I Unknowingly Gave Away My Privacy to ID.me: What Are They Doing with My Biometric Data?
The Incredible Rise in Stolen Identity Data Shows the Inherent Dangers of Using Digital ID Providers
I recently went through a torturous process just to get my tax refund.
When this "identity verification" was finally completed over two days, I discovered I had given some of my most personal information NOT to the Internal Revenue Service (IRS) but to a third-party organization called ID.me.
I felt I had been tricked. And now this company, previously unknown to me, had my name, home address, date of birth, Social Security number, driver's license data (including sex, height, eye color, and driving restrictions), passport data, and a facial scan video.
As a result of my experience, I'm writing this article in three parts to help you avoid what happened to me. Here is what I'm providing:
1. How I was tricked and why this company is so dangerous to privacy
2. The Big Questions: What is ID.me? Why should you be concerned? Who runs it? What do their Terms & Conditions allow them to do with my data? Who is financing them? Who else is doing this to us?
3. Solutions: How to mitigate your personal risks.
I hope you share this with your friends and family.
HOW I WAS TRICKED INTO GIVING UP MY BIOMETRIC AND PERSONAL DATA
Here's how it all started. I filed a tax return in March, then on April 18, received a letter from the IRS:
"We received a federal income tax return filed under your Social Security Number. We need to verify your identity and your tax return at IRS.gov/VerifyReturn. We can't process the tax return until we hear from you. Sign in or create a new account. If you're a new user, have your current government-issued photo identification ready (driver's license, state I.D., passport, passport card)."
It told me "What to Do if I Did File a Tax Return":
"You will need the following to answer IRS questions about the tax return:
· The Form 1040-series tax return for the year shown on the notice or letter.
· The notice or letter you received.
"You can use your IRS account to sign in. If you're a new user, have your photo identification ready. More information about identity verification is available on the sign-in page.
· Click the "Sign in to Verify your identity and tax return" button to continue.
· You must let us know that you did file a tax return and answer IRS questions about the tax return. If you don't see these questions, come back to this page and sign in again."
I thought this was an odd request, especially since nothing had changed from last year: same wife, same address, similar income coming from 1099s, similar deductions, same tax preparation professional, and the same bank account for the IRS to deposit my refund. So why did they need to "verify" me?
Clicking the button took me to this page:
Then:
It seemed clear that I must use the new IRS service to prove who I am and get my refund. So, I set up an account and answered all of their questions. Then I tried to upload my driver's license front and back image six times. After several frustrating and unsuccessful minutes, I went downstairs, found my passport, created a scanned image, and uploaded it. The result? They wanted a live, biometric scan of my face using the camera on my computer.
WHAT WAS SHOCKING ABOUT THIS PROCESS
After completing the facial scan, the system told me the "process was successful" and that I was being "transferred back to IRS.gov." Transferred back? From where?
I quickly determined that I had been sent online to a private, non-governmental third party called ID.me. I had no idea who this company was – and this was AFTER I had just given up all that personal information!
WHAT IS ID.me? WHAT ARE THEY TRYING TO PROVIDE?
As digital identification becomes increasingly central to online security and government services, concerns about the ownership and funding of companies like ID.me have grown. ID.me is one of the leading digital identity providers in the United States. It is widely used by federal agencies, including the Department of Veterans Affairs and the Internal Revenue Service (IRS), to verify users' identities online.
ID.me was founded in 2010 by Blake Hall, a former U.S. Army Ranger, who initially aimed to provide a secure way for military personnel and veterans to verify their identities online. Over time, the company expanded its services to offer digital identity verification to a broader audience, including government agencies, healthcare providers, and financial institutions.
However, with the sensitive nature of the data handled by ID.me, many questions have been raised about the company itself, the amount and type of data collected, its policies for protecting and destroying personal data, and the company's funding. For example, is there substantial non-U.S. ownership? Which foreign entities have any ownership stakes or substantial influence? These are some of the questions I was determined to answer.
