Biometric Tech Company ID.Me Continues To Swallow Gov't Agencies, Cause Problems For People Trying To Access Their Gov't Benefits
from the questionable-claims,-extremely-limited-accountability dept
A private company, that leveraged a bold (unproven) claim about $400 billion in pandemic unemployment fraud into government contracts allowing it to (mistakenly) lock people out of their unemployment benefits, is hoping to use both of these dubious achievements to secure even more government contracts.
Here's the claim:
Blake Hall, CEO of ID.me, a service that tries to prevent this kind of fraud, tells Axios that America has lost more than $400 billion to fraudulent claims. As much as 50% of all unemployment monies might have been stolen, he says.
Here's at least one immediate reaction to Halls's claim.
“The greatest theft of American tax dollars in history has risen unabated to $400 billion, with nearly half of all pandemic unemployment spending lost to fraud by criminals,” declared Kevin Brady, the top Republican on the House Ways and Means Committee.
And here's the reality:
In December, California, by far the largest state payee of benefits, said it had identified $20 billion in fraudulent unemployment payments during the pandemic, 11% of what it paid out overall. California was responsible for a quarter of all pandemic unemployment payouts in the U.S.; if its fraud experience held nationally over the past two years it would translate into roughly $95 billion. That’s a big sum, but still only a quarter of what Hall was estimating. And other states like Ohio and Texas have reported lower levels of fraudulent payments than California.
But it made for a hell of a sales pitch. ID.me is currently used to verify the identity of unemployment benefit recipients in 27 states. It also secured a $1 billion contract from the Department of Labor to modernize state systems used to handle dispersal of these benefits.
All of this snowballed into ID.me's biggest get: the Internal Revenue Service.
If you created an online account to manage your tax records with the U.S. Internal Revenue Service (IRS), those login credentials will cease to work later this year. The agency says that by the summer of 2022, the only way to log in to irs.gov will be through ID.me, an online identity verification service that requires applicants to submit copies of bills and identity documents, as well as a live video feed of their faces via a mobile device.
That's from Brian Krebs of Krebs On Security. His experience with the verification process was far from painless. The process requires users to take a live, video selfie from the same device being used to apply for the account. This means users can't use a laptop/desktop computer and take the selfie on their phone, even though that would be the most convenient way to accomplish both tasks (apply and verify).
In Krebs' case, the application process got stuck when ID.me came to a halt during the phone verification process, prompting a request for Krebs to reupload three identification documents. Then it told him to wait:
After re-uploading all of this information, ID.me’s system prompted me to “Please stay on this screen to join video call.” However, the estimated wait time when that message first popped up said “3 hours and 27 minutes.”
The system has glitches, as is to be expected from any system engaging in identification verification over the internet. But the problems experienced here are far from abnormal, and that's going to cause lots of people lots of problems with tax filing season now underway. This only adds the IRS to the list of government entities that have discovered it's not performing as well as advertised.
A log of complaints for California’s Employment Development Department (EDD), which signed up with ID.me in September 2020, details issues ranging from a transgender person being blocked from accessing benefits because the gender on their driver’s license didn’t match their passport to an applicant who went through ID.me’s verification process only to find their claim still on hold six weeks later. In a January 2021 letter to the EDD, California state Senator Anthony Portantino complained that his staff had been “inundated with urgent pleas” from constituents whose benefits were on hold as a result of problems with ID.me. “This recent purge has put thousands of legitimate claims in limbo, with no instructions for how to get out of ‘ID verification jail,’ ” Portantino wrote.
Some of these problems can be traced back to ID.me's facial recognition AI, which has yet to be independently tested, despite being the only option for many people seeking access to their unemployment benefits or tax information. There has been some sort of testing, but not with any results ID.me is willing to share with the public.
Hall says the company isn’t running images through a preexisting database, the way law enforcement does, and that it selects facial-recognition vendors that comply with federal standards, though he wouldn’t name them. The company also says ID.me put its facial-recognition software through two separate tests for racial bias in 2021 and found no evidence of discrimination.
And CEO Blake Hall continues to insist ID.me is stopping billions of dollars of unemployment and tax fraud, even though it would appear that a lot of what Hall considers to be thwarted fraud may just be the inadvertent thwarting of legit benefits claimants.
For example, between Jan. 28 and March 8, 2021, ID.me had 654,292 users start its verification process in California, according to data Hall provided. Just half of those users completed ID.me’s checks. Hall argues that any users who didn’t complete the process were clearly scammers.
[...]
On Nov. 17, 2020, for example, ID.me reported that the prior week, 101,050 people in California attempted to verify their identities with ID.me. Of those, just 40% succeeded. But you could see the frustrations unemployed workers and their advocates complain about playing out in the data: Almost a quarter of the people ID.me dealt with in California that week tried to get on a video call with a company rep, but only 10% of that group succeeded. More than 7,000 people also abandoned the ID.me process by either closing their browser midway through or having their session time out. Both situations are as easily attributable to tech glitches as fraud.
