Why Giving Away Your Personal Data to ID.me and Other Data Aggregators is So Dangerous

From their unusual funding sources to their odd Terms & Conditions and their vague policies around retention of biometric and other information, your best bet is to avoid this company and others.

By Jay R. Taylor

Who Are They and Why Is It Extremely Difficult to Avoid the Clutches of These Data Monsters?

This is the second in a series of three articles about Americans giving up their personal and biometric information to function in society, and what I’ve learned in my research about the organizations doing this dirty work.

In the first article (link), I discussed how I felt the IRS tricked me into giving my personal information to a third-party company called ID.me. I explained how the consolidation of so much information in one spot makes them a target for hackers, and therefore dangerous to individual privacy.

This article will be about one of the largest digital identity companies and their key competitors, including the company that snagged me – namely, ID.me. I intend to answer the following questions:

• What is ID.me? Who runs it?
• What do their Terms & Conditions allow them to do with my data?
• Who is financing them?
• Why should you be concerned?
• Who else is doing this to us?

The Growth of ID.me and Its Funding Sources Including Foreign Influences

Originally founded in 2013 as a re-branding of a company called Troop ID, the ID.me company has since raised substantial capital through various funding rounds to fuel its growth. The company attracted significant investment from venture capital firms, many of which have global reach and diversified portfolios. The nature of venture capital funding often means that ownership stakes and influence may originate outside the United States.

In the case of ID.me, they have major investors from Australia, which is now becoming a center of globalist policy and killer of civil rights. The Australian government regularly talks about putting people in jail for speaking out about vaccine injury. Other investors in ID.me are from Abu Dhabi (UAE), a country that continues to restrict freedom of expression, human rights, and the right of peaceful assembly. And then investors from Japan including Fortress Investment Group LLC got their fingers into ID.me, after receiving massive funding from such globalist corrupt-o-crats as Goldman Sachs and Lehman Brothers underwriting the IPO. These countries and companies have no business owning a U.S. company that collects so much personal and biometric information about our citizenry and military.

Key Investors and Potential Foreign Influence

While ID.me’s core operations are based in the United States, its funding sources reflect a mix of domestic and international investments. Here are some key investors and potential areas of concern regarding foreign influence:

1. Venture Capital Funding:

• U.S.-Based Investors: ID.me has received significant investment from U.S.-based venture capital firms such as FTV Capital, a growth equity firm that has invested heavily in financial services and technology companies. Another notable investor is Tiger Global Management, a New York-based investment firm known for its global reach.
• International Investors: While ID.me’s funding primarily comes from U.S. sources, venture capital firms often have limited partners (LPs) and backers from various countries. This means that, indirectly, foreign capital could be part of the investment pool supporting ID.me. However, specific details about the international entities involved in ID.me’s funding are not always disclosed, which can contribute to concerns about foreign influence.

2. Private Equity Firms:

• Private equity firms that have invested in ID.me may also have global connections. For example, certain private equity firms have partnerships or financial backing from sovereign wealth funds, some of which are based in countries with varying levels of transparency and regulatory oversight. This can raise questions about the ultimate sources of capital and the potential for foreign influence over strategic decisions at ID.me.

3. Cross-Border Investments:

• In addition to venture capital and private equity, ID.me may have attracted investment from international markets through secondary offerings or through investors with diversified global portfolios. The globalization of capital markets means that even companies that appear to be U.S.-centric can have complex ownership structures that include foreign entities.

Concerns About Foreign Influence and National Security

The involvement of foreign capital in companies like ID.me raises several concerns:

1. Data Security and Privacy:

• The Issue: ID.me handles highly sensitive data, including biometric information, social security numbers, and personal identification details of millions of U.S. citizens including military. If foreign entities have ownership stakes or significant influence, there is a concern that this data could be vulnerable to exploitation or misuse.
• The Risk: Countries with less stringent data protection laws or those with adversarial relationships with the United States could potentially gain access to sensitive information if they have influence over the operations of a company like ID.me.

