This is the accessible text file for GAO report number GAO-03-920 entitled 'Social Security Numbers: Improved SSN Verification and Exchange of States' Driver Records Would Enhance Identity Verification' which was released on September 15, 2003. This text file was formatted by the U.S. General Accounting Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to Congressional Requesters: United States General Accounting Office: GAO: September 2003: Social Security Numbers: Improved SSN Verification and Exchange of States' Driver Records Would Enhance Identity Verification: GAO-03-920: GAO Highlights: Highlights of GAO-03-920, a report to the Committee on the Judiciary and the Subcommittee on Social Security, Committee on Ways and Means, House of Representatives Why GAO Did This Study: Since September 11, 2001, more attention has been focused on the importance of identifying people who use false identity information or documents to obtain a driver license. The Social Security Administration (SSA) offers states a service to verify social security numbers (SSNs) collected during the driver licensing process. This report examines states’ use of SSA’s verification service, factors that may affect the usefulness of the service, and other tools states use or need to verify identity. What GAO Found: GAO found that 25 states have used either one or both of the methods SSA offers for requesting SSN verification. Over the last several years, states used the batch and on-line method to submit over 84 million and 13 million requests, respectively. Although on-line use has been increasing, usage varied significantly among states, with 5 out of 18 states submitting over 70 percent of all requests. States decide to use SSA’s service based on various factors, such as costs and state priorities. Weaknesses in SSA’s design and management of its SSN verification service have contributed to capacity and performance problems and limited its usefulness. While SSA recently increased systems capacity and reduced outages, problems remain. For example: * The level of service cannot be assessed because SSA has not established key performance measures. * States are concerned that the high verification failure rate adds to their workloads. Several states noted that some of the failures could be prevented if SSA disclosed more information to states. * States using the batch method are vulnerable to licensing individuals using SSNs of deceased persons because SSA does not match requests against its death files. In fact, GAO obtained licenses using fraudulent documents and deceased persons’ SSNs in 2 states. Driver licensing agencies rely primarily on visual inspection of documents such as birth certificates, driver licenses, and U.S. immigration documents to verify applicants’ identity. While states may use safeguards beyond visual inspection to verify documents, they lack the ability to systematically exchange identity information on all drivers with other states. Without a means to readily share all driver records, states face a greater risk for identity theft and fraud in the driver licensing process. A recent Department of Transportation report to Congress identified options that would provide states a system for exchanging records on all drivers and could help mitigate identity fraud. What GAO Recommends: GAO recommends that SSA develop performance measures to assess the quality of its service, develop a strategy to decrease the verification failure rate, and modify its batch method to match requests against death records. SSA disagreed on developing performance measures for this purpose but agreed it should develop a strategy for improving the verification rate and begin matching batch requests against death records. However, SSA stated that limits in law and systems priorities could restrict the actions it could take. Given the homeland security implications associated with states’ inability to exchange information on all drivers, GAO recommends that the Congress, in partnership with the states, consider authorizing the development of a national data sharing system. www.gao.gov/cgi-bin/getrpt?GAO-03-920. To view the full product, including the scope and methodology, click on the link above. For more information, contact Barbara Bovbjerg at (202) 512-7215 or bovbjergb@gao.gov. [End of section] Contents: Letter: Results in Brief: Background: Twenty-five States Have Used SSA's Verification Service: Weaknesses in SSA's Design and Management of the SSN Verification Service Has Limited Its Usefulness: States May Use Safeguards Beyond Visual Inspection of Identity Documents, but Lack a Systematic Means to Share All Driver Records: Conclusion: Matter for Congressional Consideration: Recommendations: Agency Comments and Our Evaluation: Appendix I: Scope and Methodology: Appendix II: Comments from the Social Security Administration: Appendix III: GAO Contacts and Staff Acknowledgments: GAO Contacts: Staff Acknowledgments: Related GAO Products: Figures: Figure 1: States Using SSA's Verification Services through March 2003: Figure 2: SSA's On-line Transactions, Fiscal Years 1998-2002: Figure 3: Distribution of On-line Verification Requests, Fiscal Years 1998-2002: Abbreviations: AAMVA: American Association of Motor Vehicle Administrators: CDLIS: Commercial Drivers Licensing Information System: DHS: Department of Homeland Security: DOT: Department of Transportation: NDR: National Driver Register: NHTSA: National Highway Traffic Safety Administration: SSA: Social Security Administration: SSN: social security number: United States General Accounting Office: Washington, DC 20548: September 15, 2003: The Honorable F. James Sensenbrenner, Jr. Chairman Committee on the Judiciary House of Representatives: The Honorable E. Clay Shaw, Jr. Chairman Subcommittee on Social Security Committee on Ways and Means House of Representatives: The events of September 11, 2001, focused attention on the importance of identifying people who use false identity information or documents, particularly in the driver licensing process. Driver licenses are a widely accepted form of identification that individuals frequently use to obtain services or benefits from federal and state agencies, open a bank account, request credit, board an airplane, and carry on other important activities of daily living. For this reason, driver licensing agencies are points at which individuals may attempt to fraudulently obtain a license using a false name, social security number (SSN), or other documents such as birth certificates to secure this key credential. Accordingly, states face increasing pressure to verify the identity information of individuals to whom they issue licenses. As the agency responsible for issuing SSNs, the Social Security Administration (SSA) is uniquely positioned to help states verify the identity information provided by applicants. To this end, SSA has a verification service in place that allows state driver licensing agencies to verify the SSN, name, and date of birth of customers with SSA's master file of SSN owners. States can transmit requests for SSN verification in two ways. One is by sending multiple requests together, called the "batch" method, to which SSA generally responds within 24 to 48 hours. The other way is to send an individual request on-line, to which SSA responds immediately. To shed light on states' practices for verifying the identity information of driver license applicants, you asked us to examine: (1) the extent to which states use SSA's services to verify the SSNs of driver license applicants, (2) factors that may affect the usefulness of SSA's verification service, and (3) other tools states use or need to verify the identity of driver license applicants. To conduct our work, we reviewed federal requirements governing SSN use in the driver licensing process, SSA's policies for disclosing information to licensing agencies, information on the operation of SSA's verification service, and national data on states' use of the service. We interviewed key SSA headquarters managers and staff responsible for the design and oversight of the verification service, as well as American Association of Motor Vehicle Administrators (AAMVA) officials responsible for co-managing the on-line verification method with SSA.[Footnote 1] To develop in-depth information on specific states' identity verification practices, we obtained data and interviewed officials from California, Florida, Georgia, Maine, Maryland, Massachusetts, Ohio, Pennsylvania, and Tennessee. These states represent a range of identity verification policies and practices. We also telephoned or visited the states that did not use SSA's service to obtain general information about their identity verification policies and practices. Finally, we analyzed SSA and state driver licensing agency data to identify instances of potential identity fraud involving (1) individuals who used the name and SSN of deceased persons and (2) individuals who used fraudulent out-of-state licenses. We conducted our work from July 2002 through May 2003 in accordance with generally accepted government auditing standards. For additional details on our audit approach, see appendix I. Results in Brief: Twenty-five states have used the batch or on-line method to verify SSNs with SSA, and the extent to which they regularly use the service varies. About three-fourths of the states that rely on SSA's verification service used the on-line method or a combination of the on-line and batch method, while the remaining states used the batch method exclusively. Over the last several years, states estimated submitting over 84 million SSN verification requests to SSA using the batch method compared with 13 million requests submitted using the on- line method. States generally use the batch method for a short-term period to verify SSNs in their existing records, while states are more likely to use the on-line service on a continuous basis. States' use of SSA's on-line service has increased steadily over the last several years. However, the extent of use has varied significantly, with 5 states submitting over 70 percent of all on-line verification requests and one state submitting about one-third of the total. States consider various factors in deciding whether to use SSA's verification service. For example, some states that did not use SSA's service told us they were reluctant to do so based on performance