I am terrified of mice. It is an I-can’t-even-look-at-them level of terror. So, my very realistic and totally doable rule is that I avoid them at all costs. And that usually works out for me.
But a few years ago, my now-husband was on a business trip to Germany when I heard a rustle in the apartment. It was, I convinced myself, just the wind. And then I heard it again. Before I could form any real plan, a little head popped out from under a piece of paper and stared up at me. Without thinking it through, I grabbed the nearest trash can and flipped it over, trapping the mouse. I was relieved for a moment until my next thought: Now what?
We’ve all been there. There’s been a moment for each of us when we took action that made sense at the moment but turned out to be something other than a satisfactory and complete solution.
And so, it would seem, has the IRS.
At the start of tax season, I reported that the IRS was using new technology focused on photo identification for verification. Specifically, taxpayers who wanted to access online services were advised to create a new ID.me account. IRS referred to ID.me, a self-described “secure digital identity network,” as a “trusted technology provider in helping to keep your personal information safe.”
But not everyone was on board with the move. The day after I posted the story, Bloomberg reported that “[t]he Treasury Department is reconsidering the Internal Revenue Service’s reliance on facial recognition software ID.me for access to its website.”
This week, the IRS confirmed that it would stop requiring taxpayers to use facial-recognition software to access online services. The announcement followed a firestorm of criticism about ID.me’s registration process and related fraud complaints.
The announcement was met with some cheers on social media, mixed in with criticisms of the IRS plan. Statements like “poorly executed” and “#fail” echoed how many taxpayers and tax practitioners felt about the system. What floored many, including me, was the timing of the ramp-up—during tax season—together with the speed of implementation. As I wrote in my earlier column, “I think we all assumed that the IRS would tiptoe towards more technology—and all of a sudden, it’s a sprint.”
The move away from ID.me was just as quick—at least on paper. And it has left many taxpayers with questions about what comes next.
For its part, the IRS has said, in a statement, that the transition away from the system “will occur over the coming weeks in order to prevent larger disruptions to taxpayers during filing season.” The IRS promised to “quickly develop and bring online an additional authentication process that does not involve facial recognition” as well as “continue to work with its cross-government partners to develop authentication methods that protect taxpayer data and ensure broad access to online tools.”
Let me tell you what it sounds like to me: a mouse in a trash can.
The IRS has managed to isolate the problem and is taking steps to make it feel like it’s taken care of—for now. But there’s still a mouse in a trash can. And it can’t stay in the room forever.
Those concerns that triggered the complaint—data integrity, privacy, and accessibility—haven’t gone anywhere. They’re just under cover.
Millions of taxpayers have likely registered with ID.me. The company puts the total number of users at 70 million, but it’s not clear how many of those users are tied to the IRS versus other state and government agencies and name-brand retailers.
Neither the IRS nor ID.me has provided details about what might happen to the data, including biometric data—those selfies—that has been collected as part of the initial program. Days before the IRS canceled the program, a group of Republican senators sent a letter to IRS Commissioner Charles Rettig demanding that very information, noting that the registration process collected “a trove of personal information” that, in addition to a selfie, could include government-issued photo IDs, utility and phone bills, and other personally identifying information.
Leaving that data in the hands of a private contractor no longer affiliated with the IRS isn’t the answer. The senators worry that the amount of personal data involved could make ID.me “a top target for cyber-criminals, rogue employees, and espionage.”
And while it feels like handing over the data to the government would resolve some of the privacy concerns, it likely would not. The letter cited the IRS’s own data showing the agency estimated it faced 1.4 billion cyber-attacks annually.
Also a concern? The cost. Treasury signed an $86 million contract with ID.me last summer, and modified it just a few months ago. According to official data, the potential end date for the contract is June 10, 2023. With more than a year remaining, how much of that contract do taxpayers remain on the hook to pay?
There are even more concerns moving forward. While the IRS has promised to move quickly to find another solution, what that might look like is concerning. The IRS has promised a system that does not involve facial recognition, but the prior system required documentation that made authentication difficult. Taxpayers without credit cards or mortgages, including those taxpayers who live overseas, had struggled to register using the IRS’s original log-in procedures. The potential to return to that system prompted one taxpayer to tweet, “Sounds like the end of IRS accounts for overseas taxpayers.”
The challenges of building a new process that satisfies concerns about data integrity, privacy, and accessibility are not insignificant. Resources continue to be a problem: Notwithstanding the dollars, the IRS is already understaffed. The idea that they could quickly build, vet, and educate taxpayers on a suitable verification system—while not opening the mail or answering the phones—doesn’t inspire confidence.
So, that puts us back to where we were before—with the mouse in a trash can.
Figuring out those next steps isn’t always easy. In my case, I called my husband, who, I happened to know, was not as mouse-phobic as I am. He also couldn’t offer a simple rodent rescue solution from 3,000 miles away. Left to my own devices, I knew I couldn’t let the mouse out of the trash can because then it would be in the room. And I couldn’t kill it myself because … I just couldn’t. And we didn’t have a pest service (we have one now, clearly).
So I did the best thing I could think of: I put the smaller trash can in a bigger trash can, and I threw the whole thing out. Sometimes, you have to take a big step just so that you can move forward.
The IRS can’t just leave the mouse in the trash can.
This is a weekly column from Kelly Phillips Erb, the Taxgirl. Erb offers commentary on the latest in tax news, tax law, and tax policy. Look for Erb’s column every week from Bloomberg Tax and follow her on Twitter at @taxgirl.