nyear.\n    The SSN underpins the programs we administer. We designated \nthis 9-digit number in 1936 to allow employers to accurately \nreport earnings and determine eligibility for benefits. To date \nwe have issued around 505 million unique numbers to eligible \nindividuals.\n    Although we created the Social Security number for our \nprograms, it has become a personal identifier used most broadly \nacross government and the private sector. For example, in 1943 \nthe executive order required federal agencies to use the SSN. \nAdvances in computer technology and data processing in the \n1960s further increased the use of the number within federal \nagencies.\n    For example, in 1961 the Federal Civil Service Commission \nbegan using the SSN as identification number for all federal \nemployees. The next year the IRS began using the number as a \ntaxpayer identification number. Beginning in the 1970s, \nCongress enacted legislation requiring the number for a variety \nof federal programs. Over the decades use of the SSN grew, not \njust in Federal Government, but throughout the state and local \ngovernment, banks, credit bureaus, hospitals, and other parts \nof the private sector.\n    As use of the SSN has increased, so have the opportunities \nfor misuse. We and Congress have made changes to try to protect \nthe integrity of the number, including strengthening the \nsecurity of the SSN card, and requiring additional proofs to \nissue them; establishing programs and ensure accurate and \ntimely of the SSN (sic), such as enumeration at birth, program \nthat assigns SSNs to newborns, and verifying SSNs for \nfederally-funded programs, employment eligibility, and other \nprograms.\n    Unfortunately, SSN misuse and identity theft continues to \nincrease. 
We understand the distress and economic hardship \nvictims of identity theft face. We advise suspected victims on \nhow to contact the Federal Trade Commission and law \nenforcement, and we refer cases of misuse to our office of \ninspector general for investigation. In certain circumstances \nwe assign a new number to a victim of SSN misuse who has been \ndisadvantaged due to misuse of the number.\n    It is important to note that assigning a new number is \noften a last resort, because it can cause more problems than it \nsolves. For example, the absence of a credit history under a \nnew number makes it more difficult to obtain credit to buy a \nhouse or a car. Nevertheless, in recognition of devastating \neffects identity theft can have, we continue to refine our \npolicies in this area. Our goal is to serve the needs of the \nvictims.\n    Over the years we have added flexibilities to our policies \nwhere needed, and we encourage front-line employees to \ncoordinate with experts in our regional offices. We will \ncontinue to do what we can to mitigate the effects of SSN \nmisuse.\n    We--but we cannot alone solve the problem that over-\nreliance of the SSN has caused. As long as the SSN remains key \nto assessing things of value, particularly credit, the SSN \nitself will have commercial value, and it will continue to be \ntargeted by fraudsters for misuse.\n    Identity theft is a broad public policy issue that must be \naddressed. I applaud the chairman and the Subcommittee for \ntheir efforts to protect the SSN, including mandating the \nremoval of the SSN from the Medicare cards and documents mailed \nby federal agencies. These bills are an important step.\n    However, addressing identity theft requires a unified \neffort that includes this Subcommittee and Congress, the \nAdministration, public and private experts throughout the \ncountry.\n    Our chief information officer, who is sitting behind me, \nRajive Mathur, is here with me today. 
He and I look forward to \nhearing the ideas raised during today's hearing.\n    Thank you, and I will be happy to answer any questions that \nyou may have. Thank you.\n    Chairman JOHNSON. I appreciate your testimony.\n    [The prepared statement of Ms. Berryhill follows:]\n    \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    \n    \n    Chairman JOHNSON. Ms. Curda, welcome again. Please proceed.\n\n STATEMENT OF ELIZABETH CURDA, DIRECTOR, EDUCATION, WORKFORCE, \n     AND INCOME SECURITY, GOVERNMENT ACCOUNTABILITY OFFICE\n\n    Ms. CURDA. Chairman Johnson, Ranking Member Larson, and \nMembers of the Subcommittee, thank you for inviting me here to \ndiscuss GAO's observations on the extent to which the paper \nSocial Security card is currently used, and what it costs to \nproduce.\n    SSA has issued about 500 million Social Security numbers \nand cards since the Social Security program began in 1935. \nOriginally, the SSN was not intended to serve as a personal \nidentifier outside of SSA's programs. But due to its \nuniversality and uniqueness, government agencies and private-\nsector entities increasingly use the SSN as a convenient means \nof identifying people.\n    However, as everyday transactions are increasingly \nconducted electronically, it raises questions about whether a \npaper card is still needed or desirable to communicate or \nverify a person's SSN.\n    Today I will first discuss whether there are any federal \nrequirements to present a Social Security card. Second, I will \ndiscuss common situations in which other public or private-\nsector stakeholders may ask to see the card to conduct \nbusiness. And finally, I will discuss stakeholder views about \nthe potential implications of eliminating the cards, including \npotential cost savings.\n    Although there are many federal requirements to provide an \nSSN, we found no statutory requirements and only two regulatory \nrequirements to show a card. 
Both requirements were to verify \nan individual's SSN under certain narrow circumstances such as \nfor uniformed service members seeking to change their SSNs.\n    To identify requirements or customary uses of the cards \noutside of the Federal Government we spoke to a variety of \nassociations representing human resource managers, the finance \nsector, higher education institutions, and state agencies. The \nstakeholders we spoke with described a variety of instances in \nwhich individuals may present a card among other acceptable \nforms of documentation in order to verify their identity or \ntheir SSN.\n    For employment, all U.S. employers must verify and document \na newly-hired employee's employment eligibility. Although the \nSocial Security card is the most commonly used document for \nthis purpose, the card is one of several acceptable documents \nthat employees may present to prove they are eligible to work \nin the United States. Other examples of acceptable documents \ninclude a U.S. passport or permanent residence card, among \nothers.\n    A common reason employers may ask to see a card is to \nverify the accuracy of the employee's SSN because employers can \nbe fined for submitting inaccurate W-2 forms, for example.\n    The card is also commonly used to apply for a driver's \nlicense under the Real ID Act of 2005. The card is one of \nseveral options for documents that an applicant must provide to \nverify their identity.\n    The card may also be used as documentation when setting up \nfinancial accounts or to resolve SSN discrepancies when \nprocessing educational loans. However, providing the card is \nnot required.\n    SSA and the stakeholders we interviewed also provided their \nperspectives on the implications of eliminating the card. One \nadvantage of showing the card is to ensure the accuracy of the \nSSN, instead of relying on someone's memory. 
A disadvantage \nstakeholders cited included that the card alone is not \nsufficient to ensure the identity of the card holder, so other \nforms of identification are usually needed.\n    However, most of the stakeholders we interviewed indicated \nthat their processes would not change significantly if the card \nwere eliminated. They would continue to collect SSNs, as \nrequired, but would use other documents for identification or \nverification purposes, or electronically verify the SSN with \nSSA.\n    SSA officials also provided their perspective that \neliminating the card may result in limited cost savings, if \nany. In 2016, SSA estimated that the cost to produce a card \nranged from $6 for a replacement card requested online to $34 \nfor a card requested in person at a field office. These \nestimates include staff time, technology, paper, printing, \npostage, and overhead. If the card were eliminated, only some \nof these costs would be saved because of the labor and other \ncosts still needed to generate new SSNs.\n    A conservative estimate of the savings based on the \nprinting, paper, and mailing costs accounts for only $.60 of \nthe cost of the card. SSA officials stated that the agency \nspent about $8 million in fiscal year 2016 on paper, printing, \nand delivery of the cards. However, implementing a new system \nto replace the card could offset these savings.\n    Other implications of a cardless electronic system, \nstakeholders cited, included security and control over personal \ninformation and potential barriers for people with limited \naccess to technology.\n    This concludes my prepared statement, and I would be happy \nto answer the Committee's questions.\n    Chairman JOHNSON. Thank you. I appreciate your testimony.\n    [The prepared statement of Ms. Curda follows:]\n    \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    \n    \n    Chairman JOHNSON. Mr. Lester, welcome. 
