As part of their efforts to stem the massive amounts of tax fraud we have seen over the last few years, the Internal Revenue Service (IRS) introduced a new requirement for managing your tax records online. However, they are now backing off from having taxpayers log in to their IRS accounts through ID.me, a private identity verification service still used by 27 states to screen for thieves attempting to claim benefits in another person’s name.
What could go wrong with a private company storing identity data for millions of Americans? Well, it turns out a lot can go wrong. Setting up an account can take hours and requires that taxpayers submit a large number of documents that will reside in the ID.me databases and may even require that they take a video selfie. Some people are concerned that the facial recognition used in some parts of the verification is not accurate, especially when it comes to identifying darker-skinned people. And might a data base of personal information from millions of Americans be a target of hackers?
Security expert Brian Krebs detailed his experience setting up an account with ID.me. The short version of his story is that it took several hours to complete the process, and he had to start over multiple times (including uploading his personal documents again each time he restarted the process).
In response to complaints from privacy advocates, politicians and others, on February 7, 2022 the IRS announced that they were moving away from using a third-party solution to authenticate user accounts, According to a press release, “During the transition, the IRS will quickly develop and bring online an additional authentication process that does not involve facial recognition. The IRS will also continue to work with its cross-government partners to develop authentication methods that protect taxpayer data and ensure broad access to online tools.”
The Surveillance Technology Oversight Project, a digital rights advocacy group, applauded the change and called on other agencies to follow the lead of the IRS. “When government agencies use this technology, it’s a question of when, not if, this biometric data is hacked, leaked or misused,” said the group’s executive director, Albert Fox Cahn.
Although the IRS is not going to require the use of ID.me, it is still used by 27 states for persons trying to claim unemployment benefits. The question now is if there will be pressure for those states to drop ID.me and go to another method of protecting personal information.