problems they had heard were encountered by other states, such as frequent outages and slowness of the on-line system. States' use of SSA's service is also driven by internal policies, priorities, and other concerns. For example, some states may limit their use to certain targeted populations, such as where fraud is suspected or for initial licenses, but not for renewals of in-state licenses. Weaknesses in SSA's design and management of its SSN on-line verification service have contributed to capacity and performance problems. SSA recently took steps to increase system capacity and to give more management attention to the service; however, problems remain. In designing the service, SSA used an available infrastructure to set up the system and encountered capacity problems, which worsened after the pilot phase. AAMVA's data show that, in 1999, the on-line system experienced an average of three major outages per month, increasing to an average of five per month in 2000. The capacity problems inherent in the design of the on-line system have affected states' use of SSA's verification service. For example, officials in one state told us that they have been forced to scale back their use of the system because they were told by SSA that their volume of transactions was overloading the system. SSA officials acknowledged problems stemming from the design and management of the on-line service and have made some necessary improvements. For example, in April 2003, SSA completed an upgrade to increase capacity and improve response times. SSA has also designated a project manager to oversee the day-to- day management of the service. However, at the time of our review, SSA still had not established key goals for the level of service it will provide to driver licensing agencies. SSA has also not addressed problems regarding the high nonmatch rate and some states' continued vulnerability to fraud associated with the use of SSNs of deceased individuals by driver license applicants. These issues may affect states' willingness to use the service and may also expose them to a higher risk of fraud. Our own investigators were able to obtain licenses in two states using a counterfeit out-of-state license and other fraudulent documents and the SSNs of deceased persons. While states may use safeguards beyond visual inspection to verify documents, states lack the ability to systematically exchange identity information on all drivers with other states. Driver licensing agencies rely primarily on visual inspection of documents such as birth certificates, driver licenses, and immigration documents to verify applicants' identity. For example, driver licensing employees look for security features or other characteristics that indicate authenticity. States may employ more extensive measures to verify identity information. For example, states may use independent data sources to corroborate applicants' identity information and computer systems to identify potential instances of identity fraud within their respective driver records and to prevent licensing when key identity information is questionable. Despite these extra measures, however, states remain vulnerable to identity fraud because they lack a systematic means to exchange information on all drivers. States' current means to exchange driver information is limited to records for commercial drivers and individuals who have lost their driving privileges. Our analysis in one state showed that licensing agencies might unknowingly accept false out-of-state licenses as valid identity documents. However, a joint federal and AAMVA study recently identified options that if implemented would provide states an exchange system for all driver records and could help mitigate the vulnerabilities that exist across states. This report includes recommendations for SSA to improve the management of its SSN verification service to make it more useful to driver licensing agencies. SSA generally agreed with our findings regarding its SSN verification service and commented that recent improvements have increased states' use of the service. SSA also noted that its service only confirms individuals' SSN information and is not a means for verifying their identity. In response to our specific recommendations, SSA did not agree that it should develop measures for assessing the quality of its SSN on-line verification service because the agency did not believe that it would result in improved identity authentication. SSA agreed with our recommendations that it develop a strategy for improving the nonmatch rate and that it modify the batch process to include a match against its death records. However, the agency said that factors such as legal restrictions and limited systems resources could restrict the actions it can take. We are also presenting a matter for congressional consideration that the Congress, in partnership with the states, authorize the development of a national data sharing system for all driver records. Background: Driver licenses have become widely accepted identity documents because they generally include features that make them difficult to counterfeit or alter and may contain identifying information such as the licensees' legal name, photograph, physical description, and signature. Currently, about 188 million drivers are licensed in the United States, and states issue an additional 73 million licenses and identification cards each year.[Footnote 2] Individuals can apply to obtain licenses at about 3,800 locations across the United States.[Footnote 3] Authority for designing and administering driver licensing programs, as well as for verifying the identity information of licensees, lies with individual states. Accordingly, driver licensing agencies face the challenge of determining whether the identity documents individuals provide (1) are authentic and contain information that agrees with the issuing agency's records and (2) actually belong to the person presenting them. To promote uniformity among driver licensing programs, AAMVA provides states with guidance on documents it recommends as acceptable proof of identity, as well as best practices for verifying the documents. Not surprisingly, the SSN is key to any verification process because each SSN is unique to its owner.[Footnote 4] In February 2002, we reported that 45 states collect SSN information from driver license applicants. [Footnote 5] Individuals obtain SSNs by applying to SSA and providing evidence of their age, identity, and U.S. citizenship or lawful alien status.[Footnote 6] As the agency responsible for assigning SSNs and issuing social security cards, SSA provides a service to the states to verify those numbers. SSA provides two methods for driver licensing agencies to verify SSNs: batch and on-line. States use the batch method to submit an aggregate group of SSN requests directly to SSA, and SSA generally responds within 24 to 48 hours. Those states using the on-line method submit individual SSN requests and receive immediate "real time" responses from SSA. On-line users transmit and receive information to and from SSA through a network maintained by AAMVA. SSA charges states a fee to cover its costs (basically system processing and personnel) for providing this service. Batch users pay $0.0015 per transaction while on-line users are charged $0.03 per transaction. For fiscal year 2002, the total billings for batch and on-line users were about $39,000 and $193,000, respectively. SSA collects payments directly from the batch users, while it bills and collects payments from the on-line users through AAMVA. SSA followed Privacy Act[Footnote 7] requirements in deciding what information it would disclose to driver licensing agencies. Under its current disclosure policy, if the SSN, name, and date of birth submitted to SSA by a driver licensing agency match SSA's records, SSA will verify the match to the state driver licensing agency. If one or more elements do not match, SSA will inform the agency of the nonmatch but will not disclose further information. match only establishes that the information agrees with SSA's records and is not proof that the individual using the SSN is the person to whom SSA assigned the number. Beyond SSA's verification service, the federal government plays a role in several other key areas of states' driver licensing programs. For example, within the Department of Transportation (DOT), the National Highway Traffic Safety Administration (NHTSA) operates the National Driver Register (NDR), a national database containing identity information on 39 million problem drivers that states are required to use when making licensing decisions.[Footnote 8] Also, to remove unsafe commercial drivers from the highways, the federal government established the Commercial Drivers License Information System (CDLIS), a nationwide database of 11 million records that states must use to exchange information on applicants who may hold commercial licenses in other states or have driving infractions that make them ineligible for licensing.[Footnote 9] DOT, the federal agency charged with establishing the CDLIS database, contracts with AAMVA to operate it. The federal government also provides grants to help states improve their highway safety programs. Furthermore, states' receipt of federal funds for their state child support enforcement programs are contingent on the collection of individuals' SSNs during the driver licensing process. This provision enables licensing agencies to assist states in locating and obtaining child support payments from noncustodial parents. Twenty-five States Have Used SSA's Verification Service: Twenty-five states have used either the batch or on-line verification method and the extent to which they regularly use the on-line service varies.[Footnote 10] States that used the batch method generally use it for a short period then switch to the on-line process exclusively. Although states' use of SSA's on-line service has increased steadily over the last several years, 5 states submitted over 70 percent of all on-line verification requests. Factors such as cost, system performance, and individual state priorities play a role in determining whether states opt to use SSA's verification service and the frequency in which it is used. Twenty-five States Have Used the Batch or On-line Methods: As of March 2003, driver licensing agencies in 25 states have used the batch or on-line method to verify SSNs with SSA. States generally use the batch method for a short-term period, but states are more likely to use the on-line service on a continuous basis. About three-fourths of the states that rely on SSA's verification service used the on-line method or a combination of the on-line and batch method, while the remaining states used the batch method exclusively. (See fig. 1.) Over the last several years, states estimated submitting over 84 million requests to SSA using the batch method.