Please go ahead.\n\n     STATEMENT OF SAMUEL LESTER, CONSUMER PRIVACY COUNSEL, \n             ELECTRONIC PRIVACY INFORMATION CENTER\n\n    Mr. LESTER. Chairman Johnson, Ranking Member Larson, \nMembers of the Subcommittee, thank you for the opportunity to \ntestify today. My name is Sam Lester. I am the consumer privacy \ncounsel at the Electronic Privacy Information Center. EPIC is \nan independent, non-profit research organization here in \nWashington, D.C. established in 1994 to focus public attention \non emerging privacy and civil liberties issues.\n    I appreciate your interest in this critical topic. I cannot \noverstate the urgency that we update our privacy laws. There is \nno other form of personal information that poses a greater \nthreat to privacy than the Social Security number. The recent \nEquifax breach exposed the Social Security numbers of over half \nof the U.S. adult population.\n    The SSN was never meant to be an all-purpose identifier in \nthe private sector. When it was first introduced in 1936 it was \nto be used only for the administration of Social Security \ntaxes. The fact that it is now so pervasive as both an \nidentifier and authenticator, a user name and a password, has \nundoubtedly contributed to the alarming rise in data breaches, \nidentity theft, and financial fraud.\n    SSNs are the keys to the kingdom for identity thieves. A \ncriminal in possession of your SSN can file fraudulent taxes in \nyour name, open new accounts in your name, take out lines of \ncredit, and many other forms of fraud.\n    If you are about to buy a home, for instance, you could \nexperience your worst nightmare when a lender pulls your credit \nand sees that your FICA score is too low to qualify for a loan \nbecause someone has fraudulently run up debt in your name. For \nsomeone who has experienced new account fraud, it can take \nyears to recover, financially.\n    In 2017 identity theft impacted almost 17 million \nconsumers. 
More importantly, consumers cannot protect \nthemselves from the misuse of the SSN. As others have stressed, \nthe Social Security Administration will only replace your SSN \nin the most extreme circumstances.\n    And furthermore, the credit reporting industry makes it \neven more difficult for consumers. A credit freeze is \nburdensome and costly, and credit monitoring and fraud alert \nservices do not adequately protect consumers. The CEO of \nLifeLock had his identity stolen 13 times after he displayed \nhis real Social Security number in a commercial that was \nsupposed to demonstrate how effective his product was at \npreventing identity theft.\n    There have been recent efforts to limit the use of the SSN, \nbut much more needs to be done. For example, in 2017 Medicare \nfinally announced it would remove SSNs from cards, the result \nof an effort led by Chairman Johnson and Representative Doggett \nof this Committee.\n    Also, a number of states have taken steps in the right \ndirection. For instance, Alaska now prohibits the use of SSNs \nby both private companies and the government without explicit \nlegal authorization. This would be a good model for federal \nlegislation, and also shows why federal law should not prevent \nstates from enacting their own safeguards.\n    To limit the devastating financial harm caused by the \nmisuse of the SSN, Congress should take the following measures.\n    Firstly, the SSN should be prohibited in the private sector \nwithout explicit legal authorization, and companies should be \nprohibited from compelling consumers to disclose their SSN as a \ncondition of sale or service unless authorized by law.\n    Secondly, Congress should promote the development of \ncontext-specific identifiers. For example, if you are going to \ndo banking, you have a bank account number. If you are \nobtaining a driver's license, you have a driver's license \nnumber. 
The advantage of these context-specific identifiers is \nthat if one number gets compromised, an identity thief does not \nhave access to all your accounts.\n    Finally, Congress must not replace the SSN with a national \nbiometric identifier. This would be a very bad idea. This \napproach would pose serious privacy and security risks. In the \nmassive breach of the Office of Personnel Management in 2015, \nforeign hackers targeted digitized fingerprints stored in \nfederal databases. These risks would only be compounded if the \nU.S. were to move towards a national biometric identifier.\n    Thank you for the opportunity to testify today, and I will \nbe happy to answer your questions.\n    Chairman JOHNSON. Thank you, sir. I appreciate your \ntestimony, as well.\n    [The prepared statement of Mr. Johnson follows:]\n    \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    \n    \n    Chairman JOHNSON. Mr. Rosenzweig.\n    Mr. ROSENZWEIG. Thank you very much.\n    Chairman JOHNSON. Is that the right pronunciation?\n    Mr. ROSENZWEIG. Rosenzweig, but----\n    Chairman JOHNSON. Weig, okay.\n    Mr. ROSENZWEIG. Thank you very much.\n    Chairman JOHNSON. Pardon me. Well, please proceed.\n\nSTATEMENT OF PAUL ROSENZWEIG, SENIOR FELLOW, R STREET INSTITUTE\n\n    Mr. ROSENZWEIG. Thank you very much, Chairman Johnson, \nRanking Member Larson, Members of the Subcommittee. I too am \npleased to be able to speak with you today about the future of \nthe Social Security number.\n    The Social Security number has a long history of utility as \nan identifier. I don't think that is the problem. The use of it \nas an identifier is no different than the use of my phone \nnumber as an identifier or the use of my name as an identifier. 
\nThe problem is that the Social Security number has mutated in \nits use, so it is now also an authenticator of my identity.\n    Authenticators are classically only useful if they involve \nsomething that you know exclusively, something you have, or \nsomething you are, and they are kept confidential. Today Social \nSecurity numbers are so deeply compromised and so widely \navailable in public--albeit often through criminal means--that \nthey can no longer be used as an authenticator. This is because \nrecent incidents like the Equifax breach that we have already \nspoken of, and whose anniversary occurs this week, have \neffectively disclosed the vast majority of previously \nconfidential Social Security numbers. My own Social Security \nnumber, to my knowledge, has been breached at least three times \nin the past four years. So I feel this quite personally.\n    As a result, in my view, any enterprise that continues to \nuse a Social Security number as an authenticator is engaging in \nborderline privacy and security malpractice. Yet some do. Just \nthe other day I was shocked that a bar renewal membership used \nmy--the last four of my Social Security as a way of \nauthenticating my identity. And this was a governmental use.\n    So what should we do about that? What should we do in \nresponse to the problem? In my judgement, Congress has three \nlogical options.\n    The first is to, as Mr. Lester has just suggested, regulate \nor outlaw Social Security numbers. That is a plausible \nsolution, but one that I respectfully think is not appropriate. 
\nThat comes with all the usual disadvantages of government \nintervention: regulatory gridlock, administrative costs, \nenforcement mechanisms that are necessary, along with \nprocedural safeguards, as well.\n    In short, I think a regulatory response will come with a \ngreat deal of expense and be a relatively slow result, perhaps \neven no quicker than the next solution, which is to do nothing.\n    In a lot of ways, the market is addressing this problem. \nThe disutility of SSNs as an authenticator has become widely \nknown and is increasingly on the decline (sic). Eventually, the \nmarket will take care of the problem. The problem with that \nanswer, of course, is that before it does, a great number of \nAmericans will suffer from data breach and identity theft. So I \nthink that is a second-best solution.\n    The best solution, in my judgement--and one of the joys of \nbeing in a think tank is your ability to think creatively about \nproblems and think outside the box--is to eliminate the utility \nof the Social Security number as an authenticator. Make it \nimpossible, in practice, for anyone to continue to use it in \nthis way.\n    One simple and quite elegant solution that I offer both as \na thought experiment and also as a possible practical solution \nis to simply publish a phone book with every citizen's Social \nSecurity number in it. In other words, by publishing it \npublicly, we would make it impossible for any enterprise to \ncontinue to legitimately use it as an authenticator of \nidentity. To continue to do so after that and after a suitable \ntransition time would, in my judgement, be per se negligence of \nthe sort that ought to involve liability for the enterprise.\n    One final point that I would make. Congress needs to look \nto its own house. Repeatedly in law we have mandated the \ncollection of Social Security numbers as identifiers, and \nsometimes continued to use them as authenticators, as my \ncolleague has already testified to. 
At a minimum, I think it is \nincumbent upon Congress to review government's use of the \nSocial Security number and its processes, if only so that by \ncleaning up our own house we can speak to the private sector \nwith authority.\n    I thank you for the opportunity to testify before you, and \nI look forward to the chance to answer questions.\n    Chairman JOHNSON. Thank you, sir. I appreciate your \ntestimony.\n    [The prepared statement of Mr. Rosenzweig follows:]\n    \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    \n    \n    Chairman JOHNSON. Mr. Grobman, you are recognized.\n\n  STATEMENT OF STEVE GROBMAN, SENIOR VICE PRESIDENT AND CHIEF \n                TECHNOLOGY OFFICER, MCAFEE, LLC\n\n    Mr. GROBMAN. All right, good morning, Chairman Johnson, \nRanking Member Larson, and Members of the Subcommittee. It is a \nproud honor to testify today. And Chairman Johnson, it is an \nhonor to work in your district. McAfee actually has its largest \nU.S. location in Plano, Texas. So it is an honor to testify \ntoday.\n    As McAfee's senior vice president and CTO I set our \ntechnical strategy to protect connected computing worldwide for \nboth consumers and business architectures. I have worked in the \nfield of cyber security for 2 decades, and have 24 U.S. and \ninternational patents in the fields of security, software, and \ncomputer architecture.\n    McAfee is one of the world's leading independent cyber \nsecurity companies providing solutions for both business and \nconsumers.\n    The nine-digit Social Security number first appeared as an \nidentifier in 1936, but has since become the de facto national \nidentifier and federal credential, uses for which it was never \nintended. 
