[Federal Register Volume 89, Number 93 (Monday, May 13, 2024)]
[Notices]
[Pages 41436-41438]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-10404]


=======================================================================
-----------------------------------------------------------------------

GENERAL SERVICES ADMINISTRATION

[Notice-IEB-2024-02; Docket No. 2024-0002; Sequence No. 20]


Privacy Act of 1974; System of Records

AGENCY: Office of IEB; General Services Administration (GSA).

ACTION: Notice of a modified system of records.

-----------------------------------------------------------------------

SUMMARY: Pursuant to the provisions of the Privacy Act of 1974, notice 
is given that the General Services Administration (GSA) proposes to 
modify an existing system of records, entitled Login.gov (GSA/TTS-1). 
GSA maintains this system of records to provide a secure sign-in 
service with the capability to authenticate and identity proof users 
before the user is granted access to participating government websites 
or applications.

DATES: Submit comments on or before June 12, 2024. Routine use ``f.'' 
will be effective June 12, 2024.

ADDRESSES: Comments may be submitted to the Federal eRulemaking Portal, 
http://www.regulations.gov. Submit comments by searching for GSA/TTS-1.

FOR FURTHER INFORMATION CONTACT: Call or email Richard Speidel, Chief 
Privacy Officer at 202-969-5830 and [email protected].

SUPPLEMENTARY INFORMATION: GSA proposes to modify a system of records 
subject to the Privacy Act of 1974, 5 U.S.C. 552a. GSA is modifying the 
categories of records in the system, routine uses of records maintained 
in the system, and the policies and practices for retention and 
disposal of records. This modification is intended to revise and 
replace all notices previously describing this system of records.
    GSA is also making technical changes to GSA/TTS-1 consistent with 
OMB Circular No. A-108. Accordingly, GSA has made technical corrections 
and non-substantive language revisions to the ``Policies and Practices 
for Storage of Records'' and ``Contesting Record Procedures'' sections.

SYSTEM NAME AND NUMBER:
    Login.gov, GSA/TTS-1

SECURITY CLASSIFICATION:
    Unclassified

SYSTEM LOCATION:
    General Services Administration owns Login.gov, which is housed in 
secure data centers in the continental United States. Contact the 
System Manager listed below for additional information.

SYSTEM MANAGER(S):
    Daniel Lopez-Braus, Director, Login.gov, TTS, Office of Solutions, 
General Services Administration, 1800 F Street NW, Washington, DC 
20405. https://www.login.gov.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    E-Government Act of 2002 (Pub. L. 107-347, 44 U.S.C. 3501 note), 6 
U.S.C. 1523 (b)(1)(A)-(E), and 40 U.S.C. 501.

PURPOSE(S) OF THE SYSTEM:
    The purposes of the system are:
     to provide a secure sign-in service with the capability to 
authenticate and identity proof users before the user is granted access 
to participating government websites or applications;
     to prevent fraud and to protect the integrity of the 
Login.gov system; and
     to conduct studies into enhancements to the secure sign-in 
service, including demographic studies of the equitable performance of 
new technologies.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Individuals covered by this system of records include members of 
the public seeking electronic access to a website or application from a 
Federal, State, or local agency that has integrated with Login.gov 
(``partner agency'') and participants in studies commissioned by GSA to 
evaluate equitable performance of new identity verification and fraud 
prevention technologies.