This isn't very comforting. ID.me's CEO seems willing to declare failures of the company's system as victories against fraudsters. This unwillingness to even consider the possibility the system has flaws that might separate users from benefits or tax information isn't something you want to see in someone running a company that has already nailed down more than half the country's unemployment payments business. Becoming the point of entry for IRS accounts will just make local issues national issues.
It's also not exactly comforting that one company holds so much biometric and personal data. That makes it a tempting target for malicious hackers, especially now that it's also home to Internal Revenue Service data. It's going to make people start asking for some sort of biometric data federalism -- one that keeps the federal government from intermingling its sensitive info with state data stashes by using the same vendor to collect ID verification info.
Presumably, ID.me will get better at what it does. And it does appear to be doing everything it can to secure the information it's collecting on behalf of several government agencies. But it's being led by a CEO who is unwilling to allow independent inspection of its AI, who built his company's business on a questionable assertion about pandemic-related benefits fraud, and who has an alarming tendency to blame system issues on end users or to portray ID.me's failures as successful direct hits on benefits fraud.
That's a lot of buck-passing for someone who is being entrusted with the financial, personal, and biometric information of millions of Americans. And it suggests if the shit ever really hits the fan, the CEO is going to ghost a bunch of taxpayers who were never given any input or options when it comes to accessing benefits that are rightfully theirs.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: access, biometrics, facial recognition, irs, logins, privacy, taxes
Companies: id.me
Reader Comments
Subscribe: RSS
View by: Time | Thread
already know about the fraud
But it aint the common person doing most of it.
[ link to this | view in chronology ]
"The company also says ID.me put its facial-recognition software through two separate tests for racial bias in 2021 and found no evidence of discrimination."
They should share more information, since that seems to make them very unique in the industry.
[ link to this | view in chronology ]
What about a blind person, who uses a desktop and needs a keyboard, but does not have or use a monitor?
[ link to this | view in chronology ]
Re:
Not sticking up for the slimy company, but: oh, BS! Show me one blind person that runs their computer headless. They still need a sighted person to setup, configure, and maintain the machine. That requires a monitor. Which, by the way, has NOTHING to do with the story. You don't take pictures with a monitor.
[ link to this | view in chronology ]
Re: Re:
There are several Linux distros that can be installed set up by a blind person. Also, if a monitor is needed by a sighted person to set up the system, they can bring one with them, and take it away when they are done. What may be more significant is failing to have a site useable by blind people.
[ link to this | view in chronology ]
Oh, sir... we've been asking for that ever since Real-ID passed.
Real-ID is everything ID.me is, and protected by your government with all the security the Office of Personnel Management can muster. Admittedly, Real ID is under Homeland Security, who got a "B" cybersecurity grade, but the database is accessible by law enforcement far and wide. Want to guess THEIR cybersecurity grades?
[ link to this | view in chronology ]
Re:
The letter that comes after z.
[ link to this | view in chronology ]
Re: Re:
I hope that's not based on the default Linux collating sequence, i.e., A.
[ link to this | view in chronology ]
This
is why we see people get all second-amendmented and go postal.
[ link to this | view in chronology ]
hate them
i had this with CA. submitted docs said it would be about 6 hours for a live person to review and to please hold. then at just under 6 hours, was told my docs had an issue and resubmit then they dropped the connection. NO opportunity to fix on the spot and that live person never showed up. I resubmitted and was told i had to wait another 7 hours...which worked and the guy told me the reason i was rejected before was because the photo of my BC was slightly grey in the corner and they couldn't read the strip or micro text that was all the way around. It was literally just an inch of slightly grey area but the entire rest of the doc, including seal was there.
[ link to this | view in chronology ]
Analogy with Australia's Robodedt program
There's an interesting analogy here with Australia's Robodebt program. Robodebt used data matching (in a likely deliberately incompetent way) to also kick people off benefits that they were entitled to. Its stated aim of fraud prevention turned out to be somewhat flawed. I suspect Americans are going to see similar failings from this program, but as usual, by the time the failures are rectified a lot of lives will have been ruined.
[ link to this | view in chronology ]
Buck-passing
What is this contract other than buck-passing by the IRS, who are supposed to be managing security?
[ link to this | view in chronology ]
I can't wait for the stories of people dying & politicians claiming they had no way to see this outcome...
Then trotting out the stories of Oz & the UK where not only did they kill people they KEPT killing people knowing the programs were flawed & did fuckall to try and stop killing citizens in need.
There is no problem worse than an imaginary one, except the solutions created to solve those "problems".
All these rules meant to punish welfare queens just pumping out kids for more benefits & punishing them... meanwhile the actual welfare queens milking the system turn out to be mighty white.
All these rules forcing employees to learn to spot & report 'trafficked' persons... meanwhile lets hassle that nice black dad taking his kids on vacation.
All these programs sucking up dollars to 'rescue' the 10 million children forced to have sex at the Superb Owl... well that got that one guy who was selling counterfeit foam fingers.
