If you created an online account to manage your tax records with the U.S. Internal Revenue Service (IRS), those login credentials will cease to work later this year. The agency says that by the summer of 2022, the only way to log in to irs.gov will be through ID.me, an online identity verification service that requires applicants to submit copies of bills and identity documents, as well as a live video feed of their faces via a mobile device.
That will go down well.
I’ve had my first experience with this system and it did not work with firefox or chromium under linux. They both broke, interestingly at different points in the process (firefox got further). id.me tech support told me to use a non-linux OS, Ugh, seriously? I’m very unhappy about government forcing us to provide them with a private video feed into the house to use our accounts. This feels too much like a police state for comfort…
Alfman,
I am not sure how they handle user facing bugs, they seem to claim Linux support on their web site: “Mac, Windows & Linux: The most current and previous versions are supported.” ( https://help.id.me/hc/en-us/articles/1500004615921-What-are-the-technical-requirements-to-verify-my-identity- )
But of course this would show them being lazy about it. Not everyone has a non-Linux desktop, nor they should be paying for something they don’t want. (There was period where I too was Windows free, did not want to pay for it, and did not like the idea of pirating).
This was announced shortly after the ID.me news: https://www.bloomberg.com/news/articles/2022-01-28/treasury-weighing-id-me-alternatives-over-privacy-concerns
Not only IRS, but more US agencies are moving to these logins: https://www.wired.com/story/irs-us-government-wants-selfies/
My concern is, once the government tastes a new kind of power, they would rarely go back. At least once it becomes “set in stone”.
There is still some hope though. There is public backlash (as you have also referred). And some senators wants to block this: https://www.engadget.com/republican-senators-concerns-irs-use-of-idme-072209592.html
Hopefully it will be stopped before it is “set in stone”. Otherwise expect to have the same thing on all government correspondence.
sukru,
Once it becomes normalized there’s no going back. They can and will use it to rope more and more people and services into it. If it’s allowed to proceed it will become increasingly unavoidable no matter what they promise because they’re not going to stick by those promises. I’m not a big fan of government authentication being privatized by for profit companies either. How much are we paying for that?
Identification is important to provide services, but this isn’t a new problem. I’d rather have a keyfob, one could be issued inside our government issued IDs so that we have reliable authentication tokens that we can use online as long as we have an ID.
Alfman,
I would say it is even worse than privatized profits (and definitely socialized losses in case of breaches). They are essentially building a government issued monopoly.
And my experience have been all negative with them. PG&E, the major power company in California is one major example. I would accept that they actually have some decent service. But it comes at 4x the price of national average, and they do cause massive issues. Billions in damage and tens of people dead… Almost no responsibility by the government or the owners of the company.
Key fobs + password would probably be good enough, though. And no need to have it tied to government id.
It already is the current state of the art for protecting sensitive accounts. And there are existing standards with multiple manufacturers. FIDO / U2F works, is extensible, and supported by almost all browsers and mobile devices. (Google is also a manufacturer, but I think that is just to have a baseline implementation).
If they can mail tax forms, they can mail yubikeys in the same way.
sukru,
I’m not sure I follow? Isn’t the whole point that the government knows it’s you before allowing you to access your personal account? If they cannot identify you it wouldn’t serve the problem that it exists to solve.
Indeed. Previously they used username + password + phone to authenticate. If I recall I had to setup the account using a snail mail pin and obviously an SSN and details of my latest tax forms. A keyfob could easily be added without any of this video call nonsense, which will eventually be obsolete anyways with the rising prevalance of deepfakes, which are only becoming more accessible.
The IRS (and other government agencies) are signing onto “government authentication as a service” because privatizing authentication means the government will no longer have to handle website authentication in house. But I think id.me’s over engineered solution is not only invasive but will ultimately be less robust and more expensive than key fobs at scale.
For those who don’t know how this works, IRS.gov and others literally redirect users to “id.me”, which is a private company website, to upload authentication documents and use video calls to authenticates users and then redirect users back to the IRS with login credentials once id.me is satisfied. They explicitly keep your biometrics and records for 7 years.
If you cannot get through on id.me (as was the case for me), both the IRS and ID.me direct users to ID.me’s tech support, which is officially “24×7”, but they were backlogged by days and their support comprised of telling me to use a different OS.
https://www.msn.com/en-us/health/medical/a-selfie-really-idme-site-used-by-nc-des-to-combat-fraud-causing-delays-confusion/ar-BB1fHks0
I have a feeling this privatized ID.me system is going to cause a lot of new headaches this year.
Alfman,
I think I mis-expressed what I meant. I was talking about actual ID cards, like drivers license or passports. They too have microchips inside. But I would not want them tied to online logins. At least not in this implementation.
