Get a $25 gift card if you help the US check whether these facial logins really work
NB: That will involve handing over your selfies and other personal info to AI outfits to experiment with
The US government hopes to add face-based logins to .gov websites – though first it wants to check whether this technology is as biased or unreliable as experts warn.
Folks in the US are encouraged to sign up for the study and hand over their personal identifiable information – including snaps of their face – to check the abilities of six suppliers' facial-recognition-based authentication systems. It's hoped that one day this kind of tech will be built into government websites, allowing people to log in using their faces.
"This is an important study and initiative to test and validate facial recognition and matching algorithms and technology to identify barriers across demographic lines," said GSA Federal Acquisition Service commissioner Sunny Hashmi. "The results will not only inform government strategy moving forward, but will also lower barriers for more Americans when they interact with their government digitally."
TSA wants to expand facial recognition to hundreds of airports within next decadeREAD MORE
The GSA is asking for anyone with a US-government-issued ID, social security number, email address, and mobile phone plan in their name to participate. On offer is a $25 gift card for sharing that ID, multiple selfies, your SSN, and other info, and giving the GSA permission to perform an automated scan of "your mobile device's features and capabilities."
That data trove will be shared with security-vetted suppliers for processing and analysis, and deleted from their servers within 24 hours, we're promised. However, the GSA also notes in its FAQ that it will keep that data for another six years, presumably in one of those oh-so secure government servers we hear so much about.
It's one thing to probe facial-recognition AI tech for the biases that experts and academics have been warning about – that women and people of color tend to be misidentified, primarily. But this study may have also been inspired, shall we say, by an audit this year that indicated the GSA had "misled" other agencies about its security standards.
The GSA no doubt wants to home in on authentication products that do not suffer bias and accuracy problems, although a note in the official announcement indicates a separate brouhaha may be smoothed over by the study.
Specifically, the procurement officials appear to be responding to a March report [PDF] from the Office of the Inspector General (OIG) that found the GSA had misled other government bodies about the true capabilities of Login.gov, the US government's single-sign-on (SSO) portal to its public-facing websites.
Smile! UK cops reckon they've ironed out gremlins with real-time facial recogREAD MORE
According to the OIG report, the GSA made misleading statements about having implemented NIST's digital identity guidelines [PDF], particularly building in identity assurance level 2 (IAL2), on Login.gov.
When someone wants to apply for a login.gov account, IAL2 requires their identity is verified using either remote or physically-present identity proofing – eg, capturing a selfie and comparing it to a government-issue ID record – just like the GSA study hopes to test. From November 2019, the GSA billed customer agencies claiming its SSO system was IAL2 compliant, before admitting in February 2022 the tech wasn't actually in place. Which would have been somewhat annoying for those other departments.
In September 2021, the GSA also made misleading statements when applying for $187 million in funding from the US government's Technology Modernization Fund. According to the auditors, the agency claimed "Login.gov is currently used in production and complies with NIST’s 800-63-3 standard for strong authentication (AAL2) and identity verification (IAL2)."
The GSA doesn't reference the OIG probe on its facial-recognition study website, though it did mention in its announcement that the complete 800-63-3 standard will "serve as the framework for the study."
The OIG report paints a picture of the GSA as negligent in its implementation of NIST's guidelines, and mentions providing its report to the GSA "for appropriate disciplinary action." A broad public study that shows the agency is now standards compliant, and has taken steps to iron out accuracy problems in future, may help calm things down. It may signal to the rest of the federal government that the GSA is taking things like standards seriously.
The GSA didn't immediately respond to questions from The Register for this story. ®