
You'll soon have to prove your identity to a Virginia-based security company called ID.me in order to file a return, check tax records, or make payments on the Internal Revenue Service (IRS) website. Your old username and password credentials -- if they still work -- will stop working in the summer of 2022. [...]
ID.me compares your selfie with your driver's license or passport image to verify you are who you say you are. It might also ask for other documentation, such as a copy of a recent bill. If the system still isn't satisfied, it may even ask you to jump on a video call with a human representative. [...] The company says it's also devised ways for overseas, under-documented, or homeless people to verify their identities.
Uh huh.
ID.me says a total of ten federal agencies use its system, including the Department of Veterans Affairs and the Social Security Administration.
The IRS, of course, is a big agency that deals directly with many millions of individuals and businesses. ID.me will become responsible for a huge amount of personally identifiable information -- at a time when cyberattacks on government networks have become common. Recall the 2015 cyberattack on the United States Office of Personnel Management (OPM), in which cybercriminals gained access to 22.1 million government personnel records, including those of government employees and their families, and people who had undergone background checks. [...]
And ID.me can store tax filers' personal data for up to seven and a half years, the representative tells me in an email. [...]
In the event of a data leak, however, your options for redress are somewhat limited. At the very top of the ID.me terms of service, you'll find an all-caps statement saying that by using ID.me you agree to binding arbitration in the event of a dispute, and waive your right to join a class action against the company.
I first encountered this bullshit a few months ago.
My business, DNA Lounge, tried to apply for the "California Venues Grant Program funded by the State of California and administered by CalOSBA", and we couldn't even begin the application process without me personally submitting to this techbro biometric-harvesting bullshit by ID.me. And I wouldn't do that, so we couldn't apply.
There are many ways to prove who I am to the State of California, and giving my biometric information to some third-party for-profit data-harvester with a Montenegro domain is not an acceptable one.
What’s insane is that login.gov, created all out in the open by 18F, is a thing! But nope they go in with this trash.
And login.gov is... really good! It even supports WebAuthn/Yubikeys, which is basically a lock that your bank hasn't figured out yet. I had to set up an account there to get my Global Entry renewal processed and it was like a breath of fresh air.
ID.me also works with FIDO Security Keys just like login.gov (I don't know if they use WebAuthn or legacy U2F but for this purpose it doesn't matter).
The special sauce is the matching of accounts to specific US citizens. I have a login.gov account, but I'm not a US citizen and I haven't visited the US this century. Which is fine, login.gov doesn't care whether I'm a US citizen. But the IRS certainly does, and ID.me can help them figure out which US citizen the account belongs to, which means there's more chance you get your refund cheque, not some scammer tele-operating a team of mules from overseas.
The original article (not the one our host linked) mentions that several US government services which don't need to be sure exactly who you are offer the choice of login.gov or ID.me while the IRS only offers ID.me.
Being (mostly) self-employed, I make the quarterly payments to the IRS, and IRS Direct Pay is pretty handy for that purpose -- especially since it lets you schedule payments in advance. Looks like I'll be sending them checks in the mail starting sometime later this year.
I also use that service, being partly self-employed.
My logins almost never work two quarters in a row. I inevitably get to a point when I need to have them mail me another Enrollment ID, which sometimes expires by the time it reaches me. This most recent quarter, I tried to phone to see if I could get help logging on or get a reset. The phone queue was over two hours long. So I put in for a callback at the earliest time available (8pm that night), which never came.
I'm sure this new service is going to be so much better. [/sarcasm]
I'm also going to go price checks for my sole's bank account.
As much as I hate the abstract concept, I find their CEO's arguments about why they're better than the previous Direct Pay and alternative possibilities persuasive, especially for the homeless and pre-employment youth.
Cool story that you fell for their marketing propaganda, but under no circumstances should a for-profit data-mining corporation be in the critical path between me and the IRS. Or any government service, mandatory or otherwise. If the government needs an authentication mechanism, they should own one.
Spoiler alert, they already do.
Not arguing the principle, but look at how the login.gov process operates imagining you're homeless.
"Here's a bug, so let's scrap the program and sell out every citizen to a grifter."
Well what's a viable way forward? Has the government ever acquired a vital services startup?
And can we get them to nationalize FICO too? Having credit score computation in private hands seems a whole lot more consequential day-to-day than biometrics.
You can change what accounts you have open & credit cards you use but not your biometrics. Do you get a fee for this?
No I do not get a fee. Equifax, Experian, TransUnion, and PRBC all use FICO scores, which are only disclosed in terms of five broad categories, and not in any way that would allow a consumer to verify they are correct as we are expected to do with financial statements.
You may be shocked to learn that two things can be terrible at the same time: data brokers, and also VCs embedding their biometric-harvesting scam into tax collection.
