Page 1       TOP OF DOC

49–308 CC



before the


of the





MAY 6, 1997

Serial 105–27
 Page 2       PREV PAGE       TOP OF DOC

Printed for the use of the Committee on Ways and Means


BILL ARCHER, Texas, Chairman

BILL THOMAS, California
E. CLAY SHAW, Jr., Florida
NANCY L. JOHNSON, Connecticut
WALLY HERGER, California
JIM McCRERY, Louisiana
DAVE CAMP, Michigan
JIM RAMSTAD, Minnesota
PHILIP S. ENGLISH, Pennsylvania
 Page 3       PREV PAGE       TOP OF DOC
J.D. HAYWORTH, Arizona

ROBERT T. MATSUI, California
WILLIAM J. COYNE, Pennsylvania
JIM McDERMOTT, Washington
RICHARD E. NEAL, Massachusetts
JOHN S. TANNER, Tennessee

A.L. Singleton, Chief of Staff

Janice Mays, Minority Chief Counsel
 Page 4       PREV PAGE       TOP OF DOC

Subcommittee on Social Security
JIM BUNNING, Kentucky, Chairman

J.D. HAYWORTH, Arizona

RICHARD E. NEAL, Massachusetts
JOHN S. TANNER, Tennessee

Pursuant to clause 2(e)(4) of Rule XI of the Rules of the House, public hearing records of the Committee on Ways and Means are also published in electronic form. The printed hearing record remains the official version. Because electronic submissions are used to prepare both printed and electronic versions of the hearing record, the process of converting between various electronic formats may introduce unintentional errors or omissions. Such occurrences are inherent in the current publication process and should diminish as the process is further refined. The electronic version of the hearing record does not include materials which were not submitted in an electronic format. These materials are kept on file in the official Committee records.
 Page 5       PREV PAGE       TOP OF DOC

    Advisory of April 23, 1997, announcing the hearing


    Social Security Administration, Hon. John J. Callahan, Ph.D., Acting Commissioner of Social Security; accompanied by Dean Mesterharm, Deputy Commissioner for Systems
    Social Security Administration, Office of the Inspector General, Hon. David C. Williams, Inspector General; accompanied by Pamela Gardiner, Assistant Inspector General for Audit; and Jim Huse, Investigative Chief
    U.S. General Accounting Office, Joel C. Willemssen, Director, Information Resources Management; accompanied by Keith A. Rhodes, Technical Director, Office of the Chief Scientist, Accounting and Information Management Division

    Electronic Privacy Information Center, and Georgetown University Law Center, Marc Rotenberg
    Information Security Inc., Silver Spring, MD, Noel Matchett
    Privacy Times, Evan Hendricks
    U.S. Junior Chamber of Commerce, Bruce A. Rector


    U.S. Department of Justice, Robert S. Litt, Deputy Assistant Attorney General, Criminal Division, statement
 Page 6       PREV PAGE       TOP OF DOC

    American Association of Retired Persons, James Parkel, statement
    SRI International, Menlo Park, CA, Peter G. Neumann, statement


TUESDAY, MAY 6, 1997
House of Representatives,
Committee on Ways and Means,
Subcommittee on Social Security,
Washington, DC.

    The Subcommittee met, pursuant to call, at 3 p.m., in room B–318, Rayburn House Office Building, Hon. Jim Bunning (Chairman of the Subcommittee) presiding.
    [The advisory announcing the hearing follows:]




CONTACT: (202) 225–9263

 Page 7       PREV PAGE       TOP OF DOC

April 23, 1997

No. SS–4

Bunning Announces Hearing on

the Social Security Administration's Website
    Congressman Jim Bunning (R–KY), Chairman, Subcommittee on Social Security of the Committee on Ways and Means, today announced that the Subcommittee will hold a hearing on the Social Security Administration's on-line program to provide workers with Social Security earnings information and projected benefits via the Internet. The hearing will take place on Tuesday, May 6, 1997, in room B–318 Rayburn House Office Building, beginning at 3:00 p.m.
    Oral testimony at this hearing will be from invited witnesses only. The Subcommittee will receive testimony from the Social Security Administration (SSA), the Inspector General of SSA, the U.S. General Accounting Office, privacy experts, and others who will comprehensively review SSA's on-line initiative. However, any individual or organization not scheduled for an oral appearance may submit a written statement for consideration by the Committee and for inclusion in the printed record of the hearing.
    Ten years ago, SSA began providing Personal Earnings and Benefit Estimate Statements (PEBES). These statements provide individuals with their earnings by year, Social Security taxes paid, and an estimate of future benefits. Individuals have been able to request these statements by mail.
 Page 8       PREV PAGE       TOP OF DOC
    As part of its initiative to improve service to the public, SSA developed a project to request PEBES via the Internet. Last month, after a year of testing, SSA began providing individuals with the opportunity to obtain their actual PEBES statement on-line. The Internet request form required five authenticating elements (name, Social Security number, date of birth, place of birth, and mother's maiden name). According to SSA, a number of security features were built into the service.
    Following press reports of privacy concerns, along with negative public and Congressional reaction, SSA suspended the on-line PEBES service to ''conduct a rigorous evaluation of the system's security features,'' according to an SSA statement.
    In announcing the hearing, Chairman Bunning stated: ''While I appreciate SSA's desire to provide fast and expedient service, such action should never put the privacy of millions of Americans at risk. The public trusts SSA to keep personal records safe and secure. This hearing will provide important information for SSA, and the American public to consider, as we review the fate of PEBES access via the Internet.
    The Subcommittee is interested in receiving witnesses views regarding whether, and how: (1) privacy and security of the information can be protected, (2) violations of the process can be detected, and (3) such violations can be investigated and prosecuted.
 Page 9       PREV PAGE       TOP OF DOC
    Any person or organization wishing to submit a written statement for the printed record of the hearing should submit at least six (6) copies of their statement and a 3.5-inch diskette in WordPerfect or ASCII format, with their address and date of hearing noted, by the close of business, Tuesday, May 20, 1997, to A.L. Singleton, Chief of Staff, Committee on Ways and Means, U.S. House of Representatives, 1102 Longworth House Office Building, Washington, D.C. 20515. If those filing written statements wish to have their statements distributed to the press and interested public at the hearing, they may deliver 200 additional copies for this purpose to the Subcommittee on Social Security office, room B–316 Rayburn House Office Building, at least one hour before the hearing begins.
    Each statement presented for printing to the Committee by a witness, any written statement or exhibit submitted for the printed record or any written comments in response to a request for written comments must conform to the guidelines listed below. Any statement or exhibit not in compliance with these guidelines will not be printed, but will be maintained in the Committee files for review and use by the Committee.
    1. All statements and any accompanying exhibits for printing must be typed in single space on legal-size paper and may not exceed a total of 10 pages including attachments. At the same time written statements are submitted to the Committee, witnesses are now requested to submit their statements on a 3.5-inch diskette in WordPerfect or ASCII format.
    2. Copies of whole documents submitted as exhibit material will not be accepted for printing. Instead, exhibit material should be referenced and quoted or paraphrased. All exhibit material not meeting these specifications will be maintained in the Committee files for review and use by the Committee.
 Page 10       PREV PAGE       TOP OF DOC
    3. A witness appearing at a public hearing, or submitting a statement for the record of a public hearing, or submitting written comments in response to a published request for comments by the Committee, must include on his statement or submission a list of all clients, persons, or organizations on whose behalf the witness appears.
    4. A supplemental sheet must accompany each statement listing the name, full address, a telephone number where the witness or the designated representative may be reached and a topical outline or summary of the comments and recommendations in the full statement. This supplemental sheet will not be included in the printed record.
    The above restrictions and limitations apply only to material being submitted for printing. Statements and exhibits or supplementary material submitted solely for distribution to the Members, the press and the public during the course of a public hearing may be submitted in other forms.

    Note: All Committee advisories and news releases are available on the World Wide Web at 'HTTP://WWW.HOUSE.GOV/WAYS_MEANS/'.

    The Committee seeks to make its facilities accessible to persons with disabilities. If you are in need of special accommodations, please call 202–225–1721 or 202–226–3411 TTD/TTY in advance of the event (four business days notice is requested). Questions with regard to special accommodation needs in general (including availability of Committee materials in alternative formats) may be directed to the Committee as noted above.
 Page 11       PREV PAGE       TOP OF DOC



    Chairman BUNNING. The Subcommittee will come to order.
    This afternoon the Subcommittee will hear about the Social Security Administration's online program to provide workers with Social Security earnings information and protected benefits via the Internet. Acting Commissioner Callahan rightly suspended the online initiative following reports that citizens' privacy could possibly be violated. Dr. Callahan has stated—and I plan to hold him to his word—that SSA will conduct a rigorous evaluation of the system security futures.
    This hearing will provide important information for SSA and the American public as we consider the fate of earnings and benefits estimates access via the Internet. Also, we must keep in mind that providing online access to earnings and benefit estimates is just one of the number of electronic services delivered options that SSA is exploring which they view as more convenient for the public and more economical. It is vital for all of us to learn more about the risks of privacy loss and fraudulent use of information obtained online.
    The Internet is becoming a widely accepted resource these days. Our grandkids are learning to use computers in kindergarten and even earlier in their homes. But the point I must make is that progress and convenience must not come at the cost of privacy or at the cost of Americans losing their trust that SSA will keep their personal records safe and secure. It is just not worth it.
    I look forward to hearing the views of our witnesses today and thank them in advance for their testimony.
 Page 12       PREV PAGE       TOP OF DOC
    And, Mrs. Kennelly, you can enter your statement or you can read your statement.
    Mrs. KENNELLY. I apologize, Mr. Chairman; I am very aware that you would like to get meetings started promptly, and it was inadvertent that I was a little late.
    Chairman BUNNING. Anyone who has a statement can enter it into the record.
    Mrs. KENNELLY. I want to thank you, Mr. Chairman, for calling this hearing.
    We are here today to review the Social Security Administration's recent action providing online access to Social Security earnings records. Members of Congress, the press, and the public expressed concern that Internet access to Social Security earnings data would compromise the security and confidentiality of personal financial information. The Social Security Administration has appropriately suspended its online service in order to give the public time to weigh the value of the efficiencies of the service against the risk of personal privacy.
    Over the next 2 months, SSA will be holding a series of hearings around the country to test public opinion. The first of these forums was held yesterday in my congressional district in Hartford. And I want to thank you, Dr. Callahan, for being in Hartford and for bringing your associates to Hartford and making this hearing possible, which many people in Hartford appreciated, and the information that was disseminated was very, very interesting.
    At yesterday's forum, we learned a considerable amount about the new frontier called the Internet. We learned about both its technological promise and its technological limitations. I am pleased that Commissioner Callahan is here today as a witness. In that capacity, he will be able to tell us what SSA has done to date. The difference between today and yesterday was that Dr. Callahan was sitting here and the various panels were sitting there, and it is just the opposite today.
 Page 13       PREV PAGE       TOP OF DOC
    In addition, we will hear from the General Accounting Office. GAO has reviewed a number of Federal computer systems and will be able to tell us about the hazards of placing personal financial records on the Internet.
    I could go on, but I would just like to make a short comment on yesterday's hearing, Mr. Chairman. And of course there will be additional hearings across the country. The Social Security Administration did something that was very good. They wanted to provide services to the clientele to make sure that people could very quickly get their earnings-wage records and find out what their benefits were, and, as we know, it went online and there was a certain amount of controversy.
    The concern focused on the fact that the Internet is not like an old-fashioned telephone system where one or two people could pick up; everybody in the world can pick up on the Internet. Therefore people were concerned about personal information being made public.
    Yesterday we had an interesting hearing, Mr. Chairman, in that we had panel after panel; we had privacy experts; we had computer high-tech experts; we received a lot of information. And so I would just like to say today what I thought about in the evening was that Social Security decided to do something that they thought was a good idea, putting earning and wage records on the Internet so that people—and these are their records, the history of their earnings—could go on the Internet and see them.
    I heard so many ideas yesterday about how high technology could help us have a smart card or something even newer than the smart card, all sorts of interesting things that we could do to protect that information. My feeling is, Mr. Chairman, that, let's not get down the road too far that we can't pull back.
    Right now, as you know, when you are 60, you get the PEBES automatically. I think from 50 up, you can get it. You can right now pick up the phone and call and get that information sent to your home. You can go on the Internet and ask for that information from the Social Security Administration and get that sent to your home.
 Page 14       PREV PAGE       TOP OF DOC
    So what I don't want to see happen here is that because there was a good idea, that all of a sudden we are going to do all sorts of safety procedures with additional expenses.
    What I found from one of the panels that was so fascinating, to me, was that this has great commercial attraction. And I don't think the Social Security Administration should be in the position of providing information for commercial reasons.
    So as there has only been one hearing, and, Dr. Callahan, you are going to hear a great deal more across the country, but I want to make sure that because we had a good idea that everybody didn't agree with, that we don't go out of our way to spend taxpayers' dollars for the safety of that idea. Maybe it is not necessary, but I don't know. I am not making any judgment here.
    Thank you, Mr. Chairman.
    Chairman BUNNING. As Barbara has told us, we begin today's hearing with Hon. John J. Callahan, Acting Commissioner, Social Security Administration. This is the first time for the Acting Commissioner to testify before this Subcommittee.
    The earnings and benefit statement online crisis sure put you in a spotlight very quickly. We appreciate you being here today, and you can provide at your leisure.

    Mr. CALLAHAN. Thank you very much, Mr. Chairman.
    Chairman Bunning, Ranking Member Congresswoman Kennelly, Congressman Tanner, and Congressman Christensen, I appreciate the invitation to appear before you today to discuss the Social Security Administration's initiative to provide Personal Earnings and Benefit Estimate Statements—what we all know as PEBES—on the Internet.
 Page 15       PREV PAGE       TOP OF DOC
    I would like to submit my statement for the record and summarize it briefly.
    Chairman BUNNING. Without objection.
    Mr. CALLAHAN. Let me say at the outset that the Social Security Administration is and always has been vigilant about protecting the privacy of the information in our records. Nothing is more important to Social Security than maintaining the public's confidence in our ability to keep confidential the sensitive data that we maintain on American citizens.
    Given the concerns raised about the security of this data in the online service of PEBES, I decided on April 9 to suspend the online service and, as Congresswoman Kennelly and Chairman Bunning have mentioned, hold a series of forums throughout the country to solicit further views on this matter.
    The Personal Earnings and Benefit Estimate Statement, as this Subcommittee knows, contains a year-by-year listing of the worker's reported earnings, estimated Social Security and Medicare taxes paid, and estimates of the benefits for the Retirement, Disability, and Survivors Program. It is a financial roadmap to millions of Americans.
    Let me assure the Subcommittee that, contrary to some reports, PEBES does not—I repeat, does not—contain information which could be used to contact the worker or the worker's employers nor does the online process allow anyone to alter Social Security Administration records. We began issuing these statements on request in 1988, and, complying with the legislative mandates of 1989 and 1990, we started to issue these statements automatically in 1995 to persons aged 60 and older.
    We are expanding this service to increasingly younger workers. Indeed, by the end of 1996, we had issued more than 12.5 million automatic PEBES. By the year 2000, the Social Security Administration will provide annual Personal Earnings and Benefit Estimate Statements to all workers 25 years of age and older. That is more than 120 million statements each year.
 Page 16       PREV PAGE       TOP OF DOC
    Since the public's response to this service has been positive, SSA wanted to provide the information in a more convenient manner, in keeping with our commitment to provide the American public with efficient, world-class service. We planned this initiative with significant outside consultation to ensure the security of the PEBES online process as well as the integrity of the Social Security Administration data system.
    We conducted several pilots where individuals could request a PEBES through the Internet and receive a paper PEBES mailed to them. Access to the individual's records via the Internet PEBES, the online PEBES, requires a match against Social Security Administration records of five authenticating elements: Exact name, Social Security number, State of birth, date of birth, and mother's maiden name. We also provide an onscreen warning about the substantial and severe criminal penalties for the intentional abuse or misuse of Social Security data.
    SSA then began a limited pretest of interactive PEBES, online PEBES, during which the PEBES response was returned to the requester's screen immediately. User feedback showed that the public reaction to the electronic response was enthusiastic. So, after 1 1/2 years of testing, SSA made the online PEBES available to all individuals in March 1997.
    During the month the service was available, we received approximately 71,000 nonduplicated requests for information over the Internet. Of these, only 48,000 requests were granted, because the other requests failed to pass the Social Security Administration authentication requirements. The primary reasons for failing to pass the authentication requirements were mismatches of mother's maiden name and place of birth.
    Although many regarded the security measures as adequate, I suspended the service so that we could thoroughly examine the views of the public and experts, and, as I mentioned, we are holding six public forums around the country. After holding these forums, we will issue a report and we will provide the information from these forums on the matters of authentication, privacy protection, and disclosure problems vis-a-vis the online PEBES service.
 Page 17       PREV PAGE       TOP OF DOC
    Mr. Chairman, the Social Security Administration is by no means the only organization, public or private, which is addressing these issues of security of data on the Internet. These are serious questions, involving access to personal information, and so forth. Our challenge is to allow individuals to conveniently access their records while protecting the security of this information. I believe that in the case of the online PEBES, at least, our forums and certainly this hearing will go a long way toward helping us achieve that goal.
    I am happy to answer any questions that the Subcommittee might have of me.
    [The prepared statement follows:]

Statement of Hon. John J. Callahan, Ph.D., Acting Commissioner of Social Security, Social Security Administration

    Mr. Chairman and Members of the Subcommittee:
    I appreciate your invitation to appear before you today to discuss the Social Security Administration's (SSA) initiative to provide Personal Earnings and Benefit Estimate Statements (PEBES) online via the Internet.
    Let me say at the outset, nothing is more important to Social Security than maintaining the public's confidence in our ability to keep confidential the sensitive data we maintain on American citizens. We are very much aware that the public's perception about the online PEBES could undermine confidence in the safety and security of the sensitive data we maintain. Because of this concern, I decided on April 9 to suspend the online interactive PEBES service which had been available for about a month.
    I would like to begin today by describing what information the PEBES displays and by providing a brief history of the PEBES. I will then discuss the steps SSA is taking to further evaluate the issues relating to the online PEBES process. In addressing these issues, I would note that the appropriate discussion should focus on authentication requirements, not system security, because, as I will relate, the PEBES system is secure. SSA is using time-tested commercial encryption that banks and other online businesses use every day for credit card transactions.
 Page 18       PREV PAGE       TOP OF DOC

What's In the PEBES

    The PEBES statement is widely considered to be one of SSA's primary tools for restoring confidence in SSA programs, and is among the most popular information documents provided by SSA. The PEBES is designed to help workers ensure that SSA's record of their earnings—the basis for all future benefit payments—is complete and accurate, to show workers the full range of protection that Social Security programs provide, and to give them personal information about potential benefits for use in their financial planning. In Fiscal Year 1996 alone, 3.4 million workers requested a copy of their PEBES.
    The PEBES response contains:
    •  Current earnings estimates as provided by the requestor.
    •  A year-by-year listing of the Social Security-reported earnings up to the Social Security maximum and the estimated Social Security taxes paid.
    •  A year-by-year listing of the Medicare earnings reported, up to the maximum, and the Medicare taxes paid. (For the years 1994 on there is no limit on the Medicare earnings taxed and so the full amount of earnings for these years is displayed.)
    •  An estimate of retirement benefits at age 62, at full retirement age (currently, age 65) and age 70.
    •  An estimate of a current disability benefit amount.
    •  An estimate of survivor benefit amounts for a spouse and children.
    The PEBES response does not contain:
    •  The requestor's mailing address.
    •  The name and address of the requestor's employer.
 Page 19       PREV PAGE       TOP OF DOC
    •  Current Social Security-reported earnings. Earnings for 1997 are not reported by employers until 1998. In most cases, 1996 earnings data are also not available as earnings reports for 1996 are currently being processed by SSA.
    •  Information an improper requestor could use to contact the worker.

History of PEBES

    SSA began issuing PEBES on request in 1988, and legislation enacted in 1989 and 1990 required that by the year 2000 SSA provide an annual PEBES automatically to all workers who are age 25 and older for whom a current address can be located. The legislation also provided for phasing in mailing the automatic PEBES by requiring that they be sent to workers approaching retirement age. Thus, SSA started to issue automatic PEBES in FY 1995 to persons age 60 and older, and is moving on to increasingly younger workers during the FY 1996 through FY 1999 period. By the end of Fiscal Year 1996, SSA had issued more than 12.5 million automatic PEBES, and by the end of FY 1999, will have issued a total of some 70 million automatic PEBES. In FY 2000, when issuance becomes annual and all workers age 25 and older are brought into the process, yearly issuance volumes will exceed 120 million statements.

Developing an Online PEBES

    SSA is committed to providing world-class service—service which is equal to or better than that available in the private sector—to all of our customers. We believe that an important aspect of this service is to provide wage and benefit information that workers and their families can use to help make financial plans for retirement.
 Page 20       PREV PAGE       TOP OF DOC
    Many private sector and government agencies are now using the Internet in ways unique to their needs. Chase Manhattan, Wells Fargo, Bank of America, and other smaller institutions now offer Internet banking. The United States Government Thrift Fund, Charles Schwab, Prudential Securities, American Century Investments, and the NASDAQ stock exchange all offer personal access to financial data via the Internet. Retailers who offer Internet ordering and accept credit card information online include TV Guide, Macy's, Spiegel, Recreational Equipment, Amazon Books, Gateway 2000 Computers, and many others.
    The public's response to the PEBES service we began offering almost 10 years ago has been overwhelmingly positive. Because of our commitment to providing world class service, SSA began to study the feasibility of providing the information in a more convenient manner. The PEBES was identified as a workload that would involve a useful service to the public and demonstrate the ability to do business on the World Wide Web as an alternative to the public's use of the 800 number, a visit to the local office, or the mailing of a PEBES request to SSA.
    SSA began its initiative to provide PEBES online with significant consultation with outside experts. Through our membership in CommerceNet consortium, a unique, not-for-profit market and business development organization located in Silicon Valley, California, and our consultation with experts in business and academia, we built a secure Internet support system with high-level security features. These features include the encryption of data moving to and from the requestor over the Internet and the total isolation of the online PEBES service from SSA's vast online data resources.
    We commissioned an extensive study on all the risks and solutions for our entire Internet service. This report was prepared for us in July 1995 by the Los Alamos National Laboratory. We used the report in implementing the PEBES Internet application. Extensive consultation with vendors such as IBM, Openmarket Inc., Bank of America, and Wells Fargo Bank also provided useful technical information.
 Page 21       PREV PAGE       TOP OF DOC
    We also participated in Federal government committees and organizations and maintained staff contacts at the Office of Management and Budget, the Departments of the Treasury and Justice, and other agencies involved in Internet services to ensure that our planned services were consistent with government standards and guidelines. In some instances, SSA staff helped shape government-wide policies which affect our Internet services, such as the National Information Infrastructure Privacy Guidelines.
    We used the IBM security response team to give us guidance in designing a secure gateway (known as a ''computer firewall'') to protect SSA mainframe computer-based data resources from unauthorized access via the Internet. We hired professional consultants to test the gateway using a variety of penetration tools and techniques. The gateway was not breached. To ensure no future breaches, we implemented some additional technical security measures, based on the advice of these consultants.
    I would like to emphasize this point, because I am concerned that some of the reports about interactive PEBES implied that access to PEBES would also allow the viewer to alter data or gain access to other SSA records. This is absolutely false. The earnings data displayed on the screen may not be altered by the viewer in any way, nor can the user gain entry to or modify any other SSA record. It has never been possible for anyone—either the worker or another individual posing as the worker—to change information on SSA records or to view data other than earnings data.
    After these security features were in place, SSA conducted a pilot program that allowed individuals to request a PEBES through the Internet, and to receive a paper PEBES mailed to the address provided by the individual. The pilot involved testing at 22 Internet kiosk sites in the San Francisco area from March 21 through April 16, 1996. We reviewed almost 4,000 comments received between April 17 and August 16, 1996, and found that approximately 450 (11 percent) of those commenting asked SSA for the ability to obtain the response online.
 Page 22       PREV PAGE       TOP OF DOC
    The online PEBES service we developed in consultation with experts has a number of security measures other than those I have already mentioned to help prevent access to wage records by anyone other than the worker. To view an online PEBES requires a match against SSA records of five authenticating elements: name, Social Security number, date of birth, State of birth, and mother's maiden name. We also provided an on-screen warning that there are substantial criminal penalties for the intentional misuse of Social Security data—penalties which SSA is fully prepared to pursue.
    On October 30, 1996, SSA then began a limited, controlled pretest of the online PEBES service in partnership with the Cedar Falls, Iowa, public library. In December 1996, we expanded our test partners to include the Baltimore County Public Library, Wells Fargo Bank, and SSA employees with Internet access. In this phase of the pilot, the PEBES response was returned to the requestor's screen immediately. Again, feedback and our direct observations showed that the public reaction to the electronic response was enthusiastic.
    After a year and a half of testing, SSA expanded the limited availability of online PEBES to provide all individuals with access to the Internet with the opportunity to obtain the PEBES statements online. During the month that the online PEBES was available, SSA received about 71,000 requests. Of those requests, we provided only 47,000 PEBES to online requestors because the other requests failed to pass SSA authentication requirements. The primary reasons for failing to pass the authentication requirements were mismatches of mother's maiden name and place of birth.

Next Steps to Protect Privacy

    Although many people would regard the security measures we employed as fully adequate, I concluded that, in view of the concerns being expressed about the online process, we needed to more thoroughly investigate the views of the public and appropriate experts with regard to all aspects of Internet access to online PEBES. Thus, when I made the decision to suspend the availability of the online PEBES, I announced that SSA would conduct a series of public forums across the country over a 60-day period to obtain input from experts in computer security and privacy and from members of the public.
 Page 23       PREV PAGE       TOP OF DOC
    These forums will have the following primary objectives:
    •  To obtain informed public input regarding how best to protect the privacy of information and confidential communications when using electronic service delivery;
    •  To refine our authentication, privacy protection, and disclosure policy which reflects the appropriate balancing of stakeholder concerns;
    •  To develop options which will enable SSA to add any necessary and appropriate protections to the interactive PEBES service and begin planning and implementing additional online services, both short-and long-term; and
    •  To produce a report which reflects all of the above objectives, and serves as the foundation for additional action.
    The first of six forums was held yesterday in Hartford, Connecticut, and will be followed over the next six weeks by five additional forums. The information we gain from these forums will assist us in articulating a clear policy foundation to enable SSA to take appropriate steps regarding the viewing on the Internet of earnings data maintained by SSA.


    Mr. Chairman, SSA experience with online PEBES raises issues that are not unique to SSA. The question that SSA and society as a whole must address is how to properly balance the rights of individuals to access and request any necessary correction of their records, the value of allowing them to do so in a convenient way, against the risk, however slight, of unauthorized access to confidential information. The resolution of this question may be made easier if there develops a general consensus of opinion as to how much risk, if any, is acceptable, and whether it is feasible and cost-effective to maintain an acceptable level of risk. I believe that, in the case of the online PEBES at least, our public forums will go a long way to answering these questions. However, they are questions which will inevitably be raised again and again as society develops and uses new technologies.
 Page 24       PREV PAGE       TOP OF DOC



    Chairman BUNNING. Thank you, Dr. Callahan.
    Let me start. Based on my review of your testimony today, I am convinced and confident, Dr. Callahan, that SSA will receive important information to help determine the future of making earnings and benefit statements available online. I am convinced, however, that ultimately this discussion represents just the tip of the iceberg regarding the overall debate on government information available via the Internet.
    Does the Clinton administration have specific final guidelines for Federal agencies to follow as far as putting information on the Internet?
    Mr. CALLAHAN. I can't give you a very specific answer on that, Mr. Chairman. I am certainly going to look into that.
    I think our immediate question, Mr. Chairman, on this very narrow matter of the online PEBES is to get the information that we need to address the privacy questions that you are concerned about, and we will be happy to supply that information to you. But I don't have a precise answer for you on that.
    Chairman BUNNING. Then as an independent agency, when the decision was made, it was made internally by the Social Security Administration, so you are telling me that the administration didn't say yes or no?
    Mr. CALLAHAN. That is correct, sir. The decision was made independently; as was the decision to suspend the online service. I made that decision, sir.
    Chairman BUNNING. Were you surprised by the reaction of the American public, and what do you think went wrong?
 Page 25       PREV PAGE       TOP OF DOC
    Mr. CALLAHAN. Well, I think that, clearly, the American public, as all of us here in this room, have a right to be concerned about the privacy of our information. I think this matter is twofold: We want our sensitive information private; we don't want other people to have that information. At the same time, we would like to have access to that information.
    I think probably some of us over the years have dealt, for example, with credit bureau reports. It is important that we have personal access to that information. So we were trying to balance two things here, and, as it turns out, obviously, we have to look at that balance again and make sure that persons' concerns about the privacy of their data will be protected.
    Chairman BUNNING. Can you give me a cost estimate for mailing a Social Security PEBES back to someone who requested it on the Internet?
    Mr. CALLAHAN. Let me give you three cost figures, if I could, Mr. Chairman. If you write in and request one of these statements and we send it back to you, it costs us about $5 a request. If you ask us online for the request and we were to mail it back to you, it costs us presently about $1. We estimate that when we finally mail out these statements at high volumes—as I mentioned earlier, every worker aged 25 and older will be receiving these statements several years from now—it will cost us approximately, I think, about 70 cents or 60 cents per request. Multiply that, of course, by 120 million. We will be mailing out 120 million forms.
    Chairman BUNNING. You maintain that the discussion should focus on the authenticity requirements rather than the system security because you maintain the system is secure. If this is the case, can you provide additional rationale for why you chose the specific authenticity requirements for online PEBES that you did and whether you believe that these need to be changed?
 Page 26       PREV PAGE       TOP OF DOC
    Mr. CALLAHAN. We chose those elements for authentication, the five data elements that I mentioned in my testimony, because we felt, obviously, as someone asks for information in a service, the more times they have to supply information, they have to be more knowledgeable about their request. So any time you go from one to two to three or four or five items, whatever it is, it becomes more complex to get that data. There are only so many what they call numidents—this is the technical term—under your Social Security record. There are only so many pieces of information that you supply to be used in this process, and we felt that five items just about stretched the limit, sir.
    Chairman BUNNING. Barbara, go ahead.
    Mrs. KENNELLY. Thank you, Mr. Chairman. Just a quick followup on how much it costs.
    According to statute, you will have to mail out these records.
    Mr. CALLAHAN. Yes, ma'am, that is correct.
    Mrs. KENNELLY. What happens if you are on the Internet and people have requested? Do you still have to mail out?
    Mr. CALLAHAN. The question, I suppose, is, if everyone at that time is getting all these statements by mail, whether they would want to ask for the information by Internet.
    But I think the one thing that should be borne in mind, it may well be as we explore other online services that, just as an example, if there were another level of security on the online process, we could do more business with the individual Social Security beneficiary or customer, if you will, through the online than we could through the mail.
    Mrs. KENNELLY. And one of my concerns is how you trace or audit who is acquiring information. What happens in a college where there are 3,000 students using a library? How are you making sure that they are the right ones to be asking that information?
 Page 27       PREV PAGE       TOP OF DOC
    Mr. CALLAHAN. In this particular case, our Deputy Commissioner for Systems, who is here with me today, Dean Mesterharm, who runs our computer systems, has advised me that, whenever we look at the online process, when we find anomalies, such as multiple requests or a lot of requests going to one address or something that doesn't fit the basic pattern of one person asking for one piece of data, we provide these anomalies to the Inspector General for investigation.
    Mrs. KENNELLY. That is my next question. I know there are monetary penalties, and I know there is prison time if you misuse the system. However, we all know that our courts are pretty heavily loaded.
    Has the Social Security Administration got the means to prosecute to find these people to bring them to court? Because if they don't and people realize they can get away with it, what happens then?
    Mr. CALLAHAN. It would certainly be our intention, Congresswoman Kennelly, that we would press this issue very, very hard, because clearly the privacy of these records is very important to us. And I have talked to the Inspector General about this. We would certainly bring this to the Inspector General's immediate attention. We would expect him, and I am sure he would agree, to also press it.
    In terms of the U.S. attorneys and the system and prosecuting these cases, that is a little bit outside our jurisdiction, but I can assure you, from the Social Security Administration's point of view, we would regard this as a very serious violation.
    Mrs. KENNELLY. As you know, in 1992 the U.S. attorney prosecuted 12 people working within the Social Security system for selling information to outsiders, and you take that from 1992 to now we are in 1997, and everybody in the world can get this very same information. I think we have a real question about whether you have the capacity to do what has to be done to keep the system safe.
 Page 28       PREV PAGE       TOP OF DOC
    Thank you, Mr. Chairman.
    Chairman BUNNING. Mr. Christensen.
    Mr. CHRISTENSEN. Thank you, Mr. Chairman.
    I would like to echo the sentiments of Mrs. Kennelly from Hartford and really instead of, I guess, criticize on anything that you have done, I want to tell you that I appreciate you going ahead and moving forward with the whole program.
    We go to high schools a lot, and Social Security usually is the number one issue in the high school forums and the frustration that high school seniors have with not knowing where this money is going, not knowing where it is going to be in 40 years, not knowing anything about why 25 to 30 percent of their pay stub is going into some deep, dark black hole.
    And we have talked a lot about the Internet, and I want to tell you, I appreciate you going ahead and getting this information available and online. Yes, mistakes may have been made. Maybe something went just a little bit awry, and that is what I want to visit with you about. I believe this is of vital importance to young people. If the generation X people cannot become more informed on this information, it is our fault. And I want to thank you for going ahead with this.
    When you were looking at the security issues, whom did you contact as far as government agencies or private sector help, and did they put together any written guidelines for you? Did they offer suggestions?
    Mr. CALLAHAN. Yes, there is a fairly long list of governmental organizations that we work with, acronyms which I probably couldn't even fully tell you about right now, but we will supply that for the record. We also worked with the Los Alamos National Laboratory; we consulted with the National Institute of Standards and Technology, all the requisite people that, for organizations inside the government, are familiar with the Internet and online transmission. So we believe that we did a thorough job in that regard in terms of consultation, but we will supply the names for you in the record.
 Page 29       PREV PAGE       TOP OF DOC
    [The following was subsequently received:]
    [The official Committee record contains additional material here.]



