Lawmakers want IRS to address security concerns with use of facial recognition on taxpayers
Democrats and Republicans are turning up the pressure on the Internal Revenue Service to address privacy and security concerns with its plan to use facial recognition on millions of Americans who access the agency’s website for tax documents and payments.
Sen. Ron Wyden, D-Ore., asked the agency Monday to reverse its decision and halt its work with facial-recognition-based identity verification provider, ID.me.
“While the IRS had the best of intentions — to prevent criminals from accessing Americans’ tax records, using them to commit identity theft, and make off with other people’s tax refunds — it is simply unacceptable to force Americans to submit to scans using facial recognition technology as a condition of interacting with the government online, including to access essential government programs,” Wyden wrote in a letter to IRS Commissioner Charles Rettig, shared with CyberScoop.
The letter adds to a growing charge by both Democrats and Republicans demanding that the IRS pause or reverse the new identification requirement rollout until it addresses serious privacy and cybersecurity concerns with the plan.
On Thursday, Sens. Roy Blunt, R-Mo., and Jeff Merkley, D-Ore.; Senate Commerce Ranking Member Roger Wicker, R-Miss.; and Republicans on the Senate Finance Committee wrote three separate letters to the IRS demanding answers about its plans to require all IRS.gov accounts to register with ID.me by summer 2022. Rep. Bill Huizenga, R-Mich., introduced legislation Friday that would ban the IRS from using facial recognition on taxpayers, Fox Business first reported.
“The use of facial recognition on millions and millions of Americans is a huge privacy intrusion,” Rep. Ted Lieu, D-Calif., told CyberScoop. Lieu, alongside three other House Democrats, wrote a letter to the IRS Monday demanding that the agency pause its plans until it addresses concerns raised by Congress and consults with stakeholders in the civil rights and civil liberties communities. Lieu said that the IRS has failed to justify why it needs to give a third-party contractor access to the biometric data of millions of Americans. “I could do banking transactions right now, without having to have facial recognition. Why does the IRS need to have facial recognition to allow Americans to simply use their portal?”
The letters request information on what steps the agency took to vet the accuracy and security of ID.me’s technology before awarding it an $86 million contract, what security measures the private company has in place to protect Americans’ data, and how the IRS reached the decision to use facial recognition technology.
Lawmakers also expressed concerns about the lack of transparency around the contract, both from the IRS and ID.me. ID.me originally said that it did not compare photos submitted by users to a larger database. As CyberScoop first reported, the company backtracked on its claims, stating in a LinkedIn post that same week that it did use the more advanced facial recognition software, known as one-to-many, for its fraud prevention services. The IRS did not disclose the use of one-to-many facial recognition in its federally mandated Privacy Impact Assessment of ID.me’s services. ID.me previously told CyberScoop that it discloses to government partners when one-to-many is used.
One-to-many facial recognition has been shown by government studies to demonstrate significant racial bias, prompting a growing list of cities to ban law enforcement use of the technology. Amazon Rekognition, one of ID.me’s providers, has also placed a moratorium on sales to law enforcement in light of civil rights concerns.
“There’s a difference between, for example, your Apple iPhone asking you if you want to use facial recognition technology for purposes of unlocking your Apple iPhone versus the IRS, because this is a mandate and you’re forcing people to use this discriminatory and potentially inaccurate facial recognition technology,” Lieu said.
Calls from lawmakers to halt the program echo those of privacy and civil rights groups, which are also pressuring the agency to stop the program.
Photo IDs and video selfies
In order to use ID.me, taxpayers are required to upload images of a government-issued photo ID and submit a live video selfie to confirm a match with that document. If a match isn’t confirmed, the verification process is escalated to a human service representative. Lawmakers and civil rights advocates have expressed concerns that the process is not only invasive but could cause accessibility issues for millions of Americans who lack access to smart devices or reliable internet required to use the technology.
An ID.me account will be required for an array of IRS services, including making payments and accessing tax records. Users who do not currently have an IRS account are required to register with ID.me prior to the full rollout. An account will not be required for filing taxes.
Hackers and spies have a long history of going after U.S. government and government contractor databases containing identifying information on Americans. In 2015 Chinese hackers breached the Office of Personnel Management, exposing the sensitive personal data of 22 million current and former federal employees. In 2019 a hack of a U.S. Customs and Border Protection subcontractor exposed the images and license plates of 184,000 travelers.
Lawmakers fear that a cyberattack on ID.me’s database of Americans could have even more disastrous consequences. ID.me already serves 70 million Americans, thanks in large part to the company’s rapid growth during the pandemic as the digital verification system for 27 states’ unemployment benefits systems. That number could climb substantially if all Americans are required to use the company for an IRS login. In 2020 IRS.gov received more than 1.6 billion visits and saw taxpayers download more than 437 million files, according to agency data.
ID.me retains users’ biometric data for 7.5 years after an account is closed, per federal law.
Leaning on login.gov
Wyden’s letter urges the IRS to move away from third-party identity verification services in the long term and instead use the government-run login.gov service, which is currently operating pilots to meet federal standards for verification services. Unlike ID.me, login.gov’s verification service does not use facial recognition software.
The IRS has taken heed of lawmaker criticisms. The agency briefed the staff of a group of Senate Republicans and Democrats on Friday, according to a source familiar with the meeting. The agency said that it was considering other alternatives to ID.me. Company officials have also met with lawmakers, including a meeting last week with the Ways and Means Committee, which oversees the IRS, according to a source familiar with that meeting.
The IRS declined to comment. ID.me declined to comment on the legislation or its meetings with lawmakers.
“We are committed to working together with the IRS to implement the best identity verification solutions to prevent fraud, protect Americans’ privacy, and ensure equitable, bias-free access to government services,” an ID.me spokesperson said in a written statement.
ID.me claims in promotional materials that it has “prevented hundreds of billions of dollars in government benefits fraud over the last 18 months,” a number that has been questioned by outside experts and is difficult to confirm using government data.
Concerns over government use of facial recognition technology extend well beyond the IRS. Lawmakers have in recent years introduced a patchwork of bills to rein in biometric and facial recognition technologies, including legislation to stop federal law enforcement use of the technology and prohibit its use in public housing. Currently, there is no federal law protecting the biometric data of Americans.
Updated 1/7/2022: To include comments from Rep. Ted Lieu.