The new biometric authentication of US taxpayers has been criticized by users and Congressmen over privacy and data security concerns, according to MSN.
IRS signed a two-year $86 million contract with ID.me, which collects the required videos with users’ faces, and there is no law regulating the IRS’ subcontracting with the firm. Meanwhile, the IRS website is the most frequented of all the government services, with around 1.9 billion visits last year.
ID.me participation has raised concerns over the safety of personal facial images and personal information. Congressman Ron Wyden (D-Ore.) tweeted that he was “very disturbed” by the subcontracting revelations.
Rep. Ted Lieu (D-Calif.) also called it a “bad idea” that would further undermine the privacy of American users.
The Senate Finance Committee was said to be planning briefings with the IRS and ID.me on the issue, a committee aide said.
“No one should be forced to submit to facial recognition as a condition of accessing essential government services," Wyden said in a separate statement. "I’m continuing to seek more information about ID.me and other identity verification systems being used by federal agencies.”
The Department of the Treasury is reportedly “looking into” alternatives to ID.me, and some reports speculated that it is also considering alternatives to facial recognition.
“Given the many problems in the filing season just underway, it is a stretch to launch an initiative of this sensitivity in the present circumstances,” said Mark Everson, the vice-chairman of the tax services firm Alliantgroup and a former IRS commissioner.
Meanwhile, 70 million Americans filed applications for unemployment insurance, pandemic assistance grants, child tax credit payments or other services were scanned by the McLean, Va.-based company, “which says its client list includes 540 companies; 30 states, including California, Florida, New York and Texas; and 10 federal agencies, including Social Security, Labor and Veterans Affairs,” according to MSN.
According to Jeramie D. Scott, senior counsel of the Electronic Privacy Information Center, a research group in Washington, the IRS’ outsourcing of facial identification to a private company may “weaken the public’s ability to know how information is being used, especially because no federal laws govern how facial recognition should work nationwide.”
“You go from a government agency, that at least has some obligation under the Privacy Act and other laws, to a third party, where [there’s a] lack of transparency and understanding, and the potential risks go up,” he said. “We haven’t even gone the step of putting regulations in place and deciding if facial recognition should even be used like this."
He added that this technology "has clearly been shown to be dangerous and has issues with accuracy, disproportionate impact, privacy and civil liberties."
Equifax, a credit-reporting firm that previously confirmed taxpayers’ personal information for the IRS, had its $7 million contract dropped in 2017 after hackers leaked the data of 148 million people.
India McKinney, director of federal affairs for the Electronic Frontier Foundation, a digital civil liberties group, told the Boston Globe that taxpayers will have no option except to use the IRS' services, as it hasn’t provided a non-biometric way to log in.
“You cannot opt out of paying taxes,” she said. “This is kind of a big deal, and it’s bad.”
According to Blake Hall, ID.me’s co-founder and chief executive, the company meets strict safety standards.
At the same time, ID.me’s privacy policy says that the company has the right to share personal data when cooperating with “law enforcement activities.” The company, which reportedly stores “tens of millions of face scans in a database to look for identity theft,” is obliged to keep the records for seven years due to federal auditing rules.
According to Hall, the company warns its clients when it detects “clear cases” of fraud. He also noted that facial recognition is similar to ID checks in banks and said that ID.me has digitalized “a process Americans are already quite used to.”
Responding to concerns over the IRS’ contract with a private firm, Hall said the government’s previous attempts to validate its clients were less effective than ID.me’s, as “the government is not fast enough to innovate on the access and security side.”