News: 1727700011

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Remote ID verification tech is often biased, bungling, and no good on its own

(2024/09/30)


A study by the US General Services Administration (GSA) has revealed that five remote identity verification (RiDV) technologies are unreliable, inconsistent, and marred by bias across different demographic groups.

In a pre-press version of the GSA [1]study , shared this month, the agency said that only two of the RiDV products it tested were equitable for all users; two others had at least one demographic where error rates and false rejections were notably higher, with one product showing significantly higher rejection rates for Black participants and individuals with darker skin tones. The fifth product showed more favorable, but still inequitable, performance for Asian American and Pacific Islander participants.

According to the study, one of the products barely merits the term "functional," as it had a false negative rate of around 50 percent, and even the best performer still failed 10 percent of the time.

[2]

In short, the technology used for remote identity verification is a mess.

[3]

[4]

"This study confirms that it is necessary to evaluate products across demographic groups to fully understand the performance of remote identity verification technologies," The GSA said.

While none of the vendors were named in the study itself, the GSA published a privacy impact [5]assessment [PDF] for the study in September 2023 that lists the five products as coming from TransUnion, Socure, Jumio, LexisNexis, Incode and Red Violet. It's not clear if there were any changes to the products tested after that document was published; we reached out to all five vendors listed, and most haven't responded.

[6]

LexisNexis acknowledged the study in a statement and highlighted its longstanding relationship with the GSA, particularly through its work on Login.gov. Due to anonymizing of the experiment, its CEO for government risk solutions Haywood 'Woody' Talcove told The Register in an interview that he's not sure if the outfit's RidV tech was tested.

Meet the new biased tech, same as the old biased tech

If you're wondering - hey, haven't we hashed out bias in facial recognition before? Sure, we have - real-time facial recognition tech used in public places by law enforcement has long been established to have [7]racial biases and other issues that could [8]impinge on civil liberties .

This is a different kind of biased tech, though.

[9]IRS doesn't completely scrap facial recognition, just makes it optional

[10]Rise of deepfake threats means biometric security measures won't be enough

[11]Can I phone a friend? How cops circumvent face recognition bans

[12]Deepfake attacks can easily trick live facial recognition systems online

"Prior work by NIST and others have considered the fairness of face matching systems," the researchers wrote in their report. "Our work expands upon prior work by testing full end-to-end remote identity verification systems which include the face matcher, as well as the user interface, capture process, document verification check, and liveness check."

Remote identity verification technology involves submitting a photo ID, a selfie and/or other forms of identification to verify that a person signing up for a new account, or trying to access an existing one, actually is who they claim to be.

The GSA, which handles procurement for the US government, has previously expressed trepidation about using RidV tech due to fears of inequity surrounding it. GSA announced [13]plans to test the technology in August 2023, and in October it said it was [14]adopting RidV . The tech is now [15]available to use on the Administration's login.gov service.

It's not immediately clear which of the tested vendors, if any, the GSA uses for login.gov aside from LexisNexis. We're told the vendors were anonymized and sealed in the study, making it unclear how performance maps onto vendors, or which, if any, are being used by the GSA.

[16]

"Login.gov is currently using a vendor with an algorithm that was one of the highest performers in the NIST FRVT study," a GSA spokesperson told The Register Friday. "[We] look forward to continuing to evaluate research, such as the final equity study results once complete, to assess all aspects of its performance and inform future efforts."

It's worth noting that the RidV study only included results for volunteers who completed testing with all five vendors, which the GSA said might mean error rates could be higher if users dropped out due to frustration. Performance for fraud detection also wasn't tested as part of the study.

The GSA [17]said it plans to release the final peer-reviewed version of the study in 2025, which will [18]include further analysis into causes of false negatives and inconclusive results, as well as product performance at each step of the identity verification process.

"GSA looks forward to using the results of the study to help GSA and other federal agencies advance equity in new, modern technologies and deliver services more effectively for the public," an agency spokesperson told us in an emailed statement.

Facial recognition just one part of the RidV puzzle

LexisNexis's Talcove told us that while he's glad the government is implementing RidV technology, he's not convinced it's a good solo solution.

"The best at 10 percent and the worst at 50/50 is a real challenge - how are you just better than a coin toss," Talcove asked of the products tested.

Talcove said he thinks both the government and commercial sectors have become overly reliant on NIST's [19]IAL2 remote identity proofing standard, leading to a focus on using visual identification as the be-all and end-all of RidV.

