The IRS is backtracking from its decision to make facial recognition mandatory for people using its online services. The agency first announced that it would be using facial recognition for online identity verification in January, and that ID.me had been contracted to provide the technology that would power the system.
However, the IRS revealed that it was reconsidering that decision earlier this month, and has now confirmed that it will ditch facial recognition for another, non-biometric authentication option. The agency is yet to offer any details about its new system, stating only that it is transitioning away from facial recognition, and that the process would not have any impact on service availability during tax season.
The move is a response to pressure from Republicans and Democrats in both Houses of Congress. The IRS received letters from multiple Senators and Representatives in the past few weeks, all of whom raised privacy and technical concerns about the ID.me system.
In some cases, those concerns were about the government’s use of third-party systems more generally, and not about ID.me in particular. Critics noted that making a third party responsible for the entire IRS system would make that party a highly attractive target for cybercriminals, since it would be entrusted with extremely sensitive information about the US public. They raised the specter of the 2019 Perceptics hack, in which cybercriminals obtained face and license plate information from a CBP subcontractor, and stressed that an IRS breach would be an even greater liability.
US lawmakers expressed additional concerns about the accuracy of facial recognition, bringing up a separate 2019 NIST study that found evidence of considerable racial bias in many facial recognition systems. They also argued that the increased use of technology could potentially exclude people who do not have access to a stable internet connection and decent camera.
With regards to ID.me specifically, critics took issue with ID.me’s lack of transparency surrounding the IRS announcement. ID.me initially claimed that it does not use one-to-many facial recognition, though it has since acknowledged that it uses Amazon’s Rekognition platform for one-to-many matching internally to prevent the use of duplicates and stop identity theft. The company’s identity verification process is still based on one-to-one authentication, and uses technology from Paravision and iProov.
For their part, the lawmakers suggested that the IRS should be using a government-developed (and government-controlled) system instead of relying on an external contractor. They pitched the Login.gov single sign-on service as a potential solution for the IRS, noting that the platform is already being used by 28 federal agencies and more than 200 individual websites.
February 8, 2022 – by Eric Weiss