The Internal Revenue Service is dropping a controversial facial recognition system that requires people to upload video selfies when creating new IRS online accounts.
“The IRS announced it will transition away from using a third-party service for facial recognition to help authenticate people creating new online accounts,” the agency said on Monday. “The transition will occur over the coming weeks in order to prevent larger disruptions to taxpayers during filing season. During the transition, the IRS will quickly develop and bring online an additional authentication process that does not involve facial recognition.“
The IRS has been using the third-party system ID.me for facial recognition of taxpayers. Privacy and civil rights advocates and lawmakers from both major parties have objected to the system. The IRS wasn’t demanding ID.me verification for filing tax returns but was requiring it for accessing related services, such as account information, applying for payment plans online, requesting transcripts, and the Child Tax Credit Update Portal.
The ID.me system is “using Amazon’s controversial Rekognition technology” and had verified 20.9 million users’ selfies by January 25, Bloomberg wrote. The Treasury Department last year signed a two-year, $86 million contract with a vendor to deploy and maintain ID.me software.
US Sen. Ron Wyden (D-Ore.), chair of the Senate Finance Committee, was among those who called on the IRS to scrap the system. “The Treasury Department has made the smart decision to direct the IRS to transition away from using the controversial ID.me verification service, as I requested earlier today,” Wyden said after Monday’s announcement. “I understand the transition process may take time, but I appreciate that the administration recognizes that privacy and security are not mutually exclusive and no one should be forced to submit to facial recognition to access critical government services.”
The IRS process involves uploading a photo of an ID (such as a license or passport) along with a video selfie, which are compared against each other to verify the user’s identity. ID.me explains that, if the process fails, “you will be routed to verify your identity over a video call with an ID.me Trusted Referee… You will need to show your identity documents to an ID.me Trusted Referee along with a selfie (a photo of yourself) to complete your identity verification.”
ID.me verification was already required for people creating new IRS accounts. There was a phase-in approach for people who previously created IRS online accounts—the IRS said in November that those people can use their credentials until summer 2022 and will be “prompted to create an ID.me account as soon as possible.”
A group of 15 Republican senators last week wrote a letter to IRS Commissioner Chuck Rettig, saying the “IRS has unilaterally decided to allow an outside contractor to stand as the gatekeeper between citizens and necessary government services.” The senators objected to “intrusive verification measures” and the fact that “ID.me is not subject to the same oversight rules as a government agency.”
Another letter urging the IRS to abandon the facial recognition technology was sent Monday by four Democratic House members. “Americans will be forced to put sensitive data into a biometric database, which is a prime target for cyberattacks,” they wrote.
The Democrats illustrated the risk by pointing to a 2019 “cyberattack on a US Customs and Border Protection (CBP) subcontractor [that] exposed the face images and license plates of thousands of US travelers. The subcontractor cyberattack and ensuing fallout was significant, but the cybersecurity risk with the IRS’s plan is far greater: millions of Americans use the IRS website annually for a variety of vital functions, and, as a result, each of them will be forced to trust a private contractor with some of their most sensitive data.”