Simply knowing a Social Security number has become \naccepted as a mechanism to impersonate an individual, and the \nSocial Security number has become the premier target for cyber \ncriminals.\n    Social Security numbers are sold in bulk in the black \nmarket for as little as $1 each. And once stolen, a Social \nSecurity number cannot easily be reissued or replaced. Last \nyear's Equifax breach resulting in 145 million U.S.-based users \nhaving their personal information compromised reminds us that \nthe U.S. needs to modernize its national identification \nstandard.\n    There are three elements that need to be discussed when we \ntransition to a next-generation personal identifier: identity, \nauthentication, and authorization. In our current model Social \nSecurity numbers play a role in all three. Identity is an \nidentifier that can be public. It is like an individual's \nTwitter handle; it identifies an individual, but simply knowing \nthe handle doesn't enable someone to impersonate the account \nholder.\n    Whereas, authentication is the process of proving that you \nare a specific identity, and generally relies on one of three \ntypes of factors: either something you know, like a password; \nsomething you have, like a smart card; or something you are, \nsuch as a biometric. An authorization is granting a specific \ncapability or benefit to a specific entity. All three parts \nneed to be in scope for a next generation system.\n    We have all the technology pieces to move towards a high-\nquality, high-security, well-thought-out, next-generation \nidentity management system based on strong authentication. What \nis more difficult is understanding the requirements that will \nbe acceptable for both government and the citizens.\n    We need to ask questions such as is this a solution \nexclusively for government-related services? How can a system \nbe inclusive to all citizens, regardless of wealth or access to \nadvanced technologies? 
Does a government biometrics database \ncreate unacceptable privacy issues? How will recovery \nmechanisms work when technology assets are lost or stolen? What \nare the cost constraints, funding options, and timelines for \nimplementing and maintaining a solution into the next \ngeneration, and how long does the underlying cryptography need \nto last?\n    This last question is interesting, in that we are on the \nverge of quantum computing becoming a viable reality. Quantum \ncomputing is well suited to break the underlying cryptography \nthat protects the world's data. Specifically, RSA, but public \nkey algorithm which is the heart of most protection and \nidentity solutions. A next-generation architecture must \ncomprehend the quantum computing world we will likely face in \nthe next few decades.\n    We need to look at what technology options are available, \nand I have been asked whether things such as blockchain could \nbe useful. I do not recommend it. While a powerful technology \nproviding properties such as decentralized trust, blockchain \nalso brings scalability, complexity, and its own security \nchallenges. In the case of our next-generation system, we do \nhave a trusted central authority: the U.S. Government. We need \nto focus on the problem that we are trying to solve, and the \none thing that we must do is not use the current system that we \nhave.\n    A few quick recommendations: We need an identity management \nexecutive order that outlaws the use of Social Security numbers \nas authenticators; We need to push federal agencies to act as \nvalidators of identity and mandate all federal e-government \nservices require the use of strong authentication; We need to \nlet innovation flourish. NIST and the private sector can work \ntogether on this. And we need to move faster in implementing \nquantum-safe algorithms to protect both data protection and \nidentity solutions.\n    It is an honor to testify to this Subcommittee. 
I \nappreciate your interest in considering my recommendations, and \nlook forward to answering your questions.\n    Chairman JOHNSON. Thank you for coming all the way from \nPlano.\n    Mr. GROBMAN. You bet.\n    [The prepared statement of Mr. Grobman follows:]\n    \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    \n    \n    Chairman JOHNSON. Mr. Grant, welcome. Please go ahead.\n\n  STATEMENT OF JEREMY A. GRANT, COORDINATOR, BETTER IDENTITY \n                           COALITION\n\n    Mr. GRANT. Thank you. Good morning, Chairman Johnson, \nRanking Member Larson, Members of the Committee. Thank you for \nthe opportunity to discuss the future of the Social Security \nnumber with you today.\n    I am here on behalf of the Better Identity Coalition, an \norganization launched earlier this year focused on bringing \ntogether leading firms from different sectors to develop a set \nof consensus, cross-sector policy recommendations that promote \nthe adoption of better solutions for identification and \nauthentication.\n    The Coalition's founding members include recognized leaders \nfrom diverse sectors of the economy, including financial \nservices, health care and technology, telecommunications, fin \ntech, payments, and security. Our members are united by a \ncommon recognition that the way we handle identity today in the \nU.S. is broken, and by a common desire to see both the public \nand private sectors each take steps to make identity work \nbetter.\n    As background I have worked for more than 20 years at the \nintersection of identity and cyber security. In 2011 I was \nselected to lead the National Strategy for Trusted Identities \nin Cyber Space, which was a White House initiative focused on \nimproving security, privacy, choice, and innovation through \nbetter approaches to digital identity. 
In that role I also led \nthe identity team up at NIST.\n    I left government three years ago, and now lead the \ntechnology business strategy practice at Venable, a law firm \nhere in town with the country's leading privacy and cyber \nsecurity practice. And in that role I serve as the coordinator \nof the Better Identity Coalition.\n    Let me say I am grateful to the Committee for calling this \nhearing today. The SSN is a key component of our identity \ninfrastructure, and the future of this number impacts every \nAmerican. Up front, I would submit that many of our challenges \nhere are linked to more than 80 years of contradictions in \npolicy around how this number should be managed and used.\n    Among the biggest contradictions, the SSN is simultaneously \npresumed to be both secret and public: secret, because we tell \nindividuals to guard their SSN closely; public, because we have \nmultiple laws that require individuals to give it out to \nfacilitate all sorts of interactions with industry and \ngovernment; secret, because we then tell those entities to \nensure that, if they store it, which the law often requires \nthem to do, that it be protected; and public, because that has \nproven quite hard to do, to the point that the majority of \nAmericans' SSNs have been compromised multiple times over the \nlast several years, amidst a wave of data breaches.\n    Now, these contradictions are not the result of anything \nmalicious. On the contrary, they reflect years of trying to \nbalance several important roles played by the SSN and the \nSocial Security Administration. 
What is most important now is \nthat the government, one, recognizes these contradictions and, \ntwo, takes steps to put policies in place that are more \nconsistent, and that put us on a path towards a system that \nenhances security, privacy, and convenience for Americans.\n    I believe there are five areas where change is needed.\n    Firstly, when talking about the future of the SSN and \nwhether it needs to be replaced, it is essential, as Chairman \nJohnson noted and many members of the panel have noted, to \nunderstand the difference between the number's role as an \nidentifier, which is a number used to sort out which Jeremy \nGrant I am among the hundreds in the U.S., and its use as an \nauthenticator, which is something that can prove I am actually \nthis Jeremy Grant.\n    SSNs should no longer be used as authenticators. That \nmeans, as a country, we stop pretending this number is a \nsecret, or that knowledge of an SSN can be used to prove that \nsomeone is who they claim to be.\n    Secondly, just because SSNs should no longer be used as \nauthenticators does not mean that we need to replace them with \nsome sort of new SSA-issued identifier. I have yet to see any \nproposal here that does not involve spending billions of \ndollars and confusing hundreds of millions of Americans with \nvery little security benefit.\n    Rather than create a new identifier, our focus ought to be \non crafting better authentication solutions that are not \ndependent on the Social Security number and are resilient \nagainst modern vectors of attack.\n    Thirdly, on the authentication topic, there is good news. \nMulti-stakeholder efforts like the FIDO Alliance and the World \nWide Web Consortium have developed standards for next-\ngeneration authentication that are now being embedded in most \ndevices, operating systems, and browsers in a way that enhances \nsecurity privacy and the user experience. 
The government can \nplay a role in accelerating the pace of adoption.\n    Fourthly, even if we assume the SSN is publicly known, that \ndoes not mean it needs to be used everywhere. Many of the \nmembers of the Better Identity Coalition would love to reduce \nwhere they use the SSN, due to the risks that it presents to \nthem, relative to other identifiers. However, they are running \nup against laws and regulations that require them to collect \nand retain the SSN.\n    Finally, we need to focus not just on the SSN, but also the \nfuture of the Social Security Administration. The issue here \ngoes beyond the future use of a nine-digit number to encompass \na broader topic: What role should the government play in the \nfuture of the identity ecosystem?\n    Now, while identity may not be a part of the SSA's mission \nstatement, there is no question that in 2018 the SSA is in the \nidentity business. It is time to acknowledge that fact and then \ntake a step back to contemplate what that means.\n    Having agencies like SSA accept their role here may be the \nmost impactful thing that the government can do to help solve \nour identity challenges. Specifically, like allowing consumers \nto start asking agencies that have their personal information \nto vouch for them to parties they seek to do business with.\n    The SSA and state departments of motor vehicles have the \nmost to offer here, and this concept was embraced in the 2016 \nreport from the Bipartisan Commission on Enhancing National \nCyber Security. The Federal Government should work to, one, \ndevelop a framework of standards and rules to make sure this is \ndone in a secure, privacy-protecting way; and second, fund work \nto get it started.\n    I appreciate the opportunity to testify today and look \nforward to answering your questions.\n    Chairman JOHNSON. Thank you, sir.\n    [The prepared statement of Mr. 
