There’s a solid cybersecurity argument for electronic verification, but equity can’t be neglected, observers say.
The General Services Administration wants to replicate a system the Social Security Administration has been implementing over the last three years to reduce identity theft in the financial services sector for use in the provision of digital services by various other agencies.
In 2018, Congress instructed SSA to create an electronic consent based social security verification system, known now as ECBSV, to help stop criminals from stealing the identity of victims, most of whom are children, according to Kate Wechsler, executive director of the Consumer First Coalition.
Wechsler spoke alongside Phil Lam, GSA’s executive director for identity on Monday during an event hosted by the Better Identity Coalition, a group of companies pushing the government to move ahead on securely digitizing identity verification.
She said before the system was in place, identity verification at SSA “was paper based and very slow to the point that quite frankly, it wasn't useful, especially in our increasingly digital environment for credit applications and decisions. You know, by the time you got the result from SSA that it wasn't a match, the criminal has gotten their credit and is gone.”
Congress specifically crafted the law to grant access to the system to financial institutions, including credit reporting agencies, but with the rise of digital services, Lam wants to see greater use of the SSA model across the government.
“Something that GSA is taking particular interest in is helping sort of advance the concept [behind] what SSA is doing around strong authoritative attribute verification,” he said. “How can we do that with other agencies such as the Post Office for example with addresses, or State Department perhaps with the passport, and maybe even [the Transportation Security Administration] with a known traveler number, and how do we bring together these different government agencies so that we can do identity verification at the attribute level, direct to the authoritative source?”
Lam sought to allay privacy concerns associated with working with private-sector partners by arguing such systems would reduce the amount of replicated personally identifiable information needlessly floating around.
”The work that SSA has done with ECBSV, honestly it's groundbreaking for government agencies to allow,” he said. “They do it in a privacy preserving way where they're not sending information out. They're just saying yes or no.”
The question of what makes for an “authoritative source,” was highlighted by the Internal Revenue Service’s plan to—starting this summer—require tax filers to submit selfies through a company called ID.me in order to access their accounts.
“Fight for the Future received many emails from people looking for ways to avoid giving up their biometric information, and thousands of people signed a petition to state legislators asking them to put an end to this practice,” Caitlin Seeley George, campaign director of the digital rights group, said. “Everything about ID.me’s process is invasive, creepy and unsafe. The federal government should abandon plans to require millions of Americans to use this facial recognition system to complete their taxes … the company alleges in-person verification options, but has no information on their site about where and how to access these options.”
Lam said the in-person option is a must-have for identity verification systems, as many of the people seeking government services may not have a smartphone.
“They might not be able to take that selfie,” he said. “So we’ve got to keep focusing here too, not just on the high tech, but how do we reach those other individuals so we can provide them with equitable access to government resources?”