34 thoughts on “IRS: Selfies Now Optional, Biometric Data to Be Deleted”

  1. Greg Smela

    Anyone believe that personal data actually will be deleted?

    I didn’t think so.

    1. mealy

      Whatever data the NSA wanted, it has already. Now it’s just a storage liability for this dept.

  2. Dagmar

    Any projected date for when the IRS will integrate login.gov for their authentication? I would think a Presidential Directive would take care of the issue with agencies flouting the requirement.

  3. Ari Silverberg

    Anyone who is promoting Login.gov clearly has never used it before. It is worse.

    1. JamminJ

      It is still going to be optional. If you like ID.me better, and don’t care that they are privately owned, then you can still choose to use ID.me as your identity provider.

  4. NWBstuart

    RE the “taxpayers are no longer required to provide facial scans to create an account online at irs.gov”, it looks like there is no option to create anything but an ID.me account.

    From irs.gov sign-in page:
    “If you have an existing IRS username, please create a new ID.me account as soon as possible. We’re bringing you an improved sign-in experience. You won’t be able to log in with your existing IRS username and password starting in summer 2022. If you’re a new user, please create an account with ID.me.”

  5. G.Scott H.

    “The General Services Administration is currently working with the IRS to achieve the security standards and scale required of Login.Gov . . .”

    Does this mean IRS systems are not meeting security standards?

    1. JamminJ

      Yes, each agency has their own standards and practices. The Treasury Department is different from the GSA, and the DoD.
      Similar to the private sector, where each company largely sets their own standards.

      They do try to follow NIST standards but even their extensive documentation still leaves some room for interpretation.

      It’s quite possible the IRS implementation of Identity management follows most NIST standards but doesn’t adhere strictly to some other NIST guidelines that are implemented by the GSA’s Login.gov.
      Since Login.gov covers a lot more agencies, the “scale” required for Login.gov is very different from what the IRS has been used to.
      Remember, there is a significant body of politicians who have been trying to defund the IRS for decades, and they are behind the curve on many of the latest technologies.

        1. JamminJ

          Yes, thank you. It seems that quoted statement can be taken both ways, as either the IRS doesn’t meet the GSA standard, or GSA doesn’t yet meet the Treasury’s standards.

        2. JamminJ

          IAL1 – There is no requirement to link the applicant to a specific real-life identity. Any attributes provided in conjunction with the subject’s activities are self-asserted, which are neither validated nor verified.

          IAL2 – Evidence supports the real-world existence of the claimed identity and verifies that the applicant is appropriately associated with this real-world identity. IAL2 introduces the need for either remote or physically present identity proofing.

          IAL3 – Physical presence is required for identity proofing. Identifying attributes must be verified by an authorized and trained credential service provider (CSP) representative.

  6. Catwhisperer

    The question is who runs login.gov? In an administrative/operational sense. Does the federal government have a Department of IT we don’t know about? My point is that if .gov just farms the work out to a civilian contractor, what is the difference? And who has better operational information security, the government (disregarding .mil) or the private sector?

    1. Jeff

      Krebs will correct me if I’m wrong, but I believe login.gov is a government site managed by the GSA. Like many government organizations, they may employ non-government people per the guidelines set up, but it’s still managed by the gov.
      Of course nothing is 100% secure no matter who manages it.

    2. Mike

      The difference is that login.gov doesn’t require a facial scan. They also don’t require a video interview, during which I have zero confidence ID.me is not taking a screenshot. Also, I have zero confidence ID.me is *actually* going to delete those images, despite what the IRS is telling us.

      1. JamminJ

        Yes, ID.me is using the video interview as biometrics. They never denied that, and that’s the way their anti-fraud system worked.
        It’s actually the reason why so many state governments chose ID.me: because they lost millions in fraud, as the same few criminals pretended to be thousands of people making claims for benefits.
        Just last month, they indicted a NJ man for defrauding more than $2.5 million in unemployment benefits in California.
        ID.me used those “screenshots” from his video interviews to prove he was the same person.

        ID.me will be forced to delete the data. They would face significant fines and lawsuits if they were to keep it. And it’s not like they can hide it if they keep it, because of whistleblowers. And if they cannot use it for anti-fraud investigations (which would also reveal that they are still retaining the data), then it makes no sense to spend money to retain the data.

        Login.gov is fine…. but I think we’ll just see the same problems with rampant identity theft. It’s all good for privacy advocates, until they get their identity stolen too.

        1. Mike

          Well, that directly contradicts the article:
          “Taxpayers will have the option of verifying their identity during a live, virtual interview with agents; no biometric data – including facial recognition – will be required if taxpayers choose to authenticate their identity through a virtual interview,” the IRS said in a Feb. 21 statement.

          So is the video interview “biometrics” or not? Because both can’t be true. Either taxpayers are providing biometrics in the form of the video interview, or no biometrics are required.