Grant follows:]\n    \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    \n    \n    Chairman JOHNSON. Mr. Lewis, welcome. Thank you for being \nhere. Please proceed.\n\n  STATEMENT OF JAMES LEWIS, SENIOR VICE PRESIDENT, TECHNOLOGY \n POLICY PROGRAM, CENTER FOR STRATEGIC AND INTERNATIONAL STUDIES\n\n    Mr. LEWIS. Thank you, Mr. Chairman and Ranking Member \nLarson. I thank the Committee for the opportunity to testify.\n    One of the leading scientists of the 20th century said that \nan expert is an individual who has made all possible errors in a \nparticular field. And I think that qualifies me as an expert in \nthis issue, since I have been involved in programs like this \nsince 1992, none of which have worked.\n    So let's give it a try.\n    We have all heard how the SSN is the key identifier. It is \nunique to each individual. It is issued by a trusted source. \nAnd most importantly, it links to different databases. So your \nSSN can link to your bank, your tax account, your driver's \nlicense. It is irreplaceable.\n    It is invaluable for business. But as we have heard, it is \nalso invaluable for crime. One estimate is that somewhere \nbetween 60 and 80 percent of all Social Security numbers have \nbeen stolen. Another estimate puts the cost of stolen Social \nSecurity numbers at $16 billion annually. I think the Committee \nis on the right track here by looking at ways to modernize and \nstrengthen the SSN, the Social Security number, because this \nwill provide real benefits and reduce crime.\n    Our goal should be to provide the same level of service and \nsecurity that citizens expect from the private sector, or that \ncitizens enjoy in other developed economies.\n    There are several options for modernizing the SSN. These \ninclude federated authentication of identity, public \nencryption, blockchain, and smart cards. 
Some of these have \nbeen tried in the past, but they faced problems of complexity, \ncost, and they raise privacy concerns.\n    Simply publishing the SSN, as you heard, is a--is the least \nexpensive option, but it doesn't fix all the problems we face.\n    An easy first step would be to replace the Social Security \ncard with a smart card, a plastic card with an embedded chip, \nlike the credit cards that most of us carry. Millions of \ncommercial transactions are carried out with these cards every \nday. Most people are familiar with them, which would ease the \nburden of both acceptance and transition.\n    A smart card provides a foundation for a secure Social \nSecurity number. When your credit card is stolen, your \nfinancial institution cancels the old one and issues you a new \nnumber. You are still linked to your account, you are still \nresponsible for any legitimate charges, but you are not linked \nto the old number. And a similar approach might help us in \nthinking about how to streamline, modernize, and make the \nSocial Security number more secure.\n    Social Security Administration could use a similar \napproach. It could administer a smart card approach, or it \ncould contract it out to the private sector, a solution that \nother countries have used. Further debate is required, and I \nthink we all recognize that, to decide which modernization \noption is best and, equally important, how we will pay for it, \nbecause there is no free replacement for the SSN.\n    Blockchain technology may offer an option for a modernized \nSSN, but it is not ready, as you have heard. It is not yet \nmature.\n    The best argument for smart cards is that we already use \nthem on a massive scale. Companies and citizens are familiar \nwith them. Implementation, of course, would be difficult. Any \nchange for so venerable an institution is going to be \ndifficult. 
But we have the advantage of knowing the technology \nand processes already work because of our experience with \ncredit cards and banks.\n    Thank you for the opportunity to testify. I look forward to \nyour questions.\n    [The prepared statement of Mr. Lewis follows:]\n    \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    \n    \n\n    Chairman JOHNSON. Thank you, sir. I appreciate that. We \nwill now look to questions.\n    As is customary, for each round of questions I will limit \nmy time to five minutes, and I ask my colleagues to also limit \ntheir questioning time to five minutes, as well.\n    Acting Commissioner Berryhill, the alarming story about the \nchild in Arizona raises many questions about how Social \nSecurity treats identity theft victims. Are you taking a close \nlook at how you handle requests for new Social Security \nnumbers?\n    Ms. BERRYHILL. Mr. Chairman, I am very aware of the case \nthat you are referencing in Arizona, and thank you for bringing \nthat to our attention. We have worked very hard with our staff \nto issue clarification policies to all of our front-line \nemployees. We have also held national calls with all managers, \narea directors, and we also decided that we would have regional \nexperts available to the front-line employees at the time, when \nthe time comes, where they have a complex case. In this \nsituation, we would consider that a complex case.\n    So having those regional experts that are well-trained on \nenumeration, on replacement cards, on new--issuing new SSNs I \nthink will help. So we took that immediate action, and all \nthose actions have been accomplished.\n    Chairman JOHNSON. Well, with more than 1,200 field offices, \nwhat are you doing to make sure that your policies are being \nfollowed?\n    Ms. BERRYHILL. 
That is why we held national calls with all \nof our managers and our area directors that have oversight to \nour managers, and we will continue to do checks and balances to \nmake sure that those policies are followed.\n    I really believe having a regional expert there so the \nfront line employees can consult if they have questions is \nreally going to be a key change for SSA.\n    Chairman JOHNSON. You know, I was shocked to learn that \nSocial Security employees' voicemails tell callers to record \ntheir Social Security number with their name and phone number \nto get a return call. How is that a good practice, given all \nthe concerns with identity theft and phone scams?\n    Ms. BERRYHILL. I certainly understand that, and I am aware \nof that situations that we have (sic).\n    We do use the Social Security number to look up our \nrecords. Certainly, if an individual is not comfortable leaving \ntheir Social Security number, they should not do that. However, \nit does expedite the transaction when they call us back. We can \ncertainly, in the front line, pull up someone's record, have \nthat available so when we return that call we can quickly go \nthrough the process with them and answer any questions.\n    But again, if someone is uncomfortable, they should not \nleave their Social Security number.\n    Chairman JOHNSON. Okay. Well, maybe we ought to take \nanother look at that.\n    Mr. Grobman, this panel has talked about some big ideas \ntoday. What do you think?\n    Mr. GROBMAN. I think the----\n    Chairman JOHNSON. Is now the time to take action?\n    Mr. GROBMAN. Absolutely. I think the one thing that we \nheard universally across this panel is using Social Security \nnumbers as authenticators is something that needs to be \naddressed as the most time-critical element of the issue.\n    There are clearly other issues on the fringe of Social \nSecurity number as an identifier. 
But from a magnitude \nperspective, looking to remove Social Security knowledge as an \nauthenticator is something that we must act on immediately, and \ninvest whatever it takes in order to make that a practical \nreality.\n    Chairman JOHNSON. Yes, we have been trying to do that for \n20 years.\n    Mr. Larson, you are recognized.\n    Mr. LARSON. Thank you, Mr. Chairman. I want to thank the \npanelists. It is--we have an awful lot of hearings, but it is \nalways refreshing when you actually have panelists who give you \nsome solutions, as well.\n    Acting Secretary Berryhill, first of all, let me commend \nyou for your service.\n    Let me also acknowledge that there is no one who has been \nworking harder to make sure that we have a permanent chair of--\nthe Secretary of Social Security than the chairman himself. And \nwe have--support him in those efforts, and hope that the \nadministration will act soon, but want to thank you for your \nservice.\n    I think there is unanimity on the Committee with respect to \nauthentification (sic). How would you go about implementing \nthat? And what is the cost of that?\n    Ms. BERRYHILL. So certainly, any ideas--I think there has \nbeen some great ideas listed by the panel Members today--we \nwill take all of them and review them and cost them out. \nCertainly not something I could address today. Lots of ideas \nare good, but then you have to look at the price tag that is \nattached to them.\n    So again, we will go back and take a look at any ideas that \nthe Committee would like us to look at.\n    Mr. LARSON. Any idea on that price, Mr. Grobman?\n    Mr. GROBMAN. I think one thing that we need to recognize \nwhen we look at the price is the price of not taking action.\n    So if you look at the cost related to fraud or misuse of \nSocial Security numbers as authenticators, my opinion is that \nis a staggering figure that needs to be comprehended when \nlooked at the cost of implementing a new plan.\n    Mr. 
