Face Off: IRS kills plan to verify taxpayers with facial recognition database
Uncle Sam takes security, privacy concerns seriously, it says here
Updated The Internal Revenue Service has abandoned its plan to verify the identities of US taxpayers using a private contractor's facial recognition technology after both Democrats and Republicans actively opposed the deal.
US Senator Ron Wyden (D-OR) on Monday said Treasury Department officials informed his office that the agency has decided to move away from using the private facial recognition service ID.me to verify IRS.gov accounts.
"The Treasury Department has made the smart decision to direct the IRS to transition away from using the controversial ID.me verification service, as I requested earlier today," Wyden said in a statement. "I understand the transition process may take time, but I appreciate that the administration recognizes that privacy and security are not mutually exclusive and no one should be forced to submit to facial recognition to access critical government services."
In a statement posted to the IRS website, the tax collector's Commissioner Chuck Rettig said the agency is looking to deploy an authentication mechanism without facial recognition.
"The IRS takes taxpayer privacy and security seriously, and we understand the concerns that have been raised," said Rettig. "Everyone should feel comfortable with how their personal information is secured, and we are quickly pursuing short-term options that do not involve facial recognition."
The IRS last November announced that it intended to adopt a new identity verification and sign-in process to allow people to access their tax records online. The agency said it would ask people to provide an image of a suitable identification document and an image or video of their face so ID.me, its private sector partner, could verify their identity.
The tax agency gave ID.me an $86.1m contract to deploy face-based verification for taxpayers this summer. But lawmakers from both sides of the aisle over the past week urged the IRS to rethink its verification initiative.
- US Treasury wants to treat cryptocurrencies like cash – as in you need to report $10k+ transactions
- It is with a heavy heart that we must tell you America's richest continue to pay not quite as much tax as you do
- Former Cisco exec jailed for fraud, dodging taxes
- Robocall bagmen admit they collected millions of dollars from victims scammed by bogus IRS officials, lenders
On Monday, four Democratic members of Congress sent a letter to Rettig asking the agency to halt its plan to deploy facial recognition technology and to find another way.
"We write to you with great concern regarding the IRS’s plan to employ face recognition software requiring millions of Americans to have their face scanned by a private contractor," said Congressman Ted Lieu (D-CA), Congresswoman Anna Eshoo (D-CA), Congresswoman Pramila Jayapal (D-WA), and Congresswoman Yvette Clarke (D-NY) in their letter. "Any government agency operating a face recognition technology system – or contracting with a third party – creates potential risks of privacy violations and abuse."
The four lawmakers cautioned that a 2019 cyberattack on a Customs and Border Protection Agency contractor exposed the face images and license plates of thousands of US travelers, and noted how the cybersecurity risk posed by the IRS plan is far greater.
They expressed concern about the likelihood of biased facial recognition algorithms and the agency's lack of transparency in its dealings with ID.me.
Senator Wyden also wrote to IRS Commissioner Rettig on Monday [PDF], urging that facial recognition technology not be deployed.
"While the IRS had the best of intentions — to prevent criminals from accessing Americans’ tax records, using them to commit identity theft, and make off with other people’s tax refunds — it is simply unacceptable to force Americans to submit to scans using facial recognition technology as a condition of interacting with the government online, including to access essential government programs," said Wyden.
IRS plans also anger Republicans
On Friday, Congressman Bill Huizenga (R-MI), proposed the Facial Authorization Cannot be Enforced Act or FACE Act to the House of Representatives [PDF], a bill that seeks to prevent the IRS from using facial recognition software and storing the faces of American taxpayers in a database.
Huizenga, like his colleagues from across the aisle, shows little faith that the IRS can keep its IT systems secure and worries that facial recognition data would be used against Americans by enemies outside and inside the country.
"The IRS' desire to use facial recognition software should be concerning to every American," said Huizenga in a statement. "The federal government or a vendor it employs should not be requiring Americans to submit to facial recognition in order to access basic IRS services."
ID.me responded to a request for comment on the opposition to the deal minutes before Senator Wyden announced the deal was dead.
"We are committed to working together with the IRS to implement the best identity verification solutions to prevent fraud, protect Americans’ privacy, and ensure equitable, bias-free access to government services," a spokesperson said a statement emailed to The Register.
"To date, IRS and ID.me have worked together to substantially increase the identity verification pass rates from previous levels. These services are essential to helping prevent government benefits fraud that is occurring on a massive scale."
Asked to comment on the deal's demise, it responded "We would refer you to the IRS with any questions on this issue," so that's the buck firmly passed.
The Register asked the Government Services Administration to confirm a report that it has ruled out using facial recognition in conjunction with its own Login.gov system. But the GSA had not responded at the time this story was filed.
Fight the Future, an advocacy group opposed to facial recognition, applauded the Treasury Department decision.
"This is great news – we’re thrilled that the IRS listened to the public, privacy experts and legislators and has decided away from this truly terrifying technology," said campaign director Caitlin Seeley George.
"This move will help protect the rights and security of millions of people. We also want all of this energy to continue to push other agencies like the VA and the Social Security Administration, as well as states using ID.me for unemployment benefits, to end their contracts and commit to finding options that protect peoples’ privacy and rights." ®
Updated to add
In a statement emailed after this story was published, Dave Zvenyach, Director of Technology Transformation Services at the GSA, said the agency isn’t presently planning to use facial recognition technology for its Login.gov service, which is used at multiple government agencies.
"GSA’s Login.gov’s secure sign-in service ensures users are properly authenticated for agency services," explained Zvenyach. "In addition, Login.gov provides identity verification services.
"Although the Login.gov team is researching facial recognition technology and conducting equity and accessibility studies, GSA has made the decision for now not to use facial recognition, liveness detection, or any other emerging technology in connection with government benefits and services until rigorous review has given us confidence that we can do so equitably and without causing harm to vulnerable populations."
- Advanced persistent threat
- Black Hat
- Bug Bounty
- Common Vulnerability Scoring System
- Cybersecurity and Infrastructure Security Agency
- Cybersecurity Information Sharing Act
- Data Breach
- Data Protection
- Data Theft
- Digital certificate
- Government of the United Kingdom
- Identity Theft
- Insider Trading
- Kenna Security
- Palo Alto Networks
- Privacy Sandbox
- Quantum key distribution
- Remote Access Trojan
- RSA Conference
- Trusted Platform Module
- Zero trust