ID.me and the Government’s Identity Verification Problem

Digital identity company ID.me burst into the public eye last year with a simple, straightforward elevator pitch—a one-stop shop for online ID verification—and an eye-popping statistical argument to justify its existence: $400 billion of the federal dollars spent on supplemental unemployment benefits during the pandemic, ID.me asserted, had been lost to fraud.

These sorts of statements contributed to the company’s meteoric rise, with hundreds of millions of dollars in venture capital financing, a $1.5 billion valuation, and, by last fall, a blizzard of contracts to run e-security for government entities at every level—including the unemployment agencies of 27 states, the Department of Labor, and, most notably, the Internal Revenue Service. If you wanted to access your records on the IRS’s website—old tax returns, outstanding balances owed the government, and so on—you’d need to go through ID.me.

But this week, the IRS backed out of the deal, citing ID.me’s use of facial recognition technology. “Everyone should feel comfortable with how their personal information is secured, and we are quickly pursuing short-term options that do not involve facial recognition,” IRS Commissioner Charles Rettig said in a statement.

The IRS retreat wasn’t particularly surprising: ID.me has been suffering a death of a thousand cuts in the press in recent days, including in a Bloomberg feature (“How Did ID.me Get Between You and Your Identity?”) that portrayed the product as a buggy mess and a widely circulated blog post from security writer Brian Krebs that detailed his own difficulties running ID.me’s verification gauntlet. Internal blunders threw more wood on the bonfire: The company admitted earlier statements claiming it had only used so-called “one to one” facial recognition software (matching your picture to the picture on your government-issued documents, without reference to any biometric database) were untrue. Last week, even Congress got in on the action, with senators on both sides of the aisle publicly calling for the IRS to tear up its ID.me contract.   

A feel-good story about the power of accountability journalism? Proof that—as one commenter on Krebs’ blog put it—you should “never stop complaining”? Maybe. Still, it’s hard to shake the feeling that ID.me is the current scapegoat for a more systemic problem: The government has no good way to keep track of who you are online, even as knowing who you are online is becoming more important in every area of life.

Keeping track of why various people are upset at the moment with ID.me is tricky, because different people are upset for different reasons. Start with the simplest, put forward by Bloomberg and Krebs: At times, ID.me’s verification process just doesn’t work very well. If the algorithm rejects you for one inscrutable reason or another, you’ll need to plead your case to an ID.me employee on a video chat, and hold times for those chats have sometimes snowballed to hours or even days.

But if the question is “Is ID.me’s verification process quick and painless enough?” one pertinent response is “Compared to what?” The in-house system the IRS had in place before signing its ID.me contract could be an inscrutable morass too, as your correspondent knows firsthand: Last year, I tried unsuccessfully for days to access the IRS website, with every login attempt rebuffed. By the time I determined the reason—the IRS was trying to use a caller ID database to match me to my cell phone number, and as I am a shiftless millennial still on a family phone plan the name that it pulled wasn’t mine—the site had locked me out for good, cheerfully promising to simply mail an access code to the address they had on file for me. As I no longer lived there, this wasn’t very useful either. I never did get access to that website—until this week, when I was one of the fortunate ones whose ID.me experience was effortless.

Or maybe it’s the notion of a private company helping the IRS screen visitors to its site in the first place that grinds your gears. That was the line Senate Republicans took: “The IRS has unilaterally decided to allow an outside contractor to stand as the gatekeeper between citizens and necessary government services,” the lawmakers huffed in their letter.

But ID.me isn’t the first private company the IRS has employed to verify people’s identities online: Until 2017, the IRS contracted with Equifax to do much the same thing, until multiple hacks at the credit bureau that year led the agency to distance itself. And public entities using private vendors for various online services is common—if you’ve paid a parking ticket online, you’ve probably done it through a payment processing vendor your city contracted with, not a bespoke public system. The IRS itself does this: For years it’s been possible to pay outstanding federal taxes online through payment processors like PayUSATax.com, operated by Nashville’s Value Payment Systems.

And all that might be to the good: “Government and IT have always mixed like oil and water,” Pete Sepp, president of the National Taxpayers Union, told The Dispatch. “So they tend to lag the private sector in these areas.”

