Thanks again to the California Globe for running this piece. You can visit the website at: https://californiaglobe.com/
In the spring of 2020, the pandemic caught many by surprise – no organization, it seems, was caught more by surprise than the California Employment Development Department.
When the economy was essentially shut down by edict, both the state and federal governments scrambled to make sure that those forced from work had some source of income.
But into that stream of money stepped fraudsters: prisoners, shady characters, ex-EDD employees, massive international criminal cyber gangs, etc. all got in on the act, hoovering up billions while legitimate claimants were far too often left out in the cold, in many cases literally.
Despite clear and overwhelming evidence very early on in the pandemic that something was terribly wrong, the EDD did almost nothing to try to prevent the fraud until last September, about six months into the crisis, when it signed a contract with a Virginia identity security company called ID.me, as the Globe reported in June.
For many claimants, to continue to collect benefits they had to go through ID.me’s identity verification process, which proved to be rather frustrating in the early days, particularly after the EDD summarily stopped paying 1.4 million claims last New Year’s Eve. Despite the growing pains (and, depending upon your comfort with and/or access to the latest technology, occasionally onerous process), the EDD was able to confirm the real identities of millions of people and prevent potentially billions more in fraudulent claims from being processed and paid.
But the decision to hire ID.me, which identifies itself as a “secure digital identity network” rather than merely an identity verification company, has raised a number of questions about the status of the sensitive – and extremely valuable – personal data provided to a private company at the demand of a government agency by millions of unemployed Californians.
For clarity, this story has been broken into discrete sections, each looking at a different aspect of the issue (though they without question intertwine). It should be noted at the outset that the EDD was circumspect at best when it came to providing information and that both Governor Newsom’s office and campaign refused to comment on the matter. In fact the Governor’s office referred the Globe to the EDD which, in response to a new group of questions, claimed it had already responded.
Assemblyman Ed Chau (D-Monterey Park), the prime author of the 2018 California Consumer Privacy Act (the strictest law in the nation) refused to comment on the issue, though whether he simply did not want to or was following the current Democrat playbook of saying or doing absolutely nothing that could even hint at implying Newsom has ever done anything less than perfectly as governor and therefore shouldn’t be recalled is unclear (such as actually holding the long-scheduled but recently cancelled EDD oversight committee meeting).
It should also be very specifically noted that ID.me did quickly respond – usually quite voluminously – when asked about the myriad of facets of the issue and that nothing in this article is meant to imply that the identification verification service itself, let alone the validity of the proven identity “credentials” of benefit claimants, is at all compromised.
Finally, it should also be noted that ID.me states that it has lost millions of dollars on the services it has provided to the unemployment agencies of the nearly three dozen states, including California, that it has worked with during the pandemic. Simultaneously, though, the value of the ID.me company, once a relatively small player in the identity verification field, has ballooned to an estimated $1.5 billion and, in March, the company received an investment from Google to the tune of $100 million.
Blake Hall, ID.me’s CEO, has spoken of monetizing “trust and convenience.” So, do you know what your data is doing, and for whom it is making money now?
THE BACKGROUND
Last spring, something was wrong and everybody except the EDD knew it.
Assemblyman Jim Patterson (R-Fresno) told of how, early on in the pandemic, constituents started sending his office dozens and then hundreds of envelopes containing fully loaded debit cards mailed to them, unrequested, by the EDD. The Assembly member tried to get someone at the agency to pay attention to the problem but to no avail and, frustrated, finally put hundreds of envelopes (containing literally hundreds of thousands of dollars’ worth of debit cards) into a box and simply shredded the contents, figuring it was safer than what the EDD had been telling people who got such mail: mark it “return to sender” and put it back in your mailbox. This is exactly what a fraudster would want to happen since they then had another chance to rummage through the mailbox at the random address they had used to perpetrate the scheme.
Patterson didn’t hear back from the agency for months on the issue.