CATEGORIES OF RECORDS IN THE SYSTEM:
    The system contains information provided by individuals who create 
and use Login.gov accounts. There are two types of accounts in the 
Login.gov system: records related to the process of authenticating a 
Login.gov user's account, and records related to the process in which 
an individual's identity is verified.
    For accounts for which Login.gov is authenticating the user, the 
system collects and mai
     email address,
     password,
     and phone number (optionally).ntains:
    For remote (but not in-person) verification of accounts that 
require a verified identity, the system collects the following after 
each identity proofing transaction:
     photographs of their government-issued ID, to include all 
personal information and images on the ID; and
     a self-photograph of the user.
    ID card images and data collected from government-issued IDs are 
assessed to determine the document's authenticity as part of the 
identity verification process. Self-photographs of the user are only 
collected when partner agencies require verification by biometric 
comparison, a process that involves comparing the user's self-
photograph to the portrait on their government-issued ID.
    For all accounts that require a verified identity, the system 
collects and maintains:
     Social Security Number (SSN); and
     phone number or postal address.
    Each third-party identity proofing service will send information 
back to Login.gov about its attempt to identity proof the user, 
including:
     Transaction ID;
     pass/fail indicator;
     date/time of transaction; and
     status codes associated with the transaction data.
    Each partner agency whose services the user accesses via Login.gov 
may add its own unique identifier to that user's account information.
    To protect the public and the integrity of the system, Login.gov 
needs to detect and prevent fraud while providing redress to users who 
were unable to complete identity verification. To that end, Login.gov 
will also obtain a collection of information about the device (a 
``Device ID'') including, for example browser type and internet 
protocol (IP) address, and usage patterns (e.g., keyboard, mouse, or 
touchscreen behavior) used to access their Login.gov account. The 
Device ID and usage patterns are assessed by a third-party fraud 
prevention service along with the other information collected by 
Login.gov. The third-party fraud prevention services provide Login.gov 
risk scores for all of the information assessed, and also provide other 
identifying attributes that have been associated with that same Device 
ID in the past. Those identifying attributes include, but are not 
limited to, names, addresses, phone numbers, and SSNs that have been 
associated with the Device ID.
    Separate from Login.gov's active sign-on service, GSA may also 
conduct studies in which it temporarily collects information from 
voluntary participants

[[Page 41437]]

to evaluate the equitable performance of new technologies and guide 
service improvements. In addition to the categories of records 
previously described, collection of information for studies could 
include, but is not limited to:
     demographic information such as race, ethnicity, gender, 
income, age, and education.
    For further details about Login's data use and privacy policies, 
refer to the Login.gov Privacy Impact Assessment. https://www.gsa.gov/reference/gsa-privacy-program/privacy-impact-assessments-pia.

