The IRS directed 7 million Americans to the facial recognition vendor ID.me before abandoning plans to make the service mandatory this week, raising new worries about the security of records already submitted to the company.
In the letter, Maloney also pressed IRS Commissioner Charles Rettig on plans to instruct the provider, ID.me, to destroy the biometric data and on how the agency will ensure that ID.me does not use the data for “unapproved or unauthorized purposes.”
“Those Americans’ highly personal information may continue to be held by a third party outside of the IRS’s direct control — increasing the potential for exposure due to bad actors and other cybersecurity incidents,” she wrote.
The letter follows weeks of controversy over the program, which would have required anyone who wanted to access tax-related records online to record a video of their face with their computer or smartphone. The IRS announced on Monday that it would abandon those plans amid backlash from members of Congress and privacy advocates.
ID.me said on Wednesday that it would drop the facial recognition requirement in its software, which is used by 30 states and 10 federal agencies. The company also told The Washington Post that effective March 1, anyone would be able to delete their selfie or photo data.
Maloney wants answers about how the IRS will oversee these steps or how it may affect the agency’s record retention process. She also raised concerns that the IRS’s “about-face” on its two-year, $86 million contract could negatively affect taxpayers. She asked Rettig how much money has already been expended on the contract and how much it would cost to terminate it.
The letter follows years of controversy over the government’s expanding use of facial recognition software, despite warnings from the General Services Administration that the face-scanning technology has too many problems to justify its use. In 2019, House lawmakers held hearings on the impact of the technology and the ways that it can discriminate against women and people of color.
There is no federal law regulating how facial recognition can be used or how it should be secured.
“This technology remains virtually unregulated, and increasing transparency and accountability is crucial,” Maloney wrote.
On Tuesday, six Republican senators said they would introduce a bill that would bar the IRS from requiring taxpayers to submit face scans or other biometric data.
Maloney also writes that 13 percent of ID.me users since June had struggled to use the software and were referred to customer service, where representatives would attempt to verify their identities over video chat. The letter says this underscores the “widespread issues related to the use of the nascent facial recognition technology.”