Controversy continues for ID.me with ‘inferred citizenship’ confusion
“We have not and are not creating a database based on citizenship or nationality,” ID.me tells Biometric Update in the email.
The company also pushed back on allegations that it seems willing to share this data with other government agencies, possibly more readily than firms such as Apple and Google. ID.me says it maintains only an image of the passport, in an encrypted database made available to law enforcement or government agencies only through subpoena, or in identity theft or fraud investigations.
According to comments by an official to Bloomberg, the U.S. Treasury Department is now considering alternatives for securing online access to services.
Republicans write to IRS Commissioner Chuck Rettig
A group of Senate Republicans have written a letter to Chuck Rettig, IRS commissioner, to raise their concerns and ask a series of questions about how the partnership with ID.me will affect civil liberties, to be answered by 27 February.
Led by Ranking Member Mike Crapo (Idaho), the senators list their concerns over the technology, process and the implications of any data breach.
“The IRS has unilaterally decided to allow an outside contractor to stand as the gatekeeper between citizens and necessary government services. The decision millions of Americans are forced to make is to pay the toll of giving up their most personal information, biometric data, to an outside contractor or return to the era of a paper-driven bureaucracy where information moves slow, is inaccurate, and some would say is processed in ways incompatible with contemporary life,” states the letter.
“Of concern, also, is that ID.me is not, to our knowledge, subject to the same oversight rules as a government agency, such as the Freedom of Information Act, the Privacy Act of 1974, and multiple checks and balances.”
On the technical issues, the senators delve into what is happening under the hood. “The most intrusive verification item is the required ‘selfie,’ which is much more than simply uploading a picture; it is submitting one’s face to be digitally analyzed by ID.me into a ‘faceprint’,” write the senators.
“ID.me’s ‘Biometric Data Consent and Policy’ defines biometric data as including ‘fingerprints, voiceprints, hand scans, facial geometry recognition and iris or retina recognition.’ Unlike a password, authenticator application, or hardware key, biometric items can never be changed.”
The senators ask fifteen questions spanning how IRS made the decision to appoint ID.me, what oversight it has over them, what due diligence it carried out, where the data will be stored, and what access ID.me staff have to the data.
This post was updated at 9:12pm Eastern on February 4, 2022 to clarify that ID.me does not create or store nationality categorizations and include comments from the company.