[Footnote 11] Similarly, states submitted a total of 13 million requests using the on-line method. Two- thirds of these on-line requests were submitted in the last 2 fiscal years.[Footnote 12] Figure 1: States Using SSA's Verification Services through March 2003: [See PDF for image] [End of figure] SSA officials told us that the batch method offers advantages in circumstances where a real-time verification response is unnecessary. For example, some states have used the batch method to "clean-up" SSNs in their existing records and address any discrepancies prior to the license coming due for renewal at a later date. A number of states that have used the batch method in this manner subsequently used the on-line method exclusively. For example, one state that used the batch method in 2001 to verify over 8.3 million existing records has since used the on-line method exclusively. SSA officials noted that only one state currently uses the batch method on a continuous basis to verify SSNs for all of its customers. For states that issue permanent licenses on the spot, the on-line service also offers an advantage, namely, the ability to instantly verify the SSN and other key information submitted by individuals seeking initial licenses, as well as those converting out-of-state licenses. Between fiscal years 1998 and 2002, the number of states participating in SSA's on-line service grew by about 3 states each year. As shown in figure 2, the volume of on-line verification requests processed by SSA has also increased significantly from 300,000 in fiscal year 1998 to 5.5 million in fiscal year 2002. Figure 2: SSA's On-line Transactions, Fiscal Years 1998-2002: [See PDF for image] [End of figure] Extent of States' Use of the On-line Verification Method Varied: Although the volume of on-line requests grew between 1998 and 2002, usage varied significantly among states and within individual states from year to year. As shown in figure 3, 5 states accounted for over 70 percent of the total transactions over a 5-year period, and a single state was responsible for submitting about one-third of the total transactions. In addition, in some states, the use of the on-line service varied from year to year. For example, one state sent in about 250,000 requests in 1 year and about half that number the following year. Figure 3: Distribution of On-line Verification Requests, Fiscal Years 1998-2002: [See PDF for image] [End of figure] States Weigh Considerations in Deciding to Use SSA's Verification Service: Various factors--such as costs, performance problems, and state priorities--may affect states' decisions about whether or not to use SSA's verification service. The nonverifying states we contacted frequently cited cost as a reason why they did not use SSA's verification service. In addition to the per-transaction fees that SSA charges, states may incur additional costs to set up and use SSA's service, including the cost for computer programming, equipment, staffing, training, and so forth. State estimates associated with establishing an on-line SSN verification process with SSA varied considerably based on factors such as the system modifications they planned to make. For example, one state we contacted estimated that it would cost approximately $770,000 to implement the on-line service. Another state estimated that using the on-line service would have a start-up cost of about $230,000. Many nonverifying states we contacted expressed a reluctance to use SSA's verification service based on performance problems they had heard were encountered by other states. Some states cited concerns about frequent outages and slowness of the on-line system. Other states mentioned that the extra time to verify and resolve SSN problems could increase customer waiting times because a driver license would not be issued until verification was complete. States' decisions about whether to use SSA's service, or the extent to which to use it, are also driven by internal policies, priorities, and other concerns. For example, some of the states we visited have policies requiring their driving licensing agencies to verify all customers' SSNs. Officials in one of these states acknowledged that the growing prevalence of identity theft and the events of September 11, 2001, directly affected their decision to begin using SSA's service. Conversely, another state we visited that had submitted only 51 transactions over a 3-year period told us that it was delaying full use of SSA's service until spring 2003 to coincide with the roll-out of its new driver-license issuance system. Finally, we found that states may limit their use of the on-line method to certain targeted populations. For example, one state reported that its policy was to use the on-line method only if fraud was suspected, while another used the service only for initial licenses and out-of-state conversions, but not for renewals of in-state licenses. Weaknesses in SSA's Design and Management of the SSN Verification Service Has Limited Its Usefulness: Weaknesses in the design and management of SSA's on-line verification service have contributed to capacity and performance problems and ultimately limited its usefulness. SSA recently took steps to increase systems capacity and to give more management attention to the service; however, problems remain. In designing the system, SSA used an available infrastructure and encountered capacity problems early on. Although the problems worsened after the pilot phase, SSA did not monitor or modify the system to improve its performance. Beyond system design problems, SSA's day-to-day management of the service has also been problematic. This lack of management attention to the service is evidenced by the fact that SSA has failed to bill and collect in a timely fashion more than $370,000 from AAMVA over the last several years. SSA officials have taken some steps to address system capacity problems, but the agency still lacks key performance goals for the on- line service. Despite an increased focus on daily management and oversight of the service, SSA still has not addressed other problem areas such as a high nonmatch rate or states' vulnerability to fraud associated with individuals who use the SSNs of deceased individuals to obtain licenses. These issues may affect states' willingness to use the service and expose them to a higher risk of fraud. The Design and Management of the On-line System Contributed to Capacity and Performance Problems: Weaknesses in the design and management of SSA's on-line system have contributed to capacity and performance problems. In designing the system, SSA connected its server to AAMVA's network, to which driver licensing agencies across the country were linked.[Footnote 13] SSA connected the two systems using a low-speed data communication line. In 1997, SSA piloted the on-line service with three states participating. A joint SSA and AAMVA evaluation of the pilot estimated that the on- line service could verify 43,200 requests in a 12-hour period or 12.5 million per year. It was also estimated that states would submit 7.7 million requests in 1998. While the system experienced some problems during the pilot--such as slow response times and outages--SSA expressed confidence that its system would be sufficient to handle all requests. SSA acknowledged that only limited capacity testing was done. However, SSA planned to monitor the system's performance as needed to ensure it could meet states' needs. Following the pilot phase, problems worsened as more states began using SSA's service. AAMVA's data show that in 1999 the system experienced an average of three major outages per month, increasing to an average of five per month in 2000. More recent AAMVA data showed that from August 2002 through March 2003, outages continued to occur frequently and lasted from about 30 minutes to as long as 1 day. Such outages can affect customer service because employees in one state told us that when the service is down, they cannot process customers' transactions. However, because SSA did not collect or monitor performance data on response times and outages, SSA did not know the magnitude or specifics of the problem. The capacity problems inherent in the design of the on-line system have affected states' use of SSA's verification service. Officials in one state told us that they have been forced to scale back their use of the system because they were told by SSA that the volume of transactions was overloading the system. In addition, AAMVA representatives told us that because of concerns about performance and reliability, they have not allowed new states to use the service since the summer of 2002. At the time of our review, 10 states had signed agreements with SSA and were waiting to use the on-line system, and 17 states had received funds from DOT for the purpose of verifying SSNs with SSA.