Though Freedom of Information Act requests to the tax agency can still be filed through FOIA.gov, the mail, by fax, or even in person, the IRS’s decision to point online filers to ID.me — whose facial verification technology has, in the past, drawn scrutiny from Congress — has raised some advocates’ eyebrows

Alex Howard, who directs the Digital Democracy Project and also serves on the FOIA Advisory Committee hosted out of the National Archives, said in an email to FedScoop that language on the IRS website seems to encourage ID.me use for faster service. It also doesn’t make significant references to FOIA.gov, a separate governmentwide portal that agencies are supposed to work with by law, he said. 

“While modernizing authentication systems for online portals is not inherently problematic, adding such a layer to exercising the right to request records under the FOIA is overreach at best and a violation of our fundamental human right to access information at worst, given the potential challenges doing so poses,” Howard said. 

The IRS defended its use of the service in responses to FedScoop questions, noting the other ways people can file FOIA requests and that the tool is only required of those seeking to interact with their public records electronically. The agency also said that ID.me follows National Institute of Standards and Technology guidelines for credential authentication services.

“The sole purpose of ID.me is to act as a Credential Service Provider that authenticates a user interested in using the IRS FOIA Portal to submit a FOIA request and receive responsive documents,” a spokesperson for the agency said. “The data collected by ID.me has nothing to do with the processing of a FOIA request.”

The IRS website currently directs people trying to access the agency’s online FOIA portal to use ID.me, which describes itself as a “digital passport” that “simplifies how individuals prove and share their identity online.” According to one IRS page, the “IRS Freedom of Information Act (FOIA) Public Access Portal now uses a sign-on system that requires identity verification.” Those hoping to access online FOIA portal accounts created before June 2023 also must register for ID.me, the site states. 

The ID.me login page directs users to the FOIA portal, stating that those who can’t verify their identity can try visiting the ID.me help page or pursue alternative options. From there, another page tells users to try “another method” for submitting a FOIA. 

The system requires users to upload a picture of their ID: They can choose between taking a selfie and using biometric facial verification software that compares the image to their ID — or wait for a video appointment to confirm their identity. 

The system also appears to prompt users to share their Social Security number and includes terms of service that discuss the handling of biometric data. Two FedScoop reporters tried registering with the system: one had their expired identification rejected and had to attempt again with a passport, while the other’s driver’s license could not be “read” the first time but was accepted during a second attempt in combination with the video selfie. Both FedScoop reporters later received a letter, by mail, notifying them that their personal information was used to access an IRS service using ID.me.

What an ID.me scan looks like when signing into the IRS’s FOIA portal.

The IRS spokesperson said that the collection of a Social Security number is related to the digital authentication process, not the processing of the FOIA request itself, and biometric information is not retained by the IRS. 

“The IRS requires ID.me to delete the selfie and biometric information within 24 hours for taxpayers who verify using the self-service process,” the spokesperson said, adding that “ID.me is also required to delete any video chat recording within 30 days for taxpayers who choose to verify using the video chat pathway.” 

An ID.me spokesperson said in an email to FedScoop that no state or local agency uses the system for identity verification or as authentication for FOIA portals.  

The FOIA portals for the Treasury Department and Social Security Administration do use ID.me, the company spokesperson noted, but both agencies seem to provide more information on alternative submission options to submit requests online. ID.me referred additional questions regarding the IRS’s use of the company’s FOIA portal to the tax agency. Treasury did not respond to a request for comment by the time of publication.

The Social Security Administration offers both ID.me and Login.gov — another government-run ID service — as options to log into its FOIA portal, FOIAXPress Public Access Link. Like the IRS, the SSA said in response to FedScoop questions that mail, fax, email and FOIA.gov are alternatives to filing FOIAs. A Social Security number is not required for accessing FOIAXpress, though it appears to be required for signing into ID.me, which some users might be using to file FOIA requests. 

“In the scenario where a customer uses their ID.me account to access FOIAXpress PAL, the customer selects this sign in option on the login page and is redirected to a webpage on ID.me’s website,” an agency spokesperson said. “If the customer creates an account in this session, ID.me retains info on the registration event in their records.