The EDD with its antiquated computer system, problematic customer service philosophy of not having a customer service philosophy, little actual oversight beyond the rhetorical from the majority in the legislature, and exactly no sense of urgency emanating from the governor’s office to deal with the problem, pretty much just continued to ignore the problem as Estonian and Nigerian gangs, death row inmates, wanna-be rap stars, and garden variety fraudsters looted the agency.
“Law enforcement agencies told the states it was going to happen and what was happening as it happened,” said Brett Johnson, former cybercriminal turned noted cybersecurity expert and consultant.
Eventually – with no end to the pandemic in sight, literally millions of presumably angry but mostly unanswered phone calls, and facing increasingly awful press coverage of legitimate claimants literally going hungry and being forced into homelessness – the EDD got the hint and decided something may actually be amiss. The agency’s atrocious response to the needs of the actually unemployed has been chronicled by the Globe.
Prior to the pandemic, the EDD had no identity security system – really, none. For a few years, when it received a federal grant to do so, it paid for a system to back check information (for example, 137 unemployment checks going to the same address would set off a warning) but it never had a “front end” filter, a way to actually make sure the claimant was really who they said they were. It is quite possible that the agency had never faced a concerted effort to defraud it – actually almost certainly so as the amount of money available was comparatively small and the specific hoops one would have to jump through to successfully defraud the agency were enough to dissuade most criminals.
“The more ‘friction’ you add to the system, the lower your crime rate is going to be,” Johnson said.
But the pandemic increased the amount of money up for grabs and, simultaneously, the EDD eliminated the pre-existent claimant hoops, actually lowering the “friction.” And the race was on.
Why then did it take so long to do something – anything – about the problem? Security experts state unequivocally that even with the ancient computer system, the EDD could have, last April, installed a “bolt on” app that would have prevented the vast majority of the fraud, within one week and for an infinitesimal amount of money when compared to the at least $30 billion lost to fraud – or, at the least, the $24 billion the state now owes the federal government and plans to repay by hitting California employers with additional payroll taxes of what could be up to $1,000 per employee (aggregate) over the next ten years.
“When you talk about governments and billions, you can get lost in a fog of big numbers and no one specifically to blame,” said cybersecurity expert Johnson. “But that tax increase to pay for fraud? That’s the real victimization right there.”
THE CONTRACT
In September of last year, the EDD signed a no-bid, single-source, COVID-related emergency contract with ID.me (actually with a partner company called V3Gate but the contract references ID.me services throughout) for up to 1 million “subscriptions,” or identity verifications (called credentials by ID.me) at a cost of $3.5 million, or $3.50 each.
In January, in the early stages of the system being swamped by those 1.4 million claimants who were cut off without notice on New Year’s Eve, the EDD added another 1.74 million potential credentials for an additional $6 million.
The contract remains in force until January, 2022, with an option to extend it for another year. According to ID.me, they are only paid for an actual real confirmed identity and are not paid the “per head” fee if it turns out, during the verification process, that the claim is not real.
The number of claimants that have been cleared through the system or denied validation was not provided.
The contract contains a lot of standard boilerplate language and government and industry jargon, but it also addresses data privacy quite specifically. Exhibit A, Section 5 notes that ID.me must follow NIST (National Institute for Standards and Technology) standards, which govern data usage and the like. But it also goes further in Section 9, stating specifically that “Vendors cannot use claimant information for marketing, solicitation, or similar purposes.”
And that is where the waters get a bit muddy as while it may seem rather clear to a layman that the information gathered from the unemployment benefit claimant can only be used for unemployment claim purposes, that may not be exactly what is happening.
During the verification process, claimants are asked to provide multiple forms of existing identification and biometric data, either via selfie or through an on-line face-to-face chat with an ID.me employee. Once through the process, they can also be asked if they wish to “opt-in” to consider other services provided by the company, such as ShopID.me, a discount program that offers bargains on a range of products and services.
On the “Fraudian Slip” podcast (hosted by the Identity Theft Resource Center) ID.me CEO Hall did say that “your data is your own. If you want to move it, we’re going to monetize that trust and convenience.”
