When the IRS announced plans to require taxpayers to upload selfies in order to gain online access to their tax records, taxpayers, lawmakers, and digital privacy advocates reacted negatively. The IRS stated that ID.me, an identity verification service, required the selfies to compare with the government-issued ID photos of applicants.
In response to criticism from both sides of the political spectrum, the IRS made selfie uploads optional and required ID.me to delete them automatically once the verification process was complete.
Nonetheless, dozens of states, including Florida, that have contracted with ID.me to conduct identity verification of applicants for unemployment benefits continue to require applicants to upload selfies that remain on ID.me’s servers for years unless users specifically request their removal.
Privacy advocates and several members of the United States House of Representatives have called for an investigation into ID.me’s retention policies and the accuracy of its verification process. Members of the House Oversight Committee and a subcommittee on the coronavirus crisis requested in a letter to ID.me’s CEO a long list of data collected while registering 73 million users for 10 federal agencies and 30 state-run benefit programs.
The letter, signed by New York Democrat Carolyn Maloney and South Carolina Democrat James Clyburn, expressed concerns regarding accuracy issues involving minority applicants, reported delays in verification, reasons for rejections, the number of complaints, and policies regarding the retention of uploaded images.
In Florida, critics question why it’s acceptable for the Department of Economic Opportunity to require applicants for unemployment benefits to upload selfies to ID.me when the Internal Revenue Service allows taxpayers to opt out.
Instead of eliminating the requirement, the department has hired a second identity verification firm that collects selfies from a small percentage of applicants for mortgage and utility assistance related to the pandemic.
Caitlin Seeley George, spokesperson for the Boston-based digital rights advocacy organization Fight for the Future, asserts that it is unacceptable for governments—federal, state, and local—to continue utilizing facial recognition technology for any purpose.
“We were pleased to see the outcry when the IRS was requiring millions of Americans to submit their biometric information,” she said. “In addition, it is unacceptable to require it to access unemployment benefits, veteran’s benefits, or any other government information. Nobody should have to endure this.”
ID.me claims that its system has prevented billions of dollars in unemployment fraud and expedited benefits for applicants who were incorrectly flagged as high-risk. ID.me was able to quickly verify 11,828 of the 52,000 applications flagged by Florida officials in July 2020 as legitimate and process them within 24 hours, the company reported.
Without ID.me, manually confirming these claims would have taken months, according to ID.me spokesperson Patrick Dorton.
Since March 2020, an estimated $23.1 billion in “potentially fraudulent payments” have been prevented “through the current process with ID.me and other fraud prevention measures,” according to Emilie Oglesby, a spokesperson for the Florida Department of Economic Opportunity.
ID.me claims that all of its procedures adhere to the federal government’s identity verification guidelines developed during the Obama administration.
In their letter, however, members of the U.S. House of Representatives referenced a May 2021 television news report about Florida applicants “being locked out of their unemployment accounts for up to six weeks” after registering through ID.me’s system, “with bills piling up in the interim.”
The South Florida Sun Sentinel asked why unemployment benefit applicants were still required to submit selfies after the IRS eliminated the requirement. In response, Oglesby stated, “The security of [applicants’] information is a top priority for the department, and DEO is working with all of its contractors to provide options to Floridians to use more than one means to verify their identity, because ultimately the security of Floridians’ personal information is paramount.”
Oglesby explained that the state uses ID.me to verify identities “because claimants have access to sensitive personal information, including banking information, and receive direct payments through the program, which creates a unique need for fraud prevention to protect Floridians.”
Selfie mandate raises concerns.
Anna Eskamani, a Democrat from the Orlando area and a member of the state legislature, stated that mandating biometric identity verification raises a number of privacy and equality concerns. She stated that not only is it concerning that no state law prohibits companies from storing photos in a database and selling them to commercial entities or law enforcement agencies, but it is also unfair to those who, due to poverty or age, do not own smartphones or phones with high-quality cameras.
