Even as the Internal Revenue Service and other federal agencies pushed to require Americans to consent to facial recognition to sign on to government websites, the government’s central management office has refused to use the technology on its own secure log-in service, Login.gov.
Dave Zvenyach, director of the GSA’s Technology Transformation Services, told The Washington Post that the agency “is committed to not deploying facial recognition … or any other emerging technology for use with government benefits and services until rigorous review has given us confidence that we can do so equitably and without causing harm to vulnerable populations.”
The Treasury Department last year awarded a two-year, $86 million contract to a private contractor, ID.me, that would require taxpayers to send in video scans of their face before they can verify their identities and access their tax records online. The plan was scheduled to go into effect this summer.
But the IRS announced Monday it has abandoned that plan after news of the contract stirred a firestorm because facial recognition systems are unregulated in the United States and have been shown in federal tests to work less accurately for people with darker skin. Members of Congress and privacy advocates also voiced concern that the systems could undermine Americans’ privacy rights or unfairly disadvantage people without access to a smartphone, laptop camera or the Internet.
The GSA’s Login.gov already provides sign-in services to 200 websites run by 28 federal agencies and has been used by more than 40 million people. It was built and is operated by government employees to accomplish the same tasks as ID.me by relying on more traditional methods of identity verification, such as scanning government records and credit reports.
IRS officials visited Capitol Hill on Friday after details of the IRS plans were published by The Washington Post and other outlets, sparking criticism from both Democrats and Republicans. According to a Treasury Department official and two other people who spoke on the condition of anonymity because they were not authorized to speak publicly, the officials told members of Congress that they were actively considering an identity-verification option that would not use facial recognition.
Two people familiar with the discussions told The Post that the IRS officials did not specify the alternative under consideration during a briefing Friday to a bipartisan group of senators. And the IRS statement abandoning the plan on Monday didn’t specify what would replace it.
The GSA’s opposition to the use of facial recognition technology underscores a wider tension within the federal government over a technology that is rapidly gaining adoption amid promises it will boost security and combat fraud, despite many questions about its accuracy and the lack of government regulations governing its use.
In a letter sent Monday to IRS Commissioner Charles Rettig, Sen. Ron Wyden (D-Ore.) called on the IRS to reverse its decision, calling it “simply unacceptable to force Americans to submit to scans using facial recognition technology as a condition of interacting with the government online.”
Wyden urged the IRS and other agencies to use Login.gov, saying it was already piloting ways to verify a person’s identity without facial recognition through in-person partnerships with the U.S. Postal Service and Veterans Affairs. Wyden called on those government pilots to be expanded, alongside a call center operation for verifying people over video calls.
Wyden noted in the letter that Congress first required federal agencies to use a single sign-on service in 2015 and blamed limited adoption of Login.gov on agencies ignoring the congressional mandate and presidential administrations failing to “prioritize digital identity.”
That inaction, Wyden said, had allowed for billions of dollars in fraud, fueled a market for stolen personal data and “enabled companies like ID.me to commercialize what should be a core government service.”
“The infrastructure that powers digital identity, particularly when used to access government websites, should be run by the government,” he wrote. Treasury officials declined to comment on the letter.
Wyden’s letter followed three others in the last week sent from members of Congress to IRS leaders calling for an immediate halt to the facial recognition plan.
A group of Senate Republicans on Thursday cited the government’s “unfortunate history of data breaches” and criticized the IRS for having “unilaterally decided to allow an outside contractor to stand as the gatekeeper between citizens and necessary government services.”
Sens. Jeff Merkley (D-Ore.) and Roy Blunt (R-Mo.) called the plan to require “taxpayers to capture and deliver their most sensitive biometric data … an egregious accessibility and privacy concern.”
And Sen. Roger Wicker (R-Miss.) urged the IRS to “treat its responsibility to protect the privacy and security of American taxpayers’ data with the utmost seriousness.”
On Monday, four Democrats in the House — Reps. Ted Lieu (Calif.), Yvette D. Clarke (N.Y.), Pramila Jayapal (Wash.) and Anna G. Eshoo (Calif.) — joined the critics, writing a letter calling it “simply wrong to compel millions of Americans to place trust in this new protocol” and urging the IRS to consult with “a wide variety of stakeholders before deciding on an alternative.”
ID.me, a private company based in McLean, Va., runs the identity-verification systems for hundreds of companies, 30 states and 10 federal agencies that have used the software to look for fraud among recipients of unemployment insurance, pandemic assistance grants and child tax credit payments.
ID.me officials said in a statement Sunday that they are “committed to working together with the IRS to implement the best identity verification solutions to prevent fraud, protect Americans’ privacy, and ensure equitable, bias-free access to government services.”
The company said people’s data is encrypted and protected, that the company uses a face-scanning algorithm that is “exceptionally accurate with incredibly small variation across demographic groups and skin color,” and that the company is “flexible to adapt to feedback from policymakers.”
The company has pledged that any personal data gathered for government identity verification will not be used for promotional purposes. ID.me does, however, allow advertisers to offer special discounts to people who have opted into the service, and consumer marketing accounts for 10 percent of its revenue.
Before Monday’s announcement, Treasury officials argued they had to look beyond Login.gov, which calls itself “the public’s one account for government,” on the basis that facial recognition is a gold standard for identity verification.
A person familiar with IRS practices, who spoke on the condition of anonymity because they were not authorized to speak publicly about internal discussions, said the agency evaluated five companies and chose ID.me because it was the only candidate to meet the agency’s security requirements. The lack of facial recognition in Login.gov, the person said, was seen as a dealbreaker, given the IRS’s heightened risk of identity theft and fraud.
Federal guidelines published in 2017 by the Commerce Department’s National Institute of Standards and Technology urged agencies to follow identity-verification standards, known as “Identity Assurance Level 2,” that include collecting a person’s facial image, fingerprint or other “biometric sample,” either in-person or remotely, to help tamp down on fraud.
ID.me has offered services at those standards to 30 states and 10 federal agencies, including signing a contract with the Department of Veterans Affairs in 2019 worth potentially $58 million.
Login.gov, the government’s in-house system, launched in 2017 and relies on “a variety of authentication and identity proofing methods,” Zvenyach said. The GSA in December awarded a $34 million contract to two companies, including the data broker LexisNexis, for access to the vast trove of public records it has gathered on Americans’ lives.
To establish a Login.gov account, a person is asked to upload an image of a government-issued ID and provide a phone number whose account is linked to their name.
ID.me defenders argue that their system offers benefits beyond Login.gov, including the option to connect via live video call to an ID.me employee for verification. But many who have gone through that process have complained of hours-long wait times, and the company has said it employs fewer than 1,000 video-chat agents for the entire country.
The inner workings of ID.me will also be subject to less oversight than a government-run project bound by public-records laws, privacy advocates argue. No federal laws govern how facial recognition should work.
The IRS announced last week that it was ready to receive the first tax returns on 2021 income.