Additionally, ID.me stated that it “does not share data unilaterally. Like a Visa card, the verified user is the only person who decides if their information is shared anywhere on a case-by-case basis,” and that “If you are using the ID.me Service in connection with legal identity verification or a government agency we will not use your verification information for any type of marketing or promotional purposes. By default, users are opted-out of everything in our model.”
That may not be exactly true, as during the identification process, California unemployment claimants were quite clearly asked if they wish to “opt in” to other services, though whether or not agreeing to do so does in fact direct and/or allow the person to access other services offered is not clear.
The claimant must also agree to the terms and conditions of service of ID.me, which do allow for certain third-party information access.
The ID.me privacy policy reads, in part:
“We reserve the right to disclose your Personally Identifiable Information as required by law and when we believe that disclosure is necessary to protect you, our rights and/or comply with a judicial proceeding, court order, or legal process served on us or our Website; enforce or apply this Privacy Policy, our Website Terms of Use or other agreements; or investigate, prevent, or take action suspected or actual prohibited activities, including but not limited to, fraud and situations involving potential threats to the physical safety of any person or to prevent financial loss to any person or entity; or otherwise protect the rights, property or safety of the Website, its Users or others.”
It is the reference to fraud and the “prevent financial loss to any person or entity” clause that experts say is an easily exploitable intentional “gray area,” as the number of activities that could fall under the suspicion/prevention of fraud and prevention of financial loss ranges from, well, what happened to the EDD itself, all the way to making sure the person who is applying for a car loan is who they say they are.
ID.me states categorically that it does not use any data “unilaterally,” or without the consent of the user, even for comparison purposes. “We don’t compare company data to data submitted by a third party,” said ID.me’s CEO Hall. “Again, in ID.me’s model, the user controls their own data.” (For a complete picture, you can visit the company website at www.id.me/privacy, which notes that “If you are using the ID.me service in connection with legal identity verification or a government agency we will not use your verification information for any type of marketing or promotional purposes.”)
However, exactly what those claims mean is a matter of debate.
“If I had a total assurance that they couldn’t do anything with the data then I would be fine with it,” said Jennifer King, Ph.D., the Privacy and Data Policy Fellow at the Stanford Institute for Human-Centered Artificial Intelligence. “But I don’t.”
The rather adamantine stance taken by ID.me also concerns cybersecurity expert Johnson, who thinks ID.me would be a “great security company if they just got rid of the marketing.”
“I hope they are comparing data – they wouldn’t be a security company if they didn’t,” Johnson said.
When asked if it believed ID.me was keeping to the letter and/or spirit of the contract, EDD rather disinterestedly replied to the question thusly: “We understand you are in touch with ID.me, and they confirmed with you they do not sell customer info and don’t do anything with the info other than use it to verify ID.”
As to who owns the data submitted, now and for how long, the situation is also rather muddy. The contract is set to expire next January but (due to the extension options) may be in place afterwards and ID.me has that data throughout the length of the contract and for seven years afterwards. As the contract is with the EDD and not the individual, the claimant does not appear to be able to “end” the contract, thereby shortening the time frame. Also, ID.me states that a person may “destroy their ID.me credential and account. However, due to extremely high rates of fraud targeted at workforce agencies, we will securely retain that data solely for audit and anti-fraud purposes to support our workforce agency partners until the end of the records retention period.”
Additionally, the EDD does not make it easy to get out of its own system. There is currently no button to click on the website to inform it that you have found employment and want to end your benefit claim. Instead, the EDD website states: “If you want to cancel your claim, contact the EDD IMMEDIATELY. You cannot cancel a claim after you have collected UI benefits and cannot file a new UI claim until your current claim ends. If you go back to work or are no longer in need of UI benefits for some period of time, simply stop certifying.”
THE DATA
Today, everyone leaves a digital trail. From the cell phone that tracks location to browser history to shopping patterns, all of these activities create distinct and valuable data points.
