
February 03, 2022

Senators ask IRS how new partnership will affect private taxpayer information and civil liberties

Washington, D.C. – Senate Republicans, led by Ranking Member Mike Crapo (R-Idaho), are raising serious questions and concerns with the Internal Revenue Service’s (IRS) announcement of a major expansion of its collaboration with ID.me, which will require taxpayers to have an ID.me account to access key IRS online resources. In order to register with ID.me, taxpayers will be required to submit a wealth of personal information, including sensitive biometric data, to ID.me starting in summer 2022.

In a letter to IRS Commissioner Chuck Rettig, the senators write, “The IRS has unilaterally decided to allow an outside contractor to act as a gatekeeper between citizens and needed government services. The decision millions of Americans are being forced to make is whether to pay the price of giving up their most personal information, biometrics, to an outside contractor or reverting to the age of paper-based bureaucracy where information travels slowly, is inaccurate and some would say is treated inconsistently with contemporary life.”

The senators identify a number of issues and raise serious questions, including but not limited to:

  • Intrusive verification measures that may be required of taxpayers, including submitting biometric data to ID.me such as a video “selfie” – an identifier that cannot be changed if compromised, unlike a password;
  • Cybersecurity standards and how this sensitive data will be stored and protected;
  • Surveillance issues, as ID.me is not subject to the same surveillance rules as a government agency; and
  • What assurances and what rights are granted to taxpayers in the collaboration, as it appears that taxpayers would be subject to several conditions of agreement filled with dense legal fine print.

To see the full list of questions and read the letter in its entirety, click here or read below.

Senators signing the letter include:

Mike Crapo (R-Idaho)

Marsha Blackburn (R-Tennessee)

Chuck Grassley (R-Iowa)

John Cornyn (R-Texas)

John Thune (R-South Dakota)

Richard Burr (R-North Carolina)

Rob Portman (R-Ohio)

Pat Toomey (R-Pennsylvania)

Tim Scott (R-South Carolina)

Bill Cassidy (R-Louisiana)

James Lankford (R-Oklahoma)

Steve Daines (R-Montana)

Todd Young (R-Indiana)

Ben Sasse (R-Nebraska)

John Barrasso (R-Wyoming)

______________________________________

Dear Commissioner Rettig:

On November 17, 2021, the Internal Revenue Service (IRS) announced a major extension of its collaboration with ID.me which will, starting in the summer of 2022, require taxpayers to have an ID.me account in order to access key IRS online resources. While we understand that the IRS’ use of ID.me is intended to protect data and reduce fraud, we have serious concerns about how ID.me may affect confidential taxpayer information and fundamental civil liberties.

To access IRS online services, including checking the status of a return, viewing balances and payments received, obtaining a transcript, and entering into a payment agreement online, taxpayers will soon need to register for an ID.me account. As part of registration, ID.me requires a wealth of personal information, which may include one or more of the following: (1) government-issued photo ID, (2) passport, (3) birth certificate, (4) W-2 form, (5) Social Security card, (6) veteran’s medical ID card, (7) DHS trusted traveler card, (8) “selfie” video with smartphone or webcam, (9) utility bill, (10) insurance bill, (11) phone bill, and (12) recorded video interview with an ID.me employee.

The above list is not exhaustive. ID.me may need other items. The most intrusive verification element is the required “selfie”, which is more than just uploading a photo; it’s submitting your face to be digitally analyzed by ID.me into a “face print”. Additionally, use of ID.me appears to subject taxpayers to the terms of three separate agreements filled with dense legal fine print: a Privacy Policy Agreement, a Terms of Service Agreement, and a “Consent and Biometrics Policy”.

ID.me’s “Biometric Data Consent and Policy” defines biometric data as including “fingerprints, voiceprints, hand scans, facial geometry recognition, and iris or retina recognition”. Unlike a password, authenticator app, or hardware key, biometrics can never be changed.

We are deeply concerned for many reasons. Both government and private companies have an unfortunate history of data breaches. The examples are numerous. Two of the most prominent are the breach of the Office of Personnel Management, where the government failed to protect some of the most sensitive identity details of its critical employees, and the recent Pro Publica leak, where the authorities revealed legally protected confidential information of many US taxpayers. There is ample evidence to be very concerned about an IRS contractor’s ability to manage, collect, and securely store this unprecedented level of confidential personal data. To put that into perspective, in 2019 the IRS estimated that it faced 1.4 billion cyberattacks per year. It’s highly likely that with personal information of 70 million individuals, including biometrics, ID.me could be a prime target for cybercriminals, rogue employees, and espionage.

The IRS unilaterally decided to allow an outside contractor to stand as the gatekeeper between citizens and needed government services. The decision millions of Americans are being forced to make is whether to pay the price of giving up their most personal information, biometrics, to an outside contractor or reverting to the age of paper-based bureaucracy where information travels slowly, is inaccurate and some would say is treated inconsistently with contemporary life. It is also of concern that ID.me is not, to our knowledge, subject to the same oversight rules as a government agency, such as the Freedom of Information Act, the Privacy Act of 1974 and multiple checks and balances.

We would like more information about the IRS’ collaboration with ID.me. We also ask that you please respond in writing to the following questions and requests by February 27, 2022, and provide a subsequent briefing to review your written responses.

  1. How did the IRS decide to require taxpayers to submit their personal information, including biometrics, to an outside provider in order to access certain IRS online resources?
  2. What due diligence did the IRS perform to ensure taxpayer information would be protected before entering into a contract with ID.me?
  3. What oversight does the IRS have on ID.me after entering into an agreement with them?
  4. In order to register with ID.me to access an IRS online account, must one accept or be subject to the ID.me Privacy Policy Agreement, Terms of Use, and Biometric Data Consent and Policy?
  5. Before entering into a contract with ID.me, has the IRS verified that the entire system of ID.me has undergone an independent cybersecurity audit? If so, are these audits periodic?
  6. List all types of taxpayer data that will be collected and stored by ID.me. Where will the data be stored? How long will the data be stored? What safeguards are in place to protect the data?
  7. Can an ID.me employee access information uploaded to ID.me by taxpayers? If so, how does the IRS ensure that this taxpayer information is not misused?
  8. Will taxpayers be able to delete all of their data from ID.me storage? Does deletion equate to permanent deletion from all devices on which the data is stored? Assuming that permanent deletion is possible, how long does it take between the request and the actual permanent deletion?
  9. If the IRS cancels its collaboration with ID.me or if the term of the contract expires, what will happen to the personal information submitted by taxpayers?
  10. How does the IRS contract with ID.me deal with state laws limiting the use of biometric data (e.g., Illinois Biometric Information Privacy Act)?
  11. Does the IRS know how the “selfies” required by ID.me are analyzed (e.g., is digital forensics used to analyze an image’s metadata, EXIF data, depth map, facial geometry, or 1:1 or 1:many face recognition)?
  12. As the IRS has experienced unprecedented difficulty managing the volume of correspondence and telephone calls from taxpayers, does the IRS or ID.me collect information about taxpayers’ experience with ID.me (for example, customer satisfaction, wait times, number of repeat contacts and difficulties with facial recognition technology)? What mechanisms are in place to ensure a quality service by ID.me?
  13. What contingency plans are in place for an event in which ID.me has a data breach that includes taxpayer information?
  14. Please describe the IRS process for making ID.me a “Trusted Technology Provider”.
  15. What criminal penalties do IRS employees or contractors face if they intentionally or negligently disclose personal taxpayer information without consent?

Thank you for your immediate attention to this matter.

Truly,
