The General Services Administration is adding anti-fraud measures to its sign-in and identity service, Login.gov, in an effort to prevent account takeovers, according to a Nov. 21 notice in the Federal Register.
But at least one privacy advocate is concerned about the agency’s use of an outsourced service to monitor user data.
Login.gov uses LexisNexis Risk Solutions, part of London-based global information and analytics provider RELX, for these fraud detection services, according to a GSA privacy impact assessment in September. LexisNexis also provides identity verification services for Login.gov.
Fraud prevention systems will collect information about a given device – such as IP address, browser type, and usage patterns, such as keyboard and mouse behavior – when someone accesses their Login.gov account.
LexisNexis’ services will also provide “risk scores” associated with the device, as well as name, address, and other identifying information that has been associated with that device before, according to the Nov. 21 notice.
GSA officials did not say when the new services launched or how many contractors are working on them, but said in a statement that the website would continue to evolve as needed.
“Login.gov is built with a mix of in-house and vendor-provided capabilities and technologies, and leverages multiple industry sources, spanning document authentication, identity verification, and notification services,” a GSA spokesperson told FCW.
The spokesperson added that “as new use cases and needs are identified, Login.gov continues to build product functionality,” highlighting anti-fraud controls for partner agencies and “mechanisms to robust remedies for legitimate users,” as well as an expanded contract center staff, hours and services and improving identity verification services.
The GSA is accepting comments on the system of records change until December 21.
Linda Miller, fraud expert and partner at Guidehouse, told FCW via email that these fraud risk capabilities are par for the course, writing that “device information is crucial in determining things like whether the ‘device has been spoofed’ and information like geolocation” can be triangulated with data elements about the individual’s identity to help paint a more complete picture of the user and establish the level of risk that it’s a compromised identity.
However, there remain apprehensions about privacy and accuracy issues, said Jake Wiener, a home surveillance lawyer at the Electronic Privacy Clearinghouse.
It’s a “huge concern that they use LexisNexis”, which “is in the upper echelon of data brokers that suck up huge amounts of information, almost always without the meaningful consent of the people whose information they collect, then sell to government and private companies,” he said.
These data collection processes are integrated with the platform’s identity verification process and users consent to the anti-fraud technology at the start of this process, the privacy impact assessment says. In terms of alternatives, people who do not want this information collected about them can “contact” the agency that controls the system they are trying to enter.
A separate privacy impact assessment from LexisNexis states that “the data collected is never used for the overall enrichment of LexisNexis products” and the privacy impact assessment from Login.gov states that Login.gov reviews the security and compliance of third-party systems that obtain data annually.
Wiener told FCW that the audits will be paramount and that “it doesn’t address the broader issues of using and approving a service that trades people’s personal data and sells that data to law enforcement without their meaningful consent. The best solution here is to have the GSA/Login.gov check the fraud internally.”
The November 21 notice and September assessment do not explicitly describe what a notice and appeal process would look like for those deemed at risk by fraud prevention services.
The privacy impact assessment says there is a “third-party dashboard” that allows Login.gov to review anti-fraud assessments to “confirm fraud or provide redress to users.”
The addition of anti-fraud controls comes as Login.gov continues to seek to expand across government agencies, many of which are grappling with how to provide accessible digital government services while preventing fraudsters through measures such as identity verification.
The director of the Office of Management and Budget, the GSA administrator and others have singled out Login.gov as a potential solution to the fraud since the topic came to light earlier this year, when the IRS came under fire from lawmakers and privacy advocates for its use of facial recognition through provider ID.me.