GSA's proposed digital-certificate program draws fire

The General Services Administration is finding it difficult to generate interest among agencies and vendors for a program that would provide identity verification so that the public could access data at or send information to agencies. The Access Certificates for Electronic Services (ACES) project, which was once scheduled for award this past January but has been delayed, has also drawn fire from consumer and privacy groups that argue the project would create a centralized storage mechanism for personal information about citizens.

The draft solicitation for ACES calls for commercial vendors to provide identity verification and registration services for agencies, businesses and the general public. Under the program, GSA plans to award multiple contracts to vendors to issue certificates that could be used by citizens to access or provide data to agencies. The certificates would contain digital signatures, which are codes attached to electronically transmitted information that verify the identity of the sender. Digital signatures are key to secure electronic commerce.

But vendors argue that burdensome policy requirements and the cost of the program may impede its success. As it is structured now, ACES resembles a "government off-the-shelf program," rather than one designed to harness the power of commercial off-the-shelf products, because of massive policy requirements, said an industry source who asked not to be identified.

"Through a set of negotiated bilateral discussions with federal agencies, [GSA has] had to capitulate and accommodate every individual thumb in the pie, which set [the agency] off track," the source said.

In addition, agencies may not be interested in the project, the source added.

GSA has not announced any agencies that have committed to using ACES, and several likely candidates such as the Internal Revenue Service and the Defense Department have launched their own public-key infrastructure efforts, the source said. "The solicitation as currently developed really does not have a minimum threshold of business that would entice [our company] to stay involved."

Judith Spencer, director of GSA's Center for Governmentwide Security, said GSA officials still are talking to agencies and cannot publicly release any confirmed customers for ACES.

Another vendor source, who also requested anonymity, said that while the solicitation requires a firm, fixed price, it also requires contractors to accommodate changes in individual agency requirements, federal standards or technology features without changing the price of the service. "They've made it very unattractive from a business standpoint," the second source said.

Public Groups Speak Out

Public interest groups also have criticized ACES. The Center for Democracy and Technology has criticized ACES for allowing the government to collect and store data about individuals' identity and activities, said Ari Schwartz, a policy analyst at the center. The project also has the potential to create a de facto "national identification card" for all interaction with the government, Schwartz added.

In a June 4 letter to CDT, in which it responded to CDT's concerns, GSA Associate Administrator G. Martin Wagner said the public is entitled to anonymity when communicating with the government unless identity is required, such as when a user is obtaining benefits information. GSA also plans to add requirements to ACES advising that agencies seek the guidance of their designated privacy officers before using ACES, according to the letter.