Back at the beginning of the year, I wrote about a plan by the IRS to require taxpayers to verify their identities with facial recognition software company ID.me in order to access their online account with the IRS. At the time, I, like many others, warned that the proposal carried with it significant privacy concerns for taxpayers and would likely create yet another hurdle for taxpayers attempting to contact an already-unresponsive IRS.
Bowing to broad public concern about the plan, the IRS eventually dropped its proposed agreement with ID.me. But in the aftermath, it’s only become more clear that the agency’s judgment in agreeing to make ID.me the IRS’s data gatekeeper is another unfortunate instance of the IRS doing a poor job safeguarding taxpayers’ private information.
A recent report in Business Insider paints a portrait of a company ill-equipped to handle the responsibilities that state governments and federal agencies were entrusting it with. The Business Insider piece suggests not only that ID.me was overwhelmed by the volume of verifications it had to perform, but also that it suffered severe security lapses.
According to Business Insider, ID.me employees had access to the data and documents of any ID.me user, and remote employees were able to take company laptops home and access this information from there — in one instance, even before an employee’s background check was completed. Employees also shared private documents on a Slack channel for “peer review.”
Considering the extent of the relationship that the IRS planned to have with ID.me, taxpayers are fortunate that the IRS was diverted from its course. Nevertheless, it is worrisome that it took a sizable public backlash in order to prevent the IRS from entrusting the security of taxpayers’ data to a business that the IRS clearly did not vet carefully enough.
After all, had the ID.me deal gone forward, taxpayers would have had little choice but to hand their data over to ID.me. Data privacy concerns are one thing for consumers who can choose to take their business elsewhere. They are quite another matter for taxpayers who have to work with the IRS in order to pay their taxes.
Even before the Business Insider piece revealed new and significant concerns with ID.me’s internal data security, taxpayers had reason to worry about how the company would share its data. For example, the IRS’s agreement with the company allowed it to share some “non-personally identifiable information” of taxpayers, which included URLs visited before or after ID.me’s website, IP addresses, and approximate geographical locations.
And while normally it would be a pleasant surprise to see the technologically-challenged IRS, which has yet to fully integrate such revolutionary technologies as “secure document sharing” and “online chat,” embrace more cutting-edge technologies from the private sector, this was clearly a misfire. After a year in which Congress incessantly debated expanded enforcement funding, it has only become more clear that the agency needs investment and guidance at much more basic, operational levels.
Considering the ongoing data security failures within the IRS itself (we still don’t know how ProPublica accessed leaked confidential tax returns), taxpayers unfortunately must conclude that the IRS is currently not up to the challenge of safeguarding taxpayer data. Before Congress considers any other reforms to the IRS, the absolute first step must be to set the IRS up to succeed at its most basic responsibilities: serving taxpayers who have questions or tax return issues, processing taxpayer returns in a timely manner, and protecting taxpayer data.