EPIC Comments to GSA on Login.gov SORN
COMMENTS OF THE ELECTRONIC PRIVACY INFORMATION CENTER
to the
General Services Administration
on
Notice of a Modified System of Records: Login.gov
89 Fed. Reg. 41,436
June 12, 2024
_____________________________________________________________________________
The Electronic Privacy Information Center (EPIC) submits these comments in response to the General Services Administration’s (GSA) May 13, 2024 notice of a modified System of Records for Login.gov.[1] The GSA is revising the system of records by changing routine uses, updating the system to cover biometric identity verification, updating fraud prevention practices, and making technical changes.
EPIC is a public interest research center in Washington, DC established in 1994 to focus public attention on emerging civil liberties issues and to secure the fundamental right to privacy in the digital age for all people through advocacy, research, and litigation. EPIC regularly studies the growth of and connections between government databases and advocates for strict controls on information flows to preserve privacy.[2] EPIC works to promote the adoption of accessible, secure and privacy-preserving identity proofing across the federal government.[3]
EPIC supports further improving Login.gov to provide a single secure sign-on service across the federal government. EPIC urges the GSA to limit contracts for fraud prevention to a single third-party provider, to investigate and consider abandoning behavioral analytics techniques, and to carefully audit any risk-scoring practices by LexisNexis and provide a clear avenue for appeal when an account is flagged as potentially fraudulent. EPIC further urges the GSA to minimize or abandon transmission of Social Security Numbers (SSNs) to third-party fraud and identity verification providers.
- Background
Login.gov is “a single, secure platform owned and operated by GSA through which members of the public can sign in and access information and services from participating federal agencies (‘partner agencies’).”[4] In May 2024, the GSA updated its privacy impact assessment (PIA) for Login.gov to include information on biometric identity verification by facial recognition and to further describe new fraud prevention tools the agency is implementing. The GSA contracted with LexisNexis to provide the following fraud prevention services for Login.gov:
- Confirm device integrity, characteristics, reputation and association with individual.
- Validate behavioral analytics, such as usage of mouse, keyboard, and interaction with the webpage.
- Confirm Internet Protocol (IP) address and email address history.
- Protect against synthetic identities (false identities created by fraudulent actors).[5]
The PIA specifies that LexisNexis ThreatMetrix is the current provider of fraud prevention services, but the GSA contemplates contracting with multiple third parties for fraud prevention.[6] In the past, the GSA has contracted with data broker TransUnion for fraud prevention services on Login.gov, though whether that contract remains in effect is unclear.[7] LexisNexis is also the primary third-party provider of identity-proofing services for Login.gov.[8] There is a separate privacy impact assessment for LexisNexis that covers both fraud prevention and identity proofing.[9]
- The GSA should not obtain fraud prevention services from multiple service providers simultaneously.
In the Login.gov PIA and the proposed Login.gov SORN, the GSA leaves room to contract for fraud prevention services from multiple third-party providers. The GSA should restrict outside fraud prevention services to a single carefully vetted and audited third party to prevent increased risks of data loss and data breach. The Login.gov identity verification process ingests a variety of personally identifiable information and provides that information to third-party entities, including:
- Full Name and Address
- Social Security Numbers
- Date of Birth
- Contact information
- An image of a driver’s license or other ID card
- A selfie photo for facial recognition analysis
For Fraud Detection, Login.gov collects the above information plus:
- Biometrics including Keyboard and Mouse behavior as well as biometrics from “other device sensors”
- Detailed Device Information including:
- Browser, IP address, installed components, processor, screen resolution settings
- Geolocation data[10]
- Various unique device fingerprints (LG generated, JavaScript generated, etc.)
This type of information is valuable and creates serious risks of identity theft, surveillance, and fraud if lost in a data breach or otherwise leaked from the third-party service provider.
Because of the sensitive nature of information that the GSA permits third parties to collect, the GSA should minimize the risk of data breach by limiting its fraud prevention services to a single provider. Giving multiple providers access to the same data magnifies the risk of a data breach because that data is stored on multiple systems. The GSA is also more likely to be able to thoroughly vet a single provider than the multiple providers allowed for in the PIA and SORN.
- The GSA should investigate and consider abandoning behavioral analysis fraud prevention.
Login.gov collects and discloses behavioral analytics including mouse and keyboard movements to LexisNexis for fraud prevention purposes.[11] This type of biometric collection records how a person moves their mouse, types on their keyboard, and otherwise uses their computer. Although behavioral analysis has some advantages for fraud prevention, neither the PIA nor the SORN contemplates potential drawbacks.