    Mr. CHRISTENSEN. I would like to have all the written memorandums that the various outside organizations as well as the public sector offered you in terms of guidance and advice not only in security matters but also technical advice.
    Mr. CALLAHAN. There is one aspect that we must be sensitive about. There is some data that relates to what we call the architecture of our central data system, which is highly, highly sensitive, and we would want to make that available in the appropriate fashion to the Subcommittee because this protects our central records.
    Mr. CHRISTENSEN. It is my understanding that NIST does provide, under legislative authority, the technical assistance, computer assistance. Did you seek out their input more so than Los Alamos? Which one did you rely more heavily upon?
    Mr. CALLAHAN. This was a little bit before my time, but my understanding was that we sought out NIST assistance certainly in a very intensive fashion, as well as Los Alamos. So it is my understanding that we did seek them out very aggressively.
    Mr. CHRISTENSEN. Since April 9, have you sat down with the National Institute to look at modifications and what we can do to make sure that this doesn't happen again or that we can make the correct modifications so that we can get this information back online so that high school seniors can access that information?
    Mr. CALLAHAN. We will do that, Congressman. We are also in the process of doing these forums around the country and consulting with a variety of experts. But we will do that, sir.
 Page 30       PREV PAGE       TOP OF DOC
    Mr. CHRISTENSEN. Well, I want to tell you, I appreciate the important issue that you are working on. I, maybe unlike my colleagues, want to see this back online as soon as possible. I believe it is vital information for the future, for our generation, our seniors, our 25—I would like to see you even take the PEBES system and move it down to 18-year-olds versus 25-year-olds.
    But I understand the security measures here, and I understand also the modifications that need to be put in place. But I want to thank you, and I want to encourage you, and let's get this back going and let's make the corrections.
    Mr. CALLAHAN. Thank you, sir.
    Chairman BUNNING. Mr. Hayworth.
    Mr. HAYWORTH. I thank the Chairman. And, Dr. Callahan, we thank you for coming by.
    It is interesting to hear from constituents on a variety of issues that come under the jurisdiction of this Committee. Just a couple of months ago, we were very concerned about another area involving computers with the Internal Revenue Service and the reports of a computer system that was supposed to be the wonder of wonders, a technological marvel that was going to streamline what the IRS did, and now it appears that taxpayers are some $5 billion in the hole for a system that has yet to be perfected and is filled with all sorts of technological bugs.
    And in talking to the people of the Sixth District of Arizona, Dr. Callahan, I have heard a great deal of concern about this procedure; press reports, yes, but also philosophical concerns, because I don't believe it is so much technophobia as it is a concern about people's benefits being somehow disseminated unlawfully, hackers getting in, somehow the system not providing the very security that we have come to expect from the Social Security system.
    So in hearing from a variety of people, there are genuine, genuine concerns. And I know that even as you tried to deal with this problem, you cannot be prepared today, nor can anyone be prepared, to say that after reviewing the situation you will have a system that is foolproof.
 Page 31       PREV PAGE       TOP OF DOC
    And just for the record, I want to make sure that we are on the same wavelength; you are not willing to sit before us today and say that we can have a system that will be foolproof in the days ahead.
    Mr. CALLAHAN. For the record, if you are saying, you cannot construct any system that will be absolutely 100 percent safe from these concerns you mentioned, I am sure you are correct.
    Mr. HAYWORTH. With that in mind, I think it is important that we move very deliberately and carefully, because even now as we move to expand the computer technology here in the Capitol with e-mail, there is great concern about hackers and people violating the messages. So I think that we have to move deliberately and with a variety of examinations and seeking the input of so many different people.
    You mentioned, Dr. Callahan, that SSA plans to hold public forums across the country in order to gauge the country's view of offering PEBES on the Internet. Future forums are scheduled in Atlanta, San Jose, and Austin, among other locations. Can you tell me how many SSA staffmembers will be traveling to these associations?
    Mr. CALLAHAN. I don't have that precise number, but I will supply that for the Subcommittee.
    [The following was subsequently received:]

    The number of SSA staff traveling to the PEBES forums typically ranges from 8 to 10.
    •  This number consists of the Acting Commissioner and three senior executives who appear with him on the SSA panel.
    •  Additionally, SSA sends a senior official from the Office of Communications to deal with the media and to provide any necessary onsite support.
 Page 32       PREV PAGE       TOP OF DOC
    •  SSA also sends several technical experts to provide advice to the SSA panel and to prepare for the written report that will follow.
    •  Lastly, the host Regional Commissioner and the lead Public Affairs Officer will normally travel to the site if it is not located in a regional city (e.g., Hartford).



    Mr. HAYWORTH. And could you offer us the insight and the methodology as to how these particular cities were chosen?
    Mr. CALLAHAN. We wanted to cover all parts of the country, and I think you will see that all the regions in the country are covered by these locations. We are also having a final set of hearings in Washington in an online forum from which we will be able to receive information.
    Mr. HAYWORTH. Do you have any idea of the estimated costs for travel and the organizational expenses?
    Mr. CALLAHAN. We will supply that to the Subcommittee, too.
    [The following was subsequently received:]

    SSA expects to hold six forums throughout the country in May and June 1997. The total cost is estimated to be $35,000.

 Page 33       PREV PAGE       TOP OF DOC


    Mr. HAYWORTH. Could you indicate to me what portion of the SSA budget will these funds come from?
    Mr. CALLAHAN. Again, we will supply all of that for the Subcommittee.
    [The following was subsequently received:]

    The costs of conducting the forums will be borne by SSA's Limitation on Administration Expenses Appropriation.



    Mr. CALLAHAN. I would say that I regard this as a very legitimate and very worthwhile expenditure of the Social Security Administration. We could have done the normal bureaucratic thing and gone back into our shells and muttered and groaned and moaned and tried to come back with a proposal which may not be well understood. This is an important service to millions of Americans.
    I appreciate the concern that you have raised about privacy, but we also should remember that this service is very, very valuable to the American public. We have mailed out, as I said, close to 12.5 million of these statements. People use these statements every day to plan their financial retirement. We heard yesterday in Hartford from one of the major insurance companies who said this was a very valuable service for their customers so that they could integrate not only their Social Security benefits but their private benefits, their pension benefits, their savings.
 Page 34       PREV PAGE       TOP OF DOC
    So I think, clearly, we are also talking here about a service and a set of information that is very, very valuable to millions of Americans; there is no doubt about that in my mind.
    Mr. HAYWORTH. I appreciate your perspective on that, Dr. Callahan, and in closing would simply add what tempers a lot of this is the fact that this Congress is mindful that just a couple of weeks ago we had to pass in terms of the Internal Revenue Service an antibrowsing provision, which I think was rather mildly stated, because I believe when people willfully go into individual accounts and peruse those things it is more than simple browsing, it is a criminal act.
    Mr. CALLAHAN. If I may, Congressman, your point is well taken, and we have severe penalties for anyone in the Social Security Administration that does that, and we will enforce those to the letter of the law. That wasn't right in Treasury; it is not right in Social Security; and you can depend, as long as I am here, that we will enforce those penalties to the letter of the law, sir.
    Mr. HAYWORTH. Dr. Callahan, I thank you.
    Chairman BUNNING. Mr. Tanner.
    Mr. TANNER. Thank you very much, Mr. Chairman. And, Dr. Callahan, welcome. Thank you for your testimony.
    As I understand your statement, what you presented here orally and also in reading it, the main concern is the privacy issue as it relates to the Internet access.
    Mr. CALLAHAN. Yes, sir.
    Mr. TANNER. That was primarily the reason that the experiment was discontinued?
    Mr. CALLAHAN. The experiment was discontinued because sufficient concerns were raised that we wanted to take a look at it and get the views, as I mentioned, of these various forums.
 Page 35       PREV PAGE       TOP OF DOC
    Mr. TANNER. The General Accounting Office, I think, is here and is going to present some testimony. But in reading their material, they expressed some degree of skepticism that current technology will allow a secure system to be placed on the Internet, if I am reading correctly, with the current technology base we have. Has there been any coordination between you all and GAO about that issue?
    Mr. CALLAHAN. Well, remember, we suspended this on April 9. Here it is May 6, so it is rather early in the game. We are providing GAO with all the material from these forums; we have provided GAO, as we should, with all the data relative to where we were coming from.
    I think it is fair to say on the technology issue, Congressman Tanner, technology changes incredibly rapidly. I think we heard some good testimony yesterday in Hartford, and I am sure we will hear it elsewhere, as well as advice from elsewhere, that there may be a variety of changes in technology wherein we could enhance the privacy of the transaction.
    Mr. TANNER. I want to say that I think the public hearings around the country are a good idea. This is a high priority to the American people and worthy, as you stated earlier, of bureaucrats getting out of Washington and getting around the country to see; and it raises the profile of the issue out in the country when you all are there. So I think it is an excellent idea and appropriate in this case.
    Other than raising the awareness, can you tell us what you anticipate the hearings producing?
    Mr. CALLAHAN. Well, the forums are structured to get testimony and views from a wide variety of not only the public but also computer experts and business experts. More and more businesses are providing their services online with various levels of security on those online services. We are hearing from, again, computer experts that talk about changes in technology, and we are also hearing from privacy experts. I don't think any community, whether it is the computer people or the privacy people, always speaks with one voice.
 Page 36       PREV PAGE       TOP OF DOC
    We heard an interesting piece of testimony from a privacy expert in Hartford yesterday who offered the notion that one of the things about privacy that is very important is choice, suggesting there may be a lot of people that will look at the risk that is involved in online services and say, I want that data. You have told me what the risk is to the privacy of that data, but I still want that data.
    So the question you have to ask yourself is, if they want that data and they understand the risks, why shouldn't you give that to them? And this was a privacy expert. So I think we will hear a wide variety of views; and again, we will make all of this available to the Subcommittee as it considers this matter on down the line.
    Mr. TANNER. Thank you very much.
    Chairman BUNNING. Mr. Collins.
    Mr. COLLINS. Thank you, Mr. Chairman.
    Dr. Callahan, I understand you had a hearing—when, yesterday—at Harvard?
    Mr. CALLAHAN. Hartford.
    Mr. COLLINS. Hartford. OK. That is good. You mentioned that you heard from the insurance industry there?
    Mr. CALLAHAN. There were four business panelists. One was from Chase Manhattan, one was from the Hartford, one was from a computer service, and there was one other. The affiliation escapes me at the moment, but we will supply it for the record.
    [The following was subsequently received:]
    [The official Committee record contains additional material here.]


 Page 37       PREV PAGE       TOP OF DOC

    Mr. COLLINS. Did you hear from any individuals?
    Mr. CALLAHAN. Yes, we did.
    Mr. COLLINS. What did you ascertain from the insurance company?
    Mr. CALLAHAN. The insurance company said that, if you as a Social Security recipient go to your financial planner and sign an authorization statement allowing that financial planner to get your Personal Earnings and Benefit Estimate Statement so that he or she can aid you in your financial planning, SSA supplies that statement to that person.
    Mr. COLLINS. What did Chase tell you? What was their interest?
    Mr. CALLAHAN. Well, Chase Manhattan was talking to us about the security features they have on their online banking system. They have, as I understand it, a wholesale banking system with the financial industry over which they daily transmit some astronomical figure. I think he said 1.3 trillion dollars' worth of money, so they have had a lot of experience in dealing with online security; so they provided us that information.
    Mr. COLLINS. The good side of this is the information would be available to the beneficiaries of Social Security.
    What would be the downside of it? What would be the downside of someone else ascertaining that information and using it for what purpose?
    Mr. CALLAHAN. Well, a number of people have raised the specter of the nosy neighbor, the divorce lawyer, people who may want to get the information on your particular earnings statement to use it for untoward purposes. And so I think that is one of the basic concerns that we are hearing about.
    And, again, I would say, people should be reminded that there are severe criminal penalties for that. So if you engage in that process, whether it is on the Internet or any other process, you are liable to severe prosecution.
 Page 38       PREV PAGE       TOP OF DOC
    Mr. COLLINS. Say some lawyer got this information for a divorce case; would it be evidence? Would they have to present it as that type of evidence? And how could they use it, would it not be revealing that they got it from the Social Security Administration through the Internet?
    Mr. CALLAHAN. Well, I imagine they wouldn't take any pains to reveal that because they would be subject to prosecution.
    And then this raises the broader question, which is how much of the information that relates to our daily life, whether it is income or whatever it is, is available out in the marketplace from a variety of sources. And I think this is the larger question that we have to be concerned about, which is broader than just the Social Security Administration.
    Mr. COLLINS. I missed the opportunity to check and see what I had in the account. But had I—it was very little.
    Mr. CALLAHAN. You can still request it; you just can't get it on the Internet.
    Mr. COLLINS. All right. I go in and how do I do this? I might want to look mine up.
    Mr. CALLAHAN. OK. You have to supply us——
    Mr. COLLINS. He said it was closed. I knew it was closed.
    Chairman BUNNING. Can you apply for it?
    Mr. CALLAHAN. If you were to get on your home computer and ask us for this information, we would not send it back to you now over the Internet.
    Mr. COLLINS. OK. You are going to send it back to me by mail?
    Mr. CALLAHAN. That is correct.
    Mr. COLLINS. What would I receive? I am not talking about numbers.
 Page 39       PREV PAGE       TOP OF DOC
    Mr. CALLAHAN. I hope a lot.
    Mr. COLLINS. Will I receive my total investment, total amount of earnings, annual earnings?
    Mr. CALLAHAN. You will receive your earnings record that is taxable under Social Security and under Medicare, and an estimate of what you would receive in terms of Social Security benefits when you retire.
    And I actually have for the record what a PEBES Statement looks like. There is no particular name on this, but we would supply this for the record.
    Mr. COLLINS. Good, I would like to see it. Thank you very much.
    [The following was subsequently received:]
    [The official Committee record contains additional material here.]



    Chairman BUNNING. Mr. Portman.
    Mr. PORTMAN. Thank you, Mr. Chairman, and Dr. Callahan for your testimony today. I understand you are going to have some hearings and forums and consult with experts, so you may not be prepared to answer all of these questions; but to the extent you can, I would appreciate it.
    You have looked into the issue, I know, and others we are going to hear from later talking about having a PIN number requirement or a password or perhaps some kind of a digital signature. Of those options, which do you think might be practical for Social Security?
    Mr. CALLAHAN. I can't give you a definitive answer, but my understanding, at least from talking with our own experts and, obviously, based on this forum that we held yesterday, it seems the most readily available in the first instance is the PIN or the password, which is something we are all familiar with.
 Page 40       PREV PAGE       TOP OF DOC
    There seems to be a growing desire to look into the real possibilities of the privacy aspects of digital signatures, and that is certainly something that we would look at.
    Mr. PORTMAN. You mean in relation to addressing the privacy problem?
    Mr. CALLAHAN. Digital signatures would enable us to authenticate who it is that is communicating with us so that we could be able to have a secure transaction between ourselves and the authentic individual.
    Mr. PORTMAN. I hope you are working with the Internal Revenue Service on this, as they are addressing many of the same problems.
    As you know, one of the problems with electronic filing is, we have a separate requirement for a paper return to be signed so that the signature is available; and we are hoping that we can come up with something like that on the IRS side, as well, because it makes a lot of sense.
    My general question to you is, and again I know that you are going through this process of evaluating whether this is feasible, but do you think, given what you know about the problems you had with the PEBES system and, generally speaking, with regard to your computer systems being subject to hackers or other outsiders, do you think this thing is feasible? Do you think it can happen?
    Mr. CALLAHAN. It would probably be premature for me to give you an absolute, definitive answer. But I will say—let me divide the answer into two parts.
    In terms of the integrity of our basic data system—and you mentioned hackers, and every central data system is concerned about——
    Mr. PORTMAN. Have you had problems with hackers in your data systems?
    Mr. CALLAHAN. No, we have not.
 Page 41       PREV PAGE       TOP OF DOC
    Mr. PORTMAN. This is not just related to the Internet?
    Mr. CALLAHAN. We maintain the highest level of vigilance on that. We understand that, like everything else, people will try. They have not succeeded. And believe me, that is very, very——
    Mr. PORTMAN. You know that people have tried?
    Mr. CALLAHAN. Yes, sir. And they have not succeeded and if we find them doing it, we will track them down and we will prosecute them.
    Mr. PORTMAN. And that is through encryption and other methods that you use to ensure the privacy?
    Mr. CALLAHAN. Yes.
    Mr. PORTMAN. So you do have some systems in place?
    Mr. CALLAHAN. Yes, we do.
    Mr. PORTMAN. Let me, before we run out of time, ask you a couple of other specific ones. At the IRS, and I understand at HHS also, although I am less familiar with that, there is a privacy office. Social Security doesn't have one to my knowledge.
    Do you have a privacy office, a privacy department?
    Mr. CALLAHAN. I know we have some senior officials that are charged with privacy concerns. I am not exactly——
    Mr. PORTMAN. We are going to hear from a witness later today, based on the testimony that I saw that we have a Privacy Commissioner for the Federal Government; and my question would be, if that makes sense for the IRS, which I think it does, whether Social Security might want to prioritize this issue and add stature to the people who are looking into it by establishing a group of people that focus on this issue, because it is so important.
    Mr. CALLAHAN. We will look into that.
    Let me just say, though, like everything else, we have to be very, very concerned with privacy. We have said that repeatedly. At the same time, where we serve so many people, beneficiaries, taxpayers, and so forth, we have to have a lot of commerce with people that are concerned about this.
 Page 42       PREV PAGE       TOP OF DOC
    Every Member of this Subcommittee is right. People really are very concerned about Social Security, the future of Social Security, the maintenance of Social Security. That means we have to have that back-and-forth communication with them, whether it is over the telephone or coming into the field office.
    Mr. PORTMAN. That is precisely why you need to focus on privacy. I would agree with comments made earlier by some of my colleagues that what the Social Security Administration was attempting to do through providing this information on the Internet is a good idea and particularly with our younger generation having that access to the Internet for other reasons. I think it is a great idea. But to do that the privacy concerns have to be addressed and addressed at the outset; otherwise we will have another shutdown, as we just experienced.
    Mr. CALLAHAN. That is a point well made.
    Mr. PORTMAN. One other point: Since you are going through this process, I hope you will also make a recommendation to the Clinton administration that there be a governmentwide effort to look at this issue. This is not just related to SSA. And I think we will hear from a lot of people about the lack of focus on privacy in all the government agencies, and one can learn from another.
    Thank you, Mr. Chairman.
    Chairman BUNNING. Mr. Levin.
    Mr. LEVIN. Do you know, most people who inquire, are they mainly interested in the estimate of their benefit they are going to receive?
    Mr. CALLAHAN. You mean, why they inquire?
    Mr. LEVIN. Isn't that the reason that most do?
    Mr. CALLAHAN. Most of them use it for financial planning purposes, yes.
 Page 43       PREV PAGE       TOP OF DOC
    Mr. LEVIN. Isn't one possibility to provide that information over the Internet, but not all of the earnings records?
    Mr. CALLAHAN. Yes, that is a possibility, and that was discussed the other day.
    Mr. LEVIN. Within——
    Mr. CALLAHAN. The forums that we mentioned. That is a matter that has been brought to our attention.
    Mr. LEVIN. I take it that most people who might attempt to misuse the Internet are really interested not in the benefit estimate, but in the earnings record, right?
    Mr. CALLAHAN. Yes, although—let me amend my statement, if I could, Congressman Levin.
    When people look at their earnings record, we encourage them to examine their earnings record carefully because, if they believe it is incorrect, they should bring it to our attention. We will correct it, where appropriate, so they will get the accurate benefit to which they are entitled.
    Mr. LEVIN. I understand that, but most people who inquire are interested in the bottom line benefit. They could receive the earnings record in other ways, right?
    Mr. CALLAHAN. Yes, sir.
    Mr. LEVIN. And I take it, it is also true that most of the abuse would come from people who want not the benefit estimate, but the earnings record.
    Mr. CALLAHAN. I believe that would be correct.
    Mr. LEVIN. So, there might be a relatively—I hate to suggest around here a simple answer, and I am not saying it is a complete one, but I mean, there might be a relatively easy way to at least in the near future to resolve this issue, no?
 Page 44       PREV PAGE       TOP OF DOC
    Mr. CALLAHAN. That could well be, sir.
    Mr. LEVIN. Thank you.
    Chairman BUNNING. I only have one more question. The SSA Inspector General points out that while the financial and retail industries provide online services at a level of risk acceptable to their customers, these exchanges are generally voluntary.
    Did you consider that when you were making the decision to put it online?
    In other words, if I am a Social Security recipient or could be a recipient of PEBES, I want to opt out. I don't want my information online; since I have already received from the Social Security Administration my physical document, I don't need to be online.
    Mr. CALLAHAN. Right.
    Chairman BUNNING. That is why eventually the older members of our population will not need to have anything online. It is the young group that Mr. Christensen was talking about that would like to see what is online and what their benefits might be or might be projected to be.
    Mr. CALLAHAN. Right.
    Chairman BUNNING. So did you consider that? If not, why not?
    Mr. CALLAHAN. Again, it precedes my time here, but let me speak.
    Chairman BUNNING. There are some people here who were in on the decision.
    Mr. CALLAHAN. I understand, but I believe that that certainly was a matter that was considered. There is a cost, obviously, to creating a service where you, in essence, would have to block all these records; so it would not be the normal Internet service. You would have to take that into consideration. That obviously would raise the cost of ''providing'' online service as if we had put it in with a pen or what have you. So, it is my understanding that those things were looked at, but the decision was made to go forward without that option in the service.
 Page 45       PREV PAGE       TOP OF DOC
    Chairman BUNNING. In other words, you couldn't opt.
    Mr. CALLAHAN. I am not saying you couldn't do it. I am sure it is possible in a systems sense. There is a program cost of doing that, and I believe that, as well as other——
    Chairman BUNNING. I understand.
    Mr. CALLAHAN [continuing]. Other considerations, made it go forward without exercising that option.
    Mrs. KENNELLY. Will the gentleman yield?
    Chairman BUNNING. Certainly.
    Mrs. KENNELLY. I believe there is a bill already introduced that people would have to request that their particular information not be available. To me, that misses the point because once you are online—and you heard the gentleman yesterday—we have got hackers you can't stop.
    And once you are online—I don't know yet, and I don't know that we all know—can you protect that information? We should approach it before you go online, rather than after you go online, and then block it.
    Mr. CALLAHAN. I think that was a consideration that was raised yesterday and we will have to further explore it. But I think it is also not one obviously without cost and without creating segmented data systems that we have. So I think I understand the point that you have raised and the Inspector General has raised. But we did not exercise that option as is evident when we did the service.
    Chairman BUNNING. Anyone else?
    Go ahead, Jon.
    Mr. CHRISTENSEN. Yes, when you were looking at the system and, obviously, take a college library or a high school library, you have got hundreds if not thousands of kids who are into the system. When you were testing the system, what did you look at in terms of trying to decide if someone was hacking into the system, how could you find that person and how could you go after that person in terms of the prosecution? What type of ID did you put together initially in your test plan? You had to foresee something like this occurring.
 Page 46       PREV PAGE       TOP OF DOC
    Mr. CALLAHAN. I know that one of the concerns that they had in communicating with the PCs in the public setting, where it wasn't your own PC, was to make sure that the information is not left in the computer's memory and could not be retrieved and what have you. We worked out the encryption for the transmission between the Social Security Administration and that particular terminal to make sure that data could not be retrieved by someone other than the person at the particular computer station.
    We also in some of our other experiments had controlled experiments whereby we worked with large organizations such as GMAC and Wells Fargo where they interacted with us to see how the transmission went.
    Mr. CHRISTENSEN. How did you come up with the number ''eight for eight'' attempts before you kicked them out of the system?
    Mr. CALLAHAN. I think some of us can relate to this. I think most of us think about the number, three—three strikes and you are out. All of us go to our ATM, and I think it is the third time you lose your card; you know, that is it. So most of us, when you put it in two times and you miss it, it is like a real dilemma: Do I put it in the third time and lose my card, or take it back? So that is a very popular number. But we felt that obviously we are asking people for five knowledge-based elements that we talked about earlier: Social Security number, date of birth, mother's maiden name, and so forth. We found out in some of our analysis that a lot of people had a problem with their mother's maiden name. I don't know what that says in a societal sense.
    Mr. CHRISTENSEN. Out of 77,000 attempts, Dr. Callahan, 47,000, you have actually mailed PEBES statements.
    Mr. CALLAHAN. Made the connection.
    Mr. CHRISTENSEN. So 44 percent were either honest error or actually hacking into the system?
 Page 47       PREV PAGE       TOP OF DOC
    Mr. CALLAHAN. Right, and as I mentioned earlier, we looked at the question of ''hacking into the system'' for anomalies, and we have turned those over to the Inspector General for the 5 months we had it online. There were five cases in which we thought there were particular anomalies that might have led to hacking, and it turns out these were financial planners, legitimate financial planners with a large number of family members who wanted to get this information.
    Mr. CHRISTENSEN. So out of 25,000 cases that didn't—were not legitimate or made an honest mistake, your Administration believes there was only five?
    Mr. CALLAHAN. That is correct.
    Mr. CHRISTENSEN. I guess that is a number that I would hold highly suspect, even though I know that you are doing the best effort to try to find out what you can. I would really look at that number a little bit closer because I don't think that is probably very accurate.
    Mr. CALLAHAN. Let me also suggest this: Remember we have had the PEBES mail service going for a long time. We send out a lot of PEBES. I am sure it is not inconceivable that some of these pieces of mail may have fallen into the wrong hands. In all of the time we have had this service available, we haven't had any major concerns brought to our attention of violations of this process. I mean, it just hasn't been brought to our attention.
    Mr. CHRISTENSEN. If we go to a PIN or a password or a digital signature, what disadvantages do you see with that if we go to that type of system?
    Mr. CALLAHAN. Like everything else, it is one more thing to remember. Some of the computer experts tell us, you know, we are going to have a separate PIN for Social Security, a separate PIN for other government agencies that we want to deal with, and so forth; so there is some feeling that that could be complicated.
    Mr. CHRISTENSEN. Has NIST suggested this approach?
 Page 48       PREV PAGE       TOP OF DOC
    Mr. CALLAHAN. I don't know for sure.
    Mr. CHRISTENSEN. Does your staff know or can you get back to us on that?
    Mr. CALLAHAN. Yes, we will get back to you on that and supply it for the record.
    [The following was subsequently received:]

    You asked that we provide information on NIST's views on PINS and passwords. While SSA did consult with NIST on other facets of providing PEBES on the internet, we did not consult with them specifically about PINS and passwords.



    Mr. CHRISTENSEN. Thank you, Mr. Chairman.
    Chairman BUNNING. Thank you very much. We appreciate your testimony.
    Mr. CALLAHAN. Thank you very much, Mr. Chairman.
    Chairman BUNNING. If you see one side of this Subcommittee leaving at 4 o'clock, they have a caucus. At least, that is what I have been told.
    Mrs. KENNELLY. We do.
    Chairman BUNNING. So we know where you are going.
    Hon. David Williams, Inspector General, accompanied by Pamela Gardiner, Assistant Inspector General for Audit at SSA's Office of the Inspector General. And reporting from the GAO is Joel Willemssen, Director of Information Resources Management Issues, and he is accompanied by Keith Rhodes, Director of Computer and Telecommunication Issues.
 Page 49       PREV PAGE       TOP OF DOC
    If they will sit down, please, let's begin with Mr. Williams.