They continued: “Upon successful account creation, the user is routed back to SSA’s website and allowed access to FOIAXpress PAL. SSA and ID.me retain info on the transaction in our respective records.”

“Submitting a Social Security Number to ID.me is related to the digital identity authentication process; generally it is not required for the FOIA process,” the IRS spokesperson added. 

Albert Fox Cahn, a privacy-focused attorney who directs the Surveillance Technology Oversight Project, expressed concerns about the IRS’s use of ID.me. “This isn’t just creepy and discriminatory, it might break federal law,” he said in a statement to FedScoop. “Under FOIA, public records belong to the public, and no one should have to hand over their biometric data just to see the records they’re entitled to access.” 

The use of ID.me by the government has sparked concerns in the past. In 2022, some members of Congress accused the company of downplaying wait times and misleading people about the way its facial recognition technology worked. The company, meanwhile, has defended its practices, including its work on fighting fraud during the pandemic.

Matt Bracken contributed to this article.

This story was updated June 11, 2024, to update Alex Howard’s professional affiliation.

The post IRS defends use of biometric verification for online FOIA filers appeared first on FedScoop.

The update to FOIA.gov — one of the most notable upgrades to the site since the 2018 release of the National FOIA Portal — checks an important box for the Department of Justice in its ongoing efforts to meet pledges in the Fifth U.S. Open Government National Action Plan. 

Per a news release from the DOJ’s Office of Information Policy, the search functionality on FOIA.gov allows users to easily and quickly find publicly available information, and connect them to the proper federal agency depending on the request.  

OIP noted that the website’s search tool is organized by the six most common topics of FOIA requests: immigration or travel records; tax records; social security records; medical records; personnel records; and military records. Users can enter their own search terms or begin their searches by navigating to one of those six topics and selecting answers from a series of questions.

The search tool is powered by a combination of machine learning and logic, pointing users toward relevant documents that are public or guidance on where to request specific information. 

Previous FedScoop reporting found that several federal agencies were behind the eightball on achieving interoperability with FOIA.gov, with some battling ongoing technical and logistical challenges. 

OIP said in its release that launching the new search tool is part of “phase one of a multi-phase project” in DOJ’s push to make the FOIA request process “more efficient and user-friendly.”

The post FOIA.gov unveils new search tool appeared first on FedScoop.

Many agencies have updated their public records systems in order to ensure their systems work with FOIA.gov, a requirement established in a 2019 White House memo, according to a recent FedScoop review of 2023 Chief FOIA Officer reports and subsequent inquiries sent to agencies. But others are still running into technical and logistical issues.

The Secret Service and U.S. Citizenship and Immigration Services have yet to meet these requirements, according to Wyn Hornbuckle, deputy director of the Department of Justice’s public affairs office. The DOJ, which tracks compliance with interoperability requirements, is also still catching up on the requirement. The agency says that all of its components should become interoperable within a matter of weeks. 

Communications staff for the National Archives and Records Administration told FedScoop that the agency is still working toward its goal of making its online portal for accepting veteran records requests interoperable with FOIA.gov. They added that in regard to requests for other records: “NARA continues to assess its options implementing a FOIA tracking and review platform and is mindful of the need for any system to interact with foia.gov.”

The Federal Aviation Administration told FedScoop only that it’s working on its FOIA case management system and that the agency will move to production “once testing is completed.” Meanwhile, the Department of Transportation’s Office of Inspector General’s public records request system has not achieved interoperability and the agency is still working on meeting requirements with its contractor. 

The Department of Health and Human Services’ Office of the Inspector General told FedScoop that it’s “taken significant steps to resolve technical issues that have prevented us from receiving requests from the National FOIA Portal FOIA.gov,” but that it expects to receive requests through the system in the coming months.  

Notably, meeting these interoperability requirements can be relatively easy, according to Michael Morisy, the founder and executive director of MuckRock, which offers a platform for filing public records requests. 

“A lot of times they’re … going to be working with a vendor that’s done this a number of times,” Morisy told FedScoop. “Some of the smaller shops are surprisingly nimble in being able to build their own tooling.” 

