[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]
SECURING AMERICANS' IDENTITIES:
THE FUTURE OF THE SOCIAL SECURITY NUMBER
=======================================================================
HEARING
before the
SUBCOMMITTEE ON SOCIAL SECURITY
of the
COMMITTEE ON WAYS AND MEANS
U.S. HOUSE OF REPRESENTATIVES
ONE HUNDRED FIFTEENTH CONGRESS
SECOND SESSION
__________
MAY 17, 2018
__________
Serial No. 115-SS09
__________
Printed for the use of the Committee on Ways and Means
U.S. GOVERNMENT PUBLISHING OFFICE
33-871 WASHINGTON : 2019
COMMITTEE ON WAYS AND MEANS
KEVIN BRADY, Texas, Chairman
SAM JOHNSON, Texas
DEVIN NUNES, California
DAVID G. REICHERT, Washington
PETER J. ROSKAM, Illinois
VERN BUCHANAN, Florida
ADRIAN SMITH, Nebraska
LYNN JENKINS, Kansas
ERIK PAULSEN, Minnesota
KENNY MARCHANT, Texas
DIANE BLACK, Tennessee
TOM REED, New York
MIKE KELLY, Pennsylvania
JIM RENACCI, Ohio
KRISTI NOEM, South Dakota
GEORGE HOLDING, North Carolina
JASON SMITH, Missouri
TOM RICE, South Carolina
DAVID SCHWEIKERT, Arizona
JACKIE WALORSKI, Indiana
CARLOS CURBELO, Florida
MIKE BISHOP, Michigan
DARIN LAHOOD, Illinois
BRAD R. WENSTRUP, Ohio

RICHARD E. NEAL, Massachusetts
SANDER M. LEVIN, Michigan
JOHN LEWIS, Georgia
LLOYD DOGGETT, Texas
MIKE THOMPSON, California
JOHN B. LARSON, Connecticut
EARL BLUMENAUER, Oregon
RON KIND, Wisconsin
BILL PASCRELL, JR., New Jersey
JOSEPH CROWLEY, New York
DANNY DAVIS, Illinois
LINDA SANCHEZ, California
BRIAN HIGGINS, New York
TERRI SEWELL, Alabama
SUZAN DELBENE, Washington
JUDY CHU, California
Gary J. Andres, Staff Director
Brandon Casey, Minority Chief Counsel
______
SUBCOMMITTEE ON SOCIAL SECURITY
SAM JOHNSON, Texas, Chairman
MIKE BISHOP, Michigan
VERN BUCHANAN, Florida
MIKE KELLY, Pennsylvania
TOM RICE, South Carolina
DAVID SCHWEIKERT, Arizona
DARIN LAHOOD, Illinois

JOHN B. LARSON, Connecticut
BILL PASCRELL, JR., New Jersey
JOSEPH CROWLEY, New York
LINDA SANCHEZ, California
C O N T E N T S
__________
Advisory of May 17, 2018 announcing the hearing
WITNESSES
Nancy Berryhill, Acting Commissioner, Social Security Administration
Elizabeth Curda, Director, Education, Workforce, and Income Security, Government Accountability Office
Samuel Lester, Consumer Privacy Counsel, Electronic Privacy Information Center
Paul Rosenzweig, Senior Fellow, R Street Institute
Steve Grobman, Senior Vice President and Chief Technology Officer, McAfee, LLC
Jeremy A. Grant, Coordinator, Better Identity Coalition
James Lewis, Senior Vice President, Technology Policy Program, Center for Strategic and International Studies
MEMBER QUESTIONS FOR THE RECORD
Rep. Sam Johnson to Elizabeth Curda
Elizabeth Curda Response
Rep. Sam Johnson to Jeremy A. Grant
Jeremy A. Grant Response
Rep. Sam Johnson to Steve Grobman
Steve Grobman Response
Rep. Sam Johnson to Paul Rosenzweig
Paul Rosenzweig Response
PUBLIC SUBMISSIONS FOR THE RECORD
NAPBS, statement
SECURING AMERICANS' IDENTITIES:
THE FUTURE OF THE SOCIAL SECURITY NUMBER
----------
THURSDAY, MAY 17, 2018
U.S. House of Representatives,
Committee on Ways and Means,
Subcommittee on Social Security,
Washington, DC.
The Subcommittee met, pursuant to notice, at 10:08 a.m., in
Room 1100, Longworth House Office Building, the Honorable Sam
Johnson [Chairman of the Subcommittee] presiding.
[The advisory announcing the hearing follows:]
Chairman JOHNSON. Good morning and welcome to today's
hearing on the future of the Social Security number.
The Social Security card and the Social Security number
were created in 1936, believe it or not, so the Social Security
Administration could track earnings and correctly determine
benefits. Today's use of Social Security numbers for
everything--you need one. So when you get a job, buy a house,
or open a new credit card (sic).
Given all the ways we use it, it is no wonder Social
Security numbers are a valuable target for identity thieves.
For years, I have been dedicated to doing all I can to protect
America--Americans from identity theft by protecting the
privacy of Social Security numbers. Military IDs no longer use
Social Security numbers, and Medicare is now sending new cards
without numbers, Social Security numbers, to seniors across the
country. And last year Congress made all federal agencies stop
mailing documents that contain Social Security numbers unless
it is absolutely necessary.
For a long time keeping Social Security numbers secret
meant keeping them safe. But after so many high-profile data
breaches like Equifax, OPM, and Anthem, where hundreds of
millions of Social Security numbers were stolen, it is clear
they aren't a secret anymore. And it is time we stop pretending
that they are.
Make no mistake, it is still important to limit the
unnecessary use of Social Security numbers. But if we want to
keep pace with identity thieves, we need to think beyond just
keeping them.
As we will hear today, what makes these numbers so valuable
to identity thieves is how we use them. Using Social Security
numbers both to identify someone and to prove their identity
doesn't make sense. But we have been doing it forever. We need
to break the link between identification and authentication.
We will also hear from Social Security about what it takes
to get a new Social Security number when it has been stolen and
why it is often harder to do than it should be. I recently
learned of a case in Arizona where the mother of a child whose
Social Security number had been stolen was told she needed to
change her daughter's name and last name--first, middle, and
last name--before her daughter could get a new Social Security
number. Can you believe that? That is wrong.
But what is worse is that having to change your name isn't
Social Security's policy. It was an extra hoop to jump through
made up by a field office employee. While I am happy the little
girl eventually got a new number without having to change her
name, getting a new number shouldn't be so difficult. It
shouldn't take a local news story or a call from a
congressional office for Social Security to do right by those
looking for help.
Identity theft is on the rise, and we must take a hard look
at the future of Social Security numbers, both how they are used,
and if Social Security needs to do things differently. We have
a responsibility to do all we can to better protect Americans
from identity theft.
I want to thank our witnesses for being here today and I
look forward to hearing your testimony, all of you.
And I will now recognize Mr. Larson for his opening
statement.
Mr. LARSON. Well, thank you, Mr. Chairman, and let me echo
your sentiments and also acknowledge that you have been a
leader in the United States Congress, both in protecting the
integrity of the Social Security program from fraud and abuse,
and certainly, in this case, of identity theft which threatens
the entire system.
As you indicated, Mr. Chairman, the recent data breach at
Equifax has left more than 145 million people wondering whether
they will have their identity stolen or credit damaged. Their
ability to get a mortgage, a small-business loan, or even a job
is at the whim of criminals, who have stolen information to
wreak havoc on their financial security.
It doesn't matter if you are in Plano, Texas or you are in
East Hartford, Connecticut, or whether you are 6 weeks old or
96 years old. Cyber criminals don't care. Their only interest
is in profiting from your identity in a way that makes them as
much money as possible. Unfortunately, Equifax is just one in a
long list of data breaches where personal information about
hard-working men and women has been compromised, including
Social Security numbers, which is the subject of today's
hearing.
The problem of identity theft is well known and it affects
our entire economy. We need to come together in a bipartisan
way to strengthen privacy protections and safeguard financial
security. And I thank you, Mr. Chairman, for your continued
efforts in reaching out along those lines, as well.
What is clear is that all users of Social Security numbers,
both government and business, need to change their ways. The
widespread use of Social Security numbers as a way to both
identify and authenticate individuals poses an ongoing risk of
identity theft. This practice assumes that only I have access
to my Social Security Number.
But given the extensive data breaches, this is no longer a
safe assumption, as I believe our witnesses will all agree.
There is a role here both for government and for industry.
Unfortunately, there are steep headwinds in this fight. The
pace of innovation in the technologies used by cyber criminals
presents a very difficult and foreboding challenge. At the same
time, we must be sure that the solutions to better protect
personal information are accessible to all Americans, even
those of us who are less adept at the new technologies.
Finally, we must keep Americans' privacy concerns in mind
about how data is collected about individuals, how it is used,
and who controls it. Just as we must come together to protect
Americans' personal identity information, we should also come
together to protect the future of Social Security itself.
I know my dear friend and colleague shares my concern in
this. I think we need to have a hearing on the future of Social
Security itself. We have proposed bills and legislation. It is
time that we expand the most successful program in the Nation's
history, knowing that as we go forward it is important to
protect it at its very heart to secure it from fraud and abuse,
but also to understand that this is an insurance program that
needs to be made actuarially sound, that was last touched in
1983, when Ronald Reagan was President and Tip O'Neill was
Speaker of the House.