2. Influence Over Strategic Decisions:

• The Issue: Investors typically have a say in the strategic direction of a company, including decisions related to technology, data management, and security protocols. If foreign investors have significant stakes, they could influence decisions that impact the security and privacy of the data managed by ID.me.
• The Risk: This influence could lead to decisions prioritizing financial returns over national security considerations, potentially putting U.S. citizens’ data at risk.

3. Regulatory and Compliance Concerns:

• The Issue: The involvement of foreign capital can complicate compliance with U.S. regulations, particularly data protection, cybersecurity, and national security. Foreign investors may not always be aligned with U.S. regulatory requirements or may seek to influence regulatory frameworks in ways that benefit their interests.
• The Risk: Non-compliance with U.S. regulations or introducing policies that weaken data protection standards could severely affect individual privacy and national security.

Concerns About ID.me Terms of Service, Privacy Policy, and Handling of Biometrics

In a nutshell, ID.me, like other digital identity providers, has specific policies regarding the retention and deletion of user data. While they aim to delete user data upon request, certain information may be retained for a business reason or legally required period. Users need to understand these policies and their reasons, especially when using a service that manages sensitive personal information. Transparency from ID.me regarding their data retention practices is crucial to maintaining trust with their users.

In this regard, here is critical information you need to know:

Terms of Service:

• Page 3, Service Definition, states that “you are being bound to the Google Terms of Service and Google Privacy Policy.” How can ID.me bind me to another company’s policy? Why do they need to do that?
• While it also says that “ID.me’s Credential Policy gives further details of how we accomplish our identity proofing,” I could not find a Credential Policy on their website! So I have no idea what this is about.
• They use “special technologies” to validate your documents including from third parties, and authoritative sources such as credit bureaus and the department of motor vehicles. Pretty intrusive stuff.
• Page 4: You must authorize your wireless carrier to use and disclose information about your account and wireless device. More intrusive data gathering that is not needed to identify you.
• You agree not to collect information about ID.me, their website, or users without ID.me’s written consent, and agree not to use, access, copy, or acquire information or monitor their website. What are they afraid of? Isn’t this publicly posted information?
• Page 6: All information you provide to ID.me shall be considered “non-confidential” and becomes ID.me property, and you assigned any copyrights or interests to them. So my most sensitive, personal information is not confidential? Is this to avoid liability on their part?
• Page 7: The Limitation of Liability section says that, to the extent allowed by law, in no event should ID.me’s liability to you exceed $1,000 for any reason. So if their release of my private information causes me severe financial harm, ID.me is essentially off the hook.
• Page 9: You must engage in Mandatory Arbitration and waive Class Action disputes. You will not get your day in court if something bad happens.

Privacy Policy:

• Page 3: Their Information Collected Automatically section says they may collect information associated with your network devices, computer and mobile device information, geolocation, IP address, and use of “other technologies.” They may also collect information about you from service providers, public databases, marketing companies, data licensors or aggregators, and programming distributors. That is an incredible bunch of information to collect and keep.
• The Information You Provide Through Social Media section alerts you that they may collect information those platforms may provide. Be careful what you post; it will be used against you.
• Page 4: They may use your personal and biometric information for reporting to their public sector customers, such as a state or federal agency, for identity verification or undefined “administrative purposes”. Also, your information may be used for marketing purposes. What are “administrative purposes?” Basically, they will use your information in any way they please.
• Page 5: In Who We Share Your Information With and Why section, they may provide your personal information to third parties including telecommunications networks, financial institutions, or other trusted sources to verify your identity. So what you tell them, or what they collect from all other sources, can be shared without you ever knowing. Will you be denied credit in the future or experience other negative ramifications from this data sharing? You may never know why.
• Page 6: They may disclose your information in connection with a corporate transaction such as ID.me seeking financing, purchasing, selling, leasing, merging or other activity involving their business. Wow. Any potential buyer of the company or purchaser of their services can get your data.
• They may also share your data to unaffiliated persons or companies that provide them with services, advice, customer support, web hosting, information technology, mail, analytics and other services. Again, anyone can have your information.
• Closing your ID.me account may involving asking them to deactivate your identify credentials and purge your information, but they will keep your account history and verification history records including vaccine history for up to three years.
• Page 7: To request deletion of a selfie image and biometric information, you must submit a written request through their Privacy Rights Center. Further, information in your account that you requested to be updated or removed may still be retained at the request of certain providers and “for internal use” in fraud prevention.
• Page 8: Even if you close your account, your information may be retained as long as needed or permitted, based on the reason why they obtained it. So they may retain the information up to three years after account closure under some unstated circumstances.
• Page 10: Health information about you may be collected from Rx Plan Administrators, and your pharmaceutical purchases using that service. Are you taking heart medication?

