Republican senators demand briefing on IRS decision to require ID.me 'selfies'

The White House has yet to comment on the controversy surrounding the IRS use of ID.me.
Written by Jonathan Greig, Contributor

A group of Republican senators on the Finance Committee has formally called for the Internal Revenue Service (IRS) to provide more information about its plan to incorporate facial recognition provider ID.me into its processes.

In November, the agency announced that by the summer of this year, taxpayers will need to have an ID.me account in order to access certain IRS online resources. The IRS signed an $86 million contract with ID.me, according to the Washington Post, which noted that more than 70 million Americans who filed for unemployment insurance, pandemic assistance grants, child tax credit payments, or other services have already been scanned.

In order to check on the status of a return, view balances and payments received, obtain a transcript, and enter into an online payment agreement, people will need to create an ID.me account and give the private company either a government ID, passport, birth certificate, W-2 form, social security card, a bill of some kind or a "selfie," among a host of other private documents they may ask for. 

The plan has caused significant outrage among many privacy experts who question why a private company that already has a track record of lying about its platform would be hired for something as sensitive as access to the IRS. A number of people, including security researcher Brian Krebs, have already reported issues with the platform. 

Jay Stanley, senior policy analyst at the ACLU, added that ID.me would not be subject to various oversight rules like the Freedom of Information Act and the Privacy Act of 1974, something the letter also notes.

The letter -- signed by 15 Republican senators and addressed to IRS Commissioner Chuck Rettig -- explains that using ID.me "appears to subject taxpayers to the terms of three separate agreements filled with dense legal fine print: a privacy policy agreement, terms of service agreement, and a 'Biometric Data Consent and Policy.'" 

They also expressed concern about the possibility of cyberattacks leaking the biometric data of millions of Americans who are being forced to entrust a private company with sensitive data. 

"There is ample evidence to be very concerned about an IRS contractor's ability to safely manage, collect and store this unprecedented level of confidential, personal data. To put this in perspective, in 2019 the IRS estimated it faced 1.4 billion cyber-attacks annually. It is highly likely, with personal information on a reported 70 million individuals, including biometric data, ID.me could be a top target for cyber-criminals, rogue employees, and espionage," the Senators wrote.

"The IRS has unilaterally decided to allow an outside contractor to stand as the gatekeeper between citizens and necessary government services. The decision millions of Americans are forced to make is to pay the toll of giving up their most personal information, biometric data, to an outside contractor or return to the era of a paper-driven bureaucracy where information moves slow, is inaccurate, and some would say is processed in ways incompatible with contemporary life. Of concern, also, is that ID.me is not, to our knowledge, subject to the same oversight rules as a government agency, such as the Freedom of Information Act, the Privacy Act of 1974, and multiple checks and balances."

The letter includes several questions about ID.me and how the IRS decided to hire the company for this process. They demand answers to the questions by February 27 and also ask for a briefing on the issue. 

The White House and IRS did not respond to requests for comment. Other than Senator Ron Wyden, none of the Democratic senators on the Finance Committee responded to requests for comment.

Wyden's spokesperson would not send along any statement or comments about the issue, only pointing to two tweets he has previously sent out. 

Representative Ted Lieu also sent out a tweet about the issue, calling it a "very, very bad idea by the IRS." 

"It will further weaken Americans' privacy. And facial recognition is less accurate for darker skin individuals. The IRS needs to reverse this Big Brother tactic, NOW," Lieu said. 

Fight for the Future, Algorithmic Justice League, EPIC, and other civil rights organizations launched a website this week -- called Dump ID.me -- allowing people to sign a petition against the IRS plan.

Caitlin Seeley George, campaign director at Fight for the Future, told ZDNet that they are thankful more legislators are taking action and questioning how the IRS' plan will impact their constituents. 

"The letter from these Senators raises a number of important questions about how we got to this point where millions of people could have to hand their biometric information to a private company and put their most sensitive information in danger in order to access essential governmental services," Seeley George said. 

"And while these are critical questions that must be answered in order to ensure the IRS is doing its due diligence to fully protect taxpayers, there is no process that involves facial recognition or any biometric verification process that will ensure the safety of peoples' information and rights."

Facial recognition is already used widely across multiple government agencies, alarming many who point to dozens of studies proving how flawed the technology is, particularly for people of color and women. Even the National Institute of Standards and Technology has found a higher rate of false positives on one-to-one algorithms for Asian and African American faces.

Fast Company reported that ID.me is now used by the Department of Veterans Affairs, the Social Security Administration, and several other federal agencies. The ACLU's Stanley noted to ZDNet that dozens of state agencies across the country also mandate facial recognition in order to access government benefits. 