And… they never needed this in the first place. There is already a federal program for vetting cloud providers (FedRamp), which has very strict ID requirements. And they allow FIDO keys as part of the process: https://support.yubico.com/hc/en-us/articles/360016614760-Achieving-FedRamp-Compliance-with-the-YubiKey-FIPS-Series-Devices
So, government accepts these devices as secure enough. And these allow employees to login and access systems that contain data on private individuals. But the government does not accept them to access your own data.
sukru,
Ok, can I ask why? My point is what when filing taxes or applying for benefits we’re asked to provide the same ID numbers off of these same documents anyways, so I can’t think of a reason why making them robust online would be any worse for privacy? It would make it a lot more robust against fraud.
This has direct parallels to using credit/debit cards online. The banking industry hasn’t improved “card not present” transactions in decades and remains committed to using static numbers with practically zero security for authentication despite the fact that we have so many ways to cryptographically secure transactions remotely. Rather than use a secure system, they’ve evolved around the idea that fraud is an acceptable loss that merchants have to cover even though merchants have absolutely no responsibility for the insecure CC payment system they’re forced to rely on. This is a bit tangential to government ID, but technically it’s the exact same problem.
To be clear, I’m not saying additional keyfobs couldn’t work, obviously it could but that additional keyfob is clearly going to be tied to your preexisting ID in a database, so I don’t see any additional privacy benefit in having two cards. Right? Combining them into one that can identify yourself online or offline seems more practical to me (I don’t really want to be responsible for carrying even more government documents that serve the same purpose as the old ones except online).
Yes, corporations and governments use keyfobs to authenticate their employees including the IRS themselves The technology is clearly viable. But the public doesn’t get that option, it will likely remain insecure just like credit cards
In sweden they have something called BankID that if you once accept to use it, can not go back to regular identification. Without it you can not book tickets, shop online, do online banking and pretty much anything to do with the authorities if you are in the BankID database. They will not force you to accept it, and i myself will never use it nor even consider signing up for it, as it is almost impossible to go back once you have accepted it.
My guess is that in the not so distant future you will need to use that digital ID just to use the internet in Sweden. Happily we are not there yet.
It’s already like this in Brazil since I think the late 90s or 2000s … you cannot do any business electronically or really any significant business beyond buying basic goods without having a CPF or the like (which translates to physical person card).
Also its extremely problematic if this number gets stolen just like an SSN in the USA except an SSN isn’t really used all that much compared to it being required for almost everything in Brazil.
Well, the alternative is to verify your identity in person at some authorized point. It’s what we do in Spain to obtain a digital certificate from “la Fábrica Nacional de Moneda y Timbre” and it’s not a big problem but I’m sure that people will complain.
Authorized point. Unless you are a fascist, you mean a at most a legal local voting card.
Yes. Unfortunately we can not rely on government(s) to do something meaningful regarding surveillance capitalism, as they want the same thing. That is surveillance state.
I accept there needs to be some form of identity verification, I worry that some people who push against it complain just a bit too much. They might well be fighting to preserve our freedoms, but they may also be criminals losing a lucrative revenue stream.
When I see people ripped off online I accept we need something, an higher level of accountability, but then I can imagine the devastation that might have happened if the Nazis Party has access to a high speed digital database.
It’s hard to find a balance.
We can’t assume all those with potential future access to such a system will be benign!
And what of the future, and potential quantum threats?
cpcf,
Yeah, people need to be able to identify themselves. I still cringe at healthcare records being released with nothing more than a birthdate and SSN. This is so obviously insecure, but it’s the accepted security standard that everyone uses.
The real problem for privacy IMHO isn’t strong authentication, but data sharing without explicit permission. Banks, creditcards, tech companies, etc can and do share our information with partners and it’s perfectly legal to do without specific consent, only vague blurbs in the terms of service that don’t reveal who’s getting the data or how our data is really being used. They sell our information to all kinds of advertisers, mail, spam calls, even google is buying credit card transactions to cater online ads. Facebook isn’t above selling our data to our adversaries. Corporations are good at making sure that our private data belongs to them. We (or more precisely politicians) could fix this in one fell swoop by legislatively making such terms illegal and requiring services to clearly and explicitly ask for permission (ie opt-in) for every time they want to share our data. But until then consumers don’t realistically have the tools necessary to protect themselves.
At least HIPAA is more stringent about personally identifiable information, but even there our data might get resold and repackaged anonymously as the other article gets into.
@Alfman
I agree this is a risk / problem if people are doing it for profit by selling the data, I suppose that is often the case.
I don’t have a problem with correctly anonymised data being shared for academic or public health purposes.
