Patent Security or Privacy Nightmare? USPTO's ID.me Gamble Unveiled

The USPTO's decision to hitch its wagon to ID.me for identity verification is more than just a tech upgrade. It's a high-stakes bet with our privacy on the table. We’re not discussing the privation of Pokémon Go patents — we’re discussing patents, the lifeblood of innovation, now gated by a private company that requires your face. Is this progress, or a Faustian bargain?

Security Theater Masquerading as Progress?

Let's be clear: I get the need for security. What the Patent Center does need is some level of protection from bad actors looking to game the system. The USPTO is celebrating ID.me, calling it a bulwark against fraud, a digital bouncer guarding the velvet rope. But at what cost?

ID.me depends far too much on facial recognition identification, one of the currently most used technologies that is still rife with bias and inaccuracies. You're handing over sensitive biometric data not to a government agency directly accountable to you, but to a private company. A company that has already come under fire for its track record with data privacy. Though they tout NIST IAL2 compliance level, that’s a baseline, not a standard, on security and privacy best practices.

Think about it: DeFi, or decentralized finance, faces similar identity challenges. Second, how do you prove a user's identity without a central authority? The solution isn’t to throw up our hands and blindly trust one private vendor to control all the keys. Instead, the crypto space is exploring decentralized identity solutions, leveraging blockchain and zero-knowledge proofs to minimize data exposure. Why is the USPTO not learning from this innovation, rather than doubling down on a centralized, biometric-laden approach?

Cost Savings or Future Debt?

The USPTO, like many other federal government agencies, is facing increased pressure to reduce expenditures and innovate. Outsourcing to ID.me must’ve seemed like a painless fix. It took the pressure of identity verification off the team and let them focus more on their core duties. Are we actually saving money, or just shoving it down the road?

What if ID.me has a huge data breach? Who foots the bill for the fallout? The USPTO? Taxpayers? What of the expensive long-term impacts of vendor lock-in? Once you’re dependent on one provider, they hold all the cards. They can raise prices, alter their terms of service, and you’re out of luck. It’s a lot like when cloud computing first started penetrating the market. As soon as they did, firms realized that they had just replaced a capital expenditure with an operational expenditure—one that can balloon unexpectedly.

The dollars saved today would be more than offset by higher costs in the future. We require much more transparency about the financial terms of this elaborate deal. How much is the USPTO paying ID.me? What are the penalties for data breaches? What are the exit clauses? Without this information, we're flying blind.

Whose Data Is It, Anyway?

This is where things get really dicey. You, as an inventor, entrepreneur, or patent attorney, are essentially forced to surrender your biometric data to ID.me to access the Patent Center. There's no meaningful alternative. Login.gov, a government-run option, isn't offered. You're left with a single choice: comply or be locked out.

This inquiry hints at deeper and more fundamental questions about ownership and control of data. Who owns your faceprint? Who decides how it's used? What happens to it if ID.me files for bankruptcy or is bought out by another company? How the USPTO should develop its data governance policies. These users must have true agency over their own data!

It’s time for us to start expecting more from our government agencies. The interests of security and efficiency cannot be allowed to trump our basic human rights. The USPTO must look to open source frameworks, between their user base and third-party developers, and with users’ control over their own data. If not, this ID.me wager may become a privacy disaster we’ll all wish they hadn’t banked on.

While moving toward externalized identity proofing is a step in the right direction, that doesn’t mean we should just go with the flow. In order for any of this to work, we need to demand hard questions and hold our government accountable. The future of innovation, and our privacy, hangs in the balance. It is time to be very concerned.