          The article goes on to state “Any existing biometric data from taxpayers who previously created an IRS Online Account that has already been collected will also be permanently deleted over the course of the next few weeks.” If they are deleting “any existing biometric data” and “new requirements are in place to ensure images…are deleted” (and as you point out, they cannot use it for anti-fraud investigations), then how, exactly, is ID.me going to be any better than Login.gov?

          As to the “millions” saved because of ID.me, even if the story is true (and if it’s not, it’s an open secret that the welfare system is rife with fraud), there is a qualitative difference between an optional, opt-in, voluntary service, and something that ALL income-earning residents and citizens are **required** to use.

          I happen to have a Login.gov account that was more extensively verified than anything ID.me could throw at it…. I have zero interest in yet another account to have to keep track of, private or not. Having more accounts is not going to make my identity any more secure….

          1. JamminJ

            This article is quoting future tense.
            So yes, the IRS and ID.me are going to be doing things differently than they did just 1 month ago. Hence the “now” in the headline, the “will have”, “will be”, etc. in those quotes.

            I agree, there is a big difference between an optional service, and a requirement for a huge population. That is a big point made by opponents of Voter ID laws too.

            But “ALL income-earning residents and citizens are **required** to use” is incorrect. I do not have, nor will I need, an IRS.gov account. You don’t need it to file taxes.

            Nonetheless, I do agree that ID.me should not be the sole identity platform in use, and people should always have multiple options.

            1. Mike

              All income-earning residents and citizens are required to use the IRS.

              True, you don’t need an IRS account to file your taxes, but most of us are going to need to interact with the IRS on a deeper level at some point. Need to set up a payment plan? Set up an account. Need a tax transcript for a background check because employers aren’t required to keep employment records past a certain amount of time, and some background checks want 10 years of employment history? Tax transcripts require an account. Need to make estimated payments for a 1099 job? Actually have your identity stolen and need an “identity protection PIN”?

              The list of things you need an account for keeps getting longer.

              How long will it be before the IRS decides that the best way to prevent fraudulent tax returns is to require an account? I’m honestly surprised that it *isn’t* already a requirement for the IRS; many states with an income tax require an account with their taxing authority just to file.

              1. JamminJ

                I get what you’re saying. It certainly does seem like it’s headed in that direction.
                But it is still not currently “ALL income-earning residents and citizens”, and I don’t even think “most” is an accurate term right now.
                In the future? Yeah, I agree.
                That’s why this needs to be sorted out now, before it is required for the majority.

                  1. Mike

                    It’s not nitpicking. It’s detail. And this is why I come to Krebs.

    3. JamminJ

      Great questions.
      CISA is kinda the de facto department in charge of cybersecurity policy. Each department within the federal government has their own “IT department”: DISA for the DoD, and the IRS uses the Treasury Department’s.
      Yes, like most things in the federal government, contractors do most of the actual work. Defense contractors build and operate the DoD’s IT systems too.
      It’s a surprise to many, but there is a significant revolving door between the government and private sector.
      The data is stored in government “owned” cloud networks. But really, still AWS, GCP and Microsoft Azure. It’s just subject to stricter contracts. What this means in practice varies, but generally means servers are separate from non-government, no shared tenancy, cannot use that data with 3rd parties, etc. This segregation does provide better security. But most vulnerabilities would still apply.

  7. Bob Brown

    It appears that the older logins may no longer work. I just tried my existing IRS login and was taken to the “create a new login” page. {Sigh}

  8. BB

    So I opt in to the Identity Protection PIN (IP PIN) program every year. Will login.gov let me do this? There’s no way I’m creating an ID.me account.

  9. BB

    So just to confirm, login.gov will give access to the same information as ID.me, correct?

  10. lesley

    ID.me was apparently used by Texas unemployment dept. and CA DMV – people have rated ID.me poorly (1.1 out of 5) due to problems verifying data, and asking for too many substantiating documents.

    1. JamminJ

      California unemployment (EDD) has been using ID.me too.
      They don’t really care about Yelp-type ratings, as they only reflect on convenience, not security.

      These state governments lost millions to fraud. That’s the more important rating for them.
      ID.me, in asking for “too many” substantiating documents and requiring video interviews, directly led to the arrest and indictment of a NJ man who made millions of dollars in claims in California.

      People were tired of Identity Theft. There was huge outrage and people demanded that governments get strict against fraud. ID.me is the result.

  11. Joao

    What a mess.
    In most European countries (except the UK) there is a unique Citizen ID Card issued by some government entity that can be used for everything (identification-related).
    These days, with in-chip authentication and digital signature certificates, it can even be used to access government services and some private sector web sites (usually banks… but these ones all require a mobile app with the government authentication… just because the banks want it that way; the government doesn’t care if you use the card or the app on the mobile to access their services).

  12. Nadir

    What about other login.gov of other websites?

    Digital signature certificates even to access government services and some private sector web sites, but these ones all require a mobile app with the government authentication, like erp.moh.gov.sa. I hope they don’t do the same in Saudi Arabia because this is a mess.
