Virtually universal condemnation of an Internal Revenue Service (IRS) plan to force all Americans to use facial recognition technology has caused the federal tax collection agency to change direction.
The plan would have forced all United States taxpayers to create a video “selfie” in addition to displaying a government-issued photo ID for the purposes of using ancillary services not related to directly filing taxes, as well as viewing prior tax returns.
Lawmaker concerns about storage of this biometric identification information and the use of a third-party contractor for processing prompted the change in plans.
IRS drops use of facial recognition technology, re-evaluates relationship with contractor ID.Me
The move to facial recognition technology accompanied a planned switch to the use of a third-party contractor called “ID.Me” for authentication of new accounts. Old accounts created via the current federal government web portal would not have been grandfathered in; as of some point in summer 2022, the plan was to require all users of IRS online services to submit a video selfie along with a government-issued photo ID through ID.me to continue to have access to their accounts.
ID.Me has existed since 2010 and is widely used by state governments for authentication purposes, mostly adopted during the Covid-19 pandemic as claims for unemployment insurance spiked under generous federally-mandated terms. Some 27 states now use the system, but prior to that ID.Me was primarily used by retail stores to verify the identities of shoppers eligible for special discounts (such as military veterans and college students).
The changeover would have subjected IRS users to the standard system used for these other purposes, which can include requests for secondary forms of identification such as utility bills and mobile phone account information. If any red flags are raised or something goes wrong with this verification process, users are asked to engage in a live video chat with an ID.Me “Trusted Referee” in which a photo ID must once again be displayed.
All of this photo and video information is processed and stored by ID.Me, a private company not subject to the same regulations that government agencies are. This was the primary point of contention for both sides of the political aisle, with members of Congress expressing concerns about the security and privacy of the facial recognition technology. Ironically, the IRS shift to ID.Me came about because of the agency’s termination of its prior identity verification relationship with Equifax after that company’s 2017 data breach.
ID.me was reportedly not going to be required for filing tax returns, but would be needed for nearly any other online service provided by the IRS: looking up previously filed tax returns, applying for payment plans, requesting transcripts, and anything involving the Child Tax Credit program.
The IRS issued a statement saying that it would be “moving away from” both facial recognition technology and third-party verification, rolling out a new system in the coming weeks in a bid to prevent tax filing issues just ahead of the annual deadline. An IRS spokesperson said that the change in plans should not interfere with the ability of Americans to file taxes for the current season.
ID.me has yet to make a public comment on the issue. Tim Erlin, VP of Strategy at Tripwire, believes that there should be transparency into the selection of such an ultimately problematic service: “Facial recognition technology is polarizing in general, and for many the concept of the government trusting a third-party to manage such personal data is unacceptable. For many others, the concept of the government itself having facial recognition data is equally unacceptable. It’s clear that there are a number of potential and unresolved issues with the selected vendor. While the immediate emphasis is on stopping the process from moving forward, time should be spent on how a vendor was selected with all these apparent issues.”
Pushback against facial recognition technology from Senate
Senator Ron Wyden (D-OR), chair of the Senate Finance Committee, was among a collection of House and Senate Democrats that condemned the use of facial recognition technology. These members expressed concern about the collection and storage of biometric information in a third-party database, with four House members addressing a letter to the IRS bringing up the US Customs and Border Protection breach of 2019 that exposed traffic camera images and driver’s license information. The Democrats also mentioned the history of racial bias found in studies of facial recognition technology, with systems registering markedly higher false positive rates for certain ethnicities and genders.
Republicans also broadly opposed the IRS use of facial recognition technology, however, with a group of 15 senators penning their own letter to the IRS. The Republicans focused on the intrusiveness of the identity verification process, and echoed Democrats in concerns about trusting a third-party contractor with such an amount of sensitive personal information.
Lecio DePaula Jr., VP of Data Protection at KnowBe4, sums up the perspective of those who find the process too invasive and the concerns about data storage too alarming: “Requiring American citizens to submit a government issued ID as well as a video to verify to the IRS portal is extremely privacy intrusive as that data would then be stored and processed by the third party contractor — which may be using data for a variety of other purposes (potentially sharing to law enforcement). This is one of those cases where the ends do not justify the means. The portal can be just as secure by leveraging strong password requirements as well as two-factor authentication for the end users, which is a much more inexpensive, less intrusive and unbiased way to secure the portal without needing to leverage a third party … If the United States had a robust privacy law which protected the biometric information of individuals, that would be a different situation. However, without any protection for the data of American citizens, adopting this technology at this scale would be privacy malpractice.”
It is unclear how the IRS intends to pivot without causing any disruption during the tax filing season (which ends in mid-April). The most likely answer is the use of Login.gov for the time being, a centralized authentication service developed by the US Digital Service in 2017 and maintained by the government. At the consumer end Login.gov is already used by the Small Business Administration for emergency loans, the USAJOBS site for federal job applications and the TSA PreCheck and Global Entry program among others; collectively the service is already used by about 40 million Americans. Senator Wyden has proposed an expansion that would allow in-person ID verification at Postal Service and Department of Veterans Affairs locations.