LARSON. Mr. Lester, you had the--a number of solutions. \nBut one of the things that you emphasized is that you--we make \nsure that we steer clear of any biometric solution. Would you \nexplain why?\n    Mr. LESTER. When Congress passed the Privacy Act in 1974, \nthey were explicitly responding to and rejecting calls for a \nnational identification system. There are national \nidentification systems that rely on biometrics in other \ncountries that raise really grave civil liberties and privacy \nconcerns.\n    For example, in India their new biometric system--AADHAR, I \nthink--was recently breached, compromising the biometric data \non its 1.2 billion citizens. I think that any problems with a \nbiometric system are demonstrated by the recent breach of the \nOPM.\n    Mr. LARSON. Would all the panelists agree that that is a \nreasonable concern?\n    Mr. GROBMAN. I think it very much depends on the problem \nthat you are trying to solve. In India, part of what they were \ntrying to solve was there was no starting point, and they \nneeded to ensure that an individual only registered a single \ntime for benefits. So, by using biometrics, it prevented an \nindividual from registering in one town and then walking down \nthe road to another town and registering again.\n    So, in that case, biometrics was a practical technology in \norder to solve that specific problem. I don't believe we have \nthat problem at scale in the U.S. And therefore, I think the \npoints are well taken that we should look for other, less \nprivacy-intrusive mechanisms as a first step. And as Mr. Lewis \nmentioned, things such as smart cards can be a much more rapid \npractical option that could be distributed without requiring \nevery citizen to have biometrics----\n    Mr. LARSON. Is there consensus amongst the panel with \nrespect to smart cards?\n    Mr. Rosenzweig.\n    Mr. ROSENZWEIG. I--Rosenzweig. I think it is a good interim \nsolution. 
But to be honest, you know, the smart card security \nsystem is not itself terribly robust. We have all experienced \ncredit card fraud, as well, that is a result of a lot of that.\n    On the issue of biometrics, I think it really is the \ndifference between a centralized database and a distributed \ndatabase. Biometrics, as a localized identifier, is actually \nsomething that the--President Obama's White House supported as \na substitute for passwords because they are more readily usable \nby most citizens than the password system.\n    So I wouldn't write with such a broad brush----\n    Mr. LARSON. You also objected to one of Mr. Lester's \nsolutions. Could you explain why? And hopefully Mr. Lester will \nget a chance to reply.\n    Mr. ROSENZWEIG. Well, I don't so much object. Regulation is \nclearly one of the normal tools in our toolkit here in \nWashington, alongside taxation----\n    Mr. LARSON. Is it regulation or the efficiency of the \nability to regulate?\n    Mr. ROSENZWEIG. Well, we all live in Washington. I am not a \nfan of our efficiency in the regulatory system. To take just--\nto be brief about it, we have already acknowledged that it \nwould have to exclude legal uses----\n    Mr. LARSON. City of northern charm and southern efficiency?\n    Mr. ROSENZWEIG. Indeed.\n    Mr. LARSON. No disrespect to anyone from the South, but----\n    Mr. ROSENZWEIG. I think it would cost us quite a bit and \ntake far too long.\n    Chairman JOHNSON. The gentleman's time has expired.\n    Mr. Kelly, you are recognized.\n    Mr. KELLY. I thank you, Chairman, and thank you all for \nbeing here today.\n    Mr. Rosenzweig, I had a coach in high school had the same \nname, we just called him Rosie. So maybe the rest of the panel \ncan do that.\n    [Laughter.]\n    Mr. KELLY. First of all, thank you all for being here. But, \nyou know, Ms. 
Berryhill, I am--I think when we look at the size \nand scope of the program, and the number of beneficiaries, is \nthere anybody in the private sector that even comes close to \nfacing these types of problems, as far as making sure we are \nsending the right money to the right people, and the fact that \nthere is so much fraud in the system already?\n    Is there any approach out there that people are looking at \nthat would make sense?\n    Ms. BERRYHILL. So, you know, first of all, we need to \nprotect our records. And our focus for the Social Security \nnumber has been collecting wage information and paying \nbenefits.\n    We have a robust, anti-fraud process that we put in place, \nso we review claims ahead of time, we will flag certain high-\nrisk claims. But as far as comparing that to the private \nsector, we have to make sure that, in government, that our \nbeneficiaries, our recipients are protected, and their data is \nprotected.\n    Mr. KELLY. Well, it just seems to me the very nature of the \nway we do things today--we have a safe that we put things into \nthat we cannot lock. There is somebody finding a way to get \ninto this data all the time, and yet we keep thinking, well, \nyou know what? This is just the way we do things today. We are \ngoing to just have to keep going down that path. I just--I am \nreally fascinated.\n    Mr. Grobman, you said something I have written down here. \nIs there any information that indicates the cost of not finding \na remedy to this? I think those numbers would be so staggering \nthat most of us would not even want to discuss it.\n    Is there any idea of what the cost of not fixing this is--\nbecause it seems to me--there is an old saying. You keep doing \nthe same thing over and over again, expecting a different \nresult--I don't see how we fix this the way we are going right \nnow. So that cost of not fixing it, any ideas?\n    Mr. GROBMAN. I don't have a quantitative number.\n    Mr. KELLY. Yes. 
Nobody does.\n    The Chairman is right; it is the definition of insanity, \nbut----\n    Mr. GROBMAN. There is one estimate, and it was from The \nEconomist, and it was $16 billion a year.\n    Mr. KELLY. Sixteen?\n    Mr. GROBMAN. Billion.\n    Mr. KELLY. Billion, with a B. That is--down here. One, six, \nand with a B, billion. So--okay.\n    Mr. Grant, some companies have recognized problems with the \nSocial Security number and have shifted their business models \nin response. Can you share some examples in the private sector \nof how people are addressing this?\n    Mr. GRANT. Sure. So one of the founding members of our \ncoalition is Aetna, who--their chief security officer, Jim \nRouth, and the team there led an effort I think they launched \nin 2014 focused on reducing the instances of the Social \nSecurity number within their systems.\n    Talking about costs, this is a 6-year, roughly $60 million \ninvestment that the company is voluntarily undertaking because \nthey think that they can reduce their risk profile by reducing \nthe instances of the SSN across their enterprise. And I think \nto date they have eliminated about 10 billion instances, \nwhich--not that they have 10 billion beneficiaries, but it \nshows you, if I am one of theirs, that I probably had my SSN in \na dozen different systems.\n    So, you know, companies are willing to do this today, and I \nthink you are starting to see, you know, particularly Fortune \n500 companies who are holding on to SSN are looking at it as a \nliability. But the cost is significant. It can't happen \novernight.\n    They are also hindered in that, as a health insurer, they \nare required by the government to leverage the SSN for pretty \nmuch all of their government business, as well as any \nbeneficiary who they have to report to the government had \nhealth insurance.\n    So, you know, I highlighted this a little in my opening \ntestimony. 
There is a lot of government requirements that are \nout there that state that private industry has to collect the \nSSN. As long as we have those out there, it is going to be \nquite hard to eliminate it entirely.\n    Mr. KELLY. As we keep going forward, then, I--and we all \nlook at this program and we refer to it as an entitlement, and \nsome people say that is a negative term. No, entitlement means \nyou are entitled to this benefit because you have paid into it \nyour whole life.\n    I think there is total agreement on this Committee and \nthroughout the whole Congress that we have to protect this \nprogram because it is so vital to our folks.\n    Listen, I really appreciate you all being here today, but \ncould you please continue weighing in and give us other \nexamples and other solutions to what it is we are trying to \nfix? It is just this is so massive right now, I think it is one \nof those things you sit back and say it is too big for us to \nwork with.\n    But I like Mr. Grobman--it is only going to get bigger and \nbigger and more expensive if we don't do it.\n    Mr. GROBMAN. Absolutely. And I think, following up on that \ncomment, one of the things we need to look at is the \nopportunity cost of continuing to try to protect Social \nSecurity numbers from becoming public, when we know that they \nare already public in so many cases.\n    So, although there are a number of interesting efforts put \nforward in the last few years to reduce the disclosure of \nSocial Security numbers, what I would ask is what if we re-\npurposed all of those efforts into building a modern \nauthentication system so that we just simply use Social \nSecurity number as an identity, not an authenticator.\n    Mr. KELLY. Very good. Thank you.\n    Chairman JOHNSON. The gentleman's time has expired.\n    Mr. Pascrell, you are----\n    Mr. PASCRELL. Thank you, Mr. Chairman. A great panel.\n    I want to start by--Mr. Lester, would you respond to Mr. 