    Mr. WILLIAMS. Thank you, Mr. Chairman and Members of the Subcommittee. I am pleased to appear today to discuss the Social Security Administration's initiative to provide online PEBES Statements via the Internet. I agree with Acting Commissioner Callahan that the ultimate goal of electronic service is to balance agency cost, customer service, and protection of an individual's privacy.
    Low cost and fast service are fairly easy to define. The Agency's shift from mailed, hard copy statements to online PEBES reduced costs from over $5 per statement to just a few cents. It also provided customers with PEBES Statements instantly. Privacy protection, on the other hand, is not so easily measured.
    SSA consulted with numerous experts to structure security features aimed at assuring a level of privacy for the system's personal information data. Although a number of security features were structured to prevent unauthorized access, other powerful features such as PINs and passwords were not ultimately added. Recent media accounts provided examples of the value of PEBES information to unauthorized parties. Creditors, litigants, private investigators, and divorce attorneys are just some of the groups for whom earnings information is valuable. The financial and retail industries also provided online services at a level of risk to their customers. However, these services are entered into voluntarily, while SSA's online service placed citizens' earnings histories on SSA's Website without individuals' consent.
    The vast interest in earnings information was implicit in the dramatic upswing in PEBES requests which immediately followed the April 7 front page story in ''USA Today.'' In the month preceding the newspaper article, there were 28,000 requests. In 2 days following the publication, the number of requests increased to nearly 50,000.
 Page 50       PREV PAGE       TOP OF DOC
    This substantial interest in earnings information creates a privacy risk that is magnified by the unique way in which PEBES are requested online. Individuals seeking earnings information, other than their own, may remain virtually anonymous through the use of computers at sites with multiple users such as libraries and universities. In a recent case, SSA traced a single Internet request back to a university computer and learned that as many as 3,000 students had access to it.
    Another concern with SSA's online service is the possibility of a computer hacker penetrating SSA's firewalls which serve as buffers between SSA's internal computer operations and the general public. To evaluate its computer security, SSA hired specialists to attempt to penetrate the firewalls. Although their attempts were unsuccessful, they did identify some shortcomings in SSA's security procedures.
    The Office of the Inspector General's concerns with Internet vulnerabilities are longstanding. We discussed with SSA's Electronic Service Delivery Steering Team the difficulty of verifying users' identities, the risk to SSA's computer operations from hackers, and the broad interest in the information stored in SSA's databases.
    Unauthorized access to SSA's records through the Internet presents a challenge to our investigative and prosecutive efforts. Threats to private and governmental computers have been escalating in concert with the expansion of electronic services. The U.S. Secret Service, the Federal Bureau of Investigation (FBI) and the Air Force's Office of Special Investigations have been battling criminals that are exploiting this new electronic frontier. Although substantial case law is lacking and investigators require knowledge of sophisticated techniques, the government's experiences have shown that substantial investigative opportunities are available through proper training, equipment, and dedication. This investigative commitment, coupled with security and audit mechanisms have proven to be an effective deterrent to these emerging criminal threats. The OIG is prepared to vigorously investigate allegations and seek prosecution of violators.
 Page 51       PREV PAGE       TOP OF DOC
    Numerous security measures are available to SSA to safeguard online earnings; however, most additional security measures would result in either added costs or more restrictive access.
    We do offer the following options for SSA to consider: Explore the option of confirming requester addresses against the address file SSA obtains from the IRS; reduce the number of unsuccessful attempts allowed from eight to three, and then deny further access until the individual visits an SSA office; confirm the entire maiden name of the requester's mother; provide PEBES only by mail, but allow requests via the Internet; allow the public the option to block their records; and consider using PINS, personal identification numbers, passwords or digital signatures.
    We believe SSA's planned public forums are prudent. These forums will provide valuable insight into the public's perception of acceptable levels of risk to privacy, service expectations, and costs. We will continue to remain involved in the decisions related to the PEBES electronic delivery and will coordinate with the General Accounting Office to audit any areas of concern.
    This concludes my statement, Mr. Chairman.
    [The prepared statement follows:]

Statement of Hon. David C. Williams, Inspector General, Social Security Administration

    Mr. Chairman and members of the Subcommittee, I am pleased to appear today to discuss the Social Security Administrations' initiative to provide on-line Personal Earnings and Benefit Estimate Statements (PEBES) via the Internet. I agree with the Acting Commissioner that the ultimate goal of electronic service is to balance agency cost, customer service, and protection of an individual's privacy.
 Page 52       PREV PAGE       TOP OF DOC
    Low cost and fast service are fairly easy to define. The Agency's shift from mailed hard copy statements to on-line PEBES reduced costs from over $5 per statement to just a few cents. It also provided customers with PEBES statements instantly. Privacy protection, on the other hand, is not so easily measured.
    SSA consulted with numerous experts to ensure that its migration to electronic service was done in a responsible manner. As SSA moved to on-line service, it devoted considerable effort and resources to structuring security features aimed at assuring a level of privacy for the system's personal information data. Although a number of security features were structured to prevent unauthorized access, other powerful features such as personal identification numbers (PINs) and passwords were not ultimately added.
    Recent media accounts provided examples of the value of PEBES information to unauthorized parties. Creditors, litigants, private investigators, and divorce attorneys are just some groups for whom earnings information is inherently valuable. The financial and retail industries provided on-line services at a level of risk to their customers. However, these services are entered into voluntarily, while SSA's on-line service placed citizens' earnings histories on SSA's web site without individuals' consent.
    The vast interest in earnings information was implicit in the dramatic upswing in PEBES requests which immediately followed the April 7 front page story in the USA Today. In the month preceding the newspaper article, nearly 28,000 requests for PEBES were received by SSA through the Internet. In the 2 days following publication, the number of attempts to obtain PEBES increased to nearly 50,000.
    This substantial interest in earnings information creates a privacy risk that is magnified by the unique way in which PEBES are requested on-line. Individuals seeking earnings information, other than their own, may remain virtually anonymous through the use of computers at sites with multiple users such as libraries and universities. In a recent case, SSA traced a single Internet request back to a university computer and learned that as many as 3,000 students had access to it.
 Page 53       PREV PAGE       TOP OF DOC
    Another concern with SSA's on-line service is the possibility of a computer hacker penetrating SSA's firewall, which serves as a buffer between SSA's internal computer operations and the general public. To evaluate its computer security, SSA hired specialists to attempt to penetrate the firewall. Although their attempts were unsuccessful, they did identify shortcomings in SSA's security procedures. As SSA looks to the future, it must confront the continuous advancement in techniques available to outsiders to penetrate its data processing systems.
    The Office of the Inspector General's (OIG) concerns with Internet vulnerabilities are longstanding. We discussed with SSA's Electronic Service Delivery Team the difficulty of verifying user identities, the risk to SSA's computer operations from hackers, and the broad interest in the information stored in SSA's data bases.
    Unauthorized access to SSA's records through the Internet presents a challenge to our investigative and prosecutive efforts. Threats to private and governmental computers have been escalating in concert with the expansion of electronic services. The U.S. Secret Service has been confronted with anonymous electronic threats to the President; the Federal Bureau of Investigations (FBI) has dedicated considerable resources to identifying computer criminals who extort major corporations; and the Air Force's Office of Special Investigations has developed techniques to detect foreign and domestic cyber-intrusions into Government computers. These agencies, and others, have been battling criminals that are exploiting this new electronic frontier. Although substantial case law is lacking and investigators require knowledge of sophisticated techniques, the Government's experiences have shown that substantial investigative opportunities are available through proper training, equipment, and dedication. This investigative commitment, coupled with security and audit mechanisms have proven to be an effective deterrent to these emerging criminal threats. The OIG is prepared to vigorously investigate allegations and seek prosecution of violators.
 Page 54       PREV PAGE       TOP OF DOC
    Numerous security measures are available to SSA to safeguard on-line earnings access. However, most security measures would result in either additional costs or more restricted access that may prevent legitimate requestors from obtaining their records. We offer the following options, some of which SSA is considering:
    •  explore the option of confirming requester addresses against the address file SSA obtains from the Internal Revenue Service (IRS);
    •  reduce the number of unsuccessful attempts allowed from eight to three, and then deny further access until the individual visits an SSA office;
    •  confirm the ENTIRE maiden name of the requester's mother;
    •  provide PEBES only by mail, but allow requests via the Internet;
    •  allow the public the option to block their records from Internet PEBES; and
    •  consider using PINs, passwords, or digital signatures.
    We believe SSA's planned public forums across the country over a 60-day period is prudent. These forums will provide valuable insight into the public's perception of acceptable levels of risk to privacy, service expectations, and costs that taxpayers are willing to pay.
    We will continue to remain involved in decisions related to PEBES electronic delivery and will coordinate with the General Accounting Office (GAO) to audit any areas of concern.
    This concludes my statement, Mr. Chairman.


 Page 55       PREV PAGE       TOP OF DOC

    Chairman BUNNING. Thank you, Mr. Williams.
    Mr. Willemssen.

    Mr. WILLEMSSEN. Thank you, Mr. Chairman. Thank you for inviting us to testify today. Accompanying me is Keith Rhodes, GAO Technical Director and a recognized expert in computer security and the Internet. As agreed, we will briefly summarize our statement.
    We just initiated last week a review of SSA's use of the Internet to provide benefit information and, therefore, we are not yet in a position to conclude on the effectiveness of SSA's actions in providing this Internet access.
    However, we have previously performed reviews at other agencies and reported on computer and Internet security and on the risks facing agencies in providing electronic access to data. And based on this work and our knowledge of what SSA has done, we do have a few observations to provide.
    First, we support the Acting Commissioner's decision to suspend the Internet service. And we also would caution SSA to make sure that it carefully looks at the issue before resuming the service.
    Second, the use of Internet is inherently risky because of the way the Internet was designed. Therefore, one issue is whether SSA should provide sensitive information via the Internet.
 Page 56       PREV PAGE       TOP OF DOC
    Third, if the decision is made to use the Internet, the question is whether SSA is doing what is necessary to ensure that sensitive information is not compromised. It should be noted that top experts in the field don't currently agree on how to provide computer security for the Internet.
    I would like Mr. Rhodes to briefly mention some of the vulnerabilities with the Internet system.
    Mr. RHODES. Thank you.
    Mr. Chairman, first let me preface my remarks by saying that SSA is the vanguard in both public and private sectors in public advice via the Internet. The questions we ask and answer here and in the coming days will have to be asked and answered by any and all agencies that wish to send and receive sensitive data to individuals via the Internet.
    That said, I would like to explain two points today: One, what the basis for good security is; and two, why the Internet is a unique environment in which to pass information. On the first point, we need to understand that security in any environment is a three-legged stool. Each leg representing the abilities to protect, to detect, and to react to a threat or risk.
    We must protect the assets we value against compromise—either unwarranted exposure, modification or theft—to detect an attempt at compromise either internal or external, and to react both technically and legally to stop the attempted exposure and to prosecute the would-be attacker.
    For example, if one were building a house, one decides what security measures will be designed in the house. Protection equates to locks and fire extinguishers, detection is found in smoke and burglar alarms, and reaction is in the local fire and police departments.
    The key is that the homeowner decides what is to be protected and what is enough, whether the smoke alarm just senses smoke and sends out a 120-decibel scream that wakes everyone up or also sends a message automatically to the local fire department. The point is the homeowner decides what he or she is going to protect, from what, for how long and at what cost.
 Page 57       PREV PAGE       TOP OF DOC
    The second point is the house we are building, the Internet, has already been built. The house is made of glass, has no doors, just holes in the walls, everyone knows our address, and we are simultaneously in the best and worst neighborhood. People we do not know are walking in and out of our house, having conversations with people we do not know; and every once in a while one of these people gives us a message that we have to deliver to someone else we don't know.
    Now, with all this commotion, we want to have a private conversation with someone we do know. How do we do this? We are not contractors. We are homeowners. The security we want has to be put into the house after the house has been built by someone else.
    What do you do, however, when the contractors to whom we are listening do not agree or if they fix something and break something else? This is the environment to which SSA is venturing. Thus, the key decisions that have to be made in order for anyone to safely navigate this environment are, one, who owns the assets; two, what risk is acceptable; three, at what cost?
    This concludes our statement, and we are open to questions.
    [The prepared statement follows:]

Statement of Joel C. Willemssen, Director, Information Resources Management, and Keith A. Rhodes, Technical Director, Office of the Chief Scientist, Accounting and Information Management Division, U.S. General Accounting Office

    Mr. Chairman and Members of the Subcommittee:
    We appreciate this opportunity to participate in the Subcommittee's hearing on privacy and security concerns relating to the Social Security Administration's (SSA) recent experiences in providing personal benefits estimates to individuals via the Internet. Mr. Chairman, both you and the Ranking Minority Member have expressed concerns about whether SSA's interactive benefits estimates service adequately protects the privacy of Americans, and whether unauthorized access to confidential information is taking place over the Internet. Such concerns are understandable. SSA, as administrator of the nation's largest federal benefits program, touches the lives of almost every American. It is essential that citizens be able to trust that the agency is safeguarding the personal information it collects.
 Page 58       PREV PAGE       TOP OF DOC
    While we have just initiated a review of SSA's use of the Internet to disseminate benefits estimates, we have, however, reported on computer and Internet security, and on the risks facing agencies in providing electronic access to data(see footnote 1) Our remarks today will, therefore, focus on general privacy and security considerations that federal agencies should address to safeguard any sensitive information made available as a public service via the Internet.

Providing Personal Earnings and Benefits Information Via the Internet

    As you know, Mr. Chairman, for just under 10 years, SSA has been providing a Personal Earnings and Benefit Estimate Statement (PEBES) to any individual requesting it. The statement includes a yearly record of earnings, estimates of Social Security taxes paid, estimates of retirement and disability benefits, and potential survivor benefits should the individual die. Legislation(see footnote 2) mandated that beginning in fiscal year 1995, PEBES be sent to all eligible U.S. workers aged 60 and over; beginning October 1, 1999, it is scheduled to be sent annually to all eligible workers aged 25 and over—an estimated 123 million people.(see footnote 3) As we reported last year, the public has found PEBES to be a useful financial planning tool.(see footnote 4)

    SSA has recently tried to educate the public about the importance of its programs and availability of information, such as the PEBES statement; this initiative to provide ''world class service'' was—at least in part—in reaction to surveys showing public confidence in SSA programs at a low level. While much of this perception may relate to continual discussion about SSA's financial viability, officials at the agency have stated that they are attempting to be more responsive to customer desires. As part of this initiative, the agency last year began permitting individuals to request PEBES through the Internet, with the document being sent by mail. This was seen as a new alternative to visiting an SSA office in person or using its toll-free telephone number.
 Page 59       PREV PAGE       TOP OF DOC
    In March of this year, in an effort to be as responsive as possible, SSA began permitting on-line dissemination of the statement to individuals. Using the Internet for this purpose was a planned part of the agency's electronic service delivery project, a component of its business plan for fiscal years 1997–2001. According to this plan, the project would ensure that, among other items, ''integrity and confidentiality of client data are safeguarded.(see footnote 5)

    According to SSA officials, before taking the step of transmitting PEBES data over the Internet, they spent a year testing and consulting with outside experts, including those in the areas of privacy and computer security. Among the security features intended to preserve individual privacy was the requirement for an individual to enter five authenticating elements into the system in order to access the data. These elements were name, Social Security number, date and place of birth, and mother's maiden name.
    In early April, press reports of privacy concerns over the availability of this information via the Internet sparked widespread reaction—including the fear that those not entitled to the information could access it without difficulty. Experts also questioned the adequacy of the five key pieces of information needed to obtain the data, pointing out that three of the five are available in public databases. With this publicity, according to SSA officials, attempts to access the data at SSA's web site(see footnote 6) escalated from about 10 to 80 per second.

    SSA officials believed the situation was well in hand, that the security measures taken were sufficient. They pointed out that, as of April 7, security screening denied access to about 9,000 of the 27,000 requests for on-line PEBES data. SSA officials stated that while they monitored many attempts to break into the system, none succeeded.
 Page 60       PREV PAGE       TOP OF DOC
    On April 9, after public outcry and concerns about the privacy of sensitive information, the Acting Commissioner of Social Security suspended on-line receipt of PEBES data.
    Mr. Chairman, we see this issue as one of balance. While SSA has attempted to be responsive to the needs of its customers, the question is how—and, given the risks involved, whether—to do this via the Internet. If the decision is made to use the Internet in this way, the question is whether SSA is doing everything possible to ensure that sensitive information is not compromised. Convenience with undue risk to security is no bargain.
    This is especially important because the interactive PEBES project is just one of many initiatives planned for the next few years that are intended to make greater use of technology. Other SSA efforts under the electronic service delivery umbrella include third-party access (using technology to allow others, such as state or local government employees or advocacy-group members, to assist individuals in dealing with SSA), dial-up bulletin boards, touchtone telephone access (for less sensitive customer records), and even interactive cable television.(see footnote 7)

Information Security on the Internet

    In the last few years, the use of the Internet has grown tremendously and has placed a vast array of information at the fingertips of millions of users. This is due primarily to the availability of tools that have made the Internet much easier to use. As a result, we have witnessed a rush to connect to the Internet; today there are over 40 million users worldwide.
    Despite this growth and leap in ease of use, the Internet has inherent security risks because of the way it was designed. The Internet is a complex network that has evolved over the last decade from an initially limited and experimental link of interconnected computers. The network, developed for the most part by scientists and engineers, was initially designed to test how a military command and control system could get messages through in a post-nuclear environment without regard to security. To do this, the network was built so that a message would use any available path to its destination, regardless of how many ''dead ends'' it encountered. The most important element of the network was, therefore, its robustness, or tenacity—not security.
 Page 61       PREV PAGE       TOP OF DOC
    The relative insecurity of the Internet makes using it as a vehicle for transmitting sensitive data—such as personal Social Security information—a decision requiring careful consideration. In such an environment, one must weigh added convenience against the potential compromise and misuse of such information—and the potential damage to the database itself. In considering such tradeoffs, it is important to remember that, whether on-line or not, Social Security benefits information is available through means other than electronic.
    Computer hackers(see footnote 8) have for years exploited the security weaknesses of systems connected to the Internet.(see footnote 9) The growing number of people having access to the Internet—any one of whom is a potential hacker—coupled with the rapid growth of and reliance on interconnected computers, has made cyberspace a dangerous frontier. Informal groups of hackers openly share information on how to break into computer systems. Despite security features that boast ever-increasing sophistication, hackers have more tools and techniques than ever before, and the number of attacks on systems is growing each day.(see footnote 10) As a result, the need for secure information systems and networks has never been greater.

    This problem is directly affecting federal systems. Interconnectivity, combined with poor security management, is placing billions of dollars' worth of assets at risk of loss, and vast amounts of sensitive data at risk of unauthorized disclosure. While greater use of interconnected systems offers significant benefits, such systems are much more vulnerable to malicious attack by anonymous intruders—an increasing threat to our national welfare. Consequently, information security has been added to our list of government programs designated as high-risk because of vulnerabilities to waste, fraud, abuse, or mismanagement.(see footnote 11)

 Page 62       PREV PAGE       TOP OF DOC
Implementing Computer Security: Protect, Detect, React

    Making information systems more secure is complicated, not only by the huge numbers of people having access to them, but also by the complexity of most systems themselves. Most large organizations have, along with personal workstation computers, mainframes, software applications, servers, routers, and external connections. These systems use a variety of products from a number of different vendors. Fully understanding the security weaknesses caused by the complex interrelationships of these products is a difficult task. Accordingly, absolute computer security is not possible. In developing effective systems security, officials must, then, consider what level of risk is acceptable. Such a decision will hinge on issues such as the type and sensitivity of the information, how vulnerable to attack the computers and networks are, where potential threats might come from, available countermeasures, and costs.
    For most organizations, a prudent approach involves determining an appropriate level of protection, then ensuring that any security breaches that do occur can be effectively detected and countered. This generally means establishing (1) a comprehensive program with top management commitment, sufficient resources, and clearly defined roles and responsibilities; (2) clear, consistent, and up-to-date security policies and procedures; (3) periodic vulnerability assessments to identify security weaknesses; (4) security awareness training; (5) sufficient time and training for systems administrators and information security personnel; (6) efficient use of automated security tools; and (7) a robust incident-response capability, so that attacks can be detected and a response initiated quickly in order to aggressively track and prosecute the offenders.
    The first point just mentioned, about roles and responsibilities, is essential. In determining these, a decision must be made on identifying the owners of information versus the stewards of information. Owners are ultimately responsible for the decision on what level of security risk to accept, while stewards manage that risk. A recent example of a government agency's handling of electronic data in the steward role rather than owner was when the Internal Revenue System introduced the proposal of electronically filing tax returns. In this case, it left the decision of whether to put one's sensitive data into cyberspace with the individual, the owner.
 Page 63       PREV PAGE       TOP OF DOC
    Turning to detection of an attack once one has been made, organizations use two basic methods: system audits and monitoring. These terms are used loosely within the computer security community, and often overlap. A system audit is a one-time or periodic security evaluation. Monitoring, in contrast, refers to an ongoing activity that examines either the system or its users. In general, the more ''real-time'' an activity is, the closer it is to monitoring.
    In terms of reaction, an organization should address computer security incidents by developing an incident-handling capability. Commonly referred to as a computer emergency-response team, it is typically used to provide the ability to respond quickly and effectively, contain and repair damage from incidents, and prevent future damage.

SSA's Actions to Address Security

    In developing Internet PEBES service, SSA used both government and private consultants. The Los Alamos National Laboratory provided a detailed report, including suggested solutions for addressing Internet security risks. Extensive support was also received from the CommerceNet consortium,(see footnote 12) as well as from individual private companies. Along with phased testing of ''PEBES-By-Mail'' and interactive PEBES, SSA took a number of measures that officials believed would adequately safeguard requesters' privacy, the system itself, and the data it contains. For example, both the request data and the on-line response utilize a form of encryption; further, according to SSA, requesters cannot directly query, browse, or download SSA records.

    SSA officials further state that automated transaction information is continually captured electronically, allowing SSA to audit system use and identify potential abuse; multiple attempts to obtain the same data are automatically restricted; and bulk requests are not honored. SSA officials add that individuals are alerted to on-line risks inherent in using the Internet to obtain PEBES data, and are offered alternative methods. They are also warned of criminal penalties for the intentional misuse of Social Security data.(see footnote 13) Finally, other measures were taken, whose disclosure by us today could compromise their effectiveness.
 Page 64       PREV PAGE       TOP OF DOC

    Despite these measures, however, detection of and action against security breaches is not simple. It is very difficult to track down computer-system abusers and, existing laws notwithstanding, prosecution is rare; one reason is that acceptable electronic evidence is not yet clearly defined.
    Mr. Chairman, as we stated earlier, we have just initiated our work and therefore cannot yet conclude whether SSA implemented a prudent approach to address the security risks in providing Internet PEBES service. Although the agency took steps it thought would render its data and system secure, we do not know whether they have succeeded. However, we do offer the following observations.
    We commend the Acting Commissioner's decision to suspend the service while investigating the adequacy of the security measures that have been taken. We also urge caution before any decision is made to resume the program.
    The Internet security issue is so large and daunting that SSA, like every other federal organization, will have to rely on commercial solutions and outside expert opinion. This reliance poses hurdles because the commercial sector, experts, and standards-setting bodies have not yet reached consensus on how to best solve Internet security problems.
    It is important for SSA—and every other agency considering Internet access—to decide whether they will be the stewards or owners of the information they hold. Being stewards implies a vast job of making the American public knowledgeable about computer security; being owners confers upon SSA the responsibility to assess the potential threat to its data with the utmost care and restraint.
    Regardless of the direction it takes on the owner/steward issue, SSA will need to demonstrate that it has performed a comprehensive risk assessment of the data so that the level of protection required can be clearly defined. Accompanying this task will be the need to provide an adequate training and awareness program that will enable users to understand the risks of Internet access.
 Page 65       PREV PAGE       TOP OF DOC
    Mr. Chairman, this concludes our statement. We would be happy to respond to any questions you or other Members of the Subcommittee may have at this time.