RECORD SOURCE CATEGORIES:
    The sources for information in the system include individual 
Login.gov users, participants in GSA-commissioned studies, third-party 
identity-proofing services, partner agencies, and third-party fraud 
prevention services. Individual users and research participants provide 
information needed to authenticate themselves, verify their identity, 
or voluntarily respond to research surveys. Each third-party identity 
proofing service provides transaction details about their attempt to 
identity proof a user. Partner agencies may provide their own unique 
identifier to that user's account information. Third party fraud 
prevention services provide risk scores and identity attributes 
associated with a user's Device ID.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    In addition to those disclosures generally permitted under 5 U.S.C. 
552a(b) of the Privacy Act, all or a portion of the records or 
information contained in this system may be disclosed to authorized 
entities, as is determined to be relevant and necessary, outside GSA as 
a routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:
    a. To the Department of Justice or other Federal agency conducting 
litigation or in proceedings before any court, adjudicative or 
administrative body, when: (a) GSA or any component thereof, or (b) any 
employee of GSA in his/her official capacity, or (c) any employee of 
GSA in his/her individual capacity where DOJ or GSA has agreed to 
represent the employee, or (d) the United States or any agency thereof, 
is a party to the litigation or has an interest in such litigation, and 
GSA determines that the records are both relevant and necessary to the 
litigation.
    b. To third parties providing remote or in-person authentication 
and identity proofing services, inclusive of other Federal agencies 
providing such services, as necessary to authenticate and/or identity 
proof an individual for access to a participating government website or 
application;
    c. To an appropriate Federal, State, Tribal, local, international, 
or foreign law enforcement agency or other appropriate authority 
charged with investigating or prosecuting a violation or enforcing or 
implementing a law, rule, regulation, or order, where a record, either 
on its face or in conjunction with other information, indicates a 
violation or potential violation of law, which includes criminal, 
civil, or regulatory violations and such disclosure is proper and 
consistent with the official duties of the person making the 
disclosure.
    d. To a Member of Congress or his or her staff in response to a 
request made on behalf of and at the request of the individual who is 
the subject of the record.
    e. To the Office of Management and Budget (OMB), Office of 
Inspector General (OIG), and the Government Accountability Office (GAO) 
in accordance with their responsibilities for evaluation or oversight 
of Federal programs.
    f. To compare such records to other agencies' systems of records or 
to non-Federal records, in coordination with an OIG in conducting an 
audit, investigation, inspection, evaluation, or some other review as 
authorized by the Inspector General Act.
    g. To an expert, consultant, or contractor of GSA in the 
performance of a Federal duty to which the information is relevant and 
necessary.
    h. To the National Archives and Records Administration (NARA) for 
records management inspections conducted under authority of 44 U.S.C. 
2904 and 2906.
    i. To appropriate agencies, entities, and persons when (1) GSA 
suspects or has confirmed that there has been a breach of the system of 
records; (2) GSA has determined that as a result of the suspected or 
confirmed breach there is a risk of harm to individuals, GSA (including 
its information systems, programs and operations), the Federal 
Government, or national security; and (3) the disclosure made to such 
agencies, entities, and persons is reasonably necessary to assist in 
connection with GSA's efforts to respond to the suspected or confirmed 
breach or to prevent, minimize, or remedy such harm.
    j. To another Federal agency or Federal entity, when GSA determines 
that information from this system of records is reasonably necessary to 
assist the recipient agency or entity in (1) responding to a suspected 
or confirmed breach or (2) preventing, minimizing, or remedying the 
risk of harm to individuals, the recipient agency or entity (including 
its information systems, programs, and operations), the Federal 
Government, or national security, resulting from a suspected or 
confirmed breach.
    k. To the Government Publishing Office (GPO), when Login.gov needs 
to mail a user an address confirmation form or if a user requests 
mailed notifications of account changes or of proofing attempts.
    l. To other Federal agencies and third-party fraud prevention 
services as necessary to detect and investigate suspected fraud, 
including providing redress to users.
    m. To third-party identity proofing services and fraud prevention 
services when participating in studies commissioned by the GSA to 
evaluate the equitable performance of new technologies and guide 
service improvements.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    All records are stored electronically in a database. Information is 
encrypted in transit and at rest.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Records retrieval practices vary based on the type or category of 
record in the system.
    a. When a user logs in, Login.gov retrieves their email and phone 
number (if provided) to send the user a one-time passcode.
    b. When a user accesses a participating government website or 
application that requires the user's identity attributes, the following 
retrieval practice occurs:
    i. The user successfully logs into their account (enabling 
decryption and retrieval of certain records);
    ii. Login.gov decrypts and retrieves the user's verified personal 
information (full name, date of birth, postal address, and Social 
Security Number); and
    iii. Login.gov requests that the user provide consent to share the 
personal information requested by the participating government site.
    c. When a user with verified identity is recovering access to their 
account, the following retrieval practice occurs:
    i. The user successfully authenticates their account when 
requesting to reset their Login.gov password;
    ii. The user provides their personal recovery code (enabling 
decryption and

