The IRS is abandoning a new security program that would have required all online users to submit facial recognition scans in order to access its online services.
Last November, the IRS announced that in summer 2022, it would begin requiring all online patrons to verify their accounts via facial recognition. The program was to be operated by ID.me, a private, third-party partner of the IRS. ID.me also contracts with a select few other federal entities, as well as 27 U.S. states.
Facial recognition technology is a controversial new form of security. It’s been widely embraced by the Chinese Communist Party in its effort to maintain social control over a large population, and it has begun to creep into some jurisdictions in Western countries. But in the West, the resistance has been fierce enough to get it banned in at least two countries (Belgium and Luxembourg), and to keep it largely at bay in others.
The IRS and ID.me insist that these measures guard against fraud and protect people’s private information. But privacy experts, politicians, and civil rights groups like the ACLU and the Surveillance Technology Oversight Project (S.T.O.P.) created a severe backlash.
“The IRS should never have explored this technology in the first place,” wrote Albert Fox Cahn, founder and Executive Director of S.T.O.P. to Gizmodo. “Facial recognition is biased, error-prone, and invasive. We should never have to forfeit our face just to pay a tax bill. When government agencies use this technology, it’s a question of when, not if, this biometric data is hacked, leaked, or misused.”
Jay Stanley, Senior Policy Analyst at the ACLU, told Gizmodo that it was a matter of concern that private companies were being given this kind of responsibility. He pointed out that, “If this company was a government agency they would be subject to FOIA and the Privacy Act and other checks and balances that have been developed over many decades to forestall the kinds of problems that can emerge.”
Of special concern to these groups is the bias often discovered within facial recognition systems, which have been shown to have less accuracy when identifying women and people of color.
The pushback only grew worse when it was discovered that ID.me had not been entirely honest about the way its facial recognition works.
Originally, ID.me explained that it was only comparing the photo submitted for facial recognition against the government-issued photo ID submitted simultaneously by the online user. But a statement published by ID.me CEO Blake Hall earlier this month revealed that this was not entirely true.
In a LinkedIn post published on Wednesday, ID.me founder and CEO Blake Hall said the company verifies new enrolling users’ selfies against a database of faces in an effort to minimize identity theft. That runs counter to the more privacy-preserving ways ID.me has pitched its biometric products in the past and has drawn scrutiny from advocates who argue members of the public compelled to use ID.me for basic government tasks have unclear information.Mack DeGeurin, “IRS Abandons Facial Recognition Plans” at Gizmodo
On February 3, Senate Republicans sent a letter to IRS Commissioner Chuck Rettig, stating that they were “deeply concerned” about how the partnership between the IRS and ID.me “may affect confidential taxpayer information and fundamental civil liberties.”
There is ample evidence to be very concerned about an IRS contractor’s ability to safely manage, collect and store this unprecedented level of confidential, personal data. To put this in perspective, in 2019 the IRS estimated it faced 1.4 billion cyber-attacks annually. It is highly likely, with personal information on a reported 70 million individuals, including biometric data, ID.me could be a top target for cyber-criminals, rogue employees, and espionage.Letter from the United States Senate to IRS Commissioner Rettig, February 3, 2022
Shortly thereafter, Oregon Senator Ron Wyden wrote his own letter to Rettig denouncing the facial recognition program:
While the IRS had the best of intentions – to prevent criminals from accessing Americans’ tax records, using them to commit identity theft, and make off with other people’s tax refunds – it is simply unacceptable to force Americans to submit to scans using facial recognition technology as a condition of interacting with the government online, including to access essential government programs.Letter from Sen. Ron Wyden to IRS Commissioner Rettig, February 7, 2022
Within hours of Wyden’s letter, the IRS made a public statement that they would be dropping the facial recognition requirement.
“The IRS takes taxpayer privacy and security seriously,” said Rettig, “and we understand the concerns that have been raised. Everyone should feel comfortable with how their personal information is secured, and we are quickly pursuing short-term options that do not involve facial recognition.”
ID.me followed suit, announcing on February 8 that it would make facial recognition optional for all government agencies moving forward. “We have listened to the feedback about facial recognition and are making this important change,” said CEO Blake Hall, “adding an option for users to verify directly with a human agent to ensure consumers have even more choice and control over their personal data.”
Unfortunately, this will only add to ID.me’s already-long wait times. For nine out of ten people, says ID.me, it’s a simple process. But Ashlea Ebeling at Forbes reports that, “For the other 10%, if the self-service method doesn’t work, the amount of time trying to use the self-service method, combined with the wait for a video chat representative, can mean the whole process takes much longer.” When cybersecurity journalist Brian Krebs ran into issues with his account, his estimated wait time to speak with a representative was over three hours.
Facial recognition technology highlights the tension between security and privacy. These government agencies and private companies are offering greater security, but at the price of a lack of privacy. For some, that cost is too great.