Then there’s the data privacy concerns, like the ones the IRS cited: Some are worried by the fact that ID.me stores its users’ biometric data—namely, the face scan it makes to match you to your identity document—for so long as you use the service. (The company formerly claimed it is required by federal standards to save your data in this way.) This could make it a fruitful target for hackers if that data is stored in an insecure way.

But there’s no reason to believe ID.me’s security standards are any laxer than any comparable entity’s. The company’s founder, Blake Hall, told Krebs last year that ID.me follows industry data protection best practices.

Still others are unhappy not at the prospect of a data leak, but at the notion that facial recognition be used in ID verification for government services at all. They invoke issues of equity: Requiring a face scan means requiring people to have access to a cell phone with a browser and a camera, which some Americans do not. And facial recognition algorithms tend to have more trouble identifying people of color than they do white people.

These are not insignificant concerns. But they do need to be weighed against a countervailing question: How much fraud does including a facial ID component head off? There’s no question that, in the early pandemic, government agencies erred heavily on the side of getting money out the door, fraud or no, which led to some truly eye-popping levels of financial crime. ID.me’s $400 billion claim has faced scrutiny for possibly overshooting the mark, but even official tallies are remarkable: California alone estimates it paid out $20 billion in fraudulent claims over the first two years of the pandemic. 

The status quo is unacceptable, and the usefulness of video verification in such a situation is obvious: It demonstrates that the person trying to use an official document is in fact the person to whom that document belongs. If not that technology, then which?

It’s an unfortunate reality of our age: Identity verification and fraud prevention are both much bigger challenges online than off. And Americans have spent the last two decades moving more and more of our lives online—a trend given rocket boosters by the COVID pandemic. Suddenly the expectation was that everything could happen online, from your job to your kids’ education right down to your social drinking.

This goes for the government as much as it does for the rest of society. Since the start of the pandemic, many states have moved various basic government services online, like renewing your driver’s license. Last December, President Joe Biden issued an executive order instructing various major federal agencies to make their basic functions more accessible online, from passport renewal at the State Department to tax payments at the Treasury Department to hunting and fishing permits at the U.S. Fish and Wildlife Service.

“COVID-19 moved government service delivery online, and there’s every reason to believe that move is permanent,” Waldo Jaquith, now senior adviser to the head of the General Services Administration, wrote last year while still in the private sector. “Government is now unavoidably in the identity-verification business, because doing so is central to delivering on agency missions.” 

Historically, federal efforts to centralize this process have left much to be desired. The main federal ID for every citizen, the Social Security number, has existed largely unchanged since 1936. “Nine digits—it’s not exactly cyber secure,” Sam Hammond, director of poverty and welfare policy at the Niskanen Center, told The Dispatch.

The rapid push to move services online has thus exacerbated two related problems at once: It’s made it more difficult for the government to keep track of who you are, which means government entities must frequently choose between systems difficult for regular people to access easily and systems that are vulnerable to fraud.

“Overall, we’re in a world where a lot of institutions like the IRS are moving things online,” said Jay Stanley, a senior policy analyst with the American Civil Liberties Union. “And moving things online is just insecure right now. And so everybody’s struggling with how to make it work … but it cannot be that the only solution is to have a private sector service that raises serious privacy questions and equity questions.”

But even Login.gov—a service stood up by the federal government in February 2021 specifically to compete with ID.me—relies on private contractors for its ID verification process.

ID.me is doing its best to roll with the punches: In the wake of the IRS’s decision, the company announced several new features aimed at defusing certain criticisms of its product, including an option to skip straight to verification with a human agent rather than using the facial recognition algorithm and the ability to choose to delete the video selfie from ID.me servers after verification. 

“ID.me is deeply committed to access, equity, security, and privacy,” founder Hall said in a press release. The company’s goal, he said, was to “advance a consumer-centric model of identity verification where individuals—not data brokers or credit bureaus—get to decide how their data is shared.”

Whether such changes will be enough to stave off government defections from ID.me’s services remains to be seen. But the bigger question—how the government can find its citizens online, preserve equitable access, and protect against rampant fraud all at once—hasn’t been solved yet either way.

“Services like ID.me simply make the state of digital identity legible to the public,” Chris Hoofnagle, a professor at Berkeley Law who studies the intersection of law and technology, told The Dispatch in an email. “The big picture problem here is that our government has never created an identity infrastructure. This means that we have no ability to authoritatively verify identity.”