Consent to Collect Biometrics:

• Once consent is given for ID.me’s collection of information, it may not be revoked.
• Biometric information may also include fingerprints, voiceprints, scans of a hand, facial geometry recognition, selfie fascial photographs, and iris and retina recognition which may be shared with providers or others who provide request services.
• Their information storage systems are not guaranteed to be 100% secure.

ID.me Competitors and Certain Troubling Incidents That Occurred Around Protecting Consumer Data

Here are five U.S. companies similar to ID.me that provide digital identity services:

Okta, Inc.

• Overview: Okta is a leading provider of enterprise identity and access management (IAM) solutions. It offers a platform that helps organizations manage and secure user identities across various applications and devices.
• Key Services: Single sign-on (SSO), multi-factor authentication (MFA), user provisioning, and adaptive access controls.

Incident: Okta experienced a significant security incident in January 2022 when the hacking group Lapsus$ gained access to Okta’s systems by compromising a third-party customer support engineer’s laptop from one of Okta’s contractors, Sitel.

Details:

• News Coverage: The breach was widely reported in March 2022, with outlets like TechCrunch and The Verge covering the incident. Okta initially downplayed the breach, stating that it was contained to a small number of customers. However, further investigation revealed that the breach might have affected more customers than initially thought.
• Impact: The breach raised concerns about the security of third-party contractors and the potential risks they pose to enterprise identity providers like Okta. It also highlighted the importance of securing supply chains and third-party vendors.

Auth0 (acquired by Okta)

• Overview: Auth0, now part of Okta, provides a highly customizable identity management platform for developers. It enables secure login for applications and APIs, focusing on ease of integration.
• Key Services: Authentication, authorization, SSO, MFA, and identity federation.

Incident: Before its acquisition by Okta, Auth0 was reported to have experienced security vulnerabilities, though there is no widely reported breach directly involving Auth0.

Details:

• News Coverage: In 2017, Threatpost reported a security vulnerability discovered in Auth0’s platform that could have allowed attackers to bypass authentication mechanisms. The vulnerability was quickly patched by Auth0, and no known breaches were reported as a result of this issue.
• Impact: The incident underscored the importance of regular security audits and quickly patching vulnerabilities to prevent potential breaches.

Ping Identity

• Overview: Ping Identity offers identity security solutions that allow organizations to secure access to their applications, regardless of where they are hosted—on-premises, in the cloud, or in hybrid environments.
• Key Services: SSO, MFA, API security, and identity governance.

Incident: Ping Identity has not been involved in any widely reported data breaches. However, as a provider of identity and access management services, the company remains a target for potential cyberattacks, given the sensitive nature of its data.

Details:

• News Coverage: While no significant breaches have been reported, Ping Identity has been mentioned in various cybersecurity discussions, emphasizing the need for robust IAM solutions to protect against the growing threat of cyberattacks.
• Impact: The absence of known breaches suggests that Ping Identity has maintained strong security measures, but the industry’s potential for future incidents remains a concern.

Duo Security (owned by Cisco)

• Overview: Duo Security, a subsidiary of Cisco, provides multi-factor authentication and secure access solutions that protect organizations from security breaches and unauthorized access.
• Key Services: MFA, secure single sign-on, device trust, and adaptive authentication.

Details:

• News Coverage: Duo Security has been recognized for its strong security posture and effective multi-factor authentication solutions. However, in 2020, Cisco was targeted by a major ransomware attack (Maze ransomware), which raised concerns about the security of its subsidiaries, including Duo Security.
• Impact: While Duo Security was not directly affected by the ransomware attack, the incident highlighted the risks that even well-secured companies face in an interconnected digital landscape.
• Incident: There are no widely reported data breaches specifically involving Duo Security. However, Cisco, the parent company of Duo Security, has faced several security challenges over the years.

