The Internal Revenue Service has abandoned its plan to require millions of Americans to submit to a facial recognition check through a private company to access their online tax accounts following a firestorm of criticism from privacy advocates and members of Congress.
The agency originally had said that starting this summer all taxpayers would need to submit a “video selfie” to ID.me to access their tax records and other services on the IRS website. But lawmakers and advocates slammed the idea of mandating the technology’s use nationwide, saying it would unfairly burden Americans without smartphones or computer cameras, would make sensitive data vulnerable to hackers and would subject people of color to a system known to work less accurately on darker skin.
“The IRS takes taxpayer privacy and security seriously, and we understand the concerns that have been raised,” IRS Commissioner Charles Rettig said in a statement announcing the decision. “Everyone should feel comfortable with how their personal information is secured, and we are quickly pursuing short-term options that do not involve facial recognition.”
Sen. Ron Wyden (D-Ore.), one of nearly two dozen members of Congress who had urged the IRS to halt the plan, said in a statement Monday, “I appreciate that the administration recognizes that privacy and security are not mutually exclusive and no one should be forced to submit to facial recognition to access critical government services.”
Earlier Monday, Wyden had urged the IRS in a letter to abandon working with ID.me, calling it “simply unacceptable to force Americans to submit to scans using facial recognition technology as a condition of interacting with the government online.”
“The infrastructure that powers digital identity, particularly when used to access government websites, should be run by the government,” he wrote.
The government runs a separate sign-in service, Login.gov, whose leaders told The Washington Post last week that they would not use facial recognition until a “rigorous review has given us confidence that we can do so equitably and without causing harm to vulnerable populations.”
IRS and Treasury officials did not respond to questions of how the change could affect the two-year, $86 million contract that Treasury signed with ID.me last summer, or what would happen with the personal or facial data that Americans have submitted to ID.me already.
In a letter to the IRS last week, 14 Republican members of the Senate Finance Committee pointedly asked what would happen to taxpayers’ personal information if the IRS ended its work with the company. The group has yet to receive a response, a committee aide said.
IRS officials said the change will not affect people’s ability to pay their tax bills or file their returns. But Treasury officials have warned of “enormous challenges” this year at the agency due to millions of unprocessed filings, and officials in the first days of tax season last year suspended the mailing of certain notices due to a backlog of returns.
The company currently offers a backup option that allows people who have failed a facial recognition check to confirm their identity by showing official documents to a company representative over a live video call. But some people who have gone through that process have reported technical glitches and hours-long waits for help, and the company’s chief told The Post that they have fewer than 1,000 agents handling video calls for the entire country.
The reversal sparked questions of whether ID.me’s other clients across the country will follow suit. Roughly 70 million Americans have used its service to verify their identities while filing for unemployment insurance, pandemic assistance grants, child tax credit payments or other services, the company’s chief told The Post last month. On its client list: 10 federal agencies, including Social Security, Labor and Veterans Affairs; 30 states, including California, Florida, New York and Texas; and 540 companies nationwide.
The Surveillance Technology Oversight Project, a digital rights advocacy group, celebrated the change and called on state governments to drop the technology’s use.
“When government agencies use this technology, it’s question of when, not if, this biometric data is hacked, leaked or misused,” the group’s executive director, Albert Fox Cahn, said in a statement.
ID.me has said its system has stored tens of millions of people’s face scans in a database to look for identity theft. People can request to delete their information, but the company stores the data for at least seven years due to federal auditing rules, according to an IRS filing.
The controversy has highlighted a key tension within the U.S. government over facial recognition. Federal agencies are increasingly using the technology for security and investigative purposes, and 10 of them — the departments of Agriculture, Commerce, Defense, Homeland Security, Health and Human Services, Interior, Justice, State, Treasury and Veterans Affairs — told government auditors last year that they intended to expand their face-scanning capabilities in the coming months.
But the government’s central management office, the General Services Administration, has said face-scanning technology has too many problems to justify its use and has refused to include it in the Login.gov sign-in system.
Two hundred websites run by 28 federal agencies use the Login.gov service and more than 40 million people have opened accounts with it. It was built and is operated by government employees to accomplish the same tasks as ID.me by relying on more traditional methods of identity verification, such as scanning government records and credit reports.
A bipartisan group of congressional lawmakers have in the last week called on the government to make verifying the identities of its own citizens a federal priority, as opposed to a task managed by a private company.
In his letter Monday, Wyden urged the IRS and other agencies to use Login.gov, saying it was already piloting ways to verify a person’s identity without facial recognition through in-person partnerships with the U.S. Postal Service and Veterans Affairs. Wyden called on those government pilots to be expanded, alongside a call center operation for verifying people over video calls.
Wyden noted in the letter that Congress first required federal agencies to use a single sign-on service in 2015 and blamed limited adoption of Login.gov on agencies ignoring the congressional mandate and presidential administrations failing to pursue the issue.
That inaction, Wyden said, had allowed for billions of dollars in fraud, fueled a market for stolen personal data and “enabled companies like ID.me to commercialize what should be a core government service.”
Wyden’s letter followed three others in the last week sent from members of Congress to IRS leaders calling for an immediate halt to the facial recognition plan. Republicans on the Senate Finance Committee criticized the IRS for having “unilaterally decided to allow an outside contractor to stand as the gatekeeper between citizens and necessary government services.”
On Monday, shortly before the IRS’s announcement, four Democrats in the House — Reps. Ted Lieu (Calif.), Yvette D. Clarke (N.Y.), Pramila Jayapal (Wash.) and Anna G. Eshoo (Calif.) — sent the agency a letter calling it “simply wrong to compel millions of Americans to place trust in this new protocol.”
The option to create a new account using ID.me’s facial recognition service had been offered on the website for months, and some taxpayers who had proactively gone through the process expressed frustration following news of the IRS’s reversal.
Jamal Le Blanc, who lives in suburban Maryland, said he was told a month ago he’d need to create a facial scan to access his tax records. Because of a disability in his arm, he said, he required his daughter’s help to run through the process. Now, he worries how the data will be used or secured in the years to come.
“I am not the only person whose biometric information is now in the possession of an unknown government contractor because I needed my own tax records,” he said.
An earlier version of this story incorrectly stated that 15 Republican members of the Senate Finance Committee had signed a letter to the IRS. Each party has only 14 members on the committee. The 15th Republican who signed, Marsha Blackburn of Tennessee, is not a member of the committee.