The US Department of the Treasury is looking for alternatives to controversial third-party facial recognition software it has introduced to enable people to access the website of the Internal Revenue Service (IRS) amid privacy concerns.
The IRS, which is the Treasury’s largest bureau and responsible for collecting the taxes of all American citizens and companies as well as enforcing tax laws, is reconsidering its use of ‘ID.me’, a Treasury spokesperson told news agency Bloomberg on 28 January. ID.me is an online identity verification service that requires users to submit a video selfie to verify themselves.
The federal agency’s move follows a report by a security blogger, Brian Krebs, who noticed a message on the IRS website directing taxpayers to create an account with ID.me. The IRS sign-in page reads: ‘If you have an existing IRS username, please create a new ID.me account as soon as possible. We’re bringing you an improved sign-in experience. You won’t be able to log in with your existing IRS username and password starting in summer 2022.’
The IRS announced its ‘new identity verification process to access certain IRS online tools and services’ on 17 November last year highlighting the use of ID.me, ‘a trusted technology provider’. In order to use basic services such as access individual account information, apply for a payment plan, request an ‘identity protection PIN’ or access the ‘Child Tax Credit Portal’, US taxpayers have to provide a photo of an identity document such as a driver’s licence, state ID or passport and also ‘take a selfie with a smartphone or a computer with a webcam’, a press release explained.
Designed to be ‘as secure as possible’
94.3 per cent of individual tax returns in the US were filed electronically in 2020, according to IRS statistics.
Anyone who does not want to use ID.me could opt against filing their taxes online, Treasury spokesperson Alexandra LaManna said in the 28 January statement. “There have been some wildly inaccurate statements regarding the use of selfies relating to paying and filing taxes,” the IRS wrote in a statement to tech news site Gizmodo. “The IRS emphasizes taxpayers can pay or file their taxes without submitting a selfie or other information to a third-party identity verification company.”
An ID.me account will nonetheless be needed to access all the other services mentioned above.
Over the course of the pandemic, ID.me was able to secure numerous government contracts. The US government currently employs the company to verify identities for social security, veterans’ affairs and state benefits. According to the Virginia-based company, it has 70 million users and maintains partnerships with 30 states and 10 federal agencies, as well as more than 500 companies.
In November, IRS commissioner Chuck Rettig said: “Identity verification is critical to protect taxpayers and their information. The IRS has been working hard to make improvements in this area, and this new verification process is designed to make IRS online applications as secure as possible for people.”
Yet criticism of the $86 million (about £64 million) ID.me contract with the IRS gained momentum with politicians and privacy advocates raising concerns about the company’s access to facial images. While LaManna stressed that the IRS would protect any data it receives and ‘believes in the importance of protecting the privacy of taxpayers’, she added that it has been ‘impossible’ for the IRS to develop its own cutting-edge identification programme due to a ‘lack of funding for IRS modernisation’.
ID.me clarifies ‘one to many’ check
ID.me’s founder and chief executive, Blake Hall, meanwhile, attracted fresh scrutiny on 26 January when he wrote in a LinkedIn post that the company uses ‘a specific “one to many” check on selfies tied to government programs targeted by organized crime to prevent prolific identity thieves and members of organized crime from stealing the identities of innocent victims en masse’. So-called ‘one to many’ facial recognition systems compare users to a database of (many) faces and are considered more susceptible to error and bias whereas ‘one to one’ checks match someone against a passport or ID card.
Just two days prior Hall had said in a statement: ‘ID.me does not use “one to many” facial recognition, which is more complex and problematic’. “I apologise for that,” Hall told news site Axios on 26 January. “My intent is never to mislead.” His statement was updated with a footnote clarifying that the ‘one to many’ check ‘is internal to ID.me and does not involve any external or government database’. It also is only to occur once during enrolment and is not tied to identity verification.
ID.me only recently confirmed that it uses US-headquartered company Amazon’s ‘Rekognition’ facial recognition system to compare new selfies to its internal database of selfies taken by users. Amazon has faced considerable criticism in recent years for selling Rekognition to police departments despite studies finding evidence of racial bias in the technology. In 2020, Amazon called for federal regulation of the technology and issued a one-year moratorium on police use of its system explaining ‘this might give Congress enough time to implement appropriate rules’. Last May, the company extended the moratorium until further notice, this time not commenting on the reasoning.