ID.me’s Dorton states that the company never shares personal information without the owner’s consent. And he stated that the company can expedite the delivery of benefits to applicants who are unbanked, live overseas, are homeless, or have no credit history by utilizing tools that traditional credit bureau verification services do not offer.
Despite the IRS’ about-face and pledge to phase out ID.me after the current tax season, taxpayers are still able to create an online account using ID.me. Users who choose to register through ID.me without uploading a photo are still required to engage in a live video chat with a customer service agent who will compare their video image to their government-issued ID card.
According to the company, the primary distinction between the two forms of verification is that one uses algorithms and artificial intelligence to verify matches, while the other relies on human eyes.
Florida and the majority of other states that have contracts with ID.me have not required ID.me to automatically delete images of unemployment applicants from its database, the company said, presumably because Florida wants to preserve evidence for its investigations of benefits fraud.
Their photos will not be deleted for three years unless they request it, and then only if their ID.me accounts become inactive. The remainder will be saved indefinitely, according to the company.
When asked what guarantees the state has that images stored by ID are secure, Oglesby did not respond.
The organization will treat me with respect.
Florida requires selfies for unemployment benefits.
According to the company, Florida has not followed the IRS’s example of providing users with the option to forego uploading a selfie and instead request verification via video chat. In Florida, applicants are only provided with this option if ID.me’s algorithm is unable to match their selfie to their ID photo.
Dorton stated that following the IRS controversy, ID.me decided to give all users the option to log into its website and request deletion of their selfies.
“Our customers and the general public have requested more verification pathway selection options. We responded expeditiously to these requests. Since March 1, any user could access the ID.me website to delete their selfie. The removal will occur within seven days.”
Video chats, however, are recorded and stored by the company, and users have no option to request their deletion under current federal regulations that govern how the company collects, compares, and stores its data, according to the company.
Members of the U.S. House investigating ID.me expressed concern over “the large volume of data that ID.me routinely misidentifies as fraudulent” in light of studies indicating that African Americans and Asians are “up to 100 times more likely” to be incorrectly identified by some facial recognition systems than white men.
Dorton defended ID.me’s identity matching algorithms as “extraordinarily precise, with incredibly small variation across demographic groups and skin color.”
House members stated in a letter to ID.me’s CEO that the company has not made evidence of its accuracy claims available for public review.
Socure was hired by the Florida Department of Economic Opportunity in July to verify the identities of applicants to the state’s $676 million federally-funded homeowner assistance fund.
Document Verification, described on Socure’s website as using selfies to verify IDs during user onboarding, is one of the services Socure agreed to provide under the terms of the contract. A photograph of a smartphone self-portrait is used to illustrate the description page.
Homeowner Assistance Fund applicants are not required to submit selfies in order to qualify for up to $50,000 in mortgage and utility assistance because, unlike unemployment clients, they cannot access sensitive personal information, such as banking information, or receive direct payments through the program, according to a department spokesperson. She stated that program-approved financial aid is paid directly to mortgage or utility holders.
However, applicants “who do not pass the initial verification process” must submit a selfie, she said. She stated that 4% of applicants have been rejected and asked to submit selfies thus far in the application process.
“A small percentage of applicants who fail the initial verification process are required to submit a selfie for comparison with their photo identification,” she explained. This measure ensures that Floridians in need have equal access to the program, while also prioritizing the security of their personal data.
Updated statistics released by the department on Friday indicate 24,730 registrations and 5,170 completed applications have been submitted to date. If 4% of 24,730 applications fail the initial verification, approximately 990 applicants will be required to submit selfies.
Eskamani stated that she would like to see the collection and storage of biometric data addressed in a digital privacy bill that has passed the state House twice but not the Senate.
She stated, “there are no safeguards in state law that dictate how data is stored.” “There are no regulations regarding data protection. It would be essential to establish these standards and consequences for violations.”