chevron-down Created with Sketch Beta.

Voice of Experience

Voice of Experience Archives

Hello, It’s Me (But Am I “Me”?)

Summary

  • Online identity verification through tools such as ID.me has become increasingly more common for accessing government benefits (e.g., Medicare, SS, VA, and unemployment).
  • The United States Patent and Trademark Office also requires identity verification.
  • The potential risks associated with relying on such platforms is that they can get it wrong and there are privacy isues.
  • There's a need to ensure identity verification systems work reliably and securely in a post-pandemic world where online interactions have become prevalent.
Hello, It’s Me (But Am I “Me”?)
istockphoto.com/shapecharge

Jump to:

I think most of us don’t worry about our personal and professional identities from day to day. 

Until recently, I certainly didn’t.

In the words of Rock and Roll Hall of Famer (https://www.rockhall.com/inductees/todd-rundgren-0) and iconoclast Todd Rundgren’s classic song of my youth (https://www.youtube.com/watch?v=lLeCB7Kn-VE), “I take for granted that you’re always there.”

But I recently had to struggle to prove that I am, in fact, “me” – for stakes were much higher than a catchy melody.

I recently had to prove my identity, to an automated government website, to be able to continue to do a key aspect of legal work I have handled for many years.

And I was not alone. 

For example, and perhaps most egregiously, one colleague on this publication recently described that Medicare told him he does not exist. 

I don’t even want to think about the philosophical implications of a conversation in which a computer tells a human being that he does not exist – especially concerning critical medical insurance benefits.

That nightmare takes the Turing Test (https://en.wikipedia.org/wiki/Turing_test) to a new threat level.

Just as absurdly, critical safety net benefits may now depend on convincing a website of the authenticity of your identity.

Do we as a society want such inhumanity?

Although my challenge did not pose a risk to my health, it could have affected my livelihood.

Let me explain my own struggles, as a caution for those whose public benefits, and perhaps even their life, may also depend on running the same e-gauntlet.

My own angst arose because the United States Patent and Trademark Office recently required practitioners to verify their identity through the ID.me website. https://www.uspto.gov/trademarks/apply/identity-verification

ID.me (https://en.wikipedia.org/wiki/ID.me) is “an American online identity network company that allows people to prove their legal identity online.” 

Relying upon the site’s claimed accuracy, “numerous state unemployment agencies (used it) to verify the identities of claimants … during the US COVID-19 recession.” 

However, “ID.me's verification process in several states resulted in lengthy delays that prevented large numbers of legitimately unemployed individuals from accessing their benefits.”

This change mirrored the nationwide adoption of REAL ID requirements for air travel and access to federal buildings, to improve security by combatting identity fraud.  https://www.dhs.gov/real-id/news/2021/04/27/dhs-announces-extension-real-id-full-enforcement-deadline; https://www.dhs.gov/real-id/news/2021/04/27/dhs-announces-extension-real-id-full-enforcement-deadline

(Ironically, ID.me’s “.me” domain name provides a counterpoint to the challenge I faced in real life, proving that I am “me”.)

Although my problem was not life threatening, it left me just as frustrated.

Notwithstanding the Pandemic, “identity verification” is not a new concept.  A federal agency had released “technical requirements for federal agencies implementing digital identity service” in 2017.  (https://pages.nist.gov/800-63-3/sp800-63-3.html)

On the one hand, I understand the USPTO’s reasons for focusing on the integrity of access to Intellectual Property (IP) rights, and who can modify them. 

As a business law attorney, I have for many years counseled clients on the importance of protecting their IP portfolio, just as they guard their tangible assets.

On the other hand, online assets, such as trademarks and domain names, have become increasingly valuable – so making it more difficult to manage them online could interfere with my work.

This has become even more important in recent years, as IP rights can be essential to winning domain name disputes – making unauthorized interference all the more attractive to scammers.  https://www.icann.org/resources/pages/help/dndr/udrp-enhttps://www.icann.org/resources/pages/policy-2012-02-25-en; https://www.americanbar.org/groups/business_law/safeselling/domains/

As a result, a registered trademark has now become critical to battling online infringement (or defending against spurious claims).

For that reason, the USPTO chose to try to protect the integrity of the trademark registration process, through “identity verification”:

Identity verification helps us deter bad actors who make fraudulent trademark filings and scam our customers. It’s part of our ongoing initiative to strengthen the security of our trademark filing process and protect the integrity of the U.S. trademark register. … Identity verification … ensur(es) that account holders are who they say they are ... and prevent(s) unauthorized changes. (Emphasis added.) https://www.uspto.gov/trademarks/apply/identity-verification

The IRS explained its reliance on ID.me in almost identical terms:

The IRS’ ability to offer an array of online services to Americans is contingent upon the agency’s ability to feel confident the people logging on to its online services are who they claim to be.  (Emphasis added.)  https://fcw.com/digital-government/2022/05/irs-leader-explains-why-irs-went-idme/366516/

ID.me itself describes its role in much the same way:

We provide secure digital identity verification to help government agencies make sure you're you – and not someone pretending to be you – when you request access to government services online.  https://www.id.me/individuals/government

ID.me verifies identity through biometric matching of an uploaded selfie photo to a form of trusted ID, such as a driver’s license.  https://www.id.me/business/online-identity-proofing

When I first saw the USPTO’s identity verification requirement, in late 2021, I put it on my “to do” list, for when I had time to take care of it, later.