It is an actuarial problem that can and should be addressed
to not only protect the future of Americans, but also, as
disparity grows in this great country of ours, the one thing
that every single person in this Nation can count on is that
Social Security has never missed a payment. We have an
obligation on this Committee, and as Members of Congress, to
make sure that the integrity of the program and also its
viability goes beyond the 75-year requirement that we are sworn
to serve.
And with that, Mr. Chairman, I yield back and look forward
to the questions and what we are--look forward to asking
questions, and look forward to hearing from our distinguished
panel.
Chairman JOHNSON. Well, thank you for your comments. As is
customary, any Member is welcome to submit a statement for the
record.
And before we move on to testimony, I want to remind our
witnesses to please limit your oral statements to five minutes.
However, without objection, all of the written testimony will
be made a part of the hearing record.
We have seven witnesses today. Seated at the table are
Nancy Berryhill, acting commissioner of Social Security
Administration; Elizabeth Curda, director, education,
workforce, and income security for Government Accountability
Office; Samuel Lester, consumer privacy counsel, Electronic
Privacy Information Center; Paul Rosenzweig--and that is not
right--Paul----
Mr. ROSENZWEIG. It is Rosenzweig, sir, but----
Mr. JOHNSON. Rosenzweig?
Mr. ROSENZWEIG. Yes, sir.
Mr. JOHNSON. Thank you. Senior fellow, R Street
Institution. Steve Grobman, senior vice president and chief
technology officer, McAfee; Jeremy Grant, coordinator, Better
Identity Coalition; James Lewis, senior vice president,
technology policy program, Center for Strategic and
International Studies.
Acting Commissioner Berryhill, please begin your testimony.
STATEMENT OF NANCY BERRYHILL, ACTING COMMISSIONER, SOCIAL
SECURITY ADMINISTRATION
Ms. BERRYHILL. Chairman Johnson, Ranking Member Larson, and
Members of the Subcommittee, thank you for inviting me to
discuss identity theft and the future of the Social Security
number. I am Nancy Berryhill, Social Security's acting
commissioner.
The scope of our programs is enormous. We pay monthly
benefits to over 62 million Social Security beneficiaries and 8
million supplemental security income recipients. During fiscal
year 2017 we paid about $934 billion to Social Security
beneficiaries, and $55 billion to SSI recipients. In addition,
we posted 279 million earning items to workers' records last
year.
The SSN underpins the programs we administer. We designated
this 9-digit number in 1936 to allow employers to accurately
report earnings and determine eligibility for benefits. To date
we have issued around 505 million unique numbers to eligible
individuals.
Although we created the Social Security number for our
programs, it has become a personal identifier used most broadly
across government and the private sector. For example, in 1943
the executive order required federal agencies to use the SSN.
Advances in computer technology and data processing in the
1960s further increased the use of the number within federal
agencies.
For example, in 1961 the Federal Civil Service Commission
began using the SSN as the identification number for all federal
employees. The next year the IRS began using the number as a
taxpayer identification number. Beginning in the 1970s,
Congress enacted legislation requiring the number for a variety
of federal programs. Over the decades use of the SSN grew, not
just in Federal Government, but throughout the state and local
government, banks, credit bureaus, hospitals, and other parts
of the private sector.
As use of the SSN has increased, so have the opportunities
for misuse. We and Congress have made changes to try to protect
the integrity of the number, including strengthening the
security of the SSN card, and requiring additional proofs to
issue them; establishing programs and ensure accurate and
timely of the SSN (sic), such as enumeration at birth, program
that assigns SSNs to newborns, and verifying SSNs for
federally-funded programs, employment eligibility, and other
programs.
Unfortunately, SSN misuse and identity theft continue to
increase. We understand the distress and economic hardship
victims of identity theft face. We advise suspected victims on
how to contact the Federal Trade Commission and law
enforcement, and we refer cases of misuse to our office of
inspector general for investigation. In certain circumstances
we assign a new number to a victim of SSN misuse who has been
disadvantaged due to misuse of the number.
It is important to note that assigning a new number is
often a last resort, because it can cause more problems than it
solves. For example, the absence of a credit history under a
new number makes it more difficult to obtain credit to buy a
house or a car. Nevertheless, in recognition of devastating
effects identity theft can have, we continue to refine our
policies in this area. Our goal is to serve the needs of the
victims.
Over the years we have added flexibilities to our policies
where needed, and we encourage front-line employees to
coordinate with experts in our regional offices. We will
continue to do what we can to mitigate the effects of SSN
misuse.
We--but we cannot alone solve the problem that over-
reliance on the SSN has caused. As long as the SSN remains key
to assessing things of value, particularly credit, the SSN
itself will have commercial value, and it will continue to be
targeted by fraudsters for misuse.
Identity theft is a broad public policy issue that must be
addressed. I applaud the chairman and the Subcommittee for
their efforts to protect the SSN, including mandating the
removal of the SSN from the Medicare cards and documents mailed
by federal agencies. These bills are an important step.
However, addressing identity theft requires a unified
effort that includes this Subcommittee and Congress, the
Administration, public and private experts throughout the
country.
Our chief information officer, who is sitting behind me,
Rajive Mathur, is here with me today. He and I look forward to
hearing the ideas raised during today's hearing.
Thank you, and I will be happy to answer any questions that
you may have. Thank you.
Chairman JOHNSON. I appreciate your testimony.
[The prepared statement of Ms. Berryhill follows:]
Chairman JOHNSON. Ms. Curda, welcome again. Please proceed.
STATEMENT OF ELIZABETH CURDA, DIRECTOR, EDUCATION, WORKFORCE,
AND INCOME SECURITY, GOVERNMENT ACCOUNTABILITY OFFICE
Ms. CURDA. Chairman Johnson, Ranking Member Larson, and
Members of the Subcommittee, thank you for inviting me here to
discuss GAO's observations on the extent to which the paper
Social Security card is currently used, and what it costs to
produce.
SSA has issued about 500 million Social Security numbers
and cards since the Social Security program began in 1935.
Originally, the SSN was not intended to serve as a personal
identifier outside of SSA's programs. But due to its
universality and uniqueness, government agencies and private-
sector entities increasingly use the SSN as a convenient means
of identifying people.
However, as everyday transactions are increasingly
conducted electronically, it raises questions about whether a
paper card is still needed or desirable to communicate or
verify a person's SSN.
Today I will first discuss whether there are any federal
requirements to present a Social Security card. Second, I will
discuss common situations in which other public or private-
sector stakeholders may ask to see the card to conduct
business. And finally, I will discuss stakeholder views about
the potential implications of eliminating the cards, including
potential cost savings.
Although there are many federal requirements to provide an
SSN, we found no statutory requirements and only two regulatory
requirements to show a card. Both requirements were to verify
an individual's SSN under certain narrow circumstances such as
for uniformed service members seeking to change their SSNs.
To identify requirements or customary uses of the cards
outside of the Federal Government we spoke to a variety of
associations representing human resource managers, the finance
sector, higher education institutions, and state agencies. The
stakeholders we spoke with described a variety of instances in
which individuals may present a card among other acceptable
forms of documentation in order to verify their identity or
their SSN.
For employment, all U.S. employers must verify and document
a newly-hired employee's employment eligibility. Although the
Social Security card is the most commonly used document for
this purpose, the card is one of several acceptable documents
that employees may present to prove they are eligible to work
in the United States. Other examples of acceptable documents
include a U.S. passport or permanent residence card, among
others.
A common reason employers may ask to see a card is to
verify the accuracy of the employee's SSN because employers can
be fined for submitting inaccurate W-2 forms, for example.
The card is also commonly used to apply for a driver's
license under the Real ID Act of 2005. The card is one of
several options for documents that an applicant must provide to
verify their identity.
The card may also be used as documentation when setting up
financial accounts or to resolve SSN discrepancies when
processing educational loans. However, providing the card is
not required.
SSA and the stakeholders we interviewed also provided their
perspectives on the implications of eliminating the card. One
advantage of showing the card is to ensure the accuracy of the
SSN, instead of relying on someone's memory. A disadvantage
stakeholders cited included that the card alone is not
sufficient to ensure the identity of the card holder, so other
forms of identification are usually needed.
However, most of the stakeholders we interviewed indicated
that their processes would not change significantly if the card
were eliminated. They would continue to collect SSNs, as
required, but would use other documents for identification or
verification purposes, or electronically verify the SSN with
SSA.
SSA officials also provided their perspective that
eliminating the card may result in limited cost savings, if
any. In 2016, SSA estimated that the cost to produce a card
ranged from $6 for a replacement card requested online to $34
for a card requested in person at a field office. These
estimates include staff time, technology, paper, printing,
postage, and overhead. If the card were eliminated, only some
of these costs would be saved because of the labor and other
costs still needed to generate new SSNs.
A conservative estimate of the savings based on the
printing, paper, and mailing costs accounts for only $.60 of
the cost of the card. SSA officials stated that the agency
spent about $8 million in fiscal year 2016 on paper, printing,
and delivery of the cards. However, implementing a new system
to replace the card could offset these savings.
