
GSA tees up equity study to explore potential of facial recognition for Login.gov


The General Services Administration wants to conduct a massive study around commercial facial recognition technologies to determine if they can be incorporated into Login.gov, the federal government’s primary identity service for interacting with public-facing federal websites.

According to a Request for Information published this week, the GSA may be seeking to hire third-party researchers for a remote identity proofing study that will include 2,000 testers and cover multiple vendors in the commercial facial recognition space. The project will help to “determine if identity verification capabilities including facial verification meet equity standards across various demographics.” It will also help determine whether GSA will incorporate such technologies into Login.gov, a secure sign-on tool for Americans to access their information on federal websites and applications.

“This data study will enable GSA to make a data driven decision on whether to pursue facial verification capabilities for Login.gov in the near term, to determine baseline performance metrics, and to provide real-world identity verification pass rate data for the first time to the broader Federal agency community,” the document states.

The study will be designed and led by a team of researchers at GSA’s Technology Transformation Services, who will work with contractors, an academic institution and an accredited Institutional Review Board. The project will require partnering with a range of organizations, including recruiters with backgrounds in biometric testing, an outreach partner to recruit diverse participants and live spoof testing services to conduct negative testing for comparison against vendor results.

In addition to testing for accuracy and equity, the study will also look at how different vendor products perform and match up to NIST standards when it comes to the non-biometric aspects of identity assurance.

Federal adoption of facial recognition draws concerns

GSA becomes the latest government agency to consider incorporating facial recognition into its applications or services. The nascent technology has been speedily adopted in many commercial and government applications over the past decade, even as it has come under a range of critiques from technologists and digital rights advocates for its inaccuracy (particularly for people with darker or non-Caucasian skin hues), the collection and storage of massive amounts of biometric data and an inability to keep that data from being stolen or leaked to the public.

Other federal agencies, like the IRS and Customs and Border Patrol, have announced plans to incorporate facial recognition more broadly into their operations, only to later walk them back in the face of a fierce public outcry. Many critics have relied on a 2019 study from the National Institute for Standards and Technology that found wide disparity between different facial recognition algorithms when it came to accurately measuring Black, Asian and Native American faces.

While discussing the IRS’ use of facial recognition technologies provided by third-party vendor ID.me earlier this year, NIST officials told SC Media that their recent research indicates the technical capabilities of some vendors have evolved considerably in the years since the 2019 study, but a formal updated study or results weren’t yet available.

Earlier this month, a statement from a GSA spokesperson provided to Federal Computer Week seemed to indicate that while the agency wouldn’t rule out the use of facial recognition for Login.gov over the long term, there were no current plans to do so.

"Although Login.gov team is researching facial recognition technology and conducting equity and accessibility studies, GSA has made the decision for now not to use facial recognition, liveness detection, or any other emerging technology in connection with government benefits and services until rigorous review has given us confidence that we can do so equitably and without causing harm to vulnerable populations," the spokesperson told FCW April 1.

Caitlin Seeley George, a campaign director at the digital rights nonprofit Fight for the Future, told SC Media that federal agencies will continue incorporating facial recognition and other biometric identification technologies by fiat in the absence of action from Congress.

"This is exactly why we need legislation protecting people against facial recognition technology. While we celebrated the GSA earlier this year for saying it would not be using facial recognition as a part of Login.gov, there is nothing keeping them from using it," Seeley George said in an email. "The only way to ensure governmental agencies cannot use the technology is to pass legislation prohibiting it."

The document states that the study would ultimately be published in 2023, when it will “assist GSA to make better informed decisions regarding identity verification capabilities.” SC Media has reached out to the GSA press office with questions about the standards the study will rely on and any potential timelines for moving forward with facial recognition for Login.gov.

The GSA recently received $187 million in funding from the Technology Modernization Fund to build new cybersecurity capabilities into Login.gov, the government’s sign-in service for members of the public who interact with federal websites or apply for federal jobs and programs. The justification for the award detailed a number of enhancements, including expanding identity verification and integrating the tool with additional government systems and websites.

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.
