Should a private company own taxpayer data?

Recent controversies involving the IRS’s use of third-party ID verification service providers raise an important question: What’s the right way to handle identification of taxpayers online?

It’s one thing for a government agency to engage a private business to help verify the identity of tens of millions of taxpayers (who use that agency’s website), and handle their biometric and personal data for that purpose. It’s quite another to let that private business replace the government as the de facto gatekeeper and owner of that critical data. That can trigger loud opposition, as the IRS recently found out.

The IRS had the right idea when it set out to block extensive ID theft-based fraud, where fake tax returns are often used to obtain tax refunds.  Recent history, however, hasn’t helped public trust in the IRS’s choice of third parties to handle taxpayer data. In 2017, the IRS engaged Equifax as its “taxpayer identity” contractor, with disastrous results. Equifax neglected to patch a four-month-old zero-day security flaw and suffered a major breach. The data of 148 million taxpayers was stolen.

Fast forward to late 2021. The IRS announced that taxpayers must undergo face verification against their official ID using ID.me, a company that already provided identity verification services to 27 states. There were rumbles of concern, but little action. Then in January 2022, cybersecurity blogger Brian Krebs described his experience with the multi-step process. After presenting documents, long waits, and a video call, Krebs was presented with an interesting screen, asking him to “authorize release of his data to the IRS.”

In other words, he — and every other taxpayer who had gone through the process — had given control of his critical data to a private company, not to the IRS.  The private company wasn’t processing Krebs’ data for the IRS, the way Amazon Web Services runs your applications for you.  Instead, the private company appointed by the IRS to intake and verify Krebs’ data was the central hub. The IRS was clearly not in control of the data it had demanded, and that is a very important difference. In effect, the private entity had ownership of the data, which raised questions.

Did this mean the private entity could do whatever it wished with its treasure trove of data on taxpayers? Could it ask Krebs for permission to share his data with, say, Netflix or other consumer service providers? Did it even need to ask his permission?

With the realization that the IRS’s private sector partner now had the data and a relationship with each taxpayer, many data rights groups, politicians, and security experts voiced their opposition. A backlash erupted, complete with Senate meetings, and lawmakers protesting that “The IRS has unilaterally decided to allow an outside contractor to stand as the gatekeeper between citizens and necessary government services.”  

Most of us have been shunted from a government site to a third-party payment processor when we have to pay a bill, but there’s usually an option to pay as a guest and have your data deleted. So we know the arrangement. But the IRS took things to another level by involving potentially every taxpayer — and their biometrics. The IRS, for its part, announced it would develop and transition toward other options for ID verification, and on April 14, Congress announced it would investigate ID.me’s practices.

Despite Krebs’ criticism, he offered advice for citizens that surprised some: get verified using biometrics. He pointed out that it’s a smart move to “plant your flag” by establishing your identity correctly with the government before identity thieves do it for you. In other words, “be the first on your block to be you” because the potential loss from an identity theft today is greater than the risk if your biometric data are stolen at a later point in time.  

Is there still a controversy?

It’s important to distinguish between processing and “ownership.” If the IRS retains clear authority over how your confidential data is used, then it’s logical and acceptable for the IRS to appoint a private company to hold the data and confirm your identity when you log into your IRS account. An important caveat: to merit such trust, the private entity needs to have built the infrastructure and security necessary to provide a high level of protection.

A host of concerns arise when the IRS puts another [private] entity completely in charge of the taxpayer data, as it did. To change or delete data, taxpayers would not go to the IRS; they’d go to ID.me, which took on a role well beyond conducting login approvals. It’s not surprising that taxpayers worry what other uses a commercial enterprise might find for their data.

Even when a private firm appears to have all the right policies and defense measures in place, the IRS [government] should own the sensitive data it requires from taxpayers, and the IRS should have dictatorial control over how it is used.

Making clear that the data belongs to the IRS clarifies responsibility, sets limits for how it’s used, and might even have a deterrent effect: if someone steals information that belongs to the IRS from a private service provider acting as data steward, they know they’re asking for a prison sentence.

Biometrics: Handle with care, but not the real issue

This IRS move probably would have received less scrutiny had it not included biometrics, which are a hot button. Equifax showed how one breach can compromise every taxpayer. Today, however, that single breach could mean something additional: the permanent loss of biometric data. If they steal your password, you change it. If they get your face, well, they have years to figure out how to exploit it.

To confront that danger, we (like most experts) recommend multi-layer, multi-factor security. If one feature is stolen, you can still be safe and function in society. Multi-factor IDV is safer because it’s almost impossible to steal every signal you’d need to pose convincingly as someone else. Hacking facial data and a password would still not be enough to steal a bank account. Multi-layer defense as part of a holistic approach to IDV makes a managed-risk approach viable, even for high-value assets.

What's the right way to handle identification of taxpayers online?

There’s no reason to exclude private companies with expertise in identity verification from working for the IRS. If they are efficient at IDV, have the necessary infrastructure in place (unlike the IRS), and have extensive track records of protecting financial and PII data, they are likely well-qualified as long-term data stewards.

For the IRS and government in general, their two North Stars are accessibility and security. Private companies can help with accessibility, which is crucial to universality — everybody needs the ability to file a tax return and get their refund. Accessibility is already an issue, given that we’re required to pay taxes even if we don’t own a phone, a camera, or a computer. Private vendors can help by offering more than one method of verification.

However, it’s advisable for the IRS to take final responsibility for the safety of our data, allowing private companies to process and hold the data as necessary for identity verification—for the IRS. The IRS should have final say over the IDV workflows and thereby own the user experience. Under those conditions, taxpayers would feel more at ease in “planting their flag” by going through ID verification.

This article was originally published on Fast Company.
