Cybersecurity eyeball
Cybersecurity eyeball

The Biden admin­is­tra­tion has direct­ed the Inter­nal Rev­enue Ser­vice to scrap a pol­i­cy requir­ing tax­pay­ers to con­sent to the use of facial recog­ni­tion to ver­i­fy their iden­ti­ties for the pur­pose of online account authen­ti­ca­tion, Unit­ed States Sen­a­tor Ron Wyden’s office announced in a mem­o­ran­dum pub­lished this morning.

The IRS had con­tract­ed with a pri­vate com­pa­ny called ID.me (orig­i­nal­ly known as Troop­Swap and Troop ID) to per­form “ver­i­fi­ca­tion ser­vices” on its behalf.

Based in McLean, ID.me is a twelve year old com­pa­ny that ini­tial­ly focused on dig­i­tal iden­ti­ty ver­i­fi­ca­tion for mil­i­tary per­son­nel. It rebrand­ed to ID.me in 2013. Dur­ing the pan­dem­ic, an increas­ing num­ber of states have used ID.me to ver­i­fy unem­ploy­ment claimants in the hopes of reduc­ing fraud.

But it was the IRS’ embrace of ID.me that turned a lot of heads.

“The IRS is using ID.me, a trust­ed tech­nol­o­gy provider of iden­ti­ty ver­i­fi­ca­tion and sign-in ser­vices, for tax­pay­ers to secure­ly access IRS tools,” the agency said in an announce­ment pub­lished on Novem­ber 17th, 2021.

“Any­one with an exist­ing ID.me account from the Child Tax Cred­it Update Por­tal, or from anoth­er gov­ern­ment agency, can sign in with their exist­ing cre­den­tials. If they’re a new user, they’ll have to pro­vide a pho­to of an iden­ti­ty doc­u­ment such as a dri­ver’s license, state ID or pass­port as part of the iden­ti­ty ver­i­fi­ca­tion process. They’ll also need to take a self­ie with a smart­phone or a com­put­er with a web­cam. Once they ver­i­fy their iden­ti­ty, they can use their account across mul­ti­ple IRS tools and at oth­er gov­ern­ment agen­cies that also use ID.me.”

“Some twen­ty-sev­en states already use ID.me to screen for iden­ti­ty thieves apply­ing for ben­e­fits in some­one else’s name, and now the IRS is join­ing them,” cyber­se­cu­ri­ty inves­tiga­tive reporter Bri­an Krebs explained to read­ers who had­n’t caught the agen­cy’s announce­ment in a post for Kreb­son­Se­cu­ri­ty last month.

“The ser­vice requires appli­cants to sup­ply a great deal more infor­ma­tion than typ­i­cal­ly request­ed for online ver­i­fi­ca­tion schemes, such as scans of their driver’s license or oth­er gov­ern­ment-issued ID, copies of util­i­ty or insur­ance bills, and details about their mobile phone service.”

“When an appli­cant doesn’t have one or more of the above — or if some­thing about their appli­ca­tion trig­gers poten­tial fraud flags — ID.me may require a record­ed, live video chat with the per­son apply­ing for benefits.”

It did not take long for dig­i­tal pri­va­cy advo­cates and elect­ed offi­cials to begin sound­ing the alarm and decry­ing the IRS’ new policy.

“ID.me claims to advance equi­ty and jus­tice, yet it push­es for adop­tion of its tech­nol­o­gy before ade­quate pub­lic scruti­ny, debate, and over­sight have tak­en place,” not­ed Joy Buo­lamwi­ni in a Jan­u­ary 27th piece for The Atlantic.

“The company’s CEO also back­tracked claims that ID.me’s tech­nol­o­gy does not use facial recog­ni­tion only after a leaked inter­nal com­mu­ni­ca­tion revealed that its engi­neers had been using one-to-many facial recog­ni­tion for fraud detection.”

“We should all be con­cerned about the mis­rep­re­sen­ta­tion of bio­met­ric tech­nolo­gies sold to and deployed by the gov­ern­ment, as they have enor­mous impli­ca­tions for our civ­il rights and lib­er­ties. The U.S. gov­ern­ment is already push­ing this tech­nol­o­gy on cit­i­zens — all while the exec­u­tive branch pur­ports to be con­duct­ing a mean­ing­ful inves­ti­ga­tion into how the gov­ern­ment should proceed.”

“What’s the point of seek­ing input about the lim­i­ta­tions and harms of this course of action if offi­cials are pro­ceed­ing to deploy it anyway?”

