U.S. Sen. John Thune (R-S.D.), a member of the Senate Finance Committee and the top Republican on the Subcommittee on Taxation and IRS Oversight, recently joined several of his Senate Republican colleagues in raising serious concerns with the Internal Revenue Service’s (IRS’s) announcement of a major expansion of its collaboration with ID.me that will require taxpayers to have an account to access key IRS online resources. In order to register with ID.me, taxpayers will need to submit a trove of personal information, including sensitive biometric data, starting in the summer of 2022.
“The IRS has unilaterally decided to allow an outside contractor to stand as the gatekeeper between citizens and necessary government services,” the senators wrote. “The decision millions of Americans are forced to make is to pay the toll of giving up their most personal information, biometric data, to an outside contractor or return to the era of a paper-driven bureaucracy where information moves slow, is inaccurate, and some would say is processed in ways incompatible with contemporary life.”
The senators identify a number of problematic issues and raise serious questions, including, but not limited to:
- The intrusive verification measures that may be required of taxpayers, such as submitting to ID.me biometric data like a video “selfie” – an identifier that cannot be changed if compromised, unlike a password;
- Cybersecurity standards, and how such sensitive data will be stored and protected;
- Oversight issues, since ID.me is not subject to the same oversight rules as a government agency; and
- What assurances and rights are allowed taxpayers within the collaboration, as it appears taxpayers would be subject to multiple terms of agreement filled with dense legal print.
In addition to Thune, the letter, which was led by U.S. Sen. Mike Crapo (R-Idaho), was signed by U.S. Sens. John Barrasso (R-Wyo.), Marsha Blackburn (R-Tenn.), Richard Burr (R-N.C.), Bill Cassidy (R-La.), John Cornyn (R-Texas), Steve Daines (R-Mont.), Chuck Grassley (R-Iowa), James Lankford (R-Okla.), Rob Portman (R-Ohio), Ben Sasse (R-Neb.), Tim Scott (R-S.C.), Pat Toomey (R-Pa.), and Todd Young (R-Ind.).
Full letter below:
The Honorable Charles P. Rettig
Commissioner
Internal Revenue Service
1111 Constitution Avenue, NW
Washington, DC 20224
Dear Commissioner Rettig:
On November 17, 2021, the Internal Revenue Service (IRS) announced a major expansion of its collaboration with ID.me that will require, starting in the summer of 2022, taxpayers to have an ID.me account in order to access key IRS online resources. While we understand the IRS's use of ID.me is intended to protect data and reduce fraud, we have serious concerns about how ID.me may affect confidential taxpayer information and fundamental civil liberties.
To access IRS online services, including to check on the status of a return, view balances and payments received, obtain a transcript, and enter into an online payment agreement, taxpayers will soon be required to register for an ID.me account. As part of the registration, ID.me requires a trove of personal information, which may include one or more of the following: (1) government-issued photo ID, (2) passport, (3) birth certificate, (4) Form W-2, (5) social security card, (6) veteran health ID card, (7) DHS trusted traveler card, (8) video "selfie" with a smartphone or webcam, (9) utility bill, (10) insurance bill, (11) telephone bill, and (12) a recorded video interview with an ID.me employee.
The list above is not exhaustive. There are other items ID.me may require. The most intrusive verification item is the required "selfie," which is much more than simply uploading a picture; it is submitting one's face to be digitally analyzed by ID.me into a "faceprint." Additionally, using ID.me appears to subject taxpayers to the terms of three separate agreements filled with dense legal fine print: a privacy policy agreement, a terms of service agreement, and a "Biometric Data Consent and Policy."
ID.me's “Biometric Data Consent and Policy” defines biometric data as including "fingerprints, voiceprints, hand scans, facial geometry recognition and iris or retina recognition." Unlike a password, authenticator application, or hardware key, biometric items can never be changed.
We are deeply concerned for many reasons. The government and private companies have an unfortunate history of data breaches. The examples are many. Two of the most prominent are the Office of Personnel Management breach, where the government failed to protect some of its critical employees' most sensitive identity details, and the recent Pro Publica leak, exposed the legally protected confidential taxpayer information of many American taxpayers. There is ample evidence to be very concerned about an IRS contractor's ability to safely manage, collect and store this unprecedented level of confidential, personal data. To put this in perspective, in 2019 the IRS estimated it faced 1.4 billion cyber-attacks annually. It is highly likely, with personal information on a reported 70 million individuals, including biometric data, ID.me could be a top target for cyber-criminals, rogue employees, and espionage.
The IRS has unilaterally decided to allow an outside contractor to stand as the gatekeeper between citizens and necessary government services. The decision millions of Americans are forced to make is to pay the toll of giving up their most personal information, biometric data, to an outside contractor or return to the era of a paper-driven bureaucracy where information moves slow, is inaccurate, and some would say is processed in ways incompatible with contemporary life. Of concern, also, is that ID.me is not, to our knowledge, subject to the same oversight rules as a government agency, such as the Freedom of Information Act, the Privacy Act of 1974, and multiple checks and balances.
We are interested in obtaining more information about the IRS's collaboration with ID.me. We also ask that you please respond in writing to the following questions and requests by February 27, 2022, and provide a subsequent briefing to review your written responses.
- How did the IRS decide to require taxpayers to submit their personal information, including biometric data, to an outside vendor, in order to access certain online IRS resources?
- What due diligence did the IRS complete to ensure taxpayer's information would be protected before entering into a contract with ID.me?
- What oversight does the IRS exercise over ID.me after entering into an agreement with them?
- In order to register with ID.me to access an IRS online account, must one agree, or be subject to, ID.me's privacy policy agreement, terms of service agreement, and Biometric Data Consent and Policy?
- Before contracting with ID.me, did the IRS verify that ID.me's entire system had gone through an independent cyber-security audit? If yes, are such audits periodic?
- List all the types of taxpayer data that will be collected and stored by ID.me. Where will the data be stored? How long will the data be stored? What safeguards are in place to protect the data?
- Can an ID.me employee access information uploaded to ID.me by taxpayers? If yes, how does the IRS ensure this taxpayer information is not abused?
- Will taxpayers have the ability to remove all their data from ID.me's storage? Does removal equate to permanent deletion from all devices where the data is stored? Assuming permanent deletion is possible, how long does it take from request to actual permanent deletion?
- If the IRS cancels its collaboration with ID.me, or the contract’s term expires, what will happen to the personal information submitted by taxpayers?
- How does the IRS's contract with ID.me navigate state laws limiting the use of biometric data (e.g., the Illinois Biometric Information Privacy Act)?
- Does the IRS know how ID.me's required "selfies" are analyzed (e.g., are digital forensics employed to analyze a picture's metadata, EXIF data, depth map, facial geometry, or 1:1 or 1:many facial recognition)?
- Considering the IRS has encountered unprecedented difficulty handling the volume of taxpayer correspondence and telephone calls, does the IRS or ID.me gather information about the taxpayer experience with ID.me (e.g., customer satisfaction, hold times, number of repeated contacts, and difficulties with facial recognition technology)? What mechanisms are in place to ensure quality service by ID.me?
- What contingency plans are in place for an event in which ID.me has a data breach that includes taxpayer information?
- Please describe the IRS's process to make ID.me a "trusted technology provider."
- What criminal penalties would IRS employees or contractors face who intentionally or negligently release taxpayer's personal information without their consent?
Thank you for your immediate consideration of this matter.