U.S. taxpayers’ biometric data could be kept by a third party contractor for years, under new proposals being considered by the Internal Revenue Service.
The IRS and the Treasury Department are reviewing their relationship with identity verification company ID.me, which carries out authentication for federal websites, in light of the growing threat posed by fraudsters using AI.
The changes outlined in a presentation shown to Treasury staff on April 16, according to Politico, would drastically extend the amount of time ID.me is allowed to access account holders’ biometric information to assist with fraud investigations.
The company would be allowed to hang onto records for as long as an account is active and then for a further 36 months after it has been deleted.
Currently it is required to delete the information within 24 hours of an account being closed.
While the prospect of a private entity having access to such intimate personal data for so much longer might alarm privacy activists, use of it by the federal government for any other purpose beyond verification is strictly controlled.
It can only be accessed as part of law enforcement investigations or inspector general probes and the IRS and Treasury would still be required to present ID.me with a “subpoena, warrant or present other legally compelling justification” if they wish to see it.
There is currently no question of that changing.
An ID.me spokesperson said in a statement: “The federal government cannot share ID.me biometric data across agencies because ID.me does not share that data with the government in the first place.
“ID.me only shares biometric data if compelled by a court through a mandatory legal process, like a warrant or subpoena.”
An IRS spokesperson told Politico that changes to data-retention policies within the service are under discussion but declined to discuss details.
One anonymous IRS employee expressed concern over the proposals, however, calling the three-year period of ongoing access “scary.”
“How many email accounts have you requested be deleted because you stopped using them?” they said. “My Hotmail account from my high school days is still active even though I don’t use it.”
Another potentially controversial change suggested is the introduction of a data analytics practice known as “one-to-many comparison” to help the IRS crack down on deepfake-based fraud through cross-referencing.
However, some privacy experts have criticized the approach as unreliable and excessively intrusive.
Virginia Democratic Sen. Mark Warner, a member of the Senate Finance Committee, urged the IRS to take care in implementing new measures.
“Following abuses of taxpayer privacy under the Nixon administration, Congress established and has maintained a robust set of laws safeguarding taxpayers’ personal information,” he said.
“Taxpayer privacy is critically important, and the IRS should take the utmost care to safeguard taxpayer biometric data.”
The government began collecting taxpayers’ biometrics to assist with the “detection of stolen, synthetic and AI enabled fraud that often surfaces well after initial account creation,” as the Treasury phrased it, an ever-growing problem in the era of online banking.
According to ID.me, AI-based scams leaped over 1,210 percent in 2025.
However, the use of increasingly sophisticated technology and information-sharing between agencies to fight back against the problem has attracted concern from watchdogs, lawmakers and activists worried about the potential for misuse and bad practice.
Elon Musk’s DOGE faced questions last year about its perusal of Social Security records as it sought to root out welfare fraudsters while a data-sharing agreement between the IRS and ICE quickly became bogged down in litigation.
Nina Olson, the executive director of the advocacy group Center for Taxpayer Rights, said she was concerned about agencies being able to safely oversee private businesses like ID.me, given that their workforces were slashed by DOGE last year.
She also predicted that citizens would be more reluctant to share information if they did not feel confident it was being handled securely.
“If taxpayers start suspecting they file with the IRS and that information is retained by a private entity for three years, and they have no idea how it is being used, and there’s no transparency on it, they will start changing their filing behavior,” she said.
