Connect.Gov will become Login.Gov, according to a notice published in the Federal Register as a notice of a new system that would fall under the U.S. Privacy Act of 1974. The notice is to inform the public of the change that will be subject to the 42-year-old law.
The notice comes as the GSA is proposing a citizen identity platform that can be used to access government services. The platform will collet personal data and provide identity proofing to agencies. Login.Gov replaces Connect.Gov, which was scrapped earlier this year.
To enable access information must be collected to authenticate an individual’s identity. How much data will be collected will depend on the level of identity assurance necessary for the application. Login.Gov will use third-party identity services to proof an identity.
For a level one credential a citizen will provide a email, password and phone number. For a level three credential they will be asked additional information. Full name, date of birth, address, phone number and Social Security number will be requested. The identity proofer will also ask the user credit and financial related questions. Login.gov will not retain the commercial identity verification information, questions asked of a user or the responses provided.
“Once proofed, the attribute bundle will be given a meaningless, but unique identifier number (MBUN) to identify the user in the system. The MBUN and attribute bundle will be asserted to the partner agency. The partner agency is granted access to user information only when the user logs in or specifically gives permission to transmit their information. The information in the system is contributed voluntarily by the user and cannot be accessed by the government without explicit consent of the user, except as provided in this notice,” the notice states.
ID.me was one of the identity providers with Connect.Gov and this new system has shut out other identity providers, says Blake Hall, co-founder and CEO at the company. The new system is also being setup as a honeypot for people wanting citizen information. “The idea of one government agency housing all citizen information and tracking activity online is scary,” Hall says. “It will be an immediate target for hostile state actors and opens the door to malicious use for domestic purposes too.”
The system also seems to against White House policy that originally states a government database of citizen information wouldn’t happen. “At the end of the day, the question that just confounds me: can a small group of technologists really just hijack executive policy and attempt to destroy an ecosystem of private sector companies that made huge investments in good faith to support this administration’s policy for trusted identities online?” Hall asks.
The system was supposed to also accept third-party identity credentials, however, the notice made no mention of that idea. “If Login.gov is the only way for citizens to interact with government services online and there is no choice between identity providers, then the system is de facto involuntary because there is only one option and no recourse provided for citizens to interact with their government,” Hall says. “My way or the highway doesn’t sound like voluntary to me.”