Jesus Christ, no. Take a look at id-me and imagine the same.
Due to various reasons (read: dumb, unjust, asinine, endlessly complex reasons), I had to log into my SSA account this past weekend. My old login was struck down and they asked me to go through this nonsense. After googling the shit (finding the same article Jamie did, and another puff piece in I think Bloomberg Biz Week). Long story short, I reluctantly used this new service. Multiple attempts to upload a photo of my driver's license eventually worked (sometimes the error was "we couldn't find the photo of your face on the document", sometimes just nothing, a gray screen with no message and no way forward). Once it did accept the photo (one of the two I just kept trying over and over), it all went well enough. The selfie used my MacBook webcam (so you know it was low-res and somewhat fisheyed) to "scan" my face, with a live vector view of my face and flashing colors to verify the bad photo on my ID matched the no-depth-info image they were getting from the 720p sensor... I guess I am white and clean-shaven enough that it all went ok, no need to live-verify with someone in a call center.
For the same dumb reasons I had to go through this, I will have to walk my mom through it at some point soon enough...if she were doing it herself she'd be sunk. How well does their house-of-cards verification work if you're on your own, elderly, non-white, perhaps have a non-photo ID (still a thing in my state, if you've had one forever), have a cheap, broken phone to set up the whole thing, are perhaps homeless, etc, etc. Learning that there already is a government system that they could have used is just the shit on the cupcake. The login.gov system, by the way, looks to be leagues easier. And doesn't involve the value-add libertarian skimmers to get involved.
Login.gov requires a mailing address but Id.me doesn't. Both require a live photo and a photo of photo id by default (Id.me will do a live interview for people without photo ids, or other deficiencies.) Id.me's advance is that you have to rotate your head to prove that you aren't sending in two static photos.
California started requiring id.me for identity in the middle of the Covid epidemic. It didn't go particularly well: https://www.vice.com/en/article/5dbywn/facial-recognition-failures-are-locking-people-out-of-unemployment-systems
Previously
DanHugo:
For whatever that's worth.
Nothing
“we will not use your verification information for any type of marketing or promotional purposes.”
Of course they won’t. That’d be completely contrary to their core business. They’ll “share” it with “selected parameters” who’ll do that. Presumably including their wholly self owned debt collection subsidiary…
I had to do this just over a year ago. It failed initially because they didn't know that voter registration cards had been standardized statewide. Their corporate account was unresponsive on Twitter, but their CEO, @Blake_Hall, was immediately responsive and corrected the issue completely in less than three hours.
well what a coincidence! shilling for this breathtakingly bad idea above, and down here you're on a first-name basis with the ceo. fascinating!
Exchanging five tweets doesn't put me on a first name basis. I've never met any of them in person and I have no financial, familial, or any other relationship with them. If it wasn't clear, my initial interaction with them was extremely unsatisfactory because they failed to research current voter registration forms for the largest state in the US.
The people who matter do all their business via their agents or employees; the little people don't matter. Usual reminder:
https://www.wired.com/1999/01/sun-on-privacy-get-over-it/
Scott McNealy, 1999: “You have zero privacy anyway. Get over it!”
Ah, the good old days.
State of VA made this a requirement to receive unemployment benefits. I was less than thrilled.
State of NC added this recently, it wasn't in place while I was actually getting unemployment, but when logging in to look for tax forms they forced me through it.
Violet Blue: Uber, but for collapse of the US taxpayer system:
A Montenegro domain is cute for something innocuous, but I find it a bit odd for something as important as this. I once owned a single character .me domain, and they were extremely controlling about how I could use it. It wasn't just a normal domain registration. They were very interested in my specific plans for it, and there was a deadline on when I got my (in development at registration time) site up and running before they took the domain away from me.
Does a .me domain mean a foreign government now has the ability to break a US government login system whenever they feel like it?
It absolutely does mean that.
And id.us remains unused...
Oh don't worry, some of the worst people have got your back on this one.
https://www.finance.senate.gov/ranking-members-news/republicans-raise-serious-concerns-with-intrusive-irs-identity-verification-measures
Apparently they are no longer going to switch over to this id.me system: https://www.irs.gov/newsroom/irs-announces-transition-away-from-use-of-third-party-verification-involving-facial-recognition
It isn't clear on what they'll use instead, but I'm glad it's not this.
As usual, thank a Black woman.
I can only assume facial reco is still part of their long-term plans, even if they're ditching this version.
I like the part about how the IRS gave this company an up-front payment of $86M six months ago, for a two-year contract where they no longer have to do anything. I presume that we the people will not get any of that money back.
https://www.usaspending.gov/award/CONT_AWD_2032H521F00420_2050_2032H520A00009_2050