\nLarson's question that you didn't get a chance to respond to \nbefore?\n    Mr. LESTER. Sure. So I think you are talking about the \ncost----\n    Mr. PASCRELL. You got 30 seconds.\n    Mr. LESTER. I think you are talking about the costs of \nregulation, right? So Mr. Rosenzweig talked about the cost of \nregulating this, and I would just like to mention a cost which \nis 16.7 billion, to be precise. That is the amount that was \nstolen as a result of identity theft in 2017. The cost of not \nregulating is in the billions.\n    And furthermore, what we are talking about is restoring the \nSocial Security number to its original purpose, which is to be \nused only by the Social Security Administration. That is what \nit was intended for. Congress has many times looked at this. \nWhen they passed the Privacy Act in 1974, that is originally \nwhat it was intended to do. So----\n    Mr. PASCRELL. Thank you.\n    Mr. LESTER. Yes.\n    Mr. PASCRELL. Thank you.\n    Last month, Mr. Grant, the Ways and Means Committee marked \nup a bill to protect children and consumers from identity \ntheft--it was H.R. 5192--by helping reduce the prevalence of \nsynthetic identity fraud. The bill would do this by \nfacilitating the validation of identifying information provided \nby lenders, and upon the consent of the customer--consumer, \nrather, I am sorry--through a database maintained by the Social \nSecurity Administration. The bill is considered an important \nstep that Congress took to help prevent identity theft.\n    But I wanted to get your view very quickly about what the \nextent this validation system will solve the problem or not. \nWhat is your thoughts?\n    Mr. GRANT. So I actually talked about this a bit in my \nwritten testimony, but didn't get to it in my opening \nstatement. 
I think it is a great first step.\n    The idea actually goes to a key point that I flagged in my \nopening statement, which is can we shift the model a little bit \nwhen it comes to identity verification services, so that \ngovernment agencies like the SSA that are the authoritative \nroots of trust when it comes to my data--they have got the \ntruth, in terms of what my name and my SSN are--why can't I ask \nthem when I am opening an account to let my bank check to see \nif there really is a Jeremy Grant with my SSN and date of birth \nin their system?\n    And so this new bill, if it passes--and I think it is also \nin the Senate reg reform package for banking that is currently \nin front of the House--will be a good first step.\n    But two things I would add to that. It is only limited to \naccount openings covered under the Fair Credit Reporting Act. I \ncan't imagine, as a consumer, why I wouldn't want to ask SSA to \nvalidate that for everybody. And then I think the other \nquestion that has come up is if we are worried about synthetic \nidentity fraud, this will take care of new account openings \ngoing forward. But there is probably, you know, thousands, if \nnot millions of synthetic accounts that are out there today.\n    And so, one question has been should financial institutions \nhave an opportunity to have a one-time window where they could \nretroactively put existing accounts out there to make sure that \nthings match?\n    Mr. PASCRELL. Thanks, Mr. Grant, I appreciate that. Look, \nthere is widespread data breaches at the Office of the \nPersonnel Management, Home Depot, J.P. Morgan, Target, U.S. \nPostal Service, and, of course, Equifax. And they highlight the \nneed to focus our attention on how better to authenticate \nidentities.\n    From a consumer protection standpoint, this is outrageous. \nHackers assessed--accessed personally-identifiable information \nfrom millions of customer accounts. 
In the wrong hands, access \nto Social Security numbers, birth data, address, driver's \nlicense number could turn someone's life upside down. We must \ndo everything possible to establish privacy safeguards Social \nSecurity (sic). Protecting the individual's personal \ninformation to ensure their identities are protected must be \none of our top priorities.\n    Should the burden be on the government to create a unique \nidentifier to identify individuals, or should it be on the \nprivate corporations to establish unique identifiers with their \nclients? Anybody?\n    Mr. Lester.\n    Mr. LESTER. Right. So I think that is where the importance \nof context-specific identifiers comes into play. So if you are \ntransacting with a company you have a unique identifier for \nthat company. That way, if an identity thief steals that \nidentifier, they do not have access to all your accounts, and \nthey cannot open new accounts in your name and destroy your \nfinancial life.\n    Mr. LEWIS. Congressman, if I could just add, in the many \nattempts we have had to come up with a national identifier, we \nhave learned that there is only one trusted source, and that is \nthe government. And that is why SSA is the default identifier. \nPeople don't trust other sources.\n    Mr. PASCRELL. Mr. Chairman--thank you, but I must add this \npoint to you. Are we really serious about doing this? Are we \nreally serious about changing the culture, which is a different \nthing? And why haven't we done more? We need to ask ourselves \nthat question.\n    Chairman JOHNSON. You are right. Thank you for your \nquestions.\n    Mr. Rice, you are recognized.\n    Mr. RICE. You know, this is a incredibly complicated \nproblem, but it is not new. This is not new. Identity theft has \nexisted since people had identities, right?\n    Our--thinking back to law school and commercial paper, and \nin order to allow for the free flow of commerce, we had laws to \nprotect consumers with commercial paper. 
So a bank had a duty \nto know your signature, right? So if somebody forged your \ncheck, that wasn't your problem, it was the bank's problem. And \nthat kind of applies here, too, doesn't it?\n    I mean if somebody negligently releases your personal \ninformation, don't they have a liability for that?\n    Mr. Lester.\n    Mr. LESTER. Absolutely. The burden is on the companies that \ncollect this information. It is important to stress that \nEquifax chose to collect the information on consumers. \nConsumers did not provide that information to Equifax. And in \nfact, when Equifax is breached, they are the ones that put the \ncost on the consumer by charging them for credit freezes and \nfraud monitoring. And I think it is also important to stress \nthat there needs to be----\n    Mr. RICE. Did Equifax----\n    Mr. LESTER [continuing]. A private right of action----\n    Mr. RICE. Did Equifax have liability for that?\n    Mr. LESTER. Absolutely, which is why I need to stress that \nthere needs to be, in any privacy law, private right of action \nfor consumers to get redress.\n    Mr. RICE. So you are advocating for specific identifiers \nfor everything.\n    And I think I heard Mr. Grant say he didn't have a problem \nwith Social Security as a national identifier. I think you said \nthe same thing, Mr. Grobman, and you did, too, Mr. Rosenzweig. \nAnd I kind of agree with you.\n    I mean everybody has got an identifier, right? It is their \nname, at the very least. But the name is not unique. I mean \nthere is a lot of Tom Rices out there.\n    So you need some type of a national identifier, I would \nthink, to make commerce work. And I don't know why Social \nSecurity couldn't be that. But it can't be an authenticator, \nbecause it is not private any more. Right?\n    Mr. Rosenzweig.\n    Mr. ROSENZWEIG. Using my Social Security number as an \nauthenticator is as stupid as using the last four letters of my \nlast name as my authenticator. 
It--or the last four digits of \nmy phone number, which is another--mobile phone numbers, now \nthat they are mobile, everybody has one and it is probably one \nyou are going to keep for the rest of your life, even if you \nmove to Washington.\n    Mr. RICE. And I just think that--I mean, personally, just \nas a matter of common sense, I think completely--the idea that \nyou would completely identify--I mean eliminate any sort of \nunique identifier is just not practical. I mean we have got to \nhave some kind of unique identifier, and I don't know why it \ncouldn't be your Social Security number.\n    So I would think that the way to attack this problem--\nbecause this--I don't care what we do, I don't care if we come \nup with the most, you know, beautiful and complex system that \nwould do away with any hacking today, tomorrow the hacker is \ngoing to figure out something different. This is not new, it \nhas been going on since the beginning of time, and it is going \nto keep on going on.\n    So I would think that the way to attack this is kind of \nlike they did with commercial paper, and that we should put \nliability on people who negligently release your information.\n    Mr. Rosenzweig.\n    Mr. ROSENZWEIG. Well, there has been at least one proposal \nby a colleague of mine who was in the last Administration to \nmake people strictly liable for that.\n    For myself, I would probably prefer a negligence standard \nover strict liability, but I do think that what you are onto is \nexactly the right economic answer, which is putting the \nobligations on the least cost avoider. One of the reasons that \nI kind of like my fanciful proposal of publication is that it \nmakes it impossible for anyone to maintain the idea of security \nfor the Social Security number as an authenticator. Liability \nwould be another opportunity.\n    Mr. RICE. What do you think about that, Mr. Grobman?\n    Mr. GROBMAN. Oh, cyber crime is a market-driven enterprise. 