[Footnote 14] It is uncertain how many of the 17 states will ultimately opt to use SSA's on-line service. However, even if they signed agreements with SSA today, they may not be able to use the service until the backlog of waiting states is addressed. In addition to design weaknesses, SSA did not sufficiently focus on the management of its service. In particular, SSA previously lacked a designated person to oversee the day-to-day operations of the service and to coordinate with AAMVA on various management issues. As a result, AAMVA lacked a focal point within SSA to resolve persistent performance problems that arose with the system. AAMVA officials told us they would start by calling SSA's general help desk, as directed by SSA, but would end up calling several different components within the agency. This situation impeded the timely and effective resolution of problems necessary to meet states' verification needs. SSA's lack of management attention to the service is also evidenced by the fact that the agency failed to timely bill and collect fees from AAMVA over the last several years. Each year SSA is required to reach agreement with AAMVA on the per transaction cost of its service. However, for several years SSA and AAMVA have not done this. Under the agreement, SSA is also required to send AAMVA a final billing each year based on the number of transactions processed. SSA billed and collected payments from AAMVA for the first 2 fiscal years--1997 and 1998. However, between fiscal years 1999 and 2002, SSA failed to bill and collect more than $370,000 it calculated as being due from AAMVA. SSA and AAMVA officials have acknowledged problems stemming from the design and management of the on-line service and have made some necessary improvements. For example, according to SSA, in April 2003 the service began using software that AAMVA recently revised to increase the volume of transactions states could submit and receive through AAMVA's network. About the same time, SSA completed an upgrade of its data communication line and server to enhance its system capacity and response time. SSA officials told us these upgrades should reduce outages and enhance performance. SSA provided us with information showing that in May 2003, 2 states had increased their volume of transmissions and an additional 3 states had begun using the service. SSA plans to add 4 new states that are currently testing the on-line system. AAMVA estimates that 2003 verification requests may increase to 28 million, more than five times the number received in 2002. Despite this projection, however, at the time of our review, SSA still had not established key goals for the level of service it will provide driver licensing agencies. SSA officials told us they are currently monitoring the volume of transactions and response times as new states are added. However, until SSA establishes key goals, the quality and effectiveness of SSA's on-line service cannot be fully assessed. More recently, SSA also designated a project manager responsible for overseeing the day-to-day operation of its service, as well as an individual responsible for the billing and collection of AAMVA payments. At the time of our review, SSA had collected $330,000 from AAMVA for fiscal years 1999-2002.[Footnote 15] SSA officials told us that they are in the process of updating the cost estimates and payments for fiscal year 2003. SSA Has Not Focused on Other Key Weaknesses in the Service It Provides States: Despite SSA's recent efforts to focus more management attention on its verification service, problems regarding the high nonmatch rate and states' continued vulnerability to fraud associated with the use of SSNs of deceased individuals by driver license applicants remain. These problems pose a concern for states because of the additional workloads associated with resolving discrepancies between SSA and states' driver records as well as the potential for identity theft. SSA's data over the last 5 years show that an average of 11 percent of all transactions submitted by states failed to verify with SSA's records. Some states have experienced nonmatch rates as high as 30 percent. In fiscal year 2002, about 800,000 records failed verification. Generally, about one- half of these failed because the name submitted with the SSN did not match the name in SSA's records. Such mismatches may occur, for example, if a person's SSN record lists a maiden name, but the person is applying for a license under a married name. The states and AAMVA have voiced their concerns to SSA about the need for additional disclosure of information. In a May 2001 letter to one state, SSA's Acting Deputy Commissioner specified the agency's disclosure policy for driver licensing agencies and stated that SSA closely scrutinizes requests involving SSN use for purposes not related to the Social Security program. In doing so, SSA has decided to provide its verification service in a limited manner by informing driver licensing agencies which data elements match or do not match. State concerns about the potential workloads associated with resolving nonmatch issues may affect their willingness to fully use SSA's service. Officials in one state told us that a planned start up of the on-line service may be delayed due to concerns about the high nonmatch rate they have experienced using SSA's batch service. Officials in another state indicated that they have not done a batch clean up of their existing databases because they are unable to devote the additional funding and staff resources to address nonverification issues. SSA officials told us that they are aware of states' concerns and have recently begun discussions to address disclosure issues with the states. In reviewing SSA's verification service, we also identified a key weakness in the batch method that exposes states to a higher risk of fraud by allowing them to inadvertently issue licenses to individuals using the SSNs of deceased individuals. Unlike the on-line service, SSA does not match batch requests against its death records. As a result, the batch method will not identify and prevent the issuance of a license in cases where an SSN of a deceased individual is being used. SSA officials told us that they initially developed the batch method several years ago, and they did not design the system to match SSNs against its death files. However, a death match was built into the on- line system. At the time of our review, SSA acknowledged that it had not explicitly informed states about the limitation of the batch service. Our own analysis of 1 month of SSN transactions submitted to SSA by one state using the batch method identified at least 44 cases in which individuals used the SSN, name, and date of birth of persons listed as deceased in SSA's records to obtain a license or an identification card.[Footnote 16] We forwarded this information to state investigators who quickly confirmed that licenses or identification cards had been issued in 41 cases and were continuing to investigate the others. To further assess states' vulnerability in this area, our own investigators, working in an undercover capacity, were able to obtain licenses in two batch states using a counterfeit out-of-state license and other fraudulent documents and the SSNs of deceased persons. In both states, driver licensing employees accepted the documents we submitted as valid. Our investigators completed the transactions in one state and left with the new valid license.[Footnote 17] In the second state, the new permanent license arrived by mail within weeks. The ease in which they were able to obtain these licenses confirmed states' vulnerability to accepting fraudulent documents, and for those states that use SSA's batch process, to issuing licenses to individuals using SSNs of deceased individuals. SSA officials have told us that the agency has not made a decision about whether the current batch system will be modified to include a death match. Our field work shows that licensing officials in states that use or have used the batch process were often unaware that SSA did not match SSNs against its death records. As a result, these states lacked information that they could have used to make more informed decisions in choosing either the batch or on-line method or to seek alternative strategies to avoid issuing licenses to individuals using SSNs of deceased persons. Moreover, states that have used the batch method in prior years to clean up their records and to verify the SSNs of millions of driver license holders, may have also unwittingly left themselves open to identity theft and fraud. States May Use Safeguards Beyond Visual Inspection of Identity Documents, but Lack a Systematic Means to Share All Driver Records: States may use tools beyond visual inspection to verify documents, but lack the ability to systematically exchange identity information on all drivers with other states. Although driver licensing agencies rely primarily on visual inspection of documents to verify applicants' identity information, states may employ more extensive measures such as using independent sources to corroborate applicants' identity information. Despite the extra measures, states remain vulnerable to identity fraud because they lack a systematic means to exchange information on all drivers. As a result, states may unknowingly accept false out-of-state licenses as valid identity documents or license individuals who use the identity information of others. Visual Inspection of Documents Is a Primary Practice for Verifying Identity: In the states we visited, driver-licensing agencies rely primarily on visual inspection to determine the authenticity of documents provided by applicants. As proof of identity, applicants must present one or more state-approved documents that are generally inspected by staff. Applicants may present a variety of documents, such as a social security card, a U.S. birth certificate, a driver license from another state, or passport. For noncitizen applicants, staff also review a myriad of passports and U.S. immigration documents. In reviewing identity documents, staff look for security features such as watermarks and raised seals that are difficult to counterfeit and are designed to reveal evidence of tampering. They also inspect documents for other indications of authenticity such as signs of appropriate aging. If employees are unsure if a particular document is authentic or if it actually belongs to the applicant, they may use interviewing techniques to ensure that the individual can corroborate key information. In the states we visited, staff responsible for processing driver license applications generally received some training and basic assistance to support the visual inspection. For example, all of the states provided training to help employees distinguish between authentic and fraudulent documents. This generally occurred once or twice a year and was sometimes presented as part of a larger training module covering other policies and procedures of the agencies. In addition to training, office managers and supervisors with more experience in detecting false documents were available on site to help with the visual inspection if needed. In several states, supervisors and office managers told us that they have directly contacted issuing agencies to determine whether documents, such as birth certificates, were valid. However, this was not routinely done because it can be a time-consuming and labor-intensive process. Nearly every state we visited provided staff with some basic tools to help with the visual inspection, such as reference manuals describing the security features included in various state and federal government issued identity documents. Other tools such as black lights and magnifying glasses were also commonly available to help staff view the security features embedded in certain documents. However, we found that the extent to which staff actually used these tools varied. Despite the training and other measures to aid visual inspection, these approaches are often not enough for employees to make a definitive determination of a document's authenticity. Staff and managers we interviewed frequently expressed concern that the variety of valid state birth certificates, social security cards, out-of-state licenses and immigration documents, made it extremely difficult to catch those that are forged, short of them being obvious fakes.