Other implications of a cardless electronic system,
stakeholders cited, included security and control over personal
information and potential barriers for people with limited
access to technology.
This concludes my prepared statement, and I would be happy
to answer the Committee's questions.
Chairman JOHNSON. Thank you. I appreciate your testimony.
[The prepared statement of Ms. Curda follows:]
Chairman JOHNSON. Mr. Lester, welcome. Please go ahead.
STATEMENT OF SAMUEL LESTER, CONSUMER PRIVACY COUNSEL,
ELECTRONIC PRIVACY INFORMATION CENTER
Mr. LESTER. Chairman Johnson, Ranking Member Larson,
Members of the Subcommittee, thank you for the opportunity to
testify today. My name is Sam Lester. I am the consumer privacy
counsel at the Electronic Privacy Information Center. EPIC is
an independent, non-profit research organization here in
Washington, D.C. established in 1994 to focus public attention
on emerging privacy and civil liberties issues.
I appreciate your interest in this critical topic. I cannot
overstate the urgency that we update our privacy laws. There is
no other form of personal information that poses a greater
threat to privacy than the Social Security number. The recent
Equifax breach exposed the Social Security numbers of over half
of the U.S. adult population.
The SSN was never meant to be an all-purpose identifier in
the private sector. When it was first introduced in 1936 it was
to be used only for the administration of Social Security
taxes. The fact that it is now so pervasive as both an
identifier and authenticator, a user name and a password, has
undoubtedly contributed to the alarming rise in data breaches,
identity theft, and financial fraud.
SSNs are the keys to the kingdom for identity thieves. A
criminal in possession of your SSN can file fraudulent taxes in
your name, open new accounts in your name, take out lines of
credit, and many other forms of fraud.
If you are about to buy a home, for instance, you could
experience your worst nightmare when a lender pulls your credit
and sees that your FICA score is too low to qualify for a loan
because someone has fraudulently run up debt in your name. For
someone who has experienced new account fraud, it can take
years to recover, financially.
In 2017 identity theft impacted almost 17 million
consumers. More importantly, consumers cannot protect
themselves from the misuse of the SSN. As others have stressed,
the Social Security Administration will only replace your SSN
in the most extreme circumstances.
And furthermore, the credit reporting industry makes it
even more difficult for consumers. A credit freeze is
burdensome and costly, and credit monitoring and fraud alert
services do not adequately protect consumers. The CEO of
LifeLock had his identity stolen 13 times after he displayed
his real Social Security number in a commercial that was
supposed to demonstrate how effective his product was at
preventing identity theft.
There have been recent efforts to limit the use of the SSN,
but much more needs to be done. For example, in 2017 Medicare
finally announced it would remove SSNs from cards, the result
of an effort led by Chairman Johnson and Representative Doggett
of this Committee.
Also, a number of states have taken steps in the right
direction. For instance, Alaska now prohibits the use of SSNs
by both private companies and the government without explicit
legal authorization. This would be a good model for federal
legislation, and also shows why federal law should not prevent
states from enacting their own safeguards.
To limit the devastating financial harm caused by the
misuse of the SSN, Congress should take the following measures.
Firstly, the SSN should be prohibited in the private sector
without explicit legal authorization, and companies should be
prohibited from compelling consumers to disclose their SSN as a
condition of sale or service unless authorized by law.
Secondly, Congress should promote the development of
context-specific identifiers. For example, if you are going to
do banking, you have a bank account number. If you are
obtaining a driver's license, you have a driver's license
number. The advantage of these context-specific identifiers is
that if one number gets compromised, an identity thief does not
have access to all your accounts.
Finally, Congress must not replace the SSN with a national
biometric identifier. This would be a very bad idea. This
approach would pose serious privacy and security risks. In the
massive breach of the Office of Personnel Management in 2015,
foreign hackers targeted digitized fingerprints stored in
federal databases. These risks would only be compounded if the
U.S. were to move towards a national biometric identifier.
Thank you for the opportunity to testify today, and I will
be happy to answer your questions.
Chairman JOHNSON. Thank you, sir. I appreciate your
testimony, as well.
[The prepared statement of Mr. Johnson follows:]
Chairman JOHNSON. Mr. Rosenzweig.
Mr. ROSENZWEIG. Thank you very much.
Chairman JOHNSON. Is that the right pronunciation?
Mr. ROSENZWEIG. Rosenzweig, but----
Chairman JOHNSON. Weig, okay.
Mr. ROSENZWEIG. Thank you very much.
Chairman JOHNSON. Pardon me. Well, please proceed.
STATEMENT OF PAUL ROSENZWEIG, SENIOR FELLOW, R STREET INSTITUTE
Mr. ROSENZWEIG. Thank you very much, Chairman Johnson,
Ranking Member Larson, Members of the Subcommittee. I too am
pleased to be able to speak with you today about the future of
the Social Security number.
The Social Security number has a long history of utility as
an identifier. I don't think that is the problem. The use of it
as an identifier is no different than the use of my phone
number as an identifier or the use of my name as an identifier.
The problem is that the Social Security number has mutated in
its use, so it is now also an authenticator of my identity.
Authenticators are classically only useful if they involve
something that you know exclusively, something you have, or
something you are, and they are kept confidential. Today Social
Security numbers are so deeply compromised and so widely
available in public--albeit often through criminal means--that
they can no longer be used as an authenticator. This is because
recent incidents like the Equifax breach that we have already
spoken of, and whose anniversary occurs this week, have
effectively disclosed the vast majority of previously
confidential Social Security numbers. My own Social Security
number, to my knowledge, has been breached at least three times
in the past four years. So I feel this quite personally.
As a result, in my view, any enterprise that continues to
use a Social Security number as an authenticator is engaging in
borderline privacy and security malpractice. Yet some do. Just
the other day I was shocked that a bar renewal membership used
my--the last four of my Social Security as a way of
authenticating my identity. And this was a governmental use.
So what should we do about that? What should we do in
response to the problem? In my judgement, Congress has three
logical options.
The first is to, as Mr. Lester has just suggested, regulate
or outlaw Social Security numbers. That is a plausible
solution, but one that I respectfully think is not appropriate.
That comes with all the usual disadvantages of government
intervention: regulatory gridlock, administrative costs,
enforcement mechanisms that are necessary, along with
procedural safeguards, as well.
In short, I think a regulatory response will come with a
great deal of expense and be a relatively slow result, perhaps
even no quicker than the next solution, which is to do nothing.
In a lot of ways, the market is addressing this problem.
The disutility of SSNs as an authenticator has become widely
known and is increasingly on the decline (sic). Eventually, the
market will take care of the problem. The problem with that
answer, of course, is that before it does, a great number of
Americans will suffer from data breach and identity theft. So I
think that is a second-best solution.
The best solution, in my judgement--and one of the joys of
being in a think tank is your ability to think creatively about
problems and think outside the box--is to eliminate the utility
of the Social Security number as an authenticator. Make it
impossible, in practice, for anyone to continue to use it in
this way.
One simple and quite elegant solution that I offer both as
a thought experiment and also as a possible practical solution
is to simply publish a phone book with every citizen's Social
Security number in it. In other words, by publishing it
publicly, we would make it impossible for any enterprise to
continue to legitimately use it as an authenticator of
identity. To continue to do so after that and after a suitable
transition time would, in my judgement, be per se negligence of
the sort that ought to involve liability for the enterprise.
One final point that I would make. Congress needs to look
to its own house. Repeatedly in law we have mandated the
collection of Social Security numbers as identifiers, and
sometimes continued to use them as authenticators, as my
colleague has already testified to. At a minimum, I think it is
incumbent upon Congress to review government's use of the
Social Security number and its processes, if only so that by
cleaning up our own house we can speak to the private sector
with authority.
I thank you for the opportunity to testify before you, and
I look forward to the chance to answer questions.
Chairman JOHNSON. Thank you, sir. I appreciate your
testimony.
[The prepared statement of Mr. Rosenzweig follows:]
Chairman JOHNSON. Mr. Grobman, you are recognized.
STATEMENT OF STEVE GROBMAN, SENIOR VICE PRESIDENT AND CHIEF
TECHNOLOGY OFFICER, MCAFEE, LLC
Mr. GROBMAN. All right, good morning, Chairman Johnson,
Ranking Member Larson, and Members of the Subcommittee. It is a
proud honor to testify today. And Chairman Johnson, it is an
honor to work in your district. McAfee actually has its largest
U.S. location in Plano, Texas. So it is an honor to testify
today.
As McAfee's senior vice president and CTO I set our
technical strategy to protect connected computing worldwide for
both consumers and business architectures. I have worked in the
field of cyber security for 2 decades, and have 24 U.S. and
international patents in the fields of security, software, and
computer architecture.
McAfee is one of the world's leading independent cyber
security companies providing solutions for both business and
consumers.
The nine-digit Social Security number first appeared as an
identifier in 1936, but has since become the de facto national
identifier and federal credential, uses for which it was never
intended. Simply knowing a Social Security number has become
accepted as a mechanism to impersonate an individual, and the
Social Security number has become the premier target for cyber
criminals.
