ITIF, former DHS exec push back on criticisms of facial recognition use by US agency
The Internal Revenue Agency (IRS) should have taken a more measured response to the controversy around its use of identity verification company ID.me, the Information Technology & Innovation Foundation (ITIF) suggests, even as a report by CyberScoop alleges that the company was two-faced in its public assertion that one-to-many facial recognition technology was not used to identify unemployment benefits applicants while it continued to quietly use biometric identification technology. The deployment also found a defender in a former DHS official, who writes for the Washington Post that proposed alternatives will negatively impact U.S. taxpayers.
ID.me campaign downplayed facial recognition
As ID.me organized a public media campaign to argue that it did not use a form of facial identification it admits introduces a higher probability of error, it persisted in its application for fraud prevention services, says a report from CyberScoop.
The news site was given state documents by the American Civil Liberties Union (ACLU) which include guidance from ID.me that show the company emphasized the difference between recognition and verification biometrics in public communications guidance last July, following CNN report critical of the use of facial recognition in the benefits application process and the opt-out schemes provided. The guidance was issued even while ID.me was comparing individuals with a large database through facial recognition in a 1:N matching system, a practice which began in February, 2021, according to CyberScoop.
The company advised policy-makers to talk-up the difference while maintaining course with at least some implementations of the technology for its identity verification service used by the thirty U.S. states that contracted ID.me for fraud prevention services during the COVID-19 pandemic amid an upswell of fraudulent unemployment claims. ID.me provides some digital identity services without biometrics, in addition to solutions that do include the technology.
ID.me replied to media inquiries from various outlets, arguing that it did not do 1:N facial recognition, according to an email of talking points distributed internally and to state partners like the Oregon Employment Department (OED). Yet the company later admitted the use of facial recognition in a LinkedIn post that responded to the company’s work with the IRS.
The OED told CyberScoop that the agency held an understanding that ID.me did not use 1:N facial recognition. ID.me says it only uses 1:N facial recognition for fraud prevention and “is carefully configured to minimize impact to legitimate users who are moved to verify with an expert human agent.” But Olga Akselrod, a senior staff attorney at the ACLU, told CyberScoop that “ID.me is really making a distinction without a difference and it’s not one that can absolve the apparent misrepresentations they’ve made about their process.”
The same distinction is made widely, including by NIST in its Face Recognition Vendor Tests.
CyberScoop notes that U.S. government agencies are dropping or reconsidering the use of facial recognition, particularly after the IRS announced it would move away from ID.me’s services for fraud prevention. But states say that there are no viable alternatives currently for verification that can compete with ID.me.
An OED official recently said the agency’s system has “good safeguards in place” to deal with potential challenges related to the technology.
IRS should have kept facial recognition, says defenders of program
Earlier in February, the IRS reversed course on a requirement to apply facial recognition via short video to verify the identities of taxpayers amid an upsurge in fraud and unemployment claims. The proposal was quickly barraged by a hailstorm of disapproval from federal legislators, civil rights groups, and citizens over privacy concerns, allegations of racial biases, and the potential for security vulnerabilities, which forced the tax revenue agency to review alternatives to the service provided by ID.me. But supporters for the program argue both in the Washington Post and ITIF that this was an unwise move by the IRS.
Stewart Baker, a former assistant secretary for policy at the Department of Homeland Security, writes in the Post that facial recognition technology has substantially improved in terms of distinctions in accuracy between people from different races, citing a 2018 study from the National Institute of Standards and Technology that found “massive gains in accuracy,” and research from two DHS agencies that showed no race or gender differences in the field.
And while critics like Senator Ron Wyden recommends hiring more people to verify identities rather than invest in algorithms, Baker compares human verification to automated verification and finds it lacking. He references studies that show 81 percent of human “super-recognizers” are accurate, compared to a 95 percent success rate from automated systems. Baker concludes by saying a complete reversal to human verification by the IRS will mean “taxpayers would get worse service that costs more.”
Daniel Castro, vice president of the ITIF, argues it was wrong for the IRS to succumb to “hysteria” over facial recognition because the IRS already maintains an extensive database of highly sensitive financial and personal documents, which makes a collection of selfies not particularly important or valuable by comparison. Also, he says false negative photos can usually be retaken with no consequence to the user. Castro adds that the IRS contracts to many companies with access to personal data, which raises questions as to why ID.me was singled out as a particular offender. Furthermore, Castro contends that faces are not secret, and facial recognition was going to be used as only a liveness check to ensure the photo was not downloaded or stolen, not as a password.
Making a plea for the IRS to modernize or be “destined to fail,” Castro makes a final point that facial recognition technology and biometrics would reduce the workload burden for already stretched IRS employees.