"Some people's licenses are in better condition, some have better cameras or internet connections than others," the LexisNexis exec said. "Folks lose weight, or change their appearances."

In other words, people change, so it makes sense that purely visual RidV tech would fail so often.

"Any time you rely on a single tool, especially in the modern era of generative AI and deep fakes … you are going to have this problem," Talcove said. "I don't think NIST has gone far enough with this workflow."

Talcove said LexisNexis is pushing for a multi-layer approach that, instead of relying on visual identification, uses a variety of data points to identify an individual. Those could include things like analyzing the machine a person is using for previous fraud attempts, validating email addresses, or cross-referencing other records.

He doesn't even believe facial recognition should be the first string tool, as there are more reliable and user-friendly methods of verifying identity online.

"You need a multi-layered approach with multiple data sources to triangulate an identity," Talcove told us. "It's pretty easy to game [pure facial recognition]."

"What this study shows is that there's a level of risk being injected into government agencies completely relying on one tool," Talcove said. "Some customers are enamored with the IAL2 workflow - which I think is great, but we've gotta go further." ®

Get our [20]Tech Resources



[1] https://arxiv.org/html/2409.12318v1

[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/publicsector&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZvrLJOsilpP9azlCbOd2FgAAAUA&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/publicsector&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZvrLJOsilpP9azlCbOd2FgAAAUA&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/publicsector&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZvrLJOsilpP9azlCbOd2FgAAAUA&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[5] https://www.gsa.gov/system/files/Identity%20Proofing%20Equity%20Study%20Privacy%20Impact%20Assessment%20PIA.docx.pdf

[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/publicsector&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZvrLJOsilpP9azlCbOd2FgAAAUA&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[7] https://www.theregister.com/2023/05/25/facial_recognition_system_used_by/

[8] https://www.theregister.com/2024/01/17/face_recognition_tech_us/

[9] https://www.theregister.com/2022/02/23/irs_facial_deletion/

[10] https://www.theregister.com/2024/02/01/deepfake_threat_biometrics/

[11] https://www.theregister.com/2024/05/20/cops_circumvent_facial_recognition/

[12] https://www.theregister.com/2022/05/22/ai_in_brief/

[13] https://www.theregister.com/2023/08/21/us_facial_testing/

[14] https://www.theregister.com/2023/10/19/us_government_logingov_will_get/

[15] https://www.login.gov/help/verify-your-identity/overview/

[16] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/publicsector&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZvrLJOsilpP9azlCbOd2FgAAAUA&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[17] https://www.gsa.gov/governmentwide-initiatives/diversity-equity-inclusion-and-accessibility/equity-study-on-remote-identity-proofing

[18] https://www.gsa.gov/blog/2024/06/05/equity-study-reaches-4000-participants

[19] https://pages.nist.gov/800-63-3-Implementation-Resources/63A/ial2remote/

[20] https://whitepapers.theregister.com/



imanidiot

"It's worth noting that the RidV study only included results for volunteers who completed testing with all five vendors, which the GSA said might mean error rates could be higher if users dropped out due to frustration. Performance for fraud detection also wasn't tested as part of the study."

Holy selection bias batman! This right here pretty much invalidates the study anyway. Especially the first bit. I can't find it right now, but is there any reported number on how many people started and then stopped midway through? I'd imagine the "best" might actually be the worst if all the people for whom it doesn't work have just given up and only those who can reliably make it through the testing (ie, the only ones who can make it work) stay in the study.

Stuart Castle

How would these systems deal with a fake webcam that just streams a JPEG of your face, licence or ID card? I can't check as I don't think I have access to any of these systems, but I should imagine that these systems would be relatively easy to fool if used remotely. At least on a PC or Mac. On a phone or tablet, it might be a different story, because the phone may be limited to using it's internal cameras.

vtcodger

It's worth pointing out that login.gov has no less than FIVE methods for multifactor identification. Face/fingerprint, security key, authentication app, text/phone, pre-established one time codes. With them, you don't have to use biometrics unless you want to. https://www.login.gov/help/get-started/authentication-methods/

They wouldn't listen to the fact that I was a genius,
The man said "We got all that we can use",
So I've got those steadily-depressin', low-down, mind-messin',
Working-at-the-car-wash blues.
-- Jim Croce