\nCyber criminals are looking to steal things of value. And the \nreason that cyber criminals are looking to steal Social \nSecurity numbers is in today's world they have value because \nthey can be used as an authenticator.\n    One of the most practical ways to stop the theft is to de-\nvalue what they are going after. And that is, in general, a \nmuch more practical mechanism at scale than trying to have the \nworld----\n    Mr. RICE. Okay, I got to stop because I only have 10 \nseconds. If you all would respond to this by raising your hand, \ndo any of you--who of you have a problem with using Social \nSecurity numbers as an identifier, but not an authenticator? \nOne. One out of eight. Thank you.\n    Chairman JOHNSON. The time has expired.\n    Ms. Sanchez, you are recognized.\n    Ms. SANCHEZ. Thank you, Mr. Chairman, and thank you to all \nof our witnesses.\n    Social Security numbers were originally created as a way to \ntrack earnings, and were never meant to be used as an \nidentifier in the private sector. The Social Security number \nhas since morphed into a tool used to identify and authenticate \nindividuals in a number of different situations, greatly \nexpanding the universe of people and companies who have access \nto this incredibly valuable information.\n    The ubiquity and widespread use of Social Security numbers \nhas left consumers vulnerable to identity theft helpless to \nstop it.\n    As we all know, Social Security numbers are incredibly \nvaluable for identity thieves, and can be used to open new \naccounts and credit cards, or even take out mortgages, often \nleading to financial ruin for unsuspecting and innocent \nconsumers.\n    And as technology continues to advance at alarming rates, \nour unique Social Security numbers are increasingly vulnerable \nto cyber theft and fraudulent use. 
Recent data breaches \ndemonstrate the urgent need to secure this information and just \nhow valuable Social Security numbers and other personal data \nare.\n    The Equifax hack alone comprised over 145 million \nAmerican--pardon me, compromised over 145 million Americans' \npersonal data, including their Social Security numbers. That is \nalmost half of the U.S. population who are now at risk for \nidentity theft or financial fraud.\n    Social Security numbers have become the default identifier \nbecause they are truly unique, standardized, and can be \nverified. But as more and more of our personal information is \navailable on the dark web for cheap, we need to start thinking \nabout the best ways to identify and verify individuals.\n    Mr. Lester, I would like to begin by asking you. Americans, \nconsumers, don't have a full picture of what information is \nbeing collected about them. What kind of data is being \ncollected about Americans? And are companies required to \nprotect it?\n    Mr. LESTER. Thank you. So first I would just like to \nclarify raising my hand to Representative Rice's poll question, \nbecause it wasn't a yes or no answer. I don't have a problem \nwith the Social Security number being used as an identifier for \nSocial Security.\n    To answer your question, companies are now collecting vast \namounts of data on consumers, and the problem is that consumers \ndo not have control over this data.\n    When Equifax collects data from consumers it is getting it \nfrom other commercial sources, and consumers are not providing \nit to Equifax. And so, in addition to limiting the use of the \nSocial Security number in the private sector, consumers need to \nhave control over their personal information.\n    There needs to be a default credit freeze so that companies \nlike Equifax can only disclose your information when consumers \nhave affirmatively opted in. 
This would solve the problem of \nidentity thieves opening up new accounts in your name, if \nEquifax could only pull your credit when you, as the consumer, \nhave affirmatively given them permission to do so.\n    Ms. SANCHEZ. Great. And--but I want to get at a--sort of a \nlarger question that folks wonder from time to time: Are \ncompanies required to protect that information?\n    Mr. LESTER. There is no federal standard right now for data \nsecurity. The Federal Trade Commission does enforce data \nsecurity when companies--you know, they have authority over \nunfair and deceptive practices. So if a company is representing \nthey have good data security, like in the case with Uber, they \nrepresented over and over again our data security is great, \nwhen in fact it was non-existent.\n    But no, there needs to be national standards that set a \nbaseline, because states need to have the freedom to regulate \nupward in this area, because it is a dynamic and evolving \nfield. So there needs to be a federal standard that sets a \nfloor for data security.\n    Ms. SANCHEZ. I would agree with that, and I would just say \nthat I believe most consumers believe that companies are \nrequired to protect their information.\n    Mr. Lester, could you talk a little more about how context-\nspecific identifiers work, and the medical identification \nnumber that they use in Canada?\n    Mr. LESTER. Oh. Oh, yes. So the medical identification \nnumber in Canada, as I understand it, it is a unique context-\nspecific identifier. I am not super familiar with it. So I can \ncertainly get back to you with more information on that.\n    Ms. SANCHEZ. I would appreciate it, because I would be \ninterested in knowing how that specifically works, because it \nmight be instructive in terms of setting policy for how we \nbegin to rein in the ubiquitous use of the Social Security \nnumber.\n    Mr. LESTER. And there are many other examples of context-\nspecific identifiers. 
In my statement I mention, like, the \nuniversity identifier that is a recent innovation by \nuniversities like Georgetown, my school, where they give you a \nnine-digit ID number in lieu of using your Social Security \nnumber.\n    Ms. SANCHEZ. Thank you, and I yield back.\n    Chairman JOHNSON. Thank you.\n    Dr. Wenstrup, you are recognized.\n    Mr. WENSTRUP. Thank you, Mr. Chairman. I appreciate it. \nThank you all for being here.\n    Mr. Rosenzweig, I don't have a question for you, I just \nwanted a shot at saying your name, and I hope I got it right.\n    [Laughter.]\n    Mr. ROSENZWEIG. Perfect.\n    Mr. WENSTRUP. Thank you. My question is for Ms. Berryhill. \nBut listening to Mr. Johnson's story earlier, I am reminded of \na song called ``Secret Agent Man,'' you know, and it says we \nare giving you a number and taking away your name. And that is \na concern, obviously.\n    But I want to ask you about getting a new Social Security \nnumber. You know, when you lose your credit card, or it gets \nstolen, I tell you what. That bank wants to get you a new one \nright away: one, because they want you to use it again; and \ntwo, they want to make sure that no more money comes out of \ntheir account, because it personally affects them, as well.\n    And I don't see the same for the Social Security \nAdministration in that environment because, if you think about \nit, when somebody's Social Security number is taken, the fraud \nis either at the bank, or through the IRS, a taxpayer. Maybe, \nif somebody is getting your Social Security check, it may \naffect you. I don't know. I am kind of asking about that.\n    But why do we make it so difficult to get a new number when \nthat really is the problem? Because I don't know that there is \nthe same amount of concern on the Social Security \nAdministration like there is at the bank when your credit card \ngets taken. And I know somebody mentioned it might be, like, \n$34 to get a new card. 
Well, that may be a lot on your end, but \nit is pretty small on the other end, where the fraud is taking \nplace.\n    So why is it so difficult to get a new number?\n    Ms. BERRYHILL. So usually it is a last resort to issue a \nSocial Security--new card, a new number, because it doesn't \nalways solve the problem. Many times banks, other companies, \nwill cross-reference the old number to the new number. So you \nhaven't really solved the problem in many situations.\n    We do look at misused--are people disadvantaged? Are they \nnot getting a loan for their house? Are their IRS tax returns \nand so forth--but again, I hope that our recent change in \nlooking at our instructions to our front line will help that.\n    But our number, again, is really designed to collect wage \ninformation and to pay benefits. As you can see, many of the \nexamples are really about credit card fraud, banking fraud, not \nabout our programs.\n    Mr. WENSTRUP. But let me get back----\n    Ms. BERRYHILL. Our----\n    Mr. WENSTRUP. Let me get back to my question. There is no \nharm, monetarily or otherwise, to the Social Security \nAdministration's budget. It is usually affecting someone else. \nSo you don't have the vested interest that the bank does in \nthis situation. And the cross-referencing, that doesn't need to \nhappen. They get rid of the old number. They don't need to keep \nthat data. So I don't find that as a very good answer as to \nthat being a problem.\n    So I really think you need to take a look at what can be \ndone to get somebody a new number, because that is exactly what \na business is going to do. If your identifier is stolen, they \nhave a motive to get you a new one to protect themselves. But I \ndon't find that you are at risk when somebody's Social Security \nnumber is taken away in any way. 