To gain an ID.me “credential” – i.e. a verified portable identity – a user must submit a number of personally specific pieces of information, commonly called PII, or Personally Identifiable Information. These would include Social Security numbers, biometric face scans, copies of physical identification papers such as passports and driver’s licenses, etc. It is this PII that ID.me says it holds away from any other non-authorized use.
But it does state that it can share non-PII data it gathers, something privacy advocates find troubling as by “backward engineering” even that minimal data a company can build a rather credible outline of a person without even needing to know anything specific about the individual; in other words, while a marketing firm may not actually know a Jim Smith lives at 123 Main Street, it does know that there is a very high likelihood that someone who drives a Ford, likes to play golf, watches too much television, doesn’t have a burning interest in politics, owns at least one cat, collects commemorative shot glasses, and enjoys pinochle lives in that neighborhood.
Being able to compare that general “anonymized” data to confirm the existence of the actual person is extremely valuable.
From its privacy policy page, here is what ID.me can collect on its users:
Category: What We Collect
Identifiers: Name; Alias; Postal address; Unique personal identifier; Online identifier (in the form of a universally unique identifier); Internet Protocol Address; Email address; Social Security Number; Driver’s license number; Passport or passport card number; State identification card; Date of birth; Phone number
Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)): Name; Postal address; Unique personal identifier (in the form of a universally unique identifier); Online identifier; Internet Protocol Address; Email address; Social Security Number; Driver’s license number; Passport or passport card number; State identification card; Date of birth; Phone number
Protected classification characteristics under California or federal law: Gender; Military/veteran status; Inferred citizenship (based on passport information you provide us)
Inferences drawn from other personal information: Inferred citizenship (based on passport information you provide us)
Biometric information: Photos on forms of identification (e.g. driver’s license, employee badge, student identification card, military identification card); “Selfie” photographs; Video “selfies” for liveness detection; Voice recordings
Geolocation data: Internet Protocol Address; Geolocation data
Professional or employment-related information: Documents and/or information you choose to provide us that prove you are an employee gainfully employed by an organization
Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)): Educational transcripts and school identification cards that you choose to provide us
Internet or other similar network activity: Internet traffic’s country of origin and related information
Adam Schwartz, an attorney with the Electronic Freedom Foundation, said that the government forcing people to turn over this type of information to a private company is fraught with peril.
“These are people who are entitled to a government benefit and the government is coercing them into submitting to facial surveillance and giving their info to ID.me,” Schwartz said. “They are in a very emotionally vulnerable moment when they are being asked for their consent. It’s a captive audience.”
HOW TO MONETIZE INFORMATION
The value of personal data is enormous – just ask Google, Facebook, Twitter, etc.
But why is that data so valuable and how is it then monetized?
The how is head-spinningly byzantine and there are practically as many different ways to monetize data as there are people trying to monetize data. But there are a few basic concepts and constructs at play.
First, how is data obtained? While the particulars depend upon your web browser, email service, online subscriptions, shopping patterns, etc. a very large percentage of time spent in front of a screen is up for grabs. One very basic way to capture data is to offer a service, such as Gmail or Facebook, that allows you to capture a person’s data flow. There is a reason why these services are free and why, shortly after you mention “shoes” in your Facebook group or in an online search, you will see – either in your in-box or feed – an advertisement for shoes, or socks, or some other foot-related product.
In other words, by taking advantage of the free service you are allowing the provider to access your information that they can then sell on to marketers and such. This we all know.
There are also more specific forms of “third-party” data sharing. For example, the information holder offers to simply give another company or entity its data for free as a way to create a stronger business relationship. Or that company could “give” the data to another company on the condition that if that company is able to monetize it somehow the first company gets a cut (either a share of the actual revenue or some other future benefit). In neither of these cases is the data “sold” in the sense society is accustomed to but in both cases the holder of the data has profited and/or gained value.
