You'll soon have to prove your identity to a Virginia-based security company called ID.me in order to file a return, check tax records, or make payments on the Internal Revenue Service (IRS) website. Your old username and password credentials -- if they still work -- will stop working in the summer of 2022. [...]
ID.me compares your selfie with your driver's license or passport image to verify you are who you say you are. It might also ask for other documentation, such as a copy of a recent bill. If the system still isn't satisfied, it may even ask you to jump on a video call with a human representative. [...] The company says it's also devised ways for overseas, under-documented, or homeless people to verify their identities.
ID.me says a total of ten federal agencies use its system, including the Department of Veterans Affairs and the Social Security Administration.
The IRS, of course, is a big agency that deals directly with many millions of individuals and businesses. ID.me will become responsible for a huge amount of personally identifiable information -- at a time when cyberattacks on government networks have become common. Recall the 2015 cyberattack on the United States Office of Personnel Management (OPM), in which cybercriminals gained access to 22.1 million government personnel records, including those of government employees and their families, and people who had undergone background checks. [...]
And ID.me can store tax filers' personal data for up to seven and a half years, the representative tells me in an email. [...]
In the event of a data leak, however, your options for redress are somewhat limited. At the very top of the ID.me terms of service, you'll find an all-caps statement saying that by using ID.me you agree to binding arbitration in the event of a dispute, and wave your right to join a class action against the company.
I first encountered this bullshit a few months ago.
My business, DNA Lounge, tried to apply for the "California Venues Grant Program funded by the State of California and administered by CalOSBA", and we couldn't even begin the application process without me personally submitting to this techbro biometric-harvesting bullshit by ID.me. And I wouldn't do that, so we couldn't apply.
There are many ways to prove who I am to the State of California, and giving my biometric information to some third-party for-profit data-harvester with a Montenegro domain is not an acceptable one.