February 7, 2022

The Internal Revenue Service (IRS) said today it will be transitioning away from requiring biometric data from taxpayers who wish to access their records at the agency’s website. The reversal comes as privacy experts and lawmakers have been pushing the IRS and other federal agencies to find less intrusive methods for validating one’s identity with the U.S. government online.

Late last year, the login page for the IRS was updated with text advising that by the summer of 2022, the only way for taxpayers to access their records at irs.gov will be through ID.me, an online identity verification service that collects biometric data — such as live facial scans using a mobile device or webcam.

The IRS first announced its partnership with ID.me in November, but the press release received virtually no attention. On Jan. 19, KrebsOnSecurity published the story IRS Will Soon Require Selfies for Online Access, detailing a rocky experience signing up for IRS access via ID.me. That story immediately went viral, bringing this site an almost unprecedented amount of traffic. A tweet about it quickly garnered more than two million impressions.

It was clear most readers had no idea these new and more invasive requirements were being put in place at the IRS and other federal agencies (the Social Security Administration also is steering new signups to ID.me).

ID.me says it has approximately 64 million users, with 145,000 new users signing up each day. Still, the bulk of those users are people who have been forced to sign up with ID.me as a condition of receiving state or federal financial assistance, such as unemployment insurance, child tax credit payments, and pandemic assistance funds.

In the face of COVID, dozens of states collectively lost tens of billions of dollars at the hands of identity thieves impersonating out-of-work Americans seeking unemployment insurance. Some 30 states and 10 federal agencies now use ID.me to screen for ID thieves applying for benefits in someone else’s name.

But ID.me has been problematic for many legitimate applicants who saw benefits denied or delayed because they couldn’t complete ID.me’s verification process. Critics charged the IRS’s plan would unfairly disadvantage people with disabilities or limited access to technology or Internet, and that facial recognition systems tend to be less accurate for people with darker skin.

Many readers were aghast that the IRS would ask people to hand over their biometric and personal data to a private company that began in 2010 as a way to help veterans, teachers and other public servants qualify for retail discounts. These readers had reasonable questions: Who has (or will have) access to this data? Why should it be stored indefinitely (post-verification)? What happens if ID.me gets breached?

The Washington Post reported today that in a meeting with lawmakers, IRS officials said they were considering another identity verification option that wouldn’t use facial recognition. At the same time, Senate Finance Committee Chairman Ron Wyden (D-Ore.) challenged the Treasury Department and IRS to reconsider the biometric requirements.

In a statement published today, the IRS said it was transitioning away from using a third-party service for facial recognition to help authenticate people creating new online accounts.

“The transition will occur over the coming weeks in order to prevent larger disruptions to taxpayers during filing season,” the IRS said. “During the transition, the IRS will quickly develop and bring online an additional authentication process that does not involve facial recognition. The IRS will also continue to work with its cross-government partners to develop authentication methods that protect taxpayer data and ensure broad access to online tools.”

“The IRS takes taxpayer privacy and security seriously, and we understand the concerns that have been raised,” IRS Commissioner Chuck Rettig wrote. “Everyone should feel comfortable with how their personal information is secured, and we are quickly pursuing short-term options that do not involve facial recognition.”

The statement further stressed that the transition announced today does not interfere with the taxpayer’s ability to file their return or pay taxes owed. “During this period, the IRS will continue to accept tax filings, and it has no other impact on the current tax season,” the IRS said. “People should continue to file their taxes as they normally would.”

It remains unclear what other service or method the IRS will use going forward to validate the identities of new account signups. Wyden and others have urged the IRS to use Login.gov, a single sign-on service that Congress required federal agencies to use in 2015.

“Login.gov is already used to access 200 websites run by 28 Federal agencies and over 40 million Americans have accounts,” Wyden wrote in a letter to the IRS today. “Unfortunately, login.gov has not yet reached its full potential, in part because many agencies have flouted the Congressional mandate that they use it, and because successive Administrations have failed to prioritize digital identity. The cost of this inaction has been billions of dollars in fraud, which has in turn fueled a black market for stolen personal data, and enabled companies like ID.me to commercialize what should be a core government service.”

Login.gov is run by the U.S. General Services Administration, which told The Post that it was “committed to not deploying facial recognition…or any other emerging technology for use with government benefits and services until a rigorous review has given us confidence that we can do so equitably and without causing harm to vulnerable populations.”

105 thoughts on “IRS To Ditch Biometric Requirement for Online Access”

  1. Louise

    Listen to this quote from a Bloomberg article about ID.me – this is rich!

    Between Jan. 28 and March 8, 2021, ID.me had 654,292 users start its verification process in California, according to data Hall provided. Just half of those users completed ID.me’s checks. Hall argues that any users who didn’t complete the process were clearly scammers.

    That’s offensive! If you do not finish the cumbersome ID.me signup process, you’re “clearly a scammer?” That’s rich.

    1. JamminJ

      I wonder why the Bloomberg article didn’t give an exact quote from Hall, but instead paraphrased.
      Don’t get offended by someone else’s translation. What was ACTUALLY said may be very different.

      Also, context matters. If those claimants never attempted to claim benefits since 1 year ago, even through another way, it could be likely they were scammers. And it’s not like 300,000 attempts = 300,000 real people who gave up on collecting benefits. Read the rest of the article: California has been bombarded with claims, usually from just a few scammers pretending to be thousands of different individuals.

      A federal grand jury returned a 15-count indictment last month against Eric Michael Jaklitsch, 40, of Elizabeth, New Jersey, charging him with wire fraud and aggravated identity theft.
      He tried to claim more than $2.5 million in unemployment benefits in California and caused the state and the federal government to incur actual losses exceeding $900,000.

      An internal investigation conducted by ID.me identified Jaklitsch as a person conducting a fraud scheme and referred the case to federal law enforcement.

    2. Liz

      Irrespective of the issue of what Hall actually did or didn’t say, the Bloomberg article raises many valid questions that deserve thought. Thanks, Louise, for the link.
      I agree with JamminJ about journalists synopsizing rather than quoting or quoting out of context. We should all endeavor to be critical consumers of information even though each of us brings our own biases. Otherwise we help perpetuate echo chambers. Most important is not to forget to question ourselves.

      1. NoMoarQ

        Well, that certainly is a Libertarian point of view, from a Libertarian magazine.
        Instead of thinking everything is a conspiracy, and every tech company is out to get you… you should put down the tin foil hat and try to be objective.

      2. Louise

        Blake Hall made splashy headlines in June when he told Axios nearly $400 billion of pandemic funds paid out were fraudulent, based on ID.me’s own data culled from recently entered state contracts . . .

        Journalist Elizabeth Nolan in a Reason dot com article said:

        That’s an insanely high—and disturbing—estimate, as well as one that seems to vindicate the worst fears about fraud in U.S. unemployment insurance programs.

        It’s also pretty thinly sourced, coming from one dude—ID.me CEO Blake Hall—with a vested interest in fearmongering around identity theft. His company is in the business of online identity verification. (“I asked ID.me for more specific information and they sent me an argument in favor of their product—which helps verify claims,” notes CNN’s Zachary B. Wolf.)

        The best estimate from official sources is about $89 billion in fraudulent claims, or 10% – not the huge 50% of ID.me’s Blake Hall estimate. The headline-grabbing “$400 billion in fraud payouts” is an effective marketing strategy for products like ID.me or LexisNexis’ ID Analytics, whose acquisition was announced a year ago . . .

        Who is a “critical consumer” of Blake Hall’s inflammatory and self-serving estimate?

        This has to go down as white collar criminals’ biggest swindle of the US population in history, with major ID.me investor Alphabet burnishing its facial recognition product in competition with Amazon’s, using PII handed over by a trusting population. Sheeples.

  2. Coronald McDonald

    Here’s a rad idea: why not simply transition away from the IRS, o mighty federal governors? Or at least repurpose the agency’s employees to do something more benign like composing poetry all day…

  3. GetSerious

    “I can’t trust these unknown people with my selfie! (Posts picture of self in Cabo to FB, Insta, Snapchat, Twitter, LinkedIn…)”

    1. Purposefully Anonymous

      I can’t trust these unknown people with my selfie! And I’ve never posted a picture of myself to any social media. And anyone who has ever taken a digital picture of me has been told not to tag me if that photo is posted to social media. So your point is?

  4. Curious

    What is going to happen to the biometric data that has already been collected?

    1. JamminJ

      They’ll keep it, so they can catch anyone who attempts to claim multiple identities.
      Just like they caught Jaklitsch.

      A federal grand jury returned a 15-count indictment last month against Eric Michael Jaklitsch, 40, of Elizabeth, New Jersey, charging him with wire fraud and aggravated identity theft.
      He tried to claim more than $2.5 million in unemployment benefits in California and caused the state and the federal government to incur actual losses exceeding $900,000.

      An internal investigation conducted by ID.me identified Jaklitsch as a person conducting a fraud scheme and referred the case to federal law enforcement.

  5. Ikijibiki

    A lot of you guys talking about hardware tokens and 2FA and biometrics are missing the point here. Yes, there are plenty of methods of securing logins. But that’s not the problem the IRS wants to solve. It’s fraud. People signing up for an account who are not who they say they are. The question that needs to be answered is how do you verify someone’s identity before they are approved for an account and get their login credentials? It’s what banks do well every time someone wants to open a new account.

    1. orly

      Nobody can stop the uninformed from having a wrong opinion.

      Unfortunately, security and data privacy are not intuitive to the layperson, and people get scared with all this stuff.

    2. SteveH

      Really banks do this so well! Because if banks and credit card companies did Identity Proofing online so well, we would not all have to have our credit frozen. Would we? Maybe banks do this well in-person, but checking a driver license/Real-ID in person is easy. The question is how do you do this online? And if it is not going to be online, where do we do this in-person?

      1. JamminJ

        I disagree that banks do this well. They do this, historically, very poorly.

        Identity theft has existed in various forms for a long time. It’s exploded recently, but even pre-Internet, it was a problem. The biggest culprit… the Social Security Number was used as a secret code.
        And who allowed it to be used as a secret instead of its intended use as a unique identifier? Lenders.
        It was consumers who got caught in the middle, having to “fix their credit”, because lenders ruined people’s credit, because some fraudster knew a full name, DOB, home addresses, and an SSN. Stuff found in the trash or with basic surveillance skills. SSNs were used for decades as a public identifier, especially in the military where it was on every form used by a servicemember.

        1. JamminJ

          I re-read your comment. I guess the exclamation point was meant to be a question mark.

        2. MoyConcerned

          Oh, it was much worse than that. Every dependent (i.e. family member) of a service member had to know their “sponsor’s” SSN to get certain things done on base. This also lasted for decades, only being phased out in the mid 90’s from what I recall. For instance, if you as a dependent went to the base library, you had to give your sponsor’s SSN to the librarian, TO CHECK OUT A BOOK! This was the same to use all those MWR (Morale, Welfare, Recreation) activities, like the base bowling alley, gymnasium, auto and woodworking hobby shops, even in some cases the base movie theater. The result? It has been nearly 40 years since I was a dependent, and I can still rattle off my dad’s SSN on command.

  6. Ikijibiki

    UPDATE (Washington Post)

    The private contractor ID.me said it will drop the facial recognition requirement in the identity-verification software used by 30 states and 10 federal agencies, a major reversal following a backlash due to the technology’s accuracy and privacy concerns.

    After questioning from The Washington Post, the company also announced that anyone could delete their selfie or photo data starting March 1. The company said its technology has been used by 73 million people, with more than 145,000 new people joining every day.

  7. Fedos

    Login.gov exists, and these agencies are going to some random private company.

  8. Chip Cogswelle

    ID.me is a nightmare of bad interface design trying to facilitate a complex process.
    In Jan of ’22, I needed access to the IRS and tried to set up via “id.me.”
    It was a nightmare! Over the course of 3 sessions (and about 6 hours), I either found myself in a “loop” or needed more info.
    Each attempt required starting from the beginning (post drivers license, have face scan). The first 2x, the face scan seemed fine.
    On the 3rd attempt, after posting a passport, Drivers license, facial scan (took 5 tries!), and verifying phone no., they said it wasn’t good enough and I needed a “referee” video chat. They said standby for an email, but that didn’t come until 2 days later. It had a link to “Enter waiting room”, but no details on the wait time period. I simply gave up!

    1. Orly

      Sorry you had such trouble.

      Like anything though, there have been plenty of people who had an easier time. They don’t comment though. I guess only bad experiences are comment worthy.

      I’m sure your local DMV has an equally “nightmare” experience for lots of people. And that’s been a requirement for nearly all adults for decades. And with that, you have to show up in person. Just be thankful they aren’t asking you to show up somewhere to verify your identity.

      1. Nevada

        I would decidedly prefer to verify my identity at a Post Office, Social Security office, IRS office, or other suitable federal facility, rather than going through the miserable ordeal of verifying with id.me. I do not want to provide a shady government contractor with unregulated, unlimited, irrevocable permission to acquire, store, analyze, manipulate, and market my deep biometric data. I do not want to go through the process countless times, having the process break down again and again for opaque reasons, having to wait on hold for literally hours with no meaningful indication when or if I’ll ever get to meet with a “trusted referee”. I am pleased that the IRS commissioner has seen the light–better late than never–but it never should have gotten this far. It’s rank government corruption and cronyism. The IRS should have used login.gov in the first place, according to the law.

        No personal offense intended–I’m assuming you are an investor or executive there. You are so defensive about their business, so eager to employ whataboutism and every other manner of online fallacy to downplay compelling risks and concerns.

        1. Orly

          I’ve got no interest in the company. I just don’t think they’re part of some evil conspiracy.
          I too would rather visit a federal facility in person. At scale, I’m sure that would be an experience on par with wait times at the DMV though.
          Getting a state photo ID also requires giving up biometrics to shady government contractors. The only real difference is that the public isn’t really aware, and so they’re unconcerned.
          The sad truth is, if the IRS slapped their own branding on the ID.me system, nobody would be outraged.

  9. VA too

    Not just the IRS… but apparently the VA too.
    It’s been a while since I’ve logged into my VA health portal, and they offer several authentication methods such as their native MyHealtheVet login, the DoD’s DS Login which authenticates via the servicemember’s issued CAC card (in-person enrolled), and ID.me.

    What’s weird, is that using my CAC login through DS Login, still redirected to create an ID.me account.
    This would probably scare a bunch of people who did not know how it works. But I had the browser’s dev tools open, and could follow the redirects to see how the federated SSO worked. It did verify my mil email, and prompted to set up 2FA. But it did NOT need to perform any additional vetting or manual verification.
    Why? Because my prior identity had been verified via DS Login.

    This is good. It took only a few extra minutes. I understand how VA benefits are a valuable target for scammers/fraudsters/identity thieves. They need to adopt good identity proofing.

    1. VA too

      Just confirmed with the va.gov help desk.
      They are transitioning and will no longer allow DS Logon federated authentication in the next few months.

      They too will use ID.me exclusively.

      Mr. Brian Krebs, can you comment or find out more? The VA doesn’t have as many users as the IRS, but we do tend to be older on average.
      Let me know if I should put an email address if you need someone with an existing VA login to help dig up more details.


  10. JamminJ

    I actually hope Login.gov becomes an approved Identity provider for the IRS.
    But I also hope they do have a process to use biometrics for anti-fraud measures.

    A federal grand jury returned a 15-count indictment last month against Eric Michael Jaklitsch, 40, of Elizabeth, New Jersey, charging him with wire fraud and aggravated identity theft.
    He tried to claim more than $2.5 million in unemployment benefits in California and caused the state and the federal government to incur actual losses exceeding $900,000.

    An internal investigation conducted by ID.me identified Jaklitsch as a person conducting a fraud scheme and referred the case to federal law enforcement.

    This is the benefit of biometrics.
    The criticism that biometrics are not perfect is only a criticism of using biometrics in an automated way. But to use it to flag a few attempts to claim benefits, for manual review, is very effective.

    Identity thieves like Eric Michael Jaklitsch put themselves at great risk of getting caught, every time they have to go on camera for a live session, pretending to be someone else. The more they try to claim, the higher the risk. Without biometrics, and to appease everyone’s privacy concerns… makes the process very easy for fraudsters to keep doing it.

    1. SteveH

      Yes, you have told us about this case numerous times. I am sure nobody would disagree that ubiquitous biometrics data has benefits in preventing fraud or crime. If the police had everybody’s fingerprints, DNA, and tracked your cell phone 24/7, we would have little physical crime, but hopefully that is not the world we live in or will.
      Like all personal data the questions are how is this data obtained and for what reason? Is it stored? If so is it anonymized, secure, and under what conditions can it be used?
      I think we would all like a non-private entity to provide online “Identity Proofing” for our government accounts since it will most likely require some biometrics but what process will Login.gov use and how will it scale?

      1. JamminJ

        I only repeated it, because it seems to be wholly ignored. You’re the first to even acknowledge.
        There is a sense that privacy is being eroded for no reason. That there is no purpose other than government be evil, or corporation be greedy.
        Many here believe that the IRS is using ID.me on some whim, and without just cause. And so, I thought it prudent to keep reminding people of the massive surge in fraud against government institutions in the last 2 years. Pandemic relief had to come quickly and easily to help burdened citizens… but of course that led to huge problems.
        People want their stimulus, and didn’t much care about the door being opened for fraud.

        I don’t want a police/surveillance state either. I just reject the assumptive notion of the “slippery slope” argument.
        There is a difference between a broad dragnet of collection, and collection as a requirement explicit for a government service.
        I again compare it to the biometrics collected by every state DMV. If a person really doesn’t want to participate, they don’t have to, but they don’t get the privilege of driving on public roads. One can argue, that driving privileges are now a right of every American, and there should be no requirements for identification. But I don’t agree with that. Claiming unemployment benefits, tax deductions, etc…. is likewise, a government service that may seem compelled, but is still optional.
        So this is not a slippery slope of what if “police had everybody’s” biometrics.

        Yes, I agree. There is certainly a need for more transparency into personal data collection and retention. A data privacy “bill of rights” would go a long way for easing fears and preventing that slippery slope. We absolutely should pass laws similar to California’s CCPA or the EU’s GDPR.

        1. SteveH

          I’m sorry, you seem to keep conflating two things: fraud which was due to inadequate “Identity Proofing” procedures for a Digital Identity for an online account for unemployment benefits, and the need to retain the data given in an online “Identity Proofing” procedure.
          I think everybody agrees that we need to do better with the first. Unfortunately, this is a decade-old problem which the government (both fed and states) has for whatever reason not solved. And then COVID and the need to provide online accounts for unemployment benefits happened without having person to person interactions.
          As to the second thing, you were the one who made the claim “ID.me does have legitimate reasons for retaining biometric data”, which was to reduce fraud. Granted, having more biometric data could help increase the effectiveness of an algorithm and maybe reduce some of the fraud, but by how much? Is the retention of the data needed to bring the fraud rate down to an acceptable level? If so, then what was the effectiveness of the system before everyone had to use it? Hence the slippery slope, since fraud would be 0% if you had everybody’s biometric data. And can you use the data anonymized? And by the way, you do not need any of the other data supplied, so delete it. And I think the bigger question for many people is what else are you really using my data for? Because you do not need it anymore to verify me, since that is where the Authentication and lifecycle management phase starts.

          1. JamminJ

            Maybe we aren’t talking about the same thing. I’m NOT talking about using biometrics to get a “positive match” during identity proofing. In that use case, biometrics would match the photo from a presented ID card (passport, driver’s license, etc.), to a “selfie” using live video chat.
            In that case, yeah, no need for retention of the biometrics data past completion of enrollment.

            But that is NOT what ID.me retains the biometrics data for. The anti-fraud feature that ID.me seems to be using, is a “negative match”.
            Not a match to a presented ID, but a match against other previous applicants.
            Not using a match to approve, but using a match to flag for investigation.
            This is how Eric Michael Jaklitsch was ultimately caught.

            They cannot always trust the ID card, as fraudsters have gotten quite good at forgeries, especially when interaction is through scanning or photographing documents to be uploaded for review. So how do you catch fraudsters who can make fake IDs and gather some static information about victims?
            You catch them by flagging them if their face appears multiple times under different claims. If you think about it, that’s how police have done fraud investigations for years.

            Since you really cannot do “negative matching” unless you retain snapshots of those video interactions, biometrics MUST be retained. And there really isn’t a time limit on this kind of fraud. A clever fraudster, like Jaklitsch, can work for months or years, impersonating dozens of people and making hundreds of claims.
            If you make it easy for anyone to simply “opt-out” and have the biometrics truly deleted, then this kind of anti-fraud feature, doesn’t really work. The fraudsters would just want to delete evidence of their crimes after every claim.

            I honestly think we should make these online interactions on par with in-person interactions. You walk into a bank, you’re on camera. You don’t get a “right to privacy” walking into a bank. You don’t get to demand they scrub their video to blur out your face as you are walking out. Even if you didn’t rob the bank on that visit, they retain your biometric data as long as they want to. They keep footage for “negative matching”. So when they are robbed, they know who came in to case the joint. And this concept of retaining biometric data does not lead to a “slippery slope” of banks using the data to approve loans.
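The positive-match (1:1, approve or reject) versus negative-match (1:N across other claimed identities, flag for manual review) distinction drawn in the comment above, as an added Python illustration. This is not code from ID.me, the IRS or this page; the face "embeddings", identifiers and similarity threshold are constructed stand-ins for whatever a real face model and policy would use.

```python
"""Positive (1:1) versus negative (1:N) biometric matching.

Added illustration of the concept discussed in the thread; not ID.me's, the
IRS's or any agency's code. Embeddings are toy vectors, threshold is assumed.
"""
from dataclasses import dataclass, field
from math import sqrt

MATCH_THRESHOLD = 0.90  # assumed: cosine similarity at or above this = same face


def cosine(a, b):
    """Cosine similarity of two equal-length vectors (0.0 if either is zero)."""
    dot = sum(x * y for x, y in zip(a, b))
    na = sqrt(sum(x * x for x in a))
    nb = sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


@dataclass
class Enrollment:
    claimed_identity: str  # who the applicant says they are (constructed ids)
    selfie: list           # embedding of the live selfie / video frame
    id_photo: list         # embedding of the photo on the presented ID document


@dataclass
class MatchStore:
    """Selfie embeddings retained from earlier enrollments, keyed by identity."""
    retained: dict = field(default_factory=dict)

    def positive_match(self, e):
        """1:1 check: does the live selfie match the document photo?"""
        return cosine(e.selfie, e.id_photo) >= MATCH_THRESHOLD

    def negative_match(self, e):
        """1:N check: has this face already enrolled under a *different* identity?
        A hit does not reject the claim; it flags it for manual review."""
        hits = []
        for identity, prior_selfies in self.retained.items():
            if identity == e.claimed_identity:
                continue  # the same person re-enrolling is not suspicious
            if any(cosine(e.selfie, p) >= MATCH_THRESHOLD for p in prior_selfies):
                hits.append(identity)
        return hits

    def enroll(self, e):
        """Run both checks, then retain the selfie so later 1:N checks can see it."""
        result = {
            "identity": e.claimed_identity,
            "positive_match": self.positive_match(e),
            "flag_for_review": self.negative_match(e),
        }
        self.retained.setdefault(e.claimed_identity, []).append(e.selfie)
        return result

    def forget(self, identity):
        """Honour a deletion request: drop every retained selfie for that identity."""
        self.retained.pop(identity, None)


# Constructed embeddings: each distinct face is one axis plus a little noise.
FACE_A = [1.0, 0.02, 0.0, 0.0]   # a genuine taxpayer
FACE_F1 = [0.05, 1.0, 0.0, 0.0]  # one person (the fraudster), first sitting
FACE_F2 = [0.0, 1.0, 0.05, 0.0]  # the same person, second sitting
PHOTO_V = [0.0, 0.0, 0.0, 1.0]   # real photo on a victim's stolen document


def run_scenario(honour_deletion=False):
    """Replay the pattern the comment describes; return per-claim results."""
    store = MatchStore()
    out = {}
    # 1. Genuine applicant: selfie matches own document, nothing retained yet.
    out["genuine"] = store.enroll(Enrollment("taxpayer-A", FACE_A, FACE_A))
    # 2. Stolen document carrying the victim's real photo: the 1:1 check fails.
    out["stolen_doc"] = store.enroll(Enrollment("victim-1", FACE_F1, PHOTO_V))
    if honour_deletion:
        store.forget("victim-1")  # opt-out deletion removes the retained selfie
    # 3. Forged document printed with the fraudster's own photo passes 1:1,
    #    but the 1:N check sees the same face already tied to "victim-1".
    out["forged_doc"] = store.enroll(Enrollment("victim-2", FACE_F2, FACE_F1))
    return out


if __name__ == "__main__":
    for claim, result in run_scenario().items():
        print(claim, result)
```

With deletion honoured between the two fraudulent claims, the third claim is no longer flagged, which is the retention trade-off the comment is arguing about.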

  11. NoMoarQ

    That certainly is a Libertarian point of view, from a Libertarian magazine.
    Instead of thinking everything is a conspiracy, and every tech company is out to get you.
    If I were so cynical, I might suspect that YOU are a scammer like that NJ guy who got caught when ID.me used his biometrics to see he was stealing multiple identities. Scammers hate companies like ID.me that make it hard for them to steal.

  12. Mopani

    Why not just go to a physical location to get verified and receive a login token? Social Security has offices all over; every state has Motor Vehicle / License offices that could work with the IRS to verify identity and link an IRS account.

    This idea that everything has to be done online and virtually is insanity.

    1. Orly

      Tell that to the people who just want the convenience. Everything has moved to the cloud, has a social media presence, can be done from a smart phone, and within minutes. We’ve become lazy and entitled in this age of instant gratification.
      But I agree, identity verification should not be virtual.

      Many people don’t want to work with the IRS at all, and some think they are illegitimately taxing their income.
      States want to be sovereign from the federal government, so the DMV offices might not want to integrate for federal services. The post office is probably the most ubiquitous federal office available everywhere, and there is a concerted effort to defund and wipe them out.

  13. Alice

    I’m glad to learn that these demons are being pushed back and IRS won’t require facial recognition to use their online service.
    Forcing people to submit to facial recognition (or provide other highly private data to shady criminal 3rd party private company) to receive government services they are ENTITLED to is unacceptable.
    I will continue my fight against ID.me. I was successful fighting them off when the State of California started requiring them and received an alternative identification option.
    Remember, you can not be forced to submit to them.
    You are entitled to government services without being forced to submit to this degrading treatment that threatens your personal data security. Not to even mention that this is part of Mark of the Beast system.
    This is all a part of grand digital concentration camp plan where they want to put everyone.
    They want people not to be able to leave the house without e-permit on their phone, wearable or, eventually, chip implant.
    This had been tested in China, Russia just recently, coming to you next.
    As a citizen of multiple countries I can see the creep of these demonic “technologies” more than others, I can not even return to my home country anymore because of this fascist system taking over already.
    Resist and don’t let them put you in permanent electronic Soviet Union, this is what they want.
    They want to decide who lives or dies eventually, by pressing a button in centralized control system.
    Cutting people off from needed government services is the first step towards it (just like forced injections, illegal false imprisonment since 2020, etc) – veterans, SSA recipients, people who rely on IRS tax return, unemployment – these were hit the hardest by these satanic requirements.
    The best defense is probably to separate your life from the government as much as possible and not rely on it, but one still needs SSA, Medicare, and it’s important not to allow them to block access to these key services requiring facial recognition and other insults and destruction of peace that are done by ID.me (their process is horrendously degrading and they want all, everything on you, your social security card, passport, DL, facial live selfie, static selfies, video chat where they record you showing with passport, SSN card on camera – all of which can be misused, hacked, or sold to China/CCP – the latter is probably one of their goals)

  14. Patrick Katus

    I went through that horrible process of submitting biometric data to create my account. Now that the IRS has decided to stop that practice, whom do I contact to ensure EVERY SINGLE BIT OF THAT DATA is removed permanently from the IRS’s databases and any other database it was shared with? Will it require a lawsuit on my part to have all of that data deleted?

  15. JamminJ

    Sometimes Privacy and Security are at odds with each other. They don’t always have to be, but in some cases, you cannot have both, and must prioritize.

    Many of the comments seem to be from non-Security people, upset about the potential loss of privacy. I get that.
    The thing is, anyone can be an advocate for data privacy. It doesn’t take training, education, skill or experience to comment on, and advocate for, better privacy of data.
    On the flip side, Security doesn’t get a huge number of advocates. It takes some understanding of the concepts to truly advocate for secure systems, and to know why they are secure. It requires knowledge of Identity, access management, authentication systems, etc., to really understand the failings and strengths of any given system.

    This is a Security blog, first and foremost. Krebs talks about fraud, cyber crime, and hacks mostly. Data breaches are a big part of this website, but not really because of the Privacy implications, but rather the Security aspect that led to the breach.
    This is not a Privacy blog, which would cover misuse of private data even without a Security breach. For example, the ethical, moral and legal questions revolving around ID.me, their terms of service, and if they can sell data to 3rd parties.

    This story is about the IRS reaction to the outrage from Privacy advocates. It’s certainly a story that needs to be told.
    But we cannot take it out of context. It cannot be read in a vacuum from just the Privacy perspective.
    The entire reason and backstory is just as important. The Security perspective is the real story, and informs the rationale behind the IRS’ decision to use ID.me in the first place.

    Fraud, one of the core topics behind Krebsonsecurity, is the real story here.
    It’s the reason the IRS would choose ID.me over Login.gov, because of the way they can use biometrics to flag claims as potentially fraudulent.
    Without making a judgement call as to whether it is worth the risk to Security and Privacy to go with a private company, I can at least understand the decision. And, IMO, I think it’s good they are backtracking and do not exclusively require only ID.me.

    I do bring this up often, but only because it keeps getting ignored, while being a significant reason all this is happening.
    “dozens of states collectively lost tens of billions of dollars at the hands of identity thieves impersonating out-of-work Americans seeking unemployment insurance”. And that’s just unemployment insurance. When looking at all types of fraud, the losses are staggering.

    A federal grand jury returned a 15-count indictment last month against Eric Michael Jaklitsch, 40, of Elizabeth, New Jersey, charging him with wire fraud and aggravated identity theft.
    He tried to claim more than $2.5 million in unemployment benefits in California and caused the state and the federal government to incur actual losses exceeding $900,000.
    An internal investigation conducted by ID.me identified Jaklitsch as a person conducting a fraud scheme and referred the case to federal law enforcement.
    The only way to really catch this kind of fraud is to either force people to show up on camera in-person, or to require live stream video or selfies.

    Unfortunately, non-Security people do not know how biometric face data is being used. Many simply think they are just matching the video/selfie with an ID photo. Nope. They have to match your video/selfie, with the thousands of other video/selfie claimants, to find and flag the fraudsters that keep showing up as different people.
    Since customers no longer can, or are no longer willing, to walk into a building covered with security cameras, Biometrics are the only real alternative for security against this kind of fraud.
    You walk into a bank, you’re on camera. You don’t get a “right to privacy” walking into a bank. You don’t get to demand they scrub their video to blur out your face as you are walking out. Even if you didn’t rob the bank on that visit, they retain your biometric data as long as they want to. They keep footage for “negative matching”. So when they are robbed, they know who came in to case the joint.

    Security (Fraud) is a huge problem. One made much worse by the pandemic. Requiring people to show up in person prevented a lot of fraud and identity theft. The convenience that people demanded over the years is like a drug. Once you experience a quick and easy process, you don’t want to go back. Also, people want Privacy when they receive government benefits and entitlements. The problem is you cannot have it both ways. You cannot receive benefits while remaining anonymous. I’m not talking about 3rd parties here, but rather anonymity from the entity giving you money. Some people want to get tax credits from the government, without the government knowing your face? Sorry, but this has NEVER been the reality. Getting a driver’s license requires taking a photo. International travel requires a photo passport. And throughout most modern history, to do any finance like getting a loan, you showed up in person at a bank.
    The convenience of the Internet, and the respect for Privacy, has enabled fraud at a scale never imagined. Even from across the globe, an identity thief can steal from millions of people. The Security of this system is untenable, and it needed to change. How that happens, I don’t know. But it will come with a sacrifice of Privacy and convenience, despite our addiction to them.
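The 1:N matching the comment above describes (comparing each new selfie against every earlier claimant to spot one face filing under several names) can be illustrated with a small de-duplication routine. This is an added example written for this page, not code from KrebsOnSecurity, ID.me, the IRS or any commenter; it assumes that a face-recognition model has already turned each selfie into a numeric embedding (the three-dimensional vectors below are constructed stand-ins, and the 0.95 cosine threshold is hypothetical) and shows only the detection logic: cluster claims whose embeddings are near-identical, then flag a cluster only when it spans more than one claimed identity, so a legitimate person who files twice under the same name is not flagged.

```python
"""Toy 1:N biometric de-duplication over constructed face embeddings.

Added example for this page; not ID.me's, the IRS's or any commenter's code.
Assumes a face model has already produced one embedding vector per selfie.
"""
import math
from itertools import combinations

# Constructed sample data: (claim id, claimed identity, hypothetical embedding).
# c1, c3 and c4 are the same face; c3 claims a different name than c1/c4.
CLAIMS = [
    ("c1", "alice", (0.98, 0.10, 0.05)),
    ("c2", "bob",   (0.10, 0.97, 0.12)),
    ("c3", "carol", (0.97, 0.12, 0.08)),  # same face as c1, different identity
    ("c4", "alice", (0.96, 0.09, 0.10)),  # same face and same identity: legitimate repeat
    ("c5", "dave",  (0.05, 0.08, 0.99)),
]

# Hypothetical similarity threshold; real deployments tune this against
# false-match vs. false-non-match rates for the specific face model.
THRESHOLD = 0.95


def cosine(a, b):
    """Cosine similarity between two embedding vectors (1.0 = identical direction)."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(x * x for x in b))
    return dot / (norm_a * norm_b)


def cluster_by_face(claims, threshold):
    """Union-find over all claim pairs whose embeddings meet the threshold.

    Returns a list of clusters, each a sorted tuple of claim ids.
    """
    parent = {cid: cid for cid, _, _ in claims}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    # 1:N comparison: every claim is compared against every other claim.
    for (id_a, _, emb_a), (id_b, _, emb_b) in combinations(claims, 2):
        if cosine(emb_a, emb_b) >= threshold:
            parent[find(id_a)] = find(id_b)

    groups = {}
    for cid, _, _ in claims:
        groups.setdefault(find(cid), []).append(cid)
    return sorted(tuple(sorted(g)) for g in groups.values())


def flag_multi_identity(claims, threshold=THRESHOLD):
    """Flag clusters in which one face is attached to more than one identity.

    Returns a sorted list of (claim ids, identities) tuples. The output is a
    lead for human review, not proof of fraud: near-duplicate embeddings can
    also come from twins, poor image quality or model bias.
    """
    identity_of = {cid: ident for cid, ident, _ in claims}
    flagged = []
    for group in cluster_by_face(claims, threshold):
        identities = tuple(sorted({identity_of[cid] for cid in group}))
        if len(identities) > 1:
            flagged.append((group, identities))
    return sorted(flagged)


if __name__ == "__main__":
    for claim_ids, identities in flag_multi_identity(CLAIMS):
        print(f"review: claims {claim_ids} share one face but claim {identities}")
```

On the constructed data the routine flags the cluster `("c1", "c3", "c4")` with identities `("alice", "carol")` and leaves `bob` and `dave` alone; raising the threshold toward 1.0 reduces false matches at the cost of missing real repeat filers, and the opposite holds when lowering it, which is why such a score is a triage signal rather than an automatic denial.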

Comments are closed.