When it comes to data sharing, “sometimes there is revenue sharing and sometimes it’s for adding services to make a company’s offering more attractive,” said James Lee, COO of the Identity Theft Resource Center. “ID.me has not denied they have a way to monetize the information they collect.”
Then there is a very specific type of data sharing related to the security and identity verification industry and that is the ability to compare and confirm data held by others. Example: Company A has a list or group of data points that it has collected, but it wants to make sure that it is as accurate as possible (greater accuracy in identifying marketing targets means a greater chance of a sale of a product or service). Company B has a massive data base and agrees – for a price – to check Company A’s info against it for accuracy. Again, the data has been monetized without being sold.
But this type of service can – and actually should, if a security company is doing its job – go beyond marketing purposes and be used to ensure that a person is who they claim to be. Example: Joe applies for unemployment benefits in California and is cleared through ID.me as actually being Joe and an identity “credential” is created. But then someone else claiming to be Joe uses Joe’s already confirmed identity to apply for benefits in another state – only if it is possible to compare Joe to “Joe” can you determine that the second “Joe” is a fraud, because the other state will only see “Joe” as a confirmed real person.
The ability to confirm/contrast data – especially in the identity sphere – is extremely valuable and the larger a company’s “owned and operated” data set is, the more the company is worth. In December, 2019 – before the pandemic – ID.me had in the neighborhood of 10 to 12 million users. It now says it has more than 60 million users and, earlier this year, an investment of $100 million by Google set its company valuation at $1.5 billion.
Hall emphasized that ID.me does not sell data; rather “We sell trust so organizations can have a level of assurance that what a user is asserting is true.”
Data has value to legitimate entities but also, as we have seen, to fraudsters. While creating as much “friction” as possible at a system’s access points does decrease the type and amount of fraud significantly, Johnson said cybercriminals are always looking for new ways to earn.
“You have the money, they have the time,” Johnson said. “Eventually they are going to try to figure it out.”
For example, even the ID.me system was being misused recently. While the company quickly put a stop to the practice, fraudsters were using ID.me to create real verified identities by pretending to offer people jobs and then telling people they were hired and to go through the ID.me system for final security purposes. What the happy new employees did not know is that they were in fact being used to secure improper unemployment benefits.
Even bad data can have value, both Johnson and King said. By keeping the information that flows into it from people trying to defraud the system, ID.me and other security companies can compare and contrast that with other data, use it to detect patterns, and to flag other potentially problematic information, either for itself or for another company.
ID.me did not say exactly if it keeps and/or how it uses fraudulent data as they do not comment on “specific anti-fraud sources and methods for obvious reasons,” but did say they can “detect a certain type of fraud increasing across our network.”
THE SAVINGS TO THE STATE AND THE VALUE TO ID.ME
Since hiring ID.me, the EDD claims it has prevented approximately $60 billion in fraudulent payments – an astonishing number.
But that is just one astonishing number brought about by the pandemic. The EDD has paid out $170 billion in the course of processing 24 million claims. Considering that the best estimate of the size of the state’s entire eligible workforce is also about 24 million, that would mean, in theory, that everyone capable of work in California has been unemployed for at least a portion of the past 18 months. As we know that is not true, and since the EDD would not clarify if that number was discrete individuals or included repeat claimants who went on and off and on and off unemployment, the extent of the fraud perpetrated on the department is unquestionably larger than the $11 billion loss the agency has been claiming for months.
In fact, if using ID.me saved the state $60 billion in less than a year, then even the more reasonable estimate of a $30 billion loss in the seven months prior to the hiring that has been opined by experts is also almost certainly low.
It also means that the $9.5 million (maximum) that the EDD has paid ID.me is an incredible bargain. This of course raises the never answered question as to why the EDD failed to act immediately, as it easily could have, but asking it would most likely lead to an even more infuriating un-answer.
It can be taken as a given that hiring ID.me (as any other firm would have) provided the state value for its money – but what did it provide ID.me?
