Some of the more tech-savvy Democrats in the U.S. Senate are asking the Federal Trade Commission (FTC) to investigate identity-proofing company ID.me for “deceptive statements” the company and its founder allegedly made over how they handle facial recognition data collected on behalf of the Internal Revenue Service, which until recently required anyone seeking a new IRS account online to provide a live video selfie to ID.me.
In a letter to FTC Chair Lina Khan, the Senators charge that ID.me’s CEO Blake Hall has offered conflicting statements about how his company uses the facial scan data it collects on behalf of the federal government and many states that use the ID proofing technology to screen applicants for unemployment insurance.
The lawmakers say that in public statements and blog posts, ID.me has frequently emphasized the difference between two types of facial recognition: One-to-one, and one-to-many. In the one-to-one approach, a live video selfie is compared to the image on a driver’s license, for example. One-to-many facial recognition involves comparing a face against a database of other faces to find any potential matches.
Americans have particular reason to be concerned about the difference between these two types of facial recognition, says the letter to the FTC, signed by Sens. Cory Booker (D-N.J.), Edward Markey (D-Mass.), Alex Padilla (D-Calif.), and Ron Wyden (D-Ore.):
“While one-to-one recognition involves a one-time comparison of two images in order to confirm an applicant’s identity, the use of one-to-many recognition means that millions of innocent people will have their photographs endlessly queried as part of a digital ‘line up.’ Not only does this violate individuals’ privacy, but the inevitable false matches associated with one-to-many recognition can result in applicants being wrongly denied desperately-needed services for weeks or even months as they try to get their case reviewed.”
“This risk is especially acute for people of color: NIST’s Facial Recognition Vendor Test found that many facial recognition algorithms have rates of false matches that are as much as 100 times higher for individuals from countries in West Africa, East Africa and East Asia than for individuals from Eastern European countries. This means Black and Asian Americans could be disproportionately likely to be denied benefits due to a false match in a one-to-many facial recognition system.”
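The scaling behind the letter’s false-match concern, worked through as an added example (it is not from the article, the letter or ID.me). The per-comparison false match rate of 1e-6, the gallery sizes and the independence of comparisons are assumptions made for illustration; the 100x multiplier is the NIST figure quoted above.

```python
import math

# Assumed values for illustration; none are ID.me's or NIST's measured rates.
BASELINE_FMR = 1e-6                      # assumed per-comparison false match rate
DISPARITY = 100                          # "as much as 100 times higher" (quoted in the letter)
GALLERY_SIZES = (1, 10_000, 1_000_000)   # 1 is the one-to-one case


def p_any_false_match(fmr: float, gallery_size: int) -> float:
    """Chance that one applicant falsely matches at least one of
    gallery_size other people, assuming independent comparisons."""
    if not 0.0 <= fmr < 1.0:
        raise ValueError("fmr must be in [0, 1)")
    if gallery_size < 0:
        raise ValueError("gallery_size must be non-negative")
    # 1 - (1 - fmr)^N, computed stably for very small fmr and large N.
    return -math.expm1(gallery_size * math.log1p(-fmr))


def expected_false_candidates(fmr: float, gallery_size: int) -> float:
    """Average number of wrong candidates returned per one-to-many search."""
    return fmr * gallery_size


def max_gallery_for_risk(fmr: float, max_risk: float) -> int:
    """Largest gallery for which an applicant's false-match risk
    stays at or below max_risk."""
    if not 0.0 < fmr < 1.0 or not 0.0 < max_risk < 1.0:
        raise ValueError("fmr and max_risk must be in (0, 1)")
    return math.floor(math.log1p(-max_risk) / math.log1p(-fmr))


def compare_groups(baseline_fmr=BASELINE_FMR, disparity=DISPARITY,
                   gallery_sizes=GALLERY_SIZES):
    """Per-applicant false-match risk for a baseline group and for a
    group whose per-comparison rate is `disparity` times higher."""
    rows = []
    for n in gallery_sizes:
        rows.append({
            "gallery_size": n,
            "baseline_group": p_any_false_match(baseline_fmr, n),
            "higher_fmr_group": p_any_false_match(baseline_fmr * disparity, n),
        })
    return rows


if __name__ == "__main__":
    print(f"{'gallery':>10} {'baseline':>12} {'100x group':>12}")
    for row in compare_groups():
        print(f"{row['gallery_size']:>10} "
              f"{row['baseline_group']:>12.6f} "
              f"{row['higher_fmr_group']:>12.6f}")
    print("gallery size keeping risk <= 1%:",
          max_gallery_for_risk(BASELINE_FMR, 0.01), "(baseline),",
          max_gallery_for_risk(BASELINE_FMR * DISPARITY, 0.01), "(100x group)")
```

Under these assumptions a one-to-one check leaves the per-applicant risk at the raw false match rate, while a one-to-many search multiplies the opportunities for error by the size of the gallery, so the group with the higher rate reaches a given risk level with a gallery one hundredth the size.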
The lawmakers say that throughout the latter half of 2021, ID.me published statements and blog posts stating it did not use one-to-many facial recognition and that the approach was “problematic” and “tied to surveillance operations.” But several days after a Jan. 16, 2022 post here about the IRS’s new facial ID requirement went viral and prompted a public backlash, Hall acknowledged in a LinkedIn posting that ID.me does use one-to-many facial recognition.
“Within days, the company edited the numerous blog posts and white papers on its website that previously stated the company did not use one-to-many to reflect the truth,” the letter alleges. “According to media reports, the company’s decision to correct its prior misleading statements came after mounting internal pressure from its employees.”
Cyberscoop’s Tonya Riley published excerpts from internal ID.me employee Slack messages wherein some expressed dread and unease with the company’s equivocation on its use of one-to-many facial recognition.
In February, the IRS announced it would no longer require facial scans or other biometric data from taxpayers seeking to create an account at the agency’s website. The agency also pledged that any biometric data shared with ID.me would be permanently deleted.
But the IRS still requires new account applicants to sign up with either ID.me or Login.gov, a single sign-on solution already used to access 200 websites run by 28 federal agencies. It also still offers the option of providing a live selfie for verification purposes, although the IRS says this data will be deleted automatically.
Asked to respond to concerns raised in the letter from Senate lawmakers, ID.me instead touted its successes in stopping fraud.
“Five state workforce agencies have publicly credited ID.me with helping to prevent $238 billion dollars in fraud,” the statement reads. “Conditions were so bad during the pandemic that the deputy assistant director of the FBI called the fraud ‘an economic attack on the United States.’ ID.me played a critical role in stopping that attack in more than 20 states where the service was rapidly adopted for its equally important ability to increase equity and verify individuals left behind by traditional options. We look forward to cooperating with all relevant government bodies to clear up any misunderstandings.”
As Cyberscoop reported on Apr. 14, the House Oversight and Reform Committee last month began an investigation into ID.me’s practices, with committee chairwoman Carolyn Maloney (D-N.Y.) saying the committee’s questions to the company would help shape policy on how the government wields facial recognition technology.
A copy of the letter the senators sent to the FTC is here (PDF).
ID.me is a trusted VA partner and 1 of only 4 Single Sign-On providers that meet the U.S. government’s most rigorous requirements for online identity proofing and authentication. ID.me provides the strongest identity verification system available to prevent fraud and identity theft. Feb 18, 2022
Privacy And Security On VA.gov | Veterans Affairs
https://www.va.gov/resources/privacy-and-security-on-vagov/
This function should have been performed by Login.gov, even if an extension of their capabilities was required, instead of IRS lazily giving the contract to ID.me.
Correcting my typo: VA and IRS
Full agree.
Long past time for all these systems to be communized on a common platform with best practices across the board and a robust update and maintenance program.
Seems better to have a single point of failure, that failure mitigated by investment in heavy monitoring and maintenance, than a thousand different systems half-assedly maintained and user unfriendly.
Whether one agrees with your assertion or not, stating it is “Long past time for all these systems to be *communized* on a common platform” may not be the best way to make your case, particularly in non-communist countries. 😉
ID.me is not a reputable company participating in forced/coerced experimental drugs including the covid19 vaccine.
Another conspiracy Q an-n nut
Hahah – another double-masked moron heard from
regoda9423
covid vax is fully approved now, not emergency.
Maybe the evaluation criteria need to be expanded.
Are you a press release?
Unless, of course, the user is black or Asian.
Claiming to prevent fraud while also committing it… The (alleged) hypocrisy here is indefensible. Particularly in a role as a validator of identity and trust, and even more so when in support of government services, the organizational and process integrity must be fully transparent and of the highest ethical standards.
What a scam! The price of getting access to your government in the form of the IRS is a digital shakedown with no reasonable limit to how that access can be denied by these very “righteous” business persons just trying to make a compulsory buck out of the public.
The way I found out about this group of “entrepreneurs” is by following up on a notice from the IRS that someone had filed for a tax refund under my name. But this group of “wise persons”, in the name of patriotism and making a buck, were placed as gatekeepers on behalf of the IRS. Until ID.Me was satisfied in their own way with required scan quality, they assured me that I would be unable to find out what the IRS notice was all about.
Big brother is so wonderful, especially when supported by the righteous patriots scamming new technology gimmicks to “save taxpayers resources”. Like expenditures for federal employees that can answer a phone and various relevant questions about the notices that the IRS itself actually sends out.
The bigger question on this:
1. What do they do with this data?
2. How are we guaranteed that this data isn’t leaked?
3. What happens to the business if it does get leaked? (Do we get the ceo thrown in jail?) What’s their incentive to actually do a good job with this?
4. What assurances(and protection for assurances) do we get to force them to wipe our personal data?
4.1 What is the evidence that is given to demonstrate that they don’t have it?
5. What happens to the derivative data from this? I.e. Face geometry?
6. Who do they sell the data to? (In the US it’s probably unreasonable to assume that who might they sell it to.. it’s probably safe to assume they already have)
There’s an interesting contradiction here in their privacy policy https://www.id.me/privacy which states
10. Additional Information If You Are Located In California
Residents of California. Pursuant to the California Consumer Privacy Act of 2018 (CCPA), residents of California are entitled to additional rights and disclosures regarding their Personal Information. Please see our Notice to California Residents for additional information regarding these disclosures and how to exercise your rights.
So to get the data at https://account.id.me/california you are told
You’ll need to verify your personal information in order to continue with the request. We do not hold information on users who do not have an account with ID.me.
If there is photo matching for new applications, then clearly they DO hold information on users who do not have an account with ID.me.
No, they would get the photo at time of application from public domains.
No, ID.me (maybe still is) was using Amazon’s one-to-many Rekognition technology.
https://www.theregister.com/2022/05/18/senate_ftc_idme/
So… is the photo uploaded by each new application to ID.me also added to Amazon’s Rekognition database as part of the one-to-many arrangement?
“… including that it would be stored in a database and cross-referenced using facial recognition _whenever new accounts were created in the future_”
Does ID.me use external databases or public photos in your 1:many matching?
No. The 1:many is internal to ID.me and does not involve any external or government database. It occurs once during enrollment, and exists to make sure a single attacker is not registering multiple identities. The selfie is turned into a mathematical representation of a face and then compared against multiple accounts to see if a single person has registered multiple different identities that do not belong to them.
PD databases are public domains they can access and they admitted they have “optional” extra checks for law enforcement but were deliberately vague about use cases.
“ID.me confirmed Thursday in an email to CyberScoop that the company uses Amazon’s Rekognition facial recognition product.”
https://www.cyberscoop.com/id-me-ceo-backtracks-on-claims-company-doesnt-use-powerful-facial-recognition-tech/
right, they have been using Amazon’s recognition SERVICE to process their own INTERNAL DATABASE of images.
As always, appreciate these articles. I’m also extremely frustrated in general with how the average American’s privacy is often an afterthought. My question is why the entire Senate hasn’t signed this letter? Why only four?
Because the others don’t think it matters, having adopted a millennial-style attitude that a person’s privacy is an outdated & over-rated commodity
And perhaps because they know it’s a can of worms they don’t want to touch once they begin to explain how ignorant they really are
You can tell when they try to avoid the issue by insinuating that they must have missed that particular memo while being busy doing adult things…
“NIST’s Facial Recognition Vendor Test found that many facial recognition algorithms have rates of false matches that are as much as 100 times higher for individuals from countries in West Africa, East Africa and East Asia than for individuals from Eastern European countries.” – Isn’t this like saying that NTSB found that many cars aren’t that safe? What specific algorithm is being used by ID.me and what is that false rate?
It says a bit more than that, even without any concrete numbers. It says the software was written to recognize white faces, and thus white Americans have more access to the IRS than other Americans. That’s pretty obviously a problem, even without any algorithms or rate numbers.
or even AI thinks they all look alike… facial recognition systems built by asians in china suffer from the same “issue” but god forbid suggesting the problem is with the faces (inbreed much?)
It says more, even without information on the algorithm and specific rate numbers. It says that the software recognizes white faces best and thus white Americans have better access to the IRS than Black and Asian Americans. That’s a problem, even without knowing the specifics.
I refreshed, honest! Sorry for the double post.
“Oh, we can’t tell you _that_. That’s company IP.”
The federal government is constantly described as incompetent for not stopping a certain level of criminality that occurs in any federal program. If they chose to do what it takes to stop that criminality, they would be described as orwellian for demanding clear and visible photos from the entire population that they could use for training data (like passports use, for example). So the best they have to train on is whatever they can get in publicly available databases, and probably some private social media data. That data has biases. But the situation the feds are in has more to do with the various competing interests who curiously seem to be populated by the same people who simply enjoy whining about ‘tha gubmint’.
Curious that you missed the entire discussion where the technology is ineffective and doesn’t adequately address the task it was employed to manage: matching one single photo with a known Id. Instead, it’s being illegally used as a surveillance tool repeatedly scanning photos fraudulently obtained using ML algorithms that have high rates of failure. That violates the equal protection clause, the Fourth Amendment, as well as various anti-discrimination laws for equal access to government services due to the inability to reverse inaccurate adverse decisions.
The problem is endemic with the field. All facial rec algorithms display severe bias towards the majority racial type in the regions they’re utilized. Chinese algorithms can’t easily detect non-Han characteristics. In the US, it’s white European descendants: Negroid, Mongoloid, and others are misidentified. European algorithms show the exact same biases. This means these technologies should not be used in any form as a gatekeeper to vital government services or criminal searches till the accuracy is near 100% with a robust and easy way to challenge false identification. Otherwise, civil rights will be violated which is abhorrent to the principles the country is supposedly founded on.
A federal grand jury returned a 15-count indictment last month against Eric Michael Jaklitsch, 40, of Elizabeth, New Jersey, charging him with wire fraud and aggravated identity theft.
He tried to claim more than $2.5 million in unemployment benefits in California and caused the state and the federal government to incur actual losses exceeding $900,000.
An internal investigation conducted by ID.me identified Jaklitsch as a person conducting a fraud scheme and referred the case to federal law enforcement.
This is the benefit of One-to-Many face recognition.
The criticisms of biometrics of not being perfect, is only a criticism of using biometrics in an automated way. But to use it to flag a few attempts to claim benefits, for manual review, is very effective.
Identity thieves like Eric Michael Jaklitsch put themselves at great risk of getting caught, every time they have to go on camera for a live session, pretending to be someone else. The more they try to claim, the higher the risk. Without biometrics, and to appease everyone’s privacy concerns… makes the process very easy for fraudsters to keep doing it.
It was wrong to lie about it, and even though it can be problematic for some, I still think one-to-many facial recognition is something that is needed.
Millions of dollars have been recovered from arrested fraudsters, which would otherwise be left to taxpayers.
one-to-one isn’t going to stop fraud, as anyone can get a fake id that is convincing when photocopied.
you have to check an applicant’s face against many people who have already applied so you can see if it could be the same person making multiple claims over and over again.
Two thoughts:
1. Consider the massive incentives — financial and reputational — to fudge statements about these policies. The public might be reassured that “your facial image” (or “the image you upload”, and so on) won’t be compared with another. However, every firm in this space would scan and extract the facial geometry data. They don’t compare your “face” — they compare that derived data. They can honestly say “We’ve deleted all images” and still do all the same searches! Yes, that would be deeply dishonest — but it’s the kind of mental gymnastics bad actors employ when they get caught out of bounds. All the assurances in the world won’t matter if they’re couched in deniability.
2. That internal Slack channel’s gonna have some new use policies by later today, don’t ya think?
I would be fine with someone keeping my “facial geometry”. I think if people saw the raw biometric data and how it doesn’t look like a face, they would not be freaked out nearly as much.
What it looks like is not really the point. The point is what it does.
There are obvious problems which act to coerce persons such as taxpayers to use this system.
A recent notice from the IRS stated that another person had filed for a tax refund under my name, with no further information.
In order to find out simply what the issues were and whether I needed to reply in any formal way, the IRS claimed that I had to submit an acceptable scan involving equipment capable of doing this, then wait for approval from ID.Me prior to gaining access to the IRS simply to ask them what their notice was about.
ID.Me was not cooperative or easy to deal with.
This is just a suggestion of how this system will be used to replace employees actually able to make sense of the IRS system to the public.
Although I tried to complete the scan process, after much effort there was no success or acceptance from ID.Me. Will the public be expected to work with its own government more and more in this fashion simply to respond to the government’s own notices?
The key issue is access to the IRS or other government offices: Will it more and more be channeled through intermediaries using suspect technology, acting anonymously?
YES!!!!!!!!!
They’ll just say you can fulfill your tax obligations via USPS instead. Optional service extra.
Fascism.
ID.me is not a reputable company. Coercion of biometric data.
It’s about time. Soon after I completed the process, I started to receive a LOT of spam from this company that had nothing to do with why I gave them my personal info in the first place. When I did it, enrolling this way was the ONLY option otherwise I would have taken another choice.
Who ever thought it was appropriate for a 3rd party to be the identity gateway between me and my government?
I needed my IRS transcripts and still had the old IRS login account but after logging in they insisted on the IDme to download the docs so I had them mail the transcripts instead. So much easier using USPS.
Well, at least we have a second option with Login.gov, for when ID.me gets breached. Not a good idea to put all the eggs in one basket, as babies in the US now well know…
I’m having problems with my id.me account for like 5 months now I can’t receive my unemployment economy payments because of id.me
The biggest reason I can think of that the id.me scan fails, because this happened to my mother, is that something in the metadata of the identification document doesn’t match current records. For instance, the address on a driver’s license doesn’t match IRS records.
My mother lives in PA, and when she moved recently, instead of giving her a new license, they gave her a piece of paper stating they knew she moved – or some other bs like that.
Fast forward to her trying to claim unemployment benefits, and her scan of the front and back of the driver’s license failed for the next 4 weeks while she attempted to contact the ID.me and PA unemployment persons. She could not find a physical building to visit with Unemployment personnel present, and ID.me only had FAQs for her with a statement to contact the office of the agency she was directed to get the scan for. When she opened a support case with the unemployment office, they couldn’t help her with the ID.me scan process.
The resolution was getting a new drivers license with correct data, but 6 weeks had gone by. At 4 weeks, she complained to me about the system, after her attempts to follow the process consistently failed.
When I watched the scan and upload process, I realized it was her address causing the failure, which wasn’t apparent to her because, hey, the error didn’t tell her the REASON the scan failed, and the state didn’t give her a new ID to begin with, probably to save money. She was quitting even trying after failing to reach a human who could help her.
Citizens and government systems aren’t ready for this.
My tax return is still being processed after almost 2 months. Didn’t receive no letter in the mail. Called IRS waited over an hour on phone when I did eventually get thru after several failed attempts. For the lady to say they need to verify me. How you ask good ole ~id.me~ in which I already had an account. If I wouldn’t have called I’d still be waiting for nothing. Now choice to scan my face or wait hours for u to facetime a person working. After trying & waiting to facetime & them logging me out I really DID NOT WANT TO do scan. I literally had NO CHOICE if I want my return. Oh yeah now I have up to NINE 9 WEEKS to wait for it. Yeahy sucks bc was depending on that for bills but the Lord will provide.
Is not the IRS underfunded? Outsourcing a function integral to an organisation does not cost less. Follow the money. If id.me is authenticating at a cost less than what the IRS can do internally, then how? Is id.me making money from access to the information somehow? My gut tells me yes.
You’ve got the wrong gut feeling. 9 times out of 10, outsourcing to 3rd parties saves money. Whether government or private sector. It’s the whole reason so many companies “move to the cloud”. It’s usually cheaper to outsource to a company that specializes. Identity and Access Management is a huge business. ID.me for all of its flaws, is the leading vendor in this space.
Government can’t do anything cheaper than the private sector. Yeah, it’s all about the money, tax payer money. The IRS is underfunded, and hemorrhaging money from rampant fraud. No wonder they quickly hired an outside professional services vendor to stop the bleeding.
Yemen sana.a
ID.me is a scam and a mess. I hope the company is soon sued in a lawsuit similar to the Illinois Facebook Biometric lawsuit for facial recognition and tagging. I and about 1.6 million other Illinoisans just got $397 each in our bank accounts — thank you, Mark Zuckerberg. I’d like to get another $500 or so from ID.me. My face is my private business, thank you.
I am on hold right now for verification . I ALREADY got my refund why should I do this. I will not make an account with ID.me.
These are the 3 partners being used. Each is using a specific type of technology.
Paravision (1:1), iProov (Presentation Attack Detection) and Amazon Rekognition (1:many)
Through January 25th, 2022 there have been 20,901,406 accounts that have been secured against identity theft with 1:many fraud checks. For every 10,000 identity proofing attempts, on average 8 attempts would have been flagged for review.
Why didn’t ID.me disclose their counter-fraud measures more broadly?
They avoid publishing identity theft countermeasures to the general public as disclosure can jeopardize the effectiveness of our controls while putting real people in harm’s way.
People don’t like that answer. They rather allow identity theft and millions of dollars in fraud, the cost of which is passed to taxpayers.
“It’s been a nightmare. My husband and I would have survived better had our house burned to the ground, or if we had been burglarized or robbed at gunpoint. There would have been less hassle, less stress, and less indignation. It caused the death of our marriage and of everything we’ve known to be safe and secure. I have no hope or faith of trust in anybody anymore.”
ID.me should be investigated and given strict oversight, and then allowed to get back to work protecting identity from theft. If or when login.gov can do this level of fraud prevention, then they can take over.
I don’t understand why there are so many negative comments about ID people first of all try to work on the security of your data, of course the system is not yet fully developed and there are flaws in it, but nevertheless, we should try to be more responsible about this
Because people fear even the smallest chance of privacy being compromised, and don’t much care about the very real and major problem of identity theft.
Having my private data leaked, lost and stolen is not the worst thing that can happen. Having someone USE that private data to steal my identity, open lines of credit, or apply for benefits in my name is the real issue here.
Facepalm. Read it all over again. Start at the beginning.
I agree with James. Even after reading the whole story. The outrage here seems overblown since we know that we’ve been asking for better fraud and identity theft protection.
What you’re saying is you don’t understand that and proffering that nobody should be critical of these actors or their motivations nor implementations because there is a general need for increasing cybersecurity and combatting fraud ongoing. You don’t have to understand if you don’t see it. This is controversial to people who do and they’re not telling you to be quiet just because you don’t.
> nobody should be critical of these actors or their motivations..
I never said that. Just that the outrage here is just overblown. People should be critical yes, but not overreact with ignorant fear. The people who do understand cybersecurity and fraud seem to understand the need for facial recognition, while the people who don’t understand but just fear the government or tech companies seem to be on the side against it.
Why are there no Republican Senators signing off on this letter?
D.me is a trusted VA partner and 1 of only 4 Single Sign-On providers that meet the U.S
Looking more closely at this situation than what this Krebs article provides…. In what I’m reading from the actual sources, the ID.me press article and the linkedIn post both differentiate between verification and non-verification uses of facial recognition, and did from the start. The Id.me article was updated to add additional clarity since reading comprehension seems to go by the wayside when the words “facial recognition” and “government” get used together. Your article is what seems misleading to me.
sigh,,, it’s not the company that needs investigation, it is obviously not a secure system and can never be a secure system – it is the IRS that needs investigating for wanting to use insecure systems to begin with
Why is it “obviously not a secure system”? And if you say, “no system is secure” or “everything is insecure”, then why not investigate everyone for using anything?
Security isn’t the concern, but privacy. In this case, the IRS is trying to “secure” from identity theft by using anti fraud measures that may potentially reduce the “privacy” of the public.
The question becomes, do you value security over privacy? May seem like an easy choice, until you become a victim of identity theft because the IRS wasn’t using every possible means to secure your account.
I worked for a Gov contractor and had my id.me set up with that work (contractor) email as my primary email. I no longer work for that contractor, and I tried to set up a personal id.me account for the IRS account. Once I scanned my license, it denied me stating that I had the work email as a valid email already (keeping facial tech on file much?). Side note, it was a new driver’s license as well.
Now I get to wait to talk to someone some web conference tech to reset this.
When you scan your driver’s license, there’s a lot more data that is checked, besides your photo.
If it matched your current address or even known previous addresses, then it would know your previous email. Getting a new driver’s license does not change all of the backend data that’s stored.
Probably a good thing to protect against identity theft. You wouldn’t want somebody being able to do this on your behalf, would you?
They don’t sound like a good company
Brian, When I go to the IRS site, I only find offered for either new accounts or existing accounts the option of signing up with ID.me – nothing else. Note: Login.gov is, so far, not an option. Was it ever an option? And is it better to wait for another option or simply keep our existing accounts. So far not too keen on ID.me.
You all seemed to have missed the other IRS debacle. The IRS unwisely decided to put every taxpayer’s Title 26 data (federal tax information), every business’s Title 26 data, every non profit org Title 26 data and because of Covid handouts every citizen entitled to stimulus payments even if they never paid a penny of taxes into the Palantir’s Cloud (SaaS) product unencrypted and unaudited. They were warned repeatedly and chose to trust Palantir to do the right thing and protect the data per Title 26, 6103 and IRS PUB 1075 requirements. Shortly thereafter we started seeing massive amounts of Title 26 data hitting the presses at ProPublica.
This is old news. It’s been 10 years that the IRS is using Palantir.
It helps when you understand this is NOT YOUR DATA. It is data “about” you, sure. But just like credit reporting agencies, the data isn’t going to be protected as if it belongs to the individuals.
Just like ID.Me exists because of a huge fraud problem. The IRS will use whatever means they can to fight against tax cheats. Funny enough the rich top 1% who evade and cheat on their taxes are the ones shouting about how the IRS is unconstitutional.