[[Page 41438]]

retrieval of the records) and selects a new password;
    iii. Login.gov retrieves the user's verified personal information 
(full name, date of birth, postal address, and Social Security Number);
    iv. These attributes are then encrypted with the user's new 
password.
    d. When Login.gov is performing fraud investigation and redress, 
the following retrieval practices occur:
    i. Only trained Login.gov fraud operations personnel have access to 
records maintained specifically for fraud prevention purposes. This 
includes Device IDs and usage patterns associated with personal 
identifiers and risk scores as described in the Categories of Records 
in the System.
    ii. Login.gov fraud operations personnel retrieve personal 
information (full name, date of birth, postal address and Social 
Security Number) from third-party identity proofing services while 
completing a manual review of a user's identity proofing transaction.
    e. When GSA is conducting studies into enhancements to the secure 
sign-in service, data from voluntary participants' surveys and 
identity-proofing transactions are retrieved by GSA and third-party 
contractors to conduct statistical analysis of the performance of new 
technologies. Data from Login.gov' s active service is not retrieved 
during these studies.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    Retention and disposal policies and practices vary based on the 
type or category of record in the system.
    a. Records related to active user authentication and validated user 
identities will be retained and disposed of in accordance with NARA's 
General Records Schedule (GRS) 3.2, item 30 ``System access records'' 
covering records such as user profiles, log-in files, password files, 
audit trail files and extracts, system usage files, and cost-back files 
used to assess charges for system use.'' The guidance instructs, 
``Destroy when business use ceases.''
    b. Records related to identity verification attempts, including 
personal information entered by the user, may be retained by Login.gov 
in accordance with NARA's General Records Schedule (GRS) 3.2, item 30 
to aid in fraud investigation, redress, or product improvement.
    c. Records related to fraud prevention operations, such as Device 
IDs and user behaviors with associated identity attributes and risk 
scores, are maintained by a third party on behalf of GSA for up to 
three years.
    d. For studies commissioned by GSA, third-party proofing services 
will discard any information collected within 24 hours of collection. 
GSA will maintain the information for the duration of the study after 
which it will be preserved for 6 years as required by the GSA's 
retention schedule for Customer Research and Reporting Records, DAA-
0269-2016-0013-0002.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    Records in the system are protected from unauthorized access and 
misuse through a combination of administrative, technical, and physical 
security measures. Administrative measures include but are not limited 
to policies that limit system access to individuals within an agency 
with a legitimate business need, and regular review of security 
procedures and best practices to enhance security. Technical security 
measures within GSA include restrictions on computer access to 
authorized individuals, required use of passphrases and regular review 
of security procedures and best practices to enhance security. Access 
to the Login.gov database is maintained behind an industry-standard 
firewall and information in the database is encrypted. As noted above, 
other than email address, neither the system nor the system operators 
can retrieve the user's personal account information without the user 
supplying a password or recovery code. Trained and cleared Login.gov 
fraud operations personnel are able to cross-reference personal 
information used by third party or Federal agency identity proofing 
services to validate a user's identity attributes as part of a manual 
review of identity proofing transactions. Records related to studies 
are kept separate from records related to Login.gov 's active users.

RECORD ACCESS PROCEDURES:
    If an individual wishes to access any data or record pertaining to 
him or her in the system after it has been submitted, that individual 
should consult the GSA's Privacy Act implementation rules available at 
41 CFR part 105-64.2.

CONTESTING RECORD PROCEDURES:
    During identity proofing, an individual can use the Login.gov fraud 
operations redress mechanism to contest records used by third party 
identity proofing services. After identity proofing or participating in 
a study, individuals wishing to contest the content of records about 
themselves contained in this system of records should contact the 
system manager at the address above. See 41 CFR part 105-64, subpart 
105-64.4 for full details on what to include in a Privacy Act amendment 
request.

NOTIFICATION PROCEDURES:
    If an individual wishes to be notified at his or her request if the 
system contains a record pertaining to him or her after it has been 
submitted, that individual should consult the GSA's Privacy Act 
implementation rules available at 41 CFR part 105-64.4.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    This system was previously published in the Federal Register: 82 FR 
6552; 82 FR 37451; 87 FR 70819.

Richard Speidel,
Chief Privacy Officer, Office of the Deputy Chief Information Officer, 
General Services Administration.
[FR Doc. 2024-10404 Filed 5-10-24; 8:45 am]
 BILLING CODE 6820-AB-P