In much the same way I don’t have a problem if Apple or MS use anonymised subscriber data to improve products, it makes perfect sense when it’s all in house as I get an end user product benefit from that data.
My problem is always related to selling anonymised data, if you profit from it I should too!
cpcf,
Well, I don’t have a problem with it if it’s opt in. I’m not comfortable with companies like MS tracking us on our own machines though, which is something they’ve started to do. The thing with anonymization is that this tends to be a post-process with the underlying database still containing personal identifying material. There are ways to use hashed data and make it more granular, but it’s a trade off between accuracy and anonymity. So unless there are legal restrictions like HIPAA at play, the market for personally identifying material is likely to continue regardless of what’s best for consumers.
Sure, why not. There’s nothing wrong with that, as long as it’s opt in. A cut of profits would provide incentives to opt-in.
It’s always funny watching Americans get all twisted into knots over centralised services, and then whining that nothing works between the hodge-podge of mostly-incompatible systems they’re stuck with.
Pretty much each province in Canada has a centralised authentication service for accessing provincial government services online. For example, BC has the BCeID system. You sign up for an account online, you provide details from your BC ID (for non-drivers) or driver’s license, and a phone number. Then you contact the service desk either via a cell phone, or a computer with a camera. They confirm the live video matches your ID, confirm your details, and generate your temporary password.
Federal government also has a similar centralised authentication service for accessing federal programs, including Canada Revenue: the GC Key (there’s also some legacy logins supported, but they’re eventually moving everything to the key). This one doesn’t require photo confirmation, it just uses your tax info and SIN to create the account.
I guess the difference is that in Canada, certain government IT projects actually work (yes, we do have our spectacular failures as well, like the Phoenix financial system), and we’re not afraid of centralised systems. Having it done by 3rd parties outside of government IT dept would be a little more dicey.
phoenix,
I don’t think centralization is the problem though, becoming ever more dependent on private companies for government access is. Citizens from overseas may not realize this, but we’re not even allowed to e-file our taxes with the IRS directly because accounting firms keep lobbying the government to block IRS from accepting taxes electronically. So if you want to e-file, we’re forced to do it through a private accounting firm. many of which charge fees to efile. It’s insane just much private corporations will corrupt things to increase their profits once they get involved.
Would you be ok with that though? Honestly I think submitting documents to private company and being reliant on them for access to government services and benefits should be controversial in any country, canada included.
The old system did allow you to login using a phone call as 2 factor authentication, but that’s what’s being discontinued. I’m all linux at home now, I’ll be incredibly pissed if they don’t fix it and I have to buy a windows machine or license to get past id.me and access my government accounts.
I’m a fan of keeping things simple, reliable, and unintrusive. IMHO ID.me fails on all counts.
I disagree. Centralization is absolutely the problem, especially when there’s no accountability at the government end which, in the U.S, is more often the case than not. The thing is, we get the worst of both: the politicians in bed with the very entities they hire to privatize the services (conflict of interest), and zero accountability by them or their friends. I have no problem with privatization in principal, as often companies are able to provide the services more reliably and without being weighed down by bureaucrats. We don’t have true privatization though. What we essentially have is government-funded chronyism in the guise of privatization. It’s an absolute disaster.
darknexus,
I don’t really understand that. Why is accessing services of the federal government in a centralized manor a problem that needs to be fought by the public?
I don’t think I understand your rational. Sure there’s resentment against government shortcomings, but to me that’s got nothing to do with whether or not the federal government uses one network versus many. A lot of these systems have to cross feed in the back end anyways so I don’t really see it as causing additional harm to privacy.
You have a lot more faith in corporations than I do. In fact, I think it’s bureaucrats who privatize government functions who often end up ballooning costs like our health care system. The layers of middle-men and subcontracting for even the simplest tasks is insane. The people doing the work end up getting a tiny fraction of what the government paid. They could save billions by cutting out the middle men who’ve corrupted government programs with their own for-profit incentives.
Anyways, we may end up disagreeing on the benefits of privatizing public functions. In any case the US government has been privatizing things for several decades with politicians promising that it will drive down costs, and yet it never seems to work out that way.
Just saw this in the news…
“IRS halts plan to require facial recognition for logging in to user accounts”
https://www.cnn.com/2022/02/07/tech/irs-facial-recognition-idme/index.html
I’m glad. I’d like to see them go to a keyfob solution like we started discussing above. I think cryptographic authentication is the obvious and ideal for combating fraud…but I kind of doubt they’ll ever get the house in order enough to deploy it.
Nice! Fortunately the backlash worked this time.
I am not too hopeful that they will implement a good solution in the short term. But I would be glad to be proven wrong.