[Footnote 18] They also frequently expressed a need for better access to automated means of verifying these documents. States Employ Additional Safeguards to Verify Identity and Prevent Fraud: Because of the vulnerabilities associated with the visual inspection of documents, states employ more extensive safeguards to better deter and detect identity theft and fraud. These include seeking out independent third-party data sources to corroborate identity information and documents provided by driver license applicants, utilizing computer systems to strengthen the integrity of their licensing process, and using other innovative tools to better verify applicants' identity information and deter fraud. At the time of our review, a number of states we visited were either using or pursuing the use of other tools to electronically verify identity information with issuing agencies and other independent third parties. Officials in several states we visited told us that they wanted access to the Department of Homeland Security (DHS)[Footnote 19] immigration information to verify the identity documents of noncitizen applicants. Further, a state with a large immigrant and noncitizen population had contracted with DHS to routinely authenticate immigration documents and other information relevant to a person's citizenship and immigration status.[Footnote 20] A second state was in the process of negotiating access to these records. Statewide birth and death information was also viewed by state administrators as key to the identity verification process. Accordingly, several of the states we visited have periodically used electronic queries or data matches to access birth or death records. Three of the nine states we visited were pilot-testing or considering the use of private vendors to strengthen their identity verification and fraud detection procedures. These private vendors typically access various information sources, including civil and criminal records, credit information, address information, state driver records, and state birth and death data to help driver licensing agencies corroborate information provided by applicants and correctly issue licenses. At the time of our review, one state was pilot-testing on- line access to a private vendor in a limited number of sites. AAMVA officials did not have national data on the extent to which other states are using innovative third-party verification tools to strengthen the integrity of their licensing procedures. However, they generally noted that such practices are not routinely used to supplement states' primary practice of visually inspecting documents. Several states we visited made extensive use of computer systems to prevent identity theft and fraud. Several states have computer systems capable of screening for multiple individuals in their state with the same or similar identity information. For example, one state's computer system automatically cross-matches first-time applicants' personal information against existing driver records in the database to search for such situations. When states do not have the capability to routinely perform such cross-matches, employees may inadvertently issue licenses to individuals who may be using the identity information of someone the state has previously licensed. Some states' computer systems are designed to prevent the issuance of a license in certain high-risk situations. For example, one state's system terminates the processing of a transaction if identity information does not verify with SSA, or if staff attempt to by-pass this verification step. Staff are also prevented from overriding the system and issuing the license unless an authorized person--generally a higher-level official--intervenes. Similarly, some states had systems that could prevent issuance of a license if an individual's personal information already existed in the states' driver records, or DHS information failed to verify. Further, in cases where fraud is suspected, most states' systems--although not all--are capable of flagging the transaction and automatically transmitting this information to other offices within the state to prevent persons from "shopping" sites once they were denied at the first location. Officials in one state that lacked this protection told us that in cases of suspected fraud, staff relied on manual processes such as telephone calls and e-mails to alert other offices about suspicious individuals and false documents. Finally, to varying degrees, the states we visited have instituted additional controls to better address identity theft and fraud issues. Due to concerns about the quality and integrity of other state licensing systems, three states prohibit or limit the acceptance of out-of-state licenses as a sole or primary identity document. Officials from another state told us that they would not accept such documents from 20 states that they have determined to have less stringent verification processes. A few other states have also instituted policies requiring that two employees review or sign-off on the authenticity of documents provided by applicants before a license can be issued. This separation of responsibilities provides for additional scrutiny of documents and may act as a further check against employee fraud. Another common practice among several states was to copy all identity documents if during the application process, fraud was suspected. This provides the licensing agency with key information for investigating the individual's alleged identity. An official in one state told us that staff are trained to collect and copy identity documents upfront regardless of whether fraud is suspected at the time. All nine states we visited also store and transmit information such as digital photographs and signatures for verification purposes. Two states also captured fingerprints at the time of application, but only one of them used biometric technology to electronically verify this identity information for individuals renewing licenses. Another safeguard used by two states is the issuance of temporary licenses when identity information has not been corroborated at the time of application. Such licenses lack photographs and security features common to permanent licenses or clearly state that they are not valid for identity verification purposes. However, a third state's temporary license looks the same and includes identical information as its permanent license. As a result, this license could continue to be presented as an identity document by individuals even if the circumstances under which it was issued are ultimately determined to be fraudulent. States Lack a Systematic Means to Exchange Records on All Drivers: Despite the additional safeguards taken by some states, licensing agencies lack a systematic means to exchange information on all drivers nationwide, limiting their ability to deter identity theft and fraud. Currently, states have automated access and are required to use the NDR, which is a DOT database of 39 million problem drivers. With this system, licensing agencies have the ability to simultaneously query all 50 states to determine whether an applicant's name appears in the database. For commercial drivers, states obtain information on their licensing, identification, and disqualification from the CDLIS database of 11 million records. States are required to input driver information into CDLIS and to use the system to verify commercial driver record information during the licensing process. Because the NDR and CDLIS target specific driver populations and do not include the records and identity information of the approximately 188 million drivers operating in the United States, state driver licensing agencies lack a single inquiry process to determine whether or not a person has ever been issued a license. Numerous officials in the states we visited told us that having a more efficient means of electronic interstate communications, that included the electronic transfer of identity information such as digital photographs and signatures, would improve the integrity of their licensing process. Officials in the states we visited were particularly concerned about individuals using licenses issued by other states as identity documents and their inability to quickly query all states' databases to corroborate key information. As a result, states are limited in their ability to determine whether other states' identity documents are authentic or to identify multiple individuals using the same personal identifying information in other states. Our analysis of one state's data demonstrates the potential vulnerabilities driver licensing agencies currently face when accepting out-of-state licenses as proof of identity. We examined data from one state's internal state cross-match of its existing driving records and identified numerous instances where the same out-of-state license number had been used by multiple individuals with different names and dates of birth to apply for and obtain a new license. We forwarded about 100 of these license numbers to the alleged issuing state and asked them to provide us with key information on the owner of record. We found 96 cases of potential identity fraud involving 52 of the driver licenses numbers. For example, states reported some license numbers as invalid or as being issued to someone other than the persons that had used them. One state reported back that the license number we submitted to them was actually a zip code, rather than a genuine state- issued license number. Another license was reported by the issuing state to be a valid number that had been counterfeited and used in several states. A July 2001 report to the Congress prepared by DOT in cooperation with AAMVA, identified alternatives to improving state data exchanges and discussed various options for change.