The IRS announced last fall that it was adding a new security requirement for IRS filing meant to provide an “improved identity verification and sign-in process.” This entailed software from a vendor called ID.me, which included facial recognition technology. That software is already used by several states.
Researcher Brian Krebs created an account and found it difficult to use the software. CBS News reported last week that the Treasury Department was “rethinking” its use of the software for ID purposes.
Representative Ted Lieu (D-CA) said on Twitter last week that the ID.me deal was “a very, very bad idea by the IRS,” and that "The IRS needs to reverse this Big Brother tactic, NOW.”
Now, a major newspaper is also calling for the government to rethink the deal.
The Washington Post Editorial Board wrote over the weekend that the IRS should not require the use of the software, which would require users to “take a selfie” of themselves for facial recognition purposes.
“The IRS wants to start this extra verification procedure this summer," The Post said in its unsigned editorial. “That would be a mistake. This cannot be the only way to access an account online, as 90 percent of tax filers currently do.”
The newspaper listed several reasons for its opposition, including that low-income taxpayers may have trouble with the technology, as well as the questions about racial discrimination in facial recognition software.
There are also questions, the Post said, about exactly what ID.me will do with the data that it collects from those “selfies.”
“While the company promises not to do anything with the data beyond share taxpayers’ selfies with authorities if a fraud issue comes up, there is no federal law regulating how this sensitive information can be used,” the Post said, adding that Equifax, which suffered a high-profile breach that exposed the data of 140 million Americans, was itself once an official IRS verification company.
The Post also noted that the “selfie” facial recognition proposed by ID.me is different from Apple’s FaceID in a couple of key ways. FaceID is not required, as Apple allows iPhone users to use a passcode instead. Also, Apple uses “one to one” facial recognition, while ID.me admitted recently that they use “one to many,” which means the image is checked against a larger database.
“There have been encouraging reports that the IRS is reconsidering its sole reliance on ID.me for online verification for website access,” the Post concluded. “At a minimum, the IRS must offer other verification options and clearly articulate guidelines on what happens to all facial data.”
Stephen Silver, a technology writer for The National Interest, is a journalist, essayist and film critic, who is also a contributor to The Philadelphia Inquirer, Philly Voice, Philadelphia Weekly, the Jewish Telegraphic Agency, Living Life Fearless, Backstage magazine, Broad Street Review and Splice Today. The co-founder of the Philadelphia Film Critics Circle, Stephen lives in suburban Philadelphia with his wife and two sons. Follow him on Twitter at @StephenSilver.