IRS to halt use of facial recognition tech after pressure from Congress, privacy experts

Members of Congress are turning up the heat on the IRS over its planned use of facial recognition for taxpayers seeking to access their IRS.gov accounts. Pictured: The IRS building on April 15, 2019, in Washington. (Photo by Zach Gibson/Getty Images)

*This article was updated to reflect the IRS decision to transition away from facial recognition technology.

The IRS announced it will "transition away" from using third-party identity verification services that use facial recognition in the coming weeks, an about-face from earlier plans to make the use of "video selfies" mandatory for taxpayers to access their IRS.gov accounts later this year.

"During the transition, the IRS will quickly develop and bring online an additional authentication process that does not involve facial recognition. The IRS will also continue to work with its cross-government partners to develop authentication methods that protect taxpayer data and ensure broad access to online tools," the agency said in a release sent to reporters today.

With this decision, the IRS becomes the latest government agency to see its plans for widespread use of facial recognition crash and burn in the face of scrutiny from digital rights experts and members of Congress. It comes two years after Customs and Border Protection similarly backed off plans to require travelers coming in and out of the United States, including U.S. citizens, to undergo biometric screening. The controversies highlight the tricky balance agencies face as they try to improve services through emerging technologies and crack down on rampant fraud and identity theft, all without compromising privacy and civil liberties.

The agency said the transition is not expected to interfere with tax season or the ability of citizens to file for returns or pay their taxes. The agency said people "should continue to file their taxes as they normally would."

“The IRS takes taxpayer privacy and security seriously, and we understand the concerns that have been raised,” IRS Commissioner Chuck Rettig said in a statement. “Everyone should feel comfortable with how their personal information is secured, and we are quickly pursuing short-term options that do not involve facial recognition.”

The shift comes as multiple Democratic and Republican members of Congress in the House and Senate wrote to the IRS over the past week asking the agency to halt its use of ID.me’s facial recognition system to verify the identity of taxpayers before they can access their IRS.gov accounts. Members asked that the agency consider alternatives that do not rely on the same technologies.

Senator Ron Wyden, D-Ore., sent a letter to IRS Commissioner Charles Rettig saying that while there were “good intentions” behind the effort to use facial recognition as a means to crack down on fraud and identity theft, it remains “unacceptable” to force Americans to submit their photos in order to access their accounts.

“I write to urge the Internal Revenue Service to reverse its recently announced implementation of facial recognition screening software for Americans who wish to access their historical tax documents online,” Wyden wrote. “The IRS does not use facial recognition for tax filing or to receive a refund, and the agency should not require facial recognition for any of the other important services it provides taxpayers.”

Wyden cited “serious privacy and civil liberties issues” around many facial recognition algorithms and said it was “alarming” to see the IRS become the latest government agency to use a commercial third-party provider for core parts of their technology infrastructure.

Wyden’s letter was first reported by CyberScoop.

Last year, the General Services Administration received $187 million from the Technology Modernization Fund to build new cybersecurity capabilities into Login.gov, outlining three areas of focus for the project that include enhanced capabilities around cybersecurity and identity verification.

"First, it will increase cybersecurity identification and protection for current and future users. Second, it will add equitable identity verification and in-person options for vulnerable populations. Third, it will grow the Login.gov environment by reducing the barrier to entry for agencies to allow for Login.gov to increase usage to a higher percentage of citizen participation," the GSA said last year.

Wyden said such technologies and the data they create should be owned, operated and secured by the government, and he pointed to Login.gov, a single sign-on service the government developed for citizens when accessing government websites, as a possible long-term alternative. While Login.gov “has not yet reached its full potential,” Wyden noted it is already used for more than 200 websites across 28 federal agencies and does not rely on facial recognition or one-to-one matching to verify identities, and pilot programs by the Department of Veterans Affairs and the United States Postal Service rely on human verification protocols. Further adoption by agencies like the IRS could help further mature the technology to make it a suitable alternative for verifying the identities of IRS.gov account holders in the future.

The same day, Reps. Ted Lieu, D-Calif., Anna Eshoo, D-Calif., Pramila Jayapal, D-Wash., and Yvette Clarke, D-N.Y., also wrote to Rettig, saying the decision to place potentially highly sensitive tax-related biometric information in the hands of a private company makes it “a prime target for cyberattacks.” As an example, they pointed to the 2019 hack of Perceptics, a CBP subcontractor, that resulted in the publishing of thousands of photos of travelers – including U.S. citizens, their cars, license plate numbers and other information.

At the time, CBP officials told Congress that the photo database created by Perceptics to store the information was not authorized in contract language and that “the contractor physically removed the photographs from the camera itself and put it onto their own network ... in violation of contract.”

Nevertheless, Lieu, Eshoo, Clarke and Jayapal said the scope of damage to American privacy if a similar incident were to happen with the IRS would be much graver.

“The subcontractor cyberattack and ensuing fallout was significant, but the cybersecurity risk with the IRS’s plan is far greater: millions of Americans use the IRS website annually for a variety of vital functions, and, as a result, each of them will be forced to trust a private contractor with some of their most sensitive data,” the members wrote.

The members also highlight 2019 research from the National Institute of Standards and Technology showing accuracy and bias issues that some facial recognition algorithms have around detecting and matching people with darker skin hues, particularly African-American, Asian-American and Native American faces. They also raise concerns about how transparent ID.me has been regarding its use of one-to-many matching, which CEO Blake Hall initially called “problematic” and denied using before reversing course days later and admitting they relied on the practice to detect fraud.

In addition to calling on the IRS to halt the program, the members are asking why ID.me’s use of one-to-many matching wasn’t included in the agency’s Privacy Impact Assessment, what internal agency review process was used to determine that ID.me’s database of photos does not pose a data breach risk, what alternatives to using facial recognition were considered, whether the agency engaged with privacy or civil liberties stakeholders before moving forward and what “guardrails” are in place to prevent other agencies from tapping into the database for other uses.

Last week, Sen. Roger Wicker, R-Miss., sent his own letter to Rettig outlining similar concerns.

SC Media has reached out to the IRS for comment.

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.
