Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

IRS Will Cease Use of Facial Recognition for Identity Verification

February 9, 2022

Thank heavens, the IRS has come to its senses.  CyberScoop reported on February 7 that the IRS will cease using a third-party authentication service that uses facial recognition technology to verify new online accounts.

The transition will take place “over the coming weeks in order to prevent larger disruptions to taxpayers during filing season,” an IRS news release states.

The change in plan is attributable to growing concerns from both advocates and lawmakers that the agency’s decision to put the biometric data of millions of Americans into the private sector’s hands posing enormous privacy and security risks.

The IRS said it is working on developing an authentication process that does not involve facial recognition and will continue to collaborate with government partners to develop new authentication methods to protect taxpayer data.

“The IRS takes taxpayer privacy and security seriously, and we understand the concerns that have been raised,” said IRS Commissioner Charles Rettig. “Everyone should feel comfortable with how their personal information is secured, and we are quickly pursuing short-term options that do not involve facial recognition.”

The IRS, part of the Treasury Department, says it will continue to accept tax filings during the transition.

The agency announced in November that starting in summer 2022 all individuals wishing to use its online portal to access tax records and make payments would be required to register through identity verification company ID.me. An attempt in January to use the system by journalist Brian Krebs brought attention to the transition — and concerns about the company’s verification times and customer service.

Questions about the IRS’s contract with the ID.me grew more frequent after it disclosed it lied about not using a stronger form of facial recognition technology that research shows pose greater risks of inaccuracy and racial bias.

The IRS previously used ID.me in 2021 to enroll recipients of advance child tax credit payments.

“The Treasury Department has made the smart decision to direct the IRS to transition away from using the controversial ID.me verification service, as I requested earlier today” Sen. Ron Wyden, D-Ore., said in a statement. “I understand the transition process may take time, but I appreciate that the administration recognizes that privacy and security are not mutually exclusive and no one should be forced to submit to facial recognition to access critical government services.”

Wyden is one of more than a dozen lawmakers who wrote to the agency in the last week urging it to reevaluate or cease its use of facial recognition.

Have I mentioned recently how much I love Senator Wyden?

It’s not clear how many Americans have already registered for IRS accounts through ID.me. The IRS declined to answer any questions on what would happen to that data of users who registered for ID.me accounts, though ID.me has previously said that user data is kept for 7.5 years after an account is deleted, per federal guidelines.

The IRS is far from the only government agency contracting with ID.me. The company provides identity verification services to nine other government agencies including the Veteran’s Affairs Administration and Social Security Administration, as well as verification services for 30 states’ unemployment benefits programs. Advocates say that they’ll now be turning their attention to calling on other federal agencies to end their contracts.

And so they should, in my opinion.

“No one should be coerced into handing over their sensitive biometric information to the government in order to access essential services,” Caitlin Seeley George, campaign director at Fight for the Future, wrote in a statement. “The lawmakers who led the charge against the IRS use of this technology should immediately call for an end to other agencies’ contracts, and there should be a full investigation into the Federal government’s use of facial recognition and how it came to spend taxpayer dollars contracting with a company as shady as ID.me.”

ID.me declined to comment. I wonder why. Not.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225, Fairfax, VA 22030
Email: Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson