© 2024 Allbritton Journalism Institute

The Government and Private Companies Are in a Tug-of-War Over Who Controls Access to Public Websites

A clash is playing out in Washington over what role private companies should have in developing government technologies, centered around a service that would allow Americans to use a single account across any federal website.

Login.gov logo
Login.gov; NOTUS illustration

A lobbying fight is unfolding on Capitol Hill and in executive agencies over how hundreds of millions of Americans will access government websites.

The General Services Administration — a federal agency responsible for logistics and operations — has been developing a tool called Login.gov since 2016, with the vision of creating a sign-on service that would eventually allow Americans to use a single account across any federal website. Commercial companies, mostly notably the Virginia-based ID.me, are pushing their own products as an alternative.

The result is a quiet tug-of-war in Washington over how Americans will interact with websites that let them do everything from renewing a passport and applying for a small business loan to filing taxes and submitting résumés to be considered for a federal job vacancy.

At stake are competing visions of what online government services should look like. To some, the notion of letting private companies mediate how millions of Americans access public services on public websites is a nonstarter. Others point to a long history of government technology disasters, like the botched rollout of Healthcare.gov and the theft of millions of security clearance applications from the U.S. Office of Personnel Management, and say the private sector already has proven products that the government should simply go out and buy.

Login.gov currently serves 40 federal and state agencies and counts more than 49 million users, according to GSA. But ID.me is aggressively competing for market share, either as an alternative or a wholesale replacement to the GSA-run service. It is embedded within the Treasury Department, the IRS and the Department of Veterans Affairs, and has about 130 million total users, including 60 million who have verified their identities using something like a physical ID, and hopes to expand to more agencies.

In 2022, the Biden administration said it was planning to issue an executive order designed to combat fraud in government programs. That order still hasn’t arrived. According to people familiar with the matter and reporting from NextGov, the administration initially leaned toward language that would have pushed agencies to adopt Login.gov as part of that order.

Today, it’s unlikely that any directive to use Login.gov will be included, people say — thanks in part to advocacy from technology trade groups and concerns from both policymakers and lawmakers about the GSA’s management of the Login.gov product.

In a nonbinding congressional report accompanying a spending bill last year, Congress directed GSA to open the market for logins to commercial providers. Lobbying reports show that ID.me lobbied on that provision, and the company is pushing for stronger versions to be written into law into critical bills such as the annual defense bill currently being debated by Congress, according to lobbying disclosure reports and people familiar with the matter.

Both public and private sector options have their supporters and detractors in Washington — a clash of philosophies about what role private companies should play in administering government programs or developing government technologies.

“The U.S. government needs to adopt a common sense approach to digital identity, by requiring standards that can protect against identity theft, and applying them across the board. Login.gov should play a starring role in the provision of online government services, by enabling Americans to access federal, state, and local government websites with a single, secure account, saving them time and protecting them from fraudsters,” Sen. Ron Wyden said in a statement.

The General Services Administration (GSA) building
Jacquelyn Martin/AP

ID.me’s rollout on the IRS website in 2022 drew bipartisan concern over the company’s collection of biometrics, such as face scans, and other personal information from taxpayers trying to simply access a government website. Democrats like Wyden and Republicans on Capitol Hill expressed concern about the company acting as a middleman between government services. An aide for Wyden noted that filing taxes on paper or through a corporate middleman like TurboTax required no identity verification.

“The IRS has unilaterally decided to allow an outside contractor to stand as the gatekeeper between citizens and necessary government services,” a group of Republican senators wrote in 2022 when the IRS adopted ID.me as its login provider.

Others see visions of previous government technology failures, like the Obama-era Healthcare.gov portal, and believe that few Americans should trust that the government can develop safe, reliable and cost-effective technology in-house when there are existing commercial alternatives.

The Business Software Alliance, a trade group that represents technology companies and software developers, advocates for commercial solutions over in-house ones in government procurement.

“Commercial technology is updated and upgraded to respond to market conditions,” said Jessica Salmoiraghi, who is the senior director for IT modernization and procurement at BSA. “If security patches are needed, they’ll be updated quickly.”

Login.gov has also struggled with perceptions about its security.

The federal National Institute of Standards and Technology calls for some sort of matching against a document like a physical ID or a virtual interview with a person to meet more stringent identity requirements. ID.me complied with that requirement through a facial-recognition tool and also offers video interview services where people can present a credential like a driver’s license plus a selfie to help verify their identity.

“We meet the government’s standards set forth by NIST. They wrote those standards and updated those standards on the heels of a couple of large data breaches,” said Wes Turbeville, senior vice president, federal, at ID.me. “We should be offered as an option because we meet the government’s standards for security.”

But GSA has resisted integrating a facial-matching capability into Login.gov out of concerns that facial-recognition algorithms are less effective on people who aren’t white. That meant it was not compatible with NIST’s standard.

An inspector general report from last year found that GSA had misled other federal agencies into believing that Login.gov met the more stringent NIST standard when it did not, leading to a critical hearing on Capitol Hill and the removal of several GSA executives responsible for the program.

GSA announced in April that it would add facial recognition to its tool to meet the NIST standard. A spokesperson for the agency declined to comment.

Correction: This story initially stated an incorrect figure for total users of ID.me.

Byron Tau is a reporter at NOTUS.