Former Employees Say ID.me Grew Too Fast, Got Too Careless With Users And Their Data
ID.me hasn't always been a government contractor powerhouse. For more than a decade, it wasn't really on anybody's radar. The personal identification software began as a Craigslist for military personnel before morphing into an ID service designed to combat fraud and ensure military members could access the many government programs available to them.
Not exactly the humblest of beginnings (considering the number of active and retired military members the service could potentially access) but ID.me managed to stay off the public radar for most of a decade. Then, the pandemic hit.
Suddenly, there were tons of government programs accessible by those affected by the unexpected rollout of COVID v.19.0. ID.me jumped into the breach, selling dozens of states on its verification software, promising to limit benefit fraud. Unfortunately, its facial recognition tech was underwhelming. But due to its nature as the only (government) game in town, people were stuck using a system that separated people from their unemployment payments while simultaneously separating them from any useful tech support.
Some unemployment applicants have said that ID.me's facial recognition models fail to properly identify them (generally speaking, facial recognition technology is notoriously less accurate for women and people of color). And after their applications were put on hold because their identity couldn't be verified, many should-be beneficiaries have had to wait days or weeks to reach an ID.me trusted referee" who could confirm what the technology couldn't.
As people continued to struggle to access their benefits, the company's CEO, Blake Hall, continued to claim ID.me's tech support staff was tip-top while blaming users for their own negative experiences with the company.
In his statement to Motherboard, Hall said that facial recognition failures are not a problem with the technology but with the people using it to verify their identity. For example, if someone uploads a selfie that only shows half their face."
At the point that article was published, 21 states were using ID.me as their preferred ID verification provider. ID.me expanded its business quickly after that, hooking up with the IRS while using inflated claims of COVID-related fraud to drive its business.
The IRS soon decided to move away from ID.me as a sole provider for taxpayer verification following these publications and pressure applied by Senator Ron Wyden. Soon after that, reports began trickling in alleging the explosive demand for ID.me's services had apparently caught the company unprepared. The dearth of human backstops for its automated ID verification services led to more unemployment fraud - like one person wearing a bad wig availing himself of $900,000 in benefits by duping ID.me's supposedly awesome facial recognition AI.
Employees unfortunate enough to become part of ID.me's mid-pandemic, understaffed dystopia have been speaking with Business Insider's Caroline Haskins. It's definitely not pretty. Throw that many people into the mix during a period of exponential growth and bad stuff happens.
As it grew rapidly, so did errors, technical hurdles, and strain on its relatively new staff of customer service representatives, nine former ID.me employees told Insider. Helpline queues for the millions of Americans who relied on unemployment benefits in 2020 and 2021 would sometimes number in the thousands because of these strains, they said.
ID.me's rush to hire and train nearly 1,500 new workers at this time also led to lax verification practices and poor user privacy protections, these people said. Information like passports and social security numbers were often posted in internal Slack channels, and some employees were hired and given access to confidential data without completed background checks. Some chattered about how easy it would be to steal users' information.
Demands escalated for government benefit recipients during this surge as well. With access to the usual verification methods disappearing rapidly as ID.me expanded its reach, millions of Americans were stuck dealing with an understaffed government contractor that forced benefit seekers to interact with faulty facial recognition tech.
Meanwhile, back at ID.me, the crisis continued. The limited staff was unable to handle the influx of recipients experiencing problems, forcing those who needed help the most to try to get by without any of the financial assistance they were entitled to. Employees who had been on the job for only a few weeks were tasked with training new hires. Still understaffed (and definitely undertrained), employees were given mere seconds to make calls on submitted ID documents.
Document reviewers were expected to rule on a document every 20-30 seconds, video chat agents were expected to verify about 40 people a day, and email representatives were expected to send around 70 emails a day, according to the former employees. Team leads" would show workers a top-to-bottom ranking of employees based on how many accounts or documents they verified that week, sometimes every day, they said.
You can't verify actual humans in that amount of time. Placing time limits on activities that are supposed to reduce fraud only makes it more likely actual fraudsters will be able to manipulate the system. Enacting quotas tends to lead to people doing more busywork than actual work, encouraging customer service reps to solve the easy problems and ignore complaints that might be more time-consuming. And, lest this get forgotten in the rush, actual people relying on benefits to survive were at the other end of the arbitrary time limits/quotas set by the company.
Not only was ID.me failing to verify benefit recipients in a timely fashion, it was apparently incapable of verifying its own employees before handing them access to millions of Americans' personal information.
One former employee told Insider that training for the job was remote, and everyone was allowed to take company-issued laptops home with them, but after a couple days of training, ID.me told this person they had to complete training in the office because the company hadn't finished running background checks on the new hires. This shocked them.
It was disturbing to me that my background check wasn't completed and that I was allowed to take home a computer with people's information on it," the former employee said. I could have, as I was going through my training, been taking pictures of people's things. Nobody was watching me."
You can only get away with this sort of thing when your user base is locked in. And it very much was in multiple states, with access to state and federal benefits locked up behind ID.me's verification tech. While it's understandable governments will seek the assistance of private contractors to handle things like verification, making companies like ID.me the only option separates taxpayers from their benefits and leaves them at the mercy of a company that was entirely unprepared to handle the amount of business it had managed to drum up during the pandemic.
What ID.me should have done is rein in its expansion plans if it was incapable of handling increased demand. And more government agencies should have ensured the company was capable of handling millions of concurrent users before spending taxpayers' money on services that left taxpayers high and dry.