Social Security numbers are sold in bulk in the black
market for as little as $1 each. And once stolen, a Social
Security number cannot easily be reissued or replaced. Last
year's Equifax breach, which resulted in 145 million U.S.-based
users having their personal information compromised, reminds us
that the U.S. needs to modernize its national identification
standard.
There are three elements that need to be discussed when we
transition to a next-generation personal identifier: identity,
authentication, and authorization. In our current model Social
Security numbers play a role in all three. Identity is an
identifier that can be public. It is like an individual's
Twitter handle; it identifies an individual, but simply knowing
the handle doesn't enable someone to impersonate the account
holder.
Authentication, by contrast, is the process of proving that you
are a specific identity, and generally relies on one of three
types of factors: something you know, like a password;
something you have, like a smart card; or something you are,
such as a biometric. Authorization is granting a specific
capability or benefit to a specific entity. All three parts
need to be in scope for a next-generation system.
We have all the technology pieces to move towards a high-
quality, high-security, well-thought-out, next-generation
identity management system based on strong authentication. What
is more difficult is understanding the requirements that will
be acceptable for both government and the citizens.
We need to ask questions such as: Is this a solution
exclusively for government-related services? How can a system
be inclusive to all citizens, regardless of wealth or access to
advanced technologies? Does a government biometrics database
create unacceptable privacy issues? How will recovery
mechanisms work when technology assets are lost or stolen? What
are the cost constraints, funding options, and timelines for
implementing and maintaining a solution into the next
generation? And how long does the underlying cryptography need
to last?
This last question is interesting, in that we are on the
verge of quantum computing becoming a viable reality. Quantum
computing is well suited to break the underlying cryptography
that protects the world's data, specifically RSA, the public
key algorithm which is at the heart of most protection and
identity solutions. A next-generation architecture must
comprehend the quantum computing world we will likely face in
the next few decades.
We need to look at what technology options are available,
and I have been asked whether things such as blockchain could
be useful. I do not recommend it. While a powerful technology
providing properties such as decentralized trust, blockchain
also brings scalability, complexity, and its own security
challenges. In the case of our next-generation system, we do
have a trusted central authority: the U.S. Government. We need
to focus on the problem that we are trying to solve, and the
one thing that we must do is not use the current system that we
have.
A few quick recommendations: We need an identity management
executive order that outlaws the use of Social Security numbers
as authenticators. We need to push federal agencies to act as
validators of identity and mandate that all federal e-government
services require the use of strong authentication. We need to
let innovation flourish; NIST and the private sector can work
together on this. And we need to move faster in implementing
quantum-safe algorithms to protect both data-protection and
identity solutions.
It is an honor to testify to this Subcommittee. I
appreciate your interest in considering my recommendations, and
look forward to answering your questions.
Chairman JOHNSON. Thank you for coming all the way from
Plano.
Mr. GROBMAN. You bet.
[The prepared statement of Mr. Grobman follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Chairman JOHNSON. Mr. Grant, welcome. Please go ahead.
STATEMENT OF JEREMY A. GRANT, COORDINATOR, BETTER IDENTITY
COALITION
Mr. GRANT. Thank you. Good morning, Chairman Johnson,
Ranking Member Larson, Members of the Committee. Thank you for
the opportunity to discuss the future of the Social Security
number with you today.
I am here on behalf of the Better Identity Coalition, an
organization launched earlier this year focused on bringing
together leading firms from different sectors to develop a set
of consensus, cross-sector policy recommendations that promote
the adoption of better solutions for identification and
authentication.
The Coalition's founding members include recognized leaders
from diverse sectors of the economy, including financial
services, health care and technology, telecommunications,
fintech, payments, and security. Our members are united by a
common recognition that the way we handle identity today in the
U.S. is broken, and by a common desire to see both the public
and private sectors each take steps to make identity work
better.
As background I have worked for more than 20 years at the
intersection of identity and cyber security. In 2011 I was
selected to lead the National Strategy for Trusted Identities
in Cyberspace, which was a White House initiative focused on
improving security, privacy, choice, and innovation through
better approaches to digital identity. In that role I also led
the identity team up at NIST.
I left government three years ago, and now lead the
technology business strategy practice at Venable, a law firm
here in town with the country's leading privacy and cyber
security practice. And in that role I serve as the coordinator
of the Better Identity Coalition.
Let me say I am grateful to the Committee for calling this
hearing today. The SSN is a key component of our identity
infrastructure, and the future of this number impacts every
American. Up front, I would submit that many of our challenges
here are linked to more than 80 years of contradictions in
policy around how this number should be managed and used.
Among the biggest contradictions, the SSN is simultaneously
presumed to be both secret and public: secret, because we tell
individuals to guard their SSN closely; public, because we have
multiple laws that require individuals to give it out to
facilitate all sorts of interactions with industry and
government; secret, because we then tell those entities to
ensure that, if they store it, which the law often requires
them to do, that it be protected; and public, because that has
proven quite hard to do, to the point that the majority of
Americans' SSNs have been compromised multiple times over the
last several years, amidst a wave of data breaches.
Now, these contradictions are not the result of anything
malicious. On the contrary, they reflect years of trying to
balance several important roles played by the SSN and the
Social Security Administration. What is most important now is
that the government, one, recognizes these contradictions and,
two, takes steps to put policies in place that are more
consistent, and that put us on a path towards a system that
enhances security, privacy, and convenience for Americans.
I believe there are five areas where change is needed.
Firstly, when talking about the future of the SSN and
whether it needs to be replaced, it is essential, as Chairman
Johnson noted and many members of the panel have noted, to
understand the difference between the number's role as an
identifier, which is a number used to sort out which Jeremy
Grant I am among the hundreds in the U.S., and its use as an
authenticator, which is something that can prove I am actually
this Jeremy Grant.
SSNs should no longer be used as authenticators. That
means, as a country, we stop pretending this number is a
secret, or that knowledge of an SSN can be used to prove that
someone is who they claim to be.
Secondly, just because SSNs should no longer be used as
authenticators does not mean that we need to replace them with
some sort of new SSA-issued identifier. I have yet to see any
proposal here that does not involve spending billions of
dollars and confusing hundreds of millions of Americans with
very little security benefit.
Rather than create a new identifier, our focus ought to be
on crafting better authentication solutions that are not
dependent on the Social Security number and are resilient
against modern vectors of attack.
Thirdly, on the authentication topic, there is good news.
Multi-stakeholder efforts like the FIDO Alliance and the World
Wide Web Consortium have developed standards for next-
generation authentication that are now being embedded in most
devices, operating systems, and browsers in a way that enhances
security, privacy, and the user experience. The government can
play a role in accelerating the pace of adoption.
Fourthly, even if we assume the SSN is publicly known, that
does not mean it needs to be used everywhere. Many of the
members of the Better Identity Coalition would love to reduce
where they use the SSN, due to the risks that it presents to
them, relative to other identifiers. However, they are running
up against laws and regulations that require them to collect
and retain the SSN.
Finally, we need to focus not just on the SSN, but also the
future of the Social Security Administration. The issue here
goes beyond the future use of a nine-digit number to encompass
a broader topic: What role should the government play in the
future of the identity ecosystem?
Now, while identity may not be a part of the SSA's mission
statement, there is no question that in 2018 the SSA is in the
identity business. It is time to acknowledge that fact and then
take a step back to contemplate what that means.
Having agencies like SSA accept their role here may be the
most impactful thing that the government can do to help solve
our identity challenges. Specifically, like allowing consumers
to start asking agencies that have their personal information
to vouch for them to parties they seek to do business with.
The SSA and state departments of motor vehicles have the
most to offer here, and this concept was embraced in the 2016
report from the Bipartisan Commission on Enhancing National
Cybersecurity. The Federal Government should work to, one,
develop a framework of standards and rules to make sure this is
done in a secure, privacy-protecting way; and second, fund work
to get it started.
I appreciate the opportunity to testify today and look
forward to answering your questions.
Chairman JOHNSON. Thank you, sir.
[The prepared statement of Mr. Grant follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Chairman JOHNSON. Mr. Lewis, welcome. Thank you for being
here. Please proceed.
STATEMENT OF JAMES LEWIS, SENIOR VICE PRESIDENT, TECHNOLOGY
POLICY PROGRAM, CENTER FOR STRATEGIC AND INTERNATIONAL STUDIES
Mr. LEWIS. Thank you, Mr. Chairman and Ranking Member
Larson. I thank the Committee for the opportunity to testify.
One of the leading scientists of the 20th century said that
an expert is an individual who has made all possible errors in a
particular field. And I think that qualifies me as an expert in
this issue, since I have been involved in programs like this
since 1992, none of which have worked.
So let's give it a try.
We have all heard how the SSN is the key identifier. It is
unique to each individual. It is issued by a trusted source.
And most importantly, it links to different databases. So your
SSN can link to your bank, your tax account, your driver's
license. It is irreplaceable.
It is invaluable for business. But as we have heard, it is
also invaluable for crime. One estimate is that somewhere
between 60 and 80 percent of all Social Security numbers have
been stolen. Another estimate puts the cost of stolen Social
Security numbers at $16 billion annually. I think the Committee
is on the right track here by looking at ways to modernize and
strengthen the SSN, the Social Security number, because this
will provide real benefits and reduce crime.
