The IRS announced on Monday it’s dropping plans to require taxpayers to sign up for and use facial recognition software. The plan had been to require people to use a service provided by a third-party company, ID.me, to verify their identities when accessing documents or making payments online. It was already being rolled out for people who created new online accounts this year, and was going to kick in for existing accounts by this summer.
The decision comes after backlash from advocates and lawmakers over privacy concerns. Tonya Riley, a privacy and cybersecurity reporter at CyberScoop, joins us to discuss. The following is an edited transcript of our conversation.
Tonya Riley: The idea that the IRS wanted to use facial recognition just so people could log on to an account to see their tax records was not one that was very well received by privacy advocates, civil liberties advocates and, maybe more surprisingly, members from both parties in Congress. There were a lot of concerns about such a massive amount of Americans’ data being collected by a third-party private company. We’re talking about biometric data — this isn’t something like your credit card number. You can’t replace your face in quite the same way. There were a lot of concerns, you know, what is this company? What are they doing to secure this data? Why does the IRS need to use facial recognition? And there just weren’t many answers from the agency, so we saw a lot of lawmakers acting quite swiftly to try to get those answers and privacy and security advocates saying, “Hey, this is a really bad idea.”
Kimberly Adams: What is the IRS doing now?
Riley: The IRS announced on Monday that it would no longer be using the service ID.me. And what it’s going to do instead is develop a separate identity verification process that doesn’t require facial recognition. We don’t know exactly what that’s going to look like yet. The IRS said it’s working with other government agencies. So there’s not quite a sense of … we don’t have a new company name or a new product name. But we know that this next one isn’t going to require facial recognition technology. And in the interim, they want people to know that they can still file their taxes, that this should not interrupt the tax process. But in terms of long-term changes, we’re going to see a much different system, going forward.
Adams: It begs the question, Why didn’t they just do that to begin with?
Riley: I think that’s a question a lot of people had initially. So, the federal government does have its own log-on service. It’s called “login.gov,” which sounds fake, but it’s a real program. One of the problems is that that service did not have the same level of verification technology, so it couldn’t do face matching in the way that ID.me does. It doesn’t necessarily require facial recognition, and login.gov has very explicitly said it won’t use facial recognition. It just wasn’t quite ready for full use yet. So I think now we’re going to see a stronger investment in that program and hopefully, moving forward, there’s a little more interest, I think, from lawmakers, in seeing the government build out this kind of technology on its own, rather than sourcing it out to the private sector.
Adams: The IRS is not the only government agency that uses ID.me, right?
Riley: That’s correct. There are nine other federal agencies that use it, including the Social Security Administration, and the Department of Veterans Affairs. There are also 30 different states that use it, primarily for unemployment benefits. From what I hear from activists, the next step in this is trying to get these other agencies to cancel their contracts, pressing lawmakers to ask these other agencies, “What’s going on with your contracts? Why is this being used?”. We also still don’t have a lot of answers in terms of why the IRS decided to use facial recognition in the first place. So, I think we’re going to see some questions that need to be answered there. How did this happen?
Adams: I can’t help but wonder, if this was being used in nine other government agencies, in all of these states, why was its use by the IRS that triggered all this backlash?
Riley: I think part of the issue with the state use is that we’ve known for a while that individuals in different states were having issues with this technology, but I don’t think people quite saw it a comprehensive picture. For some of these other agencies, the uses weren’t as explicit as like, you know, people thought they were going to have to sign on to ID.me just to file taxes with the IRS. And any time you talk about taxes and privacy, you’re going to get people on both sides of the political spectrum very interested. And so I think this was just a matter of timing and activists being able to mobilize very quickly to bring attention to it, and lawmakers paying attention to it very quickly, which we all know doesn’t happen quite that often. So it was kind of the perfect storm of everyone stepping back and saying, “Wait a minute, we’re not sure that should be happening.”
Adams: This isn’t the first time that ID.me has faced some public criticism over its software. What’s been their defense, typically?
Riley: ID.me has been emphatic in face of all criticism that they are offering the best technology that the government could use right now — to clamp down on fraud, to provide individuals with a faster way of getting to government services, in terms of their product’s accuracy, in terms of their customer service. They’ve been very consistently emphatic that their product is accurate, that there aren’t concerns with racial bias and that they’re giving the government something that it just can’t do it on its own right now.
Related Links: More insight from Kimberly Adams
Here’s the official statement from the IRS about this “transition,” as the agency is calling it, which emphasizes the change will not interfere with the taxpayer’s ability to file their return this year, or pay taxes.
So, sorry, you can’t use this as an excuse.
This story is moving pretty quickly. Here’s a link to Tonya’s reporting on CyberScoop with the latest on this.
And for a bit more how ID.me became the government’s go-to on facial recognition, here’s a Bloomberg story that gets into that history.
ID.me has been highlighting the cases of attempted fraud its identify verification services have interrupted, including by people who try to use costume masks to trick the software.
ID.me told us four states have credited the company with helping prevent $210 billion in fraud.
One thing that came up as I was talking with Tonya is that it’s not quite clear yet what happens to all the taxpayer biometric data ID.me already has in its possession. She says that under federal regulations, had the contract stayed in place, the company would have kept that data for seven-and-half years.
We asked the company what happens to that data now, and a spokesperson told us to check with the IRS.
It’s tax season and they are a little busy … so we may have to wait a bit to find out.
The future of this podcast starts with you.
Every day, the “Marketplace Tech” team demystifies the digital economy with stories that explore more than just Big Tech. We’re committed to covering topics that matter to you and the world around us, diving deep into how technology intersects with climate change, inequity, and disinformation.
As part of a nonprofit newsroom, we’re counting on listeners like you to keep this public service paywall-free and available to all.