IRS defends use of biometric verification for online FOIA filers
A few years ago, the Internal Revenue Service announced that it had begun using the identity credential service ID.me for taxpayers to access various online tools. At some point between then and now, the IRS quietly began directing people filing public records requests through its online portal to register for the private biometric verification system.
Though Freedom of Information Act requests to the tax agency can still be filed through FOIA.gov, the mail, by fax, or even in person, the IRS’s decision to point online filers to ID.me — whose facial verification technology has, in the past, drawn scrutiny from Congress — has raised some advocates’ eyebrows
Alex Howard, who directs the Digital Democracy Project and also serves on the FOIA Advisory Committee hosted out of the National Archives, said in an email to FedScoop that language on the IRS website seems to encourage ID.me use for faster service. It also doesn’t make significant references to FOIA.gov, a separate governmentwide portal that agencies are supposed to work with by law, he said.
“While modernizing authentication systems for online portals is not inherently problematic, adding such a layer to exercising the right to request records under the FOIA is overreach at best and a violation of our fundamental human right to access information at worst, given the potential challenges doing so poses,” Howard said.
The IRS defended its use of the service in responses to FedScoop questions, noting the other ways people can file FOIA requests and that the tool is only required of those seeking to interact with their public records electronically. The agency also said that ID.me follows National Institute of Standards and Technology guidelines for credential authentication services.
“The sole purpose of ID.me is to act as a Credential Service Provider that authenticates a user interested in using the IRS FOIA Portal to submit a FOIA request and receive responsive documents,” a spokesperson for the agency said. “The data collected by ID.me has nothing to do with the processing of a FOIA request.”
The IRS website currently directs people trying to access the agency’s online FOIA portal to use ID.me, which describes itself as a “digital passport” that “simplifies how individuals prove and share their identity online.” According to one IRS page, the “IRS Freedom of Information Act (FOIA) Public Access Portal now uses a sign-on system that requires identity verification.” Those hoping to access online FOIA portal accounts created before June 2023 also must register for ID.me, the site states.
The ID.me login page directs users to the FOIA portal, stating that those who can’t verify their identity can try visiting the ID.me help page or pursue alternative options. From there, another page tells users to try “another method” for submitting a FOIA.
The system requires users to upload a picture of their ID: They can choose between taking a selfie and using biometric facial verification software that compares the image to their ID — or wait for a video appointment to confirm their identity.
The system also appears to prompt users to share their Social Security number and includes terms of service that discuss the handling of biometric data. Two FedScoop reporters tried registering with the system: one had their expired identification rejected and had to attempt again with a passport, while the other’s driver’s license could not be “read” the first time but was accepted during a second attempt in combination with the video selfie. Both FedScoop reporters later received a letter, by mail, notifying them that their personal information was used to access an IRS service using ID.me.
What an ID.me scan looks like when signing into the IRS’s FOIA portal.
The IRS spokesperson said that the collection of a Social Security number is related to the digital authentication process, not the processing of the FOIA request itself, and biometric information is not retained by the IRS.
“The IRS requires ID.me to delete the selfie and biometric information within 24 hours for taxpayers who verify using the self-service process,” the spokesperson said, adding that “ID.me is also required to delete any video chat recording within 30 days for taxpayers who choose to verify using the video chat pathway.”
An ID.me spokesperson said in an email to FedScoop that no state or local agency uses the system for identity verification or as authentication for FOIA portals.
The FOIA portals for the Treasury Department and Social Security Administration do use ID.me, the company spokesperson noted, but both agencies seem to provide more information on alternative submission options to submit requests online. ID.me referred additional questions regarding the IRS’s use of the company’s FOIA portal to the tax agency. Treasury did not respond to a request for comment by the time of publication.
The Social Security Administration offers both ID.me and Login.gov — another government-run ID service — as options to log into its FOIA portal, FOIAXPress Public Access Link. Like the IRS, the SSA said in response to FedScoop questions that mail, fax, email and FOIA.gov are alternatives to filing FOIAs. A Social Security number is not required for accessing FOIAXpress, though it appears to be required for signing into ID.me, which some users might be using to file FOIA requests.
“In the scenario where a customer uses their ID.me account to access FOIAXpress PAL, the customer selects this sign in option on the login page and is redirected to a webpage on ID.me’s website,” an agency spokesperson said. “If the customer creates an account in this session, ID.me retains info on the registration event in their records.
They continued: “Upon successful account creation, the user is routed back to SSA’s website and allowed access to FOIAXpress PAL. SSA and ID.me retain info on the transaction in our respective records.”
“Submitting a Social Security Number to ID.me is related to the digital identity authentication process; generally it is not required for the FOIA process,” the IRS spokesperson added.
Albert Fox Cahn, a privacy-focused attorney who directs the Surveillance Technology Oversight Project, expressed concerns about the IRS’s use of ID.me. “This isn’t just creepy and discriminatory, it might break federal law,” he said in a statement to FedScoop. “Under FOIA, public records belong to the public, and no one should have to hand over their biometric data just to see the records they’re entitled to access.”
The use of ID.me by the government has sparked concerns in the past. In 2022, some members of Congress accused the company of downplaying wait times and misleading people about the way its facial recognition technology worked. The company, meanwhile, has defended its practices, including its work on fighting fraud during the pandemic.
Matt Bracken contributed to this article.
This story was updated June 11, 2024, to update Alex Howard’s professional affiliation.
