Security News

How the IRS can do better with its digital identity program

David Strom 9 Feb 2022

Here's why the IRS should never rely on proprietary solutions for digital identity

The US’ tax collection agency, the Internal Revenue Service (IRS), has changed course with its short-lived identity verification system that was only recently implemented. Last November, the vendor ID.me was awarded an $86 million contract to provide the exclusive authentication for all online IRS accounts. Until then, the IRS had its own account authentication service that was based on credit reporting data. The older system was to be phased out this summer. Note that online accounts were used for issuing tax refunds – they were not needed for just filing your tax return.

The ID.me implementation was in response to various tax fraud schemes, some of which we have documented in an earlier blog post. But the choice of ID.me as the IRS’ identity provider was fraught with issues. Security blogger Brian Krebs documented his own process of verifying his identity. He had issues and had to connect to an agent via video chat to resolve them, which was supposedly a feature of ID.me. When I set up my own account, I was somewhat more successful, although the amount of personal data required to establish my account did seem onerous, and I’m not sure I would have made the effort had the IRS not said my legacy online account would go away sometime this summer. One of the issues was the requirement for uploading live video selfies to establish the accounts, which some have called intrusive. One security wag likened it to having survived a “digital proctology exam.”

Krebs and I aren’t the only ones experiencing problems with ID.me’s use of facial recognition algorithms. A comprehensive analysis of 189 such systems by the US National Institute of Standards and Technology in 2019 found that the darker the face, the less accurate the software was at verifying the individual.

Another issue was more perceptual. ID.me ran into public relations problems when it stated that it “uses one-to-one face match – not one-to-many matching – to verify legitimate applicants. It doesn’t involve using any government data and isn’t tied to ID verification.” That distinction is an important one, because ID.me does use the more advanced one-to-many facial recognition software for its fraud prevention services. As one security blog first reported, the company had to clarify its claims. This also included explaining why ID.me had claimed to have prevented $400 billion in fraudulent unemployment benefit claims, since it is used under dozens of contracts with states’ unemployment benefit agencies. Whether you agree with this figure or not, there has been a massive amount of fraud since the pandemic by identity thieves applying for these benefits. ID.me is also used by numerous other federal agencies, including the Social Security Administration and the Veterans Affairs Administration, although it isn’t their exclusive identity provider.

Apparently, a lot of other taxpayers weren’t happy with being forced into using the service. Those with limited access to web browsers or smartphones have complained about the requirement. These complaints all came to a head in the past week. Several Congressional leaders from both parties sent letters to the IRS about the use of ID.me. This groundswell of negative opinion bore fruit and the plans to implement ID.me have been put on hold, with the IRS saying it will be replaced with some other system that won’t use facial recognition. “We are quickly pursuing other short-term options,” said the IRS acting commissioner Charles Rettig. “I appreciate that the administration recognizes that privacy and security are not mutually exclusive, and no one should be forced to submit to facial recognition to access critical government services,” said Senator Ron Wyden of Oregon, one of the more vocal opponents of the IRS’ ID.me implementation.

There have been other efforts to combat identity fraud. The US government has been building out the site Login.gov, a service used by more than 200 federal websites, with 40 million accounts already set up. The site doesn’t currently use facial recognition and its operators have stated they won’t deploy the technology in the future either. The EU has been working on its Digital Identity Wallet for some time now, although that technology makes use of video facial recognition. And the provinces of British Columbia and Ontario have been working on decentralized identity solutions.

What should the IRS do? We asked Drummond Reed, the Director of Trust Services for Evernym, to describe a three-point plan of action.

First, neither the IRS nor any U.S. government agency should ever rely on proprietary solutions for digital identity. “Putting the identity information of US citizens into the hands of a private company to interact with the government is simply wrong, period. Whatever solution the IRS adopts, it should be built on open interoperable standards. Citizens should have the choice of using whatever tools to prove their digital identity,” Reed says.

Second, the IRS should begin a program to adopt decentralized identity, so that any US citizen can prove their digital identity anywhere they go, not just at the IRS or other government websites. Reed has been involved in two projects that are building interoperable decentralized digital trust infrastructures, the Trust Over IP Foundation and the Decentralized Identity Foundation. “We need to extend federated identity services such as Login.gov to use verifiable digital credentials so they are even more secure, privacy-respecting, and useful to citizens,” says Reed.

Finally, the IRS should steer clear of storing biometric data on any central repository. Biometric data is the most sensitive of all identity-related data, and as such it must be handled and stored extremely carefully. “A much better design is to only ever store and verify biometric data on a local device such as a smartphone,” says Reed.

None of these suggestions are particularly ground-breaking. “Formulating the right policies for the IRS is possible,” says Reed. “The IRS can accomplish all of this with strong security, privacy, and data protection and with the robust support of a fully competitive market of vendors rather than an exclusive contract with a private company.”