So there is not this desire to \nsolve this problem.\n    But $34, if that is what it actually costs to give somebody \na new card, new number, whatever the case may be, that is a \npittance to the hundreds or thousands of dollars that are going \nout on the other end. I just want to--I want to clarify that, \nbecause there is really no detriment to the Social Security \nAdministration, is that right?\n    Ms. BERRYHILL. Well, I don't know if I would agree with \nthat. Certainly, if we open up the flood gates and said \neverybody that wants a number come on and get one, we \nprobably----\n    Mr. WENSTRUP. No, no, no, you would have to have a reason, \nnot just say I don't like the number, it ends in an odd number \nand I want an even number. That--let's be realistic here. We \nare talking about people that have been victimized, not just \nanyone who wants a new number.\n    Ms. BERRYHILL. And again, we believe that we want to do due \ndiligence, we want to know what has happened with that number, \nwe want to make sure that it is appropriate to assign them a \nnew number.\n    Mr. WENSTRUP. I get that. But why is it so hard? Why is \nsomebody told they have to change their name?\n    Ms. BERRYHILL. That was not an appropriate answer to say \nyou change your name.\n    Mr. WENSTRUP. Well, thank you. I think we need to look into \nthat further.\n    I yield back, thank you.\n    Chairman JOHNSON. Thank you. Is Mr. Schweikert here?\n    Mr. SCHWEIKERT. Mr. Chairman, I apologize. We also have \nthe--running at the same time, so----\n    Chairman JOHNSON. You are recognized if you care to make \nsome questions.\n    Mr. SCHWEIKERT. 
And I actually had a couple--have you ever \nactually started to write down a couple questions and--where \nsome of us have brutal disagreements on the utilization of node \nnetworks and--but it is also a threat to certain companies.\n    So I want to go--I want to take one gigantic step \nbackwards, because I have missed a number of the questions \nhere. If I came to all of you, either as policy, technology \nexperts and said how do we design almost a single portal in our \nsociety that, whether--have a combination of multi--I am a big \nfan of certain token tradeoffs with the biometric and a \npassword.\n    So you could go on there and see your last 10 years of your \nIRS tax returns, or of your Social Security benefits, your \nveterans discharge, your--you know, where all these things that \nwe, as government--all of us, as government--hold on you, and \ncreate a single portal so you could see them, but in a way that \nwould be safe, robust, elegant.\n    And we have actually been sketching out a concept of sort \nof a, you know, pass code biometric to a token back--if I was \nto run down the line, A, is that just techno-Utopian; but B, \nwould it actually not only solve our issue here on the misuse \nof Social Security numbers, but also some of the other policy \ndecisions we as Congress and the bureaucracy have made of \nstarting to blind documents for our Medicare population, and \nthose things, and now having to get unique identifiers, and the \nre-issuing of such things, and the confusion and cascade of \nchaos I expect to come from that?\n    And could--run down. Let's start. If I came to you and said \nI don't want a simple, incremental solution, I want a \ndisruption of more--of a unified portal, can it be done?\n    Ms. BERRYHILL. So my first concern was if that unified \nportal was breached, does that mean all of my information is \nthen out there from all different----\n    Mr. SCHWEIKERT. It wouldn't if we designed permissions. 
\nSo--and we will probably get to that, but there is a way to--so \nlet's right now, for theoretically, just say it is--we were \nable to level--produce levels of security.\n    Ms. BERRYHILL. I would certainly be willing to work with \nyou on any ideas that you have. But again, my concern that if \none portal--everything was breached, we would be in a worse \nsituation today.\n    Mr. SCHWEIKERT. Okay.\n    Ms. CURDA. It sounds like a nice, aspirational idea. And \nthe Federal Government, in terms of designing such complex \nsystems, does not have a great track record. And it is \nextremely costly, so----\n    Mr. SCHWEIKERT. We were thinking we would go to McAfee \nand----\n    Ms. CURDA. Very difficult to do.\n    Mr. LESTER. So, moving towards centralized database is \nexactly the wrong approach. I would use the example of \ncontainer ships. They are compartmentalized, so that if there \nis a rocky wave, all the oil is not in one container to capsize \nthe ship. It is the same with identity. As----\n    Mr. SCHWEIKERT. So why do countries like Estonia and others \nhave incredible success because you create levels of permission \nthat require--that--it is a unified portal, but different \nlevels of permission and pass and security?\n    Mr. LESTER. Is that for me?\n    Mr. SCHWEIKERT. Yes.\n    Mr. LESTER. I don't know about the case of Estonia. As I \nunderstand, it is a much smaller----\n    Mr. SCHWEIKERT. Yes, what is your coding background?\n    Mr. LESTER. I am sorry?\n    Mr. SCHWEIKERT. Your coding----\n    Mr. LESTER. My coding background? I don't have a coding \nbackground.\n    Mr. SCHWEIKERT. Okay, sorry. And I am sorry, I was trying \nto go more technical than that. I am not being mean.\n    Mr. ROSENZWEIG. I would say that Estonia is a good case \nstudy. My concerns would mostly be about scalability issues.\n    Mr. SCHWEIKERT. Yes, that is actually fair.\n    Mr. ROSENZWEIG. It is much smaller. 
I think that such a \nsystem is at least feasible within the context of design.\n    I do share some people's concerns that U.S. Government \nlarge-scale procurement programs like this never seem to \nactually get there. So even if we could idealize it, the \ngovernment sector might----\n    Mr. SCHWEIKERT. Oh, yes.\n    Mr. ROSENZWEIG [continuing]. Not quite get it----\n    Mr. SCHWEIKERT. And let's be brutally honest. There will be \na knife fight because----\n    Mr. ROSENZWEIG. Yes.\n    Mr. SCHWEIKERT [continuing]. You are interrupting a lot of \nbureaucracies, layers of power and authority.\n    Mr. GROBMAN. It can absolutely be done. I think if you look \nat the large-scale systems that exist today for authentication, \nwhether it is financial services, whether it is some of the \nmodels that--there is numerous capabilities. The private sector \nhas built a set of protocols that enable one entity to do \nauthentication, and then allow that authentication to be \nhonored by others. Things like SAML and OATH.\n    Really, the discussion needs to be about getting the right \nbalance between privacy and security----\n    Mr. SCHWEIKERT. Well, you hit one thing I fixate on, and \nthat is--we hit quantum. I will absolutely have to have a \ntoken, because I think--because an algorithmic is under threat \n(sic).\n    Mr. GROBMAN. So one of the key points I made in my written \ntestimony is although we haven't settled on exactly what \nquantum-safe algorithms to use, in the design of a new system \nwe can design it such that we have the ability to swap \nalgorithms out as we----\n    Mr. SCHWEIKERT. Well, you don't think a token system would \nbe more robust?\n    Mr. GROBMAN. I think that it is part of the solution, but I \nthink that the underlying cryptography that needs to be used in \nthe solution does need to eventually be----\n    Mr. SCHWEIKERT. I need to learn more. If you have something \nI can read----\n    Chairman JOHNSON. 
The time of the gentleman has expired.\n    Mr. SCHWEIKERT. Oh, all right. I will talk after. But thank \nyou for tolerating me. I need to disclose I have had a lot of \ncaffeine.\n    [Laughter.]\n    Chairman JOHNSON. Thank you.\n    To keep pace with the identity thieves we need to start \nthinking beyond just protecting Social Security numbers, and \nstart thinking about how to make the numbers less valuable to \ncriminals in the first place.\n    You know, it is time to take a hard look, I think, at the \nfuture of Social Security numbers, and to decide what needs to \nchange to better protect Americans from identity theft. This \nhearing has given us a good starting point, and I look forward \nto working with my colleagues in the future to figure out the \nnext steps forward.\n    Americans are counting on us to get this right. They want, \nneed, and deserve nothing else.\n    Thank you to all our witnesses for your testimony today, \nand I thank you to our Members for being here.\n    With that, the--you want to?\n    Mr. LARSON. Yes.\n    Chairman JOHNSON. I recognize Mr. Larson----\n    Mr. LARSON. I want to thank----\n    Chairman JOHNSON [continuing]. For a comment.\n    Mr. LARSON. I want to thank the chairman. This is indeed \none of the more interesting panels that we have. And as you can \ntell, a number of our Members still have a lot of questions.\n    What we would like to ask of you is that if you could \nsubmit to us in writing--because it was very valuable to get \nyour input--we don't--and the chairman has already indicated \nthat we, as a Committee, will meet internally to digest what \nyou send us in writing, in terms of your solution and also the \nurgency that you all attach with this, especially, as the \nchairman has already outlined, under authentification (sic), \nand how we might proceed. Because there is a--this was a very \nfertile and productive meeting. I thank the chairman.\n    Chairman JOHNSON. Thank you.\n    Mr. LARSON. 
And I appreciate the opportunity to respond.\n    Chairman JOHNSON. Thank you. And thank you all for being \nhere. We appreciate your presence.\n    With that, the Subcommittee stands adjourned.\n    [Whereupon, at 11:36 a.m., the Subcommittee was adjourned.]\n    [Member Submissions for the Record follow:]\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n    [Public Submission for the Record follow:]\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n                                 <all>\n</pre></body></html>\n"