In other words, he—and every other taxpayer who had gone through the process—had given control of his critical data to a private company, not to the IRS. The private company wasn’t processing Krebs’ data for the IRS, the way Amazon Web Services runs your applications for you. Instead, the private company appointed by the IRS to intake and verify Krebs’ data was the central hub. The IRS was clearly not in control of the data it had demanded, and that is a very important difference. In effect, the private entity had ownership of the data, which raised questions.
Did this mean the private entity could do whatever it wished with its treasure trove of data on taxpayers? Could it ask Krebs for permission to share his data with, say, Netflix or other consumer service providers? Did it even need to ask his permission?
Despite Krebs’ criticism, he offered advice for citizens that surprised some: get verified using biometrics. He pointed out that it’s a smart move to “plant your flag” by establishing your identity correctly with the government before identity thieves do it for you. In other words, “be the first on your block to be you” because the potential loss from an identity theft today is greater than the risk if your biometric data are stolen at a later point in time.
Is there still a controversy?
It’s important to distinguish between processing and “ownership.” If the IRS retains clear authority over how your confidential data is used, then it’s logical and acceptable for the IRS to appoint a private company to hold the data and confirm your identity when you log into your IRS account. An important caveat: to merit such trust, the private entity needs to have built the infrastructure and security-in-depth necessary to provide a high level of protection.
Even when a private firm appears to have all the right policies and defense measures in place, the IRS [government] should own the sensitive data it requires from taxpayers, and the IRS should have dictatorial control over how it is used.
Making clear that the data belongs to the IRS clarifies responsibility, sets limits for how it’s used, and might even have a deterrent effect: if someone steals information that belongs to the IRS from a private service provider acting as data steward, they know they’re asking for a prison sentence.
Biometrics: Handle with care, but not the real issue
This IRS move probably would have received less scrutiny had it not included biometrics, which are a hot button. Equifax showed how one breach can compromise every taxpayer. Today, however, that single breach could mean something additional: the permanent loss of biometric data. If they steal your password, you change it. If they get your face, well, they have years to figure out how to exploit it.
To confront that danger, we (like most experts) recommend multi-layer, multi-factor security. If one feature is stolen, you can still be safe and function in society. Multi-factor IDV is safer because it’s almost impossible to steal every signal you’d need to pose convincingly as someone else. Hacking facial data and a password would still not be enough to steal a bank account. Multi-layer defense as part of a holistic approach to IDV makes a managed-risk approach viable, even for high-value assets.
What’s the right way to handle identification of taxpayers online?
There’s no reason to exclude private companies with expertise in identity verification from working for the IRS. If they are efficient at IDV, have the necessary infrastructure in place (unlike the IRS), and have extensive track records of protecting financial and PII data, they are likely well-qualified as long-term data stewards.
For the IRS and government in general, their two North Stars are accessibility and security. Private companies can help with accessibility, which is crucial to universality — everybody needs the ability to file a tax return and get their refund. Accessibility is already an issue, given that we’re required to pay taxes even if we don’t own a phone, a camera, or a computer. Private vendors can help by offering more than one method of verification.
However, it’s advisable for the IRS to take final responsibility for the safety of our data, allowing private companies to process and hold the data as necessary for identity verification—for the IRS. The IRS should have final say over the IDV workflows and thereby own the user experience. Under those conditions, taxpayers would feel more at ease in “planting their flag” by going through ID verification.
Rick Song is the co-founder and CEO of Persona.