Our goal should be to provide the same level of service and
security that citizens expect from the private sector, or that
citizens enjoy in other developed economies.
There are several options for modernizing the SSN. These
include federated authentication of identity, public
encryption, blockchain, and smart cards. Some of these have
been tried in the past, but they faced problems of complexity,
cost, and they raise privacy concerns.
Simply publishing the SSN, as you heard, is the least
expensive option, but it doesn't fix all the problems we face.
An easy first step would be to replace the Social Security
card with a smart card, a plastic card with an embedded chip,
like the credit cards that most of us carry. Millions of
commercial transactions are carried out with these cards every
day. Most people are familiar with them, which would ease the
burden of both acceptance and transition.
A smart card provides a foundation for a secure Social
Security number. When your credit card is stolen, your
financial institution cancels the old one and issues you a new
number. You are still linked to your account, you are still
responsible for any legitimate charges, but you are not linked
to the old number. And a similar approach might help us in
thinking about how to streamline, modernize, and make the
Social Security number more secure.
The Social Security Administration could use a similar
approach. It could administer a smart card approach, or it
could contract it out to the private sector, a solution that
other countries have used. Further debate is required, and I
think we all recognize that, to decide which modernization
option is best and, equally important, how we will pay for it,
because there is no free replacement for the SSN.
Blockchain technology may offer an option for a modernized
SSN, but it is not ready, as you have heard. It is not yet
mature.
The best argument for smart cards is that we already use
them on a massive scale. Companies and citizens are familiar
with them. Implementation, of course, would be difficult. Any
change for so venerable an institution is going to be
difficult. But we have the advantage of knowing the technology
and processes already work because of our experience with
credit cards and banks.
Thank you for the opportunity to testify. I look forward to
your questions.
[The prepared statement of Mr. Lewis follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Chairman JOHNSON. Thank you, sir. I appreciate that. We
will now look to questions.
As is customary, for each round of questions I will limit
my time to five minutes, and I ask my colleagues to also limit
their questioning time to five minutes, as well.
Acting Commissioner Berryhill, the alarming story about the
child in Arizona raises many questions about how Social
Security treats identity theft victims. Are you taking a close
look at how you handle requests for new Social Security
numbers?
Ms. BERRYHILL. Mr. Chairman, I am very aware of the case
that you are referencing in Arizona, and thank you for bringing
that to our attention. We have worked very hard with our staff
to issue clarification policies to all of our front-line
employees. We have also held national calls with all managers,
area directors, and we also decided that we would have regional
experts available to the front-line employees at the time, when
the time comes, where they have a complex case. In this
situation, we would consider that a complex case.
So having those regional experts that are well-trained on
enumeration, on replacement cards, on new--issuing new SSNs I
think will help. So we took that immediate action, and all
those actions have been accomplished.
Chairman JOHNSON. Well, with more than 1,200 field offices,
what are you doing to make sure that your policies are being
followed?
Ms. BERRYHILL. That is why we held national calls with all
of our managers and our area directors that have oversight to
our managers, and we will continue to do checks and balances to
make sure that those policies are followed.
I really believe having a regional expert there so the
front line employees can consult if they have questions is
really going to be a key change for SSA.
Chairman JOHNSON. You know, I was shocked to learn that
Social Security employees' voicemails tell callers to record
their Social Security number with their name and phone number
to get a return call. How is that a good practice, given all
the concerns with identity theft and phone scams?
Ms. BERRYHILL. I certainly understand that, and I am aware
of that situations that we have (sic).
We do use the Social Security number to look up our
records. Certainly, if an individual is not comfortable leaving
their Social Security number, they should not do that. However,
it does expedite the transaction when they call us back. We can
certainly, in the front line, pull up someone's record, have
that available so when we return that call we can quickly go
through the process with them and answer any questions.
But again, if someone is uncomfortable, they should not
leave their Social Security number.
Chairman JOHNSON. Okay. Well, maybe we ought to take
another look at that.
Mr. Grobman, this panel has talked about some big ideas
today. What do you think?
Mr. GROBMAN. I think the----
Chairman JOHNSON. Is now the time to take action?
Mr. GROBMAN. Absolutely. I think the one thing that we
heard universally across this panel is using Social Security
numbers as authenticators is something that needs to be
addressed as the most time-critical element of the issue.
There are clearly other issues on the fringe of Social
Security number as an identifier. But from a magnitude
perspective, looking to remove Social Security knowledge as an
authenticator is something that we must act on immediately, and
invest whatever it takes in order to make that a practical
reality.
Chairman JOHNSON. Yes, we have been trying to do that for
20 years.
Mr. Larson, you are recognized.
Mr. LARSON. Thank you, Mr. Chairman. I want to thank the
panelists. It is--we have an awful lot of hearings, but it is
always refreshing when you actually have panelists who give you
some solutions, as well.
Acting Secretary Berryhill, first of all, let me commend
you for your service.
Let me also acknowledge that there is no one who has been
working harder to make sure that we have a permanent chair of--
the Secretary of Social Security than the chairman himself. And
we have--support him in those efforts, and hope that the
administration will act soon, but want to thank you for your
service.
I think there is unanimity on the Committee with respect to
authentification (sic). How would you go about implementing
that? And what is the cost of that?
Ms. BERRYHILL. So certainly, any ideas--I think there has
been some great ideas listed by the panel Members today--we
will take all of them and review them and cost them out.
Certainly not something I could address today. Lots of ideas
are good, but then you have to look at the price tag that is
attached to them.
So again, we will go back and take a look at any ideas that
the Committee would like us to look at.
Mr. LARSON. Any idea on that price, Mr. Grobman?
Mr. GROBMAN. I think one thing that we need to recognize
when we look at the price is the price of not taking action.
So if you look at the cost related to fraud or misuse of
Social Security numbers as authenticators, my opinion is that
is a staggering figure that needs to be comprehended when
looked at the cost of implementing a new plan.
Mr. LARSON. Mr. Lester, you had the--a number of solutions.
But one of the things that you emphasized is that you--we make
sure that we steer clear of any biometric solution. Would you
explain why?
Mr. LESTER. When Congress passed the Privacy Act in 1974,
they were explicitly responding to and rejecting calls for a
national identification system. There are national
identification systems that rely on biometrics in other
countries that raise really grave civil liberties and privacy
concerns.
For example, in India their new biometric system--Aadhaar, I
think--was recently breached, compromising the biometric data
on its 1.2 billion citizens. I think that any problems with a
biometric system are demonstrated by the recent breach of the
OPM.
Mr. LARSON. Would all the panelists agree that that is a
reasonable concern?
Mr. GROBMAN. I think it very much depends on the problem
that you are trying to solve. In India, part of what they were
trying to solve was there was no starting point, and they
needed to ensure that an individual only registered a single
time for benefits. So, by using biometrics, it prevented an
individual from registering in one town and then walking down
the road to another town and registering again.
So, in that case, biometrics was a practical technology in
order to solve that specific problem. I don't believe we have
that problem at scale in the U.S. And therefore, I think the
points are well taken that we should look for other, less
privacy-intrusive mechanisms as a first step. And as Mr. Lewis
mentioned, things such as smart cards can be a much more rapid
practical option that could be distributed without requiring
every citizen to have biometrics----
Mr. LARSON. Is there consensus amongst the panel with
respect to smart cards?
Mr. Rosenzweig.
Mr. ROSENZWEIG. I--Rosenzweig. I think it is a good interim
solution. But to be honest, you know, the smart card security
system is not itself terribly robust. We have all experienced
credit card fraud, as well, that is a result of a lot of that.
On the issue of biometrics, I think it really is the
difference between a centralized database and a distributed
database. Biometrics, as a localized identifier, is actually
something that the--President Obama's White House supported as
a substitute for passwords because they are more readily usable
by most citizens than the password system.
So I wouldn't write with such a broad brush----
Mr. LARSON. You also objected to one of Mr. Lester's
solutions. Could you explain why? And hopefully Mr. Lester will
get a chance to reply.
Mr. ROSENZWEIG. Well, I don't so much object. Regulation is
clearly one of the normal tools in our toolkit here in
Washington, alongside taxation----
Mr. LARSON. Is it regulation or the efficiency of the
ability to regulate?
Mr. ROSENZWEIG. Well, we all live in Washington. I am not a
fan of our efficiency in the regulatory system. To take just--
to be brief about it, we have already acknowledged that it
would have to exclude legal uses----
Mr. LARSON. City of northern charm and southern efficiency?
Mr. ROSENZWEIG. Indeed.
Mr. LARSON. No disrespect to anyone from the South, but----
Mr. ROSENZWEIG. I think it would cost us quite a bit and
take far too long.
Chairman JOHNSON. The gentleman's time has expired.
Mr. Kelly, you are recognized.
Mr. KELLY. I thank you, Chairman, and thank you all for
being here today.
Mr. Rosenzweig, I had a coach in high school who had the same
name; we just called him Rosie. So maybe the rest of the panel
can do that.
[Laughter.]
Mr. KELLY. First of all, thank you all for being here. But,
you know, Ms. Berryhill, I am--I think when we look at the size
and scope of the program, and the number of beneficiaries, is
there anybody in the private sector that even comes close to
facing these types of problems, as far as making sure we are
sending the right money to the right people, and the fact that
there is so much fraud in the system already?
