The Internal Revenue Service (IRS) has come under fire for its decision to route Freedom of Information Act (FOIA) requests through a biometric identification system provided by ID.me. This arrangement requires users who wish to file requests online to undergo a digital identity verification process, which includes facial recognition technology.

Concerns have been raised about this method of identity verification, notably the privacy implications of handling sensitive biometric data. Although the IRS states that biometric data is deleted promptly—within 24 hours in cases of self-service and 30 days following video chat verifications—skeptics, including privacy advocates and some lawmakers, remain wary, particularly as they don’t believe people should have to subject themselves to such measures in the first place.

Criticism has particularly focused on the appropriateness of employing such technology for FOIA requests. Alex Howard, the director of the Digital Democracy Project, expressed significant reservations. He stated in an email to FedScoop, “While modernizing authentication systems for online portals is not inherently problematic, adding such a layer to exercising the right to request records under the FOIA is overreach at best and a violation of our fundamental human pure right to access information at worst, given the potential challenges doing so poses.”

Although it is still possible to submit FOIA requests through traditional methods like postal mail, fax, or in-person visits, and through the more neutral FOIA.gov, the IRS’s online system defaults to using ID.me, citing speed and efficiency.

An IRS spokesperson defended this method by highlighting that ID.me adheres to the National Institute of Standards and Technology (NIST) guidelines for credential authentication. They explained, “The sole purpose of ID.me is to act as a Credential Service Provider that authenticates a user interested in using the IRS FOIA Portal to submit a FOIA request and receive responsive documents. The data collected by ID.me has nothing to do with the processing of a FOIA request.”

Despite these assurances, the integration of ID.me’s system into the FOIA request process continues to stir controversy, as the push for digital ID verification becomes a growing and troubling trend for online access.

  • chicken@lemmy.dbzer0.com
    6 days ago

    “The data collected by ID.me has nothing to do with the processing of a FOIA request.”

    So why collect it? If the data is irrelevant to the request it shouldn’t be asked for. What is the IRS even trying to say here?

    Also I want to say I’ve had to use this system to do my taxes and it’s creepy as hell.

    • undefined@links.hackliberty.org
      4 days ago

      Likely they’re just using ID.me as an SSO provider that just passes some tokens back to the IRS after authentication. I imagine it’s similar to doing forward-auth in nginx or Traefik.

      I’m not defending the creepiness of ID.me itself, but I do genuinely believe the IRS isn’t actively trying to gather tons of biometric data (at least directly). We can’t really see what happens on the backend between the two, but as an end-user and web developer it looks like standard authentication practice (minus the creepy biometrics collection that happens on ID.me’s domains).

      • chicken@lemmy.dbzer0.com
        4 days ago

        I think maybe rather than trying to gather biometric data, the choice of this form of authentication is related to the intimidation factor of implying they might be.