    Chairman BUNNING. Thank you for your testimony.
    I will start with Mr. Williams.
    In your testimony, you mentioned that SSA hired specialists to attempt to penetrate the firewalls which protect SSA's internal computer operation. These specialists were unable to penetrate firewalls. Do you have any recommendations in this area?
    Mr. WILLIAMS. We believe that no firewall may be completely safe and that the best answer to protection of the firewall is constant vigilance. We intend to undergo our own examination of the firewalls and hire an independent contractor that would report to us; and, of course, we would report that to you as well. Until then, we are relying upon the Agency's efforts to work with contractors, the latest of which was in April; and, as you said, Mr. Chairman, those efforts to penetrate SSA's firewalls were ultimately unsuccessful.
    There were some recommendations the contractor made to the Social Security Administration. We are tracking those, and we are aware there has been good compliance with recommendations that were made. We believe though, as I said, in closing, that the firewalls are never safe. As technology changes and hardware and software change, we need to stay on top of that with repeating the kinds of exercises SSA has begun.
    Chairman BUNNING. Did SSA consult with you before going online?
    Mr. WILLIAMS. They did, sir.
 Page 66       PREV PAGE       TOP OF DOC
    Chairman BUNNING. And what advice did you give them?
    Mr. WILLIAMS. We provided a technical advisor to SSA's Electronic Service Delivery Steering Team. Our Office of Investigations was asked to provide a briefing to the Steering Team as well, which we did; and I participated in executive sessions in which the matter was discussed. Our Office of Investigations advised the team that in its opinion, the data was of interest to people who might tend to abuse the data.
    We pointed to private investigators. We thought the data would be useful in divorce settlements and financial litigation, and there were a host of information brokers out there who would like to obtain it improperly.
    I said, although we thought the security features were good, the authentication mechanisms and protocols could be strengthened; and in the meetings that I participated in I repeated that I thought that there was a possibility that the authentication would be a problem and impersonation would be a possibility.
    Chairman BUNNING. Do you believe, bottom line, that America's privacy was adequately protected when PEBES went online and was operational?
    Mr. WILLIAMS. The Agency did a great deal to try to arrive at a balance in which privacy and customer service and economy played off against one another. I think that the Agency underwent an extensive effort to try to find that balance. I do believe that during these forums that are going to be held we are going to learn a lot of valuable information.
    Chairman BUNNING. Mr. Williams, answer my question.
    Mr. WILLIAMS. I think, from my standpoint, there was an adequate level of protection, given the value of the information that was available. I know that there are additional—I guess what I was getting at with that long answer, which I apologize for, things we could do. We need to know from the public how private these matters are, to them. Privacy is a very difficult matter to gauge.
 Page 67       PREV PAGE       TOP OF DOC
    Chairman BUNNING. Well, if you are sitting on this side and you have heard from your constituents, they are very private, and they were very concerned. They would like quick access—everybody wants instant response—but they are worried about privacy.
    Now, the bottom line is whether they are willing to give up the privacy for the access, the instant access. My feeling is they are not. And if you are telling me that they can't adequately—and Mr. Rhodes just told me that they can't adequately make sure that they can do this online, then we are going to have to continue the process that we legislate it by mail.
    I appreciate your input, and I appreciate all of you.
    Mr. Tanner, would you like to inquire?
    Mr. TANNER. Thank you, Mr. Chairman. I would like to ask one question.
    Could you outline the security concerns that are different when you receive an impulse online requesting a mail reply, reply by mail, and an impulse when the system was running requesting a reply back over the Internet? Are there different security concerns?
    Mr. WILLIAMS. The concerns are very similar, and the features protecting them are fairly similar.
    Mr. TANNER. We are talking about online here, and I just wondered—it seems to me that the system is subject to some of the same types of abuses, regardless of how you reply. Am I incorrect in that?
    Mr. WILLIAMS. No, there are some similarities. The basic difference and most important difference is that the mail PEBES are sent to an address, which provides a powerful disincentive for someone gaining it improperly.
    I might ask Ms. Gardiner if she would like to add anything. But, to me, the outstanding feature that punctuates the difference is the one coming to an address and you are at that address. That represents a substantial difference.
 Page 68       PREV PAGE       TOP OF DOC
    Mr. TANNER. When you say address, are you talking about the mail reply?
    Mr. WILLIAMS. Yes, sir. You must provide the address at which you would like that statement sent, and that provides a trail for investigators if you are obtaining that improperly.
    Mr. TANNER. There is no way to verify the accuracy of that mailbox, is there?
    Mr. WILLIAMS. Actually, we have information from the IRS that provides fairly current addresses. But the person who wants to misuse that could only misuse it if they were able to obtain it. So if it doesn't come to an address that they have access to, that later on we could investigate, they won't be able to obtain the information.
    Mr. TANNER. With respect to the reply back via the Internet, everyone has an address to the degree that it would be routed to that addressee, I would assume.
    Mr. WILLIAMS. That would tell us the machine from which the request was made. In some cases, that is a residence; and that provides a kind of problem but far less serious than when we can only track it back to a university in particular or a library that might have a very large number of users. Then we have a much more serious investigative challenge when that occurs.
    Mr. TANNER. Thank you.
    One question for Joel. You all indicate or raise some doubt in the information that I read that at this particular point in time there was adequate security for online access. Am I inferring correctly——
    Mr. WILLEMSSEN. We are speaking generically of Internet access. We initiated a review at SSA to look at what security mechanisms may have been put in place last week; so to the extent we find, in our view, that they have put in adequate mechanisms, we will report as such. But, generally, our view is the Internet is not a secure environment.
 Page 69       PREV PAGE       TOP OF DOC
    Mr. RHODES. I would concur with Mr. Willemssen's statements. Until we can delve deeper into the actual security structures, we won't be able to give an answer at this time; but when we do, we will report back to the Subcommittee.
    Mr. TANNER. Well, the reason I asked what—if I may, Mr. Chairman, from that statement, it appears that the security breach that they speak of is inherent in the Internet system and doesn't matter what government agency we are talking about here, if that is true. If the parent is flawed, may we say, then you mean to say that nothing over the Internet can be made secure in terms of the privacy issue we are discussing with these accounts?
    Mr. RHODES. No, the Internet can be made secure. It is a matter of whether or not the government is willing to bear the cost.
    Right now, the same Internet technology is used by the intelligence community. They have their own Internet. They own their own Internet. There is a DOD Internet; but the DOD Internet has been broken into, as we reported on last year. As we reported, they are getting hit about 250,000 times a year; and about 50 percent of them are successful; and only about 5 percent of them are discovered and reported.
    Mr. TANNER. I want to thank you for holding this hearing. It is very timely and I think very interesting.
    Chairman BUNNING. Mr. Christensen.
    Mr. CHRISTENSEN. Thank you, Mr. Chairman.
    On that note, Mr. Rhodes, when you were testing this program, obviously they had to be taking a look at the idea of computer hackers in libraries with the high schools and colleges.
    I am very supportive, obviously, of the whole idea of getting this information. As I said earlier in the first panel, it is vital to get the information to younger people, to the 18- to 25-year-olds.
 Page 70       PREV PAGE       TOP OF DOC
    I know the Chairman in this Subcommittee is very, very concerned about the security with the 65 and older population and even younger population, but I do believe that it is vital information for these young people to understand the situation the system is facing.
    What went wrong, in your opinion? You are the expert in the area. What went wrong when you were testing the system that, out of 77,000 hits, 44 percent have been in error? And the last testimony stated that maybe there were only actually five cases that were fraudulent, that weren't accidental. Don't you think that number sounds low? Or what is your opinion? And you haven't looked at this completely so I know everything is subject to change, but give me your best ballpark shot at this.
    Mr. RHODES. Again, I don't mean to fumble the ball; but we haven't gone into detail on this. And it would be a matter of going back and looking at the logs and seeing if the ''error return'' was a function of what was actually not in the database versus somebody trying to make a fraudulent inquiry or somebody actually attacking the system.
    You raise the issue of two-way authentication. If I am going into a public site at a university where several of us—say all of us here at this table—can use the same access point, then the only way that we are identified is by the information that we submit.
    It is coming back to a particular address at a university; but it is not necessarily coming back to Keith Rhodes in particular, except for the information that I pass. Therefore, the information that I pass becomes the key identifier.
    As more information is requested, as you move to more and more elements, you will then add more and more into the database that Social Security has to maintain. If you find out that the majority of the hits that were in error was a function of information that already wasn't in the database or was in the database in error, then you are increasing the workload on Social Security to scrub this data.
    Mr. CHRISTENSEN. You stated that the intelligence community has their own Internet, but yet they had 250,000 inquiries last year with 50 percent of them—DOD—either in error or fraudulent, but only 5 percent——
 Page 71       PREV PAGE       TOP OF DOC
    Mr. RHODES. No, those were actual attacks. They weren't in error.
    Mr. CHRISTENSEN. But only 5 percent were followed up in terms of prosecution or going after them. How do we increase that number? And what is the cost of a system if we were to look at a private Internet system for SSA?
    Mr. RHODES. I can't give you an off-the-top cost estimate. That is something that we could obviously report back. But one of the things that continues to be daunting to any security over the Internet is the ability to prosecute.
    The Judge Advocate General of the Air Force Office of Special Investigations, who is probably the most experienced person I have encountered in trying to prosecute Internet attacks, gave us a wonderful line. It is fighting 20th century crime with 18th century law. And he described people like Jim Christy, who is a Special Agent out there, as a territorial marshal back in the 1800s.
    I will give you one quick example. I see the time is running out. But a young man in Argentina broke into government computers. It was one of the first times an electronic search warrant was issued. They were able to trace him back to Argentina, and he was prosecuted in absentia. Yes, he has been found guilty; and should he ever step into the United States, he will go to jail.
    But that gives you a view of what the Internet is. Electronically, digitally, he has been to the United States; but you can't prosecute the electrons. You have to go after the person. So this becomes the difficult part.
    Yes, inside the United States of America, it might be easier to prosecute; but, as we saw in cases in the Department of Defense, it is very hard even to get the United Kingdom to expedite the information, not the person, just the information about the case of a British citizen who breaks into U.S. computers.
 Page 72       PREV PAGE       TOP OF DOC
    These are the larger issues. If I can protect as best I can, I can detect and react technically, then I can't prosecute, then I haven't followed through with the three legs of the stool. I have two and a half legs of the stool.
    Chairman BUNNING. The gentleman's time has expired.
    Mr. Collins.
    Mr. COLLINS. I will yield some time to Mr. Christensen.
    Mr. CHRISTENSEN. I will come back.
    Chairman BUNNING. Mr. Portman.
    Mr. PORTMAN. Thank you all for your testimony. I have a lot of questions.
    Mr. Rhodes, you and Mr. Willemssen were talking about sort of your general view on the Internet, on security issues and so on. And I listened to your testimony, Mr. Willemssen. You talked about the Social Security Administration as being stewards of the information and not owners of the information; and the implication of that was, as owners, you might protect the information differently. As stewards, you manage it, provide it.
    But then Mr. Rhodes talked about the SSA is like the homeowner of the glass house without walls. Do you all differ on these characterizations? Are we homeowners or are we owners or stewards? And what does that mean for the SSA and how the government protects and manages information?
    Mr. RHODES. It is not really a difference. It is where the requirement for security is going to come from.
    If the impact, the negative impact is at an individual level, then your requirement as an individual citizen is to be informed about what the risks are. I understand the forums are going on, but trying to disseminate adequate risk——
    Mr. PORTMAN. But as an individual, you don't have any choice. If all this information is on the Internet, short of blocking your name—which is an option——
 Page 73       PREV PAGE       TOP OF DOC
    Mr. RHODES. That is a question that needs to be asked, is who actually owns the data.
    Mr. PORTMAN. Earlier, the Social Security Administration said we are out there finding out that some people are willing to take the risk. That doesn't really answer the question. Unless everybody wants to take the risks, that means some unsuspecting person who doesn't care about accessing his or her information is going to take the same risk that all the rest of us take that want to get the information.
    Is blocking the name a very expensive enterprise for the SSA to go into? Have you looked into that issue?
    Mr. RHODES. We are still in process on that, and we don't have any information on the exact cost and scope that it would take to block the name.
    Mr. PORTMAN. And provide people with the information that they can block the name. How do you feel with PIN numbers? Think about when you go to the corner ATM, plug in the PIN number. Of course, you have a card, too.
    Mr. RHODES. Yes, you do have a card; and the card is a token. It is something I know, something I have, something I am. Those are the three pieces of identification. In that case, you have two—something you have and something you know. You have a card and a PIN number. Short of having biometrics, somebody can scan my retina or something——
    Mr. PORTMAN. We will know if it is really you.
    Mr. RHODES. Right. But if I begin to add additional pieces of information and the link I am passing is insecure, then I am giving more pieces of digital identity exposure.
    The other side is if there is more information added that is required of the individual Social Security person, then there is more that has to be managed and maintained inside the Social Security database.
 Page 74       PREV PAGE       TOP OF DOC
    As I was saying to Mr. Christensen, there is an overhead associated with that. If you find out that half of the hits on the system were in error because something is missing out of the system, then you have to take into account the operational impact. PINs managed properly are good things. Passwords managed properly are good things. Encryption managed properly is a good thing. Getting all those together is a systematic thing, and you won't get it from one person.
    Mr. PORTMAN. And it is also a cost. As you said earlier, what the CIA, NSA and others do is very costly.
    Let me ask you one question. Are you all comfortable that SSA, as they analyze the cost and benefits of this, are taking into account the fact that a typical mail response as to a PEBES is about $5 and that an Internet access is a few cents?
    Mr. WILLIAMS. I would say they are clearly focused on costs——
    Mr. PORTMAN. I mean in relation to the security aspect of it, that there will be cost to the security but there is also a savings.
    Mr. WILLIAMS. Yes. As I said, they are clearly taking those into account; and that is a very powerful factor in the determination of the cost versus the benefit.
    Mr. WILLEMSSEN. Not to be evasive, but since we just got in last week, that is an issue we want to get into, but we can't be conclusive at this time.
    Mr. PORTMAN. Thank you.
    And Mr. Chairman, I commend you for having a hearing on this and just the general issue.
    Chairman BUNNING. Mr. Hulshof.
    Mr. HULSHOF. Thank you, Mr. Chairman.
 Page 75       PREV PAGE       TOP OF DOC
    In fact, as a point of clarification, was the Department of Justice invited to testify at today's hearing?
    Chairman BUNNING. Yes.
    Mr. HULSHOF. And it is my understanding they are going to be submitting testimony but declined to testify. Is that true?
    Chairman BUNNING. That is right.
    Mr. HULSHOF. You talked about efforts of the Department of Defense, and specifically the Judge Advocate General, utilized in prosecuting unauthorized hits. Let me go to you, Mr. Williams. Do you have a sense of how successful the government has been prosecuting these violations?
    Mr. WILLIAMS. I would be pleased to begin.
    There has been some success. There are problems. This is a brandnew area for the government to get into. They have made some substantial cases.
    The Secret Service made an investigation against an electronic gang in New York called the Masters of Deception that shut down the NYNEX system.
    Secret Service also investigated a matter at Cornell University in which a student was able to penetrate a Department of Defense computer, and the Office of Special Investigations for the Air Force made a large case involving foreign espionage from East Germany.
    But the cases are very labor intensive. The matter of adequacy of evidence is very unsettled. As was pointed out, we are dealing with a justice system in the courts that is very uncomfortable with this kind of new evidence; and there is a high degree of uncertainty; and there is not much case law that has been established either. All of those things need to thicken up before we can go forward in a very efficient manner. These are very labor-intensive matters.
    Mr. HULSHOF. And let me follow up. Mr. Rhodes, I think you were repeating about someone following up on 20th century crimes with 18th century laws. I am not sure that hanging or drawing and quartering are proper solutions, but what might you suggest for bringing us up to the 21st century as far as solutions are concerned? Mr. Williams.
 Page 76       PREV PAGE       TOP OF DOC
    Mr. WILLIAMS. One thing we have got to settle is, in a paperless environment, how can we absolutely identify the person that made the request or that is on the computer if they don't actually sign their name?
    All of the courts I am aware of are familiar with the introduction of fingerprints and handwriting, and those result in convictions. Absent that, the work you have to do to authenticate even the person you are investigating involves physical surveillance of both the person and the computer simultaneously. You have to get PIN registers which attach to telephone wires and can tell you in an ongoing fashion what calls are being made so you can respond to those.
    As it stands, those are difficult matters, and they are just beginning to go through the courts. There has been a good record of convictions, but it is thin, and we are just seeing the first ones pass through.
    Mr. HULSHOF. As a former criminal prosecutor, I am intrigued by this. Perhaps we can explore this at some length later on.
    You mentioned, Mr. Williams, in your testimony that after the front-page piece in ''USA Today,'' prior to that there were about 28,000 requests; and in the 2 days following the number was nearly 50,000. I know the attempts were made. Were any of them successful, to our knowledge?
    Mr. WILLIAMS. Yes, I think we received a number of legitimate requests along with the others. I believe the number—I am trusting my memory here, which is not a good thing, but I think it was around 37 percent of the requests resulted in PEBES Statements being sent out. We have some people in the room that might correct me, but I think that was about the ratio of those. There were a number that just visited the site but didn't make a request and a number that were unsuccessful when they made attempts.
    Mr. HULSHOF. My time is running short, and by asking this question I don't want anybody to assume facts not in evidence. Recently, we passed the Taxpayer Browsing Protection Act. That was done on April 15. What controls does SSA have over employees perhaps browsing individual earnings information? I am not suggesting that this has happened; but, as we are continuing this discussion, what thoughts can you share with me?
 Page 77       PREV PAGE       TOP OF DOC
    Mr. WILLIAMS. That is a concern.
    We have a fairly aggressive program. It begins with blocking out persons of prominence in the government and people who have been the subject of a lot of publicity, such as Hollywood people. They are completely blocked out; and you have to obtain supervisory approval to view those records.
    Managers have a responsibility to examine records and audit trails of the number of inquiries that were made; and we have programs that show the average number of inquiries that a various—that a person in various positions ought to be making. And when we have anomalies, it is the manager's responsibility to examine those or refer them to us for examination.
    You can't get into our computer either without a PIN number, so it leaves a trail behind every single one of your inquiries. And once we get on to you, we can examine the nature of those and the ones that were improper.
    Mr. HULSHOF. Thank you, sir.
    Chairman BUNNING. Is there anyone else who would like to question?
    Mr. CHRISTENSEN. I just wanted to follow up on Mr. Williams' questions with Ms. Gardiner. So when your office is called in to an unauthorized hack, I guess, what happens? What is the first step in terms of the process, Ms. Gardiner?
    Mr. WILLIAMS. Actually, if I may, Ms. Gardiner is our Audit Chief. Our Investigative Chief is Jim Huse, and he is with us. So if I can start us off, we can see if he has anything to add.
    It begins typically with an anomaly, and the most common one is multiple statements that are sent to a single address. That alerts us, and those have been the ones that we examined earlier that the Commissioner referred to. We go to the log and see what the machine was that made the request and what request was made. Then we try to find out, we look back at other requests that were made and try to understand the nature and the purpose of the request, whether it is information brokers or a financial scheme.
 Page 78       PREV PAGE       TOP OF DOC
    The next step would be to get the phone records and analyze those and see where the computer has been going——
    Mr. CHRISTENSEN. How far along in the process are we, about 1 week, 2 weeks?
    Mr. WILLIAMS. Yes, sir, that is about the 1-week level, we issue the subpoena. And the phone companies are very good about those. They have a specific security unit set up. We look at the proximity of calls near the suspect call to try to discover the pattern of the user's identity, and we are trying to get what the activity is, what the crime is.
    We try to make connections between the accountholder and the person making the inquiry during this period, too. We try to look at other kinds of signature connections and requests to try to see if they are trying to get into a bank or a wire transfer or a credit card company to activate a credit card or to provide information to one of these information brokers.
    We try to find out all we can about wherever that machine is located. We put PIN registers on it, which allow us to proactively tell each time the computer is contacted for a request so we can respond to those in a very timely manner as opposed to phone records.
    Ultimately, when we are ready and we have the evidence, we execute a search warrant to seize the hardware and software. At this time, for the moment, we depend on the Department of Justice to have computer forensics done on the machine to try to find out everything we can about the history of that machine's requests.
    Mr. CHRISTENSEN. How many of those have you done as far as being with the Department of Justice involved with computer forensics and that whole process? Dozens? Hundreds? Thousands? One?
    Mr. WILLIAMS. I am new to the Social Security Administration, and we have not examined a number of these. I have been an Inspector General elsewhere. I have probably been involved in a half dozen of those.
 Page 79       PREV PAGE       TOP OF DOC
    Mr. WILLIAMS. Yes.
    Mr. CHRISTENSEN. Thank you, Mr. Chairman.
    Chairman BUNNING. I thank the panel for their testimony, and we appreciate your cooperation.
    [Questions and answers follow:]
Questions submitted by Mr. Bunning, and answered by Mr. Callahan

1. Based on review of the hearing testimony, I am confident that SSA has received important information to help determine the future of making PEBES available online, I'm convinced, however, that ultimately, this discussion represents just the tip of the iceberg regarding the overall debate on government information available via the Internet. Does the Clinton administration have specific final guidelines for Federal agencies to follow? If there are such guidelines, please supply these for the record.

    There are no final guidelines from the Clinton Administration on government information availability on the Internet. However, we understand that the Office of Management and Budget's (OMB) Office of Information and Regulatory Affairs is preparing such guidelines.

2. You note that you consulted extensively with Los Alamos in assessing risks and solutions to your Internet service. Why did you choose to consult with Los Alamos instead of the National Institute of Standards and Technology (NIST), the agency that is legislatively charged with providing technical assistance to federal agencies concerning computer security? Did you consult NIST as well? If so, what recommendations did NIST Make? If you did not consult NIST, please explain why? Have you consulted NIST's assistance as you assess possible modifications to the System?
 Page 80       PREV PAGE       TOP OF DOC

    •  Before SSA consulted with Los Alamos, we met with NIST, to ascertain if they could provide consultant services similar to those later provided by Los Alamos. At that time NIST was unable to provide the services because of previous staff commitments. Los Alamos was then chosen because they were well suited to perform the types of analyses we were seeking. We have kept in contact with NIST, and, in fact our Office of Telecommunications and Systems Operations consulted them on firewall technology.
    •  SSA did not specifically request analysis or study by NIST on the Internet PEBES. However, SSA has maintained an ongoing relationship with NIST staff. We have briefed them on our electronic service delivery activities and have reviewed their draft of ''KEEPING YOUR SITE COMFORTABLY SECURE: AN INTRODUCTION TO INTERNET FIREWALLS,'' an overview of the Internet and security-related problems.
    •  NIST and SSA are both members of the Federal Public Key Infrastructure Steering Team. We have discussed with NIST representatives the technical and privacy issues surrounding implementation of the interactive PEBES.

3. In your testimony, you outline a number of government and private sector parties whom you consulted prior to making PEBES available online. Which of these provided you with guidance specifically on privacy issues, as opposed to system security? Did they provide written suggestion or guidance on issues regarding protection of personal privacy? If so, please provide any record of them (such as meeting notes) to the Subcommittee for the record.

    Systems security on the Internet is essential to privacy, and it is difficult to separate the two. Many of the discussions with government and private sector authorities centered on systems security measures and enhancements necessary to protect the privacy of the individuals who would be accessing their PEBES online. For example, we consulted with members of the CommerceNet consortium which includes representatives of Internet users from both the public and private sectors. Other than the Los Alamos report, we did not specifically receive written guidance from any other party on the security of the PEBES.
 Page 81       PREV PAGE       TOP OF DOC

4. While the Subcommittee acknowledges the considerable effort made by SSA to establish a secure computer system, what mechanisms did you have in place for continually assessing systems security and responding to attempted break-ins? Did you have a method for determining who and how many people gained unauthorized access to the PEBES web site?

    •  SSA takes a proactive approach to monitoring all of its Internet servers. This includes visual monitoring of firewall activity during the day-shift hours by the firewall technical team, as well as daily analysis of the previous day's firewall logs. For the evening and night shifts, SSA has incorporated real-time alerts for the network monitoring staff. SSA already has a comprehensive network monitoring facility in place to quickly respond to any network problem that may arise. We have included firewall alerts that are displayed on one of the monitoring screens warning the network control personnel of an immediate problem. Procedures for appropriate action have been included with these alerts, as well as hands-on training for the personnel. Additionally, depending on the severity of the alert, the firewall pager will be called, notifying the firewall personnel to respond. If the alert were to indicate an actual break-in, the procedures instruct the personnel to immediately shut down the equipment. The firewall personnel also have the ability to remotely shut down the equipment securely through an internal connection.
    The firewalls are also secured with a secure key. The firewall software requires any attempted login to correctly respond to a 10-digit, one-time only, alphanumeric password. The only way to answer that password is to physically have a hand held calculator-like device that corresponds to the firewall software. The 10-digit number is keyed into the key device, after which, the secure key replies with another 10-digit, one-time only password that must be keyed into the firewall in order to gain access. No logins are allowed from the external, non-secure (Internet) side of the firewalls.
 Page 82       PREV PAGE       TOP OF DOC
    The monitoring personnel have operational procedures that are used to monitor the SSA home page at least once every half hour for anomalies that would indicate corruption, such as one the Justice Department experienced. These procedures also require immediate shutdown of the web server and notification of the web personnel.
    In addition to the above, SSA has contracted the services of an Internet emergency response service that does continual external monitoring of our Internet servers and firewalls. They provide weekly scans of our servers and firewalls that specifically look for vulnerabilities such as open ports or accessible directories, or anything that would allow unauthorized access to SSA's network via the Internet.
    •  No unauthorized access was ever gained to any of SSA's Internet secure gateways, including the PEBES servers. Our method for determining unauthorized access is described in the first part of this answer. The only additional information that can be added is that all attempts have been traced back to the source provider. Additional information on attempts is described in detail in the answer to question #8.

5. Many violations of privacy and systems security come from within an organization. What safeguards do you have in place to ensure that SSA employees are not violating individuals' privacy and are not gaining unauthorized access to online information?

    SSA has an extensive system to control access to sensitive information by our employees. Since SSA employees work with personal information to perform their jobs, we do permit access to information protected by the Privacy Act, but it is carefully controlled by the employee's position, so that each employee has access only to that which is needed for his/her position. This control is provided by a security software package called Top Secret which has been rated C2, i.e., meets the government standard for security controls for processing sensitive information, by the National Security Agency. SSA also has an extensive program of integrity reviews to review the access of our employees to sensitive data, and ensure that they are not accessing information for which there is no Social Security program-related need.
 Page 83       PREV PAGE       TOP OF DOC

6. What was the role of SSA's chief information officer in the decision to make PEBES available online and the privacy and security issues involved therein?

    SSA's Chief Information Officer reviewed the content and context of the online PEBES, the controls in place and the risk associated with initiating the pilot.

7. If SSA becomes aware that an individual's personal information was the subject of unauthorized access, what is your policy regarding notification of that individual? Do you inform the individual? If so, what information do you provide about who may have accessed the information (from your audit trail)?

    The only instances of unauthorized access to computer files of which SSA is aware have involved SSA's employees. SSA's policy is, if an employee accessed an individual's record without authorization but took no action, we would not notify the individual whose record was inappropriately accessed. Where an employee engaged in criminal activity with the use of unauthorized access, we work with the appropriate Federal and State enforcement agencies and follow their guidance on a case-by-case basis on when to advise individuals that their records were improperly accessed.

8. How many (if any) attempts to hack into your web site or other computer systems have you identified? If you have identified such attempts, what was you response? Did you request assistance from the federal computer incident response capability at NIST, or the computer emergency response team funded through the Department of Defense? If so, what were their recommendations and conclusions?
 Page 84       PREV PAGE       TOP OF DOC

    •  We believe we have identified all attempts of unauthorized access to our Internet servers and firewalls. Again, this identification is possible because of our proactive monitoring as described in the answer to question #4.
    Before explaining in some detail the actual attacks received, we need to clarify the major differences between innocent attempts and actual attacks.
    An attempt may be repeated innocent tries at connecting to a server—the user not realizing that the server does not allow this type of telnet activity. A single service provider like America On Line, may have 30 or so telnet attempts at a given time. Because we only see one address from that large service provider (not for each of the individual users), there is a good chance that this represents 30 different individuals innocently trying once each to telnet. Only if analysis of these attempts indicates a possibility of deliberate unauthorized access would we investigate. If we see this many attempts coming from a smaller service provider or university, we contact their security or data processing department and report it as suspicious activity. In practically all such cases we receive a positive reply from the service provider with their willingness to correct the situation by blocking the activity from their end, or by revoking service to the user.
    An actual attack that would warrant investigation would be scans via Sniffer type devices that probe the firewalls or web port addresses looking for access routes into our private network. An attempt to login to our server, or read or extract private files, would definitely be considered a hostile attack.
    •  In early April, at the time of the USA Today article, we received around 40 attempts, mostly of the telnet variety as described above. Only 3 of the 40 were considered to be actual hostile attacks. Two were probing the PEBES secure server (Sniffer scans of port addressees), and one was an attempt to steal the password file from the web server (www.ssa.gov). Standard procedure for SSA is to immediately act upon all aggressive activity and all the above mentioned have been contacted by email or by voice. The SSA firewall technical team was able to trace the attempted intruders by Internet Protocol address back to their originating Internet source provider. This so far has been successful for 100 percent of all suspicious activity. The attempt to steal the password file from the web server is being handled by the provider, with legal action being taken. The unsolicited probing of our PEBES secure server/firewall was handled with an email message and phone call, and corrective action has been taken by the service provider. We have found that Internet providers are extremely concerned with security issues and are more than willing to assist and to correct these types of issues.
 Page 85       PREV PAGE       TOP OF DOC
    •  Because of the willingness of providers to cooperate and the technical and legal assistance our emergency response service provides, we saw no need to contact NIST for assistance. We have received training from NIST for our internal incident response team, and NIST was our sponsor for membership in the Forum of Internet Response Teams (FIRST).

9. You conducted several pilots or pre-tests of the system in order to obtain public input. Did you specifically ask the participants whether they had concerns about loss of privacy?

    In the pilots conducted before activation of the interactive PEBES, we asked the public to give us general comments. The language of the comment form stated:
    ''Thank you for trying the Social Security Interactive PEBES Request, a service of Social Security Online. You are part of a test of this new and innovative service and we would like your comments. We are especially interested in any comments that you may have on:
    •  The format of the PEBES request form;
    •  The amount of help available;
    •  The format of the PEBES response; and
    •  Any other comments that you may have on this service.''

10. I understand that both the Department of Health and Human Services and the Internal Revenue Service have created privacy offices. Has SSA established a comparable entity within your agency?

    SSA established a privacy organization prior to the enactment of the Privacy Act of 1974. Because of the nature of the information our Agency by necessity collects, SSA always has had a pledge of confidentiality to the American public. Currently, the Office of Disclosure Policy, which consists of staff whose responsibilities are rooted in the Privacy and Freedom of Information Acts, develops policy and regulations for SSA, analyzes and evaluates the privacy provisions of related laws and statutes and ensures the Agency's compliance with the Privacy and Freedom of Information Acts.
 Page 86       PREV PAGE       TOP OF DOC

11. Given the growing use of electronic services for public access to government information, do you believe that there is a need for increased government-wide guidance or policies concerning privacy? Should the government establish a privacy commissioner as is suggested by one of the hearing's witnesses, Mr. Hendricks?

    We currently look to OMB for guidance concerning privacy both through their circulars and guidance rendered through informal contacts and have found the combination to be sufficient.
    SSA does not believe the establishment of a privacy commissioner would be beneficial since each Federal agency must incorporate privacy policy and law in a manner that best ensures both privacy protection and successful accomplishment of each agency's unique missions.

12. How many complaints did you receive at SSA regarding the PEBES online initiative?

    From April 7, 1997 (the date an article first appeared in USA Today) through May 27, 1997, we received comments on the PEBES from several sources:
    General E-mail to Webmaster (webmaster@ssa.gov):
    Comments favorable to online PEBES 3772
    Comments unfavorable to online PEBES 203
    Requested that the owner's PEBES record be blocked 12
    General comments/inquiries on PEBES but did not express opposition or support of online PEBES service 3127
    Suggested improvements of online PEBES service 54
    Had problems accessing PEBES when online 228
 Page 87       PREV PAGE       TOP OF DOC
    Questions about public forums on PEBES 11
    Total 7407
    E-mail comments to a public comment site that SSA has established on our Website (http://www.ssa.gov/forums/online—forum.html):
    Comments favorable to online PEBES 261
    Comments unfavorable to online PEBES 22
    Total 283
    Phone calls to SSA's Office of Public Inquiries (OPI):
    Requested that the owner's PEBES record be blocked 56
    Objected to PEBES information being available on the Internet 53
    General comments/inquiries on PEBES but did not express opposition or support of online PEBES service 22
    Total 132
    Written Inquiries to OPI:
    Complaints about online PEBES or request to be blocked 60
    Other written comments which were not complaints 7
    Total 67
    Total PEBES comments 7889
    Total comments complaining about online service—406 (5%)

13. In response to your comments about the first public forum on PEBES online, one of the Subcommittee Members asked several questions. How many SSA employees are scheduled to participate in the forums? What are the estimated costs for holding these hearings? From what portion of SSA's budget are these expenses coming?

 Page 88       PREV PAGE       TOP OF DOC
    The number of SSA staff traveling to the PEBES forums typically ranges from 8–10.
    •  This number consists of the Acting Commissioner and three senior executives who appear with him on the SSA panel.
    •  Additionally, SSA sends a senior official from the Office of Communications to deal with the media and to provide any necessary on-site support.
    •  SSA also sends several technical experts to provide advice to the SSA panel and to prepare for the written report that will follow.
    •  Lastly, the host Regional Commissioner and the lead Public Affairs Officer will normally travel to the forum site.
    SSA held six forums throughout the country in May and June 1997. The total cost is estimated to be $35,000.
    The costs of conducting the forums will be borne by SSA's Limitation on Administrative Expenses appropriation.

14. Who were the individuals who testified at the public hearing held in Hartford?

    In addition to the individuals who appeared as part of the panels (see list on page 20) at the forum held in Hartford, CT two private individuals, Mr. Steven Thal and Mr. Donald Fyall, offered comments.



 Page 89       PREV PAGE       TOP OF DOC
Questions submitted by Mr. Bunning, and answered by Mr. Williams

Question 1. Is the Office of the Inspector General (OIG) aware of any violations of the PEBES [Personal Earnings and Benefits Statement] on-line process? How does your office detect violations of the process? What are the challenges your staff face as they investigate alleged violations?

    Answer: We are not aware of any violations of the PEBES on-line process. We would become aware of violations to PEBES through the established criminal referral procedures utilized by citizens, law enforcement agencies, and Social Security Administration (SSA) components such as the OIG Hotline, OIG field offices, or SSA components. To date, some anomalies to the PEBES process have been referred by SSA for investigation; however, these have been determined to be legitimate inquiries.
    There are significant challenges to investigators as they seek to resolve alleged violations of the PEBES process. Investigators must: (1) identify the computer system facilitating the unauthorized inquiry; (2) establish the identity of the individual using the computer system; (3) establish fraud or damages to ensure successful prosecution; and (4) ensure the integrity of SSA records.

Question 2. Could you describe the statutory criminal provisions, and their potential application, which may be utilized in cases involving improper PEBES access?

    Answer: There are several Federal criminal provisions which may potentially apply when an individual improperly accesses on-line PEBES information. These provisions, which are listed below, can be found in the Social Security Act, Title 18 of the United States Code, and/or the Privacy Act of 1974. PEBES on-line was available for only a few months, however, there was little opportunity for our office, in conjunction with the Department of Justice, to test these criminal statutes in actual case settings.
 Page 90       PREV PAGE       TOP OF DOC
    The criminal provisions include:
    False Representation—42 U.S.C. 1307—Whoever, with intent to elicit information as to the Social Security number (SSN), date of birth, employment, wages, or benefits of any individual falsely represents to the Commissioner of Social Security (Commissioner) or the Secretary of the Treasury that he is such individual shall be fined up to $10,000 or imprisoned for not more than 5 years, or both, for each violation.
    Intentional SSN Misuse—42 U.S.C. 408—Whoever, with intent to deceive, falsely represents a number to be the SSN assigned by the Commissioner to him or to another person, when in fact such number is not the SSN assigned by the Commissioner to him or such other person, shall be fined up to $250,000 or imprisoned for not more than 5 years, or both.
    False Statements—18 U.S.C. 1001—Whoever knowingly and willfully makes any materially false, fictitious or fraudulent statement or representation shall be fined up to $250,000 or imprisoned for not more than 5 years, or both.
    Unauthorized Computer Access—18 U.S.C. 1030—Whoever knowingly, and with intent to defraud, traffics in any password or similar information (e.g., SSN) through which a Government computer may be accessed without authorization may be guilty of a misdemeanor and/or felony and/or fined depending on the relevant section violated. The range of penalties and fines is quite broad and highly fact-specific.
    False Pretenses—5 U.S.C. 552a—Any person who knowingly and willfully requests or obtains any record concerning an individual from a Federal agency under false pretenses shall be guilty of a misdemeanor and fined up to $5,000.

Question 3. In your report on SSA's Fiscal Year 1996 financial statements, your office expressed your concerns over controls in SSA, in an era where the agency is moving to more on-line access and processing power. Would you briefly discuss your overall concern in this area?
 Page 91       PREV PAGE       TOP OF DOC

    Answer: Our overall concern is that our audit results indicate that SSA has insufficient separation of duties or compensating controls to reduce to an acceptable level of risk undetected errors and/or irregularities in the following SSA systems:
    Modernized Claims System
    Modernized Supplemental Security Income Claims
    System (MSSICS)
    Manual Adjustment, Credit and Award Data Entry
    System (MACADE)
    Critical Payment System
    Earnings Modernization 2.8 System
    For example, under SSA's title XVI program, 11,800 SSA employees can use MSSICS to unilaterally change death information, process SSN applications, and adjudicate Supplemental Security Income claims without a secondary review.
    Similarly, under SSA's title II program, our audit found that a dishonest benefit authorizer in any of SSA's seven Program Service Centers could use SSA's new MACADE system to issue a fraudulent payment under an SSN holder's account, send payments to the benefit authorizer's bank account, and conceal the payment by altering payment data on SSA's payment record and suppressing 1099 information. Furthermore, SSA is currently conducting a pilot study to determine if direct input through MACADE should be expanded to all of its 1,300 field offices.
    Our reviews also found inadequate compensating controls in SSA's systems. For example, to compensate for its lack of separation of duties, SSA field offices (FO) perform integrity reviews of a certain number of benefit payment transactions. Our audit found that integrity reviews are performed in only 1.23 percent of MSSICS awards. Also, about 58 percent of SSA's FOs were not subject to integrity reviews. In addition, the integrity reviews do not include high-risk transactions where employees use MSSICS to change death information or process SSN applications for the same accounts for which they adjudicate claims. Our review of compensating controls under MACADE found that SSA's criteria excluded more than $86 million in payments from integrity reviews at its Philadelphia Program Service Center.
 Page 92       PREV PAGE       TOP OF DOC
    The pervasive occurrence of the lack of separation of duties and/or compensating controls where dishonest employees could enter and conceal errors or irregularities in SSA's on-line systems led us to recommend that SSA report this condition as a material weakness under the Federal Managers' Financial Integrity Act criteria.

Question 3a. As part of your investigations are you exploring potential internal privacy threats from employees as well as possible external threats?