Dildos are still banned in some places in this nation there is no good reason for this other than some people think sex is icky, but their discomfort shouldn't make law.
I often wish I could train a neural network based on how I think, I would be the snotty 12 yr old every idea should be run by to explain the flaws. To many times people seem to imagine that tech will magically avoid the possible problems & anyone mentioning the problems is just inventing issues.
But then I also give advice like this...
google "Me to pregnant friend: Instead of practicing on a doll" end up on ifunny
[ link to this | view in chronology ]
ID, DOT, STAR CARD
I hope you all know of the topic listed.
Mr. Bush jr. instigated it.
Every state is now saving your Data at Dept. of transport.
DOT used to throw your drivers lic. pic away after a few years, the amount of data in the past was to much, until we got LARGER Storage on computers.
So, why hasnt this company asked for the data. They could have it in 1 day, if they ask the right person. Every picture and address of >1/2 of the state. AND as its a state ID, there should be no Problem.
[ link to this | view in chronology ]
Good con if you can run it
Build atrocious system with utterly insane requirements like 'wait several hours on hold'.
Have people either decide to try again later under the mistaken impression that it's just busy at the time rather than your service being garbage or have a technical issue end the call for them.
Claim that any call that doesn't go through is evidence of fraud and shows that you deserve all the money you've been granted and them some.
Profit.
[ link to this | view in chronology ]
It's worth pointing out that as "...far from painless" the application process was for Brian Krebs, it was probably still a whole lot better than it would be for the average Schmo:
[ link to this | view in chronology ]
This is the beginning of China's social credit system. 1st everyone is now REQUIRED to own a verifiable cell phone to access services from the government. Next you're going to need to use this to buy a house. Pay taxes(already happening). enroll your kids in school. Buy plane tickets. Open a bank account. Collect social security. Get help at the VA. And if youre homeless, or marginalized by poverty?.. tough sh*t. No phone no access. No Id.me no assistance. This is going to get so bad an onerous that people will literally die by not being able to get basic life saving services. No Id.me , no emergency room.
[ link to this | view in chronology ]
$20 billion in fraudulent payments in California is... actually a lot, even if the numbers fall well short of what the company is claiming. But how much of that is people claiming to be someone else, versus people claiming to be themselves but committing fraud in other ways?
I mean, if we really have $20 billion worth of fraud from people claiming to be someone else, then the process is obviously broken and we should find a solution, even if that solution isn't this company.
[ link to this | view in chronology ]
Re:
Problem 1 is 20 billion jumped to 400 billion in the twitch of politicians fundraising sphincter.
Problem 2 is the system was never designed for a pandemic & lets admit they've done fuck all to prepare for the next big thing that will overwhelm the system. Scaling to this size drew giant targets on the flaws in the system that have never been addressed.
Problem 3 Without defining the actual problem (we think we gave out 20 bil to much, maybe an audit?) they've just thrown tech at the problem as the magical panacea to solving the problem.
The federal government spies on us & collects huge troves of data in the name of keeping the nation safe... but somehow we can't verify someone is who they claim to be without a 3rd party doing 'facial rec'??
Identity theft isn't a new problem, but there is no will to make rules that might hurt profits. Its so much cheaper to let the average citizen fight in court that they never took out said loan than to admit perhaps the company knew the ID was leaked (cause they leaked it) and shouldn't have approved it so quickly, but the burden needs to be on the person who did nothing wrong.
But then I like problems clearly defined so that solutions can fix the real problem & not imaginary problems.
[ link to this | view in chronology ]
ID.me
I had to use the facial recognition feature of ID.me last week when I tried to log into my existing IRS account. I was already an ID.me account holder. It took 4 tries to scan my face before their system took it.
I've used ID.me for years as I am a retired GI. As a military retiree, they already have me verified 6 way to Sunday. I don't think the video verification is necessary or value added.
[ link to this | view in chronology ]
you can't use https://www.login.gov/ instead? i prefer the government site as opposed to a commercial site.
[ link to this | view in chronology ]
Not going to be everyone's experience
"The process requires users to take a live, video selfie from the same device being used to apply for the account. This means users can't use a laptop/desktop computer and take the selfie on their phone, even though that would be the most convenient way to accomplish both tasks (apply and verify)."
Just want to point out that I did the exact thing this quote says you can't. I applied from a laptop that did have a webcam. Once the phone verification part was complete (TELL PEOPLE TO DISABLE THEIR ADBLOCKERS AND IT WILL WORK!), they sent a link to my phone for taking fresh pictures of the documents, and face scan, then it went back to the laptop for the live video chat. It couldn't match me with my ID (my hair color changed and I lost 30lbs so duh) so the live chat was required. I was half-embarrased the call started so fast (less than 30 seconds when it gave me a minute wait time). I was still in my underwear and the guy was very professional about it. It was a mundane but simple process that I'm confident the average threat actor could not have pulled off.
[ link to this | view in chronology ]