EDD Identity Firm Slapped by Congress

The Employment Development Department’s identity verification contractor, ID.me, came under withering Congressional fire late last week for providing allegedly misleading client wait time data and touting allegedly inflated national pandemic fraud-loss figures in order to boost its business.

ID.me was brought in by the EDD in the fall of 2020 to address its rampant fraud problem.  Though the problem was instantly evident to every observer, the EDD waited months to install ANY identity verification system (the job could have been done in the first weeks of the pandemic for a cost of one-thirtieth of one percent of the approximately $30 billion lost to fraud.)

In the end, ID.me issued nearly 6 million verified identity “credentials” to EDD claimants.  Around the nation, the company issued nearly 40 million credentials to people seeking government benefits, multiple unemployment and other state agencies and the IRS making up the lion’s share.  

During the course of the pandemic, ID.me went from having issued about 10 million credentials – i.e. having 10 million registered users – to about 70 million, increasing its corporate valuation significantly.  As a cybersecurity firm, the more identities you have in your data base the more money you can make –  and ID.me’s value increased by at least a factor of six to about $1.5 billion (it is likely much higher as one its similar sector competitors is valued at $4.5 billion.)

For a deeper dive on how ID.me makes money, read this Globe article.

What that means is that at least 10 percent of the growth of the company – worth between $150 and $400 million to ID.me – was directly related to the gathering of the personal data of California’s unemployed (the company was also paid directly by the EDD about $24 million to provide the verification service, a number ID.me executives have in the past said did not cover their costs.)

As to verification wait times, Californian’s had to wait an average 4 hours – often quite a lot more –  to complete the process (ID.me had two ways to create a credential – either using a smart phone to gather your biometric data like selfie, picture of your license, etc. or it could be down via video chat by holding up your license, etc.;  it was the “in person” side that saw the longest wait times.

Late last week, the House Select Subcommittee on the Coronavirus Crisis, chaired by Rep. James E. Clyburn, and the Committee on Oversight and Reform, chaired by Rep. Carolyn B. Maloney, claimed that ID.me did not provide accurate wait time estimates based on its other government clients – like EDD – actual experiences when it was in talks with the IRS for a new contract.  The committee also said that ID.me CEO Blake Hall used inflated estimates of the national fraud problem in order to drum up business.

The Committee claimed “the company informed the IRS that its wait times for video chats were only about 2 hours as of today.  But new data obtained from ID.me shows that this inaccurately downplayed the long wait times Americans were facing in states that were using ID.me.  Average wait times for video chats in April 2021 were more than four hours for 14 of 21 state (including California) unemployment programs it served.”

ID.me admitted that “those that required a live agent faced long wait times, because of this massive volume, the impact of COVID, and the lack of modern technology in state governments,” and specifically noted a “short notice spike in early 2021.”  This was almost certainly caused by the EDD shutting out – and then requiring ID.me-verified identities from – 1.4 million claimants overnight on that New Year’s Eve.  It is unclear if/when the EDD informed ID.me it was about to get 1.4 million customers overnight, which clearly added to the wait time problem.  It should be noted the agency did not directly inform other government agencies and state legislators and officials until well after the fact.

Additionally, the Committee stated ID.me, in “an apparent attempt to increase demand for ID.me’s services,” that Hall erroneously claimed that about $400 billion had been looted across the nation.

ID.me vigorously denied any attempt to gin up government business by making the problem appear larger than it was. Experts have noted that as almost every previous fraud loss estimate made by government agencies have been comically low and that attacking the ID.me figure could merely be a way to deflect/diminish governmental failure (The “See, we only lost $300 billion not $400 billion like he says so we’re not that bad,” line of reasoning).  

Additionally, Hall took personal umbrage at the accusation:  “As a combat platoon leader and soldier in Iraq who risked my life serving the United States of America, I would never use a claim about a national crisis to advance the interests of my company,” Hall said.  “My loyalty to my country supersedes my loyalty to my company.”

Be that as it may, cybercriminal turned noted cybersecurity expert Brett Johnson said that does not mean the pandemic was not very good to Hall and ID.me, despite the personal information privacy concerns and that desperate unemployment benefit claimants were forced by the EDD to hand over that extremely valuable data to a private third-party company.

“They are an extremely powerful security company.  More identities, more information, more data, means more value,” Johnson said.  “They could be a very good security company, but they check all the boxes for everything that is wrong about cybersecurity. The problem is that they’re unethical as shit.”

Oh, and the EDD did not respond to requests for comment.

Here are the ID.me related questions the EDD declined to answer:

What has ID.me told the EDD regarding wait times?

Has ID.me acted ethically, in the EDD’s experience?

Is it ethical that ID.me was paid at least 24 million dollars while hoovering up an incredibly valuable haul of 6 million identities?

ID.me issued about 6 million “credentials” to UI recipients – how many did it decline (deem fake in other words)?

Please find below both the Congressional press release and ID.me’s statement.

Extra Credit – In case you were wondering how all this identity stuff worked in the past, here’s a fun video on how you proved who you were in the Roman Empire: