Beautiful Virgin Islands

Wednesday, May 13, 2026

The IRS is working with a startup called ID.me that stores the 'inferred citizenship' of some users. That creates a huge new pool of personal data for police and other authorities to tap into.

Observers worry how much information ID.me collects and how willing the company seems to be to share it with authorities when asked.

A possible collaboration between the Internal Revenue Service and a startup called ID.me is alarming privacy experts and civil-rights advocates who say the partnership will create a massive new pool of sensitive personal data that could be tapped by the police, immigration enforcement, and other authorities.

ID.me verifies people's identities by asking them to upload information, including their Social Security number, a selfie, and pictures of a government-issued ID. It then uses facial recognition and "liveness detection" on the pictures, and compares the submitted information to data from "telecommunications networks, credit card bureaus, financial institutions," and other sources, according to its privacy policy.

The company also stores the "inferred citizenship" of some users "based on passport information," along with facial images, voiceprints, location data, and information from documents such as postal addresses, Social Security numbers, driver's license numbers, passport-card numbers, and more, according to the policy.

Last month, the IRS said it would start requiring people logging into their accounts on the IRS website to use ID.me to verify their identities. The agency is considering alternative providers, but if the deal goes through, it would likely add millions to the company's user base, which already exceeds 60 million members. The technology is now used for identity verification to access benefits in 27 states.

What really worries observers is how much information ID.me collects and how willing the company seems to be to share that with authorities when asked.

"It feels like the IRS has integrated this service into its website without a lot of vetting or really necessarily thinking through these issues," Jeramie Scott, a senior counsel for the Electronic Privacy Information Center, told Insider.

The company states in its privacy policy that it will "access, preserve and share" personal information with law enforcement if asked. "We reserve the right to disclose your Personally Identifiable Information as required by law and when we believe that disclosure is necessary to protect you, our rights and/or comply with a judicial proceeding, court order, or legal process," ID.me writes.

Big Tech platforms, including Google, Facebook, and Apple, host billions of pieces of personal data and are regularly subpoenaed by law-enforcement agencies. These companies often comply, but they also push back sometimes. For instance, Apple has fought law-enforcement requests to unlock the iPhones of some suspects.

Samir Jain, director of policy for the Center for Democracy & Technology, told Insider that the way ID.me talks about law-enforcement compliance is broader than other companies and implies that ID.me can and will comply with police requests voluntarily, even when it's not strictly required by law or court order.

"You read a lot of privacy policies and they say, 'warning, that data we collect will be provided to law enforcement where the law requires it,'" Jain said. "Their privacy policy says, 'We will comply with this request voluntarily where the law doesn't prevent it.' Basically, putting the world on notice that they're going to voluntarily cooperate with law enforcement in sharing of people's data."

Patrick Dorton, who works for a PR firm ID.me hired, said biometric data "is not shared with the IRS or any government agencies absent the receipt of a subpoena or as part of an investigation into an identity theft or fraud case only at the specific agency where the ID.me account was involved."

He did not address several specific questions from Insider, including under what circumstances ID.me would push back against a law-enforcement request like a subpoena, how many times ID.me has complied with law-enforcement requests, and whether ID.me would push back on a hypothetical request from Customs and Border Protection for the data of all ID.me users who are inferred noncitizens.

There are US laws that limit the collection of personal data in certain circumstances. One federal law prevents the Department of Homeland Security from routinely accessing people's tax returns.

Jay Stanley, a senior policy analyst for the American Civil Liberties Union, told Insider that this law — Title 26, Section 6103 of the Internal Revenue Code — generally applies to information submitted to the IRS as part of the tax-filing process.

But ID.me technically isn't part of the tax-filing process. Rather, it would act as an identity confirmation tool for logging into an IRS.gov account. This could lead the DHS to believe that ID.me isn't subject to the law.

"Ideally, the law would cover the biometric data and other personal information collected by ID.me, and generally prevent that information from being disclosed to a law enforcement agency like DHS," Stanley said. "It's not completely clear to me that it does. And consequently, it likely means that DHS would interpret it as not covering this particular information." DHS did not respond to a request for comment on Thursday.

The IRS code has exemptions that allow DHS agencies to access people's tax-return information, but only under extreme conditions, such as when a person is under investigation for tax fraud.

A 2018 letter from the ACLU to the Social Security Administration argued that "immigration enforcement" isn't a legal exemption that would permit sharing data with DHS. "The strict confidentiality of tax returns and related return information is critical to encourage and ensure public compliance with the federal tax laws," the letter said.

The IRS spokesperson Robert Marvin said a lack of funding for IT modernization has made it impossible for the IRS to invest in state-of-the-art technology.

"The IRS today uses third-party service providers to validate the identification of individuals attempting to improperly gain access to taxpayer accounts," Marvin added in a statement that he asked to be attributed to the US Treasury Department. "This includes ID.me, which is compliant with the National Institute of Security Technology standards and used by multiple agencies across the government."

The Treasury Department recently said it was looking into alternatives to ID.me for the IRS after Bloomberg reported that some people have been unable to get unemployment benefits due to problems using ID.me's service. A Cyberscoop article also showed that ID.me misrepresented how it uses facial recognition. The company claimed to do one-to-one face matching, such as determining whether a selfie matches a driver's license provided by a user. In fact, it uses a method known as one-to-many matching, which compares images to a stored database of photos, but ID.me hasn't disclosed how many images it has or how it got them.

"We shouldn't be required to trust that ID.me will push back on those kinds of requests if they receive them," said Scott from the Electronic Privacy Information Center. It's critical for government agencies to evaluate any company they may work with, especially what data the company is getting, and how it can use or disclose that information, he added.

The IRS' evaluation of ID.me "really isn't being done appropriately," Scott said.