The ranking Republican on the Senate Commerce, Science and Transportation Committee is pressing the IRS for details around how and why it decided to implement an identity verification system that relies on third-party vendor ID.me and requires taxpayers to submit photo “selfies” through a facial recognition system to access their personal tax data.
In a letter Thursday, Sen. Roger Wicker, R-Miss., asked IRS Commissioner Charles Rettig to answer a series of questions about the circumstances in which the new system — which will be mandatory for all taxpayers later this year if they want to access their personal accounts at IRS.gov — was developed and approved.
“Americans are increasingly being asked to provide greater amounts of information to government entities, businesses and other third parties to obtain necessary services,” Wicker wrote. “This trend has only accelerated since the start of the COVID-19 pandemic, as activities that were once largely conducted in person have moved online. The responsibility of Congress and the rest of the federal government to protect Americans’ data privacy and security is therefore greater than ever.”
Wicker outlines nine questions the committee minority wants answered by Feb. 17. They requested for information around how the IRS decided to make biometric identification mandatory for all taxpayers who use IRS.gov, whether any sort of opt out mechanisms will be made available, what controls or contractual language is in place to prevent selected vendor ID.me from misusing taxpayer information and what sort of assessments the IRS conducted around ID.me’s privacy and security controls and whether they are sufficient to protect against possible data breaches our unauthorized access.
He also wants to know if the IRS consulted with the National Institute for Standards and Technology — which has issued research that raises questions around accuracy and bias in some facial recognition algorithms — before settling on a mandatory biometric identity system, and if — as the Treasury Department told Bloomberg last week — it is considering a replacement vendor for ID.me.
“Given the sensitivity of the personal data that ID.me or a successor vendor will compile on many millions of Americans and the sensitivity of the financial and other data that this system is intended to protect, the IRS must treat its responsibility to protect the privacy and security of American taxpayers’ data with the utmost seriousness. Lawmakers must also be fully informed of the steps IRS is taking to live up to this responsibility,” Wicker wrote.
Wicker is the latest member of Congress to raise questions about the Internal Revenue Service's use of facial recognition and reliance on a private vendor to store and process photos. Sen. Ron Wyden, D-Ore., Rep. Ted Lieu, D-Calif., and others have expressed similar concerns in the past month. The cross-agency use and linkage of such biometric databases in government has become an increasing focus of lawmakers in recent years, many of whom question whether the underlying laws agencies cite to justify such programs were designed to authorize such systems.
ID.me is a popular vendor for governments, with contracts in place to provide similar identity verification services to at least 30 states and 10 federal agencies.
CEO Blake Hall initially claimed to reporters that his company only uses what is known as “1 to 1” matching for its facial recognition (meaning they only compare single photos of individuals to another single photo, such as a driver’s license, to determine a potential match). He also said his company does not rely on more “problematic” versions of facial recognition that match a submitted photo to massive databases of facial images in the hopes of finding a match. This method, known as “one to many” matching can lead to inaccurate results and misidentify matches of Asian Americans, African Americans and Native Americans relative to Caucasian Americans with differentials that “ranged from a factor of 10 to 100 times,” according to NIST.
Days after making the claim, Hall walked back those comments in a LinkedIn post, acknowledging that the company uses one to many matching “to prevent identity theft during enrollment.”
“After the 1:1 step, ID.me checks our own internal database of selfies to check for prolific attackers and members of organized crime who are stealing multiple identities. This 1:many check impacts less than .1% of overall users. These individuals are not blocked but re-directed to video chat verification with an expert team of agents,” Hall said in a statement sent to SC Media last week.
Digital civil liberties groups have argued that the mandatory IRS system will expand an already massive government biometric identity program and create a new pool of tens of millions of images that can be shared and used for purposes that go well beyond verifying a user’s identity for tax information. In a statement, Caitlin Seeley George, campaign director at Fight for the Future, said she was thankful the issue was getting attention from Congress and reiterated her organization’s blanket opposition to the use of such technologies by the federal government.
George said that “while these are critical questions that must be answered in order to ensure the IRS is doing its due diligence to fully protect taxpayers, there is no process that involves facial recognition or any biometric verification process that will ensure the safety of peoples’ information and rights.”