US tax agency waives facial recognition
U.S. citizens will not have to use facial recognition to access their records with the IRS in the future. The authority announced on Monday that it will no longer use the system going forward. Members of parliament had previously warned of the consequences of a data leak, among other things.
The U.S. tax agency said on Monday it would “quickly” develop a new authentication system without facial recognition. The switch should take place in the coming weeks, it said. The tax agency did not yet provide further details on the new system.
Originally, starting in the summer of 2022, all users were to be required to use the company’s ID.me system to access their tax records online. The IRS had already begun with the implementation. Those who did not yet have a user account had to register with ID.me. Only those already registered were to be able to log in with a password until the summer. For online identification, taxpayers would have had to photograph, for example, their driver’s license and film themselves via smartphone or webcam. ID.me then uses facial recognition to automatically compare whether it is the same person.
The IRS’s plans had drawn sharp criticism. “We understand the concerns that have been raised,” commented the IRS Commissioner, Chuck Rettig. However, the authority did not provide further details on the decision.
The IRS also did not respond to an inquiry from The Washington Post about what will now happen to the data of citizens who have already registered with ID.me. While individuals can, in principle, have their biometric data stored with ID.me deleted, the Washington Post refers to an IRS document that says the company is required to keep the data for at least seven years. According to the company, ID.me also stores millions of facial images to detect identity theft.
Representatives spoke out against plans
Last week, Republican Senators had criticized the plans, warning that users would have to submit sensitive biometric data to ID.me. By yesterday (Monday), Democratic congressmen and congresswomen had also joined the criticism, calling on the IRS to halt the deployment of the system.
Like privacy activists before them, they had pointed out that the biometric data used for facial recognition cannot be changed. Individuals can be identified by it for the rest of their lives. In this context, the deputies warned of the risk that this sensitive data could be compromised by an IT attack.
On Monday, Democratic U.S. Senator Ron Wyden had also called on the Internal Revenue Service to abandon facial recognition. Instead, he said, the agency should rely on the government-run service Login.gov. Doing so would involve personal verification of users’ identities, such as by the United States Postal Service. He also criticized working with a private company. The digital infrastructure of the authorities should be operated by the government, he said.
Unreliable technology
Democratic senators had also criticized the use of facial recognition software because it is considered unreliable. They cited a 2019 study by the U.S. National Institute of Standards and Technology. According to the study, the error rate for people with dark skin color is 10 to 100 times higher than for white people. Women of darker skin color experience the highest rate of misidentification. The deputies cautioned that marginalized groups could thus be denied access to IRS online services.
ID.me had claimed that internal testing of the technology found no evidence of racial or gender discrimination. However, congressmen criticized that the alleged test results had never been made public. Earlier, computer scientist Joy Buolamwini, who researches discrimination through facial recognition, had criticized ID.me for misinterpreting or not citing earlier research findings in its reports.
Other agencies to follow suit
On Monday, the civil liberties’ organization Surveillance Technology Oversight Project welcomed the Internal Revenue Service’s decision. However, Albert Fox Cahn, director of the organization, also criticized the agency by saying it should never have considered using the controversial technology. “Facial recognition is biased, error-prone and invasive.” When using facial recognition technology, he said, it is a “question of when, not if, the biometric data will be hacked, leaked or misused.”
Other U.S. agencies are also using ID.me. CNN had already reported last year on its use at half of the employment offices in all U.S. states, among others. According to the Washington Post, some 70 million Americans have so far had their identity checked using the system, for example to apply for unemployment benefits. The Social Security Administration also uses the ID.me service.
Together with other organizations, the Surveillance Technology Oversight Project is now calling on these agencies to cancel their contracts with ID.me as well. Cahn commented, “No one should have to hand over their biometric data to access what they’re entitled to by law.” (js)