From 6cb953945f51e312038fc98a7283b371a27f9540 Mon Sep 17 00:00:00 2001 From: Ollie Pile <111679371+opile8@users.noreply.github.com> Date: Mon, 19 Aug 2024 19:55:30 -0400 Subject: [PATCH 01/12] Create id-me.toml --- products/id-me.toml | 1 + 1 file changed, 1 insertion(+) create mode 100644 products/id-me.toml diff --git a/products/id-me.toml b/products/id-me.toml new file mode 100644 index 00000000..8b137891 --- /dev/null +++ b/products/id-me.toml @@ -0,0 +1 @@ + From 16c9d52032607f04db1cb716062cee2da5a15b89 Mon Sep 17 00:00:00 2001 From: Ollie Pile <111679371+opile8@users.noreply.github.com> Date: Mon, 19 Aug 2024 20:14:43 -0400 Subject: [PATCH 02/12] Add files via upload --- icons/id-me.svg | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 icons/id-me.svg diff --git a/icons/id-me.svg b/icons/id-me.svg new file mode 100644 index 00000000..ab2ee8b8 --- /dev/null +++ b/icons/id-me.svg @@ -0,0 +1,31 @@ + + + + + + + + + From 065298db8f05ff3b602ed16c9a89320085c8ec25 Mon Sep 17 00:00:00 2001 From: Ollie Pile <111679371+opile8@users.noreply.github.com> Date: Mon, 19 Aug 2024 23:08:33 -0400 Subject: [PATCH 03/12] Update CONTRIBUTORS.toml --- CONTRIBUTORS.toml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/CONTRIBUTORS.toml b/CONTRIBUTORS.toml index 2fa69022..02de1f36 100644 --- a/CONTRIBUTORS.toml +++ b/CONTRIBUTORS.toml @@ -199,4 +199,8 @@ email = "5990@protonmail.com" [loviuz] name = "Loviuz" website = "https://loviuz.me" -github = "loviuz" \ No newline at end of file +github = "loviuz" + +[opile8] +name = "Ollie Pile" +github = "opile8" From 1b9abba78b2a85f21c978574210b362b297a26da Mon Sep 17 00:00:00 2001 From: Ollie Pile <111679371+opile8@users.noreply.github.com> Date: Tue, 20 Aug 2024 01:55:07 -0400 Subject: [PATCH 04/12] Update id-me.toml First draft of product toml --- products/id-me.toml | 233 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 233 insertions(+) 
diff --git a/products/id-me.toml b/products/id-me.toml
index 8b137891..381ae299 100644
--- a/products/id-me.toml
+++ b/products/id-me.toml
@@ -1 +1,234 @@ +name = "ID.me" +description = "Consumers can verify their identity with ID.me once and seamlessly log in across websites without having to create a new login or verify their identity again." +slug = "id-me" +hostnames = ["id.me"] +sources = ["https://www.id.me/privacy", "https://www.id.me/security", "https://www.id.me/terms", "https://id.me/biometric", "https://id.me/washington-privacy", "https://account.id.me/privacy"] +contributors = ["opile8"] +[rubric.behavioral-marketing] +value = "yes-opt-out" +citations = [ + "We may use your information to send promotional messages and newsletters via email + or otherwise alert you to products or Services we think might be of interest to you + including for ID.me Shop. You may unsubscribe from receiving marketing communications + from us at any time by logging in to your account and navigating to \"My Preferences\" + to manage your subscriptions.", + "Please note, if you are using ID.me Services in connection with legal identity + verification for a state or federal government agency, or in association with Electronic + Prescriptions for Controlled Substance Services, we will not use any Personal Information + provided as part of your verification for any type of marketing or promotional purposes + related to ID.me Shop without your consent, or unless you otherwise use your ID.me + credential for verification with any ID.me customer who is not a state or federal + government agency customer, use your ID.me account in connection with ID.me Shop, ID.me + Jobs, or ID.me Rx, or otherwise opt-in to receiving marketing communications from ID.me." +] +notes = [ + "Explanation of 2nd paragraph: Use of personal data requires consent (\"opt-in\") if ID.me + services are used EXCLUSIVELY for \"state or federal government [agencies]\" or \"in + association with Electronic Prescriptions for Controlled Substance Services\". 
", + "However, verification with any one of ID.me's \"Shop\", \"Jobs\", or \"RX\" services + (tabs at the top) or any non-government agency appears to constitute *automatic* + \"opt-in\" for marketing.", + "Opt-out is completed through links in marketing emails or account preferences." +] + +[rubric.security] +value = "yes-independent-audits" +citations = [ + "[Privacy Page]", + "We use reasonable security measures. We are committed to protecting your information. + We have adopted technical, administrative, and physical security procedures to help + protect your information from loss, misuse, unauthorized access, and alteration. Please + note that no data transmission or storage can be guaranteed to be 100% secure.", + "To safeguard certain sensitive information (such as biometric information and + government-issued identification information), we implement security measures such as + encryption, firewalls, and intrusion detection and prevention systems.", + "In addition, the following are examples of security measures that are used to safeguard + all types of Personal Information we maintain about our consumers:", + "- Procedures for the identification and classification of Personal Information and + implementation of safeguards appropriate to the sensitivity of the information;", + "- access control procedures designed to verify a business need before access to Personal + Information is granted, and procedures for the periodic review of access permissions;", + "- procedures for termination of access to Personal Information designed to curtail access + to the information by terminated personnel or when there is no longer a business need + for access;", + "- personnel security controls designed to reduce the risk of human error, theft, fraud or + misuse of facilities; and", + "- physical and environmental security procedures designed to prevent unauthorized access, + damage or interference to business premises and information.", + "", + "[Security Page]", + "ID.me 
has been designed to comply with rigorous information security regulations including + AICPA SOC 2, ISO 27001, FedRAMP, and multiple NIST 800 guidelines. Multiple ID.me clients + have completed extensive technical due diligence with regard to the processing environment. + The customers that have completed this due diligence are: USAA, Veterans Affairs, IRS, SSA, + and Allscripts. ID.me implements role based access management, separation of duties, and + multifactor authentication. Data at rest and in transit is encrypted using approved + FIPS 140-2 algorithms. Personally Identifiable Information (PII) is encrypted using a + rolling key and the AES-256-CBC algorithms." +] +notes = [ + "See ID.me's [Security](https://www.id.me/security) page for a thorough explanation of + their data, network, and data center security standards." +] + +[rubric.third-party-collection] +value = "critical-only" +citations = [ + "Information from our partners. We acquire information from other trusted sources. These + business partners might include companies, such as your mobile phone carriers, certain + government agencies, licensing bodies, etc. We may also collect information about you + from other sources, including service providers, data licensors and aggregators, marketing + companies, programming distributors, and public databases.", + "Information you provide through social media", + "If you connect to us through a social media platform or navigate to a social media platform + from one of our sites, the social media platform will collect your information separately + from us. You should review the social media platforms' privacy policies to understand how + they are using your information and your rights in relation to such information.", + "Information We Derive", + "We may derive additional information or draw inferences about you based on the information + we have collected from you directly, passively, or through third parties." 
+] +notes = [ + "ID.me previously (until 3/14/2022) allowed login to Facebook using ID.me as the sign-on + service (via Facebook Connect). The privacy policy at that time included language about + ID.me's collection and storage of data about those contacts (depending on the users' privacy + settings). ID.me still allows a customer to [use social media accounts to sign into + ID.me](https://help.id.me/hc/en-us/articles/360057107014-Connecting-social-or-third-party-accounts-to-your-ID-me-account) + from accounts like Apple, Facebook, Google, or LinkedIn, but ID.me no no longer seems + policy no longer mentions these by name." + +] + +[rubric.history] +value = "yes" +citations = [ + "This Privacy Policy may be periodically updated. This Privacy Policy may be updated + periodically to reflect new ID.me features or changes in our Personal Information practices. + We will post a notice for consumers at the top of this Privacy Policy of any significant + changes. We will indicate at the top of the Privacy Policy when the policy was most recently + updated." +] +notes = [ + "ID.me does not make previous policies available nor do they indicate (either on the website + or via customer email) the substance of any major changes. Wayback Machine (web.archive.org) + confirmed ID.me does post a top banner with a link to the privacy policy. Since at + least 2014, policies have included a version number and date when last updated." +] + +[rubric.data-deletion] +value = "yes-automated" +citations = [ + "Personal Information will be retained until we have fulfilled our legal, contractual and + policy obligations. ID.me stores your Personal Information for as long as needed, or + permitted, based on the reason why we obtained it (consistent with applicable law and + contractual obligations). This means we may retain your Personal Information even after you + close your account with us, for up to three (3) years. 
Users may request that ID.me delete + certain Personal Information at any time at account.ID.me or through our Privacy Rights + Center, where applicable. We acknowledge all such requests, however we reserve the right to + retain data tied to certain high-risk transactions, particularly in government and healthcare + settings, exclusively for fraud prevention and government audit purposes.", + "ID.me aligns to the National Archives recommended guidelines for data retention when + supporting government agencies. Personal Information provided by users in connection with a + public sector agency as part of their verification may be retained for up to three (3) years + after account closure, unless applicable regulations require a shorter retention period." +] + +[rubric.data-breaches] +value = "no" +notes = [ + "Policy makes no mention of data breach procedures or notification to potential victims." +] + +[rubric.third-party-access] +value = "yes-specified-critical" +citations = [ + "We may share your Personal Information with entities necessary to validate your ID.me + Account and provide our Services to you. In order to verify your identity and eligibility + to receive discounts and other benefits from our partners and other service providers, we + may provide your Personal Information to third parties such as government agencies, + telecommunications networks, financial institutions or other trusted and reliable sources of + information. Our provision of your Personal Information to the foregoing parties is solely + to verify your identity and eligibility for ID.me Services. We have established relationships + with Registration Authorities similar to the entities described above whereby the Personal + Information you provide to us will be transmitted to them using industry standard encryption + tools, designed to protect such information from unauthorized access.", + "[...]", + "We may share information with third parties who perform services on our behalf. 
We may share + your information with unaffiliated companies or individuals we hire or work with that provide + us with professional advice, business support, or perform services on our behalf, including + customer support, web hosting, information technology, payment processing, direct mail and + email distribution, and administration, and analytics services. These Service Providers are + allowed to use your information to help us provide our Services and not for any other purpose." +] + +[rubric.data-collection-reasoning] +value = "yes" +citations = [ + "Verification information. When you verify yourself, either individually or as part of a + community, with ID.me you provide us with Personal Information that may include your name, + date of birth, social security number and/or other government issued identification numbers, + copies of your government issued identification card (e.g., license or passport), email + address, phone number, mailing address, and certain photographic images, and biometric data. + You may also be asked to provide community affiliations (e.g., Military, First Responder, + Student, Veteran, etc.), memberships, educational degrees, and professional certifications." +] +notes = [ + "ID.me uses this information to become a trusted middleman to verify your affiliation. + For instance: you allow ID.me to verify your Veteran status, then ask ID.me to give a + \"digital thumbs up\" to a third party so you can get the Veteran discount." +] + +[rubric.noncritical-purposes] +value = "opt-out-all" +citations = [ + "We may use your information to send promotional messages and newsletters via email + or otherwise alert you to products or Services we think might be of interest to you + including for ID.me Shop. You may unsubscribe from receiving marketing communications + from us at any time by logging in to your account and navigating to \"My Preferences\" + to manage your subscriptions." 
+] +notes = [ + "If ID.me is strictly used as identity verification for (state/federal) government services + then this is on an \"opt-in basis\" so no marketing occurs (see also \"behavioral marketing\")." +] + +[rubric.law-enforcement] +value = "reasonable" +citations = [ + "We may share information as required with the United States federal government and certain + state governments. ID.me does not provide any government with direct and unfettered access to + our user's data, and we do not provide any government with our encryption keys or the ability + to break our encryption. We may share certain Personal Information associated with an ID.me + account with government entities where we reasonably believe that account may be engaging in + fraud.", + "If a government entity requires additional information related to an ID.me account, whether + related to a suspected instance of fraud or otherwise, it must follow applicable legal + processes. It must serve us with a subpoena, warrant, or present other legally compelling + justification for the additional information associated with the account, the request must be + targeted and specific in nature.", + "Our legal and compliance teams review all requests to ensure they are valid, reject those + that are not valid, and only provide the data specified in the subpoena or similar court order." +] + +[rubric.list-collected] +value = "exhaustively" +citations = [ + "Verification information. When you verify yourself, either individually or as part of a + community, with ID.me you provide us with Personal Information that may include your name, date + of birth, social security number and/or other government issued identification numbers, copies + of your government issued identification card (e.g., license or passport), email address, phone + number, mailing address, and certain photographic images, and biometric data. 
You may also be + asked to provide community affiliations (e.g., Military, First Responder, Student, Veteran, + etc.), memberships, educational degrees, and professional certifications." +] + +[rubric.revision-notify] +value = "yes" +citations = [ + "This Privacy Policy may be periodically updated. This Privacy Policy may be updated + periodically to reflect new ID.me features or changes in our Personal Information practices. + We will post a notice for consumers at the top of this Privacy Policy of any significant + changes. We will indicate at the top of the Privacy Policy when the policy was most recently + updated." +] From 36406177a84eadee16eb176b17f26cb1190a5f23 Mon Sep 17 00:00:00 2001 From: Ollie Pile <111679371+opile8@users.noreply.github.com> Date: Tue, 20 Aug 2024 02:36:39 -0400 Subject: [PATCH 05/12] Update id-me.toml Add biometric policy citations and update sources. --- products/id-me.toml | 78 +++++++++++++++++++++++++++++++++++++++------ 1 file changed, 69 insertions(+), 9 deletions(-) diff --git a/products/id-me.toml b/products/id-me.toml index 381ae299..14a04c42 100644 --- a/products/id-me.toml +++ b/products/id-me.toml @@ -2,7 +2,7 @@ name = "ID.me" description = "Consumers can verify their identity with ID.me once and seamlessly log in across websites without having to create a new login or verify their identity again." slug = "id-me" hostnames = ["id.me"] -sources = ["https://www.id.me/privacy", "https://www.id.me/security", "https://www.id.me/terms", "https://id.me/biometric", "https://id.me/washington-privacy", "https://account.id.me/privacy"] +sources = ["https://www.id.me/privacy", "https://id.me/biometric", "https://www.id.me/security", "https://id.me/washington-privacy"] contributors = ["opile8"] [rubric.behavioral-marketing] 
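Review bot: In `[rubric.security]`, `value = "yes-independent-audits"` is not established by the citations quoted beneath it. The Security Page text says the service "has been designed to comply with" SOC 2, ISO 27001 and FedRAMP and that customers such as USAA and the IRS completed their own due diligence, which describes design intent and customer review rather than a completed audit by an independent assessor. Either add a citation that names an auditor's report or an authorization listing, or pick the value the quoted text does support and record the gap in `notes`, for example `"Citations describe design intent and customer due diligence; no independent audit report is linked."`. Separately, the last sentence of the `[rubric.third-party-collection]` note is garbled (`but ID.me no no longer seems policy no longer mentions these by name.`) and probably should read `but ID.me's policy no longer mentions these by name.`.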
@@ -101,24 +101,32 @@ notes = [ ] [rubric.history] -value = "yes" +value = "last-modified" citations = [ + "[Privacy Policy Page]", "This Privacy Policy may be periodically updated. This Privacy Policy may be updated periodically to reflect new ID.me features or changes in our Personal Information practices. We will post a notice for consumers at the top of this Privacy Policy of any significant changes. We will indicate at the top of the Privacy Policy when the policy was most recently - updated." + updated.", + "[Biometric Policy Page]", + "This Biometric Information Privacy Policy may be periodically updated. From time-to-time we + may update this policy to reflect new features or changes in our Personal Information practices + or our Services. We will post a notice for users at the top of this Privacy Policy addressing + any significant changes." ] notes = [ "ID.me does not make previous policies available nor do they indicate (either on the website or via customer email) the substance of any major changes. Wayback Machine (web.archive.org) - confirmed ID.me does post a top banner with a link to the privacy policy. Since at - least 2014, policies have included a version number and date when last updated." + confirmed ID.me does post a top banner with a link to the privacy policy when it changes. + Both the privacy policy and biometric policy pages include a version number and date when + last updated." ] [rubric.data-deletion] value = "yes-automated" citations = [ + "[Privacy Policy Page]", "Personal Information will be retained until we have fulfilled our legal, contractual and policy obligations. ID.me stores your Personal Information for as long as needed, or permitted, based on the reason why we obtained it (consistent with applicable law and 
@@ -132,12 +140,34 @@ citations = [ supporting government agencies. Personal Information provided by users in connection with a public sector agency as part of their verification may be retained for up to three (3) years after account closure, unless applicable regulations require a shorter retention period." + "[Biometric Policy Page]", + "8. Can I Request that ID.me Delete My Biometric Information?", + "Yes, you may direct ID.me to delete your Biometric Information. After successfully verifying + your identity, you may request that ID.me delete your Biometric Information. You may request + the deletion of both the selfie image and Biometric Information submitted during your + verification by submitting a request through the ID.me \"Privacy Rights Center\" which is a + ccessible via a link at the bottom of our Website, or under the \"Privacy\" setting in your + account. Deletion of the selfie image and associated Biometric Information may take up to + seven (7) days and will not impact the validity of your credential or verified status. ID.me + reserves the right to retain this information as needed to comply with our legal obligations, + including warrants, subpoenas or other court orders, or to help prevent fraud.", + "Pursuant to the California Consumer Privacy Act of 2018 (CCPA), residents of California are + entitled to additional rights and disclosures regarding their Personal information, including + Biometric Information. Please see our Notice to California Residents for additional details + regarding these disclosures and how to exercise your rights." +] +notes = [ + "Some information you provide to ID.me may be retained for up to 36 months for legal + compliance purposes following a deletion request. Biometric information will automatically + \"age off\" after 36 months, if not sooner." ] [rubric.data-breaches] value = "no" notes = [ - "Policy makes no mention of data breach procedures or notification to potential victims." 
+ "Policy makes no mention of data breach procedures or notification to potential victims.", + "It does, however, admit \"[...] that no data transmission or storage can be guaranteed + to be 100% secure.\"" ] [rubric.third-party-access] @@ -165,13 +195,21 @@ citations = [ [rubric.data-collection-reasoning] value = "yes" citations = [ + "[Privacy Policy Page]", "Verification information. When you verify yourself, either individually or as part of a community, with ID.me you provide us with Personal Information that may include your name, date of birth, social security number and/or other government issued identification numbers, copies of your government issued identification card (e.g., license or passport), email address, phone number, mailing address, and certain photographic images, and biometric data. You may also be asked to provide community affiliations (e.g., Military, First Responder, - Student, Veteran, etc.), memberships, educational degrees, and professional certifications." + Student, Veteran, etc.), memberships, educational degrees, and professional certifications.", + "[Biometric Policy Page]", + "We use your Biometric Information only as follows:", + "- To verify your identity when you are opening an account or using our Services;", + "- To authenticate use of your account and the Services for a transaction;", + "- To prevent fraudulent uses of ID.me’s Services or the creation of multiple accounts; and", + "- To comply with legal obligations or comply with a request from law enforcement or + government entities where not prohibited by law." ] notes = [ "ID.me uses this information to become a trusted middleman to verify your affiliation. 
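Review bot: The new `[rubric.data-deletion]` note says biometric information "will automatically \"age off\" after 36 months, if not sooner", but none of the citations added in this hunk states that. The biometric citation describes deletion on request through the Privacy Rights Center, taking up to seven days, with a carve-out to retain data for legal obligations or fraud prevention. Quote the passage that backs the age-off claim, or reword the note to what is cited, e.g. `"Biometric deletion is on request (up to 7 days); ID.me reserves the right to retain it for legal obligations or fraud prevention."`. The same citation also splits a word across two lines (`which is a` / `ccessible via a link`), so the quote is no longer verbatim and should read `which is accessible via a link`. The table header, `value` and the opening of `citations` sit outside this hunk.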
@@ -196,6 +234,7 @@ notes = [ [rubric.law-enforcement] value = "reasonable" citations = [ + "[Privacy Policy Page]", "We may share information as required with the United States federal government and certain state governments. ID.me does not provide any government with direct and unfettered access to our user's data, and we do not provide any government with our encryption keys or the ability 
@@ -208,19 +247,40 @@ citations = [ justification for the additional information associated with the account, the request must be targeted and specific in nature.", "Our legal and compliance teams review all requests to ensure they are valid, reject those - that are not valid, and only provide the data specified in the subpoena or similar court order." + that are not valid, and only provide the data specified in the subpoena or similar court order.", + "[Biometric Policy Page]", + "ID.me will only share your Biometric Information with our partners in the following circumstances:", + "As required with other third parties where permitted by law to enforce our Terms of Service, to comply with legal obligations, or to cooperate with law enforcement agencies concerning conduct or activity that we reasonably believe may violate federal, state, or local law when required by a subpoena, warrant, or other court ordered legal action, and to prevent harm, loss or injury to others.", + "To third party service providers that perform functions on our behalf. These service providers are limited to using the Biometric Information to assist in our provision of Services, and must maintain any Biometric Information we share in a secure fashion." ] [rubric.list-collected] value = "exhaustively" citations = [ + "[Privacy Policy Page]", "Verification information. When you verify yourself, either individually or as part of a community, with ID.me you provide us with Personal Information that may include your name, date of birth, social security number and/or other government issued identification numbers, copies of your government issued identification card (e.g., license or passport), email address, phone number, mailing address, and certain photographic images, and biometric data. You may also be asked to provide community affiliations (e.g., Military, First Responder, Student, Veteran, - etc.), memberships, educational degrees, and professional certifications." 
+ etc.), memberships, educational degrees, and professional certifications.", + "[Biometric Policy Page]", + "The information we collect will vary depending on the specific type of Services you request. + Many ID.me Services do not require Biometric Information, however certain Services – those + requiring a NIST 800-63A IAL2 credential, such as the Internal Revenue Service (IRS), Office + of Veterans Affairs (VA), or certain state unemployment or labor departments - may require a + higher level of assurance for your identity verification. When you sign up for an applicable + ID.me Service we may collect the following Biometric Information:", + " - Facial Biometrics: Our Service may require you to upload an image of your government + issued or other identification document(s) as well as your photographic image or \"selfie\" + photograph using your mobile or other device. We use these images to create a facial geometry + or faceprint which we use for purposes of identity verification and to prevent the creation + of multiple accounts in a fraudulent manner.", + " - Fingerprint Information: Our Service may require the submission of fingerprints, + including fingerprint or hand scanning. Our Service may require the submission of + fingerprints, including fingerprint or hand scanning, which we use for purposes of identity + verification and to prevent the creation of multiple accounts in a fraudulent manner." ] [rubric.revision-notify] From 985df62958c29fbf69c355c3924da951d91a331e Mon Sep 17 00:00:00 2001 From: Ollie Pile <111679371+opile8@users.noreply.github.com> Date: Tue, 20 Aug 2024 02:38:32 -0400 Subject: [PATCH 06/12] Update id-me.toml correct typo --- products/id-me.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/products/id-me.toml b/products/id-me.toml index 14a04c42..f0a1585e 100644 --- a/products/id-me.toml +++ b/products/id-me.toml 
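Review bot: `[rubric.law-enforcement]` gains biometric citations here but still has no `notes`, and the new text reads as broader than the subpoena-or-warrant process quoted from the privacy policy. It allows sharing Biometric Information "to enforce our Terms of Service" and "to prevent harm, loss or injury to others", which appear not to depend on legal process. If `value = "reasonable"` (set outside this hunk) is kept, a note should record that, for example `notes = ["Biometric policy also permits sharing to enforce the Terms of Service and to prevent harm, not only under subpoena or warrant."]`. In the `[rubric.list-collected]` addition, the "Fingerprint Information" citation repeats the sentence "Our Service may require the submission of fingerprints, including fingerprint or hand scanning." twice; check it against the source page so the quote stays verbatim. Both `citations` arrays start outside the hunk.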
@@ -139,7 +139,7 @@ citations = [ "ID.me aligns to the National Archives recommended guidelines for data retention when supporting government agencies. Personal Information provided by users in connection with a public sector agency as part of their verification may be retained for up to three (3) years - after account closure, unless applicable regulations require a shorter retention period." + after account closure, unless applicable regulations require a shorter retention period.", "[Biometric Policy Page]", "8. Can I Request that ID.me Delete My Biometric Information?", "Yes, you may direct ID.me to delete your Biometric Information. After successfully verifying From 991781a4dcb3079f7548aefc30f6fa730cba4f1a Mon Sep 17 00:00:00 2001 From: Ollie Pile <111679371+opile8@users.noreply.github.com> Date: Tue, 20 Aug 2024 02:54:47 -0400 Subject: [PATCH 07/12] Update id-me.toml cleanup, validate TOML format --- products/id-me.toml | 231 +++++++++----------------------------------- 1 file changed, 43 insertions(+), 188 deletions(-) diff --git a/products/id-me.toml b/products/id-me.toml index f0a1585e..df51c142 100644 --- a/products/id-me.toml +++ b/products/id-me.toml 
@@ -8,27 +8,12 @@ contributors = ["opile8"] [rubric.behavioral-marketing] value = "yes-opt-out" citations = [ - "We may use your information to send promotional messages and newsletters via email - or otherwise alert you to products or Services we think might be of interest to you - including for ID.me Shop. You may unsubscribe from receiving marketing communications - from us at any time by logging in to your account and navigating to \"My Preferences\" - to manage your subscriptions.", - "Please note, if you are using ID.me Services in connection with legal identity - verification for a state or federal government agency, or in association with Electronic - Prescriptions for Controlled Substance Services, we will not use any Personal Information - provided as part of your verification for any type of marketing or promotional purposes - related to ID.me Shop without your consent, or unless you otherwise use your ID.me - credential for verification with any ID.me customer who is not a state or federal - government agency customer, use your ID.me account in connection with ID.me Shop, ID.me - Jobs, or ID.me Rx, or otherwise opt-in to receiving marketing communications from ID.me." + "We may use your information to send promotional messages and newsletters via email or otherwise alert you to products or Services we think might be of interest to you including for ID.me Shop. 
You may unsubscribe from receiving marketing communications from us at any time by logging in to your account and navigating to \"My Preferences\" to manage your subscriptions.", + "Please note, if you are using ID.me Services in connection with legal identity verification for a state or federal government agency, or in association with Electronic Prescriptions for Controlled Substance Services, we will not use any Personal Information provided as part of your verification for any type of marketing or promotional purposes related to ID.me Shop without your consent, or unless you otherwise use your ID.me credential for verification with any ID.me customer who is not a state or federal government agency customer, use your ID.me account in connection with ID.me Shop, ID.me Jobs, or ID.me Rx, or otherwise opt-in to receiving marketing communications from ID.me." ] notes = [ - "Explanation of 2nd paragraph: Use of personal data requires consent (\"opt-in\") if ID.me - services are used EXCLUSIVELY for \"state or federal government [agencies]\" or \"in - association with Electronic Prescriptions for Controlled Substance Services\". ", - "However, verification with any one of ID.me's \"Shop\", \"Jobs\", or \"RX\" services - (tabs at the top) or any non-government agency appears to constitute *automatic* - \"opt-in\" for marketing.", + "Explanation of 2nd paragraph: Use of personal data requires consent (\"opt-in\") if ID.me services are used EXCLUSIVELY for \"state or federal government [agencies]\" or \"in association with Electronic Prescriptions for Controlled Substance Services\". ", + "However, verification with any one of ID.me's \"Shop\", \"Jobs\", or \"RX\" services (tabs at the top) or any non-government agency appears to constitute *automatic* \"opt-in\" for marketing.", "Opt-out is completed through links in marketing emails or account preferences." ] 
@@ -36,218 +21,110 @@ notes = [ value = "yes-independent-audits" citations = [ "[Privacy Page]", - "We use reasonable security measures. We are committed to protecting your information. - We have adopted technical, administrative, and physical security procedures to help - protect your information from loss, misuse, unauthorized access, and alteration. Please - note that no data transmission or storage can be guaranteed to be 100% secure.", - "To safeguard certain sensitive information (such as biometric information and - government-issued identification information), we implement security measures such as - encryption, firewalls, and intrusion detection and prevention systems.", - "In addition, the following are examples of security measures that are used to safeguard - all types of Personal Information we maintain about our consumers:", - "- Procedures for the identification and classification of Personal Information and - implementation of safeguards appropriate to the sensitivity of the information;", - "- access control procedures designed to verify a business need before access to Personal - Information is granted, and procedures for the periodic review of access permissions;", - "- procedures for termination of access to Personal Information designed to curtail access - to the information by terminated personnel or when there is no longer a business need - for access;", - "- personnel security controls designed to reduce the risk of human error, theft, fraud or - misuse of facilities; and", - "- physical and environmental security procedures designed to prevent unauthorized access, - damage or interference to business premises and information.", + "We use reasonable security measures. We are committed to protecting your information. We have adopted technical, administrative, and physical security procedures to help protect your information from loss, misuse, unauthorized access, and alteration. 
Please note that no data transmission or storage can be guaranteed to be 100% secure.", + "To safeguard certain sensitive information (such as biometric information and government-issued identification information), we implement security measures such as encryption, firewalls, and intrusion detection and prevention systems.", + "In addition, the following are examples of security measures that are used to safeguard all types of Personal Information we maintain about our consumers:", + "- Procedures for the identification and classification of Personal Information and implementation of safeguards appropriate to the sensitivity of the information;", + "- access control procedures designed to verify a business need before access to Personal Information is granted, and procedures for the periodic review of access permissions;", + "- procedures for termination of access to Personal Information designed to curtail access to the information by terminated personnel or when there is no longer a business need for access;", + "- personnel security controls designed to reduce the risk of human error, theft, fraud or misuse of facilities; and", + "- physical and environmental security procedures designed to prevent unauthorized access, damage or interference to business premises and information.", "", "[Security Page]", - "ID.me has been designed to comply with rigorous information security regulations including - AICPA SOC 2, ISO 27001, FedRAMP, and multiple NIST 800 guidelines. Multiple ID.me clients - have completed extensive technical due diligence with regard to the processing environment. - The customers that have completed this due diligence are: USAA, Veterans Affairs, IRS, SSA, - and Allscripts. ID.me implements role based access management, separation of duties, and - multifactor authentication. Data at rest and in transit is encrypted using approved - FIPS 140-2 algorithms. 
Personally Identifiable Information (PII) is encrypted using a - rolling key and the AES-256-CBC algorithms." + "ID.me has been designed to comply with rigorous information security regulations including AICPA SOC 2, ISO 27001, FedRAMP, and multiple NIST 800 guidelines. Multiple ID.me clients have completed extensive technical due diligence with regard to the processing environment. The customers that have completed this due diligence are: USAA, Veterans Affairs, IRS, SSA, and Allscripts. ID.me implements role based access management, separation of duties, and multifactor authentication. Data at rest and in transit is encrypted using approved FIPS 140-2 algorithms. Personally Identifiable Information (PII) is encrypted using a rolling key and the AES-256-CBC algorithms." ] notes = [ - "See ID.me's [Security](https://www.id.me/security) page for a thorough explanation of - their data, network, and data center security standards." + "See ID.me's [Security](https://www.id.me/security) page for a thorough explanation of their data, network, and data center security standards." ] [rubric.third-party-collection] value = "critical-only" citations = [ - "Information from our partners. We acquire information from other trusted sources. These - business partners might include companies, such as your mobile phone carriers, certain - government agencies, licensing bodies, etc. We may also collect information about you - from other sources, including service providers, data licensors and aggregators, marketing - companies, programming distributors, and public databases.", + "Information from our partners. We acquire information from other trusted sources. These business partners might include companies, such as your mobile phone carriers, certain government agencies, licensing bodies, etc. 
We may also collect information about you from other sources, including service providers, data licensors and aggregators, marketing companies, programming distributors, and public databases.", "Information you provide through social media", - "If you connect to us through a social media platform or navigate to a social media platform - from one of our sites, the social media platform will collect your information separately - from us. You should review the social media platforms' privacy policies to understand how - they are using your information and your rights in relation to such information.", + "If you connect to us through a social media platform or navigate to a social media platform from one of our sites, the social media platform will collect your information separately from us. You should review the social media platforms' privacy policies to understand how they are using your information and your rights in relation to such information.", "Information We Derive", - "We may derive additional information or draw inferences about you based on the information - we have collected from you directly, passively, or through third parties." + "We may derive additional information or draw inferences about you based on the information we have collected from you directly, passively, or through third parties." ] notes = [ - "ID.me previously (until 3/14/2022) allowed login to Facebook using ID.me as the sign-on - service (via Facebook Connect). The privacy policy at that time included language about - ID.me's collection and storage of data about those contacts (depending on the users' privacy - settings). ID.me still allows a customer to [use social media accounts to sign into - ID.me](https://help.id.me/hc/en-us/articles/360057107014-Connecting-social-or-third-party-accounts-to-your-ID-me-account) - from accounts like Apple, Facebook, Google, or LinkedIn, but ID.me no no longer seems - policy no longer mentions these by name." 
- + "ID.me previously (until 3/14/2022) allowed login to Facebook using ID.me as the sign-on service (via Facebook Connect). The privacy policy at that time included language about ID.me's collection and storage of data about those contacts (depending on the users' privacy settings). ID.me still allows a customer to [use social media accounts to sign into ID.me](https://help.id.me/hc/en-us/articles/360057107014-Connecting-social-or-third-party-accounts-to-your-ID-me-account) from accounts like Apple, Facebook, Google, or LinkedIn, but ID.me no no longer seems policy no longer mentions these by name." ] [rubric.history] value = "last-modified" citations = [ "[Privacy Policy Page]", - "This Privacy Policy may be periodically updated. This Privacy Policy may be updated - periodically to reflect new ID.me features or changes in our Personal Information practices. - We will post a notice for consumers at the top of this Privacy Policy of any significant - changes. We will indicate at the top of the Privacy Policy when the policy was most recently - updated.", + "This Privacy Policy may be periodically updated. This Privacy Policy may be updated periodically to reflect new ID.me features or changes in our Personal Information practices. We will post a notice for consumers at the top of this Privacy Policy of any significant changes. We will indicate at the top of the Privacy Policy when the policy was most recently updated.", "[Biometric Policy Page]", - "This Biometric Information Privacy Policy may be periodically updated. From time-to-time we - may update this policy to reflect new features or changes in our Personal Information practices - or our Services. We will post a notice for users at the top of this Privacy Policy addressing - any significant changes." + "This Biometric Information Privacy Policy may be periodically updated. From time-to-time we may update this policy to reflect new features or changes in our Personal Information practices or our Services. 
We will post a notice for users at the top of this Privacy Policy addressing any significant changes." ] notes = [ - "ID.me does not make previous policies available nor do they indicate (either on the website - or via customer email) the substance of any major changes. Wayback Machine (web.archive.org) - confirmed ID.me does post a top banner with a link to the privacy policy when it changes. - Both the privacy policy and biometric policy pages include a version number and date when - last updated." + "ID.me does not make previous policies available nor do they indicate (either on the website or via customer email) the substance of any major changes. Wayback Machine (web.archive.org) confirmed ID.me does post a top banner with a link to the privacy policy when it changes. Both the privacy policy and biometric policy pages include a version number and date when last updated." ] [rubric.data-deletion] value = "yes-automated" citations = [ "[Privacy Policy Page]", - "Personal Information will be retained until we have fulfilled our legal, contractual and - policy obligations. ID.me stores your Personal Information for as long as needed, or - permitted, based on the reason why we obtained it (consistent with applicable law and - contractual obligations). This means we may retain your Personal Information even after you - close your account with us, for up to three (3) years. Users may request that ID.me delete - certain Personal Information at any time at account.ID.me or through our Privacy Rights - Center, where applicable. We acknowledge all such requests, however we reserve the right to - retain data tied to certain high-risk transactions, particularly in government and healthcare - settings, exclusively for fraud prevention and government audit purposes.", - "ID.me aligns to the National Archives recommended guidelines for data retention when - supporting government agencies. 
Personal Information provided by users in connection with a - public sector agency as part of their verification may be retained for up to three (3) years - after account closure, unless applicable regulations require a shorter retention period.", + "Personal Information will be retained until we have fulfilled our legal, contractual and policy obligations. ID.me stores your Personal Information for as long as needed, or permitted, based on the reason why we obtained it (consistent with applicable law and contractual obligations). This means we may retain your Personal Information even after you close your account with us, for up to three (3) years. Users may request that ID.me delete certain Personal Information at any time at account.ID.me or through our Privacy Rights Center, where applicable. We acknowledge all such requests, however we reserve the right to retain data tied to certain high-risk transactions, particularly in government and healthcare settings, exclusively for fraud prevention and government audit purposes.", + "ID.me aligns to the National Archives recommended guidelines for data retention when supporting government agencies. Personal Information provided by users in connection with a public sector agency as part of their verification may be retained for up to three (3) years after account closure, unless applicable regulations require a shorter retention period.", "[Biometric Policy Page]", "8. Can I Request that ID.me Delete My Biometric Information?", - "Yes, you may direct ID.me to delete your Biometric Information. After successfully verifying - your identity, you may request that ID.me delete your Biometric Information. You may request - the deletion of both the selfie image and Biometric Information submitted during your - verification by submitting a request through the ID.me \"Privacy Rights Center\" which is a - ccessible via a link at the bottom of our Website, or under the \"Privacy\" setting in your - account. 
Deletion of the selfie image and associated Biometric Information may take up to - seven (7) days and will not impact the validity of your credential or verified status. ID.me - reserves the right to retain this information as needed to comply with our legal obligations, - including warrants, subpoenas or other court orders, or to help prevent fraud.", - "Pursuant to the California Consumer Privacy Act of 2018 (CCPA), residents of California are - entitled to additional rights and disclosures regarding their Personal information, including - Biometric Information. Please see our Notice to California Residents for additional details - regarding these disclosures and how to exercise your rights." + "Yes, you may direct ID.me to delete your Biometric Information. After successfully verifying your identity, you may request that ID.me delete your Biometric Information. You may request the deletion of both the selfie image and Biometric Information submitted during your verification by submitting a request through the ID.me \"Privacy Rights Center\" which is accessible via a link at the bottom of our Website, or under the \"Privacy\" setting in your account. Deletion of the selfie image and associated Biometric Information may take up to seven (7) days and will not impact the validity of your credential or verified status. ID.me reserves the right to retain this information as needed to comply with our legal obligations, including warrants, subpoenas or other court orders, or to help prevent fraud.", + "Pursuant to the California Consumer Privacy Act of 2018 (CCPA), residents of California are entitled to additional rights and disclosures regarding their Personal information, including Biometric Information. Please see our Notice to California Residents for additional details regarding these disclosures and how to exercise your rights." 
] notes = [ - "Some information you provide to ID.me may be retained for up to 36 months for legal - compliance purposes following a deletion request. Biometric information will automatically - \"age off\" after 36 months, if not sooner." + "Some information you provide to ID.me may be retained for up to 36 months for legal compliance purposes following a deletion request. Biometric information will automatically \"age off\" after 36 months, if not sooner." ] [rubric.data-breaches] value = "no" notes = [ "Policy makes no mention of data breach procedures or notification to potential victims.", - "It does, however, admit \"[...] that no data transmission or storage can be guaranteed - to be 100% secure.\"" + "It does, however, admit \"[...] that no data transmission or storage can be guaranteed to be 100% secure.\"" ] [rubric.third-party-access] value = "yes-specified-critical" citations = [ - "We may share your Personal Information with entities necessary to validate your ID.me - Account and provide our Services to you. In order to verify your identity and eligibility - to receive discounts and other benefits from our partners and other service providers, we - may provide your Personal Information to third parties such as government agencies, - telecommunications networks, financial institutions or other trusted and reliable sources of - information. Our provision of your Personal Information to the foregoing parties is solely - to verify your identity and eligibility for ID.me Services. We have established relationships - with Registration Authorities similar to the entities described above whereby the Personal - Information you provide to us will be transmitted to them using industry standard encryption - tools, designed to protect such information from unauthorized access.", + "We may share your Personal Information with entities necessary to validate your ID.me Account and provide our Services to you. 
In order to verify your identity and eligibility to receive discounts and other benefits from our partners and other service providers, we may provide your Personal Information to third parties such as government agencies, telecommunications networks, financial institutions or other trusted and reliable sources of information. Our provision of your Personal Information to the foregoing parties is solely to verify your identity and eligibility for ID.me Services. We have established relationships with Registration Authorities similar to the entities described above whereby the Personal Information you provide to us will be transmitted to them using industry standard encryption tools, designed to protect such information from unauthorized access.", "[...]", - "We may share information with third parties who perform services on our behalf. We may share - your information with unaffiliated companies or individuals we hire or work with that provide - us with professional advice, business support, or perform services on our behalf, including - customer support, web hosting, information technology, payment processing, direct mail and - email distribution, and administration, and analytics services. These Service Providers are - allowed to use your information to help us provide our Services and not for any other purpose." + "We may share information with third parties who perform services on our behalf. We may share your information with unaffiliated companies or individuals we hire or work with that provide us with professional advice, business support, or perform services on our behalf, including customer support, web hosting, information technology, payment processing, direct mail and email distribution, and administration, and analytics services. These Service Providers are allowed to use your information to help us provide our Services and not for any other purpose." 
] [rubric.data-collection-reasoning] value = "yes" citations = [ "[Privacy Policy Page]", - "Verification information. When you verify yourself, either individually or as part of a - community, with ID.me you provide us with Personal Information that may include your name, - date of birth, social security number and/or other government issued identification numbers, - copies of your government issued identification card (e.g., license or passport), email - address, phone number, mailing address, and certain photographic images, and biometric data. - You may also be asked to provide community affiliations (e.g., Military, First Responder, - Student, Veteran, etc.), memberships, educational degrees, and professional certifications.", + "Verification information. When you verify yourself, either individually or as part of a community, with ID.me you provide us with Personal Information that may include your name, date of birth, social security number and/or other government issued identification numbers, copies of your government issued identification card (e.g., license or passport), email address, phone number, mailing address, and certain photographic images, and biometric data. You may also be asked to provide community affiliations (e.g., Military, First Responder, Student, Veteran, etc.), memberships, educational degrees, and professional certifications.", "[Biometric Policy Page]", "We use your Biometric Information only as follows:", "- To verify your identity when you are opening an account or using our Services;", "- To authenticate use of your account and the Services for a transaction;", "- To prevent fraudulent uses of ID.me’s Services or the creation of multiple accounts; and", - "- To comply with legal obligations or comply with a request from law enforcement or - government entities where not prohibited by law." + "- To comply with legal obligations or comply with a request from law enforcement or government entities where not prohibited by law." 
] notes = [ - "ID.me uses this information to become a trusted middleman to verify your affiliation. - For instance: you allow ID.me to verify your Veteran status, then ask ID.me to give a - \"digital thumbs up\" to a third party so you can get the Veteran discount." + "ID.me uses this information to become a trusted middleman to verify your affiliation.", + "For instance: you allow ID.me to verify your Veteran status, then ask ID.me to give a \"digital thumbs up\" to a third party so you can get the Veteran discount." ] [rubric.noncritical-purposes] value = "opt-out-all" citations = [ - "We may use your information to send promotional messages and newsletters via email - or otherwise alert you to products or Services we think might be of interest to you - including for ID.me Shop. You may unsubscribe from receiving marketing communications - from us at any time by logging in to your account and navigating to \"My Preferences\" - to manage your subscriptions." + "We may use your information to send promotional messages and newsletters via email or otherwise alert you to products or Services we think might be of interest to you including for ID.me Shop. You may unsubscribe from receiving marketing communications from us at any time by logging in to your account and navigating to \"My Preferences\" to manage your subscriptions." ] notes = [ - "If ID.me is strictly used as identity verification for (state/federal) government services - then this is on an \"opt-in basis\" so no marketing occurs (see also \"behavioral marketing\")." + "If ID.me is strictly used as identity verification for (state/federal) government services then this is on an \"opt-in basis\" so no marketing occurs (see also \"behavioral marketing\")." ] [rubric.law-enforcement] value = "reasonable" citations = [ "[Privacy Policy Page]", - "We may share information as required with the United States federal government and certain - state governments. 
ID.me does not provide any government with direct and unfettered access to - our user's data, and we do not provide any government with our encryption keys or the ability - to break our encryption. We may share certain Personal Information associated with an ID.me - account with government entities where we reasonably believe that account may be engaging in - fraud.", - "If a government entity requires additional information related to an ID.me account, whether - related to a suspected instance of fraud or otherwise, it must follow applicable legal - processes. It must serve us with a subpoena, warrant, or present other legally compelling - justification for the additional information associated with the account, the request must be - targeted and specific in nature.", - "Our legal and compliance teams review all requests to ensure they are valid, reject those - that are not valid, and only provide the data specified in the subpoena or similar court order.", + "We may share information as required with the United States federal government and certain state governments. ID.me does not provide any government with direct and unfettered access to our user's data, and we do not provide any government with our encryption keys or the ability to break our encryption. We may share certain Personal Information associated with an ID.me account with government entities where we reasonably believe that account may be engaging in fraud.", + "If a government entity requires additional information related to an ID.me account, whether related to a suspected instance of fraud or otherwise, it must follow applicable legal processes. 
It must serve us with a subpoena, warrant, or present other legally compelling justification for the additional information associated with the account, the request must be targeted and specific in nature.", + "Our legal and compliance teams review all requests to ensure they are valid, reject those that are not valid, and only provide the data specified in the subpoena or similar court order.", "[Biometric Policy Page]", "ID.me will only share your Biometric Information with our partners in the following circumstances:", "As required with other third parties where permitted by law to enforce our Terms of Service, to comply with legal obligations, or to cooperate with law enforcement agencies concerning conduct or activity that we reasonably believe may violate federal, state, or local law when required by a subpoena, warrant, or other court ordered legal action, and to prevent harm, loss or injury to others.", 
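Review bot: The `value = "yes-independent-audits"` at the top of this hunk is not backed by the citations listed under it. The quoted Security Page text says ID.me "has been designed to comply with" SOC 2, ISO 27001, FedRAMP and NIST 800 guidelines and that named customers completed their own due diligence, which is a design claim plus customer review, not a third-party audit or attestation. Either add a citation that names an audit report or authorization, or lower the value to the rubric's option for unaudited claims and record the basis in a note such as `"Policy claims alignment with SOC 2 / ISO 27001 / FedRAMP but cites no audit report."`. Separately, the third-party-collection note still ends with the garbled `but ID.me no no longer seems policy no longer mentions these by name`; something like `but ID.me's policy no longer mentions these by name` reads as intended. The table header that the first value belongs to sits above the hunk, so the rubric key is inferred from the citations.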
@@ -258,37 +135,15 @@ citations = [ value = "exhaustively" citations = [ "[Privacy Policy Page]", - "Verification information. When you verify yourself, either individually or as part of a - community, with ID.me you provide us with Personal Information that may include your name, date - of birth, social security number and/or other government issued identification numbers, copies - of your government issued identification card (e.g., license or passport), email address, phone - number, mailing address, and certain photographic images, and biometric data. You may also be - asked to provide community affiliations (e.g., Military, First Responder, Student, Veteran, - etc.), memberships, educational degrees, and professional certifications.", + "Verification information. When you verify yourself, either individually or as part of a community, with ID.me you provide us with Personal Information that may include your name, date of birth, social security number and/or other government issued identification numbers, copies of your government issued identification card (e.g., license or passport), email address, phone number, mailing address, and certain photographic images, and biometric data. You may also be asked to provide community affiliations (e.g., Military, First Responder, Student, Veteran, etc.), memberships, educational degrees, and professional certifications.", "[Biometric Policy Page]", - "The information we collect will vary depending on the specific type of Services you request. - Many ID.me Services do not require Biometric Information, however certain Services – those - requiring a NIST 800-63A IAL2 credential, such as the Internal Revenue Service (IRS), Office - of Veterans Affairs (VA), or certain state unemployment or labor departments - may require a - higher level of assurance for your identity verification. 
When you sign up for an applicable - ID.me Service we may collect the following Biometric Information:", - " - Facial Biometrics: Our Service may require you to upload an image of your government - issued or other identification document(s) as well as your photographic image or \"selfie\" - photograph using your mobile or other device. We use these images to create a facial geometry - or faceprint which we use for purposes of identity verification and to prevent the creation - of multiple accounts in a fraudulent manner.", - " - Fingerprint Information: Our Service may require the submission of fingerprints, - including fingerprint or hand scanning. Our Service may require the submission of - fingerprints, including fingerprint or hand scanning, which we use for purposes of identity - verification and to prevent the creation of multiple accounts in a fraudulent manner." + "The information we collect will vary depending on the specific type of Services you request. Many ID.me Services do not require Biometric Information, however certain Services – those requiring a NIST 800-63A IAL2 credential, such as the Internal Revenue Service (IRS), Office of Veterans Affairs (VA), or certain state unemployment or labor departments - may require a higher level of assurance for your identity verification. When you sign up for an applicable ID.me Service we may collect the following Biometric Information:", + " - Facial Biometrics: Our Service may require you to upload an image of your government issued or other identification document(s) as well as your photographic image or \"selfie\" photograph using your mobile or other device. We use these images to create a facial geometry or faceprint which we use for purposes of identity verification and to prevent the creation of multiple accounts in a fraudulent manner.", + " - Fingerprint Information: Our Service may require the submission of fingerprints, including fingerprint or hand scanning. 
Our Service may require the submission of fingerprints, including fingerprint or hand scanning, which we use for purposes of identity verification and to prevent the creation of multiple accounts in a fraudulent manner." ] [rubric.revision-notify] value = "yes" citations = [ - "This Privacy Policy may be periodically updated. This Privacy Policy may be updated - periodically to reflect new ID.me features or changes in our Personal Information practices. - We will post a notice for consumers at the top of this Privacy Policy of any significant - changes. We will indicate at the top of the Privacy Policy when the policy was most recently - updated." + "This Privacy Policy may be periodically updated. This Privacy Policy may be updated periodically to reflect new ID.me features or changes in our Personal Information practices. We will post a notice for consumers at the top of this Privacy Policy of any significant changes. We will indicate at the top of the Privacy Policy when the policy was most recently updated." ] From e60ed5ee82c5642bc5bf7a4951524757427599d2 Mon Sep 17 00:00:00 2001 From: Ollie Pile <111679371+opile8@users.noreply.github.com> Date: Sat, 7 Sep 2024 11:24:11 -0400 Subject: [PATCH 08/12] remove id-me.svg image failed verification will upload png that is mostly square --- icons/id-me.svg | 31 ------------------------------- 1 file changed, 31 deletions(-) delete mode 100644 icons/id-me.svg diff --git a/icons/id-me.svg b/icons/id-me.svg deleted file mode 100644 index ab2ee8b8..00000000 --- a/icons/id-me.svg +++ /dev/null @@ -1,31 +0,0 @@ - - - - - - - - - From ef32a92b6a30dd721ebdb69e4856d59f6018d167 Mon Sep 17 00:00:00 2001 From: Ollie Pile <111679371+opile8@users.noreply.github.com> Date: Sat, 7 Sep 2024 12:02:40 -0400 Subject: [PATCH 09/12] fix id-me.svg to id-me.png image validation failed, should be more squared --- icons/id-me.png | Bin 0 -> 4950 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 icons/id-me.png 
diff --git a/icons/id-me.png b/icons/id-me.png new file mode 100644 index 0000000000000000000000000000000000000000..fe40a8345cdbf354d412f6723097f6fafd1c4503 GIT binary patch literal 4950 zcmcgw^;^^L_kPjg29s7|3J53&qof;T6OfP&0YOFz6ObCANJvVFlpr+_>F%K@(w!sb zc*AH0QWEmz^G|%A>zs36*Li-t&pG$G&O3w0+F<&d^Z)>W5pYeTE5!WIX{oQG51Z~5 z0FXtvXlNK9G&F8`z4UZ)aeoc~LP^0%O7QQhTt95BitbG^yn>*98RUpW$3&-?ex_wr zFCY05-dkilQg|DILa|t1V+av3<+jfD_4Q(<>|%rnK5NC%^j!G+?V^qu zNYnkg(h5HTliE0AUQx%IGIbK`0xfTx@&J5bf~YA@H@xS|2({gPrr3WrpIczon*k!x zb=T_3h!DVpQav4Fn?9Gl7UH(DAdmFgo9;yGbeoW6YpIX9V4wxWj#@*{U%dwf}!?8m~s*CoK*;uc{h_L?R!Hly65K6qhFGq@oJr+ z7%%gd*?aG#lu?6NuR2|O5S$RV- zjH;O}j}`%%C@lPS&9u_u!sH^Z6PbB&0r(ocEXgbOxFQ6gex{?Xd4*T+uSRR=70`LX zExfNNoc^DasS9QKUnOaL5PDiPYjiY>EL`cwMR@>l-3XznX6!$=ofGQAV)CJBxqjE@25p#&t9DW z6jVXM+lLPUq;YHM%2OKC-d^Yp3s>Mx*h~!jC8pO>wz!~@+;qEe(?o_F+kfegHZlI*l*4V0BhT@=KgVm+Nt0zb{XiSnOQ?PFpqR$ks$Yj>O-`S zgKv~o@oVg0#|d5TLT{WLr988$DRuuj6%f^x%e=-1Q3l3?A_@1)IbHq8?E=1j*UbL6 zPf~|G1>SG(Ww*O?q}NYY&L@k!?o>Pn(S}~$pC2aPih&tuJf7~a23KySXrmQlC7YZD zu}_Q?cMr`AkCI;p4gPK38=WEpRvXctC}6VtAj{cd&@^D82TF}aVo-~6y$mz67DzCe zeSS}BQ{=m>i!M@`RxP`3T2Ju&JLZQQ7}S_I*Z2_Un`60jJxNP*o`2~ELXN!-Dk0r+ zM!$H!wFgZiICa$1QvMr_m5t(MmyLPA8u2Y+|3oWWBWc{+-ezy>2Nf^bb)tb|n?#OT ztW$(O>y2pHs9RD=_l;vy_z7HJD3AANa^ccfNdaBPY<5eS*1c!W;*OD$5K-;N{6$ln$UgT%%n#YCMwEN4Y)-rFllzOgZDSGidlfc1*|Ll(GezVQZ(EQPCg zXP_*zOdEv1i_nnL5A^g;?eY0v6q6#NC70`_%|gGa-cgMjuUA^8v)X!moroV{D_t1E zUaSZ0lrULD%hJRTjoK=WE=v_@1h}}EB)~Pg<%HTAUwN>r>SF=|kL-oTbqa42xY{^t z2bRbT*5kJ#qn~ukMK7M6ZX~Kk7ZK|V%>Vaq{c%b6Pd9H;WVE+eJ>nsM&L3J?E7N?92%j9j2tMvH?utHtO^W?iLu%s- zoZ0_^`e*0QT3ek-`&`t5_+~FpW#)8EmF8MM`+ZdE=)>+t@?Ux(<333RYum|qg13>Y z50#09R#%_G&yovh*d8cM=RG=|{hI3gt}^=YG&jt^#~{KlpXipXm49{JE?zsgSXQgf zq){HbyZ`X&ofJWmVN`chPZQqMc%f`ZPlUg93KDwAc(%n;o^X@ApK50j@Pze;9qnmq ziDaeH&g3?kDLL&SMr)B<*Y7^&MQ40U5K>s4<6p!CSf-HWoedf+g9WlP_P1{?-~cLe znX@=FQ41E5`VfI+O%)sa8F<0^JBww)%8rFgBODxOcn0N2B2X@u9Vos^+q++a$#Yt_5z1w=7TFRp{a}_^r2IwUs;@73(rjay&_3_JV?zt(`JyR2z|# 
z<*%{l^Ve4(hg05`nNBs5OYsh=n>_xyQOoY_(FH*RvSAOYgVpfD_>Pj(gZzDx320t9 z>|JeCm;msEOxL>-@NLL~Wdv9-NxCNXqP5%{78H~&=L}guDt%ZDQ8NYckT)hEyYXKe za&#_p320|XASzz(rz9}2Zuak$1SDF^Rm?SZ;{5$M)z4}|@k92oGuC|R z*e!#lljY{+a+9z!?rjP$b(OQf7>}fuQ1{A8e0i0f7h<}*qYwBmCq`gc3~%F z)EW}jRyQ0LUoeel@Ix_q`NW=21wQ`P&0-Yl_;HGL@X+n(-~#FETTd}^S?mQ(tk-ho zQL=>1oy8ts@Oc@U@PH-&xKr$|ymQ=zFO#-cO~c0z%-n_qkv6ZcQq{ok^5POALuX)^ zK!C2h?=S+uQn_besuK`Opsmz-mzx-qEgeoddpjMA)zfNh4m^}^y)ZhhVk zN$bsobvM*$__Yg7bga%kBj%Hn38Q;~s3DBQo$;-7-^g>U_}hr zs+D=nxoh=l%lVd+3KaY9^l?h=Jex(cq>C6s_GVy5ufpm1-f)GbeP9c2o&#?0nlXg7 z|9-j<%`7MxF{XIf?&v+So)0p?-@UQcP{?>w^_zJ6S7{~3n%yKvnrnTHdYijahXrmb z`wf69%Hkx*?&+GTlg{j=@(5Wd3=I~qc| z(_)sugH|o=FeIQFO&)0$_B*&$UaWDPh+7v++?W{~t83{De;Bb6`vLG@Y|lQ|AB{9| zOFo5vH_6cIA~ABnd!Afoe{_>vjAf>WFJ*orjjTFtWRle$rj{wu6{Ie7MvspuoHOT} zwJ0PUyxiTr^SQ6OAv{3SM*+*;l)VZW*LR4oPi&SaeSZaq+C^$2&%*w8gs;x9CkN#8 z5K5Wz<+ExXHvG$OZzSh^`O-JPS8DU6c@KUTxv{W=n2~0DaH0?3E2D>iWrfVDpAlDz z&jk^XrB8V`kNl5g1`(H)A1@7_TN|qa-5xB>266r|l3i&;^;oR>UU%*u_?9N+f8nyp_8=8Hwwy^xQI#VEWkaJm ziN2lOWk~aw6n8}iPwx#n$P$}diIsR$LdN1_{!D%kkNVo? 
zdn!1X?wTwmU0L?ZrgP)HWXgPtyt+p25~ldH`XTiZFrkW43LY>Wx_Y?W{5QXGyo$eA>HWa<=&iQjCKFkJeMJ+|=M;@$vn@ zvT-J~t?TE_426x}e70E5fx91z8w>tXfcptHQ=1Jn77z)Ao#X6p58d@9CiE#~UqC4Q zy87u~sJGVkpz&EkR#(NXQbAJEOFYRG%@r9pV-V6=#rNG@ zToIe#t|!(k&Q@xX{4Vewok>DH>!-p?=wPKn#SgjdZ=|~&lok0JO$uoy%erW*8kcrH z&C88s!{)zo&kJEm94Ow}qUWpoDj1`mqPR>%WKg&`_n-U0K`&RUbRK}VTyO^SZ2YSd)PwDQ(p?CJ5MxqD+ej^^w`Ve?eehk)W;=HZT8#unt0 zVh7s(&u9;`eUxVwiV2mWTzfh(>Ax{P?JFJGLz93_av@|q&Hk%!$R@I}ZU}vHBRCOr zI3csCxgyp|;19FL+_xz8Q`7{JMUQrF_L)$Nt;eLM+(~J^Ucb}YJsvF8&91g`PXh}z=i*E-o;z6M zH~Dc5heCpT)Wp|biB@6E@|Z&akAiaT?wYN(CVIHylqj$LQ8wWC=ujHUuV6XjbL9In;rIP?sxFvKfWdTS5O29`28lwCX@zqIN9gi7O=xw&=0flKPnNK@A!K;M{hreQ z+z*NPn)qO%9f+&jg@|8Fns|Ju<|u84m>Hf-wIhhTyOsz4V-}||Ji9~8bPH)_#?EdzkhFwebv=gTVL8_|9L?~uRM_OAVyR>)E zYV50E(J_rB*`i7}d8F<59oL}29awUZ*ifG=FQJPL!xA?2i9doEOEeCib}M2v6=|6= zsQcvg){g=5BGIGduNxHSLiu@KI8*5G=Of(@{V>bC_0qam`9=r9HiF*@8)a~~GUk7F zGrmhg5>@<=%u7?jfpKs|>kYKD;`X^3bK17lY5%>lXPg_!v!(xuG18Eog9g&Ucv)p0 zkCNbqTzi!_x0*U-G&Vwoel(>HJ2rYkbBM~kfz>j9(awF2koM)zCG*R{`d$ccgtZ0t zIv9gy0|nxspw0nZPl&x(k~ai4Z19yHXyL%hA$V^}3v!KX*!B24)L~f8Y`!WztSk2Vp@7t+N?>o zC?BOV2{vj^ZVsPlfB9)vb@y?g==pC)hb3@(*Ja3c+QN=kNkZ#vVgi4nG#;g5Ew!Zh zrVN5Sd>posFWy->DUQ+O?^FgT#N`T>(>&kYn(nNhp03~E1oTFw-VZ*V&Xrh>klGlb z{*z4Mv?%5Ou~q*yW!Up-_^2-h9Wwx;E(%dwtw%t;#y1j2ck9PI`5Y;Kdj3KU#b2#A zo}MMMTg?mc8!a~mcpexQMLjD@-75< z5rwPWH#a}cm|R+8=G+D;gedy2HB-gtI3&$QEePBKL9=AY&9}?*-viD+=;)T(caAlu z`38f<$6aPYTaF`-U?J+dugwcz7=5iis&F3P@Ov`ojyve-_*FbV3w+XJdiXb$Zo2WR zW7&HQRv+N^-HsB_o3ev)2UpL2mMD@q8n)JA2kQ969j}RR7)@ zKl66~E_~L;QczcSk63j>jC^$6-C*^r!2<^2)r;cZvoxc#0M9ARQ#MqghF$;Iy9SN) z6oO=G7b@JvDj}w`!DXt`#jheu!f&S}TVqy*+PAYuGw(6g;cZZDeR;?VTc!Ru6eLDP z3Wl_N{0oplnVlQSA2e#YHe&pc$DCR#<@OIsm~@F@{vyIYSS$mqQ(54*RjtdD`W>Fq zl4tfezS9;2i65@7F@O(6sn^L#%CD_hN%GjrdM#7%ofQ55m-B)e Date: Sun, 8 Sep 2024 20:49:19 -0400 Subject: [PATCH 10/12] Update id-me.toml --- products/id-me.toml | 42 +++++++++++++++++++++++++++++++----------- 1 file changed, 31 insertions(+), 11 deletions(-) 
diff --git a/products/id-me.toml b/products/id-me.toml index df51c142..64ed6fbe 100644 --- a/products/id-me.toml +++ b/products/id-me.toml @@ -2,7 +2,7 @@ name = "ID.me" description = "Consumers can verify their identity with ID.me once and seamlessly log in across websites without having to create a new login or verify their identity again." slug = "id-me" hostnames = ["id.me"] -sources = ["https://www.id.me/privacy", "https://id.me/biometric", "https://www.id.me/security", "https://id.me/washington-privacy"] +sources = ["https://www.id.me/privacy", "https://id.me/biometric", "https://www.id.me/security"] contributors = ["opile8"] [rubric.behavioral-marketing] 
@@ -31,14 +31,14 @@ citations = [ "- physical and environmental security procedures designed to prevent unauthorized access, damage or interference to business premises and information.", "", "[Security Page]", - "ID.me has been designed to comply with rigorous information security regulations including AICPA SOC 2, ISO 27001, FedRAMP, and multiple NIST 800 guidelines. Multiple ID.me clients have completed extensive technical due diligence with regard to the processing environment. The customers that have completed this due diligence are: USAA, Veterans Affairs, IRS, SSA, and Allscripts. ID.me implements role based access management, separation of duties, and multifactor authentication. Data at rest and in transit is encrypted using approved FIPS 140-2 algorithms. Personally Identifiable Information (PII) is encrypted using a rolling key and the AES-256-CBC algorithms." + "ID.me has been designed to comply with rigorous information security regulations including AICPA SOC 2, ISO 27001, FedRAMP, and multiple NIST 800 guidelines. Multiple ID.me clients have completed extensive technical due diligence with regard to the processing environment. [...] ID.me implements role based access management, separation of duties, and multifactor authentication. Data at rest and in transit is encrypted using approved FIPS 140-2 algorithms. Personally Identifiable Information (PII) is encrypted using a rolling key and the AES-256-CBC algorithms." ] notes = [ "See ID.me's [Security](https://www.id.me/security) page for a thorough explanation of their data, network, and data center security standards." ] [rubric.third-party-collection] -value = "critical-only" +value = "yes" citations = [ "Information from our partners. We acquire information from other trusted sources. These business partners might include companies, such as your mobile phone carriers, certain government agencies, licensing bodies, etc. 
We may also collect information about you from other sources, including service providers, data licensors and aggregators, marketing companies, programming distributors, and public databases.", "Information you provide through social media", @@ -80,12 +80,11 @@ notes = [ [rubric.data-breaches] value = "no" notes = [ - "Policy makes no mention of data breach procedures or notification to potential victims.", - "It does, however, admit \"[...] that no data transmission or storage can be guaranteed to be 100% secure.\"" + "Policy makes no mention of data breach procedures or notification to potential victims." ] [rubric.third-party-access] -value = "yes-specified-critical" +value = "yes-unspecified-critical" citations = [ "We may share your Personal Information with entities necessary to validate your ID.me Account and provide our Services to you. In order to verify your identity and eligibility to receive discounts and other benefits from our partners and other service providers, we may provide your Personal Information to third parties such as government agencies, telecommunications networks, financial institutions or other trusted and reliable sources of information. Our provision of your Personal Information to the foregoing parties is solely to verify your identity and eligibility for ID.me Services. We have established relationships with Registration Authorities similar to the entities described above whereby the Personal Information you provide to us will be transmitted to them using industry standard encryption tools, designed to protect such information from unauthorized access.", "[...]", 
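Review bot: The rewritten `[Security Page]` citation is the vendor's own description and says only that ID.me "has been designed to comply with" SOC 2, ISO 27001, FedRAMP and NIST 800 guidelines, which is weaker than a statement of audit or certification, yet the `notes` entry kept below it presents the page as a thorough explanation. I would add a second notes entry such as `"The Security page describes design goals; the quoted passage does not cite an audit report or certification."` so a reader does not take the citation as independent assurance. The passage also names AES-256-CBC, which by itself gives confidentiality but not integrity, and the quote does not say whether a MAC accompanies it; that is worth keeping in mind when grading. The rubric table's header and `value` are outside this hunk.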
@@ -96,7 +95,11 @@ citations = [ value = "yes" citations = [ "[Privacy Policy Page]", - "Verification information. When you verify yourself, either individually or as part of a community, with ID.me you provide us with Personal Information that may include your name, date of birth, social security number and/or other government issued identification numbers, copies of your government issued identification card (e.g., license or passport), email address, phone number, mailing address, and certain photographic images, and biometric data. You may also be asked to provide community affiliations (e.g., Military, First Responder, Student, Veteran, etc.), memberships, educational degrees, and professional certifications.", + "**2. How We May Use Your Information and Why**", + "[...]", + "**We may use information to provide you with our Services.** We may use the information collected from or about you to authenticate and manage your identity when you create an ID.me account, including to verify attributes of your identity including, but not limited to, community affiliations (e.g., military status, first responder, student, veteran status, etc.), memberships, social media accounts, educational degrees, and professional certifications, [...] . We may use this information to verify your identity with ID.me partners in both the public and private sector at your request and perform our contractual obligations with you or to ensure that our Services function properly.", + "**We may use Personal Information to perform reporting with our public sector customers.** In order to better serve our users, and to facilitate the identity verification process, ID.me may share a limited set of Personal Information - including first name, last name, date of birth, phone number, email address, and physical address as requested by a specific state or federal government agency - on behalf of users undergoing legal identity verification for a given government agency. [...] 
", + "**We may use information for marketing purposes.** We may use your information to send promotional messages and newsletters via email, or otherwise alert you to products or Services we think might be of interest to you, including for ID.me Shop. [...]", "[Biometric Policy Page]", "We use your Biometric Information only as follows:", "- To verify your identity when you are opening an account or using our Services;", @@ -105,8 +108,7 @@ citations = [ "- To comply with legal obligations or comply with a request from law enforcement or government entities where not prohibited by law." ] notes = [ - "ID.me uses this information to become a trusted middleman to verify your affiliation.", - "For instance: you allow ID.me to verify your Veteran status, then ask ID.me to give a \"digital thumbs up\" to a third party so you can get the Veteran discount." + "(see also, \"non-critical purposes\" grade for discussion about data collected for marketing purposes)" ] [rubric.noncritical-purposes] 
@@ -122,9 +124,21 @@ notes = [ value = "reasonable" citations = [ "[Privacy Policy Page]", - "We may share information as required with the United States federal government and certain state governments. ID.me does not provide any government with direct and unfettered access to our user's data, and we do not provide any government with our encryption keys or the ability to break our encryption. We may share certain Personal Information associated with an ID.me account with government entities where we reasonably believe that account may be engaging in fraud.", + "**We may share information as needed in order to comply with legal processes, to protect ourselves, or improve our Services.** For example, we will share information when it is necessary for us to comply with applicable law or legal process, to respond to legal claims, to prevent fraud, or to protect our rights or the property or personal safety of our users, employees, or the public.", + "We also use third party service providers to track and analyze website usage and volume statistical information to administer our Website and constantly improve its quality.", + "**We may share information as required with the United States federal government and certain state governments.** ID.me does not provide any government with direct and unfettered access to our user's data, and we do not provide any government with our encryption keys or the ability to break our encryption. We may share certain Personal Information associated with an ID.me account with government entities where we reasonably believe that account may be engaging in fraud.", "If a government entity requires additional information related to an ID.me account, whether related to a suspected instance of fraud or otherwise, it must follow applicable legal processes. 
It must serve us with a subpoena, warrant, or present other legally compelling justification for the additional information associated with the account, the request must be targeted and specific in nature.", "Our legal and compliance teams review all requests to ensure they are valid, reject those that are not valid, and only provide the data specified in the subpoena or similar court order.", + "**Information you provide offline.** You may also provide information to us in person and offline. You may be recorded if you visit our offices (including by security surveillance of our premises, including CCTV).", + "**Other information.** We also collect information that relates to or is capable of being associated with you, such as age, gender, and any other information you choose to provide.", + "***Information Collected Automatically***", + "When using our Services we may automatically collect or receive certain information associated with you or your network device(s), such as your computer or mobile devices. This includes information about your use of our Services and your preferences. Such information may be automatically collected through device-based tracking technologies such as cookies, pixels, tags, beacons, scripts, or other technologies. For more information about cookies or other tracking technologies and the choices you have regarding the use of them, please visit our ID.me [Cookie Policy](https://www.id.me/cookie-policy).", + "The information we automatically collect may also include geolocation information, such as information that identifies the approximate location of your device and your IP address, which may be used to estimate your approximate location.", + "**Information from our partners.** We acquire information from other trusted sources. These business partners might include companies, such as your mobile phone carriers, certain government agencies, licensing bodies, etc. 
We may also collect information about you from other sources, including service providers, data licensors and aggregators, marketing companies, programming distributors, and public databases.", + "***Information you provide through social media***", + "If you connect to us through a social media platform or navigate to a social media platform from one of our sites, the social media platform will collect your information separately from us. You should review the social media platforms' privacy policies to understand how they are using your information and your rights in relation to such information.", + "***Information We Derive***", + "We may derive additional information or draw inferences about you based on the information we have collected from you directly, passively, or through third parties.", "[Biometric Policy Page]", "ID.me will only share your Biometric Information with our partners in the following circumstances:", "As required with other third parties where permitted by law to enforce our Terms of Service, to comply with legal obligations, or to cooperate with law enforcement agencies concerning conduct or activity that we reasonably believe may violate federal, state, or local law when required by a subpoena, warrant, or other court ordered legal action, and to prevent harm, loss or injury to others.", 
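Review bot: Ten of the citations added to this table (from `**Information you provide offline.**` through `We may derive additional information ...`) describe what ID.me collects, not when it hands data to governments or courts, so they do not support the `value = "reasonable"` grade they are filed under. The table header is outside the hunk, but the surrounding citations about subpoenas and warrants suggest it is the law-enforcement rubric. At least two of these paragraphs (`Information from our partners` and `Information you provide through social media`) already appear as citations under `[rubric.third-party-collection]` in an earlier hunk of this patch, so I would drop the collection paragraphs here and keep only the legal-process and government-sharing ones. `"We also use third party service providers to track and analyze website usage ..."` looks misplaced for the same reason.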
@@ -135,7 +149,13 @@ citations = [ value = "exhaustively" citations = [ "[Privacy Policy Page]", - "Verification information. When you verify yourself, either individually or as part of a community, with ID.me you provide us with Personal Information that may include your name, date of birth, social security number and/or other government issued identification numbers, copies of your government issued identification card (e.g., license or passport), email address, phone number, mailing address, and certain photographic images, and biometric data. You may also be asked to provide community affiliations (e.g., Military, First Responder, Student, Veteran, etc.), memberships, educational degrees, and professional certifications.", + "***Information You Provide***", + "*We Collect Information You Provide to Us Which Includes:*" + "**Verification information.** When you verify yourself, either individually or as part of a community, with ID.me you provide us with Personal Information that may include your name, date of birth, social security number and/or other government issued identification numbers, copies of your government issued identification card (e.g., license or passport), email address, phone number, mailing address, and certain photographic images, and biometric data. You may also be asked to provide community affiliations (e.g., Military, First Responder, Student, Veteran, etc.), memberships, educational degrees, and professional certifications.", + "Please note, ID.me asks that you not provide physical documentation, via mail service or otherwise, to ID.me. All documentation to be collected should be provided either through the ID.me app or website portal, or presented to a trusted referee where applicable.", + "Your correspondence and your feedback about our Services. 
We collect information you provide when you contact us directly or provide feedback, comments, or suggestions on our Services directly to us.", + "**Information you provide when you do business with ID.me.** If you are a vendor, service provider, or business partner of ID.me, we may collect information about you and the services you provide, including your or your employees' business contact information and other information you or your employees provide to us as part of the services you may provide and our agreement with you.", + "[Biometric Policy Page]", "The information we collect will vary depending on the specific type of Services you request. Many ID.me Services do not require Biometric Information, however certain Services – those requiring a NIST 800-63A IAL2 credential, such as the Internal Revenue Service (IRS), Office of Veterans Affairs (VA), or certain state unemployment or labor departments - may require a higher level of assurance for your identity verification. When you sign up for an applicable ID.me Service we may collect the following Biometric Information:", " - Facial Biometrics: Our Service may require you to upload an image of your government issued or other identification document(s) as well as your photographic image or \"selfie\" photograph using your mobile or other device. We use these images to create a facial geometry or faceprint which we use for purposes of identity verification and to prevent the creation of multiple accounts in a fraudulent manner.", From cea4219d6d5320b1b497687bc1de0043f4aead90 Mon Sep 17 00:00:00 2001 From: Matt Ronchetto Date: Mon, 9 Sep 2024 09:03:43 -0700 Subject: [PATCH 11/12] fix(products): remove typo on L50 --- products/id-me.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/products/id-me.toml b/products/id-me.toml index 64ed6fbe..7951a772 100644 --- a/products/id-me.toml +++ b/products/id-me.toml 
@@ -47,7 +47,7 @@ citations = [ "We may derive additional information or draw inferences about you based on the information we have collected from you directly, passively, or through third parties." ] notes = [ - "ID.me previously (until 3/14/2022) allowed login to Facebook using ID.me as the sign-on service (via Facebook Connect). The privacy policy at that time included language about ID.me's collection and storage of data about those contacts (depending on the users' privacy settings). ID.me still allows a customer to [use social media accounts to sign into ID.me](https://help.id.me/hc/en-us/articles/360057107014-Connecting-social-or-third-party-accounts-to-your-ID-me-account) from accounts like Apple, Facebook, Google, or LinkedIn, but ID.me no no longer seems policy no longer mentions these by name." + "ID.me previously (until 3/14/2022) allowed login to Facebook using ID.me as the sign-on service (via Facebook Connect). The privacy policy at that time included language about ID.me's collection and storage of data about those contacts (depending on the users' privacy settings). ID.me still allows a customer to [use social media accounts to sign into ID.me](https://help.id.me/hc/en-us/articles/360057107014-Connecting-social-or-third-party-accounts-to-your-ID-me-account) from accounts like Apple, Facebook, Google, or LinkedIn, but ID.me no longer seems policy no longer mentions these by name." ] [rubric.history] From 1d933bdb3fd1815bc74f6665826684717da9d4b3 Mon Sep 17 00:00:00 2001 From: Matt Ronchetto Date: Mon, 9 Sep 2024 09:04:36 -0700 Subject: [PATCH 12/12] fix(products): add missing comma to rubric.list-collected --- products/id-me.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/products/id-me.toml b/products/id-me.toml index 7951a772..05658257 100644 --- a/products/id-me.toml +++ b/products/id-me.toml 
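Review bot: The corrected line still does not read as a sentence: with the doubled "no" removed it ends `but ID.me no longer seems policy no longer mentions these by name.` Two halves of an earlier rewording appear to have been left merged; something like `but ID.me's policy no longer mentions these by name.` reads cleanly and keeps the meaning. The table header for this `notes` array is outside the hunk.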
@@ -150,7 +150,7 @@ value = "exhaustively"
 citations = [
 "[Privacy Policy Page]",
 "***Information You Provide***",
- "*We Collect Information You Provide to Us Which Includes:*"
+ "*We Collect Information You Provide to Us Which Includes:*",
 "**Verification information.** When you verify yourself, either individually or as part of a community, with ID.me you provide us with Personal Information that may include your name, date of birth, social security number and/or other government issued identification numbers, copies of your government issued identification card (e.g., license or passport), email address, phone number, mailing address, and certain photographic images, and biometric data. You may also be asked to provide community affiliations (e.g., Military, First Responder, Student, Veteran, etc.), memberships, educational degrees, and professional certifications.",
 "Please note, ID.me asks that you not provide physical documentation, via mail service or otherwise, to ID.me. All documentation to be collected should be provided either through the ID.me app or website portal, or presented to a trusted referee where applicable.",
 "Your correspondence and your feedback about our Services. We collect information you provide when you contact us directly or provide feedback, comments, or suggestions on our Services directly to us.",