US House asks what happens to face biometrics of 7M already registered with ID.me
The Chairwoman of the influential House Committee on Oversight and Reform has written a letter to the Internal Revenue Service (IRS) Commissioner requesting more information about how the agency plans to safeguard the biometric data of the seven million taxpayers who had already registered their face biometrics with ID.me, and the costs associated with what is stated as the IRS’s “about-face” on the $86 million contract with the private company. Meanwhile, a new fraud case shows flaws in ID.me’s systems.
The U.S. Treasury Department had been considering user authentication alternatives as of late January. The IRS had a briefing with the Committee on 4 February. A few days later the IRS announced a “transition away from use of third-party verification involving facial recognition” but now it appears the IRS had already been looking to cancel its two-year contract with ID.me.
Committee Chairwoman Carolyn Maloney wrote to Commissioner Charles (‘Chuck’) Rettig following the committee briefing with the IRS where she learned that seven million Americans had already been directed by the IRS to sign up for ID.me. Maloney is concerned that a third party, beyond the control of the IRS, has biometric data which can be held for seven years before the IRS can request deletion.
The IRS defended its selection of ID.me in the briefing, according to the 11 February letter. Maloney also notes that the IRS “may have sought to terminate the contract” with ID.me, but were it to do so, millions of taxpayers’ biometric data could still be held by the company.
“I welcome your decision to reconsider the use of facial recognition technology, but I remain concerned about the ongoing impact on the millions of Americans who have already turned over their biometric data to a private company as well as the potential costs to American taxpayers given the agency’s about-face on this multimillion-dollar contract,” wrote Chairwoman Maloney.
Maloney notes the increased possibility of bad actors accessing biometric data if held for seven years, and that 13 percent of people trying to sign up for ID.me had encountered trouble and needed to be referred to customer service to undergo manual authentication via video call.
As the U.S. House of Representatives’ investigative committee, the Committee has the power to pursue a wide range of issues and has set the IRS Commissioner a list of questions on how the agency intends to handle the fallout of the ID.me contract, to be answered by 25 February.
This follows a group of Republican Senators also writing to IRS Commissioner Rettig over similar concerns.
Biometric Update contacted ID.me for clarification on the extent of the cancellation as ID.me conducts other checks on registrants and has a two-year contract with the IRS. ID.me’s PR firm responded by simply referring all questions on the issue to the IRS. In what now looks like a last-ditch attempt to salvage the situation, ID.me did announce a change to its offering to allow users to request that their photos captured at sign-up be deleted.
In the meantime, the IRS notice on the matter states that the IRS “will quickly develop and bring online an additional authentication process that does not involve facial recognition. The IRS will also continue to work with its cross-government partners to develop authentication methods that protect taxpayer data and ensure broad access to online tools.”
The notice also quotes Commissioner Chuck Rettig as saying: “The IRS takes taxpayer privacy and security seriously, and we understand the concerns that have been raised.
“Everyone should feel comfortable with how their personal information is secured, and we are quickly pursuing short-term options that do not involve facial recognition.”
Data gathering and scams
The Washington Post reports how a New Jersey man obtained multiple ID.me accounts via the face recognition route and was paid $900,000 in false unemployment payments from the State of California. While wearing a curly wig.
The report contains the multiple selfie photos and corresponding fake IDs the man submitted around the same day in December 2020 which were verified by ID.me, thus allowing him to make the fraudulent claims. The documents were evidence in a criminal complaint filed in December 2021.
The article also states that ID.me collects phone location records and uses software from data-mining company Palantir, yet the fraudster was still able to pass through authentication for multiple identities.