The US government should not require biometric data and a SSN to make freedom of information requests!

Screenshot of the log-in Fedscoop reporters encountered when interacting with the new Treasury FOIA system that requires ID.me to access records.

Hello from Washington! Alex Howard here, with another civic text. I'm sorry for being out of pocket for a bit; I will establish a more regular publishing schedule over the course of the summer and keep experimenting with format.

Today, I want to meditate a little on when it's OK for a government agency to ask for your identity, and in what context. "Papers please" can be pretty chilling in an authoritarian nation, or what you expect at customs upon re-entering a democracy.

On the extreme end of banality, there's filing your taxes or accessing your health data. In those circumstances, agencies and hospitals need to make absolutely sure that you're YOU, to prevent fraud. The IRS did that …poorly a decade ago, when they first made it possible for us to request our tax transcripts online. Afterwards, "knowledge-based access" based on public facts didn't look so great. Multi-factor authentication, in! More recently, folks filed fraudulent claims for unemployment benefits, driving adoption of more secure digital authentication methods like the one offered by ID.me and Login.gov. More on those in a second.

On the other end of the spectrum, there's accessing public information and services that do not require us to identify ourselves at all. Say, weather forecasts. Or the location of vaccine centers. In some cases, there should be no friction nor barriers to accessing such information posed by requiring special software, devices, payment of fees, or declaring who you are.

In between, there's everything else, from reserving campsites at state parks to filing a 311 service request to booking an appointment with a healthcare navigator.

In May, a reporter reached out with a novel inquiry. They'd noticed that the Internal Revenue Service quietly began requiring people who want to submit a Freedom of Information Act request to sign into ID.me to use the agency's Public Access Link (aka the IRS' FOIA website) to submit a FOIA or access records disclosed under it.

Since I'm endlessly curious about how our rights to access information are being upheld online by government agencies, I went and checked the IRS' "public access portal" for FOIA and determined that, yes indeedly, the IRS "now uses a sign on system that requires identity verification."

Specifically, if you'd created a FOIA account with the IRS system prior to June 26, 2023, you'd "need to register or sign in through ID.me" to use it.

When asked about it, the IRS defended its decision to use ID.me to verify identity to make FOIA requests online. “The sole purpose of ID.me is to act as a Credential Service Provider that authenticates a user interested in using the IRS FOIA Portal to submit a FOIA request and receive responsive documents,” a spokesperson for the agency told Fedscoop. “The data collected by ID.me has nothing to do with the processing of a FOIA request.”

The thing is, ID.me isn't just another username/password service with a CAPTCHA. The service requires people to upload a picture of a government ID and then either take a selfie and use facial verification to compare their face to that ID – or verify identity on a video call.

What really shocked me is that this verification system asked them to share their Social Security numbers!

The system also appears to prompt users to share their Social Security number and includes terms of service that discuss the handling of biometric data. Two FedScoop reporters tried registering with the system: one had their expired identification rejected and had to attempt again with a passport, while the other’s driver’s license could not be “read” the first time but was accepted during a second attempt in combination with the video selfie. Both FedScoop reporters later received a letter, by mail, notifying them that their personal information was used to access an IRS service using ID.me.

To take a step back, there's nothing in the Freedom of Information Act that allows agencies to require identification, much less to collect biometric data, require the upload of a government ID, or require a Social Security number. The Department of Justice FOIA FAQ advises agencies that "a FOIA request generally need not contain a verification of identity for access to publicly available records."

There is one singular exception: If you're seeking records about yourself or other individuals under the Privacy Act, you have to prove you're you – or obtain a waiver from that person of interest. For first-party requests, the IRS' improved authentication makes sense – but that's not how the agency defended the decision to a media inquiry.

The IRS spokesperson claimed to Fedscoop that collecting a Social Security number was part of authentication and that biometric data is kept by the IRS, but that distinction is only material to whether the agency is collecting that personally identifiable information from requestors, not the fact that these requirements have been imposed to use their system.

As I told the Fedscoop reporter, imposing such a system for FOIA flies in the face of both principle and policy.

The IRS “FOIA Public Access Portal allows requesters to electronically submit a FOIA request(s), check the status of submitted request(s), and securely send and receive messages to and from the agency” – a fine thing! – but requesters must be able to electronically submit a request through foia.gov by law. (In this case, by a reform to FOIA which I happened to work on directly in 2016 and helped get through Congress and signed into law while I was at the Sunlight Foundation.)

While modernizing authentication systems for online portals is not inherently problematic as a general matter, adding such a verification layer to exercising our right to request records under the FOIA is overreach at best and a violation of our fundamental human right to access information at worst if applied across the board.

Every agency can choose to procure its own case management system, which means they can institute username/password systems for persistent accounts in dozens of Public Access Link (PAL) portals for FOIA that now exist across federal government agencies, but agencies should not force requesters to use these systems to make requests or correspond with FOIA officials, much less require verifying an identity with biometric data to file a FOIA or access records.

Since the IRS told Fedscoop that the FOIA portals for the Treasury Department and Social Security Administration are also now using ID.me, there's now a serious problem with the administration of the FOIA that the Justice Department needs to address.

There is no requirement that agencies must verify the identity of a requestor for them to make a FOIA request using that service – as we would to use the new direct file service or to access a tax transcript – but the current IRS website suggests using fax or that portal that requires ID.me, with no mention of our right to use FOIA.gov instead.

The White House, Office of Information Policy, and Office of Government Information Services at the National Archives should all publicly clarify as soon as possible that agencies cannot require requestors to use ID.me or any third-party authentication service to make a request, to check its status, nor to access records disclosed under the FOIA – unless they're making a first-party request.

This should be part of a larger national discussion about how FOIA is being implemented across the federal government, coupled with a reminder to ALL agencies that requesters must be able to use FOIA.gov as an alternative to PAL portals, fax, or snail mail, with a prominent notice of the same at agency.gov/foia.

Both the General Accountability Office and Congress should be conducting far more vigorous oversight of the state of FOIA, given this issue – and the emerging scandal at NIH – with an eye towards generating a body of evidence that would drive reforms.

Videos celebrating Sunshine Week at the Oversight Committee were a welcome display of support, but they don't make up for the lack of a hearing or years of compounding neglect that have left our nation's preeminent open government law and compliance with its aspirational goals in a sorry state.

If you tune in to the next public meeting of the U.S. Freedom of Information Act Advisory Committee this Thursday morning, you'll hear me say something about all of that, as part of consideration of our final report.

As always, feel free to reach out to alex@governing.digital if you have thoughts or concerns about anything I've written.

This newsletter was cross-posted to E-PluribusUnum.org, to ensure maximum public awareness and access.
