Taxpayers, lawmakers and digital privacy advocates rebelled earlier this year when the IRS announced plans to require taxpayers to upload selfies if they wanted online access to their tax records. The selfies were needed by an identity verification service, ID.me, to compare with applicants’ government-issued ID photos, the IRS said.
Following an outcry from both sides of the political spectrum, the IRS responded by making the selfie uploads optional and requiring the service, ID.me, to automatically delete them once the verification process is complete.
Yet dozens of states, including Florida, that contracted with ID.me to conduct identification verification of applicants for unemployment benefits, have not followed the IRS’ lead and continue to require applicants to upload selfies that remain on ID.me’s servers for years unless users Specifically ask for them to be deleted.
That doesn’t sit well with privacy advocates and several members of the US House of Representatives who announced an investigation into ID.me’s retention policies and accuracy of its verification process. In a letter to ID.me’s CEO, members of the House Oversight Committee and a subcommittee on the coronavirus crisis asked ID.me to turn over a long list of data collected while registering 73 million users for 10 federal agencies and benefits programs operated by 30 states.
The letter, signed by Democrats Carolyn Maloney of New York and James Clyburn of South Carolina, concerns about accuracy issues involving minority applicants, reported delays, reasons for rejections, numbers of complaints and policies for retention of uploaded images.
In Florida, critics wonder why it’s OK for the Department of Economic Opportunity to require applicants for unemployment benefits to upload selfies to ID.me if IRS taxpayers are allowed to opt out.
Rather than end the requirement, the department has hired a second identity verification firm that collects selfies from a small percentage of applicants for pandemic-related mortgage and utility assistance.
Caitlin Seeley George, spokeswoman for the Boston-based digital rights advocacy group Fight for the Future, says it’s not OK for governments — federal, state or local — to continue using facial recognition technology for any purpose.
“We were glad to see the outburst [of opposition] when the IRS was using this tool requiring millions of Americans to submit their biometric information,” she said. “But at the same time, it’s also unacceptable to require it for people to have unemployment access benefits, veterans or any information from the government. No one should have to go through this.”
ID.me says its system has stopped billions of dollars in unemployment fraud and expedited benefits for applicants mistakenly flagged as high-risk. Of 52,000 applications flagged by Florida officials in July 2020, ID.me was able to quickly verify 11,828 of the applications as legitimate and get them processed within 24 hours, the company said.
“Without ID.me, the process of manually verifying these claims would have taken months,” said ID.me spokesman Patrick Dorton.
Emilie Oglesby, spokeswoman for Florida’s Department of Economic Opportunity, said an estimated $23.1 billion in “potentially fraudulent payments” have been prevented since March 2020, “through the current process with ID.me and other fraud prevention measures.”
ID.me says all of its practices adhere to identify verification guidelines developed by the federal government during the Obama administration.
The US House members’ letter, however, cited a May 2021 television news report of Florida applicants “being locked out of their unemployment accounts for up to six weeks” after registering through ID.me’s system, “with bills piling up in the interim. ”
Responding to a question from the South Florida Sun Sentinel asking why unemployment benefit applicants were still required to submit selfies after the IRS eliminated the requirement, Oglesby said, “The security of [applicants’] Information is a top priority for the department, and DEO is working with all of its contractors to provide options to Floridians to use more than one means to verify their identity, because ultimately the security of Floridians’ personal information has to remain at the forefront of every decision we make.”
The state uses ID.me to verify identities, Oglesby said, “because upon accessing [an unemployment assistance] account, claimsants have access to sensitive personal information, including banking information, and receive direct payments through the program, which creates a unique need for fraud prevention to protect Floridians.”
State House member Anna Eskamani, a Democrat from the Orlando area, said requiring biometric identity verification raises a host of privacy and equality concerns. Not only is it worrisome that no state law prevents companies from storing photos in a database and selling them to commercial entities or law enforcement agencies, it’s also unfair to people who, because they might be poor or elderly, don’t own smartphones or phones. with high-quality cameras, she said.