And why not?  I saw no reason to be concerned.

I have practiced law and been admitted in two states since 1985, and registered over 60 trademarks.  With that background, I did not anticipate problems.

Yet when I tried to verify my identity, I failed – several times (despite hours of effort).

I don’t know if my inability to verify my identity was because I wear glasses, or because of the quality of my phone camera (or the lack thereof).

I was eventually able to verify my identity – after investing many hours in preparation for a short online video conference.  I solved the problem by displaying my passport and another form of identification to a human referee.

(I admit that I retreated to my comfort zone for the video conference – a desktop with a webcam, rather than my phone.)

Coincidentally, but providentially, the 3G phaseout (https://www.fcc.gov/consumers/guides/plan-ahead-phase-out-3g-cellular-networks-and-service) also forced me to upgrade my flip phone, after my initial unsuccessful effort.  My new smartphone proved critical, as I unexpectedly had to photograph and upload documents the referee requested during the conference. 

Fortunately, I had both the technical resources and legal documentation to satisfy ID.me – as I suspect most lawyers who must file with the USPTO do have. 

My children and assistant – all smart phone natives – would have been proud had they seen my ability to adjust on the fly, to provide what the referee requested by using the smartphone, rather than my desktop camera.

But what about non-lawyers, who desperately need safety net benefits from agencies which require ID.me? 

Not everyone may have the resources I had to satisfy ID.me’s technology prerequisites (or the patience to persist in the effort).

Even though I am an experienced lawyer (and have written professionally about technology), I experienced significant frustration and anxiety at the risk being unable to continue do a key competency of my practice.

(I never imagined in law school that camera skills on a smart phone adopted 16 years after my graduation would become essential to my practice.) 

Equity concerns about ID.me have also become critical.

The IRS, Social Security, the VA, and state agencies (particularly for unemployment insurance) have all required ID.me verification. https://www.id.me/governmenthttps://help.id.me/hc/en-us/categories/360004475354-Verifying-My-Identity-for-Unemployment-Insurancehttps://help.id.me/hc/en-us/articles/4402754222615-IRS-What-does-ID-me-do-for-the-IRS-https://help.id.me/hc/en-us/articles/360053556894https://help.id.me/hc/en-us/categories/360004475354-Verifying-My-Identity-for-Unemployment-Insurance

According to one biometric industry site, “The company rose to prominence during the pandemic, when it provided identity verification services for US states looking to clamp down on unemployment fraud.”  https://findbiometrics.com/id-me-fires-half-fraud-review-team-050603/

Apart from these systemic concerns, large bureaucracies’ increasing reliance on mandatory disclosure of personally identifiable information also creates grave privacy concerns about their ability to safeguard the most personal of “personally identifiable information.”  https://www.wsj.com/articles/getting-irs-records-from-id-me-means-giving-up-privacy-11651189687?st=tmp8dfa1b3nhbu4&reflink=desktopwebshare_permalink

In fact, the IRS quickly backed down from requiring ID.me for continued access to its secure website, because of the perceived privacy risks.  https://www.wsj.com/articles/irs-backs-away-from-facial-recognition-to-verify-taxpayers-identities-11644264843?st=zh4wrvw50aoa7s2&reflink=desktopwebshare_permalink

One leading online privacy advocate has also questioned the IRS’ apparent inattention to ID.me’s privacy risks. https://krebsonsecurity.com/2022/01/irs-will-soon-require-selfies-for-online-access/

More recently, several members of Congress have formally begun to investigate ID.me’s privacy promises.  https://krebsonsecurity.com/2022/05/senators-urge-ftc-to-probe-id-me-over-selfie-data/https://findbiometrics.com/congress-opens-formal-investigation-into-id-mes-irs-project-041801/https://www.cnn.com/2022/04/14/tech/idme-facial-recognition-house-lawmakers/index.html

To be fair, ID.me does clearly post its privacy (https://www.id.me/privacy) and biometrics (https://www.id.me/biometric) policies.  It also mentions its reliance on secure, patented, third-party “online credential authentication”.  https://www.id.me/about

Do you ever read such policies?  Me neither.

Moreover, ID.me’s “marketing platform” offers and “Cash Back Loyalty Program” also seem inconsistent with its trusted verification role.  https://insights.id.me/viewpoint/a-beginners-guide-to-the-id-me-marketing-platform/

Despite these concerns, ID.me appears here to stay. 

In our post-Pandemic world, online interactions have replaced “face to face” appointments – making it critical that you are comfortable sharing information with the correct, actual person with whom you intend to do so. 

Security has become everyone’s concern, not just that of lawyers, or IT departments. 

If we all have to use ID.me, I just hope that it actually works as intended.

But I remain concerned.  As Rundgren’s song bemoans, “Maybe I think too much, but something’s wrong.”