The central technology arm of the federal government has been found to have jeopardized the security of close to one million online accounts belonging to Americans by rejecting the use of facial recognition technology as potentially racist, and then to have invoked “equity” to justify spending several years misrepresenting the fact.
The General Services Administration’s (GSA) technology group was originally given the job of creating Login.gov, a service that federal agencies would use to build accounts granting restricted access to government websites holding personal and sensitive information. Under standards set by the National Institute of Standards and Technology (NIST), the service was required to offer a hacker- and impersonator-resistant option for agencies that handle the most sensitive data, conforming to the NIST standard known as Identity Assurance Level 2 (IAL2).
GSA collected well over $187 million for the service after telling a government funding board that the solution it had built met NIST’s exacting standards in full, plus $10 million more from additional groups that bought the most secure option from GSA on the basis of those representations.
However, GSA expressly knew that the system it had created was not compliant with IAL2, because it openly disregarded one of the most important security features required: the use of biometrics such as facial recognition, eye scans, or fingerprints to verify that those attempting to access the restricted data were actually who they claimed to be. Officials chose to ignore that requirement because, they said, facial recognition technology could discriminate based on skin color, the GSA Inspector General found in a recent audit.
“Put simply, Login.gov opted to ignore the standards and instead focused on selling Login.gov to customers without regard to NIST requirements,” explained the IG. The audit explained that GSA “misled their customer agencies” and “knowingly billed” them for a product that they were not getting.
In its response to the inspector general, GSA acknowledged the problems the audit identified.
“Given that employees misled customer agencies about Login.gov’s compliance with NIST standards,” the current director of Login.gov was quickly reassigned, actions regarding employee misconduct had been opened, and a “top-to-bottom review” of the entirety of Login.gov had been called for, officials stated.
The audit found that senior officials ignored insiders who pointed out that a product whose sole purpose was cybersecurity was not secure, and that once they had been caught, they misled agencies into thinking the webcam feature was being removed because of Joe Biden’s executive order on “equity.” In reality, the product had been out of compliance the whole time, with GSA having induced agencies to use insecure software for years. Federal officials responsible for online security were sent scrambling once they learned the truth.
“As of May 2022, Login.gov had 906,187 users of Login.gov services that GSA purported to be IAL2 but did not comply,” explained the IG. “Notwithstanding GSA officials’ assertions that Login.gov met [the] requirements, Login.gov has never included a physical or biometric comparison in production. Login.gov officials informed us that biometric comparison was not included in products offered to customer agencies, initially because the feature required testing before implementation and later because they further delayed it due to equity concerns.”