[Footnote 21] The specialized nature of NDR and CDLIS does not allow states to verify licenses for all drivers--a means to identify potential identity fraud. However, the report concluded that an alternative system encompassing all driver records could operate efficiently using existing programs developed for CDLIS and on hardware that is currently in use. However, the report also concluded that before such a system could be developed, several potential obstacles should be addressed. These include agreeing on the use of a unique identifier by which to query all state driving records, ensuring that all states participate, defining the role of the federal government, and funding the costs of developing and converting to an all-driver system. The report also acknowledged that state resources for development and implementation would be necessary to cover projected costs, which AAMVA has estimated to be about $78 million over 3 years. However, the report concluded that, once operational, user fees similar to those imposed for CDLIS could be levied by states to cover operational expenses. Conclusion: The driver license is a key identity document that can be used by individuals to obtain a range of public and private services nationwide. Accordingly, state driver license agencies face a daunting task in ensuring that the identity information of those to whom they issue licenses is verified. However, states' effectiveness in this area is often dependent on several factors, including the receipt of timely and accurate identity information from SSA, the extent to which they implement additional identity verification and fraud detection tools, and their ability to quickly and systematically share key driving record information with other state licensing systems. Deficiencies in any of these areas may weaken states' efforts to ensure the integrity of their licensing decisions. Unfortunately, design and management weaknesses associated with SSA's verification service have limited its effectiveness. States that are unable to take full advantage of the service and others that are waiting for the opportunity to use it remain vulnerable to identity theft and fraud. SSA's recent efforts to refocus management attention on improving its service represents a positive step and may be key to moving more state licensing agencies away from processes that rely heavily on fraud-prone visual inspections of identity documents, to one in which information such as an individual's SSN, name, and date of birth can be quickly and independently corroborated. However, sustained attention to improving its service is needed. Furthermore, states that continue to rely primarily or partly on SSA's batch verification service still risk issuing licenses to individuals using the SSNs and other identity information of deceased individuals. This remains a critical flaw in SSA's service and states' efforts to strengthen the integrity of the driver license. Since September 11th, more state driver licensing agencies have begun to reassess their prior view that driver licenses are simply an authorization to operate a motor vehicle and have taken aggressive actions to strengthen the integrity of this important identity document. However, licensing programs remain state-administered and may vary considerably in the tools provided to front-line staff to verify identity information, such as access to automated independent third- party data sources. This has potentially serious consequences for the numerous public and private sector service providers who rely on the driver license as an identity document, but may be unaware that not all states' licenses are equal in terms of the integrity of the identifying information included on them. Beyond the actions taken by individual states, coordination and data sharing is key to addressing many of the factors that allow identity theft and fraud to continue in the driver licensing process. No single state has overarching authority to require information sharing nationwide, define minimum standards for proof of identity, or mandate the development of a systematic means for interstate communication. However, cooperative efforts between the federal government, the states, and AAMVA have identified and facilitated technological options for improving the exchange of driver record data among all states. We recognize that potential barriers related to system's design, funding, privacy rights, and states' willingness to use such a tool have yet to be fully resolved. However, given the potential economic and national security implications associated with identity theft at the point of driver licensing, sustained leadership at the federal level could be the catalyst for needed change. Matter for Congressional Consideration: In light of the homeland security implications associated with states' inability to systematically exchange driver license identity information and the need for sustained leadership in this area, the Congress, in partnership with the states, should consider authorizing the development of a national data sharing system for driver records. Recommendations: Considering the significant increase in the number of on-line requests that SSA anticipates receiving from states, as well as the weaknesses that we identified in SSA's service that may increase states' vulnerability to identity fraud, we recommend that the Commissioner of Social Security take the following actions: * Develop performance measures essential to assessing the quality of the service provided. * Develop a strategy for improving the nonmatch rate for SSA's verification service. This should include identifying additional information it can reasonably and legally disclose to state driver- licensing agencies as well as actions states can take to prevent nonmatches. * Modify SSA's batch verification method to include a match against its nationwide death records. Agency Comments and Our Evaluation: We obtained written comments on a draft of this report from the Commissioner of SSA. SSA's comments are reproduced in appendix II. SSA also provided additional technical comments, which we incorporated in the report as appropriate. We also requested that AAMVA officials review the technical accuracy of our discussion of AAMVA's role in the SSN verification process, as well as our characterization of states' identity verification and fraud prevention activities. We incorporated AAMVA's comments in the report as appropriate. SSA generally agreed with our findings regarding its SSN verification service and said that recent improvements have increased states' use of the service. The agency noted that it is continuing to investigate the sequence of events surrounding our ability to obtain driver licenses with counterfeit documents and the SSNs of deceased individuals. SSA also said that its service only offers confirmation that SSNs and other identity information provided by driver license applicants are consistent with its records and should not be perceived as a means for verifying identity. Also, SSA said that any attempts to reduce the nonmatch rate for its service by relaxing the match criteria would be inconsistent with the need for "tighter match requirements" and increased security in the post 9/11 era. We agree that SSA's service does not allow states to definitively determine the identity of driver license applicants and have made small changes to ensure that our report will not be misinterpreted. However, we continue to believe that the verification service, in combination with other verification tools used by the states, is key to corroborating the identity information presented by driver license applicants. We also are not suggesting that SSA compromise the integrity of its verification service in order to reduce the nonmatch rate. However, our report shows that about half of all verification failures are for name mismatches. Such mismatches are thought to commonly occur due to changes in marital status. We continue to believe that opportunities exist for SSA to work with the states to explore options for addressing this issue and to ultimately improve the overall quality of its service. In response to our specific recommendations, SSA disagreed that it should develop measures for assessing the quality of its SSN on-line verification service. Instead, SSA said that it plans to develop a performance baseline for enumeration accuracy to measure whether applicants were entitled to receive an SSN based on supporting documentation. SSA did not believe that developing performance measures specifically for its verification service would result in improved identity authentication. However, we continue to believe that the verification service, in combination with other tools used by the states, is key to corroborating driver license applicants' identity information. As our report notes, performance concerns and issues often affected the extent to which states used SSA's verification service, or whether they opted to use the service at all. Thus, some states lacked a key tool for corroborating the identity information of driver license applicants. We continue to believe that SSA should develop measures for its service to monitor and assess systems availability, outages, response times and other key aspects of performance. Without such measures, SSA lacks a means to identify performance problems and take corrective actions when needed. SSA agreed with our recommendations that it develop a strategy for improving the nonmatch rate for its service and that it modify the batch process to include a match against its death records. However, the agency said that factors such as legal restrictions on the information it may disclose to states and limited systems resources could restrict the actions it can take. Indeed, we encourage SSA to work within the existing law to develop policies to reduce nonmatches and to better assist states when they occur. Also, in view of states' vulnerability to licensing individuals using deceased persons' SSN information and the volume