Is there any approach out there that people are looking at
that would make sense?
Ms. BERRYHILL. So, you know, first of all, we need to
protect our records. And our focus for the Social Security
number has been collecting wage information and paying
benefits.
We have a robust, anti-fraud process that we put in place,
so we review claims ahead of time, we will flag certain high-
risk claims. But as far as comparing that to the private
sector, we have to make sure that, in government, that our
beneficiaries, our recipients are protected, and their data is
protected.
Mr. KELLY. Well, it just seems to me the very nature of the
way we do things today--we have a safe that we put things into
that we cannot lock. There is somebody finding a way to get
into this data all the time, and yet we keep thinking, well,
you know what? This is just the way we do things today. We are
going to just have to keep going down that path. I just--I am
really fascinated.
Mr. Grobman, you said something I have written down here.
Is there any information that indicates the cost of not finding
a remedy to this? I think those numbers would be so staggering
that most of us would not even want to discuss it.
Is there any idea of what the cost of not fixing this is--
because it seems to me--there is an old saying. You keep doing
the same thing over and over again, expecting a different
result--I don't see how we fix this the way we are going right
now. So that cost of not fixing it, any ideas?
Mr. GROBMAN. I don't have a quantitative number.
Mr. KELLY. Yes. Nobody does.
The Chairman is right; it is the definition of insanity,
but----
Mr. GROBMAN. There is one estimate, and it was from The
Economist, and it was $16 billion a year.
Mr. KELLY. Sixteen?
Mr. GROBMAN. Billion.
Mr. KELLY. Billion, with a B. That is--down here. One, six,
and with a B, billion. So--okay.
Mr. Grant, some companies have recognized problems with the
Social Security number and have shifted their business models
in response. Can you share some examples in the private sector
of how people are addressing this?
Mr. GRANT. Sure. So one of the founding members of our
coalition is Aetna, who--their chief security officer, Jim
Routh, and the team there led an effort I think they launched
in 2014 focused on reducing the instances of the Social
Security number within their systems.
Talking about costs, this is a 6-year, roughly $60 million
investment that the company is voluntarily undertaking because
they think that they can reduce their risk profile by reducing
the instances of the SSN across their enterprise. And I think
to date they have eliminated about 10 billion instances,
which--not that they have 10 billion beneficiaries, but it
shows you, if I am one of theirs, that I probably had my SSN in
a dozen different systems.
So, you know, companies are willing to do this today, and I
think you are starting to see, you know, particularly Fortune
500 companies who are holding on to SSN are looking at it as a
liability. But the cost is significant. It can't happen
overnight.
They are also hindered in that, as a health insurer, they
are required by the government to leverage the SSN for pretty
much all of their government business, as well as any
beneficiary who they have to report to the government had
health insurance.
So, you know, I highlighted this a little in my opening
testimony. There are a lot of government requirements that are
out there that state that private industry has to collect the
SSN. As long as we have those out there, it is going to be
quite hard to eliminate it entirely.
Mr. KELLY. As we keep going forward, then, I--and we all
look at this program and we refer to it as an entitlement, and
some people say that is a negative term. No, entitlement means
you are entitled to this benefit because you have paid into it
your whole life.
I think there is total agreement on this Committee and
throughout the whole Congress that we have to protect this
program because it is so vital to our folks.
Listen, I really appreciate you all being here today, but
could you please continue weighing in and give us other
examples and other solutions to what it is we are trying to
fix? It is just this is so massive right now, I think it is one
of those things you sit back and say it is too big for us to
work with.
But I like Mr. Grobman--it is only going to get bigger and
bigger and more expensive if we don't do it.
Mr. GROBMAN. Absolutely. And I think, following up on that
comment, one of the things we need to look at is the
opportunity cost of continuing to try to protect Social
Security numbers from becoming public, when we know that they
are already public in so many cases.
So, although there are a number of interesting efforts put
forward in the last few years to reduce the disclosure of
Social Security numbers, what I would ask is what if we re-
purposed all of those efforts into building a modern
authentication system so that we just simply use Social
Security number as an identity, not an authenticator.
Mr. KELLY. Very good. Thank you.
Chairman JOHNSON. The gentleman's time has expired.
Mr. Pascrell, you are----
Mr. PASCRELL. Thank you, Mr. Chairman. A great panel.
I want to start by--Mr. Lester, would you respond to Mr.
Larson's question that you didn't get a chance to respond to
before?
Mr. LESTER. Sure. So I think you are talking about the
cost----
Mr. PASCRELL. You got 30 seconds.
Mr. LESTER. I think you are talking about the costs of
regulation, right? So Mr. Rosenzweig talked about the cost of
regulating this, and I would just like to mention a cost which
is 16.7 billion, to be precise. That is the amount that was
stolen as a result of identity theft in 2017. The cost of not
regulating is in the billions.
And furthermore, what we are talking about is restoring the
Social Security number to its original purpose, which is to be
used only by the Social Security Administration. That is what
it was intended for. Congress has many times looked at this.
When they passed the Privacy Act in 1974, that is originally
what it was intended to do. So----
Mr. PASCRELL. Thank you.
Mr. LESTER. Yes.
Mr. PASCRELL. Thank you.
Last month, Mr. Grant, the Ways and Means Committee marked
up a bill to protect children and consumers from identity
theft--it was H.R. 5192--by helping reduce the prevalence of
synthetic identity fraud. The bill would do this by
facilitating the validation of identifying information provided
by lenders, and upon the consent of the customer--consumer,
rather, I am sorry--through a database maintained by the Social
Security Administration. The bill is considered an important
step that Congress took to help prevent identity theft.
But I wanted to get your view very quickly about what the
extent this validation system will solve the problem or not.
What are your thoughts?
Mr. GRANT. So I actually talked about this a bit in my
written testimony, but didn't get to it in my opening
statement. I think it is a great first step.
The idea actually goes to a key point that I flagged in my
opening statement, which is can we shift the model a little bit
when it comes to identity verification services, so that
government agencies like the SSA that are the authoritative
roots of trust when it comes to my data--they have got the
truth, in terms of what my name and my SSN are--why can't I ask
them when I am opening an account to let my bank check to see
if there really is a Jeremy Grant with my SSN and date of birth
in their system?
And so this new bill, if it passes--and I think it is also
in the Senate reg reform package for banking that is currently
in front of the House--will be a good first step.
But two things I would add to that. It is only limited to
account openings covered under the Fair Credit Reporting Act. I
can't imagine, as a consumer, why I wouldn't want to ask SSA to
validate that for everybody. And then I think the other
question that has come up is if we are worried about synthetic
identity fraud, this will take care of new account openings
going forward. But there are probably, you know, thousands, if
not millions of synthetic accounts that are out there today.
And so, one question has been should financial institutions
have an opportunity to have a one-time window where they could
retroactively put existing accounts out there to make sure that
things match?
Mr. PASCRELL. Thanks, Mr. Grant, I appreciate that. Look,
there are widespread data breaches at the Office of the
Personnel Management, Home Depot, J.P. Morgan, Target, U.S.
Postal Service, and, of course, Equifax. And they highlight the
need to focus our attention on how better to authenticate
identities.
From a consumer protection standpoint, this is outrageous.
Hackers assessed--accessed personally-identifiable information
from millions of customer accounts. In the wrong hands, access
to Social Security numbers, birth data, address, driver's
license number could turn someone's life upside down. We must
do everything possible to establish privacy safeguards Social
Security (sic). Protecting the individual's personal
information to ensure their identities are protected must be
one of our top priorities.
Should the burden be on the government to create a unique
identifier to identify individuals, or should it be on the
private corporations to establish unique identifiers with their
clients? Anybody?
Mr. Lester.
Mr. LESTER. Right. So I think that is where the importance
of context-specific identifiers comes into play. So if you are
transacting with a company you have a unique identifier for
that company. That way, if an identity thief steals that
identifier, they do not have access to all your accounts, and
they cannot open new accounts in your name and destroy your
financial life.
Mr. LEWIS. Congressman, if I could just add, in the many
attempts we have had to come up with a national identifier, we
have learned that there is only one trusted source, and that is
the government. And that is why SSA is the default identifier.
People don't trust other sources.
Mr. PASCRELL. Mr. Chairman--thank you, but I must add this
point to you. Are we really serious about doing this? Are we
really serious about changing the culture, which is a different
thing? And why haven't we done more? We need to ask ourselves
that question.
Chairman JOHNSON. You are right. Thank you for your
questions.
Mr. Rice, you are recognized.
Mr. RICE. You know, this is an incredibly complicated
problem, but it is not new. This is not new. Identity theft has
existed since people had identities, right?
Our--thinking back to law school and commercial paper, and
in order to allow for the free flow of commerce, we had laws to
protect consumers with commercial paper. So a bank had a duty
to know your signature, right? So if somebody forged your
check, that wasn't your problem, it was the bank's problem. And
that kind of applies here, too, doesn't it?
I mean if somebody negligently releases your personal
information, don't they have a liability for that?
Mr. Lester.