ID.me’s Dorton says the company never releases personal data to a third party without the owner’s informed consent. And he said the company can get benefits more quickly to applicants who are unbanked, live overseas, are homeless, or have no credit histories using tools that traditional verification services operated by credit bureaus do not provide.
Despite the IRS’ about-face and pledge to transition away from ID.me after the current tax season, taxpayers are still offered ID.me as a way to establish an online account. Users who choose to register through ID.me but don’t want to upload a photo must still participate in a live face-to-face video chat with a customer service agent who will compare their video image to their government issued ID card.
The main difference between the two forms of verification, the company said, is that one uses algorithms and artificial intelligence to verify matches while the other relies on a human’s eyeballs.
Yet Florida and most other states that contract with ID.me have not required IDme to automatically delete images of unemployment. applicants from its database — probably because Florida wants to preserve evidence for its investigations of benefits fraud, the company said.
Unless they request deletion, their photos won’t be deleted for three years — and then only if their ID.me accounts become inactive. The rest will be saved indefinitely, the company said.
Department spokeswoman Oglesby did not respond when asked what assurances the state has that images stored by ID.me will be treated responsibly by the company.
Nor has Florida followed the IRS’ lead by giving users the option to forego uploading a selfie and instead request verification through a video chat, the company said. In Florida, applicants are given that option only if ID.me’s algorithm fails to match their selfie to their ID photo.
After the IRS controversy erupted, ID.me decided to give all users the option to log onto its website and request deletion of their selfies, Dorton said.
“Our customers and the public asked for more options to choose the verification pathway that works best for them. We moved swiftly to accommodate those requests. As of March 1, any user was able to go to the ID.me website and delete their selfie. The deletion will take place within seven days.”
Video chats, however, are recorded and stored by the company and users have no option to request their deletion under current federal guidelines that regulate how the company collects, compares, and stores its data, the company said.
US House members investigating ID.me said they were also concerned about “the large volume of data that ID.me regularly misidentifies as fraudulent” in light of studies showing that African Americans and Asians are “up to 100 times more likely” than white men to be misidentified by some facial recognition systems.
Dorton defended ID.me’s identity matching algorithms as “exceptionally accurate with incredibly small variation across demographic groups and skin color.”
In its letter to ID.me’s CEO, the House members said ID.me has not made evidence of its accuracy claims available for public review.
Another identify verification firm, Socure, was hired in July by Florida’s Department of Economic Opportunity, to verify identities of applicants to the state’s federally funded $676 million homeowner assistance fund.
Among the services that Socure agreed to provide, according to the contract, is one called Document Verification, which Socure’s website describes as using selfies to verify IDs during user onboarding. A photo of a smartphone selfie illustrates the description page.
Homeowner Assistance Fund are not being asked to upload selfies to be eligible for up to $50,000 in mortgage and utility assistance because, unlike unemployment clients, they cannot access sensitive personal information, including banking information, or receive direct payments through the program, department spokeswoman Oglesby said. Financial help approved through the program is paid directly to mortgage holders or utilities, she said.
However, selfies are required for applicants “who do not pass the initial verification process,” she said. So far in the application process, 4% have been rejected and asked to submit selfies, she said.
“The small percentage of applicants who do not pass the initial verification process are asked to complete a secondary fraud prevention measure in which a selfie is used to compare the applicant to their photo identification,” she said. “The use of this measure ensures that Floridians in need have inclusive access to the program while also prioritizing the security of their information.”
Updated tallies released by the department on Friday show 24,730 registrations have been submitted to date, and 5,170 applications have been completed. If 4% of 24,730 applications fail the initial verification process, that would mean about 990 will be asked to submit selfies.
Eskamani said she’d like to see biometric data collection and storage addressed in a digital privacy bill that passed the state House twice but hasn’t made it out of the Senate.
“There are no guard rails in state law to dictate how the data is stored,” she said. “There are no mandates to protect the data. It would be important to set those standards as well as consequences for violations.”
Ron Hurtibise covers business and consumer issues for the South Florida Sun Sentinel. He can be reached by phone at 954-356-4071, on Twitter @ronhurtibise or by email at email@example.com.