First, let's consider why it is not a good idea to collect and keep all of this information from a single source.
WHY THIS CONSOLIDATION OF PERSONAL AND BIOMETRIC DATA IS SO DANGEROUS
In today's increasingly digital world, managing and protecting our identities has become more complex and vulnerable than ever before. Digital identity providers play a critical role in this landscape, offering services that consolidate sensitive personal data to verify identities online. These companies store vast amounts of private information, including demographic details, biometric records, and other confidential data. While this consolidation is convenient, it also presents a significant risk: a single breach can expose the personal information of millions, or even billions, of individuals.
Recent news has highlighted the dangers associated with these digital identity providers. A large digital identity provider was recently breached, resulting in billions of private records being stolen, including U.S. residents' sensitive demographic and biometric data. This breach underscores the potential for catastrophic consequences when such vast amounts of information are centralized in a single, vulnerable system.
Despite these risks, governments and private companies continue to march forward with imposing "digital identities."
Many of the dangers are highlighted in our news feeds. Recent headlines include:
"New X Policy Forces Earners to Verify Their Government ID With Israeli Verification Company" (May 22, 2024)
"X, formerly Twitter, is now mandating the use of a government ID-based account verification system for users that earn revenue on the platform – either for advertising or for paid subscriptions.
To implement this system, X has partnered with Au10tix, an Israeli company known for its identity verification solutions. Users who opt to receive payouts on the platform will have to undergo a verification process with the company."
Just a month later, researchers found that Au10tix had been hacked more than a year earlier and that the access credentials had been posted on Telegram for over a year, without users being informed:
"AU10TIX, an identity verification company operating out of Israel and serving prominent clients like TikTok and, more recently Elon Musk's X, was found to have inadvertently left sensitive user information vulnerable after administrative credentials were exposed online, according to a report from 404 Media.
The company, known for processing photos and driver's licenses to verify identities, allegedly had this security lapse exposed by cybersecurity firm spiderSilk, revealing a potential goldmine for hackers.
The exposed data, accessible for over a year, included not only basic identity details such as names, birth dates, and nationalities but also images of the identity documents themselves, such as drivers' licenses. This breach underscores a growing concern as more platforms, including social networks and adult content sites, demand real identity verification from users, increasing the risk of personal data exposure."
Despite the risks, the largest U.S. state announced its plans earlier this year to push forward:
California Lawmakers Push Online ID Verification Bill That Would Require Platforms To ID "Users With Large Audiences" (March 20, 2024)
"C.A. State Senator Padilla and his "legislative partners" from the California Initiative for Technology and Democracy (CITED) announced the bill as a way of "protecting" elections in the state – specifically from technology "misuse and misinformation.""
The push by the federal government for digital IDs is nothing new. They have been anxious for years to be able to identify people who post negative information about them or oppose their policies:
"U.S. lawmakers play with the idea of social media ID verification, following proposals from other countries" (October 20, 2021)
The European Union now wants everyone to have a digital ID to provide "anti-disinformation":
"EU Commission Urges Digital ID, E-Health Records, and Touts 'Anti-Disinformation' Efforts in Digital Decade Report" (July 8, 2024)
Beyond requiring biometric data to get your federal tax refund, the IRS also wants it for anyone filing a Freedom of Information Request:
Now that the "cat is out of the bag" on the big plan to shut us up and take our private data, what do we have as U.S. residents to look forward to?
WHAT ARE THE DANGERS OF A COMPANY CONSOLIDATING SO MUCH SENSITIVE INFORMATION?
1. Massive Data Exposure:
What It Is: Digital identity providers like ID.me store extensive personal data, including names, addresses, social security numbers, biometric data (such as fingerprints or facial recognition data), and even financial information. When this data is consolidated in one place, it creates a single point of failure.
