Update: Amid IRS' Pullback, ID.me Offers Alternative Solution
Users Can Choose to Verify Their Identity With an Expert Human Agent Instead of Facial Recognition
The U.S. Internal Revenue Service says it will pull back its plans to use facial recognition for authentication of new users of its online accounts due to concerns about potential cybersecurity, accuracy and software bias issues. Concerns were also voiced around the lack of transparency in the agency's contract with third-party vendor ID.me, which has now made new proposals.
"The IRS takes taxpayer privacy and security seriously, and we understand the concerns that have been raised," IRS Commissioner Chuck Rettig says in an IRS statement. "Everyone should feel comfortable with how their personal information is secured, and we are quickly pursuing short-term options that do not involve facial recognition," says the statement.
The IRS says that it will "transition away" from its third-party contractor ID.me's facial recognition technology "over the coming weeks in order to prevent larger disruptions to taxpayers during filing season." It will instead develop and use an additional authentication process that does not use facial recognition technology, the statement says.
The agency did not respond to Information Security Media Group's request for additional details on the alternative authentication process, but ID.me has subsequently announced a new option to verify identity without using the automated facial recognition technology and plans a definitive rollout of this option to all its public sector government partners soon.
"We have listened to the feedback about facial recognition and are making this important change, adding an option for users to verify directly with a human agent to ensure consumers have even more choice and control over their personal data," Blake Hall, founder and CEO of ID.me, says in the statement.
"In recent weeks, we have modified our process so government agencies can empower people to choose to verify their identity with an expert human agent without going through a selfie check. Agencies can now select this configuration. Additionally, all ID.me users will be able to delete their selfie or photo at account.ID.me beginning on March 1."
According to Hall, ID.me's trained agents have already verified more than 3 million Americans, including the unbanked, homeless and international users. The new alternative of verification from ID.me is just an extension of this capability to include individuals who do not wish to use automated facial recognition at all, Hall says.
On Nov. 17, 2021, the IRS introduced an identity verification and sign-in process for those who wished to access and use the agency's online tools and applications. To provide the verification services, IRS partnered with third-party contractor ID.me, which offers similar solutions to at least five federal and six state agencies, according to its website.
At the time Rettig said that the new verification and sign-in process would offer easy accessibility of online tools and the ability to securely perform other routine online tasks. The process was developed under the Secure Access Digital Identity initiative and complies with a federal mandate, according to the earlier IRS notification.
But this process required taxpayers to create a new ID.me account to sign in to various IRS tools and applications. Also, to verify their identity with ID.me, taxpayers were required to provide a photo identity document such as a driver's license, state ID or passport, and take a selfie with a smartphone or webcam to verify their identity. Only then were they permitted to access IRS' online services.
The process is deemed to be secure and based on the guidelines of the federal mandate, but the collection of personal information and its use in a facial recognition algorithm have drawn flak from privacy advocates and lawmakers. Sen. Ron Wyden, D-OR, says in a letter to the IRS commissioner: "It is simply unacceptable to force Americans to submit to scans using facial recognition technology as a condition of interacting with the government online, including access to essential government programs." And Wyden tweeted, "Americans should not have to sacrifice their privacy for security."
This is big: The IRS has notified my office it plans to transition away from using facial recognition verification, as I requested earlier today. While this transition may take time, the administration recognizes that privacy and security are not mutually exclusive. https://t.co/jw7OR7dNo0 — Ron Wyden (@RonWyden) February 7, 2022
Reps. Ted W. Lieu, D-Calif., Anna Eshoo, D-Calif., Pramila Jayapal, D-Wash., and Yvette Clarke, D-N.Y., also sent a letter to the IRS commissioner, urging him to halt the facial recognition technology implementation plans and instead consult with various stakeholders before deciding on an alternative.
"Any government agency operating a face recognition technology system - or contracting with a third party - creates potential risks of privacy violations and abuse," the members write in the joint letter. "Aside from the cybersecurity risk, the accuracy and bias issues of face recognition systems disproportionately impact people of color," the members note, citing a 2019 National Institute of Standards and Technology study that says one-to-one matching algorithms "saw higher rates of false positives for Asian and African American faces" compared to white faces.
The representatives also say they are concerned about the lack of transparency in IRS' contract with ID.me. Citing a recent statement from the company, the members say that ID.me claims to not use one-to-many face recognition algorithms and yet, in a recent interview, its CEO revealed that "his company does, in fact, use one-to-many face recognition technology." The representatives say this is misleading.
The representatives also address the process of choosing a third-party contractor, alternatives for the facial recognition technology, review processes to mitigate data breach risks and steps taken to secure biometric data.
What Are the Alternatives?
While the IRS might use ID.me's new alternative to the facial recognition technology, Lecio De Paula Jr., vice president of data protection at cybersecurity firm KnowBe4, says it's essential to get the basics down pat.
A strong password requirement and a simple two-factor authentication can be the best alternative, given the time frame the IRS is working with to phase out the technology currently in use, De Paula Jr. tells ISMG.
"[It] is a much more inexpensive, less intrusive and unbiased way to secure the portal without needing to leverage a third party," he says. "Once one government agency adopts a standard, others begin to follow. If the United States had a robust privacy law that protected biometric information of individuals, that would be a different situation. Without any protection, adopting this [facial recognition] technology at this scale would be a privacy malpractice."
Wyden recommends the adoption of login.gov, a single sign-on service maintained by the U.S. General Services Administration. Congress was required to use the platform in 2015, according to a letter Wyden shared on Twitter.
Wyden says: "Login.gov is already used to access 200 websites run by 28 federal agencies and over 40 million Americans have accounts. Unfortunately, login.gov has not yet reached its full potential, in part because many agencies have flouted the Congressional mandate that they use it and because successive administrations have failed to prioritize digital identity. The cost of this inaction has been billions of dollars in fraud, which has in turn fueled a black market for stolen personal data and enabled companies like ID.me to commercialize what should be a core government service."
In a tweet, Wyden says, "While this transition may take time, the administration recognizes that privacy and security are not mutually exclusive."