Enhancing Privacy through Secure Identity Verification
Diane, a victim of identity theft in Minnesota, told NBC News:
“It’s been a nightmare. My husband and I would have survived better had our house burned to the ground, or if we had been burglarized or robbed at gunpoint. There would have been less hassle, less stress, and less indignation,’ she said. “It caused the death of our marriage and of everything we’ve known to be safe and secure. I have no hope or faith or trust in anybody anymore.”
David Crouse, a victim of identity theft, stated: “It really ruined me. It ruined me financially and emotionally.”
The Identity Theft Resource Center (ITRC), a non-profit organization that helps victims of identity theft released their Identity Theft Aftermath Studythat explains the lasting harm inflicted on innocent people. Eva Velasquez, the CEO of the ITRC, observed: “A full 10% of respondents had suicidal thoughts they hadn’t had before. 10% of people felt so overwhelmed dealing with this victimization that they felt like ending their life was an option.”
The FTC reported that identity theft tied to government benefits increased by 2,918% from 2019 to 2020. 2,918%. Given the devastating personal impact on victims, the scale of identity theft since March 2020 introduced an entirely new dimension of human suffering to the pandemic.
With respect to identity verification, privacy considerations balance evidence requirements against the harm to an individual’s privacy and well-being if an attacker steals their identity. Identity theft also imposes significant public costs. Organizations that lose money to fraud charge higher prices. Government agencies that make improper payments have fewer resources to pursue their mission. As a result, the context of a transaction determines the appropriate set of identity verification requirements to balance privacy considerations.
We are all familiar with this balancing act. When you open a bank account, a driver’s license and your face are sufficient to prove who you are. When you go to work, you use your office badge to gain physical access to the office. When you board an airplane, a driver’s license proves who you are but you also need a boarding pass to prove you have a ticket and you must submit to security screening of your possessions to protect other passengers on the plane.
Criminal organizations think about these trade offs in terms of a profit equation. If the benefit of a successful attack outweighs the costs to defeat identity verification, then fraud and identity theft will run rampant over systems. Effective security introduces sufficient controls to raise the cost curve to attackers to eliminate any net benefit so an attack becomes unprofitable. If this balance moves in favor of crime rings, then real people suffer. Some even commit suicide.
Unemployment benefits programs and other COVID stimulus programs like PPP represent the most lucrative targets criminal organizations have ever attacked. State workforce agencies and cybersecurity experts alike have likened the situation to the “Super Bowl for fraudsters.”
Today, ID.me verifies identity for unemployment claimants in 27 states. When we started to work with those states, many of them were completely shut down — they were completely unable to process new claims — because they were overwhelmed with fraud. The states that were still functional had severely degraded performance because they were unable to separate fraudulent applicants from legitimate claimants. In other words, the benefit for the attackers was so far above the cost to mount an attack that America’s unemployment system was failing.
Time and again, ID.me walked into a crisis situation and enabled vital aid to flow to unemployed people. We helped millions of legitimate applicants gain access to their benefits while blocking billions of dollars in fraud. We also protected tens of millions of people from the ravages of identity theft as criminals attempted to use stolen personal data to file for unemployment.
ID.me follows the federal standards for consumer authentication to government agencies, specifically National Institute of Standards and Technology (NIST) 800–63–3 Identity Assurance Level (IAL) 2 and Authenticator Assurance Level (AAL) 2. NIST is an impartial federal agency full of scientific experts who balance privacy and security considerations when dealing with identity verification at different levels of trust. NIST defines best practice in terms of privacy, security, and usability. ID.me is audited against the NIST IAL2 standards.
The NIST IAL2 controls defeated the fraud and allowed workforce agencies to begin processing claims at pace to speed critical aid to people and their families. Uniquely, ID.me also offers video chat verification as an alternative option for people who are not able to prove their identity in records. We have verified 1.24 million people through this video chat method. Other vendors that rely solely on personal data matching in records would have left these people behind.
When people lose their job, especially during a pandemic, they are more likely to move, potentially to stay with family or friends to save money. When they move, their information no longer matches in records. When their information doesn’t match in records, they are unable to prove their identity online. States that turned to data brokers like LexisNexis left huge numbers of applicants with no recourse to prove their identity online. At least one state had to change state law to enlist police officers to help people verify their identity for unemployment.
As part of our verification process, ID.me follows the NIST standards and compares a “selfie” to the photo on a government ID. This process is known as 1-to-1 Face Verification — it is decidedly not 1-to-many Facial Recognition. The former is what hundreds of millions of people use to unlock their phones every day and to prove their identity at a TSA checkpoint when they get onto an airplane. The latter is highly problematic — like having that same TSA agent on stage at a U2 concert trying to pick a single face out of the crowd. ID.me uses 1-to-1 matching.1
This process is not controversial. Americans prove their identity every day by displaying their photo government ID and their face to prove who they are. Apple and Android phone manufacturers have deployed this technology at scale to help eliminate passwords and PINs. In other words, this process is widely used across America, and the federal standards, developed by expert computer scientists, recommend these controls to enhance privacy and security.
The masks below provide visual confirmation the NIST standards work and prevent identity theft. ID.me stopped all of these masks to prevent a criminal from harming someone by using stolen information and government identity documents to file an unemployment claim in their name. We saw these masks on 2–2.5% of all unemployment claims in late 2020.
For every single mask we stopped, we protected an innocent person from the suffering that Diane and David experienced. Recent media stories have deliberately attempted to conflate Face Verification with Face Recognition — ignoring vast amounts of testing data published by NIST that demonstrate bias is not an issue for leading 1-to-1 Face Verification algorithms.
Given that identity theft leads to substantial human suffering in general and hundreds of billions of loss to the government specifically, the stakes are simply too great to do anything but follow the science. Taking a selfie enhances privacy because it keeps criminals from taking over someone’s identity and ruining their life. We are grateful there is a federal agency that defines the appropriate set of identity verification controls against risk. Because we have to get it right.
Lives are quite literally at risk.
— — — — — — — — — — — — — — — — — — — — — — — — — — — —
Blake Hall is the Founder and CEO of ID.me, the next-generation digital identity network that simplifies how individuals securely prove their identity online. Consumers can verify their identity with ID.me once and seamlessly prove their identity to over 500 organizations without needing to re-verify identity. Government agencies, healthcare organizations, financial institutions, and consumer brands use ID.me to verify customer identity.
In 2019, Blake was named CEO of the Year by One World Identity. Prior to ID.me, Blake led a reconnaissance platoon in Iraq. He was awarded the Bronze Star with Valor for stopping an Al-Qaida assault on a Combat Support Hospital in Mosul, Iraq. He won a second Bronze Star for exceptional performance hunting high value targets. Blake holds a Bachelor of Science magna cum laude from Vanderbilt University and an MBA from Harvard Business School.
Footnotes:
1. Clarification: ID.me verifies identity using 1:1 face match only. After an identity is verified, ID.me uses a specific 1:many check on selfies tied to government programs targeted by organized crime. That step is internal to ID.me and does not involve any external or government database. It occurs once during enrollment and exists to ensure a single attacker is not registering multiple identities. The 1:many step is not tied to identity verification.