First, recording behavioral biometrics requires a third-party JavaScript plugin to capture mouse movements and keystrokes on the Login.gov website. Although the Login.gov PIA discloses the use of behavioral analytics, it may not be clear to users of Login.gov that this type of monitoring is required to use the service. Further, providing notice alone means little when individuals have no practical alternative to using Login.gov to access federal government services. Therefore, the GSA should carefully scrutinize all forms of surveillance on Login.gov and seek to minimize the use of these surveillance technologies.
Second, behavioral surveillance is an invasive form of monitoring. Tracking how individuals use computers risks revealing users’ medical information. At least one study used mouse movements to identify mild cognitive impairments associated with Alzheimer’s disease as an early diagnosis tool.[12] Behavioral monitoring is also likely to capture information about individuals with disabilities, including the blind, individuals with limited vision, and those with neuromuscular conditions. For example, mouse movements have been used to screen for Parkinson’s disease and similar conditions.[13] Internet users with disabilities may also be disproportionately flagged by poorly designed fraud monitoring tools because their behavioral patterns will differ from abled users. Behavioral analysis creates an additional risk of harm that must be accounted for.
- The GSA should carefully audit any risk-scoring practices by LexisNexis and provide a clear avenue for appeal when an account is flagged as potentially fraudulent.
Finally, risk scoring by algorithm is prone to errors and bias that must be accounted for. Neither the Login.gov PIA nor the SORN identifies risk scoring as a practice that can have disparate impacts. And neither one explicitly requires an appeal process to protect individuals’ access to federal government systems when an error in risk scoring occurs. For a thorough treatment of the harms associated with algorithmic scoring, see EPIC’s Screening and Scoring Project[14] and our recent report, Screened and Scored in D.C.[15]
The GSA should subject any scoring algorithms, internal or external, to a third-party algorithmic impact assessment and provide an avenue of appeal when accounts are flagged as fraudulent. If an account is flagged but individuals do not understand why they are denied access to government websites and are not given a means to appeal, the GSA risks denying individuals access to vital government benefits and entrenching discriminatory patterns.
- The GSA should minimize or abandon the transmission of SSNs when not strictly necessary.
The Social Security Number has lost much of its value as a personal identifier. For nearly 20 years, federal policy has aimed to minimize collection and storage of SSNs across agencies, recognizing the extreme risks of a data breach exposing SSNs. Unfortunately, that federal policy has not been successful, and many agencies continue to collect SSNs. Current OMB guidance and White House policy dating back to 2007 both instruct federal agencies to minimize collection and storage of SSNs. The federal government recognized that agencies collecting SSNs posed a threat and specifically instructed agencies to a) eliminate unnecessary use of SSNs and b) explore alternatives to the SSN.[16] However, agencies have not made enough progress in reducing or eliminating use of the SSN to validate identity. In 2017 the Government Accountability Office (GAO) surveyed federal agencies collecting SSNs, finding that 22 agencies used the SSN in the provision of benefits and services.[17] The GAO issued five recommendations to the Office of Management and Budget to harmonize federal policy and meaningfully reduce how often agencies collect SSNs. As of 2021, OMB could not confirm that it had implemented any of the GAO’s recommendations.[18] In short, agencies are repeatedly failing to act to remove the SSN from identity proofing.
Minimizing both transmission and use of the SSN for purposes beyond legally mandated tax-compliance and anti-money laundering purposes is vital to reduce the harms created by SSN overuse and data breaches. Agencies across the federal government must also do everything possible to prevent further data breaches exposing SSNs. For Login.gov, that means minimizing the transmission of SSNs to third-party identity verifiers, and especially for fraud prevention purposes. When an agency still requires an SSN to provide benefits, Login.gov should provide the agency with the SSN or a reliable reference to obtain the SSN. But beyond that narrow use, SSN collection and transmission should be deprecated to the maximum extent possible. Yet the current SORN and PIA for Login.gov authorize the transmission of SSNs for fraud prevention purposes.[19]
Conclusion
EPIC urges the GSA to carefully consider the use of fraud prevention services and institute additional best practices to reduce the risk of wrongful surveillance or data breach. EPIC supports the agency’s efforts to improve Login.gov, but urges the agency to prioritize privacy and prevent further exposing individuals’ sensitive information. For further questions, please contact EPIC Senior Counsel Jeramie Scott at [email protected] or EPIC Counsel Jake Wiener at [email protected].
Respectfully Submitted,
Jake Wiener
EPIC Counsel
[1] 89 Fed. Reg. 41,436, https://www.federalregister.gov/documents/2024/05/13/2024-10404/privacy-act-of-1974-system-of-records.