    Answer: In this era of electronic services and digital technology we are keenly aware that vulnerabilities can be exploited by employees and others utilizing new and innovative techniques. We have dedicated resources within OIG to coordinate and cooperate with SSA to deal with these potential threats.
    Employee fraud and misconduct are top priorities of OIG. Experience has shown that the ''insider'' is always the biggest threat to any system or organization. Employee access to the various systems is profiled and periodically audited to detect unauthorized or inappropriate activity. All access to SSA systems is tracked by an employee's personal identification number (PIN) and is subject to reviews by SSA's integrity staff.
    To deter ''browsing,'' SSA has a computer program which will prevent employees from accessing the earnings records of individuals of extraordinary national prominence such as high-level Government officials including the President and his family, the Vice President, Members of Congress, Supreme Court Justices, and individuals designated by the Commissioner. Examples of individuals designated by the Commissioner include persons under the witness protection program, the Commissioner's family, certain newsworthy individuals, and requests by other agencies such as the Federal Bureau of Investigation and the Central Intelligence Agency. If someone attempts to access such a record an alert will come up on the employee's computer screen and also be sent to the computer security officer.
 Page 93       PREV PAGE       TOP OF DOC
    Browsing can also be discovered by a citizen's complaint, if brought to his or her attention, or by management looking for excessive use or access of files. Citizens can report suspected browsing through SSA's toll-free 800 number, field offices, or the OIG Hotline. To help identify instances of excessive use, SSA management is required to periodically review individual earnings query activity through SSA's management information system. SSA's management information system contains information on what the average number of earnings queries should be and how many queries each employee performed. When SSA is notified by a citizen, or an SSA manager finds excessive use of earnings queries, SSA policy is to notify OIG so that we can evaluate the allegation and conduct an investigation, if warranted.

Question 4. You mention that on-line services provided by most financial and retail industries are based upon the customer voluntarily participating, but in the case of PEBES, this is not true. Do you believe that SSA should establish some method for allowing individuals to approve or disapprove of having their PEBES information on-line?

    Answer: We believe that until SSA can provide additional security measures to the interactive PEBES, such as use of a PIN and password, SSA should establish some method of allowing individuals the choice of having their PEBES information on-line. SSA can provide the public with the choice to participate in PEBES by altering its system in one of two ways, both of which entail additional programming and maintenance costs. SSA can limit the service to citizens who specifically request it, or block the service for those who indicate that they do not wish to participate. Either way, the public would be given the same choice to participate afforded by virtually all private on-line services. We believe that SSA should pursue the more cost-effective of these two alternatives.

 Page 94       PREV PAGE       TOP OF DOC
Question 5. You mention that most financial services require passwords or personal identification numbers (PINs). Would it be feasible for SSA to consider such measures?

    Answer: The PIN is an option that SSA has considered and must again consider seriously before reinstatement of the interactive PEBES. In 1995, SSA established an Electronic Service Delivery steering team to study and advise on electronic service delivery issues including identification and authentication by means such as PINs and passwords. The team considers these and other mechanisms on an application-by-application basis.
    However, the PIN presents problems both to SSA and to the public. Any method to assign PINs would require an additional step by individuals before they can request a PEBES. Adding this step, particularly if the requirement is to apply in person for a PIN, would place a burden on the public which may offset the convenience of the service.
    In addition to the burden placed on the public, SSA would need to establish an infrastructure to assign and maintain PINs. Some activities required would be to cancel stolen or compromised PINs, assign new ones, retrieve old PINs for people who have forgotten their PINs, and maintain a database of all PINs assigned and the evidence submitted to support the assignment of a PIN.

Question 6. You offer several options for improving systems security. In your opinion, if these were implemented, would public confidence in the system be increased?

    Answer: We believe that public confidence would be increased if the options we offered were implemented. These options included:
    explore the option of confirming requester addresses against the address file SSA obtains from the Internal Revenue Service;
 Page 95       PREV PAGE       TOP OF DOC
    reduce the number of unsuccessful attempts allowed from eight to three, and then deny further access until the individual visits an SSA office;
    confirm the entire maiden name of the requester's mother;
    provide PEBES only by mail, but allow requests via the Internet;
    allow the public the option to block their records from Internet PEBES; and
    consider using PINs, passwords, or digital signatures.
    The increased level in public confidence, however, would vary depending on which of the options was implemented. Activating some of the options, such as blocking, could have a substantial impact on public confidence. Other less costly actions, such as requiring the entire mother's maiden name as part of the access requirements, would have less effect.
    We believe that the correct balance between security, privacy, and cost can best be determined after we review the information garnered through the public forums SSA is currently conducting across the country.
    On a related systems security note, this year we issued three audit reports on SSA's data security at its National Computer Center (NCC). In each audit we identified deficiencies in the systems security area. SSA has either corrected the deficiencies or is working with OIG to correct the deficiencies identified. Security over resources at the NCC is critical to protect SSA's centralized processing operations and data. These audits include:
    ''Review of CA-TOP SECRET Access Control Software,'' which examined the security procedures in place for access controls to SSA's systems for people who work in SSA's NCC;
    ''Review of the Back-up and Recovery Procedures at the National Computer Center,'' which analyzed SSA's ability to continue to provide data processing services for FOs if the NCC was unable to function as a result of a disaster; and
 Page 96       PREV PAGE       TOP OF DOC
    ''Review of Physical Security at the Social Security Administration's National Computer Center,'' which evaluated SSA's physical security program at the NCC.

Question 7. What recourse do individuals have if they believe their personal data have been accessed by unauthorized persons?

    Answer: SSA and OIG promote a variety of public education and awareness vehicles so that individuals will know to contact the SSA Hotline or the OIG Hotline, or to visit a local SSA office and report any concerns or suspicions. A number of different systems queries can be conducted that will determine if an individual's personal data has been accessed and to what extent, if any, it was affected. At that point, any inappropriate activity would be identified and the data restored or corrected.

Question 8. Who has oversight authority for Websites and Internet in general within the Federal Government?

    Answer: Although security management is primarily the responsibility of agency managers, under the Paperwork Reduction Act of 1995, Pub. L. 104–13, the Office of Management and Budget (OMB) is charged with overseeing the use of Federal information resources, including providing direction and overseeing the ''privacy, confidentiality, security, disclosure, and sharing of information.'' OMB oversees and guides agency operations through its three offices, which are primarily responsible for setting policy, and its five Resource Management Offices (RMO), which are primarily responsible for examining agency budget issues and overseeing implementation of Governmentwide management policies. OMB's Office of Information and Regulatory Affairs is the entity responsible for establishing Governmentwide information resource management policies, including those related to information security, and assisting the RMOs in overseeing agency implementation of these policies.
 Page 97       PREV PAGE       TOP OF DOC
    As part of its responsibilities for Federal information resources, OMB has issued a preliminary draft memorandum entitled, ''Principles for Federal Agency Use of the World-Wide Web.'' This welcome OMB draft establishes general principles to guide the process of agencies setting up Internet Web pages and conducting business of varying degrees over the Internet. While any guidance must be general enough to meet the needs of organizations with many different objectives, OMB's principles appear to be so general that they would not prohibit agencies like SSA from placing data on its Website even though the individuals who are the subject of the data may object.
    In addition, OMB's guidance could be interpreted differently by many agencies. For example, it calls for agencies to ''avoid improperly restrictive access practices,'' and to ''guard the public's personal privacy and ensure the security of their information.''

Question 9. You mention that the experience of other agencies shows that investigative opportunities are available to combat electronic crimes through proper training, equipment, and dedication. In your opinion, has SSA committed the necessary resources for training and equipment, and are they working to ensure their employees are dedicated to combating crimes?

    Answer: Under our separate appropriation, OIG has the flexibility to dedicate resources to this pressing issue. With the additional resources the Subcommittee helped us to obtain this year, we have undertaken several initiatives to strengthen our ability to recognize, address, and resolve electronic crimes which are being directed at SSA programs, systems, and employees.
    Each OIG Field Division will have an experienced Special Agent responsible for investigating electronic crimes. These agents will receive technical training in the seizure of computer systems and investigative training to understand computer intrusions. We are also establishing a specialized computer forensics capability. A limited number of Special Agents will receive the most advanced training available in the processing of seized computer systems for evidence.
 Page 98       PREV PAGE       TOP OF DOC
    All Special Agents will receive training to allow them to conduct investigations in an automated environment. The training is available through basic and advanced courses at the Federal Law Enforcement Training Center, Glynco, Georgia. Additional training in the legal aspects of computer search and seizure issues is provided through the OIG continuing legal training program. We will seek training opportunities within SSA in order to maximize the effectiveness of this effort.
    We are satisfied that SSA is fulfilling its responsibility to refer allegations to OIG.



Questions submitted by Mr. Bunning, and answered by Mr. Willemssen

    The following is in response to your request that we provide answers to questions relating to our May 6, 1997, testimony.(see footnote 14)

Question 1. In Dr. Callahan's testimony, he indicates that discussion should focus on authentication requirements, not system security, because he says the PEBES system is secure, since SSA is using time-tested commercial encryption that banks and other on-line businesses use every day. How do your views compare with Dr. Callahan's?

    We believe that discussion should include a focus on system security for the following reasons.
 Page 99       PREV PAGE       TOP OF DOC
    •  There have been recent problems in implementing currently available commercial encryption processes; and computer systems that use these processes have been successfully attacked. For example, about 18 months ago, a leading product available for protecting the confidentiality of data was found to contain a flaw that resulted in the improper implementation of a key process used to encrypt the data. As noted by the individuals who identified the flaw, ''[t]he security community has painfully learned that small bugs in a security-critical module of a software system can have serious consequences, and that such errors are easy to commit.''(see footnote 15)

    In addition, within the past 3 months, a number of security weaknesses have been identified in the two leading software packages that would have been used by individuals to access PEBES information. While we cannot know the exact impact of such weaknesses on the security of PEBES information, we believe they clearly indicate that the security solution selected may not be as stable as SSA believes.
    •  Dr. Callahan stated that SSA is using the same encryption techniques as banks and other on-line businesses. However, SSA's analyses did not include detailed reviews or assessments of the actual techniques and procedures that these businesses used to implement secure transactions. Without full knowledge of these techniques and procedures, we do not believe that SSA can know with certainty that it has implemented the same type of system that is being used by the commercial enterprises it is trying to emulate.
    •  Because of security concerns, some commercial enterprises have not implemented full Internet-based electronic commerce. Others have done so, but have given customers a choice in whether to provide sensitive information via the Internet. For example, some firms allow customers to use the Internet to identify and order items or services that they wish to purchase. The customers, however, then decide whether to pay for these purchases by providing their credit card information over the Internet or via a toll-free telephone call to the firm.
 Page 100       PREV PAGE       TOP OF DOC
    •  In our opinion, the risks associated with commercial systems should be viewed very differently from those associated with SSA's on-line service. With commercial enterprises, economic risks—driven by such considerations as how much the company can afford to lose if its security system is compromised—are likely to be key factors in assessing the need for computer security, and in deciding what additional controls should be implemented to prevent significant monetary losses. With SSA, however, privacy considerations—rather than economic concerns—would likely be among the key factors that SSA considers in determining its security needs. In our view, one of the paramount factors in assessing the risks associated with SSA's on-line service is establishing public confidence in the agency's ability to adequately protect an individual's information.

Question 2. You mention that SSA made on-line PEBES a part of its business plan for 1997–2001 and took numerous actions to protect the confidentiality of client data. In addition, they tested the system for a year and consulted with numerous outside experts. Yet, there was considerable public outcry when the system became publicly available. Based on your experience, what other steps might SSA have taken to prevent this?

    In deciding to establish the PEBES service, SSA hoped that providing U.S. workers with better information about Social Security would help rebuild public confidence in its programs and offer a useful financial planning tool. Moreover, by making PEBES information accessible via the Internet, SSA believed it could better reach its intended audience and, ultimately, provide ''world class'' service to the more than 100 million people projected to receive PEBES information annually by the year 2000.
    In making information readily available via the Internet, however, many opportunities for serious misuse of sensitive information exist; these must be carefully considered, and must be communicated to those individuals whose information might be placed at risk. In our opinion, many people are not fully aware of most of the risks relating to the use of computer systems—risks that tend to be amplified in the on-line world. Consequently, when the potential for security weaknesses becomes apparent, public concern and outcry are not unexpected. Moreover, the need to identify and promote awareness of security risks may be vital to a project's success.
 Page 101       PREV PAGE       TOP OF DOC
    We support SSA's recent use of public forums to solicit views on how the agency can provide electronic services via the Internet while protecting individual privacy. In our view, engaging in public dialogue about the system prior to full implementation and deployment is essential not only to assess public acceptance of this service but also to educate people about the inevitable risks inherent in the Internet. In this way, the public can make an informed decision regarding its use.
    Because of the sensitive information contained in the PEBES system, the potential threats to this system are great. While public forums can provide invaluable insights regarding the agency's use of electronic services via the Internet, these views, alone, would not be sufficient to ensure that the most appropriate technical safeguards are identified and implemented to protect against security threats. Effective risk management is necessary to accomplishment this.
    Risk management would include assessing the vulnerabilities involved in using the Internet to provide this service, and then implementing appropriate security controls to reduce risk to an acceptable level. A risk assessment can focus on many different areas, including hardware and software systems, telecommunications, and technical and operational controls that can be designed into a new application. The results of such an assessment can then be used to determine acceptable levels of risk and to select cost-effective safeguards, considering factors such as organizational policy and legislation; safety, reliability, and quality requirements; cost; and cultural constraints. It is important to note, however, that merely selecting appropriate safeguards does not reduce risk; those safeguards must also be effectively implemented. Moreover, agencies must periodically reassess risks and, where necessary, improve system security safeguards.

Question 3. You state that agencies need to determine the acceptable level of risk when developing effective systems security. Do you believe that agencies need more specific guidance, perhaps government-wide, on how to assess risks and develop the appropriate balance between privacy and other agency objectives?
 Page 102       PREV PAGE       TOP OF DOC

    In light of the increasing importance of information security and the pattern of widespread problems that has emerged, it is essential that federal agencies implement information security programs that proactively and systematically assess risk, monitor the effectiveness of security controls, and respond to identified problems. Such programs are necessary to ensure that management and technical controls, including actions to correct identified weaknesses, are effective on a continuing basis.
    The need to protect sensitive federal data maintained on automated information systems has been recognized for years in various laws and federal guidance. The Privacy Act of 1974, as amended, the Computer Security Act of 1987, and the Paperwork Reduction Act of 1995, as amended, all contain provisions requiring agencies to protect the confidentiality and integrity of the sensitive information that they maintain. In accordance with the Paperwork Reduction Act, the Office of Management and Budget (OMB) is responsible for developing information security policies and overseeing agency practices. OMB's Circular A–130, appendix III, ''Security of Federal Automated Information Resources,'' (updated February 1996), establishes minimum controls to be included in agency information system security programs, including the need to assess risks and take actions to manage them. In addition, guidance on effective risk management has been developed by the National Institute of Standards and Technology.(see footnote 16) This guidance identifies basic activities and processes that agencies should use in assessing and taking steps to reduce and maintain acceptable levels of risk.

    Despite such guidance, we have recently reported that information system security weaknesses remain pervasive among many major federal agencies,(see footnote 17) and we have designated information security a high-risk area.(see footnote 18) Our reviews found inadequate management and implementation of information security programs, rather than the absence of specific guidance, to be the primary cause of many of these weaknesses. Specifically, one of the fundamental causes is that agencies have not implemented security programs that provide a systematic means of assessing risk, implementing effective policies and control techniques, and monitoring the effectiveness of these measures. Ensuring adequate security requires ongoing attention to risk-monitoring and the effectiveness of mitigating controls. Yet, many federal managers are either not fully aware of their responsibility to identify and control these risks, or have not given information security the level of attention needed to ensure its effectiveness.
 Page 103       PREV PAGE       TOP OF DOC

    The challenge for federal managers is to view the management of information security as an integral element of program management. This means (1) considering the security implications whenever computer and telecommunications technology is being designed and put in use to support program operations, (2) weighing the potential costs and benefits, (3) determining what level of risk is acceptable in light of expected benefits, and (4) providing adequate resources to monitor controls and keep risks at an acceptable level.

Question 4. Have you done any assessments of the existing privacy offices at HHS and the IRS and how effective they are for addressing issues such as SSA faces?

    We have not performed any assessments of existing privacy offices at HHS and IRS and therefore cannot comment on their effectiveness. However, the Privacy Act requires certain actions on the part of federal agencies and departments to ensure the privacy and confidentiality of personal information. These requirements include establishing appropriate administrative, technical, and physical safeguards to ensure the security and confidentiality of records. They also include protecting against anticipated threats or hazards to the security or integrity of these records, that could result in substantial harm, embarrassment, inconvenience, or unfairness to individuals.

Question 5. What do you see as the role of SSA's chief information officer in the decision to make PEBES available on-line and the privacy and security issues involved therein?

    As the senior official designated to oversee information resources management (IRM), SSA's chief information officer (CIO) should have primary responsibility for ensuring that the on-line PEBES initiative represents a sound information technology investment based on factors such as the project's cost, risk, return on investment, and support of mission-related outcomes. The CIO should also be responsible for ensuring that the information systems supporting this initiative are adequately protected from unauthorized access that could result in the potential disclosure of sensitive data and/or serious disruptions to the agency's operations.
 Page 104       PREV PAGE       TOP OF DOC
    The Paperwork Reduction Act of 1995 (as amended) and Clinger-Cohen Act of 1996 require a number of IRM practices to improve the productivity, efficiency, and effectiveness of government operations. To fulfill the requirements of these acts, one of the CIO's primary responsibilities is ensuring the effective acquisition and management of information resources to support agency programs and missions. This includes (1) promoting effective agency operations by implementing budget-linked capital planning for, and performance-based management of, information technology (IT) systems; (2) actively participating with other agency managers in IT planning, budgeting, and investment decision-making; and (3) monitoring the performance of agency IT programs, evaluating them on the basis of applicable performance measures, and advising the agency head regarding whether to continue, modify, or terminate individual programs or projects. Only through a sound IT investment process that encompasses these practices can the CIO be effectively positioned to establish clear accountability for agency IRM activities, promote coordination among and visibility of the agency's information activities, and guarantee the effective acquisition and use of information technology.
    To be effective in implementing the requirements of these acts, IRM must be the CIO's primary duty. However, it is important to note that while the CIO is to play an active role in managing and overseeing IT investments, it is the agency head's responsibility under these acts to establish an agencywide process and framework within which such IT management and oversight is conducted. In our view, this involves the creation of a high-level forum or board composed of the CIO, the chief financial officer, and senior line managers with responsibility for selecting, controlling, and evaluating information technology investments against established criteria.
    An essential element in managing information resources is protecting sensitive and critical federal data from unauthorized access and inappropriate disclosure. Thus, another key responsibility of the CIO's is ensuring the privacy and security of information contained in the agency's information systems. Agencies increasingly rely on interconnected systems to control critical functions such as communications, financial services, transportation, and utilities. Although greater use of interconnected systems promises significant benefits in improved business and government operations, such systems are much more vulnerable to anonymous intruders, who may manipulate data to commit fraud, obtain sensitive information, or severely disrupt operations. The Paperwork Reduction Act, consistent with the Computer Security Act, requires each federal agency to ''identify and afford security protections commensurate with the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of information collected or maintained by or on behalf of an agency.'' The Clinger-Cohen Act further requires the agency's CIO to ensure that information security policies, procedures, and practices fulfill this requirement.
 Page 105       PREV PAGE       TOP OF DOC

Question 6. In reference to the intelligence community having its own Internet system, Mr. Rhodes was asked by Rep. Christensen how much a private Internet system would cost if Social Security would choose this option. Please provide a cost estimate for the record.

    We do not have sufficient information at this time to provide an estimate of the cost that SSA would have to incur to develop a secured Internet, such as that used by the intelligence community. Cost data for the intelligence community's network, which would serve as the basis for establishing a comparative cost estimate, is classified and, therefore, not available for public analysis. However, on the basis of our reviews of satellite systems owned by the Department of Defense—some of which are used by the intelligence community to support its Internet—we believe that developing a comparable network for SSA would be very costly.

Question 7. Mr. Rhodes noted that 50% of the 250,000 inquiries to the Department of Defense's private Internet were attacks, and that approximately 5% of those attacks were actually prosecuted. What steps would you recommend for improving the rate of prosecution?

    Just as in physical crime, the rate of prosecution for digital crime is a function of the ability to collect, analyze, and ultimately, prove the evidence of a crime. However, detecting and reacting to computer attacks—and, in turn, establishing the types of evidence that would be required for successful prosecution—is difficult, since some attackers have access to a number of tools and techniques that can enable them to avoid detection.
    Improving the potential for detecting and acting against security breaches will depend, in large part, on the extent to which federal agencies and departments implement effective information security. A good computer security program begins with top management understanding of the risks associated with its computers, and emphasizes the implementation of (1) cost-effective procedures to protect the agency's electronic assets, (2) vigorous and effective programs to detect unauthorized attacks on these assets, and (3) the ability to react to any intrusions that do occur.
 Page 106       PREV PAGE       TOP OF DOC
    For the Department of Defense, attacks on computer systems are a serious and growing threat. Accordingly, we have made a number of recommendations for improving the Department's information security program.(see footnote 19) These recommendations include developing departmentwide policies for preventing, detecting, and responding to attacks on Defense information systems, including mandating that (1) all security incidents be reported within the Department, (2) risk assessments be performed routinely to determine vulnerabilities to attacks and intrusions, (3) vulnerabilities and deficiencies be expeditiously corrected as they are identified, and (4) damage from intrusions be expeditiously assessed to ensure the integrity of data and systems compromised.

    The Department of Defense developed this approach to protect against, detect, and react to threats as part of its activity to implement a formal defensive information warfare program. Defense's plan calls for monitoring and detecting intrusions or hostile actions as they occur, reacting quickly to isolate the systems under attack, correcting the security breaches, restoring service to authorized users, and improving security. If agencies improve their protection, detection, and reaction capabilities, the ability to prosecute could be improved.
    In responding to these questions, we reviewed and analyzed agency documents describing the security of SSA's on-line PEBES service and the strategies that SSA is using to manage its information technology investments. We also reviewed and analyzed the documented positions of experts in the field of Internet and computer security, as well as federal legislation and guidance on computer security, privacy, and information technology management. We discussed a draft of this correspondence with SSA's Acting Director overseeing the on-line PEBES initiative, and his comments have been incorporated as appropriate. We conducted our work from June 2 through June 20, 1997, in accordance with generally accepted government auditing standards.
    We are sending copies of this correspondence to the Acting Commissioner of Social Security and other interested parties. Copies will also be made available to others upon request.
 Page 107       PREV PAGE       TOP OF DOC



    Chairman BUNNING. Joining us today on the third panel is Marc Rotenberg, director of the Electronic Privacy Information Center; he is also an adjunct professor at Georgetown University's Law Center; Evan Hendricks, editor and publisher of Privacy Times here in Washington, DC; Noel Matchett of Information Security, Inc., in Silver Spring, Maryland; and Bruce Rector, general legal counsel of the U.S. Junior Chamber of Commerce. Some of us are more familiar with the group's less formal name, the Jaycees. Mr. Rector is a member of the Lexington, Kentucky chapter of the Junior Chamber of Commerce. He is accompanied by the Junior Chamber's national president, Mike Marshall, from the Jaycees headquarters in Tulsa, Oklahoma.
    I would like to add that James Parkel, a member of the board of directors of AARP, was invited to testify today. Due to a family emergency, he won't be joining us, so without objection I will place his testimony in the record. Copies have been made available at the side table. And we appreciate AARP's delivery of Mr. Parkel's testimony so we could have it today.
    [The prepared statement follows:]

Statement of James Parkel, American Association of Retired Persons (AARP)

    The American Association of Retired Persons (AARP) appreciates the opportunity to present its views regarding the Social Security Administration's (SSA) decision to make its Personal Earnings and Benefit Estimate Statement (PEBES) available on-line. AARP hopes today's hearing will help resolve the concerns that have surfaced regarding this service. If this can be done satisfactorily, SSA will be able to provide the public with the information it wants, in a form that is readily available and cost effective, while still safeguarding worker confidentiality.
 Page 108       PREV PAGE       TOP OF DOC
    Since Social Security's inception in 1935, workers have been able to review their earnings records on file at SSA in order to ensure their accuracy. In 1988, SSA initiated an on-request PEBES to enable workers who requested their records in writing to review them more easily. The Omnibus Budget Reconciliation Act (OBRA) of 1989, and a subsequent modification in OBRA 1990, made these statements mandatory. Section 1143 of the Social Security Act requires SSA to: 1) make the statements available on request to all eligible individuals age 25 and older; 2) send these statements automatically (SIPEBES) to all eligible individuals age 60 and older in Fiscal Years 1995 and 1996, and in Fiscal Years 1996 through 2000 as individuals reach ages 60; and 3) expand these mailings on an annualized basis to all workers age 25 and over beginning in Fiscal Year 2000.
    Although the PEBES contains valuable information, SSA estimates that only two percent of workers actually request them from the agency each year. The statement delineates workers' recorded earnings on a year-by-year basis. This enables workers to detect errors and request a correction (a three year, three month, fifteen day statute of limitation generally applies). The PEBES also explains and estimates the full range of retirement, disability and survivor benefits for which workers and their families are eligible. The projection of retirement benefits is a helpful financial planning tool for the future. The PEBES, along with individual benefit statements available from pension plans, as well as individuals' own savings statements, will enable them to construct a more realistic picture of their financial future. In addition, the information in the PEBES regarding disability and survivor benefits should remind workers that Social Security is there for them now.
    The mailed out PEBES contains other general information about Social Security that could enhance public understanding of the program and may improve confidence in the future of Social Security among workers. According to the General Accounting Office (GAO), participants in focus groups conducted for SSA responded favorably to receiving unsolicited PEBES from the agency—a reaction that increased with age.
 Page 109       PREV PAGE       TOP OF DOC
    Issuing the PEBES has been a significant initiative for SSA. It entails production costs, such as printing and mailing, and personnel costs, including the cost of responding to subsequent inquiries from some of those receiving statements. In order to reduce costs and to make the PEBES more easily available, SSA implemented procedures to utilize the Internet. Last year, workers could file an electronic request for a PEBES through SSA's website. Effective this March, workers could obtain a PEBES electronically upon furnishing their Social Security number, their date and place of birth, and their mother's maiden name. Approximately 27,000 requests for statements (''hits'') were made in the first month.
    In April, press accounts about the potential for abuse generated public and congressional attention. In response to growing concerns, SSA suspended the on-line service effective April 9 and announced that it would conduct national forums at which privacy and technology experts and the public could comment. The agency held the first forum yesterday and others have been scheduled. In addition, SSA is evaluating security features, such as personal identification numbers (''pin numbers'') or allowing workers to block computer access to their work records, in order to further safeguard the data from being accessed by unauthorized persons.

Balancing conflicting goals

    In going on-line with PEBES, SSA saw the value to individuals of greater use of these statements, as well as the cost savings that could be generated through electronic delivery. The agency recognized the potential for misuse and took some precautions to prevent unscrupulous or inquisitive individuals from using the website to obtain information about a worker's earnings history. Precautions include encryption and terminating inputs after several incorrect tries. As a further deterrent, the agency warns that illegal use of Social Security data is a federal crime subject to criminal penalties. SSA reports that only 18,000 of the March requests for on-line PEBES were generated because the remaining requests did not meet the security screen criteria.
 Page 110       PREV PAGE       TOP OF DOC
    Although SSA made a genuine effort to ensure confidentiality and limit abuse, in today's marketplace, an individual can obtain a worker's birth date and birthplace, as well as the mother's maiden name, without too much effort. And, individuals who are seeking information about others can preserve their own anonymity by inputting the information from a cybercafe or a public location, such as a library.
    Public concern about the security of the on-line PEBES service is understandable because privacy is an important issue for many people, including older Americans. And, with the increased use of electronic commerce, the privacy issue has taken on an added dimension. A 1996 Equifax/Harris consumer privacy survey showed that the percentage of respondents concerned about threats to personal privacy rose from 64 percent in 1978 to 79 percent in 1990, and 1993, (82 percent in 1995) and to 87 percent in 1996.
    AARP has been concerned about privacy issues and how the right to privacy affects the private sector. One of these is the inappropriate release of an individual's medical information. At the same time, we support the computerization of health care data systems. However, what is needed as those systems develop, and is still lacking, is a strong federal law imposing clear, workable standards, which encourage patients to communicate freely with their physicians, and significant civil and criminal penalties for violations. We are pleased that, pursuant to legislation adopted in the 104th Congress, there will, within the next three years, be federal law or regulations governing the use and disclosure of personally identifiable health information.
    The Association also has been concerned with the availability of adequate consumer protections against the unauthorized dissemination of information about consumers' use of data, financial, credit, retail, communications, and medical services. We believe consumers have a right to personal privacy and they should be able to reject intrusive marketing practices, communications, technology and the unauthorized use of data. To that end:
 Page 111       PREV PAGE       TOP OF DOC
    •  consumers should be able to easily protect themselves against the unauthorized use or dissemination of personal data;
    •  consumers should be given the explicit opportunity to authorize or refuse permission for the distribution and sale of personal data from its originating source of collection;
    •  data bases that compile employment records should meet a standard for consumer access and privacy similar to that applied to credit reports; and
    •  consumers should be able to receive copies of any information assembled at any time concerning employment or medical insurance records (at minimal and free of change) and have the opportunity to correct inaccurate or incomplete information.
    Protecting an individual's privacy is somewhat different when it involves the public sector. The on-line PEBES is a government-initiated service and the government should provide information in a way that protects the privacy of its citizens. Moreover, since the Social Security number is used as a defacto national identifier, people are understandably concerned that the use of their Social Security number will be extended for purposes that are outside their control.
    Although SSA has not received reports of abuses of either the mail-in and electronic PEBES service, AARP agrees every effort must be made to protect the security of this service in order to maintain the confidence of the American people and to give them a sense of security. Today's hearing and SSA's public forums can help identify potential problems and possible solutions that the agency can implement. While the American people cherish their privacy, they also value the free flow of information. We hope that SSA will find a way to strike the proper balance between these sometimes conflicting goals.

 Page 112       PREV PAGE       TOP OF DOC


    Chairman BUNNING. If the panel would please take their seats—and they all have—let's begin with Mr. Rotenberg.

    Mr. ROTENBERG. Thank you very much, Mr. Chairman. Thank you for the opportunity to appear today before the Subcommittee.
    The week that the story appeared in ''USA Today'' about the SSA online program, we received a number of calls from people who are very concerned about their privacy. But perhaps the most interesting call came from a person who asked whether it was appropriate for the Social Security Administration to be asking him for his Social Security number, and he wanted to know if there could be a law to prevent this from happening in the future.
    I patiently explained to this person that if there was any organization in the world with a right to request the SSN, it was the SSA. But as I began to think about it, I realized what was going on in the course of that week was the expression of a very high level of concern in this country about the loss of privacy. And if you read the public opinion polls, you will find that the level of public concern about the loss of privacy is at an all time high, this according to a poll taken just this last year by the Lou Harris Associates. They have been tracking this for three decades.
    People are concerned about the computerization of information. They are concerned about the loss of control about information affecting their lives. So this issue doesn't arise in a vacuum. Organizations are buying and selling data, and, unfortunately, the administration has shown little interest in developing new safeguards.
 Page 113       PREV PAGE       TOP OF DOC
    Now, my own view of what the SSA undertook to do was perhaps not as critical as some of the people I work with on a regular basis in the privacy community. I understood that the Agency was trying to make it easy for individuals to get access to their own information.
    In fact, this obligation to make data available to American citizens, data that affects their lives, can be found in the Privacy Act of 1974, which sets out the framework of the responsibilities that Federal agencies have both to protect the privacy of the information from misuse by others but also the obligation to ensure that that information is readily available so that people can make informed decisions about such issues as retirement in this case.
    And it is also true with other privacy laws, like the Fair Credit Reporting Act. There is an obligation to protect the information from access by others and to provide the credit records to individuals so they are able to make decisions and act on loan information.
    I think the project was well intended, I think more could be done to improve the authentication and address public concern about privacy, but I want to say a word about the authentication issue. I think in the near term, you will find that many of the solutions that are being proposed right now could be both costly for the Agency and increase the level of inconvenience, make it more difficult for people to get access to their own information, and there is necessarily going to be some tradeoff.
    Now, the Agency may decide, on balance, that perhaps in the near term it just may not make sense to try to give this direct access online. Until last year, people could go to the Internet site, request the earnings statement, the record, and it would be sent to the home. Perhaps that is a good solution.
    Over the long term, I think there will be new techniques, such as digital signatures and such, that will make it easier to authenticate. But I do not recommend an elaborate security procedure that would make it as difficult for someone to get access to their earnings statement as it might be to get access to high-level government material. That is just too costly and too inefficient.
 Page 114       PREV PAGE       TOP OF DOC
    I think the Agency has taken very important steps by undertaking these public forums and soliciting public comment. I think what the Agency will find is that the level of privacy concern is quite widespread.
    And this gets to my final point—it was suggested by Congressman Portman earlier—which is that there may be some need to try to coordinate policies within the Federal Government, establish some standards, some guidelines, so when these databases are put online, not just the Inspector General and the GAO but some entity in the Federal Government with some expertise in this area has had the opportunity on behalf of groups concerned with privacy to say, yes, this looks adequate, you can go ahead with this, or perhaps there are other issues that need to be considered.
    But as I said, I think on balance it was a well intended effort, but the level of public concern today is so high that I don't think, frankly, anything the SSA did at this point is going to solve all those problems, certainly for my friend who called about the misuse of his Social Security number.
    [The prepared statement follows:]

Statement of Marc Rotenberg, Director, Electronic Privacy Information Center; and Adjunct Professor, Georgetown University Law Center

    My name is Marc Rotenberg. I am the director of the Electronic Privacy Information Center (EPIC), a public policy research organization in Washington, DC that focuses on emerging privacy and civil liberties issues. I am also on the faculty at Georgetown University Law Center where I have taught a course on the Law of Information Privacy since 1991. I appreciate the opportunity to appear before the Subcommittee today to discuss the recent issues surrounding the Social Security Administration's online services.
 Page 115       PREV PAGE       TOP OF DOC


    This hearing focuses on the decision earlier this year of the Social Security Administration to make available the Personal Earnings and Benefit Estimate Statements (PEBES) over the Internet. While many criticized SSA for this decision, it is my view that the SSA was trying to do the right thing and got caught in the growing public concern about the loss of privacy. There are steps that the SSA can take to address concerns about the risk of unlawful access to the PEBES records, but the larger problem is not something that the Social Security Administration will be able to solve. To address this problem may require the creation of an office within the federal government with privacy expertise and the passage of legislation to control the misuse of the Social Security Number.
    The PEBES provides individuals with their earnings by years, Social Security taxes paid, and an estimate of future benefits. The statement has been available by mail for the past decade. For the past year, the SSA allowed individuals to request the statement over the Internet. It was then sent by mail. The document is important for American workers and families and allows individuals to plan for their family's economic security in the event of retirement, disability, or death.
    In March, the Social Security Administration made the PEBES available online at the SSA's web site. An individual could view the information contained in the Earnings Statement directly on a computer terminal. To obtain online access to the records the SSA required individuals to provide their full name, date of birth, place of birth, Social Security number, and mother's maiden name. This was the same information that an individual would provide if he or she sent a request by mail to the SSA for a copy of the PEBES.
    What made the SSA project somewhat unique is that the new service was designed to allow individuals to download their personal information from a government agency over the Internet. There are many federal agencies that have taken advantage of the Internet to make information widely available to the public at little cost. Congress itself has done an excellent job with the Thomas system which now makes it possible for individuals across the country to track Congressional legislation, read the Congressional Record and obtain other public information.
 Page 116       PREV PAGE       TOP OF DOC
    But the PEBES statement is not public information. It is private information and individuals are rightly concerned that such information should not be improperly disclosed or made available to others.
    A front page story in USA Today on April 7 focused public attention on the SSA project. Evan Hendricks, the publisher of Privacy Times and one of the country's leading privacy experts, expressed concern that the SSA database could lead to the disclosure of sensitive personal information. Several members of Congress cited the risk that others might get access to the online database. The SSA received calls as did the Committee about the possible risks to personal privacy.
    On April 9 the Social Security Administration suspended the service. Commissioner Callahan said that maintaining public confidence in protecting the privacy of sensitive data was one of the SSA's primary missions. He also noted that over the ten-year period that SSA has offered the PEBES, and during the month that the PEBES was offered online, the SSA ''received no allegations of individuals fraudulently accessing SSA's records.''
    On April 30, the Social Security Administration published a federal Register Notice announcing that a series of Public Forums would be held to solicit comments on the PEBES service. The SSA intends to conclude the comment period this summer and develop recommendations.

Public Concern About Privacy

    Considering the ongoing efforts of the Social Security Administration to make the PEBES more easily available to the public, it is almost surprising that the public reaction was so strong and so swift. But the loss of public confidence in the privacy of personal information is very real today.
 Page 117       PREV PAGE       TOP OF DOC
    Lou Harris reported last year that public concern about the loss of privacy is at an all-time high. Privacy concern is particularly high among users of the Internet, arguably the most technologically sophisticated individuals. A comprehensive survey undertaken by the Georgia Institute of Technology found that after censorship, privacy was the top concern among Internet users. And among women, privacy outranked censorship as the number one concern. According to the survey, Internet users also favor new laws to protect personal privacy (3.8/5.0) [http://www.cc.gatech.edu/gvu/user—surveys/survey-10–1996/ ]
    There are many factors that have contributed to the growing concern about the loss of privacy—the rapid growth of technology, the increased collection and sale of personal data, the development of new surveillance techniques. But perhaps the most significant factor is the sense that we have simply lost the ability to control the collection and use of data. Indeed, the Harris poll found that 60% of consumers believe they have lost all control over personal information.
    This problem is not easily solved. But as the SSA goes forward with its assessment of the PEBES service, it will be critical to keep in mind the larger concern about the loss of privacy in America.

Dual Responsibilities of the Privacy Act

    When Congress addressed the question in the early 1970's about what should be done to protect the privacy of personal information held by federal agencies, it concluded that it would be necessary to establish in law certain obligations for federal agencies and certain rights for American citizens. The rights and responsibilities were set out in the Privacy Act and reflected an approach that is commonly understood as a Code of Fair Information Practices.
    The key point about the SSA's efforts is that under the Privacy Act, federal agencies have two obligations, that may appear to operate at cross purposes, but are in fact quite consistent. The Privacy Act requires federal agencies to prevent the unlawful disclosure and use of personal information. The Privacy Act also requires that federal agencies make information pertaining to particular individuals available to those individuals.
 Page 118       PREV PAGE       TOP OF DOC
    Indeed, one of main purposes of the Privacy Act is to ''permit an individual to gain access to information pertaining to him in Federal agency records and to have a copy made of all or any portion thereof and to correct or amend such records'' Of course, federal agencies also have a responsibility to ensure that ''adequate safeguards are provided to prevent misuse'' of identifiable personal information.
    Many other privacy laws follow a similar approach. The Fair Credit Reporting Act of 1970, for example, both limits the disclosure of credit reports and requires Credit Reporting Agencies to make available credit reports to individuals to whom the reports pertain. Such access can be critical when credit is denied, particularly if such decisions came about as a result of incorrect information.
    For similar reasons, the SSA must make the Earning Statements available to individuals to ensure that records are accurate and individuals are not improperly denied benefits to which they are entitled.
    In making the PEBES statements available online, the SSA was clearly attempting to comply with the spirit of the Privacy Act. It would be wrong to fault the agency for this effort.

Authentication and the Trade-offs of Computer Security

    One of the critical questions that was raised in the aftermath of the PEBES episode was whether additional steps should have been taken to ensure the authenticity of the individuals requesting the requesting records. Some individuals proposed digital signature techniques or passwords. Others questioned whether it was ever appropriate to transfer personal information over the Internet.
    The SSA is now conducting hearings and meeting with technical experts to explore a range of options. I don't mean to prejudge this process, but I would like to point out that at least in the near term there will almost certainly be a trade between the level of authentication that can be provided and the ease of access and reduced cost. I do not believe that the steps that the SSA took to authenticate users, if coupled with auditing and the risk of criminal penalty, were unreasonable.
 Page 119       PREV PAGE       TOP OF DOC
    It is also signficiant that the Commissioner stated that there was no record of unauthorized access to the PEBES records during the period of time that the SSA made the records available. But the Social Security Administration could take additional steps to address public concern, including routine auditing and criminal prosecution where wrongdoing is established. These steps could do a lot to protect privacy and discourage illegal access.
    It is also important to note that many techniques which could over time provide higher levels of authentication at low cost are being discouraged by the Administration's policy on encryption which has generally been to defer to law enforcement considerations rather than to allow new privacy solutions to develop. Improving the security of federal information systems will require that the Administration understand the importance of these new techniques.

Need for Greater Privacy Safeguards

    One of the privacy issues that continues to plague efforts at the Social Security Administration is the growing use of the Social Security number. At EPIC we received several irate calls about the SSA database. One person asked whether the Social Security Administration had the right to request a Social Security number. This person asked whether there was any law to prevent this. I patiently explained that if there was any organization in the world with the right to request the Social Security number it was the Social Security Administration.
    But the public concern about the misuse of the Social Security number is well-founded. The widespread availability of the SSN has increased the level of banking fraud and credit fraud.
    Last summer a Lexis-Nexis locator service called P-Trak allowed anyone to search by Social Security number to find individuals. In this case the Social Security numbers were obtained when Lexis-Nexis exploited a loophole in the Fair Credit Reporting Act and obtained credit record information from TransUnion, a credit reporting agency. The display of the SSN was eventually discontinued after public protests, but it is still possible to look-up individuals by use of the SSN. Several members of Congress and the FTC are now looking at ways to close the loophole in the FCRA.
 Page 120       PREV PAGE       TOP OF DOC
    There have also been proposals to extend the use of the SSN to all forms of government, including, ''any application for a professional license, commercial driver's license, occupational license, or marriage license [the SSN] be recorded on the application.'' Even the Federal Aviation Administration has claimed the need to collect Social Security numbers for all air travelers.
    The Privacy Act of 1974 tried to control the widespread use of the Social Security number when it incorporated provisions that limited the collection and use of the SSN and provided a notice requirement and legal authority when it was gathered. In the absence of effective oversight of the Privacy Act, the use and misuse of the Social Security number continues. Now the one agency that rightfully should be able to use the number runs into problems.
    Many of the problems could be addressed in part if the United States would move forward with a proposal that was central to the original design of the Privacy Act and that is the creation of a federal privacy entity with the authority and the expertise to ensure that agencies are complying with the Privacy Act and to help agencies antitcipate the new challenges that technology necessarily involves.
    It is clear that there is a larger problem here than the SSA can solve. Some steps must be taken to strengthen the privacy infrastructure within the United States before other online services meet similar public protest.

    EPIC, ''National ID Cards'' [http://www.epic.org/privacy/id—cards/default.html]
    EPIC, ''Privacy Surveys'' [http://www.epic.org/privacy/survey/ ]
    EPIC, ''Social Security Administration and Online Privacy'' [http://www.epic.org/privacy/databases/ssa/ ]
 Page 121       PREV PAGE       TOP OF DOC
    EPIC, ''Social Security Number and Privacy'' [http://www.epic.org/privacy/ssn/default.html ]



    Chairman BUNNING. Mr. Hendricks.

    Mr. HENDRICKS. Thanks, Mr. Chairman.
    It is not only an important day because we are talking about some important privacy issues, but this is the birthday of my first hero, Willie Mays. When I was 5 years old, the first book I ever read was ''The Willie Mays Story.'' As a lifelong sports fan, sometimes we go into a game and the television announcer is telling us, well, this is a turf team and they are playing on grass, and they give all this conventional wisdom about who is going to win and lose, and it often turns out to be very wrong.
    And I find that the conventional wisdom about privacy is very wrong here, because, as Marc Rotenberg said, and others have said, this is a well intentioned effort. And there is a yin and a yang to privacy. The yin is getting access to your own records; the yang is making sure that other people don't get to see your records.
    And SSA, I think the important lesson here is to see how, by the failure to conduct an adequate privacy impact analysis, that they are costing us a lot of money, they are wasting a lot of time, and that if they would have done the privacy analysis first, we would all be in a lot better shape, because a lot of time people think of the conventional wisdom, privacy is something that is going to get in the way of what we want to do.
 Page 122       PREV PAGE       TOP OF DOC
    Privacy is not for secrecy. Doctor and patient don't have a privacy privilege because they want to be secretive, it is because they want to have a free flow of information so the doctor can make a judgment about how to treat the patient. At the same time, we need to have adequate privacy protections so we can accomplish goals that SSA set out to do this time and make sure the information will be used for its proper purpose.
    Now, let's start out with reality. And this is why it was a bit shocking to me that SSA proceeded in the way it did. In December alone, there was a credit fraud ring that was busted for bribing SSA employees for as little as $10 apiece for mother's maiden names which they wanted to use to activate credit cards. That was in December.
    As mentioned before in this hearing, in 1992, last time I testified before the Subcommittee, there was a whole ring of information brokers that were bribing SSA employees for this very earnings data. There was a market for this information, and it was clearly established. The SSA IG was involved in that investigation. So that was a bit shocking to me that they went ahead.
    And I talked to one of the people who was indicted, and he said they are all laughing in the industry now because they used to have to pay bribes for this information and now SSA is putting it up and making it easy for anyone to get it.
    Another thing that was very disturbing from that last lesson, and this was something I hoped the Subcommittee could take action on, at least in the form of a sturdy letter of recommendation, is, SSA refused to notify victims whose information was leaked illegally that they were victims of a crime.
    And the same thing is happening in the IRS browsing cases. The IRS has refused to notify people that their records are being leaked in violation of law, and it is my understanding that this has gone all the way to OMB, and OMB has made a decision that it is better that people do not know this is happening with their records, and I think that is a horrible policy. I think maybe it is going to take some congressional prodding to turn that around.
 Page 123       PREV PAGE       TOP OF DOC
    The process used here was defective. They talked about consulting with experts but never talked to anyone who was a privacy expert or had any privacy background. Some of these issues are policy issues that can't be resolved by talking to software architects and technical people.
    The other thing that was very disappointing to me is, to prepare for this testimony, I asked SSA for certain information which I mentioned in my prepared statement, and I see a lot of Members are asking for some of the same information, but SSA declined to give me that information, information about who was involved in making the decision and the process that led up to it, and they told me to file a Freedom of Information Act request, which unfortunately does not work as fast as it is supposed to under the law either.
    When we talk about the suspicious number of hits, one of the things we cannot forget is that the information brokers, if they are actually trying to abuse the system, are going to have all the information right. What my information broker said was that the five data elements he used to get into the system are all publicly available. They will have their ducks in order. And what I am concerned with is, they don't have a way of determining the people who did get access, if that was actually for a legitimate purpose.
    I would really like to see the costs documented, how many person hours were involved, how much time discussing change in the policies and creating and operating the Website. How about responding to the thousands of consumer complaints and the media queries?
    As you mentioned, you got a lot of calls, too. I lost an entire week of work just responding to all the queries I was getting from the public. It was overwhelming, and it should be no question as all of us know now of the people's concern for privacy.
    So in the conventional wisdom, it costs us more by not doing the right privacy thing in the case, and also, as Marc had mentioned, we need an independent structural entity or some sort of privacy commissioner. I would like one that is independent. We have this in almost every other Western country, and it doesn't answer to the government, it answers to the Parliament or the legislative branch, because we can see in this executive branch, like so many other executive branches, the NII has come out with a long report, OMB sat on it and then watered it down, and all it does is give us option papers. We know what the options are; we don't need an option paper, we need recommendations on where to go forward.
 Page 124       PREV PAGE       TOP OF DOC
    The FTC has done the same thing. The Federal Reserve Board was mandated by Congress under the last Fair Credit Reporting Act to do reports with legislative recommendations. All they did was regurgitate the arguments of both sides and say, ''No recommendations.'' And NTIA has done the same thing. So we are not getting any leadership out of this administration on this issue. I think between Congress and creating the sort of entity I would like to see, we would get a lot more work done on behalf of people and the protection of their privacy.
    [The prepared statement follows:]

Statement of Evan Hendricks, Editor and Publisher, Privacy Times, Washington, DC

    Thank you for the opportunity to testify before the Subcommittee. The debacle with the Social Security Administration's PEBES Web Site is a case study of how large organizations utterly fail to conduct a ''privacy impact analysis'' before launching risky programs involving personal information.
    While there are many intermediate steps that can be taken, the long-term solution is the creation of what every other advanced nation has: a Privacy Commissioner, independent of the Executive Branch, who answers to Congress. In other nations, the SSA would have had to consult with the Privacy Commissioner, who would have stopped the Web site before it went up due to the threat to privacy. Thus, the Privacy Commissioner would have saved taxpayers' money and would have prevented SSA from embarrassing itself.
    Meanwhile, we must take advantage of this incident to fully explore and document SSA's privacy disaster. In preparation for this hearing, I asked SSA for documents that were vital to me providing the subcommittee with informed testimony. SSA's response? ''File a Freedom of Information Act request.'' (This is often a bureaucracy's way of stalling.)
    With the information I requested, I could provide the subcommittee with a thorough analysis of the cost—in terms of dollars and privacy—of SSA's mysterious decision. But since SSA thus far has refused to make public information that is vital to an informed public debate, and which they are obligated to disclose, I urge the subcommittee to be vigilant in gaining full disclosure. After all, Sunshine is the Best Disinfectant.
 Page 125       PREV PAGE       TOP OF DOC
    Specifically, SSA needs to make public:
    •  The memo traffic leading up to the decision to create the Web site. Previously, SSA told people making online queries that it could not deliver the PEBES data online because it had no way of verifying one's identity. Why the change in policy and who was involved in making it? Was there any privacy input at all? Had they consulted with me, for instance, I would have told them not to do it the way they did.
    •  How much money and how many ''person-hours'' were involved? Such analysis must include time spent discussing the change in policy, creating and operating the Web Site, responding to the thousands of consumer complaints and media queries, taking down the Site, and holding six public hearings around the country, and the follow up to that.
    •  What were the final numbers on complaints to SSA? How many suspicious hits were there?
    •  Does SSA have a method for determining who and how many gained unauthorized access to the PEBES Web Site? Is it possible that someone could have downloaded the entire Site, thereby gaining full possession of it?
    •  Is it still SSA's unconscionable policy to refuse to notify Americans when the privacy of their records has been violated? (In the early 1990s, when federal prosecutors indicted a ring of ''information brokers'' for bribing SSA employees for the same kind of earnings data, SSA steadfastly refused to notify those unsuspecting Americans that their data was illegally divulged in a context that could have caused them harm.)
    This sad affair shows that SSA lacks a privacy policy, privacy expertise and privacy infrastructure. Too bad. Facilitating easy access to one's own records is an admirable goal, and an important part of any privacy policy. But if there is no privacy impact assessment, then personal records can be made vulnerable to unauthorized access, and the cure becomes worse than the disease. This is what happened in the SSA case.
 Page 126       PREV PAGE       TOP OF DOC
    And it will continue to happen across government, due to persistent neglect of America's national privacy policy. Federal agencies responding to budgetary pressures will continue to create privacy-threatening programs and practices. On many issues, it's normal for Congress to wait for the Administration to come forward with legislative proposals and certain administrative actions.
    But on the issue of privacy, the Clinton Administration has been a major disappointment (to put it mildly). Administration officials will tell you that several executive branch ''task forces'' are studying the issue, or holding hearings. But the issue has been studied to death since the Privacy Protection Study Commission, created by Congress, issued its recommendations for a national policy in 1977. Various Congressional committees have supported stronger legal rights for the average American, but there often has not been the crisis to prompt the entire Congress to Act. Meanwhile, every Clinton task force or agency that has examined privacy has balked at endorsing solutions or making recommendations, and instead issued feckless reports that merely regurgitate the familiar, opposing arguments of privacy advocates and industry representatives. (See, for instance, recent reports by NII task force, Federal Reserve Board, FTC or NTIA.)
    This represents further waste of taxpayer dollars, as we don't need our executive branch officials telling us what already is known. If the Clinton Administration is not going to do anything about privacy, it should so declare, and inform Congress that it must take the lead.
    Privacy is too big an issue for any one Congressional Committee to handle. That's why every responsible study of U.S. privacy policy, beginning with the Congressionally-created Privacy Protection Study Commission in 1977, has recommended creation of an Independent Privacy Commissioner.
    Nearly every European country has one, as do Canada, Australia, and New Zealand. These offices are small. Staffs run between 50 and 100 people. But these nations get great value from these offices because they follow privacy and technology developments full time, they report directly to the legislative branches about a host of issues, they help citizens with individual problems (relieving workload for legislative offices) and the advise and audit executive branch agencies.
 Page 127       PREV PAGE       TOP OF DOC
    Most importantly, they often can prevent well-intentioned, but poorly thought out programs that threaten privacy. I urge this Subcommittee to endorse legislation to create a Privacy Commissioner in the United States. I would be happy to answer any questions.
    [The official Committee record contains additional material here.]



    Chairman BUNNING. Thank you very much.
    Mr. Matchett.

    Mr. MATCHETT. Mr. Chairman, Members of the Subcommittee, my name is Noel Matchett, and I appreciate the opportunity to testify at this hearing. I am president of Information Security, which is a consulting firm I founded in 1985. We have no government grants or clients, and I am testifying solely on behalf of myself.
    I would say my comments are addressing the tip of the iceberg, not the part under the water, and if that was the issue, my response would be different. So I am focusing on the PEBES system.
    Like many other Americans, I was concerned when PEBES went over the Internet, but upon reviewing Social Security's fact sheet, my concerns really were eliminated. In assessing the Internet PEBES system, I found five things needed to be determined: One, what information is available in the system; two, the value of the information; three, the threat to that information; four, the system vulnerability; and, five, what protective measures need to bring that risk down to an acceptable level.
 Page 128       PREV PAGE       TOP OF DOC
    Social Security earnings by year and projected benefits, in my opinion, is relatively low value information, of use and interest to the person it belongs to but, I feel, of little or no value to anyone else. The threat, I believe, is modest, since it has small exploitative value and fraudulent use of someone else's Social Security number is a felony.
    The Internet is known to be highly vulnerable, however, to eavesdropping. A person's true identity is easy to conceal, and it is difficult to know who is at the keyboard of a terminal, and knowing who is at the keyboard really is the fundamental issue overlying providing online access with adequate privacy and security.
    Also, there is a broader concern about someone gaining access to the front end of computer systems and not being able to prevent them from getting into the rest of the database for which they are not authorized.
    My remarks on protective measures are really based on Social Security's response and fact sheet. SSA appears to have addressed the very strong requirement to ensure someone querying the system cannot penetrate into other databases or systems but is restricted to querying the limited PEBES database. I am taking them at their word. I haven't looked at the exact system architecture. If that isn't the case, that is a problem. It certainly is the focal point.
    Two, the vulnerability of the Internet to eavesdropping SSA countered by encrypting the information. The fundamental issue of both the tip of the iceberg (i.e., PEBES) and the rest of the iceberg (i.e., many other applications with more valuable information and higher threat) is both really who is at the terminal. SSA has chosen in this case to require two additional pieces of information, a person's place of birth and their mother's maiden name.
    Now, in answer to the question of whether PEBES is adequately protected, in this particular case, for this information, my opinion is, yes, it is. I think they did a good job of balancing accessibility of information with adequate security and privacy at a reasonable cost.
 Page 129       PREV PAGE       TOP OF DOC
    Can violations be detected? I would say some can be, but the success rate is related to the level of resources, while some types will not be able to be detected. They installed a query analysis tool to identify and prevent certain types of unauthorized access, and, while useful, it cannot detect all violations.
    Can violations be investigated and prosecuted? It is possible but not likely. This, in part, is a law enforcement policy and resource issue. It is also difficult to prove that someone has gained fraudulent electronic access to data. It is just a tough problem.
    Here are some suggestions and recommendations I would offer.
    One, let Americans decide for themselves whether or not they wish to let their PEBES data be available via the Internet. I think this hearing is an excellent forum to raise that issue and help people understand the true issues.
    One will never reach unanimous agreement on what is the appropriate balance, as we have heard in this forum and hearing. So Social Security should clearly explain the risks and then allow people to choose. This could be done by checking a box on the individual's Federal income tax return, and if you don't check it and say you want it available, it will not be available electronically. Anyone uncomfortable with the electronic program can then assure their PEBES data will not be accessed over the Internet. All those wanting the data will get it. The election by an individual to allow or deny online access to their PEBES data could be changed at any time by mail or with the next year's income tax return.
    Two, a nonnegotiable requirement is that the security architecture and implementation of the online PEBES system prevent anyone gaining access to other databases or computers from the Internet PEBES system. Social Security has recognized this; I am just reinforcing it.
    Security must be designed into systems at the beginning to be effective and at reasonable cost.
 Page 130       PREV PAGE       TOP OF DOC
    If someone foresees adding on access to higher value data with a higher level of threat later on, then the system's security requirements for this higher threat must be considered at the beginning and implemented as needed.
    This concludes my testimony. I thank you.
    [The prepared statement follows:]

Statement of Noel Matchett, President, Information Security Inc., Silver Spring, Maryland

    Mr. Chairman and members of the subcommittee, my name is Noel Matchett and I appreciate very much the opportunity to testify at this hearing. I am president of Information Security Incorporated, a security consulting firm I founded in 1985. We have no government grants or clients and I am testifying this afternoon solely on behalf of myself.
    Like many other Americans I was concerned when I read about PEBES over the Internet, but upon reviewing Social Security's fact sheet my concerns were eliminated.
    In assessing the Internet PEBES system five things need to be determined: 1) the information available in the system, 2) the value of the information, 3) the threat to the information, 4) the system vulnerabilities and 5) the protective measures needed to bring the risk to an acceptable level.
    SS earnings by year and projected benefits is relatively low value information, of use and interest to the person it belongs to, but of little or no value to anyone else. The threat is modest since the information has little exploitative value and fraudulent use of a SSN is a felony, a non trivial deterrent. The Internet is known to be highly vulnerable to eavesdropping. True electronic addresses are easily concealed and it is difficult to know who is at the keyboard of a remote terminal. Also there is always a broader concern about someone gaining access to other parts of Social Security's computer systems if allowed limited access to one part. My remarks on protective measures are based upon the SSA Internet PEBES fact sheet. SSA appears to have addressed what I consider a very strong requirement to ensure that someone querying the system can not penetrate into other data bases or systems but is restricted to the limited PEBES data associated with a SSN. The vulnerability of the Internet to eavesdropping is countered by encrypting the information. The fundamental issue of how the person at the remote terminal is identified and authenticated to the system was addressed by requiring two additional pieces of information, a person's place of birth and their mother's maiden name.
 Page 131       PREV PAGE       TOP OF DOC
    Now in answer to the question as to whether PEBES is adequately protected, my opinion is yes, it is. I believe the SSA did a good job of balancing accessibility of information with adequate security and privacy at a reasonable cost.
    In answer to the question of whether violations can be detected I must say some types can be detected, (with the success rate directly related to the level of resources employed) while some types will never be detected. A query analysis tool was installed to identify and prevent certain types of unauthorized access and while useful it can not detect all violations.
    Can violations be investigated and prosecuted? It is possible, but not likely. This is in part a law enforcement policy issue. Also, proving someone gained fraudulent electronic access to data can be very difficult.
    Here are some suggestions and recommendations I would offer.
    1) Let Americans decide for themselves whether or not they wish their PEBES data to be available via the Internet. One will never achieve unanimous agreement upon what is the appropriate balance between accessibility and security so SSA should clearly explain the risks and then allow each person to decide. This could be done by checking a box on an individual's Federal income tax return. Anyone uncomfortable with the electronic program can ensure their PEBES data can not be accessed over the Internet while those wanting Internet accessibility of their PEBES data can have it.
    2) A non negotiable requirement in the security architecture and implementation should be the prevention of anyone gaining access to other databases or computers from the Internet PEBES system. SSA has recognized this. I am just reinforcing it.
    3) Security must be designed into systems at the beginning to be effective and obtained at reasonable cost. If higher value data with a higher threat is to be accessed via the same system later on, the security requirements should be considered at the beginning and then implemented as needed.
 Page 132       PREV PAGE       TOP OF DOC
    This concludes my testimony and I thank you for the opportunity to contribute.



    Chairman BUNNING. Thank you very much.
    Mr. Rector, thank you very much. Welcome to Washington.

