After years of fighting to beat back identity thieves, the IRS launched a new authentication system last November that the agency hoped would start to turn the tide. The tool was designed for a limited set of taxpayers — those who wanted to access past tax returns online, or get access to other self-help tools, like the child tax credit update portal. The process involved uploading a picture of a government-issued ID, like a driver’s license, and then a selfie from a smartphone, for comparison and verification. But taxpayers complained the system was glitchy, and when those complaints reached Congress, the reaction was pretty predictable: “Who thinks it’s a good idea to send selfies to the IRS?”
For today’s Debugger in 10 podcast, I talked with Jeremy Grant, who works at cybersecurity firm Venable. To listen, hit play below or visit the Debugger page on Apple Podcasts.
Grant made some interesting points in our conversation. Government agencies *already have* pictures of your face, he pointed out. You volunteered them when you got a driver’s license or a passport, for example. And if you’ve ever tried to get copies of past tax returns, you know what a headache that can be. So, tech that enables critical citizen tasks should be used.
Still, it makes sense to me that many Americans aren’t anxious to upload selfies at the IRS website. First, it feels creepy. But even if you get past that, real questions need to be answered about where those images (or videos) will live and who might get access to them in the future. We don’t have a great track record of limiting data use to the reason it was obtained, so there’s a serious trust gap.
Also, since this story first broke, additional reporting has raised serious questions about the vendor behind this selfie authentication, ID.me. The company has contracts with dozens of states to help verify residents who apply for benefits like unemployment. The Washington Post wrote on Friday that ID.me’s systems can be fooled, in at least one case by a trivial costume. In a criminal complaint the newspaper obtained concerning a criminal engaged in a benefits scam, “the case shows that ID.me’s identification systems did not detect bogus accounts created around the same day that included fake driver’s licenses with photos of the suspect’s face in a curly wig,” the Washington Post wrote.
And The Verge wrote that the firm’s selfie authentication tools have a high failure rate, which forces human review, which can cause long, frustrating delays.
Debugger in 10 is produced by Duke University’s Sanford School of Public Policy and the Duke Kenan Institute for Ethics.