When the IRS unveiled plans to force people to post selfies if they wanted online access to their tax information earlier this year, taxpayers, legislators, and digital privacy groups reacted angrily. According to the IRS, the selfies were required by ID.me, an identity verification service, to compare with applicants’ government-issued ID photographs.
Following widespread criticism from both political parties, the IRS responded by making selfie uploads optional and forcing ID.me to destroy them automatically once the verification procedure is completed.
Despite this, dozens of states, including Florida, that have contracted with ID.me to conduct identity verification of unemployment benefit applicants have not followed the IRS’ lead. They require applicants to upload selfies on ID.me’s servers for years unless users expressly request that they be deleted.
That angers privacy groups and many US House of Representatives members, who have launched an investigation into ID.me’s retention policy and verification procedure accuracy. Members of the House Oversight Committee and a coronavirus subcommittee asked ID.me to turn over a long list of data obtained while registering 73 million customers for ten federal agencies and 30 state benefit programs to the company’s CEO.
Democrats Carolyn Maloney of New York and James Clyburn of South Carolina signed the letter, which expressed concerns regarding minority applicant accuracy, reported verification delays, grounds for denials, the number of complaints received, and regulations for keeping uploaded pictures.
In Florida, critics question why the Department of Economic Opportunity can require applicants for unemployment assistance to upload selfies to ID.me, yet IRS taxpayers are not.
Instead of eliminating the requirement, the agency has recruited a second identity verification service to collect selfies from a tiny fraction of pandemic-related mortgage and utility aid applications.
Facial recognition technology should not be used for any purpose, according to Caitlin Seeley George, a spokeswoman for the Boston-based digital rights advocacy group Fight for the Future.
“We were pleased to see the outcry [of criticism] when the IRS used this technique to force millions of Americans to give their biometric data,” she said. “However, requiring people to obtain unemployment assistance, veterans benefits, or any other government information is equally unacceptable. This is something that no one should have to go through.”
According to ID.me, its approach has prevented billions of dollars in unemployment fraud and has accelerated payments for applicants incorrectly labeled as high-risk. According to the business, ID.me was able to rapidly evaluate 11,828 of the 52,000 applications reported by Florida officials in July 2020 as legitimate and process them within 24 hours.
“Manually confirming these claims would have taken months without ID.me,” said ID.me spokesman Patrick Dorton.
Since March 2020, an estimated $23.1 billion in “possible fraudulent payments” have been stopped, according to Emilie Oglesby, a spokesperson for Florida’s Department of Economic Opportunity. “Through the current procedure with ID.me and other fraud protection measures,” she said.
ID.me claims that all of its processes follow federal government identity verification requirements created during the Obama administration.
However, a May 2021 television news broadcast highlighted Florida applicants “being shut out of their unemployment accounts for up to six weeks” after registering using ID.me’s system, “with bills mounting up in the interim,” according to the letter.
“The security of [applicants’] information is a top priority for the department, and DEO is working with all of its contractors to provide options to Floridians to use more than one means to verify their identity because, ultimately, the security of Floridians’ personal information is a top priority for the department,” Oglesby said in response to a question from the South Florida Sun-Sentinel about why unemployment benefit applicants were still required to submit selfies after the IRS eliminated the requirement.
“Because claimants have access to sensitive personal information, including banking information, and receive direct payments through the program, which creates a unique need for fraud protection to protect Floridians,” according to Oglesby, the state employs ID.me to authenticate identities.
The demand for selfies raises issues.
According to State House member Anna Eskamani, a Democrat from the Orlando area, Biometric identification verification poses a slew of privacy and equality concerns. Not only is it concerning that no state law prohibits businesses from storing photos in a database and selling them to commercial entities or law enforcement agencies, but it’s also unfair to people who, because they may be poor or elderly, lack access to smartphones or phones with high-quality cameras, she claims.
