The Trust Over IP Foundation was established to bring trust into the virtual, online world where, all too often, there is low or no trust in data exchanges. To overcome this challenge, the 100s of public and private sector members of ToIP promote open standards-based, interoperable solutions where the individual is in possession and control of their cryptographically verifiable identity attributes. In this context, a news item caught the attention of the ToIP Foundation in the past week where there was a lot of controversy over an exclusive contract between the United States Internal Revenue Service (IRS) and identity provider ID.Me. We base this post on publicly available information and begin with a quote from a Washington Post article:
Millions of Americans could soon have to scan their faces to access their Internal Revenue Service tax accounts, one of the government’s biggest expansions yet of facial recognition software into people’s everyday lives. For now, taxpayers can still file their returns the old-fashioned way; the IRS began accepting returns for 2021 earnings on Monday, encouraging electronic filing. But by this summer, anyone wanting to access their records — including details about child tax credits, payment plans or tax transcripts — on the IRS website could be required to record a video of their face with their computer or smartphone, and send it to the private contractor ID.me to confirm their identity.
Background
On November 17, 2021 the IRS announced the launch of an improved identity verification and sign-in process that enables more people to securely access and use IRS online tools and applications. And we agree with IRS Commissioner Chuck Rettig that, “Identity verification is critical to protect taxpayers and their information.”
To access certain IRS online tools and applications, the IRS decided to mandate that citizens provide extremely sensitive personal information, both biometric and biographic, to a single, private-sector entity. This entity would centrally store it, perform probabilistic analysis (biometric matching) with little or no transparency of how the solution was certified, how often it will be recertified, by whom, and what accuracy, security, or privacy criteria will be utilized.
While it is not clear why the IRS would relinquish this extremely sensitive capability in its entirety to a single, private-sector entity using a proprietary solution, there are clues. In the associated Privacy Impact Assessment (PIA) under PRIVACY TESTING, for example, the response to “Does the system require a System Test Plan?” is NO and the follow-on response to “Please explain why:” is “This [is] a[n] ID.me owned and operated system and not subject to IRS System Test Plan at this time.” The fact that IRS removed the mandate for the Facial Recognition component of the proprietary ID.me solution several days after the story was broadly publized does not resolve the underlying challenges of this approach to achieve trusted, remote authentication.
Challenge 1 – Ethical Use of Biometrics
Strong authentication can benefit from the use of biometric technologies but there are no policies in place for their ethical use which should include measures to ensure that accuracy, security, and privacy criteria commensurate with the specific use case(s) are certified and monitored.
To this end, the Office of Science and Technology Policy recently published a Notice of Request For Information (RFI) on Public and Private Sector Uses of Biometric Technologies. To meet the Ethical Use of Biometrics challenge, our policy makers must provide guard rails for the use of biometrics technologies in both the public- and private-sectors which are use-case specific. That is, similar to the FDA’s 12-step approval process for drugs to be considered safe and effective, before any drug can be released to the market for a specific, on-label use, it must go through a process that includes rigorous testing, with independent review, to demonstrate safety and efficacy, as well as post-approval monitoring.
Challenge 2 – Trusted, Remote Authentication
The Trust Over IP (ToIP) Foundation was established to simplify and standardize how trust is established over a digital network [PDF] or using digital tools (whether online or disconnected) by expanding the opportunities of digital trust by bringing a unified stack of standards for technical interoperability—the same approach that has been successful with the Internet and the Web— together with a unified model for expressing the rules and policies (“governance”) by which people and organizations can cooperate to achieve trust.
ToIP provides guidance, frameworks, and other assets to obviate the need for entities such as the IRS to rely on a single, private-industry contractor’s centralized solution to enable U.S. citizens to strongly prove their digital identities—any more than they would need to rely on a single company to provide them access to the Internet. Instead, like the Internet, the open standards-based ToIP stack (depicted below from the interactive model) would enable citizens to use any digital wallet, any verifiable credentials, and any privacy-respecting biometric verification technologies that meet the requirements of the IRS (as published in their governance framework) to prove a citizen’s identity and give them safe access to their tax records.
There are experts within the US Government that are familiar with, supporting, and promoting the standards associated with decentralized digital identity. They, along with many others internationally, support related ecosystems that enable entities to establish verifiable trust to issue cryptographically verifiable identity attributes that remain in the possession and control of the individual who may then selectively disclose cryptographically verifiable proofs (with or without the underlying identity attributes) through secure channels to verifiers that have established trust.
Where a citizen has a Foundational Identity through a government sanctioned identity proofing process – where the sanctioned entity, as per this NIST Special Publication, was able to “Resolve a claimed identity to a single, unique identity within the context of the population…”, e.g., passport, REALID driver’s license, that Foundational Identity should be used to authenticate an identity claim for each Functional Identity activity like paying taxes, voting, opening a bank account, receiving COVID-19 vaccination, or receiving a COVID-19 vaccination credential.
The ToIP trust ecosystem enables individuals to authenticate themselves using their trusted, cryptographically verifiable Foundational Identity and share cryptographically verifiable Functional Identity proofs without intermediation.
Conclusion
Instead of pushing proprietary, privacy-diminishing, honey-pot creating solutions, the IRS should strive for open standards-based, interoperable solutions where the individual is in possession and control of their cryptographically verifiable identity attributes (versus a single, private-sector vendor) as are the members of the ToIP Foundation.