• Identity startup ID.me has won dozens of contracts to provide verification for government agencies.
• As it grew rapidly, it left some user data exposed on internal chat rooms and dashboards, an Insider investigation found.
• Democratic Sens. Ron Wyden, Ed Markey, and Bob Menendez called ID.me's handling of information "careless" and urged federal privacy legislation.

Three Democratic senators this week criticized identity verification contractor ID.me's privacy and security standards after an Insider investigation found user data was left unsecure on internal dashboards. The senators, Robert Menendez of New Jersey, Ron Wyden of Oregon, and Ed Markey of Massachusetts, called the company's handling of personal information "reckless" and "irresponsible" in statements to Insider.

Data for any ID.me user, which included veterans and people seeking unemployment benefits, was easily accessible with a company laptop for most customer service workers, sometimes before background checks were complete, Insider previously reported. Some customer service workers were instructed to screenshot and upload users' personal documents (including passports, driver's licenses, and Social Security cards) to an internal Slack channel if they needed help verifying whether they were fake or real.

ID.me has won contracts with the Internal Revenue Service, Social Security Administration, Department of Veterans Affairs, and dozens of state unemployment agencies for its identity verification product. Most of those deals were closed in the last two years, during which time the company grew rapidly, hiring nearly 1,500 people and setting up new offices in Tampa, Florida, Insider previously reported.

Menendez, who was the lead signatory on a February letter to the IRS commissioner expressing concerns about ID.me, said he was troubled by the information Insider found.

"I have repeatedly expressed concerns about the amount of data and information that is collected and retained by companies like ID.me," Menendez said in an email to Insider, which he then posted on Twitter. "This report reveals that my concerns were justified–given the careless, irresponsible, and improper manner in which taxpayer information was handled by ID.me's employees."

Wyden criticized ID.me for handling "Americans' Social Security cards, drivers licenses and other sensitive documents with reckless disregard for basic security measures."

"Putting a private company between Americans and essential government services is risky in the best circumstances," Wyden said. He added that federal agencies should "speed up adoption of login.gov," a publicly funded login tool. Unlike ID.me, login.gov doesn't use facial recognition.

In February, Wyden also urged the IRS commissioner to stop using ID.me for IRS.gov accounts after Bloomberg reported that people were being locked out from accessing tax documents. The agency then said it would "transition away" from using ID.me.

Insider's investigation noted that many customer service workers could view a tab within ID.me's internal interface, showing all of the possible facial recognition matches to the selfies that people submit while making an ID.me account. The matches sometimes exposed duplicate accounts, but often, workers said, selfies were matched to faces of obviously different people. 

Markey, who also co-signed one of the February letters to the IRS, noted that the privacy violations described in Insider's report highlighted the need for Congress to pass legislation regulating the use of facial recognition by the federal government and law enforcement.

"Consumers and members of the public shouldn't have to accept lax privacy and security standards as an inevitability in our increasingly digital society," he said in an email. "The stakes are particularly high when sensitive information, like biometric data, is involved."

ID.me expanded quickly in response to its new contracts with the IRS and state unemployment agencies during the pandemic. Former employees told Insider that the company could not handle the avalanche of work it took on, leading to helpline queues thousands of people long. These workers were often told to verify accounts and resolve tickets as quickly as possible. Veterans and their families complaining to the VA about being unable to access their benefits would frequently be redirected back to ID.me's helpline, Insider previously reported.

On Tuesday, ID.me laid off some of its corporate employees. CEO Blake Hall said in an email to staff that the layoffs were part of the company's efforts to "reorient the business around core products and establish an organic path to profitability."

Read the original article on Business Insider