The IRS said Monday that it is abandoning its push to use facial recognition technology on taxpayers after massive bipartisan pushback from senior lawmakers, who called the idea a disaster for privacy and security.
Agency officials said the facial recognition requirement was intended to weed out scammers and protect taxpayers who wanted to look at their records.
But the IRS’s record of computer problems and the involvement of a third party to run the service left Democrats and Republicans fuming.
“The IRS takes taxpayer privacy and security seriously, and we understand the concerns that have been raised,” IRS Commissioner Chuck Rettig said. “Everyone should feel comfortable with how their personal information is secured, and we are quickly pursuing short-term options that do not involve facial recognition.”
The IRS said the transition will be made “over the coming weeks” as the agency tries to manage the current tax-filing season without major disruptions.
Taxpayers have been able to file returns electronically and pay their bills without having to submit to the technology. But those who wanted to check their child tax credit information, get a tax transcript or set up an online payment plan were going to be told to register with ID.me, a private vendor, for verification.
The system was announced late last year and was supposed to go into effect this summer. It would have required a Social Security number, photo identification and a video “selfie” to prove the requester’s identity.
Having that sort of information in the hands of a private company was troubling to Democrats and Republicans, who applauded the IRS’s about-face.
“The Treasury Department has made the smart decision,” said Sen. Ron Wyden, Oregon Democrat and chairman of the Senate Finance Committee.
Facial recognition technology has become one of the key touchstones in the debate over the tension between cybersecurity and privacy.
Government agencies and private companies are desperate for tools to prevent cybercrime, which is estimated to cost trillions of dollars each year.
Facial recognition offered an opportunity to confirm the identities of people accessing services.
But the technology has drawbacks, including false negatives, particularly among some minority populations. Having that sort of biometric data stored by the government or its contractor was worrying, given the history of hackers’ ability to breach government systems.
The IRS in 2019 said it battled 1.4 million cyberattacks each year and suffered a major breach during the Obama administration, in what became known as the “Get Transcript” hack.
Hackers were able to match personal information, such as a Social Security number and date of birth, along with some taxpayer information, to access hundreds of thousands of records.
The IRS also has had several high-profile leaks of taxpayer information, Republican senators pointed out in a letter late last week.
“The decision millions of Americans are forced to make is to pay the toll of giving up their most personal information, biometric data, to an outside contractor or return to the era of a paper-driven bureaucracy where information moves slow, is inaccurate, and some would say is processed in ways incompatible with contemporary life,” the senators wrote.
As the furor intensified, ID.me defended its technology late last month.
The company said its plan was to make verifications using “1:1 face match technology.” The user’s face is matched to a stored image, similar to unlocking a phone, it said.
The company contrasted that with “1:many facial recognition,” which scans an image against a database of many faces. The company said it uses 1:many technology to try to spot anyone registering multiple accounts, which could be an indication of fraud. But it said that’s not a verification tool.
The company said a state agency had conducted “independent testing” and found no discernible bias in the technology’s success rate when comparing demographic groups. ID.me also said a live agent could step in to help those whose faces couldn’t be verified by a selfie and matching algorithms.
“Many government agencies rely on credit bureaus and/or data brokers alone to verify identity for access to online services. These solution providers leave many groups behind,” ID.me founder Blake Hall said.
It’s not clear what will become of the company’s two-year, $86 million contract with the IRS.
The Washington Post reported Monday that the General Services Administration, which handles basic services for much of the federal government, won’t use facial recognition technology for its own service.
GSA said it didn’t have confidence that the technology could be deployed in a fair way.