The Biden administration has directed the Internal Revenue Service to scrap a policy requiring taxpayers to consent to the use of facial recognition to verify their identities for the purpose of online account authentication, United States Senator Ron Wyden’s office announced in a memorandum published this morning.
The IRS had contracted with a private company called ID.me (originally known as TroopSwap and Troop ID) to perform “verification services” on its behalf.
Based in McLean, ID.me is a twelve-year-old company that initially focused on digital identity verification for military personnel. It rebranded to ID.me in 2013. During the pandemic, an increasing number of states have used ID.me to verify unemployment claimants in the hopes of reducing fraud.
But it was the IRS’ embrace of ID.me that turned a lot of heads.
“The IRS is using ID.me, a trusted technology provider of identity verification and sign-in services, for taxpayers to securely access IRS tools,” the agency said in an announcement published on November 17th, 2021.
“Anyone with an existing ID.me account from the Child Tax Credit Update Portal, or from another government agency, can sign in with their existing credentials. If they’re a new user, they’ll have to provide a photo of an identity document such as a driver’s license, state ID or passport as part of the identity verification process. They’ll also need to take a selfie with a smartphone or a computer with a webcam. Once they verify their identity, they can use their account across multiple IRS tools and at other government agencies that also use ID.me.”
“Some twenty-seven states already use ID.me to screen for identity thieves applying for benefits in someone else’s name, and now the IRS is joining them,” cybersecurity investigative reporter Brian Krebs explained in a post for KrebsOnSecurity last month, for readers who hadn’t caught the agency’s announcement.
“The service requires applicants to supply a great deal more information than typically requested for online verification schemes, such as scans of their driver’s license or other government-issued ID, copies of utility or insurance bills, and details about their mobile phone service.”
“When an applicant doesn’t have one or more of the above — or if something about their application triggers potential fraud flags — ID.me may require a recorded, live video chat with the person applying for benefits.”
It did not take long for digital privacy advocates and elected officials to begin sounding the alarm and decrying the IRS’ new policy.
“ID.me claims to advance equity and justice, yet it pushes for adoption of its technology before adequate public scrutiny, debate, and oversight have taken place,” noted Joy Buolamwini in a January 27th piece for The Atlantic.
“The company’s CEO also backtracked claims that ID.me’s technology does not use facial recognition only after a leaked internal communication revealed that its engineers had been using one-to-many facial recognition for fraud detection.”
“We should all be concerned about the misrepresentation of biometric technologies sold to and deployed by the government, as they have enormous implications for our civil rights and liberties. The U.S. government is already pushing this technology on citizens — all while the executive branch purports to be conducting a meaningful investigation into how the government should proceed.”
“What’s the point of seeking input about the limitations and harms of this course of action if officials are proceeding to deploy it anyway?”
Several United States Senators have been asking similar questions and expressing opposition to the IRS’ plans. None have been more outspoken than our very own Senator Ron Wyden of Oregon, a champion for digital liberties and privacy.
Just this morning, Wyden sent a letter to the Treasury Department requesting that the verification policy be scrapped. Within hours, Wyden received an assurance that the IRS would be changing its policy at Treasury’s behest.
“The Treasury Department has made the smart decision to direct the IRS to transition away from using the controversial ID.me verification service, as I requested earlier today,” Senator Wyden said. “I understand the transition process may take time, but I appreciate that the administration recognizes that privacy and security are not mutually exclusive and no one should be forced to submit to facial recognition to access critical government services.”
NPI thanks Senator Wyden for his leadership in protecting Americans’ privacy. The federal government and major corporations have repeatedly demonstrated that they do not have the ability to protect Americans from hackers working for foreign adversaries or criminal gangs looking to steal information and cause havoc.
On that basis alone, this contract should not have been signed.
Paying ID.me to build a much bigger biometric database of American taxpayers was a bad idea. Continuing the policy would have been tantamount to erecting a large flashing sign reading “Please Hack Us.” Countries like China, Russia, North Korea, or Iran would surely have found the existence of such a large database of Americans’ biometric data to be an irresistible, juicy target.
We need to completely rethink how we authenticate people online. Security and privacy should go hand in hand. Infringing on people’s privacy with intrusive practices is simply not the way to improve security. Vacuuming up people’s personal data and using recorded calls to “verify” people are surveillance methods, not the tools for achieving a better cybersecurity posture.