Sev­er­al Unit­ed States Sen­a­tors have been ask­ing sim­i­lar ques­tions and express­ing oppo­si­tion to the IRS’ plans. None have been more out­spo­ken than our very own Sen­a­tor Ron Wyden of Ore­gon, a cham­pi­on for dig­i­tal lib­er­ties and privacy.

Just this morn­ing, Wyden sent a let­ter to the Trea­sury Depart­ment request­ing that the ver­i­fi­ca­tion pol­i­cy be scrapped. With­in hours, Wyden received an assur­ance that the IRS would be chang­ing its pol­i­cy at Trea­sury’s behest.

“The Trea­sury Depart­ment has made the smart deci­sion to direct the IRS to tran­si­tion away from using the con­tro­ver­sial ID.me ver­i­fi­ca­tion ser­vice, as I request­ed ear­li­er today” Sen­a­tor Wyden said. “I under­stand the tran­si­tion process may take time, but I appre­ci­ate that the admin­is­tra­tion rec­og­nizes that pri­va­cy and secu­ri­ty are not mutu­al­ly exclu­sive and no one should be forced to sub­mit to facial recog­ni­tion to access crit­i­cal gov­ern­ment services.”

NPI thanks Sen­a­tor Wyden for his lead­er­ship in pro­tect­ing Amer­i­cans’ pri­va­cy. The fed­er­al gov­ern­ment and major cor­po­ra­tions have repeat­ed­ly demon­strat­ed that they do not have the abil­i­ty to pro­tect Amer­i­cans from hack­ers work­ing for for­eign adver­saries or crim­i­nal gangs look­ing to steal infor­ma­tion and cause havoc.

On that basis alone, this con­tract should not have been signed.

Pay­ing ID.me to build a much big­ger bio­met­ric data­base of Amer­i­can tax­pay­ers was a bad idea. Con­tin­u­ing the pol­i­cy would have been tan­ta­mount to erect­ing a large flash­ing sign read­ing “Please Hack Us.” Coun­tries like Chi­na, Rus­sia, North Korea, or Iran would sure­ly have found the exis­tence of such a large data­base of Amer­i­cans’ bio­met­ric data to be an irre­sistible, juicy target.

We need to com­plete­ly rethink how we authen­ti­cate peo­ple online. Secu­ri­ty and pri­va­cy should go hand in hand. Infring­ing on peo­ple’s pri­va­cy with intru­sive prac­tices is sim­ply not the way to improve secu­ri­ty. Vac­u­um­ing up peo­ple’s per­son­al data and using record­ed calls to “ver­i­fy” peo­ple are sur­veil­lance meth­ods, not the tools for achiev­ing a bet­ter cyber­se­cu­ri­ty posture.

About the author

Andrew Villeneuve is the founder and executive director of the Northwest Progressive Institute, as well as the founder of NPI's sibling, the Northwest Progressive Foundation. He has worked to advance progressive causes for over two decades as a strategist, speaker, author, and organizer. Andrew is also a cybersecurity expert, a veteran facilitator, a delegate to the Washington State Democratic Central Committee, and a member of the Climate Reality Leadership Corps.

Adjacent posts

Enjoyed what you just read? Make a donation

Thank you for read­ing The Cas­ca­dia Advo­cate, the North­west Pro­gres­sive Institute’s jour­nal of world, nation­al, and local politics.

Found­ed in March of 2004, The Cas­ca­dia Advo­cate has been help­ing peo­ple through­out the Pacif­ic North­west and beyond make sense of cur­rent events with rig­or­ous analy­sis and thought-pro­vok­ing com­men­tary for more than two decades.

The Cas­ca­dia Advo­cate is fund­ed by read­ers like you and trust­ed spon­sors. We don’t accept unso­licit­ed ad buys or pub­lish con­tent in exchange for money.

Help us keep The Cas­ca­dia Advo­cate edi­to­ri­al­ly inde­pen­dent and freely avail­able to all by becom­ing a mem­ber of the North­west Pro­gres­sive Insti­tute today. Or make a dona­tion to sus­tain our essen­tial research and advo­ca­cy jour­nal­ism. Your con­tri­bu­tion will allow us to con­tin­ue bring­ing you fea­tures like Last Week In Con­gress, live cov­er­age of events like Net­roots Nation or the Demo­c­ra­t­ic Nation­al Con­ven­tion, and reviews of books and doc­u­men­tary films.

Become an NPI mem­ber Make a one-time donation