It’s one thing for a government agency to engage a private business to help verify the identity of tens of millions of taxpayers (who use that agency’s website), and handle their biometric and personal data for that purpose. It’s quite another to let that private business replace the government as the de facto gatekeeper and owner of that critical data. That can trigger loud opposition, as the IRS recently found out.
The IRS had the right idea when it set out to block extensive ID theft-based fraud, where fake tax returns are often used to obtain tax refunds. Recent history, however, hasn’t helped public trust in the IRS’s choice of third parties to handle taxpayer data. In 2017, the IRS engaged Equifax as its “taxpayer identity” contractor, with disastrous results. Equifax neglected to patch a four-month-old zero-day security flaw and suffered a major breach. The data of 148 million taxpayers was stolen.
Fast forward to late 2021. The IRS announced that taxpayers must undergo face verification against their official ID using ID.me, a company that already provided identity verification services to 27 states. There were rumbles of concern, but little action. Then in January 2022, cybersecurity blogger Brian Krebs described his experience with the multi-step process. After presenting documents, long waits, and a video call, Krebs was presented with an interesting screen, asking him to “authorize release of his data to the IRS.”
In other words, he — and every other taxpayer who had gone through the process — had given control of his critical data to a private company, not to the IRS. The private company wasn’t processing Krebs’ data for the IRS, the way Amazon Web Services runs your applications for you. Instead, the private company appointed by the IRS to intake and verify Krebs’ data was the central hub. The IRS was clearly not in control of the data it had demanded, and that is a very important difference. In effect, the private entity had ownership of the data, which raised questions.
Did this mean the private entity could do whatever it wished with its treasure trove of data on taxpayers? Could it ask Krebs for permission to share his data with, say, Netflix or other consumer service providers? Did it even need to ask his permission?
With the realization that the IRS’s private sector partner now had the data and a relationship with each taxpayer, many data rights groups, politicians, and security experts voiced their opposition. A backlash erupted, complete with Senate meetings, and lawmakers protesting that “The IRS has unilaterally decided to allow an outside contractor to stand as the gatekeeper between citizens and necessary government services.”
Most of us have been shunted from a government site to a third-party payment processor when we have to pay a bill, but there’s usually an option to pay as a guest and have your data deleted. So we know the arrangement. But the IRS took things to another level by involving potentially every taxpayer — and their biometrics. The IRS, for its part, announced it would develop and transition toward other options for ID verification, and on April 14, Congress announced it would investigate ID.me’s practices.
Despite his criticism, Krebs offered advice for citizens that surprised some: get verified using biometrics. He pointed out that it’s a smart move to “plant your flag” by establishing your identity correctly with the government before identity thieves do it for you. In other words, “be the first on your block to be you,” because the potential loss from an identity theft today is greater than the risk if your biometric data are stolen at a later point in time.
Is there still a controversy?
It’s important to distinguish between processing and “ownership.” If the IRS retains clear authority over how your confidential data is used, then it’s logical and acceptable for the IRS to appoint a private company to hold the data and confirm your identity when you log into your IRS account. An important caveat: to merit such trust, the private entity needs to have built the infrastructure and security necessary to provide a high level of protection.
A host of concerns arise when the IRS puts another [private] entity completely in charge of the taxpayer data, as it did. To change or delete data, taxpayers would not go to the IRS; they’d go to ID.me, which took on a role well beyond conducting login approvals. It’s not surprising that taxpayers worry what other uses a commercial enterprise might find for their data.
Even when a private firm appears to have all the right policies and defense measures in place, the IRS [government] should own the sensitive data it requires from taxpayers, and the IRS should have dictatorial control over how it is used.
Making clear that the data belongs to the IRS clarifies responsibility, sets limits for how it’s used, and might even have a deterrent effect: if someone steals information that belongs to the IRS from a private service provider acting as data steward, they know they’re asking for a prison sentence.
Biometrics: Handle with care, but not the real issue
This IRS move probably would have received less scrutiny had it not included biometrics, which are a hot button. Equifax showed how one breach can compromise every taxpayer. Today, however, that single breach could mean something additional: the permanent loss of biometric data. If they steal your password, you change it. If they get your face, well, they have years to figure out how to exploit it.
To confront that danger, we (like most experts) recommend multi-layer, multi-factor security. If one feature is stolen, you can still be safe and function in society. Multi-factor identity verification (IDV) is safer because it’s almost impossible to steal every signal you’d need to pose convincingly as someone else. Hacking facial data and a password would still not be enough to steal a bank account. Multi-layer defense as part of a holistic approach to IDV makes a managed-risk approach viable, even for high-value assets.
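To make the multi-factor argument concrete, here is a small policy engine, written for this article as an added example (it is not the authors’ code, nor ID.me’s or the IRS’s). It assumes the classic three factor categories (something you know, have, and are), assumes that a high-value action needs evidence from several independent categories, and treats a biometric already known to have leaked as a factor that no longer counts, since a face cannot be rotated the way a password can. The action names and tier thresholds are illustrative assumptions.

```python
"""Added example: a tiered, category-aware multi-factor verification policy.

Assumptions (not from the article): three factor categories, per-action
minimums on *distinct* categories, and a breach list of biometrics that
no longer count because they cannot be reissued.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Category(Enum):
    KNOWLEDGE = "knowledge"    # password, PIN, security questions
    POSSESSION = "possession"  # phone code, hardware key, mailed letter
    INHERENCE = "inherence"    # face, fingerprint, voice


@dataclass(frozen=True)
class Factor:
    name: str          # e.g. "face", "password", "phone_otp"
    category: Category
    verified: bool     # did the underlying check itself succeed?


# Illustrative tiers: how many independent categories each action needs.
TIER_REQUIREMENTS = {
    "view_transcript": 2,       # e.g. password + phone code
    "change_bank_account": 3,   # knowledge + possession + inherence
}


@dataclass
class Policy:
    # Biometrics the agency already knows were exposed in a breach.
    # They cannot be rotated like a password, so they stop counting
    # toward the independence requirement instead of being trusted blindly.
    compromised_biometrics: set[str] = field(default_factory=set)

    def counted_categories(self, factors: list[Factor]) -> set[Category]:
        """Distinct categories backed by a passing, non-compromised factor.

        Two factors from the same category (password + security question)
        count once: they fail together when the same database leaks.
        """
        cats: set[Category] = set()
        for f in factors:
            if not f.verified:
                continue
            if f.category is Category.INHERENCE and f.name in self.compromised_biometrics:
                continue
            cats.add(f.category)
        return cats

    def decide(self, action: str, factors: list[Factor]) -> tuple[bool, str]:
        """Return (allowed, reason). Unknown actions are denied by default."""
        needed = TIER_REQUIREMENTS.get(action)
        if needed is None:
            return False, f"unknown action {action!r}"
        have = self.counted_categories(factors)
        if len(have) >= needed:
            return True, f"{len(have)} independent categories presented"
        return False, f"need {needed - len(have)} more independent category(ies)"


# Constructed sample factors for a walk-through.
FACE = Factor("face", Category.INHERENCE, True)
PASSWORD = Factor("password", Category.KNOWLEDGE, True)
QUESTION = Factor("security_question", Category.KNOWLEDGE, True)
PHONE = Factor("phone_otp", Category.POSSESSION, True)


def walkthrough() -> dict[str, bool]:
    """Scenarios from the paragraph above: stolen face + password is not enough."""
    clean, breached = Policy(), Policy(compromised_biometrics={"face"})
    return {
        # attacker holds a leaked face image and a leaked password only
        "face+password -> bank change": clean.decide("change_bank_account", [FACE, PASSWORD])[0],
        # legitimate user also has their phone
        "face+password+phone -> bank change": clean.decide("change_bank_account", [FACE, PASSWORD, PHONE])[0],
        # two knowledge factors are one category, not two
        "password+question -> transcript": clean.decide("view_transcript", [PASSWORD, QUESTION])[0],
        # after a biometric breach the face no longer counts
        "breached face+password+phone -> bank change": breached.decide("change_bank_account", [FACE, PASSWORD, PHONE])[0],
        "breached face+password+phone -> transcript": breached.decide("view_transcript", [FACE, PASSWORD, PHONE])[0],
    }


if __name__ == "__main__":
    for scenario, allowed in walkthrough().items():
        print(f"{scenario}: {'ALLOW' if allowed else 'DENY'}")
```

The design point is the category deduplication in `counted_categories`: raising the required number of factors does nothing if the extra factors fail together, and a breached biometric is demoted rather than silently reused, which is what makes the managed-risk approach in the paragraph above workable.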
What's the right way to handle identification of taxpayers online?
There’s no reason to exclude private companies with expertise in identity verification from working for the IRS. If they are efficient at IDV, have the necessary infrastructure in place (unlike the IRS), and have extensive track records of protecting financial and PII data, they are likely well-qualified as long-term data stewards.
For the IRS and government in general, their two North Stars are accessibility and security. Private companies can help with accessibility, which is crucial to universality — everybody needs the ability to file a tax return and get their refund. Accessibility is already an issue, given that we’re required to pay taxes even if we don’t own a phone, a camera, or a computer. Private vendors can help by offering more than one method of verification.
However, it’s advisable for the IRS to take final responsibility for the safety of our data, allowing private companies to process and hold the data as necessary for identity verification—for the IRS. The IRS should have final say over the IDV workflows and thereby own the user experience. Under those conditions, taxpayers would feel more at ease in “planting their flag” by going through ID verification.
This article was originally published on Fast Company.