Mr. LESTER. Absolutely. The burden is on the companies that
collect this information. It is important to stress that
Equifax chose to collect the information on consumers.
Consumers did not provide that information to Equifax. And in
fact, when Equifax is breached, they are the ones that put the
cost on the consumer by charging them for credit freezes and
fraud monitoring. And I think it is also important to stress
that there needs to be----
Mr. RICE. Did Equifax----
Mr. LESTER [continuing]. A private right of action----
Mr. RICE. Did Equifax have liability for that?
Mr. LESTER. Absolutely, which is why I need to stress that
there needs to be, in any privacy law, private right of action
for consumers to get redress.
Mr. RICE. So you are advocating for specific identifiers
for everything.
And I think I heard Mr. Grant say he didn't have a problem
with Social Security as a national identifier. I think you said
the same thing, Mr. Grobman, and you did, too, Mr. Rosenzweig.
And I kind of agree with you.
I mean everybody has got an identifier, right? It is their
name, at the very least. But the name is not unique. I mean
there is a lot of Tom Rices out there.
So you need some type of a national identifier, I would
think, to make commerce work. And I don't know why Social
Security couldn't be that. But it can't be an authenticator,
because it is not private any more. Right?
Mr. Rosenzweig.
Mr. ROSENZWEIG. Using my Social Security number as an
authenticator is as stupid as using the last four letters of my
last name as my authenticator. It--or the last four digits of
my phone number, which is another--mobile phone numbers, now
that they are mobile, everybody has one and it is probably one
you are going to keep for the rest of your life, even if you
move to Washington.
Mr. RICE. And I just think that--I mean, personally, just
as a matter of common sense, I think completely--the idea that
you would completely identify--I mean eliminate any sort of
unique identifier is just not practical. I mean we have got to
have some kind of unique identifier, and I don't know why it
couldn't be your Social Security number.
So I would think that the way to attack this problem--
because this--I don't care what we do, I don't care if we come
up with the most, you know, beautiful and complex system that
would do away with any hacking today, tomorrow the hacker is
going to figure out something different. This is not new, it
has been going on since the beginning of time, and it is going
to keep on going on.
So I would think that the way to attack this is kind of
like they did with commercial paper, and that we should put
liability on people who negligently release your information.
Mr. Rosenzweig.
Mr. ROSENZWEIG. Well, there has been at least one proposal
by a colleague of mine who was in the last Administration to
make people strictly liable for that.
For myself, I would probably prefer a negligence standard
over strict liability, but I do think that what you are onto is
exactly the right economic answer, which is putting the
obligations on the least cost avoider. One of the reasons that
I kind of like my fanciful proposal of publication is that it
makes it impossible for anyone to maintain the idea of security
for the Social Security number as an authenticator. Liability
would be another opportunity.
Mr. RICE. What do you think about that, Mr. Grobman?
Mr. GROBMAN. Oh, cyber crime is a market-driven enterprise.
Cyber criminals are looking to steal things of value. And the
reason that cyber criminals are looking to steal Social
Security numbers is in today's world they have value because
they can be used as an authenticator.
One of the most practical ways to stop the theft is to
devalue what they are going after. And that is, in general, a
much more practical mechanism at scale than trying to have the
world----
Mr. RICE. Okay, I got to stop because I only have 10
seconds. If you all would respond to this by raising your hand,
do any of you--who of you have a problem with using Social
Security numbers as an identifier, but not an authenticator?
One. One out of eight. Thank you.
Chairman JOHNSON. The time has expired.
Ms. Sanchez, you are recognized.
Ms. SANCHEZ. Thank you, Mr. Chairman, and thank you to all
of our witnesses.
Social Security numbers were originally created as a way to
track earnings, and were never meant to be used as an
identifier in the private sector. The Social Security number
has since morphed into a tool used to identify and authenticate
individuals in a number of different situations, greatly
expanding the universe of people and companies who have access
to this incredibly valuable information.
The ubiquity and widespread use of Social Security numbers
has left consumers vulnerable to identity theft and helpless to
stop it.
As we all know, Social Security numbers are incredibly
valuable for identity thieves, and can be used to open new
accounts and credit cards, or even take out mortgages, often
leading to financial ruin for unsuspecting and innocent
consumers.
And as technology continues to advance at alarming rates,
our unique Social Security numbers are increasingly vulnerable
to cyber theft and fraudulent use. Recent data breaches
demonstrate the urgent need to secure this information and just
how valuable Social Security numbers and other personal data
are.
The Equifax hack alone comprised over 145 million
American--pardon me, compromised over 145 million Americans'
personal data, including their Social Security numbers. That is
almost half of the U.S. population who are now at risk for
identity theft or financial fraud.
Social Security numbers have become the default identifier
because they are truly unique, standardized, and can be
verified. But as more and more of our personal information is
available on the dark web for cheap, we need to start thinking
about the best ways to identify and verify individuals.
Mr. Lester, I would like to begin by asking you. Americans,
consumers, don't have a full picture of what information is
being collected about them. What kind of data is being
collected about Americans? And are companies required to
protect it?
Mr. LESTER. Thank you. So first I would just like to
clarify raising my hand to Representative Rice's poll question,
because it wasn't a yes or no answer. I don't have a problem
with the Social Security number being used as an identifier for
Social Security.
To answer your question, companies are now collecting vast
amounts of data on consumers, and the problem is that consumers
do not have control over this data.
When Equifax collects data from consumers it is getting it
from other commercial sources, and consumers are not providing
it to Equifax. And so, in addition to limiting the use of the
Social Security number in the private sector, consumers need to
have control over their personal information.
There needs to be a default credit freeze so that companies
like Equifax can only disclose your information when consumers
have affirmatively opted in. This would solve the problem of
identity thieves opening up new accounts in your name, if
Equifax could only pull your credit when you, as the consumer,
have affirmatively given them permission to do so.
Ms. SANCHEZ. Great. And--but I want to get at a--sort of a
larger question that folks wonder from time to time: Are
companies required to protect that information?
Mr. LESTER. There is no federal standard right now for data
security. The Federal Trade Commission does enforce data
security when companies--you know, they have authority over
unfair and deceptive practices. So if a company is representing
they have good data security, like in the case with Uber, they
represented over and over again our data security is great,
when in fact it was non-existent.
But no, there needs to be national standards that set a
baseline, because states need to have the freedom to regulate
upward in this area, because it is a dynamic and evolving
field. So there needs to be a federal standard that sets a
floor for data security.
Ms. SANCHEZ. I would agree with that, and I would just say
that I believe most consumers believe that companies are
required to protect their information.
Mr. Lester, could you talk a little more about how context-
specific identifiers work, and the medical identification
number that they use in Canada?
Mr. LESTER. Oh. Oh, yes. So the medical identification
number in Canada, as I understand it, it is a unique context-
specific identifier. I am not super familiar with it. So I can
certainly get back to you with more information on that.
Ms. SANCHEZ. I would appreciate it, because I would be
interested in knowing how that specifically works, because it
might be instructive in terms of setting policy for how we
begin to rein in the ubiquitous use of the Social Security
number.
Mr. LESTER. And there are many other examples of context-
specific identifiers. In my statement I mention, like, the
university identifier that is a recent innovation by
universities like Georgetown, my school, where they give you a
nine-digit ID number in lieu of using your Social Security
number.
Ms. SANCHEZ. Thank you, and I yield back.
Chairman JOHNSON. Thank you.
Dr. Wenstrup, you are recognized.
Mr. WENSTRUP. Thank you, Mr. Chairman. I appreciate it.
Thank you all for being here.
Mr. Rosenzweig, I don't have a question for you, I just
wanted a shot at saying your name, and I hope I got it right.
[Laughter.]
Mr. ROSENZWEIG. Perfect.
Mr. WENSTRUP. Thank you. My question is for Ms. Berryhill.
But listening to Mr. Johnson's story earlier, I am reminded of
a song called ``Secret Agent Man,'' you know, and it says we
are giving you a number and taking away your name. And that is
a concern, obviously.
But I want to ask you about getting a new Social Security
number. You know, when you lose your credit card, or it gets
stolen, I tell you what. That bank wants to get you a new one
right away: one, because they want you to use it again; and
two, they want to make sure that no more money comes out of
their account, because it personally affects them, as well.
And I don't see the same for the Social Security
Administration in that environment because, if you think about
it, when somebody's Social Security number is taken, the fraud
is either at the bank, or through the IRS, a taxpayer. Maybe,
if somebody is getting your Social Security check, it may
affect you. I don't know. I am kind of asking about that.
But why do we make it so difficult to get a new number when
that really is the problem? Because I don't know that there is
the same amount of concern on the Social Security
Administration like there is at the bank when your credit card
gets taken. And I know somebody mentioned it might be, like,
$34 to get a new card. Well, that may be a lot on your end, but
it is pretty small on the other end, where the fraud is taking
place.
So why is it so difficult to get a new number?
Ms. BERRYHILL. So usually it is a last resort to issue a
Social Security--new card, a new number, because it doesn't
always solve the problem. Many times banks, other companies,
will cross-reference the old number to the new number. So you
haven't really solved the problem in many situations.
We do look at misused--are people disadvantaged? Are they
not getting a loan for their house? Are their IRS tax returns
and so forth--but again, I hope that our recent change in
looking at our instructions to our front line will help that.
