IRS to End the Use of Facial Recognition for Identity Verification After Privacy and Security Concerns

Following concerns about privacy and civil rights, the IRS announced its intention to transition away from a third-party facial recognition system that authenticates people opening new online IRS accounts. Taxpayers have been using the optional authentication technology to create and use IRS online accounts. However, in November, the IRS announced that the facial recognition service would be mandatory starting in the summer of 2022 for any taxpayer creating a new account or signing in for IRS online services. The facial recognition process relies on the ID.me technology provider and requires taxpayers to upload selfie videos, which are compared against their ID for verification purposes. The procedure, the technology, and the channeling of taxpayers’ sensitive information and photos through a private entity have raised concerns among privacy advocates and other stakeholders. People were concerned that the IRS has been demanding ID.me verification not just for filing tax returns, but also for access to related services such as:
- Child Tax Credit Update Portal
- Account information
- Requesting transcript
- Applying for payment plans online
- Online Payment Agreement services
- Identity Protection PIN

The Controversial ID.me System

The facial recognition system that the IRS has been using for the authentication process uses Amazon’s controversial Rekognition technology. Bloomberg says that by January 25th, the facial recognition system had verified over 20.9 million users’ video selfies. The system required people to upload their IDs — license or passport — along with video selfies. The system would then compare the video selfies to the ID to verify user identity. According to ID.me, if the authentication process fails, the system will direct you to verify your identity on a video call with an ID.me Trusted Referee. The user had to show their ID to the ID.me Trusted Referee with a photo of themselves to complete identity verification. ID.me verification was already a requirement for people creating new IRS accounts. People who had created IRS online accounts earlier were allowed to use their existing credentials until the summer of 2022, at which point they would be prompted to create an ID.me account.

One-to-One Vs. One-to-Many Facial Matching: The Transparency Problem

In the ID.me and IRS contract, ID.me said its system employs 1:1 facial matching technology — comparing the taxpayer’s image to the image on their ID. The company further states that it doesn’t use one-to-many technology. One-to-many facial matching compares a taxpayer’s facial image to a mass of images in a database. However, the statement that ID.me doesn’t use one-to-many matching fails to mention that the company does use technology that compares a facial image against a mass database of other facial images to guard against fraud in other government programs. In a LinkedIn post, ID.me’s founder and CEO admitted publicly that the company utilizes one-to-many facial matching technology. The conflicting information raised concerns, with stakeholders referring to the ID.me practices as privacy-invasive and prone to error. More concerning, the IRS’s Privacy Impact Assessment failed to disclose that ID.me was using one-to-many facial matching technology on Americans. With such transparency issues, stakeholders raised an alarm about how inappropriate it would be to compel millions of Americans to trust the new IRS protocol.
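
The difference between the two matching modes can be shown in a few lines. The sketch below is an added example, not code from the article, the IRS, or ID.me; the embeddings, record names, similarity threshold, false match rate and gallery size are all constructed assumptions, and comparisons are assumed to be independent.

```python
import math

# Constructed 3-dimensional "face embeddings"; real systems use far more dimensions.
SELFIE = [0.90, 0.10, 0.40]
ID_PHOTO = [0.88, 0.15, 0.42]        # same person, photo on the presented ID
GALLERY = {                          # hypothetical enrolled database
    "record-A": ID_PHOTO,            # the same person
    "record-B": [0.80, 0.30, 0.50],  # a different person who looks similar
    "record-C": [0.10, 0.90, 0.20],  # an unrelated person
}
THRESHOLD = 0.95                     # assumed similarity cut-off


def cosine(a, b):
    """Cosine similarity between two embedding vectors."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(y * y for y in b))
    return dot / (norm_a * norm_b)


def verify_one_to_one(selfie, id_photo, threshold):
    """1:1 verification: one comparison, against the ID the user presented."""
    return cosine(selfie, id_photo) >= threshold


def search_one_to_many(probe, gallery, threshold):
    """1:N search: compare against every record; return all that clear the threshold."""
    return sorted(label for label, emb in gallery.items()
                  if cosine(probe, emb) >= threshold)


def prob_any_false_match(fmr, gallery_size):
    """Chance that at least one of N independent non-mated comparisons falsely matches."""
    return 1.0 - (1.0 - fmr) ** gallery_size


if __name__ == "__main__":
    print("1:1 accepted:", verify_one_to_one(SELFIE, ID_PHOTO, THRESHOLD))
    print("1:N candidates:", search_one_to_many(SELFIE, GALLERY, THRESHOLD))
    for n in (1, 1_000_000):         # assumed per-comparison false match rate of 1e-6
        print(f"N={n}: P(any false match) = {prob_any_false_match(1e-6, n):.6f}")
```

With these constructed values the 1:1 check accepts the selfie, while the 1:N search also returns record-B, a different person; the same per-comparison error rate that is negligible for one comparison becomes likely across a million-record gallery.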

Trusting a Third-Party with Sensitive Data of Millions of Americans

Stakeholders started raising issues and questioning the privacy and security of the resulting huge store of Americans’ biometric and other personal data. The IRS was planning to expand its use of ID.me, but privacy and security advocates questioned how the IRS would protect the personal data that ID.me collects. In fact, many pointed out that government and private entities have an unfortunate history of data breaches. The senator wrote to Charles Rettig — the Commissioner of the IRS — that ID.me as a private business is not subject to the same oversight rules as a government agency. Yet, the company will still hold a lot of sensitive data from the American population. People complained that the IRS had decided to allow a third party to stand as the gatekeeper between citizens and essential government services. To make matters worse, lawmakers viewed the ID.me verification process as intrusive since the company isn’t subject to the same oversight rules as government agencies. Some senators pointed out that forcing millions of Americans to hand over sensitive biometric data is risky in the event of cyberattacks. Considering the 2019 cyberattack on US Customs and Border Protection (CBP), where the attack exposed many US travelers’ facial images and license plates, the ID.me approach is risky. People think that the IRS’s plan would pose a huge cybersecurity risk because millions of Americans use the IRS website yearly for integral functions. While ID.me has been available for other government services, using its facial recognition would force the public to trust a private contractor with its most sensitive data.

The Shift to Other Verification Methods

The IRS announced that it would end facial recognition for identity verification. The commissioner said that the IRS respects taxpayers’ security and privacy. As a result of the raised concerns, the IRS commissioner promised to shift to a short-term verification process that doesn’t include facial recognition. The shift won’t interfere with taxpayers’ ability to file their returns or pay the tax they owe — the IRS will continue accepting tax filings. While the transition from the ID.me verification system might take time, the shift shows that the government recognizes how integral privacy and security are to people. No one should be forced to submit to facial recognition to access government services. However, the government is committed to not deploying facial recognition for use with government benefits and services until it is confident that it won’t cause harm to vulnerable populations.

Baroan Can Help Your Business Implement Privacy and Security Solutions for Sensitive Data

Everyone is concerned about the sensitive information they share, how businesses handle and safeguard the data, and with whom their sensitive data is shared. Everyone wants to be sure that their confidentiality is protected. Baroan Technologies offers secure cloud solutions to boost customer trust in business. Contact us today to discuss your business.