A quickly expanding identity verification system used by an estimated 85 million Americans may soon require its users to give the federal government a photo of their face. We must make sure this program is subject to more public scrutiny and congressional oversight — before anonymity becomes a thing of the past.

Americans are increasingly required to use a congressionally mandated single sign-on platform, known as Login.gov, to verify their identities in order to access federal agencies’ websites for benefits and services. Proponents say Login.gov reduces fraud, saves time for users, and cuts costs. But the facial recognition technology (FRT) the government plans to use needs more regulation to protect privacy and civil liberties, experts warn.

Login.gov is in use across 15 federal agencies, including for accessing Social Security, health records and Trusted Traveler programs. The General Services Administration (GSA), which runs Login.gov, plans this year for “fuller expansion across states and localities.”

Also this year, Login.gov will start offering facial recognition to enhance the security of its identity verification (to check that an impostor isn’t presenting someone else’s ID). Although Login.gov will offer alternatives to a face scan via a video chat with a live agent or visiting the post office, many will feel compelled to just take a selfie for convenience.

When the Internal Revenue Service tried to require facial recognition for taxpayers to access accounts in 2022 using private contractor ID.me for identity verification, it met with bipartisan backlash and halted the requirements. As The Washington Post reported: “researchers and privacy advocates … say they worry about how Americans’ facial images and personal data will be safeguarded in the years to come. There is no federal law regulating how the data can be used or shared.”

And when I tried to log into my IRS account recently, ID.me required a selfie. The webpage didn’t mention other options.

In government-run Login.gov’s case, privacy law bars federal agencies from sharing information with each other, but there are exceptions, such as for law enforcement and a loophole for “routine use.”

A study on FRT released this month by the National Academies of Sciences, Engineering, and Medicine, sponsored by the U.S. Department of Homeland Security and the Federal Bureau of Investigation, recommends: “New legislation should be considered to address equity, privacy, and civil liberties concerns raised by FRT, to limit harms to individual rights by both private and public actors, and to protect against its misuse.” It also recommends an executive order on FRT’s use by federal departments.

FRT “can allow repressive regimes to create detailed records of people’s movements and activities,” the study warns.

We don’t currently live in such a regime, but Americans might be wary of the federal government matching their name to their photo with much greater ease, stripping their anonymity. Americans have to be able to trust Login.gov, especially as it would be a hacking target for criminals or foreign governments. 

Congress must oversee which agencies opt into using FRT and evaluate whether less invasive verification methods suffice. Americans also deserve a smooth rollout of any system without long wait times. 

Thus far, the GSA has not instilled confidence. In a 2023 report, it was found to have misled other agencies by stating that Login.gov met identity verification standards it had not.

Congress needs to oversee this massive program while we still have some privacy.