The Internal Revenue Service (IRS) has a backlog of tax returns numbering in the millions and the agency can barely be bothered to answer taxpayer calls. Unfortunately, its failures don’t end there. The agency also doesn’t have a great history of protecting private taxpayer data. Not only did investigative outlet ProPublica somehow manage to get access to a trove of supposedly private tax returns last year, but taxpayer data has been leaked at least two other times over the past five years. Unfortunately, rather than solve the issue, its new identity verification scheme seems to be creating more problems than it solves.
Identity verification company and frequent government contractor ID.me came to prominence this past June when it was the source of an Axios report that criminals had defrauded the government of $400 billion in false unemployment claims, a number that seemed implausibly large.
But since then, the IRS has only continued to get cozier with the company. This past July, the IRS began paying out half of the Child Tax Credit, expanded under the 2021 American Rescue Plan Act as a monthly advance payment. Taxpayers who qualified for the credit based on their 2019 or 2020 tax returns were automatically enrolled to receive advance payments.
The problem was, some taxpayers who were automatically enrolled in the program were not actually eligible for the credit. Any money they erroneously received from the credit will be clawed back this tax season — a nasty surprise in the midst of a still-shaky economic situation.
Of course, taxpayers who did not wish to receive the advance payments could opt out, but to do so, they had to create an account with ID.me. For the lucky ones, this was just a bit of a hassle, entailing having to send pictures of themselves and their photo ID, then a video call with an ID.me agent to verify identity. But those who didn’t make it through the automated sign-up process could expect to have to spend hours verifying their identity.
And soon, ID.me will become an integral part of every taxpayer’s experience, if they want to live in the 21st century and access tax information online. Starting this year, taxpayers will have to go through ID.me in order to create and access their online account with the IRS.
Unfortunately, the IRS’s management of its contractor relationship with ID.me leaves much to be desired in terms of safeguarding sensitive personal and financial information. The IRS allows ID.me to disclose or share information deemed “non-personally identifiable,” which includes the URLs users visited before and after visiting ID.me’s site, unique device identifiers, and users’ IP addresses. That’s a tough pill to swallow for taxpayers who have no choice but to go through ID.me to access their account with the IRS.
It’s not just the federal government increasingly counting on ID.me to perform identity verification. Taxpayers in states like Pennsylvania have had their access to benefits frozen by ID.me’s algorithm bringing up a false positive, then had to wait for weeks to get the problem sorted out by the company. The last thing taxpayers dealing with an unresponsive IRS need is another hurdle to get over just to resolve tax disputes.
Taxpayers need to realize just how backwards the discourse in Washington is on this issue. Congress has spent months debating plans to massively boost the IRS’s enforcement budget and hand it expansive new tools to snoop on taxpayers. Those are the last things that an IRS that can’t keep data safe and can’t handle its most basic taxpayer service functions needs.
Congress desperately needs to take action to get the IRS’s house in order. That can include funding to its taxpayer service and operations accounts, but it should also push it to modernize and embrace digital filing to a greater extent. Most importantly, it needs to understand that protecting taxpayer data is a key responsibility, and not one to be taken lightly.