The Danger: If a breach occurs, hackers could gain access to a treasure trove of information that can be used for identity theft, financial fraud, and other malicious activities. The more extensive the database, the more attractive it becomes to cybercriminals.
2. Irreversible Damage from Biometric Data Theft:
What It Is: Biometric data, such as fingerprints, iris scans, and facial recognition, is increasingly used to secure identification. Unlike passwords, which can be changed if compromised, biometric data is immutable—you can't change your fingerprints or facial structure.
The Danger: If biometric data is stolen, it could be used to create fake identities or bypass security systems designed to protect sensitive information. Misusing biometric data can lead to long-term consequences for individuals, as they cannot recover or replace this information.
3. Impact on National Security:
What It Is: Digital identity providers like ID.me are used by the U.S. government to verify the identities of individuals accessing military and other sensitive government services. This means they hold the personal information of military personnel, veterans, and government employees.
The Danger: A breach of such a provider could have profound national security implications. Hackers could access classified information, impersonate military personnel, or disrupt critical government functions. The exposure of sensitive data related to military and government employees could also put their lives at risk.
4. Loss of Trust in Digital Systems:
What It Is: Digital identity providers are meant to be trusted gatekeepers of our most sensitive information. When these companies are breached, public trust in the entire digital identity system erodes.
The Danger: A loss of trust could lead to decreased use of online services, with individuals and organizations reverting to less efficient or more vulnerable methods of identity verification. This could slow the adoption of digital services, increase operational costs, and reduce overall security.
5. Widespread Economic Impact:
What It Is: A major breach at a digital identity provider could have far-reaching economic consequences. Beyond the immediate costs of responding to the breach—such as notifying affected individuals, paying for credit monitoring, and implementing security upgrades—there are also broader economic implications.
The Danger: Victims of identity theft may face financial ruin, leading to lost productivity and increased strain on social services. Businesses that rely on digital identity providers may also suffer losses due to reduced customer trust, legal liabilities, and regulatory fines.
WHAT HAPPENS IF A BREACH DOES OCCUR?
If a breach were to occur at a major digital identity provider like ID.me, the consequences for U.S. residents could be severe:
1. Identity Theft and Financial Fraud on a Massive Scale:
Identity theft occurs when someone uses stolen personal information to commit fraud, such as opening credit accounts, filing false tax returns, or making unauthorized purchases. Digital identity providers are prime targets for hackers seeking this type of information.
A breach at a digital identity provider could lead to widespread identity theft, affecting millions of individuals. Victims may spend years resolving the damage, including drained bank accounts, damaged credit scores, and legal battles over fraudulent activities conducted in their name. The financial and emotional toll on victims could be devastating, with long-term effects on their credit and financial stability.
2. Compromised Government Services:
If hackers gained access to government systems through stolen digital identities, they could disrupt critical services like tax filing, military benefits, and social security. This could delay or deny essential services to those who rely on them.
3. Increased Fraud and Scams:
With access to detailed personal information, scammers could create more convincing phishing attacks, leading to further financial losses for individuals and businesses.
4. Erosion of Public Trust:
Public confidence in digital identity systems would likely plummet, leading to greater resistance to online services and a shift toward less secure, more cumbersome identity verification methods.
5. National Security Risks:
The exposure of military and government personnel's data could compromise national security, leading to potential espionage, blackmail, or other security breaches.
CONCLUSION
It is clear that this movement to create digital IDs for everyone in the world is not about protecting us but better controlling us by obtaining and using our most personal information.
In my next two blog posts, I will outline some of the shocking information I found about ID.me, their competitors, and where things are going next. Ultimately, there are some things you can do to protect yourself, but they may not be very easy to do.
Coming up next time:
The Big Questions: What is ID.me? Why should you be concerned? Who runs it? What do their Terms & Conditions allow them to do with my data? Who is financing them? Who else is doing this to us?
Solutions: How to mitigate your risks.
I hope you share this with your friends and family.