[2] See e.g., Dana Khabbaz, EPIC, DHS’s Data Reservoir: ICE and CBP’s Capture and Circulation of Location Information (Aug. 2022), https://epic.org/documents/dhss-data-reservoir-ice-and-cbps-capture-and-circulation-of-location-information/; Comments of EPIC to the U.S. Postal Inspection Service on Using U.S.P.S. Customer Data for Law Enforcement (Jan. 18, 2022), https://epic.org/documents/epic-comments-to-the-u-s-postal-investigative-service-on-using-u-s-p-s-customer-data-for-law-enforcement/; Comments of EPIC on the U.S. Department of Homeland Security/ALL-046 Counterintelligence Program System of Records (Jan. 2021), https://epic.org/documents/u-s-department-of-homeland-security-all-046-counterintelligence-program-system-of-records/.
[3] See e.g. EPIC, Coalition Comments to DHS on Advance Passenger Information System: Electronic Validation of Travel Documents (Apr. 3, 2023), https://epic.org/wp-content/uploads/2023/04/IDP-APIS-comments-3APR2023.pdf; EPIC Comments to OSTP on Digital Assets Request for Information (Mar. 6, 2023), https://epic.org/documents/comments-of-epic-to-ostp-on-digital-assets-request-for-information/; EPIC Comments to GSA on Fraud Controls on Login.gov (Dec. 21, 2022), https://epic.org/documents/epic-comments-modified-system-of-records-notice-for-login-gov/; EPIC Spotlights Pondera’s Fraud Detection Algorithms for Public Benefits (Jul. 5, 2022), https://epic.org/epic-spotlights-ponderas-fraud-detection-algorithms-for-public-benefits/.
[4] Richard Spiedel, GSA, Login.gov Privacy Impact Assessment at 5 (May 14, 2024), accessible at https://www.gsa.gov/reference/gsa-privacy-program/privacy-impact-assessments-pia (hereinafter Login.gov PIA).
[5] Id. at 10-11.
[6] See, e.g., id. at 21 (“Third-party providers only verify the information provided by the user and do not provide any information to partner agencies. third-party identity proofing services only send the following information back to login.gov: transaction ID; pass/fail indicator; date/time of transaction; and codes associated with the transaction data.”).
[7] Alfred Ng, Data brokers raise privacy concerns — but get millions from the federal government, Politico (Dec. 21, 2022), https://www.politico.com/news/2022/12/21/data-brokers-privacy-federal-government-00072600; TransUnion, TransUnion’s NIST-Compliant Identification Managed Services Among First to be Awarded GSA’s Approved Status Designation, TransUnion Newsroom (Sept. 18, 2022), https://newsroom.transunion.com/transunions-nist-compliant-identification-managed-services-among-first-to-be-awarded-gsas-approved-status-designation/.
[8] Login.gov PIA at 18 n. 26.
[9] Laura Gerhardt et al., LexisNexis Risk Solutions (LNRS) Identity Proofing Privacy Impact Assessment (PIA) – Guidance, GSA (Sept. 15, 2022), available at https://www.gsa.gov/reference/gsa-privacy-program/privacy-policy-for-nonfederal-systems (hereinafter LexisNexis PIA).
[10] Id. at 11-12.
[11] Id.
[12] Adriana Seelye et al., Computer mouse movement patterns: A potential marker of mild cognitive impairment, Alzheimers Dement (Amst.) 472-80 (2015), https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4748737/.
[13] Krzysztof Gajos et al., Computer Mouse Use Captures Ataxia and Parkinsonism, Enabling Accurate Measurement and Detection, Wiley InterScience (Jul. 8, 2019), https://movementdisorders.onlinelibrary.wiley.com/doi/10.1002/mds.27915.
[14] https://epic.org/issues/ai/screening-scoring/.
[15] Thomas McBrien et al., Screened and Scored in the District of Columbia, EPIC (Nov. 2022), https://epic.org/screened-scored-in-dc/.
[16] OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information (May 22, 2007), https://georgewbush-whitehouse.archives.gov/omb/memoranda/fy2007/m07-16.pdf.
[17] GAO-17-553, Social Security Numbers: OMB Actions Needed to Strengthen Federal Efforts to Limit Identity Theft Risks by Reducing Collection, Use, and Display (Jul. 25, 2017), https://www.gao.gov/products/gao-17-553.
[18] Id.
[19] Login.gov SORN Routine Use l.; Login.gov PIA at ll Table 2: Data Used for Fraud Mitigation.