Last month, news that the IRS has started requiring people who want to set up an account to go through a private company called ID.me created an uproar. What it means is that when dealing with the IRS you may be forced to run a time-consuming, inaccessible, and privacy-invasive gauntlet in the name of “identity verification.” And the IRS is just the latest government agency to place this company as a gatekeeper between itself and the public it’s supposed to serve. During the pandemic, at least 27 U.S. states started using ID.me’s service to verify identity for access to unemployment benefits. The company is also being used by other federal agencies such as the Department of Veteran’s Affairs and the Social Security Administration.
The Treasury Department is reportedly reconsidering the IRS contract, and we strongly urge them to abandon their plans to use ID.me, as should the states that are using it. The ACLU has been working with some of our state affiliates to gather more information about the role of this company in the states via public records requests. We’re still gathering information, but what is already abundantly clear is that the system is beset with privacy and equity problems. We think there are three key problems with relying on ID.me that policymakers need to recognize.
1. The lack of accessible offline options
One problem is ID.me’s lack of accessibility and the barriers that creates for people on the wrong side of the digital divide. Using the service requires uploading government identification documents and taking a live selfie, which means you need an internet-connected device with a camera (no desktop computers that lack webcams). If someone is unable to verify their identity through the automated process, as apparently occurs often, they must go through a live virtual interview with ID.me. That requires a strong enough internet connection to transmit live video, and time to spare. Users of the service report having to wait in a virtual queue for the interview for hours, only to be booted out of line when internet connections fail. This especially disadvantages Latinx, Black, Indigenous, and rural households, which are less likely to have reliable broadband access.
Even worse, many states using ID.me to vet unemployment insurance recipients don’t give people an alternative, offline means of doing business or provide extremely limited offline alternatives, forcing people to use ID.me if they want the government benefits they’re entitled to. It seems likely such problems will worsen as government agencies increasingly move business online.
We should make a commitment as a society to preserve offline ways of doing business. Just as people should have a right to physical and not just digital identity documents, so too should people have a right to do business by mail or in person. And people need not just offline alternatives, but meaningful ones — a single office across the state doesn’t cut it. The IRS and other government agencies have been doing business for more than a century without the need for high-bandwidth video chats; people should have alternatives today.
2. Outsourcing a core government function
Even if you do have reliable internet access, that’s no guarantee that the ID.me system will work. ID.me appears to be nearly universally reviled by users for its poor service and difficult verification process. But this is not a problem of one badly managed company; the problem is structural. A for-profit company is always going to short-change service when the people it serves aren’t its customers. A private company has an incentive not to do extra work even where that’s required for fairness and equity, and it’s exempt from the checks and balances that apply to government such as public records laws or privacy laws specifically applicable to government agencies.
Outsourcing this function also creates privacy problems. ID.me collects a rich stew of highly sensitive personal information about millions of Americans, including biometric data (face and voice prints), government documents, and things like your social security number, military service record, and data from “telecommunications networks, credit card bureaus, [and] financial institutions.” That information will be retained for up to seven and a half years after a person closes their account. The company promises it won’t share personal information with third parties — but reserves a number of exceptions, like voluntarily complying with law enforcement requests that are “not prohibited by law.” The company’s typically dense privacy policy makes it hard to know just what they consider themselves entitled to do with people’s data, and states may or may not choose to add additional privacy protections in their contracts with ID.me. But any pool of information that sensitive will always pose temptations for for-profit entities — and for malicious hackers who see a valuable honeypot ready to be raided.
Government agencies are also susceptible to hackers, of course, but there are great efforts underway to improve their security and they are subject to far more oversight than an up-and-coming Virginia tech company. The IRS already holds enormous troves of sensitive data about Americans and is constrained by strict laws ensuring their confidentiality. Companies like ID.me, meanwhile, are barely regulated at all.
3. Biased biometrics that aren’t subject to independent audits
Another big issue with ID.me is its use of face recognition, which the company uses to decide whether your selfie matches your identity documents. Face recognition is generally problematic; it is often inaccurate and has differential error rates by race and gender, which is unacceptable for a technology used for a public purpose. ID.me claims the face recognition algorithm it uses for these one-to-one identity verifications has “no detectable bias tied to skin type” — but we have no choice but to take the company’s word on this because it is not subject to the transparency requirements of a government agency.
In addition, after claiming for months that it used face recognition only for one-to-one image comparisons, the company last week admitted that it also performs “one-to-many” searches against some larger database of other photographs it holds. Even the CEO previously admitted that kind of search was “more complex and problematic.” The revelation raises numerous questions. How is that one-to-many facial recognition match being conducted? Are they doing a broader search for duplicate applicants among the millions of photos the company now holds (which would greatly increase error rates)? Or is the company maintaining some internal ban list of suspected wrongdoers (which would also raise due process questions)? Or something else? What are the error rates for these one-to-many searches? Do they differ by race and gender? And what standards is ID.me using to determine whether there is a match and when to alert law enforcement for what it thinks may be fraud? Law enforcement uses of one-to-many facial recognition has already lead to people — especially Black people for whom the technology is particularly inaccurate — being wrongly accused and arrested.
People should not have to be subjected to a private company’s dragnet to access government services. More broadly, no biometric technology should be used unless its use in real-world conditions is subject to regular and open auditing by an independent party and found to be accurate, accessible, and free of bias. And the federal government shouldn’t give money to the states for purchasing biometric technology without that kind of auditing. Many of the states using ID.me for unemployment insurance have done so using federal funds.
There is no reason that we can’t have non-biased identity proving systems that protect our privacy, lessen fraud, and make things easy for users. But such systems shouldn’t be run by private companies, shouldn’t be exclusively online, and need to be closely audited. The solution to the security problems created by moving online cannot be a discriminatory system that further erodes privacy and exacerbates the harms of the digital divide.