The White House memo, M-19-10, was required under the FOIA Improvement Act of 2016 and stipulated that agencies could become interoperable with the portal in two ways: incorporating an API or accepting FOIA requests through an email inbox. Unless granted an exception by OMB and DOJ, agencies using automated case management systems were required to use the first approach, while agencies with “non-automated” FOIA systems were supposed to take the second approach. As part of these requirements, agencies were also required to maintain an account on FOIA.gov

The memo established a timeline, too. Chief Financial Officers Act agencies were supposed to submit plans for achieving interoperability by May 2019. Agencies taking the structured email approach were supposed to set one up “as soon as technically feasible,” while agencies with automated case management systems were supposed to set up the API interoperability within two fiscal years. “No exceptions will be granted beyond August 2023,” the memo noted. 

“Foia.gov is a centralized portal,” noted Sue Seeley, a managing director at Deloitte who focuses on public records request technology. “Agencies have required interoperability between whatever system they use and that portal.”

Right now, it’s not clear how well the DOJ has been tracking compliance. The DOJ appeared to update its website for tracking 2023 Chief FOIA Officer reports in response to questions FedScoop scoop sent about the missing reports to them and several agencies, according to a website tracking tool that FedScoop set up. 

“The Department’s Office of Information Policy has been closely tracking each agency’s progress on interoperability and working directly with them to support compliance,” Hornbuckle, from the DOJ public affairs office, told FedScoop. “There currently are no exceptions for any agency,” he added. 

While agencies had been asked about their progress on achieving interoperability, Hornbuckle said, last year was the first time agencies were asked to publicly report on their compliance with the memo. Agencies with more than 50 FOIA requests in the prior fiscal year are required to produce a Chief FOIA Officer report. 

Several agencies indicated they’ve made some progress since their reports were published. For example, 97 percent of Defense Department components comply with the interoperability standards, while the remaining components are expected to achieve “100% compliance” by the end of this month, according to Sue Gough, a spokesperson for the department. 

In its 2023 report, HUD said it was not compliant, but the agency told FedScoop that it has since achieved interoperability. Similarly, the Central Intelligence Agency — which did not respond to a request for comment – reported that it was not compliant in its 2023 report. The agency has now met interoperability goals, the DOJ told FedScoop. 

For other agencies, it’s not entirely clear where they stand. Amtrak reported in its 2023 report that only its headquarters was interoperable and added that its OIG office tracked FOIAs via Microsoft Excel. The agency did not respond to several requests for comment.  

The Federal Housing Finance Agency, which said that it had been granted an exception and secured a contract to meet the interoperability requirement in its report, told FedScoop it has no further comment at this time.

The post Some agencies fall behind on FOIA.gov interoperability requirements appeared first on FedScoop.

The FOIA Improvement Act of 2016 required that OMB and the Department of Justice simplify the Freedom of Information Act landscape by creating a central portal that anyone can visit to submit a request to any agency. Today, that portal lives at FOIA.gov.

But not all agencies have established interoperability between FOIA.gov and the agency’s existing FOIA platform. Deputy Director for Management Margaret Weichert sent a memo Tuesday setting a deadline of May 10, 2019, for agencies to submit a full strategy for how their in-house platform, which can range from a simple spreadsheet to an automated case management system depending on agency need and resources, will play nice with FOIA.gov.

Not all agencies are linked to FOIA.gov. (Screenshot)

The memo lays out the two ways agencies can achieve interoperability — either by accepting requests through a structured application programming interface (API) or by accepting the request as a formal, structured e-mail to a designated email inbox. If an agency has an automated FOIA system, OMB says, it needs to go the API route unless otherwise agreed.

In any case, though, agencies have until May 10 to let OMB know which option they will pursue, how long it will take and what it will cost. From there, deadlines are a little less clear but the memo states that email interoperability should be in place “as soon as technically feasible,” and API interoperability available within two fiscal years.

In addition to ensuring this interoperability, agencies have a few other responsibilities that have to do with the FOIA.gov portal. Per the memo, agencies are required to maintain an account on FOIA.gov and keep agency contact information up to date there. Agencies are also required to “maintain a customized FOIA request form tailored to its own FOIA regulations.”

The post OMB sets deadline for agency FOIA interoperability plans appeared first on FedScoop.