    Mr. RECTOR. Mr. Chairman, thank you for the opportunity to testify today.
    Over the past year, the U.S. Chamber of Commerce has been conducting townhall forums across America on the issue of Social Security. Although individuals of all ages are welcome at the townhall forums, the U.S. Chamber specifically sought the input of young Americans on this important issue.
    The purpose of these townhall forums was twofold. First, the U.S. Chamber seeks to solicit ideas for the improvement of the Social Security system. Second, the U.S. Junior Chamber seeks to inform all Americans as to how the Social Security system works and what role Social Security benefits may play at some point in their own retirement plans.
    Through conducting these townhall forums, the U.S. Junior Chamber has found that young Americans in general who have attended these forums have expressed a lack of confidence in the Social Security system. This is consistent with my personal experience in speaking with young adults.
 Page 133       PREV PAGE       TOP OF DOC
    When discussing the Social Security system, young Americans express frustration that although a significant deduction is made from each of their paychecks for FICA, many are convinced that when they reach retirement, the system won't be there.
    Despite the fact that the Social Security system may help more people than any other government program, most people, and especially young Americans, do not understand how the system works. Through townhall forums, the U.S. Junior Chamber has learned that the more that young Americans learn about how the Social Security system and Social Security benefits work, the greater interest they have in improving the current system and making sure that effective changes are made today to make sure the system is available for generations to come.
    Greater access to Social Security information will increase confidence in the system, and providing Personal Earnings and Benefit Estimate Statements via the Internet is a tremendous tool to help achieve that goal. The Internet is a growing medium and communications avenue for young Americans.
    Young Americans have grown up in a culture in which they have been surrounded by fax machines, mobile telephones, automatic teller machines, and so forth. In the nineties, young Americans expect to be able to get the information they want quickly. If they cannot get that information quickly, they are often inclined not to try to access it, and our Federal Government in general does not have a good reputation for being able to provide information quickly.
    It is no surprise to me that the Social Security Administration reports that the public's response to the Internet service was overwhelmingly positive. This service provides the public with the kind of quick response that they have become so accustomed to in many other aspects of their everyday lives but so rarely feel they get from the Federal Government.
    For these reasons, it is important that the Social Security Administration restore access to Personal Earnings and Benefit Estimate Statements via the Internet.
 Page 134       PREV PAGE       TOP OF DOC
    The Internet service was suspended because privacy concerns were raised, although the Social Security Administration reports that during the entire 10-year period that it has offered these statements via the mail and the month that the statements have been offered online, it has not received one allegation of an individual fraudulently accessing these records. In fact, the Social Security Administration has made an impressive effort to offer the Internet service in a way that will not compromise the privacy of any information made available via the Internet. More authenticating elements are required to access Personal Earnings and Benefit Statements via the Internet than are required to access the same information by mail.
    Furthermore, safeguards are built into its Internet system to prevent unauthorized attempts to access someone else's records and to identify suspected abuses for further investigation and possible prosecution. Criminal penalties are already in place that would punish those individuals that might misuse Social Security data.
    Hearing the testimony before me, it strikes me that concerns that have been raised about privacy are good and are right, but I think the gentleman who testified just prior to my testimony made the point that it is impossible to eliminate all the risks and at some point we need to find an appropriate balance.
    There was also a reference made earlier to the U.S. mail system. I seem to recall occasions when I received my neighbor's mail through the U.S. mail. It is a system that may not be perfect, but yet we use it every day in my office knowing there is some risk that the mail might not be delivered to the right place.
    All in all, we believe that providing access to these statements via the Internet is a tremendous opportunity for the administration to reach millions of young people and provide them with information that will help increase their confidence in the Social Security system. The Social Security Administration has gone to great lengths to ensure that the privacy of this information is properly protected. I urge this Subcommittee to restore access to Personal Earnings and Benefits Estimate Statements via the Internet.
 Page 135       PREV PAGE       TOP OF DOC
    Thank you very much.
    [The prepared statement follows:]

Statement of Bruce A. Rector, Member, U.S. Junior Chamber of Commerce, Lexington, Kentucky

    My name is Bruce Rector and I am a member of the United States Junior Chamber of Commerce. For a little over the past year, the U.S. Junior Chamber of Commerce, has been conducting Town Hall Forums across America on the issue of Social Security. Although individuals of all ages are welcome at the Town Hall Forums, the U. S. Junior Chamber has specifically sought the input of young Americans on this important issue.
    The purpose of these Town Hall Forums is two-fold. First, the U.S. Junior Chamber seeks to solicit ideas for the improvement of the Social Security system. Secondly, the U.S. Junior Chamber seeks to inform all Americans as to how the Social Security system works and what role Social Security benefits may play at some point in their own retirement plans.
    Through conducting these Town Hall Forums, the U. S. Junior Chamber has discovered that young Americans, in general, who have attended these forums, have expressed a lack of confidence in the Social Security system. This is consistent with my personal experience in speaking with young Americans about the Social Security system. When discussing the Social Security system, young Americans express frustration that although a significant deduction is made from each of their paychecks for FICA, many are convinced that when they reach retirement, the system won't be there.
    Despite the fact that the Social Security system may help more people than any other government program, most Americans, and especially young Americans do not understand how the system works.
    Through Town Hall Forums, the U. S. Junior Chamber has learned that the more young Americans learn about how the Social Security system and Social Security benefits work, the greater interest they have in improving the current system and making sure that effective changes are made today to insure that the system is available for generations to come.
 Page 136       PREV PAGE       TOP OF DOC
    Greater access to social security information will increase confidence in the Social Security system and providing Personal Earnings and Benefit Estimate Statements via the Internet is a tremendous tool to help achieve that goal. The Internet is a growing medium and communication avenue for young Americans. Young Americans have grown up in a culture in which they have been surrounded by fax machines, mobile telephones, automatic teller machines, etc.
    In the 1990's, young Americans expect to be able to get the information that they want quickly. If they cannot get that information quickly they are often inclined not to try to access it and our federal government in general does not have a good reputation for being able to provide information quickly. It is no surprise to me that the Social Security Administration reports that the public's response to the Internet service was ''overwhelmingly positive.'' This service provides the public with the kind of quick response that they have become so accustomed to in many other aspects of their everyday lives.
    For these reasons, it is important that the Social Security Administration restore access to Personal Earnings and Benefit Estimate Statements via the Internet. The Internet service was suspended because privacy concerns were raised, although the Social Security Administration reports that during the entire 10 year period that it has offered these statements via the mail and the month that the statements have been offered online it has not received one allegation of an individual fraudulently accessing these records.
    In fact, the Social Security Administration has made an impressive effort to offer the Internet service in a way that will not compromise the privacy of any information made available via the Internet. More authenticating elements are required to access Personal Earnings and Benefit Statements via the Internet than are required to access the same information by mail. Furthermore, safeguards are built into its Internet system to prevent unauthorized attempts to access someone else's records and to identify suspected abuses for further investigation and possible prosecution. Criminal penalties are already in place that would punish those individual that might misuse Social Security data.
 Page 137       PREV PAGE       TOP OF DOC
    Providing access to Personal Earnings and Benefit Estimate Statements via the Internet is a tremendous opportunity for the Social Security Administration to reach millions of young people and provide them with information that will help to increase their confidence in the Social Security system. The Social Security Administration has gone to great lengths to ensure that the privacy of this information is properly protected. I urge this subcommittee to support restoring access to Social Security Personal Earnings and Benefit Estimate Statements via the Internet.



    Chairman BUNNING. Thank you very much for all of your statements, and I am going to start with Mr. Christensen.
    Mr. CHRISTENSEN. Thank you.
    Mr. Hendricks, you stated that the SSA did not do any privacy analysis, yet the first panel of testimony stated that they had gone through NIST, also had done a very indepth analysis with Los Alamos. Do you have information that we have not been provided, or is that an editorial opinion?
    Mr. HENDRICKS. It is an opinion in the sense that NIST, they are talking about certain security aspects that they looked at.
    But in terms of looking at the history of who has tried to get access to this information and who has been successful at it, I don't see anything yet that shows that they took that information into consideration, which is testimony before this very Subcommittee. That is a privacy issue. It is like, what is the value of this information? What is the incentive to try and compromise it?
 Page 138       PREV PAGE       TOP OF DOC
    Second of all, I have talked to my colleagues in the privacy community, since we don't have any sort of independent privacy office as in other countries. In other countries, SSA would have been required to consult with the privacy office and they would have been stopped from doing it this way.
    As far as I can tell, SSA has not consulted with anyone who is a privacy advocate in this country or across the border in Canada. So they did not avail themselves of some of the assets there. The people they talked to were technical people, not people who put privacy as a policy concern first. So there is a difference: technical security does not equal privacy. They talked to technical security people.
    Mr. CHRISTENSEN. What did you think of Mr. Matchett's testimony concerning the checkoff idea on your IRS form?
    Mr. HENDRICKS. Well, yes, I believe the choice is a very important part of privacy.
    If you turn on daytime television, you will see a lot of people who don't care at all about their privacy. But any time you can have a system where people can choose how they want their information recorded and accessed, I think that is an excellent approach and that would solve the problem. If people decide yes, I want it online because I want to continually monitor it, that would solve the problem. Nothing like that was done in this case.
    Mr. CHRISTENSEN. Give me your analysis of the PIN, or the password or digital signature.
    Mr. HENDRICKS. I am hoping that we will be able to move toward a state in this country where we will be able to access all of our records. I am even working on a business venture trying to facilitate that. So yes, I would like to see PIN codes.
    I am just wondering technically if people can query SSA if there would be an automated callback, where the number would correspond to a home listing or something that would be a nice, cheap, and easy way to do it, but obviously you need some sort of PIN or password system, because I am always thinking about the information brokers out there.
 Page 139       PREV PAGE       TOP OF DOC
    Mr. CHRISTENSEN. You heard the previous panel's testimony. Were you aware of the high number of hits to the Department of Defense's Internet system—out of 250,000, 50 percent had been hit?
    Mr. HENDRICKS. In trying to get into that system? I remember seeing that in passing.
    I mean, these huge systems are kind of the electronic equivalent of swimming pools without fences around them, and the Defense Department has as big a fence as anyone, but they really are attractive nuisances, and that is why credit bureau databases are being hit by people engaged in identity theft and credit fraud, things like that.
    So there is a real problem of building these huge databases just like neighborhoods that used to have swimming pools without fences.
    Mr. CHRISTENSEN. I want to add my thanks to the Chairman for holding this hearing, and also to Mr. Rector and Mr. Marshall for your organization. I have been aware of your organization going around the country and doing their educational tour. I think it adds credence to bringing information to the young people on this issue.
    As you know, we have the opportunity to do a lot of high schools and visit with a lot of kids who have no idea where this money is going on their pay stub, and they have no idea what it is going to look like at age 65 and what is going to be there. I think the information that you are providing them and also the awareness issue is of paramount importance. I hope you continue to go city to city and provide that information through the tour and through the U.S. Junior Jaycees and—the Junior Chamber of Commerce and Jaycees. I think you are doing a good job. I appreciate your testimony.
    Chairman BUNNING. Mr. Hulshof.
    Mr. HULSHOF. Thank you, Mr. Chairman.
    Mr. Hendricks, to follow up on the questions that my friend from Nebraska was asking, under what circumstances do you believe that government agencies, including SSA, should notify individuals that their personal data has been compromised?
 Page 140       PREV PAGE       TOP OF DOC
    Mr. HENDRICKS. I think in the situation—in the testimony before this Subcommittee, clearly you had had cases where people outside the government were paying bribes to government employees. Government employees had leaked the information to outsiders, so they knew who sold what to whom about whom. And so that case, clearly there was a crime committed, and the people's records that are sold are victims of the crime.
    In those cases and I think in the IRS browsing cases, I believe that is another example where it was against certainly policy, it was against the law, or some gray area, and Congress had to follow up on that. But there is no question, not what people expect.
    So here are cases where people have been victims of crimes, the Federal agency is the only one that knows that you are a victim of crime, yet they refuse to notify you because they don't want you to worry your pretty little head about it. I don't think that is the way we should be running our information policy in the information age.
    So I hope those two examples outline the severe example where clearly they should be notified.
    Mr. HULSHOF. I am glad that you mentioned the Taxpayer Browsing Protection Act which we enacted or passed on our side on April 15, which, as you know, gives individuals more recourse to go after those who have snooped into their individual tax records. And you mentioned in your testimony that perhaps some legislative changes would be in order regarding what we are talking about today. What, if any, recommendations would you make?
    Mr. HENDRICKS. Well, I would go back to the 1977 one of those government reports by the congressionally created Privacy Protection Study Commission, and they recommended that we have a privacy infrastructure, and that is that we have an independent office.
    I would emphasize that it would answer directly to Congress, because right now you can see, with the executive branch, they get this issue and they just bury it and create a lot of wind and paper but they don't take any action, largely because privacy is for individuals.
 Page 141       PREV PAGE       TOP OF DOC
    Large organizations have no interest in privacy; they like to exploit people's personal data. And I think we have to move to a situation where people have a legal interest in their own personal information throughout society. In the information age, we need information rights, and right now you don't even own your own name in some context. If someone gets your name, you don't own it. And that is something that will be a long, hard march, but it is something that I think we will have to accomplish, because I think privacy rights, as my friend here said, will be to the information age what consumer product safety was to the industrial age. It is something we can't live without.
    Mr. HULSHOF. I take from your testimony that while we certainly applaud public forums around the country, that would not be enough, in your estimation, to restore public confidence.
    Mr. HENDRICKS. Yes, I think it will be hard, under the current situation, for SSA to do this Website the way they want to do it. The goal of facilitating electronic access I really support, but it is just sad, to me, talking about privacy infrastructure and wanting an independent office, but every major organization needs someone wearing a privacy hat.
    Nowadays we have to do many things, but our SSA Commissioner today said, well, do you have someone like that on your staff? And he couldn't answer. I thought that was a sad comment on the lack of privacy infrastructure and why SSA sort of went down this slippery slope.
    Mr. HULSHOF. Mr. Rotenberg, let me ask you, as Mr. Christensen asked Mr. Hendricks, to comment on Mr. Matchett's suggestion to allow individuals to assume the risk, if they choose to have this information available online. As Mr. Rector indicated, many young people would like to have that direct access, but give them the choice, what are your thoughts on that possible alternative?
 Page 142       PREV PAGE       TOP OF DOC
    Mr. ROTENBERG. Well, I certainly think there could be some benefit, but I also think there would be some cost, because to try to implement a system of the size that we are talking about and trying to reach that many people, and let them act on that choice, would be a tremendous problem.
    And of course people's preferences for privacy change over time. It may be the case that a lot of people today who are concerned about online access over time come to see the convenience of being able to get the data.
    I did visit the site before the system was taken down. I thought it was fairly well done. There was some way to do projection for future earnings and so forth, and I thought that would be very useful. It was something that you couldn't even imagine until you had seen.
    So of course you have to consider that if you gave people this option, then of course they may change their mind. And you never really escape the problem of what is the default setting, which is to say, if someone, you know, does nothing, is the information going to be online or will it not be online, and that is also going to be a big issue.
    Mr. HULSHOF. I thank the panel, and I thank you, Mr. Chairman.
    Chairman BUNNING. I have a question that I would like to ask the entire panel. Do you think this administration or any administration should set policy for security regarding all government information about individuals? In other words, the IRS and the Social Security Administration and any other database that the Federal Government controls, do you think this administration or any administration should have guidelines for security policy?
    Mr. ROTENBERG. Mr. Chairman, if I could take a crack at that, I think the short answer, in fact, is that we do have——
    Chairman BUNNING. But they are specific to individual agencies——
 Page 143       PREV PAGE       TOP OF DOC
    Mr. ROTENBERG. But, you see, the Privacy Act really was for all Federal agencies, and the structure of that law was basically to say to all agencies, if you are collecting personal information, there are certain general responsibilities that you have.
    Now, of course, over time we have had regulations that are specific for each agency, and specific record issues come up, and it is kind of like a tree, I guess, branching out in different practices and procedures.
    Chairman BUNNING. Let me restate my question then. Should there be an update of the Privacy Act?
    Mr. ROTENBERG. Yes, that is where I was heading, sir. I think the Privacy Act needs to be updated and needs to be enforced, because the piece that was missing in 1974 when the law was enacted and the reason why I and Mr. Hendricks both keep harping back to the notion of this privacy agency is that you really do need some oversight. You really do need someone in charge, someone responsible, who can say, Is this basic law, this law that protects privacy rights, is it being followed?
    Chairman BUNNING. Should it be an independent agency other than an appointee of the administration, or should it be someone who is within the administration?
    Mr. ROTENBERG. It should be independent, and it should be an office that is created pursuant to law, pursuant to statutory authority.
    Mr. HENDRICKS. I again can't emphasize enough, right now the overseer of the Privacy Act is the Office of Management and Budget, and their neglect of that has been well documented through the years. Watching them water down this latest administration report on privacy really was an embarrassment to the issue.
    And I would like to emphasize that when I go to the annual meeting of privacy commissioners and the United States has an empty seat there, that a lot of these commissioners, half the time they are sort of working with agencies to stop them from doing things like SSA does. Another thing they do is, they handle individual problems, which I think would be of tremendous assistance to congressional offices for constituent mail.
 Page 144       PREV PAGE       TOP OF DOC
    Sometimes privacy should not have to be a big Federal case; it is just a matter of a phone call, you know, or let's get this straightened out. And if you can refer constituents to that, I think that would really help with constituent service as well.
    But the most important thing a privacy commissioner does is just be a bully pulpit. And this is the problem with the IRS Privacy Advocate and the HHS Privacy Advocate. They are so secretive, it is hard to understand what they are doing. A privacy commissioner has to be transparent. They have to throw sunshine on the issue. Like the SSA, once this thing became public, they had to think about it, look at it, and stop. And it goes back to what Brandeis says: Sunshine is the best disinfectant; and that is the main rule.
    Chairman BUNNING. Mr. Matchett.
    Mr. MATCHETT. If I could make one comment about the IRS Privacy Advocate, Bob Veeder. I am quite familiar with the IRS tax modernization system, being on the National Research Council Committee looking at it from a security standpoint, and I thought he did quite a good job.
    Chairman BUNNING. I am sorry Mr. Portman isn't here. He might have a different opinion.
    Mr. MATCHETT. But in terms of your question, should there be an overall government policy for access to data? Absolutely, yes. The difficulty comes in responding to privacy policy. These systems are extremely complex, and it is very—you run up quickly, as the IRS did, to impossible situations where you cannot, with the existing systems or the resources you are willing to employ, meet those privacy goals. This means the only alternative is that you pull the plug, meaning shut down the system.
    We are making—continually for the last 15 years, we have made tradeoffs for convenience throughout the government, throughout the Defense, IRS, for the convenience of these electronic systems, and typically security and privacy have been the sacrifice. An overall government privacy policy for access to data is needed.
 Page 145       PREV PAGE       TOP OF DOC
    Chairman BUNNING. Mr. Rector.
    Mr. RECTOR. Mr. Chairman, I believe that this was a good idea.
    Chairman BUNNING. I don't think there is anyone here who——
    Mr. RECTOR. I am disappointed that it got slowed down. I thought the Social Security Administration really delved into it a lot. I realize they had to stop when these concerns were raised, but this is a very customer-based type process, and I think it is wonderful that the Federal Government——
    Chairman BUNNING. Well, I am a customer, and I am not so sure.
    Mr. RECTOR. Well, I think I would like to see the government resolve it once for all agencies so other agencies don't come up with good ideas and run into the same obstacles later on. I think it is a wonderful idea to have it all condensed into one place with the revisions to the Privacy Act rather than each agency having to go through this same process.
    Chairman BUNNING. OK. Anyone else?
    I want to thank you all for being here, and before we conclude, I would like to advise the witnesses that I might be sending additional questions to you for the record. With so many issues to consider, I am sure that more questions will come to mind when determining what actions will best correct the problems we have discussed today.
    I would like to thank the witnesses who have certainly helped enlighten me and the Members of the Subcommittee about the complex nature of offering information online. Thank you very much for your time.
    The Subcommittee is adjourned.
    [Whereupon, at 5:15 p.m., the hearing was adjourned.]
    [Submissions for the record follow:]
 Page 146       PREV PAGE       TOP OF DOC

Statement of Robert S. Litt, Deputy Assistant Attorney General, Criminal Division, U.S. Department of Justice

    Mr. Chairman and members of the Subcommittee: Thank you for this opportunity to help increase public awareness of the potential hazards that accompany the many benefits of the Internet. I hope that increased appreciation of these pitfalls will help people to be careful in management of this powerful technology.
    The Internet, which allows people to interact electronically for both personal and commercial reasons, has generated justifiable excitement over the past few years. But as with other innovations, crime has quickly followed, and it has already begun to affect the public. I would like to describe for you some aspects of Internet crime that the Department of Justice is starting to see, and some of the steps we are taking to deal with it.
    Although it is difficult to quantify the scope of the computer crime problem, public reports have estimated that computer crime costs us between five hundred million and ten billion dollars per year. The Computer Security Institute has surveyed 428 information security specialists in Fortune 500 companies; 42% of the respondents indicated that there was an unauthorized use of their computer systems in the last year.
    Computers can play three different roles in criminal activity:
    •  First, computers can be targets of an offense, for example if a hacker tries to steal information from, or to damage, a computer or computer network. We're all familiar with examples of this, such as vandalism of Web sites or the introduction of viruses into computers.
    •  Second, computers can be tools in the commission of a traditional offense. They can replace the telephone as a tool in an illegal telemarketing operation; they can be and are used to create and transmit child pornography. Or, to give you a specific example, Russian computer hackers in St. Petersburg broke into a Citibank electronic money transfer system and tried to steal more than $10 million by multiple wire transfers to accounts in at least seven different countries. Members of the gang have been arrested in several countries, but according to Citibank $400,000 has still not been recovered.
 Page 147       PREV PAGE       TOP OF DOC
    •  Finally, computers can be incidental to the offense, but still significant for law enforcement purposes. For example, many drug dealers now store their records on computers, which raises difficult forensic and evidentiary issues that we don't face with old-fashioned paper records.
    Of course, a single computer could be used in all three ways. For example, a ''hacker'' might use his computer to gain unauthorized access to an Internet Service Provider such as America On-Line—known as an ''ISP''—and then use that access to illegally distribute copyrighted software stored on his computer's hard drive.
    But it is not only ISP's or large financial institutions who should be concerned about computer crime. Others have testified in other forums about the important issues of protection of our infrastructure and of the impact computers have on our ability to protect our intellectual property, and I won't dwell on them today. But hackers can also affect individual citizens directly. For example, they can compromise the confidentiality and integrity of personal and financial information. In one case, hackers from Germany gained complete control of an ISP in Miami and captured all the credit card information maintained on the service's subscribers. The hackers then threatened to destroy the system and distribute all the credit card numbers unless the ISP paid ransom. German authorities arrested the hacker when he tried to pick up the money—but had he not sought ransom he could have used the stolen credit card numbers to defraud thousands of consumers.
    Government records, like any other records, can be susceptible to a network attack if they are stored on a networked computer system or without proper protections. In Seattle, two hackers pleaded guilty to penetrating the U.S. District Court System, an intrusion which gave them access to confidential or perhaps even sealed information.(see footnote 20) In carrying out their attack, they used supercomputers at the Boeing Computer Center, also in Seattle, to crack the courthouse system's password file. If Boeing had not reported the intrusion to law enforcement, the District Court system administrator would never have known the system was compromised.
 Page 148       PREV PAGE       TOP OF DOC

    Just as significantly, the computer can be a powerful tool for consumer fraud. The Internet can provide a con artist with the unprecedented ability to reach millions of potential victims. As far back as December 1994—and two and a half years is a long time in this field—the Justice Department indicted two people for fraud on the Internet. Among other things, they had placed advertisements on the Internet which promised victims valuable goods upon payment of money. But the defendants never had access to the goods, and never intended to deliver them to their victims. Both pleaded guilty to wire fraud.(see footnote 21)

    Moreover, people can use computers to engage in new kinds of consumer fraud that would have never been possible before. In one interesting case, two hackers in Los Angeles pleaded guilty to computer crimes committed to ensure they would win prizes given away by local radio stations. When the stations announced that they would award prizes to a particular caller, for example the ninth caller, the hackers manipulated the local telephone switch to ensure that the winning call was their own. Their prizes included two Porsche automobiles and $30,000 in cash. Both of them received substantial jail terms.(see footnote 22)

    Just this year, in another interesting case that raises novel issues, a federal court in New York granted the Federal Trade Commission's request for a temporary restraining order to shut down an alleged scam on the World Wide Web. According to the FTC's complaint, people who visited pornographic Web sites were told they had to download a special computer program to view the sites. Unknown to them, the program secretly rerouted their phone calls from their own local Internet provider to a phone number in Moldova, a former Soviet republic, for which a charge of more than two dollars a minute could be billed. According to the FTC, more than 800,000 minutes of calling time were billed to U.S. customers.
 Page 149       PREV PAGE       TOP OF DOC
    Like other kinds of crimes, Internet crimes can be addressed proactively and reactively. For example, fraudulent activity over the Internet, like other fraudulent activity, can be prevented to some extent by increased consumer education. People must bring the same common sense to bear on their decisions in cyberspace as they do in the physical world. They should realize that a World Wide Web site can be created at relatively low cost and can look completely reputable even if it is not. They should invest time and energy to investigate the legitimacy of parties with whom they interact over the Web. Just as with other consumer transactions, they should be careful about where and to whom they provide their credit card numbers. The ancient maxim ''caveat emptor'' continues to apply with full force in the computer age.
    The public can also be protected by vigorous law enforcement efforts. Many consumer-oriented Internet crimes, such as fraud or harassment, can be prosecuted using traditional statutory tools, such as wire fraud. Moreover, last year the Congress, at our request, substantially strengthened the laws against computer crime in the National Information Infrastructure Protection Act of 1996. As now drafted, the law contains eleven separate provisions designed to protect the confidentiality, integrity and availability of data and systems.
    Nevertheless, the Internet presents novel challenges for law enforcement. Two particularly difficult issues for law enforcement are jurisdiction and identification.
    One of the benefits of the global Internet is its ability to bring people together, regardless of where in the world they are located. But this can sometimes have a subtle impact for law enforcement. For example, to buy a book you used to walk down to your local bookstore and have a face to face transaction; if the bookseller cheated you, you went to the local police. But the Internet can make it easier and cheaper for a consumer to make purchases, without even leaving his or her home, from a distributor based in a different state or even a different country. And if the consumer pays by credit card or, in the future, electronic cash, and then the book never arrives, this simple transaction may become a matter for the federal or even international law enforcement community, rather than a local matter.
 Page 150       PREV PAGE       TOP OF DOC
    Moreover, the Internet makes interstate and international crime significantly easier in a number of respects. For example, a fraudulent telemarketing scheme might be extremely difficult to execute on a global basis because of the cost of international telephone calls, the difficulty of identifying suitable international victims, and the more mundane problem of planning calls across numerous time zones. But the Internet enables scam artists to victimize consumers all over the world in simple and inexpensive ways. An offshore World Wide Web site offering the sale of fictitious goods may attract U.S. consumers who can ''shop'' at the site without incurring international phone charges, who can be contacted through e-mail messages—and who may not even know that the supposed merchant is offshore. The Moldova phone scam I mentioned earlier provides an example of the relative ease with which more complex international crimes may be perpetrated. In such a global environment, not only is international crime more likely, but some consumer fraud cases traditionally handled by state and local authorities may require federal action.
    Another fundamental issue facing law enforcement involves proving a criminal's identity in a networked environment. In all crimes—including cybercrimes—we must prove the defendant's guilt beyond a reasonable doubt, but global networks lack effective identification mechanisms. Indeed, individuals on the Internet can be anonymous, and even those individuals who identify themselves can adopt false identities by providing inaccurate biographical information and misleading screen names. Even if a criminal does not intentionally use anonymity as a shield, it is easy to see how difficult it could be for law enforcement to prove who was actually sitting at the keyboard and committing the illegal act. This is particularly true because identifiable physical attributes such as fingerprints, voices or faces are absent from cyberspace, and there are few mechanisms for proving identity in an electronic environment.
    A related problem arises with the identity of the victim. With increasing frequency, policy-makers are appropriately seeking to protect certain classes of citizens, most notably minors, from unsuitable materials. But if individuals requesting information can remain anonymous or identify themselves as adults, how can the flow of materials be restricted? Similarly, if adults can self-identify as children and lure real children into dangerous situations, how can these victims be protected? Congress last year made an important attempt to protect minors who use the Internet in the Communications Decency Act. As you know the Government defended the constitutionality of that statute before the Supreme Court in March and we are awaiting the Court's decision.
 Page 151       PREV PAGE       TOP OF DOC
    One area that raises both jurisdictional and identification issues is Internet gambling. The Internet offers several advantages for gambling businesses. First, electronic communications, such as electronic mail, allow for simple record keeping. Second, the Internet is far cheaper than long distance and international telephone service. Third, many software packages make it easy to operate consumer businesses over the Internet. Use of the Internet for gambling—as well as for other illegal activities such as money laundering—could increase substantially as the use of ''electronic cash'' becomes more commonplace.
    Gambling on the Internet is governed by existing federal law. Interstate gambling by the use of any wire communication facility, including the Internet, is illegal unless the gambling activity is legal in both states. Even where gambling is legal, it is legal only for adults. Therefore, the legality of gambling depends critically on both the location and the age of the participants, neither of which can be verified reliably through current network mechanisms, at least when the participants are not willing to cooperate honestly. Congress has already established the national Gambling Impact Study Commission to study a variety of issues, including ''the interstate and international effects of gambling by electronic means, including the use of interactive technologies and the Internet.''(see footnote 23) We expect to provide assistance to the Commission, and hope they will address the difficult issues we have raised here.

    In other contexts as well, we have long taken steps to ensure that the Justice Department can respond effectively to Internet crime. For example, as far back as 1991 both the Federal Bureau of Investigation and the Justice Department created dedicated computer crime units. Since that time, the FBI has established two additional high-tech squads, and the Department has created, within the Criminal Division, a new Computer Crime and Intellectual Property Section. Additionally, in early 1995, the Department of Justice initiated the Computer/Telecommunications Coordinator program, under which each of the 93 United States Attorney's Office has designated at least one Assistant United States Attorney to serve as an in-house high-tech expert. We provide special training to these prosecutors to help them keep abreast of the rapidly changing technological and legal issues. In addressing privacy concerns, the Department has participated in a number of working groups and forums that have included representatives from both the public and the private sector, including the Privacy Working Group of the Information Infrastructure Task Force.
 Page 152       PREV PAGE       TOP OF DOC
    The Department of Justice is also taking the lead in providing training in computer and telecommunications technologies and legal issues to others in law enforcement. The Computer Crime and Intellectual Property Section has established an ''Infotech Training Working Group,'' which includes representatives from every relevant federal agency, the National Association of Attorneys General, the National District Attorneys Association, and others, to guide, assist and coordinate federal, state and local high-tech training.
    As significant as these efforts are, however, the problems of the global Internet cannot be solved without extensive international cooperation. Although international awareness concerning computer crime is growing, considerable work remains, as countries attempt to harmonize their computer crime laws and eliminate the procedural obstacles which prevent the timely acquisition of evidence that is located in cyberspace. Several separate efforts are underway to tackle these difficult issues, including multilateral efforts at the Organization for Economic Cooperation and Development, the P–8, and the Council of Europe.
    Mr. Chairman, I thank you for the opportunity to present testimony today. The Attorney General and the Department of Justice look forward to working with the Congress to meet the law enforcement and privacy protection challenges associated with the Internet.



Statement of Dr. Peter G. Neumann, Principal Scientist, Computer Science Laboratory, SRI International, Menlo Park, CA
The Social Security Internet Website: Technology and Privacy Implications

 Page 153       PREV PAGE       TOP OF DOC

    This document is prompted by the recent on-line availability of the PEBES (Personal Earnings and Benefit Estimate Statement) database system, a Website developed and maintained by the Social Security Administration (SSA) (http://www.ssa.gov). Because of widespread complaints (for example, see [2]), PEBES was removed from the Internet to permit further study of some of the implications. On the whole, the SSA is to be commended for taking the initiative toward making this database available on the Internet, but chided for not having engaged in a public review prior to implementation and deployment. Nevertheless, it is appropriate that the SSA is now submitting to an open review.
    This testimony discusses the underlying issues and makes a few constructive suggestions. Section 1 addresses specific questions from the SSA. Section 2 discusses the issues and the risks. Section 3 gives some recommendations, while Section 4 provides a concise summary.

1. SSA Questions and My Answers

    For its forthcoming series of Social Security Forums, the SSA has requested brief answers to the following questions. My answers are interspersed; further discussion follows in Section 2.

SSA Q1. In providing electronic services, what information should SSA require from a customer for authentication of identity?

