A technology arm of the federal government had lax security on about 1 million online accounts because it rejected using facial recognition technology over “equity” concerns, according to an inspector general’s (IG) report released on Tuesday.
What’s more, the GSA “knowingly billed IAL2 customer agencies over $10 million for services” that were purported to be Level 2 but did not meet federal “standards,” said the IG report, adding that “GSA used misleading language to secure additional funds for Login.gov.”
“As of May 2022, Login.gov had 906,187 users of Login.gov services that GSA purported to be IAL2 (Level 2) but did not comply. Notwithstanding GSA officials’ assertions that Login.gov met [federal] requirements, Login.gov has never included a physical or biometric comparison in production,” the IG report said. “Login.gov officials informed us that biometric comparison was not included in products offered to customer agencies, initially because the feature required testing before implementation and later because they further delayed it due to equity concerns.”
Top leaders with GSA’s technology arm found out that the website didn’t comply with the requirements but still did not “notify customer agencies of the noncompliance,” the IG said.
“The inability to meet IAL2 NIST standards became the topic of discussions among Login.gov leaders and personnel at least as early as 2019, and included concerns that using individuals’ selfies to verify their identity could impact Login.gov’s rejection rates based on physical traits,” the report added, “such as skin color and tone.”
“As the Inspector General rightly reports, this was a serious issue, but one GSA identified and addressed,” Hashmi added. “GSA has also taken significant actions to strengthen the Login.gov program to ensure it better delivers for the needs of our customers and meets high standards of security, equity, and integrity.”
The GSA, according to the report, also obtained $187 million in federal funding after current and former GSA officials argued that the login service “is currently used in production and complies with NIST’s 800-63-3 standard for strong authentication (AAL2) and identity verification (IAL2)” when it wasn’t the case.
In June 2021, then-Technology Transformation Services (TTS) Deputy Commissioner Vladlen Zvenyach said in a Slack message that he would not be taking steps to make the program compliant, according to the report. The reason, he said, is that making it more compliant may have a “discriminatory impact.”
But the report found that “Zvenyach did not notify customer agencies when TTS suspended efforts to implement selfies to meet the NIST biometric comparison requirement,” adding that the GSA kept information from “customer agencies about Login.gov’s lack of biometric comparison capabilities.”
The Epoch Times has contacted the GSA for additional comment, including questions about whether the security of 1 million accounts was jeopardized due to the lower security standards.