Feds Used Lax Security on 1 Million Americans’ Accounts Because of ‘Equity’: IG

One federal technology division had poor security measures for about one million online accounts. It rejected facial recognition technology and instead imposed laxity. “equity” An inspector general’s report (IG), released Tuesday, raised concerns.

General Services Administration’s (GSA’s) failure to disclose accurate information to other federal agencies about security and privacy protection through its Login.gov platform. This is a report that was compiled by the GSA’s IG (General Services Administration).pdf) found. The GSA was mentioned in the document. “misled customers” Login.gov has met federal digital identity requirements.

“Notwithstanding GSA officials’ assertions that Login.gov met SP 800-63-3 Identity Assurance Level 2 (IAL2) requirements, Login.gov has never included a physical or biometric comparison for its customer agencies. Further, GSA continued to mislead customer agencies even after GSA suspended efforts to meet SP 800-63-3,” According to the report. SP 800-63-3 refers To view federal digital identity guidelines.

The GSA is even more important. “knowingly billed IAL2 customer agencies over $10 million for services” To provide Level 2 services that were not federally recognized “standards,” The IG report added that the report “GSA used misleading language to secure additional funds for Login.gov.”

“As of May 2022, Login.gov had 906,187 users of Login.gov services that GSA purported to be IAL2 (Level 2) but did not comply. Notwithstanding GSA officials’ assertions that Login.gov met [federal] requirements, Login.gov has never included a physical or biometric comparison in production,” According to the IG report. “Login.gov officials informed us that biometric comparison was not included in products offered to customer agencies, initially because the feature required testing before implementation and later because they further delayed it due to equity concerns.”

GSA’s Technology Arm’s top leaders discovered that the site didn’t meet the requirements, but they still failed to comply. “notify customer agencies of the noncompliance,” The IG stated.

Washington, November 21, 2016: The General Services Administration Headquarters Building (GSA). (Saul Loeb/AFP/Getty Images)

“The inability to meet IAL2 NIST standards became the topic of discussions among Login.gov leaders and personnel at least as early as 2019, and included concerns that using individuals’ selfies to verify their identity could impact Login.gov’s rejection rates based on physical traits,” This report was also updated “such as skin color and tone.”

Federal Acquisition Service Commissioner Sonny Hashmi responded to the IG report this week. statement Saying that before “misrepresentations about Login.gov’s compliance” The standard “were completely unacceptable.” He added, “When we uncovered those misrepresentations in early 2022, we immediately referred the matter to the Inspector General, and initiated a series of actions to strengthen transparency, accountability, and oversight to correct the problem.”

“As the Inspector General rightly reports, this was a serious issue, but one GSA identified and addressed,” Hashmi also added. “GSA has also taken significant actions to strengthen the Login.gov program to ensure it better delivers for the needs of our customers and meets high standards of security, equity, and integrity.”

The GSA, according to the report, also obtained $187 million in federal funding after current and former GSA officials argued that the login service “is currently used in production and complies with NIST’s 800-63-3 standard for strong authentication (AAL2) and identity verification (IAL2)” When it was not.

Vladlen Zvenyach, the then-Deputy Commissioner for Technology Transformation Services (TTS), stated in a Slack messaging that he wouldn’t be making any efforts to ensure the program was compliant. According to him, the program may not have been compliant in order for it to be more complained. “discriminatory impact.”

“Hey team, I have been hearing that there is still some ambiguity around TTS’ position on liveness detection/PAD [Presentation Attack Detection] as an IAL2 proofing requirement. The position of TTS is that the benefits of liveness/selfie does not outweigh any discriminatory impact, and therefore should not be used as a proofing requirement,” He wrote The report stated that the information was available at the time.

However, the report revealed that “Zvenyach did not notify customer agencies when TTS suspended efforts to implement selfies to meet the NIST biometric comparison requirement,” The GSA also kept the information of “customer agencies about Login.gov’s lack of biometric comparison capabilities.”

For additional comments, the Epoch Times contacted GSA to ask questions regarding security for 1,000,000 accounts.

Read More From Original Article Here: Feds Used Lax Security on 1 Million Americans’ Accounts Because of ‘Equity’: IG