    First, let me answer a more important question: What information should not be required from a customer? Easily acquired information such as names, phone numbers, SSNs, and mother's maiden names should not be used for authentication of identity—although it is of course very useful for identification. Identity and authenticity must not be confused. (See item 2a in Section 2.1 on identity, authentication, and authorization.) Nonspoofable authentication is very difficult to attain; it requires a substantially more secure infrastructure than is currently available or foreseen. A user-designated nontrivial password would be a marginal improvement; however, in the absence of encryption, those passwords would be transmitted in the clear and therefore capturable. In the absence of substantial infrastructural improvements and meaningful authentication, all measures to provide proof of customer identity can be compromised.
 Page 154       PREV PAGE       TOP OF DOC
    Now we can address SSA Q1. A relatively straightforward near-term authentication procedure is proposed in the paragraphs of item 3d in Section 3, requiring a separately obtained confirmation number that must be used in conjunction with the customer password; that approach would be significantly stronger than the existing procedure. In the longer term, when a national certificate service is available and the infrastructure has improved, it would be natural to use some sort of one-time (nonreusable) cryptographically-based token. (See References [4] and [5] for consideration of risks in the infrastructure.)

SSA Q2. Beyond information obtained directly from the customer, what further safeguards should SSA employ to support customer authentication and privacy in electronic transactions? Which safeguards should be employed in the near term, and which in the longer term?

    Three additional safeguards are of particularly urgent importance in the near term, relating to accountability (item 3i). The first involves detailed monitoring of all database accesses. The second involves real-time analysis of the monitored accesses to detect nonindividual uses of the database and other potential misuses—for example, to discover and analyze apparent attempts to access records for different individuals or data collections en masse. The third is to provide even stronger authentication (item 3f), monitoring and analysis of system access (item 3i) by insiders who are privileged to query, update, modify, or maintain the PEBES database and the underlying system—recognizing that insider misuse is always a serious risk (as noted in item 2g).
    Unfortunately, it is often not possible to identify a perpetrator in the absence of meaningful authentication; the perpetrator could be using a faked network identity and a faked net address, possibly even masquerading as a victimized user. However, at least the SSA might become aware of the extent of the misuse, and could consider defensive measures such as further monitoring and pursuit of the offenders. In the longer term, the SSA should actively promote the development of a national public certificate service and a much more robust computer-communication infrastructure, which the SSA should anticipate by planning now to exploit where appropriate.
 Page 155       PREV PAGE       TOP OF DOC

SSA Q3. Should we reinstate the PEBES online service with minor additions to the safeguards we had in place, should we reinstate it only with fundamental changes to our safeguards, or should we not reinstate it at all?

    Clearly, the SSA would like to reinstate PEBES, because of its potential benefits to the SSA. However, the risks to the public must be considered. I believe that PEBES must not be reinstated if only minor additions can be made. I would not recommend reinstatement unless I were convinced that the SSA really understands the risks outlined here, and that it had engineered something along the lines of the much less spoofable authentication scheme noted in my response to Q1 (item 3d), the monitoring and analysis capabilities in my response to Q2 (item 3i), and internal-use controls (item 3f). Fundamental changes are necessary. Minor additions are insufficient to defend against identity fraud and other misuses, with respect to individuals as well as on a massive scale. (See items 2e to 2g on the risks of identity theft.)

SSA Q4. If you believe electronic PEBES should be reinstated, what additional safeguards should we include?

    If the SSA believes that what is recommended in my responses to Q1, Q2, and Q3 is worth pursuing, then it must also recognize that those measures (or something equivalent) are by themselves still insufficient—even if they could be fully enforced. In fact, serious extrinsic risks would remain that cannot be covered by system safeguards. Several procedural safeguards are noted in my response to Q5.

SSA Q5. Because the question of maintaining privacy in electronic transactions has far-reaching implications in both the public and private sectors, what other matters should SSA consider in addressing this major public-policy issue?
 Page 156       PREV PAGE       TOP OF DOC

    The SSA must look broadly at PEBES and related databases. It would be simplistic to place blame on the existence of Social Security Numbers or on the existence of PEBES; the problems are much deeper than that, relating to intrinsic vulnerabilities in authentication and the overall infrastructure, misuses that can occur outside of the scope of the PEBES system, and legal shortcomings (for example). As discussed in detail in Section 2, any such databases will inevitably have some serious misuses; the potential risks are quite far-reaching. SSA employees must understand and anticipate the overall risks that can result from the misuse of SSNs and the misuse of the PEBES data—in the larger context of identity theft, aggregation of data from other sources, and related problems. In addition, law-enforcement communities must understand the implications of these risks on the victims—whose tales of woe are often either disbelieved or ignored. All Government employees with legitimate privileged access to PEBES and related systems must be specially trained to resist social-engineering efforts by would-be perpetrators. Explicit codes of proper use must be established for both external users and internal SSA personnel. Legislation must provide stiff penalties for database misuses that violate those codes, and empower compensation for victims of identity theft and other personal intrusions that might result. Although there can be no complete set of countermeasures or checklists, these procedures would help.
    The rest of my testimony discusses these issues and recommendations in greater detail.

2. Discussion of the Issues and the Risks

    The primary message of this testimony is that, despite the desire to make information readily available to those individuals directly involved, there are many opportunities for serious misuse of personal information that must be carefully considered. Similar issues have arisen before, as in the case of the criminal-history information that was formerly a part of the NCIC National Crime Information database; the criminal-history data is much more prone to misuse than the more topical NCIC data that needs to be widely available for law-enforcement purposes. However, in the case of PEBES, the application affects every individual in the country much more directly than other databases. Although this document refers specifically to PEBES and certain types of misuses that can result from it, the observations and conclusions here are also applicable to many other databases, both public and private.
 Page 157       PREV PAGE       TOP OF DOC
    Ideally, the World-Wide Web is a very effective way to make public information accessible world-wide. In practice, there are some serious technological and social problems, discussed herein.
    In general, most people—including many professionals and managers—are oblivious to most of the risks relating to the use of computer systems (see Reference [5]). These risks tend to be dramatically amplified in the on-line world, compared with the paper-based world of a few decades ago. What could previously have been done typically only with some effort by an insider to affect a single individual can now be done with almost no effort on a massive scale to affect an entire population. Furthermore, a perpetrator can operate outside of the country and beyond its legal jurisdiction. The Internet greatly exacerbates the problems because of its almost instantaneous global accessibility, with its serious lack of system and network security, Website integrity, personal authentication, accountability. The entire infrastructure is riddled with risks [4], although many of those risks are routinely ignored by database purveyors. PEBES gives us an opportunity to analyze some of these risks.

2.1. Intrinsic Technological Risks

    Various risks arise within the limits of the technology itself.
    * 2a. Identity, authentication, and authorization of Website users. We make a careful distinction among the concepts of personal identity, authentication that someone's identity is as claimed, and authorization that permits an authenticated individual to access computer systems and data in some particular way. Identities tend to remain the same over time, whereas parameters used in authentication and authorization may change—and may actually have to be revoked under certain circumstances. Commonly known information (such as your name) is typically used for identification purposes. Unfortunately, easily acquired information is often also used as a means of authentication, which is an extraordinarily bad practice. For example, unless you have militantly refused to divulge your SSN, it and your mother's maiden name are likely to be available in many places accessible to a would-be impersonator. The latter ''secret'' item is on your birth certificate and is found in publications such as Who's Who. In general, authentication does not prove that someone claiming to be a particular individual is actually that individual. This not only opens up risks of impersonation, but also introduces the problem of repudiation—namely, that an individual using his or her own identity for authentication may justifiably be able to later claim that it had been someone else.
 Page 158       PREV PAGE       TOP OF DOC
    The Internet does not currently provide any real assurances as to the identity of a person or computer agent accessing a given Website. It is relatively easy for one user to masquerade as another user, and even to appear to be coming from a system other than the one from which misuse originates. Some systems and Web browsers take authentication more seriously than others (for example, using the SSL secure socket-layer protocol), but casual use typically requires no positive authentication. Even if some sort of strong authentication were to be invoked (and many techniques are emerging as less spoofable alternatives to reusable passwords), the typical Website does not enforce differential authorization in the form of selective access controls—once you are there, you may have implicit permission to read everything that is accessible to any other Web browser. PEBES does attempt to restrict you to accessing your own records, although such controls in similar systems are often subvertible.
    * 2b. Integrity of the data and the system. In principle, PEBES is a read-only database where external users are not permitted to modify the information. However, because of the existence of flaws in Webware security and presumed flaws in the SSA operating systems and networking software, that does not necessarily prevent an intruding external user from modifying the data—for example, by masquerading as an internal SSA employee. Thus, there is the possibility that information on a given Website may itself not be trustworthy, because the Website may have been compromised. Recent attacks on Websites resulted in the disruptive alteration of Web pages developed by the CIA, NASA, the Justice Department, the Air Force, and even the National Collegiate Athletic Association. Subtler changes that are not immediately obvious could be even more insidious than flagrantly obvious spoofs. In addition, malicious alternative sites may be created that act as Trojan horses—capturing sensitive information, interfering with normal use, or otherwise deviating from expected behavior. For example, promulgation of a false http address such as http://www.ssa.org instead of www.ssa.gov might entrap users into responding to requests for their SSN, mother's maiden name, and other identifying information, and then could redirect their queries to the correct site).
 Page 159       PREV PAGE       TOP OF DOC
    * 2c. Correctness of the data. Various reports suggest that there are many errors in the information in the Social Security databases, although people typically may not discover errors until they retire—by which time records and evidence necessary to make corrections may no longer be available. Unfortunately, many people assume that ''computers are always right.''
    * 2d. Confidentiality of the data. Widespread dissemination of certain parts of the SSN data for a given customer data may lead to misuse in the context of the authentication problems (2a) and the risks of identity theft (2e to 2g). However, it is worth noting that certain high-level Government employees have their PEBES records ''red-flagged'' to make them inaccessible externally; I hope those folks are not the ones who might falsely conclude that there are no significant risks resulting from external disclosure of records! As discussed here, the secondary risks of misuse can be considerable.
2.2. Extrinsic Risks: Misuse Beyond the Computer Systems

    Many other risks are outside of the scope of the computer technology, such as large-scale identity fraud, data mining to identify potential targets, and development of commercial database systems that integrate and draw inferences from data across many different databases.
    * 2e. Inference and aggregation. Perhaps the most serious risk of a Website containing information on individuals is that this information can be used for purposes other than those for which it was intended. Furthermore, information from different databases may be easily combined to provide detailed information about individuals that may be misused to the detriment of those individuals, either by further computer manipulation or by ''social engineering''—getting people to do what they are not supposed to do by exploiting partial knowledge and clever subterfuges. Although individual data items may not appear to be sensitive, their aggregation may provide opportunities for attacks on particular individuals or on large groups of people. (There are also risks of annoyance such as apparently legitimate creative scams, or being flooded with unwanted solicitations.)
 Page 160       PREV PAGE       TOP OF DOC
    * 2f. Identity theft. An important type of misuse derived from the collection of personal information involves theft of one's identity and other forms of malicious masquerading. For example, knowledge of your Social Security Number (SSN) and mother's maiden name is often sufficient for someone else to dishonestly access and manipulate your financial accounts, and to obtain credit cards and loans in your name. There have been numerous sometimes very agonizing cases of identity theft. (Recall the cases of Terry Dean Rogan, Richard Sklar, Teresa Stover, Clinton Rumrill, and Charles Crompton (see Reference [5]), and the more recent cases of Kathryn Rambo and Caryl Fuller [3]. For example, Rambo's masquerader acquired a $35,000 sports utility vehicle, a $3000 loan, new credit-card accounts, and a rented apartment in her name. (These cases are summarized in the on-line Risks Forum Digest, volume 19 no 05. Additional problems with identities are summarized in the Risks Forum Digest, vol 18, no 91.) In other cases, life savings and all social security benefits have been lost. Perhaps the most tragic is that once this has happened to you, your life may have been permanently altered; efforts to regain your credit rating and your sanity may be very difficult.
    * 2g. Misuse of SSNs. SSN misuse is apparently an art form. 550 felonies involving SSN misuse were reported in approximately the first half of 1991, a sudden considerable increase over earlier years [1]. The problems seem to be growing rapidly since then [3]. To give just a few examples of fraudulent SSN misuse, a woman dunned for back taxes discovered that her SSN was being used by 12 other people; another person found someone had opened up 16 credit cards in her name and charged $10,000; another person claiming her own unemployment discovered others had beaten her to it using her SSN [1]. SSN misuse can be done by outsiders and insiders; it transcends the issues raised by PEBES. A notorious case of insider misuse involved several SSA employees who sold SSA information (including SSNs and mother's maiden names of more than 11,000 people) to a credit-card fraud ring, which then used the information to activate newly issued Citibank credit cards that had been stolen. (See the on-line RISKS, vol 18, no 02.)
 Page 161       PREV PAGE       TOP OF DOC
    * 2h. Uniqueness of apparent identity. The SSN has a major intended benefit in that a correct SSN is expected to uniquely identify an individual (or, in the case of an EIN, a corporate entity). Note that the reverse is not generally true, because some individuals have multiple SSNs, or no SSN at all. Also, some SSNs are fraudulently obtained.
    * 2i. Allocation of SSNs. There are various cases in which the same SSN has been allocated to or used by different people. In one case, two women with almost the same name and birthdays in the same month were given the same SSN, which was discovered only when one of them was dunned for back taxes on their combined income ([4], p. 196).

3. Where Should we Go from Here?

    It is essential to accept the fact that there are no easy answers. However, here are some fairly specific recommendations that could help significantly.
    * 3a. The identity-related risks of information systems must be recognized and assessed realistically. Identity fraud is becoming very easy to perpetrate, very profitable, and very difficult to prevent (let alone to detect) until it is too late. The ready availability of SSNs and other personal information greatly increases the risks in the absence of people who understand the risks. Confusion or ambivalence over how vulnerable SSNs are also adds to the problem.
    * 3b. Using SSNs for authentication as well as identification is an enormous mistake. SSNs are certainly useful for identification, and can even help avoid problems resulting from accidental misidentification. However, when required to be presented as a means of authentication, they are too easily misused.
    * 3c. It is in general wise to plan on open access for Government databases rather than restricted access, whenever the other risks can be controlled. However, the risks of inference, aggregation, and misuse must be addressed explicitly rather than ignored. In particular, the only practical strategy regarding SSNs is to assume that they are public, and to establish strong restrictions on how they may be used with stringent penalties for misuse. Nevertheless, whenever any data sensitivity is present, authorization to access records should be restricted to those authenticated users who actually need such access. Furthermore, it is unwise to assume that unprivileged (e.g., external) users cannot find a way to gain the access permitted to privileged (e.g., internal SSA) employees, or to assume that privileged users are all impeccable.
 Page 162       PREV PAGE       TOP OF DOC
    * 3d. In the short term, any attempt to resuscitate PEBES should include nontrivial user passwords that are assigned by the SSA more or less randomly and distributed securely to individuals. In addition, the SSA must find some way of preventing masqueraders from requesting address changes for other people—which is relatively easy today, through either the postal service or the SSA.
    My colleague Lauren Weinstein (Moderator of the Privacy Forum Digest, which exists in part under the auspices of my ACM Committee on Computers and Public Policy) suggests a relatively simple multistep approach that could help reduce misuse. A person requesting access to the database via the World Wide Web would be asked to provide an existing identifier, but would not be granted access to any data during this initial authentication session. Secure-sockets mode would be required for all Web transactions to prevent interception. During this initial session, the SSA Website would generate and display a random confirmation number to be used in future sessions. It would also generate a random password, which would be sent in a sealed envelope by postal mail to the user's established address. The password would never be displayed via the Web, and the confirmation number would not be sent through the mail.
    After receiving the password via postal mail, the customer could then routinely use that password in conjunction with the confirmation number to access the server for database queries or other operations. The use of the confirmation number would make the password of little use to anyone else receiving the mail. The password would be sent only to the user's address of record in the SSA database; specification of or changes to the address would not be permitted through the Web site during the authentication session, and in subsequent sessions would require both the confirmation number and the password. Additionally, notice of any change of address should be mailed via the USPS to both old and new addresses.
    Although this procedure is not completely foolproof, it could dramatically reduce misuse. Although the initial establishment of each user's authorized account would take a few days of elapsed time, subsequent accesses would be instantaneous with minimal involvement of SSA human resources, with lowered risks to each individual, and greatly decreased opportunities for large-scale misuse.
 Page 163       PREV PAGE       TOP OF DOC
    * 3e. In the more distant future, our computer infrastructure must become more secure (for digital commerce, if nothing else), and some sort of national public certificate authority must be instituted (more or less invisibly). When this occurs, it would be the basis for some form of one-time password such as supposedly nonforgeable cryptographic authenticators, and significantly better authentication could become ubiquitous. Privileged access, selective write-access controls for SSA employees, selective read access only to properly authenticated users, and nonbypassable audit trails would then be much easier to enforce, and misuse might be easier to control.
    * 3f. In addition to stronger authentication for customers, even stronger authentication is recommended for privileged users with permission to modify the database or to access it globally. Cryptographic or biometric authenticators (e.g., fingerprint or handwritten signature) might be appropriate for any privileged accesses above and beyond individuals accessing only their own records.
    * 3g. People should be given the option to have on-line access disabled completely (thereby denying access to masqueraders and to themselves).
    * 3h. We must develop a more meaningfully secure infrastructure. The present infrastructure is very weak with respect to security and integrity. Authentication and accountability are fundamental to digital commerce and governmental uses of computer-communication technology, and must be pursued more vigorously. If such solutions were more widely available, they could contribute to an amelioration of the identity theft and general misuse problem—as well as the SSA database risks. (Again, see Reference [4].)
    * 3i. Good accountability requires at least two capabilities. The first involves detailed monitoring of all attempted database accesses, in terms of who made the access, what query (or update) was initiated, what data was accessed, or what type of failed access resulted in cases where either the authentication or the authorization barred access. System staff personnel with permission to update the database should be subjected to stringent authentication and detailed monitoring. Accountability is also necessary for all status changes—changes of user address and changes of system authority. The second capability involves real-time analysis of the monitoring results to detect and analyze suspicious uses of the database—for example, to discover immediately unauthorized attempts to access records for multiple individuals. Unfortunately, accountability may be very weak in the absence of strong user authentication. For example, a perpetrator masquerading as another user or using a faked net address may be very difficult if not impossible to identify and prosecute. However, such real-time analysis could at least alert the SSA to ongoing misuse, whereupon the SSA could consider alternatives such as carrying out finer-grain monitoring, or decommissioning the system.
 Page 164       PREV PAGE       TOP OF DOC
    * 3j. PEBES should detect repeated unsuccessful access attempts, and have the option of disabling all accesses to that record after several failed attempts. That option could be turned off if system administrators detect a massive denial-of-service attack attempting to block everyone from the system.
    * 3k. Attempting to detect misuse is much less satisfying than having a policy for authentication and authorization that can be properly enforced. Unfortunately, today's infrastructure does not permit such a policy to effectively control usage. Also, external misuse cannot be adequately limited by internal controls.
    * 3l. As SSNs are increasingly exhausting the 9-digit limit, randomly generated numbers are more likely to be valid. Adding redundancy to the SSN itself (for example, through a check digit as used in credit-card numbers) could somewhat reduce mistakes resulting from mistyped or misread digits. This, however, would do very little to increase security, just as the check digit on credit cards does little to prevent fraud. Similarly, it would not eliminate the use of bogus SSNs.
    * 3m. All in all, there are very considerable risks to individuals and to Government stability. The Social Security Administration problems raised by PEBES are merely the tip of an enormous iceberg, although they are very significant in their own right. Any measures to resolve the SSA problems must also take into account the broader issues relating to the need for open Government information via the Internet and the risks that ensue—as well as the risks of not having open information.
    * 3n. Various legislation is being contemplated. For example, Senators Dianne Feinstein (Dem., California) and Charles Grassley (Rep., Iowa) have introduced legislation (S 600) that would bar commercial use of Social Security numbers (including by state motor-vehicle agencies) and make it illegal for credit bureaus to disseminate Social Security numbers, unlisted phone numbers, birthdates, mothers' maiden names, and other personal information. It would also enable offended parties to collect civil damages. In the House, Congressman Paul E. Kanjorski (Dem., Pennsylvania) has submitted legislation that would create a Commission on Privacy of Government Records and ban Social Security or Internal Revenue Service records from being posted on the Internet without an individual's written permission (Washington Post, 17 Apr 1997). Although any legislation must be reviewed carefully for loopholes and side-effects, it is essential that some such legislation be passed. In the absence of a sufficient infrastructure, taking no action at all would be insufferable.
 Page 165       PREV PAGE       TOP OF DOC
    * 3o. Good cryptography is needed—both for authentication and for confidentiality in transmitting passwords (not to mention the user data). Existing U.S. cryptographic policy is therefore a relevant factor [6]. Although the existing export controls do permit strong cryptography to be exported if it cannot be used for anything other than authentication, in many systems it is difficult if not impossible to ensure that such cryptography could not be used as encryption for secrecy; thus, the export controls and associated difficulties in integrating cryptographic solutions into systems tend to have a chilling effect on cryptography used for authentication as well as for privacy. As a consequence, effectively authenticated use of databases such as PEBES may be further hampered by delay in the development a national public-authentication infrastructure—which is already hindered by these controls.

4. Conclusions

    In conclusion, I believe that the dramatic increase in the open use of Internet-accessible databases and Websites—both Governmental and private—is generally very beneficial. However, some of those databases (and PEBES in particular) have the potential for seriously increasing the risks of identity theft and related misuse. The technological alternatives suggested here are quite realistic—better authentication, authorization, and accountability for both insiders and outsiders, use of secure browsers, and eventually the use of a public-key certificate infrastructure.
    * 4a. Risk awareness. Despite the massive size of the SSA organization, many of its employees will have to be cognizant of the risks and exert the vigilance necessary to avoid them. The law-enforcement community will need to recognize the risks (in several cases, victims of identity theft have been further victimized by unknowing police actions) and help in achieving remedial measures. In addition, the populace at large must become better aware of these risks and their implications.
 Page 166       PREV PAGE       TOP OF DOC
    * 4b. Risk assessment. Attempting to quantify the risks associated with systems such as PEBES is itself a risky business. Quantitative risk assessment is very much like statistics—you can prove anything you want, depending on your assumptions and skill. (For example, see [5], pages 255–257.) On the other hand, I strongly urge Congress to commission a non-SSA oversight group (such as the Government Accounting Office) to conduct a comprehensive qualitative risk assessment for PEBES that takes into account all of the factors discussed in this testimony (and others I may have omitted). Superficial analysis might conclude that a few individuals losing a little privacy is not a sufficient risk to warrant the measures that I have recommended. However, a deeper analysis might conclude that the risks affect not just a few unfortunate victims of identity theft or financial fraud, but wide-spread coordinated and well-organized extrinsic misuse that is vastly greater than generally recognized and could indeed affect the national infrastructure. Even with such a risk analysis, we may have to endure a few highly visible massive misuses for this conclusion to become evident; it often takes a major disaster affecting important people.
    * 4c. Seeing the big picture. Focusing too much on the database information itself is a mistake—the real problems arise because of the many ways in which that information can be misused. Risks of information misuse represent a fundamental problem that cannot be avoided by restricting the use of SSNs for identity purposes, but that can be greatly reduced by avoiding the use of SSNs and related common knowledge for authentication purposes. PEBES is not intrinsically bad; however, as it is presently implemented, its use is an open invitation to misuse, particularly in the absence of a meaningfully secure infrastructure.
    * 4d. Technology. The SSA (as well as other state and Federal government agencies) should be extremely cautious when deploying databases such as PEBES, and should make a much greater effort to understand the risks summarized here. There are no easy answers; there is no simple way to make PEBES widely available without encountering the risks outlined here, given the vulnerabilities in today's technological and social infrastructure. At the very least, identifying information such as SSNs should be avoided as a means of authenticating identities (item 3a and 3b, above), and SSNs should not be assumed to be secret (item 3c). PEBES and any other database systems contributing to the identity-theft problem and related misuse should provide nontrivial individual authentication and selective authorization (as discussed in items 3c through 3g), generally improved computer-communication infrastructure (3h) including good cryptography (3o), thorough monitoring and accountability (3i), real-time detection of potential misuse (3i), and reaction to systematic attacks (3j).
 Page 167       PREV PAGE       TOP OF DOC
    * 4e. Legislation. Explicit policies must define unacceptable misuse of information—for example, associated with SSNs and PEBES—and thoughtful legislation must provide stiff penalties and unwaivable tort-law protection (see item 3n). However, making something illegal may not be a sufficient deterrent if the infrastructure is incapable of providing adequate internal and external controls and positive identification of culprits.
    PEBES must constrain access so that individuals can access only those data items for which they have a direct need to know. Suitable technology and administrative controls must be in place to minimize the likelihood of unacceptable risks, particularly those caused by other individuals (some perhaps acting remotely, outside of local jurisdiction). Ideally, those controls must not be intrusive. If acceptable controls cannot be implemented effectively, and if the risks outweigh the benefits to the populace at large, then the entire concept is flawed and the system should not be deployed. The Social Security Administration has an vital challenge get it right. I believe Congress must play a strong role in overseeing that process. Finally, although this document has focused on PEBES, my testimony is applicable to many other applications in which authentication, authorization, accountability and operational procedures can significantly decrease the risks of misuse.


    [1] Yasmin Anwar, ''Thieves Hit Social Security Numbers; Fouled-Up Benefits and Credits'', San Francisco Chronicle, 30 August 1991, A1. The entire copyrighted article is in the on-line RISKS, vol 12, no 20, on the same date, reprinted with permission.
    [2] Simson L. Garfinkel, Social Insecurity: Few key bits of info open Social Security records, USA Today, 7 April 1997. The entire copyrighted article is in the on-line Risks Forum, vol 19, no 5, 7 April 1997 (ftp://ftp.sri.com/risks/risks-19.05 and http://catless.ncl.ac.uk/Risks/19.05.html), reprinted with permission.
 Page 168       PREV PAGE       TOP OF DOC
    [3] Ramon G. McLeod, ''New Thieves Prey on Your Very Name; Identity bandits can wreak credit havoc'', San Francisco Chronicle, 7 April 1997, A1.
    [4] Peter G. Neumann, Security Risks in the Emerging Infrastructure, Written testimony for the U.S. Senate Permanent Subcommittee on Investigations of the Senate Committee on Governmental Affairs, 25 June 1996. See Security in Cyberspace, Hearings, S. Hrg. 104–701, 1996, pages 350–363, with oral testimony included on pages 106–111. ISBN 0–16–053913–7. (http://www.csl.sri.com/neumannSenate.html)
    [5] Peter G. Neumann, Computer-Related Risks, Addison-Wesley, 1995. ISBN 0–201–55805-X. (See http://www.csl.sri.com/neumann.html for a few errata.) This book should be read by everyone who is not yet convinced that computer-communication systems and the people who use them do not always behave the way they are expected to.
    [6] Cryptography's Role In Securing the Information Society (a.k.a. the CRISIS report), Final Report of the National Research Council Cryptographic Policy Study Committee, National Academy Press, 2101 Constitution Ave., Washington, D.C. 20418, 1996.

Note: http://www.csl.sri.com/risko/risks.txt gives the latest issue of the ACM Risks Forum (including subscription information); back issues are at http://catless.ncl.ac.uk/Risks (with a search engine) and ftp://ftp.sri.com/risks (/i for vol i less than 19).

(Footnote 1 return)
Information Security: Computer Attacks at Department of Defense Pose Increasing Risks (GAO/AIMD–96–84, and GAO/T–AIMD–96–92, May 22, 1996) and Information Security: Computer Hacker Information Available on the Internet (GAO/T–AIMD–96–108, June 5, 1996).

(Footnote 2 return)
Public laws 101–239 (Dec. 19, 1989) and 101–508 (Nov. 5, 1990).

(Footnote 3 return)
Besides the age requirement, eligibility entails having a Social Security number, having wages or net earnings from self-employment, not presently receiving Social Security benefits, and having a current address obtainable by SSA.

(Footnote 4 return)
See SSA Benefit Statements: Well Received by the Public but Difficult to Comprehend (GAO/HEHS–97–19, Dec. 5, 1996).

(Footnote 5 return)
Business Plan, Fiscal Years 1997–2001, SSA publication no. 01–008, April 1996.

(Footnote 6 return)
The World Wide Web (www), as its name implies, is a vast collection of interconnected computers spanning the world. A web site refers to any computer on the web, and its particular web address. SSA's web site, then, is the location at which its PEBES data can be found.

(Footnote 7 return)
These projects are described briefly in SSA publication no. 01–008, April 1996.

(Footnote 8 return)
The term hacker refers to any individual who, though unauthorized, attempts to penetrate a computer information system; browse, steal, or modify data; deny access or service to others; or cause damage or harm in some other way.

(Footnote 9 return)
See GAO/AIMD–96–84 and GAO/T–AIMD–96–92, May 22, 1996; and GAO/T–AIMD–96–108, June 5, 1996.

(Footnote 10 return)
Testimony of Richard Pethia, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, before the Permanent Subcommittee on Investigations, Committee on Governmental Affairs, United States Senate, June 5, 1996.

(Footnote 11 return)
High-Risk Series: Information Management and Technology (GAO/HR–97–9, February 1997).

(Footnote 12 return)
CommerceNet is an industry consortium dedicated to accelerating the growth of the Internet and creating business opportunities for its members.

(Footnote 13 return)
Four laws are cited: 42 USC 408 (misuse of Social Security number), 5 USC 552(a) (Privacy Act), 18 USC 1030 (misuse of computer), and 18 USC 1001 (false statements or entries). Penalties range from fines with maximums of $5000 or $10,000, and jail terms up to 10 years.

(Footnote 14 return)
Social Security Administration: Internet Access to Personal Earnings and Benefits Information (GAO/T–AIMD/HEHS–97–123, May 6, 1997).

(Footnote 15 return)
Randomness and the Netscape Browser, Ian Goldberg and David Wagner, Dr. Dobbs' Journal, January 1996.

(Footnote 16 return)
An Introduction to Computer Security: The NIST Handbook, National Institute of Standards and Technology, Special Publication 800–12.

(Footnote 17 return)
Information Security: Opportunities for Improved OMB Oversight of Agency Practices (GAO/AIMD–96–110, Sept. 24, 1996).

(Footnote 18 return)
High-Risk Series: Information Management and Technology (GAO/HR–97–9, Feb. 1997).

(Footnote 19 return)
Information Security: Computer Attacks at Department of Defense Pose Increasing Risks (GAO/AIMD–96–84, May 22, 1996).

(Footnote 20 return)
To our knowledge, no investigations were compromised. On February 22, 1993, the two defendants were sentenced to 5 years' probation, $30,000 restitution (joint and several), and 250 hours community service. As a condition of probation, both hackers are restricted from owning or using a computer without permission from the probation officer.

(Footnote 21 return)
One of the two was sentenced to incarceration of 15 months, and 36 months probation, while the other was sentenced to 60 months probation. Restitution was ordered jointly in the amount of $32,000.

(Footnote 22 return)
One of them received a sentence of 51 months of incarceration and three years supervised release for these crimes alone. The other received a sentence of 41 months, three years of supervised release, and restitution of $40,000, for commission of these and other crimes. See United States v. Peterson, 98 F.3d 502, 504 (9th Cir. 1996) (upholding two-level enhancement under Sentencing Guidelines for use of special skill to facilitate crimes, including crime described in text).

(Footnote 23 return)
National Gambling Impact Study Commission Act § 4(a)(2)(F), 18 U.S.C.A. § 1954 note (West Supp. 1997).