The IRS already has almost all our PII. Not sure how adding a photo materially changes anything in that regard.
I do agree ID.me is the wrong approach. And login.gov should be used in some form over a private enterprise. But, my concern is two-fold… it’s a private entity that I don’t really want to do business with. And the process described by Krebs was impossible - can we really expect everybody to have email, valid phone (what if they aren’t the account owner for the phone), photo ID, and whatever else was required?
My father doesn't have any sort of web-connected camera, which caused a whole set of problems with his unemployment that I can't remember how they got fixed.
On a similar note, I don't have a lot of documents tied to my name, so I had nothing that they wanted when my photo verification didn't work for whatever reason. Pretty sure I just never solved that one and left the last couple weeks I would have gotten unemployment on the table.
The IRS has our PII, but lots of it is not in a big bucket, it's quite diffuse. If PII is dynamite (and it is) then we want it divided up in silos, with firewalls, and limited access where nobody has universal access. Ideally a lot of it is protected by differential privacy - if I am getting audited, the auditor only see's my returns and not my identity, and someone else gets only my identity.
I do agree ID.me is the wrong approach. And login.gov should be used in some form over a private enterprise. But, my concern is two-fold… it’s a private entity that I don’t really want to do business with. And the process described by Krebs was impossible - can we really expect everybody to have email, valid phone (what if they aren’t the account owner for the phone), photo ID, and whatever else was required?