If it lost millions on providing services to unemployment agencies, which it certainly did, why did it get into the game?
“ID.me lost significantly more money than we made while supporting unemployment agencies,” Hall said.
Pre-pandemic, ID.me had about 10 million users. Thanks, in large part, to its work with dozens of state unemployment agencies, it now has nearly 70 million users. In other words it grew by a factor of at least six in less than two years, an astonishing rate even in the tech industry and its current valuation is $1.5 billion.
But if it is not monetizing that data in any way, how could that be possible? There is one possibility – the double loss leader principle, which involves losing truckloads of money until a company becomes a major force in an industry, if not THE force, and then at that point cashes in (remember, Amazon took nearly 20 years to make a profit, popular car sharing and delivery services are currently operating at a loss, etc.).
By building out its data base to expand its business, King said, ID.me stands to be able to take huge advantage of each and every identity profile they created.
ID.me freely admits it has grown in value, but does try to downplay the critical role the unemployed have played in making it richer.
“Like Visa, the more credentials we issue and the more places that accept those credentials as valid, the more value we provide to consumers and organizations alike,” Blake said. “COVID certainly accelerated the growth of the digital economy. ID.me’s network growth is certainly tied to an increase in value but it’s not perfectly correlated.”
ID.me did certainly provide a service of value to the EDD; but it also unquestionably – by being able to access and store the personal data of millions of unemployed people across the nation – increased its own value more than rather significantly.
THE ETHICS AND THE OPTIONS
While there are a number of other services that provide comparatively much more “standalone” identity verification, including the federal government’s General Services Administration’s “Login.gov” program, the EDD declined to say why they eventually picked ID.me, though they did say they looked at other options.
The choice of ID.me could have been made for any number of reasons, from the relatively low upfront costs (again, the company says it lost millions on providing the service) to the fact that many other states were jumping on board with ID.me, to it possibly being a case of simple rushed panic.
“Making ethically informed choices in the midst of a crisis is not the best practice,” said Jeff Smith, the Frank Shrontz Professor of Professional Ethics at the Center for Business Ethics at Seattle University. “Data is ubiquitously traded, ubiquitously monetized and when you have to make quick decisions they can be ethically sub-optimal.”
While the EDD touted the hiring of a security firm, it did little if anything to let claimants know about the data and privacy implications.
Professor Dennis Wittmer of the Daniels College of Business at the University of Denver noted that for an already beleaguered agency to hire a firm that could be seen to be taking advantage of a dire situation is a problem.
“There is nothing wrong with hiring a third party, but you have to be pro-active, you have to make it clear that the information is not being misused,” Wittmer said. “If you’re in constant crisis mode and the citizens aren’t getting reliable service, this just adds one more glitch to a big problem.”
An even more basic ethical issue is the simple fact that the EDD decided to force private citizens to hand over their personal information to a private company in order to receive a benefit to which they were entitled.
Focusing on what any particular private company does or does not do with the data misses a larger point. Unlike signing up for Gmail for free, fully knowing you are sharing your data in exchange for the service, unemployment claimants had no other option.
“When the government demands personal information and hires a third party there need to be laws,” Schwartz said. “Personal information is worth money and they should not be taking advantage of the coercive powers of the government. When the government says ‘give them your face print,’ it is very problematic.”
King agreed.
“The government is forcing people to walk through (ID.me’s) doors and they are building out their data base to expand their business,” King said. “Not being offered a choice is a bad deal.”
IN CLOSING
So where does all of this leave us?
It apparently leaves Governor Newsom and the EDD utterly unfazed by the loss of billions to fraud, the coercive nature of how personal data was collected, and that the massive growth of a tech company was, in part, built on the backs of California’s unemployed.
It leaves ID.me with a massive haul of new and extremely valuable data and an exponentially increased company value.
And it leaves the millions of people forced out of work by the pandemic and then forced to turn over their personal data to a private company to access the benefits they were entitled to with yet another queasy feeling of having got the wrong end of the stick.
Again.