Dorton of ID.me claims that the company never shares personal information with third parties without authorization. He also claimed that by using techniques that standard credit bureau verification services can not supply, the company could benefit unbanked applicants who reside overseas, are homeless or have no credit history.
Despite the IRS’ U-turn and promise to phase out ID.me after this tax season, people are still offered ID.me to create an online account. Users who register with ID.me without uploading a photo must still participate in a live face-to-face video chat with a customer service agent, who will compare their video image to their government-issued ID card.
The primary difference between the two methods of verification, according to the company, is that one depends on algorithms and artificial intelligence to check matches. At the same time, the other relies on a human’s eyes.
Despite this, Florida and most other states that contract with ID.me have not required ID.me to delete photographs of unemployed claimants from its database automatically, presumably because Florida wants to preserve evidence for benefit fraud investigations, according to the business.
Their images will not be deleted for three years until they request it, only if their ID.me accounts become dormant. The rest will be kept indefinitely, according to the business.
When asked what assurances the state has that photographs saved by ID are safe, department spokeswoman Oglesby did not comment.
The corporation will deal with me responsibly.
Selfies are required for unemployment benefits in Florida.
According to the firm, Florida has not followed the IRS’s lead by allowing consumers to obtain authentication via video chat instead of a selfie. Only if ID.me’s technology fails to match their selfie to their ID photo are applicants in Florida.
According to Dorton, ID.me decided to provide all users the option to log onto its website and seek deletion of their selfies when the IRS scandal broke.
“Our clients and the general public have requested more options for selecting the appropriate verification method. We acted quickly to fulfill those needs. Any user might go to the ID.me website and erase their selfie on March 1. Within seven days, the data will be deleted.”
On the other hand, video chats are recorded and saved by the company. Customers do not choose to have them deleted under existing federal laws that govern how the company gathers, compares, and retains data, according to the company.
In light of studies showing that African Americans and Asians are “up to 100 times more likely” than white men to be misidentified by some facial recognition systems, House members investigating ID.me expressed concern about “the large volume of data that ID.me regularly misidentifies as fraudulent.”
ID.me’s identification matching algorithms are “very accurate with incredibly tiny variation across demographic groups and skin tone,” according to Dorton.
In their letter to ID.me’s CEO, the House members said that the company had not made evidence of its accuracy claims available for public inspection.
In July, the Florida Department of Economic Opportunity engaged another identity verification business, Socure, to check the identities of applicants to the state’s federally financed $676 million homeowner assistance fund.
According to the contract, one of the services that Socure agreed to deliver is Document Verification, which is described on Socure’s website as employing selfies to validate IDs during user onboarding. The description page features a photo of a smartphone selfie.
Because, unlike unemployment clients, they cannot access sensitive personal information, such as banking information, or receive direct payments through the program, Homeowner Assistance Fund applicants are not required to upload selfies to be considered for up to $50,000 in mortgage and utility assistance. According to her, financial accepted aid through the scheme is paid directly to mortgage holders or utilities.
On the other hand, selfies are necessary for applicants who “do not pass the basic verification process,” according to her. 4 percent of applicants have been rejected so far and requested to provide selfies, she said.
“Applicants who fail the initial verification process must complete a secondary fraud prevention measure in which a selfie is used to compare the applicant to their photo identity,” she explained. “The deployment of this measure guarantees that Floridians in need have equitable access to the program while simultaneously emphasizing data security.”
According to the latest figures issued by the agency on Friday, 24,730 registrations have been submitted so far, with 5,170 applications processed. If 4% of the 24,730 applications fail the initial screening, around 990 people will submit selfies.
Eskamani wants biometric data collecting and storage to be addressed in a digital privacy measure that has twice passed the state House but has yet to clear the Senate.
“There are no safeguards in state legislation that govern how data is stored,” she explained. “There are no laws requiring data protection. Setting such criteria, as well as the repercussions for infractions, would be critical.”