The Social Security Subcommittee, chaired by Rep. Sam Johnson (R-TX), held a hearing entitled “Securing Americans’ Identities: The Future of the Social Security Number.”
The Social Security Administration (SSA) originally created the Social Security number (SSN) in 1936 to uniquely identify American workers so the SSA could accurately track their earnings and administer the Social Security program. Despite being created for use as an identifier by one federal agency, for decades the SSN has also been widely used as an authenticator. At the hearing, Members and witnesses discussed the SSN’s use as both an identifier and an authenticator and the dangers that this dual use presents, considered options to make SSNs safer, and laid the groundwork for future action.
Chairman Johnson opened up the hearing by saying:
“Using the SSN both to identify someone and to prove their identity just doesn’t make sense. But we’ve been doing it forever. We need to break this link between identification and authentication. …
“Identity theft is on the rise and we must take a hard look at the future of the Social Security number – both how it’s used and if Social Security needs to do things differently. We have a responsibility to do all we can to better protect Americans from identity theft.”
Social Security Ranking Member John Larson (D-CT) echoed this:
“What is clear is that all users of Social Security numbers, both government and business need to change their ways. The widespread use of Social Security numbers as a way to both identify and authenticate individuals poses an ongoing risk of identity theft.”
Witnesses agreed on the dangers of using SSNs as authenticators because their confidentiality has been compromised.
Paul Rosenzweig, Senior Fellow at the R Street Institute, stated:
“Authenticators are classically only useful… [if they] are kept confidential. Today Social Security numbers are so deeply compromised and so widely available in public, albeit often through criminal means, that they can no longer be used as an authenticator. This is because recent incidents, like the Equifax breach whose anniversary occurs this week, have effectively disclosed the vast majority of previously confidential Social Security numbers.”
Jeremy Grant, Coordinator at the Better Identity Coalition, said this has been an issue decades in the making:
“Many of our challenges here are linked to more than 80 years of contradictions and policy on how this number should be managed and used. Among the biggest contradictions: the SSN is simultaneously presumed to be both secret and public. Secret, because we tell individuals to guard their SSN closely. Public, because we have multiple laws that require individuals to give it out to facilitate all sorts of interactions within industry and government. Secret, because we then tell those entities to ensure that they store it, which the law often requires them to do that it be protected; and public, because that’s proven quite hard to do because the majority of Americans’ SSNs have been compromised multiple times over the last several years.”
Nancy Berryhill, Acting Commissioner of Social Security, stressed that the SSA can’t fix the problems with the SSN on its own:
“We will continue to do what we can to prevent and mitigate the effects of SSN misuse and identity theft, and we will continue to evaluate new technologies and data to better secure the number. But just as we cannot control how other entities use the SSN for outside purposes, [the SSA] alone cannot solve the problem [of] overreliance on the SSN has caused.”
Rep. Tom Rice (R-SC) focused on using the SSN as an identifier and the danger of the SSN’s continued use as an authenticator:
“Everybody’s got an identifier: their name. But the name is not unique. There are a lot of Tom Rices out there… [the SSN] can’t be an authenticator because it’s not private anymore… We’ve got to have some kind of a unique identifier and I don’t know why it couldn’t be your Social Security number.”
Mr. Rosenzweig agreed with Rep. Rice, saying:
“Using my Social Security number as an authenticator is as stupid as using the last four letters of my last name as my authenticator or the last four digits of my phone number.”
When Rep. Rice asked Steve Grobman, Senior Vice President and Chief Technology Officer for McAfee, LLC, about his thoughts, Mr. Grobman responded:
“Cybercrime is a market-driven enterprise. Cybercriminals are looking to steal things of value, and the reason that cyber criminals are looking to steal Social Security numbers is in today’s world they have value because they can be used as an authenticator. One of the most practical ways to stop the theft is to devalue what they are going after.”
Rep. Brad Wenstrup (R-OH) questioned why it is so much harder for victims of identity theft to get a new SSN than it is to get a new credit card number after a credit card has been stolen:
“When you lose your credit card or it gets stolen, your bank wants to give you a new one right away. … I don’t see the same for the Social Security Administration in that environment. … Why do we make it so difficult to get a new number when that really is the problem? I don’t know if there is the same amount of concern at the Social Security Administration as there is at the bank when your credit card gets taken.”
When asked by Chairman Johnson if now is the right time to act, Mr. Grobman responded:
“Absolutely. I think the one thing we heard universally across this panel using Social Security numbers as authenticators is something that needs to be addressed as the most time critical element of the issue.”
Chairman Johnson closed the hearing by saying this is just the beginning of a long road ahead to determine the future of the SSN and how we can protect Americans’ identities:
“To keep pace with the identity thieves, we need to stop thinking just about the Social Security number and start thinking about how to make the numbers less valuable to criminals in the first place. It’s time to take a hard look at the future of Social Security numbers and to decide what needs to change to better protect Americans from identity theft.”