of batch verification requests submitted to SSA by the states, we believe immediate action is needed. We are sending copies of this report to the Commissioner of SSA and other interested parties. Copies will also be made available to others upon request. In addition, the report will be available at no charge on GAO's Web site at http://www.gao.gov. If you have any questions concerning this report, please call me on (202) 512-7215. The major contributors to this report are listed in appendix III. Barbara D. Bovbjerg Director, Education, Workforce, and Income Security Issues: Signed by Barbara D. Bovbjerg: [End of section] Appendix I: Scope and Methodology: This appendix provides additional details about our analysis of the Social Security Administration's (SSA) verification services and states' practices for verifying the identity of driver license applicants. To attain our objectives, we obtained and reviewed various reports related to the issue of identity verification from state auditors, SSA's Office of Inspector General, and the American Association of Motor Vehicle Administrators (AAMVA). We reviewed federal requirements governing social security number (SSN) use in the driver licensing process, SSA's policies for disclosing identity information to licensing agencies, and numerous verification agreements between SSA and the states. We analyzed nationwide data on states' use of SSA's verification service, including the volume of records submitted, trends in usage, and the rate at which SSNs failed to verify between October 1997 through May 2003.[Footnote 22] We interviewed SSA officials responsible for the SSN verification data with regard to the reliability of the data, and determined the data to be sufficiently reliable for our reporting purposes. We telephoned or visited states that were not using SSA's service to obtain general information about their identity verification practices, as well as their plans for using SSA's service in the future. To obtain more specific information on the design and management of SSA's batch and on-line verification service, we interviewed key SSA line and management officials as well as AAMVA officials responsible for co-managing the on-line service. We also reviewed an SSA/AAMVA evaluation of a pilot of the on-line method. [Footnote 23] To determine batch service states' vulnerability to individuals who may use deceased persons' SSNs to obtain a license, we matched approximately 500,000 batch verification requests submitted by one state for the month of December 2002 against SSA's Master Death file.[Footnote 24] We identified 44 instances in which SSA verified an SSN submitted by the state that matched an SSN in the death record where the death occurred before December 2002. In order to determine whether these individuals actually received a license or identity card, we submitted the 44 cases to the state licensing agency for its review. The state officials confirmed that licenses or identification cards had been issued in 41 cases and are currently reviewing the remaining cases. Because we selected a judgmental sample of cases to review, our findings are not generalizable to the entire state over time or to any other state. To gain more in-depth information on specific challenges states may encounter in their efforts to verify applicant identity documents, as well as their policies and procedures for doing so, we conducted field work in California, Florida, Georgia, Maine, Maryland, Massachusetts, Ohio, Pennsylvania, and Tennessee. At these locations we interviewed key management and line staff and obtained data and documents relative to their verification processes and tools. We selected states that were geographically dispersed to obtain a mix that (1) did, and did not, issue temporary licenses before issuing permanent licenses, and (2) have, and have not, used one or both of SSA's verification services. We also chose some states that had large immigrant populations or were identified as using innovative practices to verify identity. We also interviewed and obtained information from representatives of private businesses that offer commercial services to assist driver licensing agencies in verifying identity information. Finally, to assess states' vulnerability to accepting fraudulent out- of-state driving licenses as an identity document, we used one state's listing representing numerous instances where the same out-of-state license number was used multiple times to obtain a license in another state. We selected about 100 cases where the name and date of birth of the individual were clearly different from one record to the next and submitted about 100 of them to the original issuing states. We obtained information from the states identifying the name and date of birth of the owner of the driver license to determine whether there was possible identification fraud. We conducted internal reliability checks for data received from state driver licensing agencies. Because we selected a judgmental sample of cases to review, our findings are not generalizable. We conducted our work from July 2002 through May 2003 in accordance with generally accepted government auditing standards. [End of section] Appendix II: Comments from the Social Security Administration: SOCIAL SECURITY: The Commissioner August 22, 2003: Ms. Barbara D. Bovbjerg Director, Education, Workforce, and Income Security Issues U.S. General Accounting Office Washington, D.C. 20548: Dear Ms. Bovbjerg: Thank you for the opportunity to review and comment on the draft report "Social Security Numbers (SSN): Improved SSN Verification and Exchange of States' Driver Records Would Enhance Identity Verification" (GAO-03- 920). Our comments on the report are enclosed. If you have any questions, please have your staff contact Laura Bell at (410) 965-2636. Sincerely, Jo Anne B. Barnhart: Signed by Jo Anne B. Barnhart: Enclosure: SOCIAL SECURITY ADMINISTRATION BALTIMORE MD 21235-0001: COMMENTS ON THE GENERAL ACCOUNTING OFFICE (GAO) DRAFT REPORT "SOCIAL SECURITY NUMBERS (SSN): IMPROVED SSN VERIFICATION AND EXCHANGE OF STATES' DRIVER RECORDS WOULD ENHANCE IDENTITY VERIFICATION" (GAO-03- 920): Thank you for the opportunity to review and comment on the draft report. We are pleased that the report highlights our and the American Association of Motor Vehicle Administrators' (AAMVA)[NOTE 1] efforts to improve the system that provides Social Security number online verification (SSOLV) to States in their driver licensing efforts. The enhancements are necessary and timely for a number of reasons, including that prior to April 2003, 18 States (including the District of Columbia) were using the SSOLV service, compared to 30 States that now have agreements to use the service. In researching why SSOLV responses to the States were slow (even though SSA was processing requests in sub-second time frames), it was discovered that AAMVA's processing code was incapable of handling the traffic volume. AAMVA took steps to upgrade its code and it was placed into SSA's production processes in April 2003. To address additional concerns that could emerge on the then current infrastructure, we upgraded the capability of the data connection and supporting server that transmits data between AAMVA and SSA. We are pleased to report that tests of the upgraded system have proved satisfactory to both SSA and AAMVA. Specifically, the data shows that prior to the upgrade, we were processing 15,000 to 20,000 transactions per day, and currently we are processing 30,000 to 40,000 transactions a day. To further promote the States' use of the online verification service, AAMVA plans to begin a renewed campaign to educate the States about the improvements to the process. We also have been meeting with AAMVA and State MVA representatives, to develop systems security requirements that will cover States' use of online SSN verification service under a new data exchange agreement with AAMVA. Concerning the success of agents obtaining a false driver's license, we are investigating the sequence of events with the GAO test cases. On the face of it, it may be that the State employee simply did not attempt to use the service. If the undercover GAO agent left the MVA office with a driver's license, the batch routine interface may not be an issue, as the driver's license personnel may not have used the verification process. Finally, we are concerned that the report and cover letter imply that SSA's SSN verification process verifies identity. Instances may occur when external system users wrongly believe if the forwarded information "matches" our information the person who provided it is the individual to whom the data relates. We believe the report's stated goals are internally inconsistent; that is, looser match routines, to reduce the number of mismatches, necessarily work against the tighter match routines required in the post-9/11 quest for security by State and Federal entities. Additionally, we do not believe that improving the non-match rate will necessarily result in improved identity authentication as anyone who presents a State's MVA with all of the correct data used on the SSN application would produce a match via SSN verification, but still may not be the person to whom the SSN was assigned. It has been our experience that the States and the Federal government are seeking better security, requiring "tighter" routines. The report should be clear that our processes merely confirm whether the forwarded information matches information in our computer records and that a match does not verify identity. Our responses to the specific recommendations are provided below, and we are including technical comments to enhance the accuracy of the report. Recommendation I: SSA should develop performance measures to assess the quality of the SSN verification service. Comment: We do not agree. Beginning with fiscal year (FY) 2003, SSA began collecting data to establish a performance baseline that includes a new verification criterion to determine if the applicant was entitled to receive an SSN based on supporting documentation. This means that the field office verified appropriate records from the Bureau of Citizenship and Immigration Services, Department of Homeland Security, to document foreign born applicants and a birth certificate for U.S. born applicants. This new criterion will be applied to criteria in our existing performance measure for