But our number, again, is really designed to collect wage
information and to pay benefits. As you can see, many of the
examples are really about credit card fraud, banking fraud, not
about our programs.
Mr. WENSTRUP. But let me get back----
Ms. BERRYHILL. Our----
Mr. WENSTRUP. Let me get back to my question. There is no
harm, monetarily or otherwise, to the Social Security
Administration's budget. It is usually affecting someone else.
So you don't have the vested interest that the bank does in
this situation. And the cross-referencing, that doesn't need to
happen. They get rid of the old number. They don't need to keep
that data. So I don't find that as a very good answer as to
that being a problem.
So I really think you need to take a look at what can be
done to get somebody a new number, because that is exactly what
a business is going to do. If your identifier is stolen, they
have a motive to get you a new one to protect themselves. But I
don't find that you are at risk when somebody's Social Security
number is taken away in any way. So there is not this desire to
solve this problem.
But $34, if that is what it actually costs to give somebody
a new card, new number, whatever the case may be, that is a
pittance to the hundreds or thousands of dollars that are going
out on the other end. I just want to--I want to clarify that,
because there is really no detriment to the Social Security
Administration, is that right?
Ms. BERRYHILL. Well, I don't know if I would agree with
that. Certainly, if we open up the floodgates and said
everybody that wants a number come on and get one, we
probably----
Mr. WENSTRUP. No, no, no, you would have to have a reason,
not just say I don't like the number, it ends in an odd number
and I want an even number. That--let's be realistic here. We
are talking about people that have been victimized, not just
anyone who wants a new number.
Ms. BERRYHILL. And again, we believe that we want to do due
diligence, we want to know what has happened with that number,
we want to make sure that it is appropriate to assign them a
new number.
Mr. WENSTRUP. I get that. But why is it so hard? Why is
somebody told they have to change their name?
Ms. BERRYHILL. That was not an appropriate answer to say
you change your name.
Mr. WENSTRUP. Well, thank you. I think we need to look into
that further.
I yield back, thank you.
Chairman JOHNSON. Thank you. Is Mr. Schweikert here?
Mr. SCHWEIKERT. Mr. Chairman, I apologize. We also have
the--running at the same time, so----
Chairman JOHNSON. You are recognized if you care to make
some questions.
Mr. SCHWEIKERT. And I actually had a couple--have you ever
actually started to write down a couple questions and--where
some of us have brutal disagreements on the utilization of node
networks and--but it is also a threat to certain companies.
So I want to go--I want to take one gigantic step
backwards, because I have missed a number of the questions
here. If I came to all of you, either as policy, technology
experts and said how do we design almost a single portal in our
society that, whether--have a combination of multi--I am a big
fan of certain token tradeoffs with the biometric and a
password.
So you could go on there and see your last 10 years of your
IRS tax returns, or of your Social Security benefits, your
veterans discharge, your--you know, where all these things that
we, as government--all of us, as government--hold on you, and
create a single portal so you could see them, but in a way that
would be safe, robust, elegant.
And we have actually been sketching out a concept of sort
of a, you know, pass code biometric to a token back--if I was
to run down the line, A, is that just techno-Utopian; but B,
would it actually not only solve our issue here on the misuse
of Social Security numbers, but also some of the other policy
decisions we as Congress and the bureaucracy have made of
starting to blind documents for our Medicare population, and
those things, and now having to get unique identifiers, and the
re-issuing of such things, and the confusion and cascade of
chaos I expect to come from that?
And could--run down. Let's start. If I came to you and said
I don't want a simple, incremental solution, I want a
disruption of more--of a unified portal, can it be done?
Ms. BERRYHILL. So my first concern was if that unified
portal was breached, does that mean all of my information is
then out there from all different----
Mr. SCHWEIKERT. It wouldn't if we designed permissions.
So--and we will probably get to that, but there is a way to--so
let's right now, for theoretically, just say it is--we were
able to level--produce levels of security.
Ms. BERRYHILL. I would certainly be willing to work with
you on any ideas that you have. But again, my concern that if
one portal--everything was breached, we would be in a worse
situation today.
Mr. SCHWEIKERT. Okay.
Ms. CURDA. It sounds like a nice, aspirational idea. And
the Federal Government, in terms of designing such complex
systems, does not have a great track record. And it is
extremely costly, so----
Mr. SCHWEIKERT. We were thinking we would go to McAfee
and----
Ms. CURDA. Very difficult to do.
Mr. LESTER. So, moving towards centralized database is
exactly the wrong approach. I would use the example of
container ships. They are compartmentalized, so that if there
is a rocky wave, all the oil is not in one container to capsize
the ship. It is the same with identity. As----
Mr. SCHWEIKERT. So why do countries like Estonia and others
have incredible success because you create levels of permission
that require--that--it is a unified portal, but different
levels of permission and pass and security?
Mr. LESTER. Is that for me?
Mr. SCHWEIKERT. Yes.
Mr. LESTER. I don't know about the case of Estonia. As I
understand, it is a much smaller----
Mr. SCHWEIKERT. Yes, what is your coding background?
Mr. LESTER. I am sorry?
Mr. SCHWEIKERT. Your coding----
Mr. LESTER. My coding background? I don't have a coding
background.
Mr. SCHWEIKERT. Okay, sorry. And I am sorry, I was trying
to go more technical than that. I am not being mean.
Mr. ROSENZWEIG. I would say that Estonia is a good case
study. My concerns would mostly be about scalability issues.
Mr. SCHWEIKERT. Yes, that is actually fair.
Mr. ROSENZWEIG. It is much smaller. I think that such a
system is at least feasible within the context of design.
I do share some people's concerns that U.S. Government
large-scale procurement programs like this never seem to
actually get there. So even if we could idealize it, the
government sector might----
Mr. SCHWEIKERT. Oh, yes.
Mr. ROSENZWEIG [continuing]. Not quite get it----
Mr. SCHWEIKERT. And let's be brutally honest. There will be
a knife fight because----
Mr. ROSENZWEIG. Yes.
Mr. SCHWEIKERT [continuing]. You are interrupting a lot of
bureaucracies, layers of power and authority.
Mr. GROBMAN. It can absolutely be done. I think if you look
at the large-scale systems that exist today for authentication,
whether it is financial services, whether it is some of the
models that--there is numerous capabilities. The private sector
has built a set of protocols that enable one entity to do
authentication, and then allow that authentication to be
honored by others. Things like SAML and OATH.
Really, the discussion needs to be about getting the right
balance between privacy and security----
Mr. SCHWEIKERT. Well, you hit one thing I fixate on, and
that is--we hit quantum. I will absolutely have to have a
token, because I think--because an algorithmic is under threat
(sic).
Mr. GROBMAN. So one of the key points I made in my written
testimony is although we haven't settled on exactly what
quantum-safe algorithms to use, in the design of a new system
we can design it such that we have the ability to swap
algorithms out as we----
Mr. SCHWEIKERT. Well, you don't think a token system would
be more robust?
Mr. GROBMAN. I think that it is part of the solution, but I
think that the underlying cryptography that needs to be used in
the solution does need to eventually be----
Mr. SCHWEIKERT. I need to learn more. If you have something
I can read----
Chairman JOHNSON. The time of the gentleman has expired.
Mr. SCHWEIKERT. Oh, all right. I will talk after. But thank
you for tolerating me. I need to disclose I have had a lot of
caffeine.
[Laughter.]
Chairman JOHNSON. Thank you.
To keep pace with the identity thieves we need to start
thinking beyond just protecting Social Security numbers, and
start thinking about how to make the numbers less valuable to
criminals in the first place.
You know, it is time to take a hard look, I think, at the
future of Social Security numbers, and to decide what needs to
change to better protect Americans from identity theft. This
hearing has given us a good starting point, and I look forward
to working with my colleagues in the future to figure out the
next steps forward.
Americans are counting on us to get this right. They want,
need, and deserve nothing else.
Thank you to all our witnesses for your testimony today,
and I thank our Members for being here.
With that, the--you want to?
Mr. LARSON. Yes.
Chairman JOHNSON. I recognize Mr. Larson----
Mr. LARSON. I want to thank----
Chairman JOHNSON [continuing]. For a comment.
Mr. LARSON. I want to thank the chairman. This is indeed
one of the more interesting panels that we have. And as you can
tell, a number of our Members still have a lot of questions.
What we would like to ask of you is that if you could
submit to us in writing--because it was very valuable to get
your input--we don't--and the chairman has already indicated
that we, as a Committee, will meet internally to digest what
you send us in writing, in terms of your solution and also the
urgency that you all attach with this, especially, as the
chairman has already outlined, under authentification (sic),
and how we might proceed. Because there is a--this was a very
fertile and productive meeting. I thank the chairman.
Chairman JOHNSON. Thank you.
Mr. LARSON. And I appreciate the opportunity to respond.
Chairman JOHNSON. Thank you. And thank you all for being
here. We appreciate your presence.
With that, the Subcommittee stands adjourned.
[Whereupon, at 11:36 a.m., the Subcommittee was adjourned.]
[Member Submissions for the Record follow:]
[Public Submission for the Record follow:]