Civic Technologies, Inc.

• Overview: Civic offers decentralized identity verification solutions that give individuals control over their personal information. Civic’s platform enables businesses and users to verify their identities securely and privately.
• Key Services: Identity verification, biometric authentication, and decentralized identity management.

Incident: Civic has not been involved in any significant data breaches. However, like other digital identity companies, Civic is often scrutinized for the security of its decentralized identity verification platform.

Details:

• News Coverage: The media has covered Civic for its innovative approach to digital identity verification using blockchain technology. The company’s emphasis on decentralized identity management has been praised for reducing the risks associated with centralized data storage.
• Impact: The lack of reported breaches suggests that Civic’s decentralized approach may offer enhanced security, but it also highlights the importance of continued vigilance in securing digital identity platforms.

Summary of Competitor Data Security Failures

These companies are key players in digital identity, providing services like ID.me that help secure user identities, manage access, and protect sensitive information across various platforms and environments. 

Okta is the most notable among the listed companies for having experienced a significant security incident. The breach involving its third-party contractor, Sitel, highlighted the vulnerabilities associated with supply chain security. This underscores the importance of continuous security improvements and the need for transparency and quick responses when vulnerabilities are discovered.

Given time, it is likely that ID.me will also become a target of hackers and will suffer a significant breach.

News Coverage of ID.me Including the Growing Concerns

1. Concerns Over Facial Recognition:

• What Happened: In 2021 and 2022, ID.me faced significant criticism and media scrutiny over its use of facial recognition technology. The company’s technology was adopted by the IRS to verify the identities of individuals accessing online services, but the requirement for facial recognition sparked privacy concerns.
• News Coverage: Media outlets like The Washington Post, CNN, and The New York Times reported on the growing concerns about using facial recognition technology by ID.me. Critics, including privacy advocates and members of Congress, raised alarms about the potential for misuse, data breaches, and the impact on marginalized communities.
• Impact: In response to the backlash, the IRS announced in February 2022 that it would transition away from using facial recognition as a mandatory requirement for identity verification with ID.me, offering users alternative verification methods.

2. Transparency and Oversight Concerns:

• What Happened: ID.me has also been scrutinized for its lack of transparency regarding how it stores, processes, and secures the vast amounts of personal data it collects. Given the sensitivity of the data involved—including biometric information, social security numbers, and other personal identifiers—there have been concerns about the potential consequences if ID.me were breached.
• News Coverage: Several news outlets, including Forbes and Wired, have published articles discussing the risks associated with centralized digital identity verification systems like ID.me. These articles often emphasize the potential for large-scale data breaches and the need for stronger oversight and transparency.
• Impact: The media coverage has increased calls for greater regulatory oversight of companies like ID.me that handle sensitive personal information. Lawmakers and privacy advocates have urged the government to establish stricter guidelines and protections to safeguard such data.

3. Concerns About User Data Security:

• What Happened: Although ID.me has not experienced a widely publicized breach, the company’s rapid expansion and increasing adoption by government agencies has led to growing concerns about data security. The possibility of a breach and the consequences of such an event have been widely discussed in the media.
• News Coverage: Articles in outlets like TechCrunch and Bloomberg have highlighted the risks associated with consolidating sensitive information in the hands of a single provider. The discussion often revolves around the potential fallout if ID.me were to suffer a breach, including the impact on millions of users whose data would be exposed.
• Impact: The ongoing coverage has contributed to a broader debate about digital identity providers’ security and privacy implications, pushing both the public and lawmakers to consider the need for stronger data protection measures.

Conclusion About ID.me’s Failures Thus Far

While ID.me has not yet been reported as having suffered a major data breach, the company remains under significant scrutiny due to its use of facial recognition technology, the amount of sensitive data it manages, and concerns about its transparency and security practices.

The potential risks associated with a breach at a company like ID.me have been a focal point of media coverage, leading to increased calls for regulatory oversight and better data protection standards. Given foreign ownership and possible control, the situation underscores the importance of ongoing vigilance and accountability for companies like ID.me that handle critical personal information. Certainly the U.S. government could find a better technology partner without including the UAE, Japan, and Australian sources.