As reported by KrebsOnSecurity in January of 2022, the IRS announced it would begin requiring the use of an ID.me account for anyone looking to find out information on their taxes. We saw similar things at the state level where it was stated that it would be required later but was already in play with the sites in question pushing you to use the system. Having used ID.me in the past I was a bit surprised when people reported that they could not get things to work without submitting a “selfie”. Thinking this was a bit odd I went through the process on a state system myself. Even though I already have an ID.me account that is used for a federal service, I had to completely start over and verify who I am.
The process was very complicated, overly so. I started out using a PC to browse to the site in question. The PC in use did not have a camera, which was a problem for ID.me. They offered to text me a link to a phone number, which I had to also confirm was mine. Once I had the link, getting it to work was time consuming as I usually do not allow access to the phone’s camera by anything that does not need it (like the browser). This prevented the links from working until I grated the browser on the phone direct access to the camera before I clicked on the link. Even after that, it turns out the “selfie” is not just a picture of you, but a biometric capture of your image. Looking at the process was a little unnerving as it was not really needed for what I was looking to do at this agency. I could see how this part of the process would fail though. After about 6 tries ID.me decided things were not going to work and I was finally offered a chance to set up a video chat with someone to confirm who I was.
Still after the collection effort, I began to wonder about the potential issues of a private company that has contracts with government agencies collecting biometric data about a large portion of the population. I mean it is not like there has never been a loss of data from a private company contracted by the government. There was a total of six biometric “selfies” of me made during the effort. In talking with others that had problems with the selfie they reported similar numbers. How much biometric data about each person is sitting in databases owned and operated by ID.me. What is being done with that data?
The IRS (again according to Krebs) is saying they will begin deleting the data after account creation and will delete any existing data that was collected when setting up accounts and will also allow for an option to use the video conference without the need for a selfie attempt. Sounds good, but I would also not trust them as far as I could comfortably spit out a rat. It does not tell us if the data was shared who else had access to it while the collection was happening and does not resolve the number of agencies that are still requiring the selfie and collecting the biometric data.
ID.me has stated that they take security very seriously and they do not need the data collected about an individual after the initial verification. However, it also seems that they do keep that information and the only way to delete that data is to remove your entire account with ID.me. If you do this any services that require you to login with or through ID.me will not work for you. This means that they have a shit-ton of personally identifying information complete with biometric data. Regardless of the security implemented, we know that if attackers want something enough, they will get it. As with many aspects of modern digital life, there is no shortage of vulnerabilities to be exploited in any system designed and built by a person. Attackers have time on their hands and only need to be right once to compromise everything. Eventually the amount of identity validation information will be too tempting of a prize to not go after.