- The IRS could soon require anyone logging into IRS.gov to use ID.me to verify their identity.
- Privacy experts and civil-rights advocates worry ID.me will share its data trove with authorities.
- IRS evaluation of ID.me “really isn’t being done appropriately,” one expert said.
Samir Jain, director of policy for the Center for Democracy & Technology, told Insider that the way ID.me talks about law-enforcement compliance is broader than other companies and implies that ID.me can and will comply with police requests voluntarily, even when it’s not strictly required by law or court order.
Patrick Dorton, who works for a PR firm ID.me hired, said biometric data “is not shared with the IRS or any government agencies absent the receipt of a subpoena or as part of an investigation into an identity theft or fraud case only at the specific agency where the ID.me account was involved.”
He did not address several specific questions from Insider, including under what circumstances ID.me would push back against a law-enforcement request like a subpoena, how many times ID.me has complied with law-enforcement requests, and whether ID.me would push back on a hypothetical request from Customs and Border Protection for the data of all ID.me users who are inferred noncitizens.
There are US laws that limit the collection of personal data in certain circumstances. One federal law prevents the Department of Homeland Security from routinely accessing people’s tax returns.
Jay Stanley, a senior policy analyst for the American Civil Liberties Union, told Insider that this law — Title 26, Section 6103 of the Internal Revenue Code — generally applies to information submitted to the IRS as part of the tax-filing process.
But ID.me technically isn’t part of the tax-filing process. Rather, it would act as an identity confirmation tool for logging into an IRS.gov account. This could lead the DHS to believe that ID.me isn’t subject to the law.
“Ideally, the law would cover the biometric data and other personal information collected by ID.me, and generally prevent that information from being disclosed to a law enforcement agency like DHS,” Stanley said. “It’s not completely clear to me that it does. And consequently, it likely means that DHS would interpret it as not covering this particular information.” DHS did not respond to a request for comment on Thursday.
The IRS code has exemptions that allow DHS agencies to access people’s tax-return information but only under extreme conditions, such as a person under investigation for tax fraud.
A 2018 letter from the ACLU to the Social Security Administration argued that “immigration enforcement” isn’t a legal exemption that would permit sharing data with DHS. “The strict confidentiality of tax returns and related return information is critical to encourage and ensure public compliance with the federal tax laws,” the letter said.
The IRS spokesperson Robert Marvin said a lack of funding for IT modernization has made it impossible for the IRS to invest in state-of-the-art technology.”
“The IRS today uses third-party service providers to validate the identification of individuals attempting to improperly gain access to taxpayer accounts,” Marvin added in a statement that he asked to be attributed to the US Treasury Department. “This includes ID.me, which is compliant with the National Institute of Security Technology standards and used by multiple agencies across the government.”
The Treasury Department recently said it was looking into alternatives to ID.me for the IRS after a Bloomberg reported that some people have been unable to get unemployment benefits due to problems using ID.me’s service. A Cyberscoop article also showed that ID.me misrepresented how it uses facial recognition. The company claimed to do one-to-one face matching, such as determining whether a selfie matches a driver’s license provided by a user. In fact, it uses a method known as one-to-many matching, which compares images to a stored database of photos, but ID.me hasn’t disclosed how many images it has or how it got them.
“We shouldn’t be required to trust that ID.me will push back on those kinds of requests if they receive them,” said Scott from the Electronic Privacy Information Center. It’s critical for government agencies to evaluate any company they may work with, especially what data the company is getting, and how it can use or disclose that information, he added.
The IRS’ evaluation of ID.me “really isn’t being done appropriately,” Scott said.
Got a tip? Contact this reporter at firstname.lastname@example.org or email@example.com, or via secure messaging app Signal at +1 (785) 813-1084. Reach out using a non-work device. Check out Insider’s source guide for other suggestions on how to share information securely.