ID.me’s legal woes are continuing to escalate. The company is now staring down the prospect of its second federal investigation in as many months, after the House of Representatives’ Oversight and Reform Committee initiated its review in April.
The new investigation comes courtesy of the Senate, where four Democrats have sent a letter to the Federal Trade Commission (FTC) to ask the regulatory agency to take a closer look at ID.me’s claims about facial recognition software. The four Senators suggest that ID.me deliberately misled both the government and the general public, and in doing so may have engaged in “deceptive and unfair business practices” that violate Section 5 of the FTC Act.
The Senators’ complaints stem from comments that ID.me and CEO Blake Hall made about the nature of its facial recognition system. More specifically, they call attention to statements and a blog post in which Hall claimed that his company only performs one-to-one matching to compare a new selfie to an image on a photo ID during the identity verification process. One-to-one matching is considered to be both more accurate and more secure than alternative one-to-many solutions, since the user’s image is never cross-referenced against a larger database.
However, Hall would eventually clarify that ID.me does, in fact, have such a database, and does use one-to-many facial recognition as part of its fraud prevention process. In doing so, he claimed that ID.me does not use one-to-many matching for identity verification, but instead to check whether or not someone has been associated with fraud or organized crime. He also claimed that the service does not rely on any external or government databases.
For his part, Hall argues that fraud and identity theft would increase without such a step. The Senators counter that Hall was purposefully withholding information that would have been less palatable to lawmakers and the general public. They raised particular concerns about the accuracy of one-to-many facial recognition systems, noting that such systems are more likely to misidentify people of color. Since ID.me is working with government partners, someone could be denied access to essential government services if they are the subject of a false match.
The Senators also chastised Hall for making misleading claims about ID.me’s technology partners. The company revealed that it had facial recognition partnerships with Paravision and iProov when lawmakers first started to scrutinize its contract with the IRS. The company initially failed to disclose that it had also been using Amazon’s controversial Rekognition facial recognition product to perform its one-to-many matches. Internal messages show that ID.me employees were worried that the company’s public statements were deceptive, and the company has since edited blog posts and white papers to fill in information that was initially left out.
As it relates to the FTC, the Senators are arguing that ID.me’s claims allowed it to secure government contracts that would have been out of reach had the company been more forthright about its product. That would constitute an illegal business practice, and could place the company in hot water, depending on the outcome of the FTC investigation. ID.me’s contract with the IRS is worth $86 million, and would have made ID.me mandatory for anyone trying to gain access to the agency’s online services.
The IRS has since backtracked, and was reportedly considering other authentication options. ID.me has similarly tried to emphasize its non-biometric identity verification utility, though critics have pointed out that the company has yet to submit its system for an independent audit. The company currently has more than 80 million users, and still has contracts with dozens of state and federal government agencies.
Sources: CyberScoop and BNN Bloomberg
May 20, 2022 – by Eric Weiss