Why We Think ID.me Surpasses Competitors
One thing we considered when we looked at ID.me is that the US government is using it. Typically, it is very difficult to secure major US government contracts. These tend to be lengthy RFP processes that yield contracts with stringent requirements and a long vetting process. It's significant to us that ID.me won these contracts over competitors. It might mean that there are ways in which ID.me's operations or product were viewed as superior.
Another consideration: ID.me's mistakes have made the news because they have big clients. When an organization comes under public scrutiny, a lot of people become skeptics and a lot of dirty laundry is on display for everyone to see. We wonder how many people who are against ID.me did research into the track records of our competitors. We also wonder whether competitors that had similar product problems or data breaches would have gotten press coverage at all if all of their clients were too small or not noteworthy enough to make headlines. In other words, it's possible that some of these competitors that appear to have a clean reputation are simply junior varsity players.
How ID.me Allows Us to Be More Inclusive Than Other Vendors
A huge reason why we like ID.me is because it gives us the flexibility to decide what documentation we will accept. Whereas most ID verification companies will only accept a narrow, limiting, and (in some cases) more invasive set of documents, such as birth certificate or social security card, we can tell ID me what we accept and they will verify it. This means that, if a member of our community has a special situation and for some reason can't produce a standard set of documents, we can essentially make space for them by telling ID.me to accept what they can put forth. We believe this is tremendously important to inclusion.
ID.me's Data Retention Policy
We committed to looking into this and seeing whether we could have this changed for members of our community. Here is the response we received from our representative: "Regarding the 3 year retention policy, we can reduce that specifically for NaNoWriMo. Let me confirm the options, but I believe it can be reduced to 1 year, 1 month, or as low as 24 hours. Individual users also have the option to request their identity information and selfie be deleted at any time from their ID.me account. " In other words, they will help us here and we are still negotiating and trying to get a final/specific commitment. Also, it seems that individual users have the ability to revoke consent for records retention.
We feel this is a good resolution and we're happy this will put some folks at ease. However, even if ID.me were not willing to work with us on this, we want you to know that we took this into account and did not find a global player with a default privacy policy that was better. Most ID.me competitor boilerplate policies were similar or worse. Though some folks did name organizations that operate in their individual localities that do not retain data, none of the ones directly recommended to us were global solutions.
An inherent risk with any and every mechanism that stores and transfers sensitive digital information is that it can be hacked (and probably will be at some point, whether that information ever becomes public). An inherent risk with any and every automated digital function is that somebody will try to outsmart it (and probably will at some point, whether that information ever becomes public). We certainly view community concerns as relevant, but our decision to continue with ID.me is not a matter of disregard for your concerns. We are simply in an environment of few better alternatives.