First, the Internal Revenue Service reversed course from its recent announcement that it was partnering with ID.me, a third-party identity verification service, to use facial recognition for verification of users managing many aspects of their taxes online. Now, ID.me—which provides identity verification services for dozens of government agencies—says it will drop its facial recognition requirement entirely for these agencies, in a victory for privacy and security.
This is an important win: facial recognition is a dangerous surveillance tool. Coercing facial recognition to interact with the government is especially pernicious, as it unnecessarily forces people to give up their privacy in exchange for necessary services. Worse still, forcing people to hand their biometric data over to a third party, which is bound by fewer privacy restrictions and regulations, would have put huge swathes of the public’s personal data at risk of being misused.
Why did the IRS, and ID.me, back down? The IRS plan was roundly criticized by researchers, grassroots advocates, civil liberties experts, and other branches of government. Congress members Ted Lieu and Ron Wyden expressed their concerns about the plan. Likewise, FTC Commissioner Christine Wilson lambasted it, noting that federal rules would require biometric data to be stored for at least seven years, a lengthy period that makes privacy breaches more likely, and that ID.me would not be bound by legislation on how it could use this biometric data. The General Services Administration, which oversees Login.gov and provides services to 200 websites run by 28 federal agencies, also came out against the plan, saying GSA would not use facial recognition “or any other emerging technology for use with government benefits and services until rigorous review has given us confidence that we can do so equitably and without causing harm to vulnerable populations.”
Coercing users of the IRS website, which is one of the federal government’s most frequently visited sites, to hand over their biometric data to a third party would have been a dangerous step. At the moment, it’s still unclear if the Treasury will simply look elsewhere for biometric services. But now that ID.me is loosening its facial recognition requirement for all government services, it’s likely that any plans to require facial recognition for this government service will face blowback. Additionally, while it is good that the Treasury has backed away from this plan, and that facial recognition won’t be required for ID.me users to interact with government services, questions remain about how and why the Treasury decided to force taxpayers into turning over their biometric information to a private company in the first place. Additionally, how has ID.me’s facial recognition requirement been in place for years with such little oversight? Congress should hold public hearings with both Treasury officials and representatives from ID.me to answer these questions.
The Fight is Far From Over
Separate from ID.me, many other federal government agencies have begun using facial recognition or have plans to do so. State and local governments have also begun using them for identity verification or for “safety,” despite a growing number of bans on government use of face recognition technology at the local level.
No government service should coerce the use of dangerous face surveillance technology to access services. Partnering with an unaccountable third party to collect the data and store it for seven years would have been even worse. We hope these moves by the IRS and ID.me are the beginning of a serious move away from government use of this tech, and not just a way to sidestep concerns.