ID.me is in the news because the IRS will require you to submit your face to them. So I went to look at their privacy policies. It’s a mess: a 🧵
gizmodo.com/irs-will-require-facial-recognition-scans-to-access-you-1848387715
The ID.me Privacy Bill of Rights says “You must provide explicit consent before we will share any information.” Great! Except this bold statement is contradicted by the Privacy Policy. insights.id.me/privacy-bill-of-rights/
Instead of consent, the Privacy Policy says ID.me can share whenever they think it's necessary to “investigate, detect, prevent and address … other harmful … activity,” as well as “requests” from law enforcement. www.id.me/privacy
Investigating any “harmful” activity is the kind of exception that you write to be big enough to drive a truck full of PII through.
The ID.me Biometric Privacy Policy is even worse. It allows for sharing “where permitted by law,” specifically including to “cooperate with law enforcement.” I doubt they intend “permitted by law” to include the 4th A restrictions on govt. www.id.me/biometric
So how do they reconcile the contradiction between “explicit consent before we will share” and ‘here’s all the ways we’ll share without getting consent’? I’m not sure they can, tbh, but I wonder if someone thought it crafty if you considered the Privacy Policy AS consent.
But ‘if you use our site you agree’–on a document no one reads–is not “explicit consent,” and should not be able to override the short, clear promises of the ID.me Privacy Bill of Rights.