After a recent successful campaign for the Internal Revenue Service (IRS) to dump its facial recognition program, privacy activists are now turning their attention to other agencies that use the technology.
Reports last month of IRS requirements for taxpayers to upload selfies for an identity verification program run through ID.me prompted immediate backlash from public interest groups and lawmakers from both parties. Sen. Ron Wyden (D-Ore.) urged the IRS to discontinue the service, while Sen. Roy Blunt (R-Mo.) demanded a comprehensive ban on the IRS’s use of such biometric data collection. A number of public interest groups, including the Electronic Privacy Information Center (EPIC) and Media Alliance, joined the calls for the IRS to abandon its plan.
Their campaign was successful. The IRS said Feb. 7 that it will not use a third-party company to verify new accounts with facial recognition.
The privacy activists aren’t stopping with the IRS. EPIC and a coalition of 40 other interest groups released a letter Feb. 14, calling for other government agencies to end their facial recognition programs.
“The use of a third-party face verification service also creates needless security issues facilitated by government agencies, forcing individuals to hand over biometric data to a private company. Biometric data, particularly faceprints, are increasingly becoming targets for fraudulent activity,” the groups said.
“The likely result of federal and state agencies using faces as a credential to access sensitive information will be large-scale data breaches of a credential that cannot easily be changed.”
Sens. Wyden, Cory Booker (D-N.J.), and Elizabeth Warren (D-Mass.) joined in the chorus a day later with a letter to the Department of Labor, urging it to help state unemployment agencies abandon ID.me.
According to the letter, more than half of the states require workers filing for unemployment insurance to first register for an account with ID.me. Government agencies’ use of facial recognition accelerated after the start of the COVID-19 pandemic, when most of their business started happening online.
“It is concerning that so many state and federal government agencies have outsourced their core technology infrastructure to the private sector,” Wyden, Booker, and Warren wrote in their letter. “It is particularly concerning that one of the most prominent vendors in the space, ID.me, … uses facial recognition and lacks transparency about its processes and results.”
ID.me did not respond to a request for comment about the public campaign against it.
On Feb. 8, the company announced a new option to verify identity without using automated facial recognition.
“We have listened to the feedback about facial recognition and are making this important change, adding an option for users to verify directly with a human agent to ensure consumers have even more choice and control over their personal data,” said ID.me CEO, Blake Hall.
“In recent weeks, we have modified our process so government agencies can empower people to choose to verify their identity with an expert human agent without going through a selfie check. Agencies can now select this configuration. Additionally, all ID.me users will be able to delete their selfie or photo at account ID.me, beginning on March 1.”
Not everyone thinks it’s a good idea for government to abandon facial recognition. The Information Technology & Innovation Foundation (ITIF) said Feb. 8 that the “IRS was wrong to give in to hysteria.”
“As tax season gets under way, it is disappointing to see that the IRS has succumbed to the concerted attacks by advocacy groups opposed to any and all forms of facial recognition,” the ITIF said. “Every year, the IRS attempts to stop billions of dollars of refund fraud, identity theft, and other financial crimes that hurt everyday Americans, and greater use of facial recognition would have been a step in the right direction.”