the percent of SSNs issued that are free of critical error effective FY 2004. The addition of this new criterion is expected to result in improved performance on the accuracy of SSN issuance. However, we must emphasize that the accuracy of SSN issuance is entirely different from the quality of SSN verification service to the States for the purpose of enhancing identity verification. It is important that GAO fully understand that SSA's SSN verification process does not verify identity; it verifies that the individual's name and SSN, presented to SSA for verification, matches SSA's records. Because the premise in the report that SSA's SSN verification process verifies identity is incorrect, the recommendation to develop performance measures to assess the quality of SSN verification service would be flawed. As we have stated, developing a performance measure to assess the quality of SSN verification service will not result in improved identity authentication any more than improving the no-match rate will result in improved identity authentication. Recommendation 2: The SSA should develop a strategy for improving the verification rate for the service. Comment: We partially agree. However, we are very limited by law and policy in the types of information that can be disclosed and accessed by motor vehicle agencies. While we can increase the elements to match upon, that may decrease "improve the non-match rate" by yielding more matches, we caution that there is the potential for increased vulnerability to fraud by increasing the number of false positives. Recommendation 3: SSA should modify the batch method to include a match against the nationwide death records. Comment: We agree. However, we must evaluate the resource impact and prioritize this request in our systems development plans. NOTES: [1] AAMVA represents the 50 state's Motor Vehicle Administrators. [End of section] Appendix III: GAO Contacts and Staff Acknowledgments: GAO Contacts: Barbara Bovbjerg, Director, (202) 512-7215 Daniel Bertoni, Assistant Director, (202) 512-5988 Jacquelyn Stewart, Analyst-in-Charge, (202) 512-7232: Staff Acknowledgments: In addition to those named above, the following team members contributed to this report throughout all aspects of its development: Raun Lazier, Caterina Pisciotta, and Dorothy Yee. In addition, Daniel Schwimer, Mary Dorsey, Shana Wallace, Raymond Wessmiller, and Corrina Nicolaou made contributions. [End of section] Related GAO Products: Social Security Numbers: Ensuring the Integrity of the SSN. GAO-03- 941T. Washington, D.C.: July 10, 2003. Social Security Numbers: Government Benefits from SSN Use but Could Provide Better Safeguards. GAO-02-352. Washington, D.C.: May 31, 2002. Social Security Numbers: SSNs Are Widely Used by Government and Could Be Better Protected. GAO-02-691T. Washington, D.C.: April 29, 2002. Child Support Enforcement: Most States Collect Drivers' SSNs and Use Them to Enforce Child Support. GAO-02-239. Washington, D.C.: February 15, 2002. Responses to Questions From May 18th Hearing on Uses of Social Security Numbers. HEHS/AIMD-00-289R. Washington, D.C.: August 21, 2000. Social Security Numbers: Subcommittee Questions Concerning the Use of the Number for Purposes Not Related to Social Security. HEHS/AIMD-00- 253R. Washington, D.C.: July 7, 2000. Social Security: Government and Other Uses of the Social Security Number are Widespread. GAO/T-HEHS-00-120. Washington, D.C.: May 18, 2000. Social Security: Use of the Social Security Number is Widespread. GAO/ T-HEHS-00-111. Washington, D.C.: May 9, 2000. Social Security: Government and Commercial Use of the Social Security Number Is Widespread. GAO/HEHS-99-28. Washington, D.C.: February 16, 1999. FOOTNOTES [1] AAMVA is an association that represents motor vehicle administrators in North America and is a recognized leader in driver credentialing issues. [2] Identification cards are issued for the sole purpose of identifying the owner and generally contain the same information as driver licenses but lack information authorizing the owner to drive. Estimates of the number of licenses and identification cards issued annually were taken from a 2002 survey conducted by the California Department of Motor Vehicles. [3] Estimates of the number of licensing sites nationwide were provided by AAMVA. [4] SSN verification primarily serves to corroborate the identity information submitted by driver license applicants. If the identity document contains a photograph or biometric information, licensing employees may visually inspect or electronically read these data as well as use interviewing techniques to determine if the documents actually belong to the individual presenting them. [5] See U.S. General Accounting Office, Child Support Enforcement: Most States Collect Drivers' SSNs and Use Them to Enforce Child Support, GAO-02-239 (Washington, D.C.: Feb. 15, 2002). [6] All U.S. citizens can be assigned SSNs. SSA will also assign SSNs to noncitizens authorized by the Department of Homeland Security to work in the United States and to noncitizens legally in the country who have a valid nonwork reason. [7] The Privacy Act regulates federal agencies' collection, use, and disclosure of individuals' personal information and generally prohibits disclosure of such information without the individuals' consent. The act authorizes 12 exceptions under which an agency may disclose information. One exception, "routine use," allows an agency to disclose the information if the agency deems the disclosure to be compatible with the purpose for which it collected the information, and the agency gives public notice describing the information it plans to disclose. SSA offers as many as 14 different verification services, each of which is designed for various requesters (e.g., social service agencies, employers, etc.) and may make different disclosures as a result of the verification. [8] Problem drivers are individuals whose driving privileges have been suspended, revoked, or canceled for cause or who have been convicted of certain traffic offenses. [9] States issue commercial driver licenses to individuals involved in interstate, intrastate, or foreign commerce to operate certain types of vehicles such as large trucks and buses. [10] This report uses the word "states" to refer to the 50 states and the District of Columbia. [11] SSA did not provide the actual number of batch transactions. Batch estimates represent data for 1999-2003. [12] On-line verification requests represent data for fiscal years 1998-2002. [13] AAMVA's network serves as the conduit for transmitting verification requests from individual state driver licensing agencies to SSA, as well as receiving verification responses from SSA and transmitting them to individual states. [14] Included in the 10 states that have signed agreements with SSA and the 17 that received DOT funding are 6 batch states. Of the 25 states that received DOT funding, 17 were not online users. [15] According to AAMVA, in May 2003 it paid SSA the remaining amount owed. [16] SSA's death records may contain inaccuracies because SSA records all reports of death but only verifies those involving benefit payments. [17] This state does not use SSA's batch verification process for initial licenses, but only for license renewals. Therefore, the use of the deceased person's SSN will not be caught when the state ultimately verifies it using the batch method. [18] SSA has issued 53 versions of the social security card. Those issued before 1983 lack counterfeit-resistance and tamper proof security features. When issuing new versions of the social security card, SSA allows prior versions to remain valid because issuing new cards to all number holders would be costly. U.S. birth certificates, issued by each of the 50 states and the District of Columbia and in some cases by local government units within the state, vary according to the provisions of the issuing government unit. [19] The former Immigration and Naturalization Service has been transferred to DHS. [20] In some states, noncitizens must document that they have a legal presence in the United States, as well as proof of their identity, as a condition for receiving a license. [21] U.S. Department of Transportation, NHTSA in conjunction with Federal Motor Carrier Safety Administration and American Association of Motor Vehicle Administrators, Report to Congress: Evaluation of Driver Licensing Information Programs and Assessment of Technologies. (July 2001). [22] "States" for the purposes of this report is defined as the 50 states plus the District of Columbia. [23] Evaluation of the Social Security Number Online Verification System for the American Association of Motor Vehicle Administrators, Social Security Administration (Jan. 1998). [24] These transactions include any transaction where an SSN was collected from an applicant (i.e., issuance of licenses, IDs, motor vehicle registration, etc.). SSA maintains a death master file containing about 70 million records of persons who have been reported to the agency as being deceased. SSA only verifies the deaths of persons if it needs to make benefit decisions. The Master Death File for this review was current as of January 31, 2003. GAO's Mission: The General Accounting Office, the investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through the Internet. GAO's Web site ( www.gao.gov ) contains abstracts and full-text files of current reports and testimony and an expanding archive of older products. The Web site features a search engine to help you locate documents using key words and phrases. You can print these documents in their entirety, including charts and other graphics. Each day, GAO issues a list of newly released reports, testimony, and correspondence. GAO posts this list, known as "Today's Reports," on its Web site daily. The list contains links to the full-text document files. To have GAO e-mail this list to you every afternoon, go to www.gao.gov and select "Subscribe to e-mail alerts" under the "Order GAO Products" heading. Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. General Accounting Office 441 G Street NW, Room LM Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov Automated answering system: (800) 424-5454 or (202) 512-7470: Public Affairs: Jeff Nelligan, managing director, NelliganJ@gao.gov (202) 512-4800 U.S. General Accounting Office, 441 G Street NW, Room 7149 Washington, D.C. 20548: