Cutting down on fraud is a worthy goal, but facial recognition should not be introduced so swiftly without clear guardrails around the data. The IRS hired a private company, ID.me, to handle the facial verification system, and it is currently required to store data for at least seven years due to IRS auditing requirements. While the company promises not to do anything with the data beyond share taxpayers’ selfies with authorities if a fraud issue comes up, there is no federal law regulating how this sensitive information can be used. And let’s not forget that hackers exposed the personal information of more than 140 million Americans when they broke into Equifax — itself once an IRS verification company. If hackers were able to obtain the ID.me selfie records, it could be especially damaging, with potential uses ranging from committing fraud and identity theft to blackmailing people — or the company.