Senators Urge FTC to Probe ID.me Over Selfie Data – Krebs on Security

2022-05-21 15:17:49 By : Mr. Sam Lee

Some of the more tech-savvy Democrats in the U.S. Senate are asking the Federal Trade Commission (FTC) to investigate identity-proofing company ID.me for “deceptive statements” the company and its founder allegedly made about how they handle facial recognition data collected on behalf of the Internal Revenue Service, which until recently required anyone seeking a new IRS account online to provide a live video selfie to ID.me.

In a letter to FTC Chair Lina Khan, the Senators charge that ID.me’s CEO Blake Hall has offered conflicting statements about how his company uses the facial scan data it collects on behalf of the federal government and many states that use the ID proofing technology to screen applicants for unemployment insurance.

The lawmakers say that in public statements and blog posts, ID.me has frequently emphasized the difference between two types of facial recognition: One-to-one, and one-to-many. In the one-to-one approach, a live video selfie is compared to the image on a driver’s license, for example. One-to-many facial recognition involves comparing a face against a database of other faces to find any potential matches.

Americans have particular reason to be concerned about the difference between these two types of facial recognition, says the letter to the FTC, signed by Sens. Cory Booker (D-N.J.), Edward Markey (D-Mass.), Alex Padilla (D-Calif.), and Ron Wyden (D-Ore.):

“While one-to-one recognition involves a one-time comparison of two images in order to confirm an applicant’s identity, the use of one-to-many recognition means that millions of innocent people will have their photographs endlessly queried as part of a digital ‘line up.’ Not only does this violate individuals’ privacy, but the inevitable false matches associated with one-to-many recognition can result in applicants being wrongly denied desperately-needed services for weeks or even months as they try to get their case reviewed.”

“This risk is especially acute for people of color: NIST’s Facial Recognition Vendor Test found that many facial recognition algorithms have rates of false matches that are as much as 100 times higher for individuals from countries in West Africa, East Africa and East Asia than for individuals from Eastern European countries. This means Black and Asian Americans could be disproportionately likely to be denied benefits due to a false match in a one-to-many facial recognition system.”
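The two approaches the letter contrasts use the same comparison primitive; what changes is how many templates each applicant's selfie is scored against, and that multiplies the exposure to false matches. The following is an added illustration, not code from the article or from ID.me: real systems extract a template (the "face geometry" data) from a photo with a neural network, whereas here the templates are constructed random unit vectors, and the dimension, the similarity threshold and the per-comparison false match rates are assumed values chosen only to show the arithmetic (the 100x ratio between groups is the figure the senators cite from NIST, not a measurement of any vendor).

```python
"""Same comparison, different exposure: 1:1 verification vs 1:N search.

Added example, not code from ID.me or from the article. Real systems
derive a template ("face geometry") from a photo with a neural network;
here templates are constructed random unit vectors so the example runs
offline, and DIM, THRESHOLD and the false-match rates are assumed values.
"""
import math
import random

DIM = 128          # assumed template length
THRESHOLD = 0.80   # assumed cosine-similarity cut-off for "same person"


def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return dot / (na * nb)


def random_template(rng):
    """Constructed stand-in for one enrolled person's face template."""
    v = [rng.gauss(0.0, 1.0) for _ in range(DIM)]
    n = math.sqrt(sum(x * x for x in v))
    return [x / n for x in v]


def recapture(template, rng, noise=0.3):
    """Constructed stand-in for a second photo (a selfie) of the same person."""
    return [x + rng.gauss(0.0, noise / math.sqrt(DIM)) for x in template]


def one_to_one(probe, reference, threshold=THRESHOLD):
    """Verification: does the selfie match the one document photo?"""
    return cosine(probe, reference) >= threshold


def one_to_many(probe, gallery, threshold=THRESHOLD):
    """Identification: every enrolled template is queried for this probe.
    Returns (index, similarity) for each candidate at or over the threshold,
    best match first."""
    hits = [(i, cosine(probe, t)) for i, t in enumerate(gallery)]
    return sorted(((i, s) for i, s in hits if s >= threshold),
                  key=lambda h: h[1], reverse=True)


def false_match_probability(fmr, gallery_size):
    """P(at least one false match) for one probe scored against gallery_size
    templates, with independent per-comparison false match rate fmr."""
    return 1.0 - (1.0 - fmr) ** gallery_size


def expected_false_matches(fmr, gallery_size, probes):
    """Mean number of innocent people wrongly flagged across all searches."""
    return fmr * gallery_size * probes


def demo():
    rng = random.Random(7)                      # fixed seed: deterministic run
    gallery = [random_template(rng) for _ in range(500)]
    genuine = 42
    probe = recapture(gallery[genuine], rng)    # the applicant's selfie
    hits = one_to_many(probe, gallery)
    return {
        "verified": one_to_one(probe, gallery[genuine]),
        "impostor": one_to_one(probe, gallery[0]),
        "candidates": [i for i, _ in hits],
        # Same per-comparison rate; one comparison vs a million:
        "p_false_1": false_match_probability(1e-6, 1),
        "p_false_1M": false_match_probability(1e-6, 1_000_000),
        # Assumed rates differing 100x between two groups, 1,000 applicants
        # each searched against a 1M-template gallery:
        "flags_group_a": expected_false_matches(1e-5, 1_000_000, 1_000),
        "flags_group_b": expected_false_matches(1e-3, 1_000_000, 1_000),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point to take from the numbers rather than the vectors: a per-comparison false match rate that is negligible for a single document-to-selfie check becomes near-certain once the same selfie is scored against a gallery of a million, and a group whose per-comparison rate is 100 times higher sees 100 times as many wrongful flags from the identical pipeline.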

The lawmakers say that throughout the latter half of 2021, ID.me published statements and blog posts stating it did not use one-to-many facial recognition and that the approach was “problematic” and “tied to surveillance operations.” But several days after a Jan. 16, 2022 post here about the IRS’s new facial ID requirement went viral and prompted a public backlash, Hall acknowledged in a LinkedIn posting that ID.me does use one-to-many facial recognition.

“Within days, the company edited the numerous blog posts and white papers on its website that previously stated the company did not use one-to-many to reflect the truth,” the letter alleges. “According to media reports, the company’s decision to correct its prior misleading statements came after mounting internal pressure from its employees.”

Cyberscoop’s Tonya Riley published excerpts from internal ID.me employee Slack messages wherein some expressed dread and unease with the company’s equivocation on its use of one-to-many facial recognition.

In February, the IRS announced it would no longer require facial scans or other biometric data from taxpayers seeking to create an account at the agency’s website. The agency also pledged that any biometric data shared with ID.me would be permanently deleted.

But the IRS still requires new account applicants to sign up with either ID.me or Login.gov, a single sign-on solution already used to access 200 websites run by 28 federal agencies. It also still offers the option of providing a live selfie for verification purposes, although the IRS says this data will be deleted automatically.

Asked to respond to concerns raised in the letter from Senate lawmakers, ID.me instead touted its successes in stopping fraud.

“Five state workforce agencies have publicly credited ID.me with helping to prevent $238 billion dollars in fraud,” the statement reads. “Conditions were so bad during the pandemic that the deputy assistant director of the FBI called the fraud ‘an economic attack on the United States.’ ID.me played a critical role in stopping that attack in more than 20 states where the service was rapidly adopted for its equally important ability to increase equity and verify individuals left behind by traditional options. We look forward to cooperating with all relevant government bodies to clear up any misunderstandings.”

As Cyberscoop reported on Apr. 14, the House Oversight and Reform Committee last month began an investigation into ID.me’s practices, with committee chairwoman Carolyn Maloney (D-N.Y.) saying the committee’s questions to the company would help shape policy on how the government wields facial recognition technology.

A copy of the letter the senators sent to the FTC is here (PDF).

This entry was posted on Wednesday 18th of May 2022 12:55 PM

ID.me is a trusted VA partner and 1 of only 4 Single Sign-On providers that meet the U.S. government’s most rigorous requirements for online identity proofing and authentication. ID.me provides the strongest identity verification system available to prevent fraud and identity theft. Feb 18, 2022

Privacy And Security On VA.gov | Veterans Affairs https://www.va.gov/resources/privacy-and-security-on-vagov/

This function should have been performed by Login.gov, even if an extension of their capabilities was required, instead of IRS lazily giving the contract to ID.me.

Correcting my typo: VA and IRS

Long past time for all these systems to be communized on a common platform with best practices across the board and a robust update and maintenance program.

Seems better to have a single point of failure, that failure mitigated by investment in heavy monitoring and maintenance, than a thousand different systems half-assedly maintained and user unfriendly.

ID.me is not a reputable company participating in forced/coerced experimental drugs including the covid19 vaccine.

Another conspiracy QAnon nut

Hahah – another double-masked moron heard from

covid vax is fully approved now, not emergency.

Maybe the evaluation criteria need to be expanded.

Are you a press release?

Unless, of course, the user is black or Asian.

Claiming to prevent fraud while also committing it… The (alleged) hypocrisy here is indefensible. Particularly in a role as a validator of identity and trust, and even more so when in support of government services, the organizational and process integrity must be fully transparent and of the highest ethical standards.

What a scam! The price of getting access to your government in the form of the IRS is a digital shakedown with no reasonable limit to how that access can be denied by these very “righteous” business persons just trying to make a compulsory buck out of the public.

The way I found out about this group of “entrepreneurs” is by following up on a notice from the IRS that someone had filed for a tax refund under my name. But this group of “wise persons”, in the name of patriotism and making a buck, were placed as gatekeepers on behalf of the IRS. Until ID.Me was satisfied in their own way with required scan quality, they assured me that I would be unable to find out what the IRS notice was all about.

Big brother is so wonderful, especially when supported by the righteous patriots scamming new technology gimmicks to “save taxpayers resources”. Like expenditures for federal employees that can answer a phone and various relevant questions about the notices that the IRS itself actually sends out.

The bigger question on this:

1. What do they do with this data?
2. How are we guaranteed that this data isn’t leaked?
3. What happens to the business if it does get leaked? (Do we get the CEO thrown in jail?) What’s their incentive to actually do a good job with this?
4. What assurances (and protection for assurances) do we get to force them to wipe our personal data?
4.1 What is the evidence that is given to demonstrate that they don’t have it?
5. What happens to the derivative data from this? I.e. face geometry?
6. Who do they sell the data to? (In the US it’s probably unreasonable to ask who they might sell it to... it’s probably safe to assume they already have.)

There’s an interesting contradiction here in their privacy policy https://www.id.me/privacy which states: “10. Additional Information If You Are Located In California. Residents of California. Pursuant to the California Consumer Privacy Act of 2018 (CCPA), residents of California are entitled to additional rights and disclosures regarding their Personal Information. Please see our Notice to California Residents for additional information regarding these disclosures and how to exercise your rights.”

So to get the data at https://account.id.me/california you are told: “You’ll need to verify your personal information in order to continue with the request. We do not hold information on users who do not have an account with ID.me.”

If there is photo matching for new applications, then clearly they DO hold information on users who do not have an account with ID.me.

No, they would get the photo at time of application from public domains.

As always, appreciate these articles. I’m also extremely frustrated in general with how the average American’s privacy is often an afterthought. My question is why the entire Senate hasn’t signed this letter? Why only four?

Because the others don’t think it matters, having adopted a millennial-style attitude that a person’s privacy is an outdated and over-rated commodity.

And perhaps because they know it’s a can of worms they don’t want to touch once they begin to explain how ignorant they really are

You can tell when they try to avoid the issue by insinuating that they must have missed that particular memo while being busy doing adult things…

“NIST’s Facial Recognition Vendor Test found that many facial recognition algorithms have rates of false matches that are as much as 100 times higher for individuals from countries in West Africa, East Africa and East Asia than for individuals from Eastern European countries.” – Isn’t this like saying that NTSB found that many cars aren’t that safe? What specific algorithm is being used by ID.me and what is that false rate?

It says a bit more than that, even without any concrete numbers. It says the software was written to recognize white faces, and thus white Americans have more access to the IRS than other Americans. That’s pretty obviously a problem, even without any algorithms or rate numbers.

It says more, even without information on the algorithm and specific rate numbers. It says that the software recognizes white faces best and thus white Americans have better access to the IRS than Black and Asian Americans. That’s a problem, even without knowing the specifics.

I refreshed, honest! Sorry for the double post.

“Oh, we can’t tell you _that_. That’s company IP.”

The federal government is constantly described as incompetent for not stopping a certain level of criminality that occurs in any federal program. If they chose to do what it takes to stop that criminality, they would be described as orwellian for demanding clear and visible photos from the entire population that they could use for training data (like passports use, for example). So the best they have to train on is whatever they can get in publicly available databases, and probably some private social media data. That data has biases. But the situation the feds are in has more to do with the various competing interests who curiously seem to be populated by the same people who simply enjoy whining about ‘tha gubmint’.

It was wrong to lie about it, and even though it can be problematic for some, I still think one-to-many facial recognition is something that is needed. Millions of dollars have been recovered from arrested fraudsters, which would otherwise be left to taxpayers.

One-to-one isn’t going to stop fraud, as anyone can get a fake ID that is convincing when photocopied. You have to check an applicant’s face against many people who have already applied so you can see if it could be the same person making multiple claims over and over again.

1. Consider the massive incentives — financial and reputational — to fudge statements about these policies. The public might be reassured that “your facial image” (or “the image you upload”, and so on) won’t be compared with another. However, every firm in this space would scan and extract the facial geometry data. They don’t compare your “face” — they compare that derived data. They can honestly say “We’ve deleted all images” and still do all the same searches! Yes, that would be deeply dishonest — but it’s the kind of mental gymnastics bad actors employ when they get caught out of bounds. All the assurances in the world won’t matter if they’re couched in deniability.

2. That internal Slack channel’s gonna have some new use policies by later today, don’t ya think?

I would be fine with someone keeping my “facial geometry”. I think if people saw the raw biometric data and how it doesn’t look like a face, they would not be freaked out nearly as much.

There are obvious problems which act to coerce persons such as taxpayers to use this system. A recent notice from the IRS stated that another person had filed for a tax refund under my name, with no further information. In order to find out simply what the issues were and whether I needed to reply in any formal way, the IRS claimed that I had to submit an acceptable scan involving equipment capable of doing this, then wait for approval from ID.Me prior to gaining access to the IRS simply to ask them what their notice was about. ID.Me was not cooperative or easy to deal with. This is just a suggestion of how this system will be used to replace employees actually able to make sense of the IRS system to the public. Although I tried to complete the scan process, after much effort there was no success or acceptance from ID.Me. Will the public be expected to work with its own government more and more in this fashion simply to respond to the government’s own notices? The key issue is access to the IRS or other government offices: Will it more and more be channeled through intermediaries using suspect technology, acting anonymously?

They’ll just say you can fulfill your tax obligations via USPS instead. Optional service extra.

ID.me is not a reputable company. Coercion of biometric data.

It’s about time. Soon after I completed the process, I started to receive a LOT of spam from this company that had nothing to do with why I gave them my personal info in the first place. When I did it, enrolling this way was the ONLY option; otherwise I would have taken another choice.

Who ever thought it was appropriate for a 3rd party to be the identity gateway between me and my government?

I needed my IRS transcripts and still had the old IRS login account but after logging in they insisted on the IDme to download the docs so I had them mail the transcripts instead. So much easier using USPS.

Well, at least we have a second option with Login.gov, for when ID.me gets breached. Not a good idea to put all the eggs in one basket, as babies in the US now well know…

I’m having problems with my id.me account for like 5 months now. I can’t receive my unemployment economy payments because of id.me.

My tax return is still being processed after almost 2 months. Didn’t receive any letter in the mail. Called the IRS, waited over an hour on the phone when I did eventually get through after several failed attempts, for the lady to say they need to verify me. How, you ask? Good ole ~id.me~, in which I already had an account. If I hadn’t called, I’d still be waiting for nothing. Now the choice is to scan my face or wait hours for you to FaceTime a person working. After trying and waiting to FaceTime and them logging me out, I really DID NOT WANT TO do the scan. I literally had NO CHOICE if I want my return. Oh yeah, now I have up to NINE (9) WEEKS to wait for it. Yeah, it sucks because I was depending on that for bills, but the Lord will provide.

Is not the IRS underfunded? Outsourcing a function integral to an organisation does not cost less. Follow the money. If id.me is authenticating at a cost less than what the IRS can do internally, then how? Is id.me making money from access to the information somehow? My gut tells me yes.

You’ve got the wrong gut feeling. 9 times out of 10, outsourcing to 3rd parties saves money, whether government or private sector. It’s the whole reason so many companies “move to the cloud”. It’s usually cheaper to outsource to a company that specializes. Identity and Access Management is a huge business. ID.me, for all of its flaws, is the leading vendor in this space. Government can’t do anything cheaper than the private sector. Yeah, it’s all about the money, taxpayer money. The IRS is underfunded, and hemorrhaging money from rampant fraud. No wonder they quickly hired an outside professional services vendor to stop the bleeding.

ID.me is a scam and a mess. I hope the company is soon sued in a lawsuit similar to the Illinois Facebook Biometric lawsuit for facial recognition and tagging. I and about 1.6 million other Illinoisans just got $397 each in our bank accounts — thank you, Mark Zuckerberg. I’d like to get another $500 or so from ID.me. My face is my private business, thank you.

I am on hold right now for verification. I ALREADY got my refund; why should I do this? I will not make an account with ID.me.

As always, appreciate these articles.
