Socure explains identity verification compliance to 2 state lawmakers
A pair of lawmakers in different states are objecting to state digital identity verification contracts held by Socure. At issue appears to be an objection to the use of personally identifiable data to identify persons, and a claim that the company’s terms of service clash with a new data protection law.
New York State Senator Jeremy A Cooney claims in a letter addressed to State Chief Information Officer Dru Rai that Socure is a “data broker,” and asks how the company was vetted prior to being awarded the state contract. Cooney is chair of the Senate Procurement and Contracts Committee.
The letter states that digital identity verification is crucial for New Yorkers to access public services. He notes a February letter to Socure CEO Johnny Ayers from State Rep Ritchie Torres asking about discrimination concerns. The company told StateScoop that it met with Torres’ office after receiving the letter. Cooney also refers to a lawsuit by a former commercial customer which claims Socure cut its annual fraud loss by 31 percent, far less than an advertised rate of 95 percent.
“It collects, purchases and stores billions of data points, including sensitive personal identifiable information, on New Yorkers without their consent to confirm their identities,” he writes.
Cooney’s letter concludes with seven questions about whether Socure’s technology has been properly evaluated for performance and bias, whether it complies with state data privacy law, and human review practices.
Portions of the letter reflect a fundamental misunderstanding of what Socure does, VP of Public Strategy Jordan Burris told StateScoop.
“We do not sell data to third parties, we do not use it for marketing. We do not use it to run a marketplace, offering online discounts for e-commerce, like other companies in the space,” Burris says. “We are only focused on verifying identity and rooting out fraud, and ultimately, under looking at what is exactly New York State law today, we are not a data broker, and to suggest otherwise is simply false.”
Further, Burris says the company tests its technology for bias, involves humans throughout its identity verification process, and uses the data it collects only for the stated purpose.
Virginian delegate questions compliance with data protection law
In another letter to Ayers, Virginia Del. Cliff Hayes questioned whether Socure’s terms of use are compliant with state data protection law, The Virginian-Pilot reports.
Socure’s terms require users to seek redress for any problems through arbitration, rather than class action lawsuits. They also receive data requested from Socure under state law in zip file that discourages less tech-savvy users from getting full disclosure, he says.
But Socure says in a written response that it is abiding by all state laws, and the only requests for access come from Hayes and individuals hired by Socure competitors.
“We take seriously the rights granted by all privacy laws, including Virginia’s VCDPA, and have developed a careful process to respond to all requests in a timely and compliant manner,” the letter states. “Upon review, we are confident there is no disruption to Virginians’ ability to exercise any rights granted by the VCDPA, as a result of the processes we employ.”
Socure’s white paper on “Responsible Biometrics: A Guide to Ethical and Secure Identity Verification” explains how the company’s biometric identity verification works, and how it protects against fraud. It also sets out Socure’s approach to transparency and validation through testing.
Hayes has referred the matter to Attorney General Jason Miyares, who is responsible for enforcing Virginia’s Consumer Data Protection Act, which took effect in 2023.
Hayes has been fending off criticism of his own, with The Associated Press reporting last October that he may have violated state residency rules.
At the federal level, the GSA has turned to Socure and a number of its competitors for a face biometrics pilot to secure access to Login.gov, to prevent fraud with more robust identity verification.
Article Topics
biometrics | fraud prevention | government purchasing | identity verification | New York | responsible biometrics | Socure | Virginia
Comments