Controversy continues for ID.me with ‘inferred citizenship’ confusion

Biometric identity authentication firm ID.me is back in the headlines over its agreement with the U.S. Internal Revenue Service to be the sole provider of identity authentication for online access to key tax services via biometric selfie signup. ID.me’s privacy policy reveals that it could potentially create an ‘inferred citizenship’ status for users, causing consternation but easily explained by the company. Meanwhile, Republican senators write to the IRS to raise their serious concerns over the situation and demand answers.

The ID.me customer signup process requires a biometric selfie with liveness detection, a photo of government photo ID and then facial analysis is applied to match the selfie and photo ID. This is then checked against credit agencies and telecommunications networks, reports Business Insider, which suggests that the firm stores an “inferred citizenship” status of some users “based on passport information,” according to the ID.me privacy policy.

The language in the privacy policy, however, is based on the requirements of The California Consumer Privacy Act, a company representative told Biometric Update in an email. Less than four percent of ID.me users submit passport data, and for those who do, no passport data is categorized by citizenship or nationality in company databases.

“We have not and are not creating a database based on citizenship or nationality,” ID.me tells Biometric Update in the email.

The company also pushed back on allegations that it seems willing to share this data with other government agencies, possibly more readily than firms such as Apple and Google. ID.me says it maintains only an image of the passport, in an encrypted database made available to law enforcement or government agencies only through subpoena, or in identity theft or fraud investigations.

According to comments by an official to Bloomberg, the U.S. Treasury Department is now considering alternatives for securing online access to services.

Republicans write to IRS Commissioner Chuck Rettig

A group of Senate Republicans have written a letter to Chuck Rettig, IRS commissioner, to raise their concerns and ask a series of questions about how the partnership with ID.me will affect civil liberties, to be answered by 27 February.

Led by Ranking Member Mike Crapo (Idaho), the senators list their concerns over the technology, process and the implications of any data breach.

“The IRS has unilaterally decided to allow an outside contractor to stand as the gatekeeper between citizens and necessary government services. The decision millions of Americans are forced to make is to pay the toll of giving up their most personal information, biometric data, to an outside contractor or return to the era of a paper-driven bureaucracy where information moves slow, is inaccurate, and some would say is processed in ways incompatible with contemporary life,” states the letter.

“Of concern, also, is that ID.me is not, to our knowledge, subject to the same oversight rules as a government agency, such as the Freedom of Information Act, the Privacy Act of 1974, and multiple checks and balances.”

On the technical issues, the senators delve into what is happening under the hood. “The most intrusive verification item is the required ‘selfie,’ which is much more than simply uploading a picture; it is submitting one’s face to be digitally analyzed by ID.me into a ‘faceprint’,” write the senators.

“ID.me’s ‘Biometric Data Consent and Policy’ defines biometric data as including ‘fingerprints, voiceprints, hand scans, facial geometry recognition and iris or retina recognition.’ Unlike a password, authenticator application, or hardware key, biometric items can never be changed.”

The senators ask fifteen questions spanning how IRS made the decision to appoint ID.me, what oversight it has over them, what due diligence it carried out, where the data will be stored, and what access ID.me staff have to the data.

This post was updated at 9:12pm Eastern on February 4, 2022 to clarify that ID.me does not create or store nationality categorizations and include comments from the company.

Article Topics

biometric data  |  biometrics  |  data protection  |  data sharing  |  face biometrics  |  government services  |  ID.me  |  identity verification  |  IRS  |  privacy