Did ID.me hoodwink Americans with IRS facial-recognition tech?
Senators want the FTC to investigate "evidence of deceptive statements"
Democrat senators want the FTC to investigate "evidence of deceptive statements" made by ID.me regarding the facial-recognition technology it controversially built for Uncle Sam.
ID.me made headlines this year when the IRS said US taxpayers would have to enroll in the startup's facial-recognition system to access their tax records in the future. After a public backlash, the IRS reconsidered its plans, and said taxpayers could choose non-biometric methods to verify their identity with the agency online.
Just before the IRS controversy, ID.me said it uses one-to-one face comparisons. "Our one-to-one face match is comparable to taking a selfie to unlock a smartphone. ID.me does not use one-to-many facial recognition, which is more complex and problematic. Further, privacy is core to our mission and we do not sell the personal information of our users," it said in January.
That would suggest ID.me created a system in which people provide a photo of themselves when creating an account, and when they try to log in, their picture is taken again and compared against the photo on file, and if it matches, they are authenticated. It may not be a perfect solution, as some facial-recognition tech struggles with women and people of color, though it's simple enough: you're either who you say you are, or not.
Just days later, however, CEO Blake Hall revealed ID.me does, in fact, use one-to-many facial recognition at some point. "ID.me uses a specific 'one-to-many' check on selfies tied to government programs targeted by organized crime to prevent prolific identity thieves and members of organized crime from stealing the identities of innocent victims en masse," he wrote in a LinkedIn post.
Now, Senators Ron Wyden (D-OR), Cory Booker (D-NJ), Ed Markey (D-MA), and Alex Padilla (D-CA) claim the company "likely misled consumers" through its messaging. It appears the four are unhappy that the biz went from saying: we do one-to-one matching only, to well, OK, a small amount of one-to-many, too.
"We therefore request that you investigate evidence of ID.me's deceptive public statements to determine whether they constitute deceptive and unfair business practices under the Section 5 of the FTC Act," the lawmakers wrote in a letter [PDF] addressed to FTC chair Lina Khan.
One main problem with one-to-many matching is that your face is compared against a wider database of images, those of other people as well as your own. This means you can be mistaken for someone else, and accused of trying to defraud someone or creating multiple fake accounts. There's also the elevated security and privacy risk of storing such a database of images.
Staff at the biz were concerned by the claims that ID.me was only using one-to-one face matching when they knew internally the startup was, in fact, using Amazon's one-to-many Rekognition technology. "We could disable the 1:many face search, but then lose a valuable fraud-fighting tool. Or we could change our public stance on using 1:many face search," an engineer said in a message posted in a company Slack channel, first reported by Cyberscoop. "But it seems we can't keep doing one thing and saying another as that's bound to land us in hot water."
Hall in his LinkedIn post claimed ID.me uses a one-to-many facial recognition system only during enrollment to prevent a person from registering multiple accounts, and that its database for this purpose was for internal use only and not part of a government program. This is, by the way, despite earlier denials and references to the method being "tied to surveillance applications."
That follow-up clarification by the CEO, seemingly provoked by displeasure among its staff, has got the Dems fired up: they would prefer organizations to be clear and upfront about biometric data use.
"According to media reports," the senators wrote, "the company's decision to correct its prior misleading statements came after mounting internal pressure from its employees ... ID.me's statements, therefore, appear deceptive, and were harmful in two ways.
"First, they likely misled consumers about how the company was using their sensitive biometric data, including that it would be stored in a database and cross-referenced using facial recognition whenever new accounts were created in the future. Second, the statements may have influenced officials at state and federal agencies as they chose an identity verification provider for government services.
"These officials had the right to know that selecting ID.me would force millions of Americans – many of them in desperate circumstances – to submit to scanning using a facial recognition technique that ID.me itself acknowledged was problematic."
A spokesperson for ID.me did not directly address our questions on how it came to find itself correcting its own statements on its tech use. The spokesperson, instead, pointed to how the company's facial-recognition technology has helped government agencies detect fraud.
"Five state workforce agencies have publicly credited ID.me with helping to prevent $238 billion dollars in fraud," they said in a statement to The Register. "Conditions were so bad during the pandemic that the deputy assistant director of the FBI called the fraud 'an economic attack on the United States'.
"ID.me played a critical role in stopping that attack in more than 20 states where the service was rapidly adopted for its equally important ability to increase equity and verify individuals left behind by traditional options. We look forward to cooperating with all relevant government bodies to clear up any misunderstandings." ®