USPTO Relies on ID.me for Identity Verification, Raising Privacy Questions

The United States Patent and Trademark Office (USPTO) recently adopted ID.me. This Virginia-based company needs no introduction, as you already know about its identity verification services based on face biometrics. This recent decision to require ID.me as the means of identity verification for patent attorneys, agents and inventors has created a robust discussion. National and local privacy advocates have long warned about the dangers of biometric data and the lack of federal oversight in the emerging field. ID.me already has contracts with a dozen federal agencies—including the IRS, Veterans Affairs, and Social Security Administration—right now. These partnerships highlight its growing presence in the digital identity verification space.

The USPTO first piloted ID.me for access to its trademark register in 2021 and has expanded its use since. The system usually forces its users to first provide government-issued identification and then be verified biometrically through facial recognition. In additional cases, the process has even included live video interviews to finalize the credentialing process.

ID.me's Technology and Implementation

ID.me’s functionally replaceable system would force users to hand over government-funded IDs. It includes biometric identity verification using facial recognition and, in some cases, performs live video interviews. This multi-step process is designed to keep your information very secure and to make sure that no one has access to any sensitive information. The company insists that its systems meet all current federal privacy and cybersecurity standards.

Despite these assurances, concerns have been raised about the extent to which ID.me uses one-to-many (1:N) facial matching in its government deployments. These reports point out that ID.me may have misrepresented what it meant by using facial recognition technology. This technology matches a user’s photo against a huge database of photos, which raises serious privacy issues. This technology is distinct from one-to-one matching, in which a new face is compared against one enrolled face.

The decision by the USPTO to partner with ID.me raises questions about the balance between security and privacy in the digital age. Biometric technology is expected to be ubiquitous soon. We need to avoid the risks it poses and ensure robust safeguards are in place to protect millions of people’s rights.

Privacy Concerns and Regulatory Gaps

Unlike Login.gov, which is administered by the General Services Administration, ID.me is a private company. This distinction has based advocates’ fears about the absence of any federal regulation and oversight of the use of face biometrics. Critics argue that the absence of clear guidelines and standards could lead to potential misuse of data and privacy violations.

Another issue has been ID.me’s opaque retention policies on biometric data. Consumers are understandably concerned about when their data is being breached and how sensitive biometric data could be misused. Without strong regulations, we cannot effectively safeguard people’s privacy rights. The risks created by facial recognition technology are novel and distinctive. It also creates a dangerous pathway to mass surveillance and discriminatory practices.

These issues are further compounded given that hundreds of government agencies are using ID.me’s technology. This prevalent adoption raises the likelihood and scale of any resulting privacy violations or data misappropriation. Now, policymakers need to act to address this injustice. They must set explicit terms and conditions on the use of biometric data when it is used by private enterprises for government contracts.

USPTO's Choice and Future Implications

Yet the USPTO has selected ID.me instead of Login.gov for its digital ID pilot. This decision reflects the ongoing wave of state and federal government agencies outsourcing identity verification requirements to private companies. This collaborative approach not only improves products and outcomes, but it enhances efficiency and innovation. It also poses important questions about accountability and transparency.

As more government agencies adopt biometric-based identity verification systems, it is essential to carefully consider the potential risks and benefits. Policymakers need to find a suitable equilibrium between improving security and privacy protection for individuals. We’re going to come up with some pretty clear rules. It’s time to require clear disclosure of biometric data collection and retention practices, along with real consumer transparency and control over one’s biometrics.

This is part of a larger trend of increasing privatization in identity verification. This unprecedented change underscores the immediate need for public information and education about biometric technology and its impact. Individuals should be informed about how their data is being used, how it is being protected, and what rights they have.