The Electronic Privacy Information Center (EPIC) submits these comments in response to the General Services Administration’s (GSA) November 21, 2022 notice of a modified System of Records for Login.gov. The GSA is revising the system of records to align with current National Institute of Standards and Technology technical standards and expanding the routine uses to include third-party fraud prevention. Login.gov is the secure sign-on service through which the public accesses various federal government websites and applications.
EPIC is a public interest research center in Washington, DC, established in 1994 to focus public attention on emerging civil liberties issues and to secure the fundamental right to privacy in the digital age for all people through advocacy, research, and litigation. EPIC regularly studies the growth of and connections between government databases and advocates for strict controls on information flows to preserve privacy.
EPIC commends the GSA for producing an accessible and thorough privacy impact assessment and supports further improving Login.gov to provide a single secure sign-on service across the federal government. EPIC urges the GSA to limit contracts for fraud prevention to a single third-party provider, to investigate and consider abandoning behavioral analytics techniques, and to carefully audit any risk-scoring practices by LexisNexis and provide a clear avenue for appeal when an account is flagged as potentially fraudulent.
Login.gov is “a single, secure platform owned and operated by GSA through which members of the public can sign in and access information and services from participating federal agencies (‘partner agencies’).” In September 2022 the GSA updated its privacy impact assessment (PIA) for Login.gov in part to describe new fraud prevention tools the agency is implementing. The GSA contracted with LexisNexis to provide the following fraud prevention services for Login.gov:
Confirm device integrity, characteristics, reputation and association with individual.
Validate behavioral analytics, such as usage of mouse, keyboard, and interaction with the webpage.
Confirm Internet Protocol (IP) address and email reputation.
Protect against synthetic identities (false identities created by fraudulent actors).
The PIA specifies that LexisNexis ThreatMetrix is the current provider of fraud prevention services, but the GSA contemplates contracting with multiple third parties for fraud prevention. In the past, the GSA has contracted with data broker TransUnion for fraud prevention services on Login.gov, though whether that contract remains in effect is unclear. LexisNexis is also the primary third-party provider of identity-proofing services for Login.gov. There is a separate privacy impact assessment for LexisNexis that covers both fraud prevention and identity proofing.
II. The GSA should not obtain fraud prevention services from multiple service providers simultaneously.
In the Login.gov PIA and the proposed Login.gov SORN, the GSA leaves room to contract for fraud prevention services from multiple third-party providers. The GSA should restrict outside fraud prevention services to a single carefully vetted and audited third party to prevent increased risks of data loss and data breach. The Login.gov authentication process ingests a variety of personally identifiable information and provides that information to third-party entities, including:
Full Name and Address
Social Security Numbers
Date of Birth
Biometrics including Keyboard and Mouse behavior
Device Information including Browser, IP address, and geolocation data
This type of information is valuable and creates serious risks of identity theft, surveillance, and fraud if lost in a data breach or otherwise leaked from the third-party service provider.
Because of the sensitive nature of the information that the GSA permits third parties to collect, the GSA should minimize the risk of data breach by limiting its fraud prevention services to a single provider. Multiple providers with access to the same data magnify the risk of a data breach because that data is stored on multiple systems. The GSA is also more likely to be able to thoroughly vet a single provider than the multiple providers allowed for in the PIA and SORN.
III. The GSA should investigate and consider abandoning behavioral analysis fraud prevention.
Login.gov collects behavioral analytics, including mouse and keyboard movements, and discloses them to LexisNexis for fraud prevention purposes. This type of biometric collection records how a person moves their mouse, types on their keyboard, and otherwise uses their computer. Although behavioral analysis has some advantages for fraud prevention, neither the PIA nor the SORN contemplates its potential drawbacks.
Second, this type of behavioral surveillance is an invasive form of monitoring. Tracking how individuals use computers risks revealing users’ medical information. At least one study used mouse movements to identify mild cognitive impairments associated with Alzheimer’s disease as an early diagnosis tool. Behavioral monitoring is also likely to capture information about individuals with disabilities, including the blind, individuals with limited vision, and those with neuromuscular conditions. For example, mouse movements have been used to screen for Parkinson’s disease and similar conditions. Internet users with disabilities may also be disproportionately flagged by poorly designed fraud monitoring tools because their behavioral patterns will differ from those of non-disabled users. Behavioral analysis creates an additional risk of harm that must be accounted for.
IV. The GSA should carefully audit any risk-scoring practices by LexisNexis and provide a clear avenue for appeal when an account is flagged as potentially fraudulent.
Finally, risk scoring by algorithm is prone to errors and bias that must be accounted for. Neither the Login.gov PIA nor the SORN identifies risk scoring as a practice that can have disparate impacts. And neither one explicitly requires an appeal process to protect individuals’ access to federal government systems when an error in risk scoring occurs. For a thorough treatment of the harms associated with algorithmic scoring, see EPIC’s Screening and Scoring Project and our recent report, Screened and Scored in D.C.
The GSA should subject any scoring algorithms, internal or external, to a third-party algorithmic impact assessment and provide an avenue of appeal when accounts are flagged as fraudulent. If an account is flagged but the individual is neither told why they are denied access to government websites nor given a means to appeal, the GSA risks cutting individuals off from vital government benefits and entrenching discriminatory patterns.
EPIC urges the GSA to carefully consider the use of fraud prevention services and institute additional best practices to reduce the risk of wrongful surveillance or data breach. EPIC supports the agency’s efforts to improve Login.gov and specifically applauds the agency for a well-structured and accessible PIA that provides the public with meaningful information on how Login.gov works. For further questions, please contact EPIC Counsel Jake Wiener at [email protected].
See, e.g., id. at 23 (“Third-party providers only verify the information provided by the user and do not provide any information to partner agencies. Third-party identity proofing services only send the following information back to login.gov: transaction ID; pass/fail indicator; date/time of transaction; and codes associated with the transaction data.”).