Skip to main content

 

Rep Anna Eshoo

Reps. Eshoo, Lieu, Jayapal, and Clarke Urge IRS to Halt Plan to Use Facial Recognition Technology

February 7, 2022

WASHINGTON, D.C.Today Congresswoman Anna Eshoo (D-CA), Congressman Ted W. Lieu (D-CA), Congresswoman Pramila Jayapal (D-WA), and Congresswoman Yvette Clarke (D-NY) sent a letter to IRS Commissioner Charles Rettig urging the IRS to halt its plan to employ facial recognition technology and consult with a wide variety of stakeholders before deciding on an alternative. This summer, the IRS plans to require anyone seeking to access their records on the IRS website to provide images of their driver's license, state-issued ID, or passport and take a live video of their face so ID.me, a private contractor, can confirm their identity. The Members cite concerns related to cybersecurity, accuracy and bias issues, and the lack of transparency in the IRS's contract with ID.me and the company itself.

A PDF of the letter can be found here and the text is below:

Dear Commissioner Rettig:

The Internal Revenue Service (IRS) plays a crucial role in helping Americans understand their tax responsibilities and enforcing the law with integrity and fairness for all. We write to you with great concern regarding the IRS's plan to employ face recognition software requiring millions of Americans to have their face scanned by a private contractor. Any government agency operating a face recognition technology system – or contracting with a third party – creates potential risks of privacy violations and abuse. We urge the IRS to halt this plan and consult with a wide variety of stakeholders before deciding on an alternative.

This summer, the IRS plans to require anyone seeking to access their records on its agency website to provide sensitive biometric data to ID.me, a private contractor. Specifically, Americans will have to upload images of their driver's license, state-issued ID, or passport and then take a live video of their face with a computer or smartphone so ID.me can confirm their identity. Despite this new IRS policy not being a universal requirement for several months, it is already required for individuals who do not have IRS login credentials and want to access online tools. These new biometric requirements will be necessary for accessing a wide array of vital tools the IRS provides, including confirming a payment, using the Child Tax Credit Update Portal, and accessing a tax transcript. To be clear, Americans will not have the option of providing their biometric data to a private contractor as an alternative way to access the IRS website. They will be compelled to do so. The decision by the IRS raises several alarming issues.

First, Americans will be forced to put sensitive data into a biometric database, which is a prime target for cyberattacks. In 2019, a cyberattack on a U.S. Customs and Border Protection (CBP) subcontractor exposed the face images and license plates of thousands of U.S. travelers. The subcontractor cyberattack and ensuing fallout was significant, but the cybersecurity risk with the IRS's plan is far greater: millions of Americans use the IRS website annually for a variety of vital functions, and, as a result, each of them will be forced to trust a private contractor with some of their most sensitive data.

Aside from the cybersecurity risk, the accuracy and bias issues of face recognition systems disproportionately impact people of color. ID.me has stated that the use of their technology promotes "access, equity and inclusion," but even one-to-one face recognition algorithms – where a facial image is compared only with an image of the same face – has been shown to exhibit significant racial bias. A 2019 National Institute of Standards and Technology study showed that one-to-one matching algorithms "saw higher rates of false positives for Asian and African American faces" compared to white faces – often by a factor of 10 to 100 times. ID.me's CEO has stated that the company runs internal tests on its software and has found no signs of racial or gender bias, but none of those tests have been made available to the public or even reviewed by external researchers. Already, ID.me's face recognition technology has reportedly failed to identify Americans attempting to access government services. In addition to those it fails to identify, the new login system discriminates against those unable to afford reliable broadband and the required video capabilities, which may result in less Americans filing for the earned income tax credit.

We are also concerned about the lack of transparency in both the IRS's contract with ID.me and ID.me itself. The company had repeatedly stated, including in a press release just weeks ago, that ID.me does not use one-to-many face recognition, which compares a facial image to a mass database of other facial images and is more privacy invasive and prone to error. Yet, in the same month, ID.me's CEO then publicly stated that his company does, in fact, use one-to-many face recognition technology. Furthermore, the IRS's Privacy Impact Assessment neglects to mention ID.me is even using this technology on Americans. Given these issues, it is simply wrong to compel millions of Americans to place trust in this new protocol.

In addition to halting these planned changes, we also request that the IRS provide the following information:

  • Why does the IRS's Privacy Impact Assessment, as required by the E-Government Act, not comprehensively disclose what technology ID.me will be using? Was IRS not aware ID.me would be using one-to-many face recognition technology while conducting its assessment?
  • What review process did the IRS undergo to ensure the mass database ID.me will be operating does not pose a data breach risk to millions of Americans?
  • What, if any, information regarding fraud or other identity-related issues has the IRS publicly shown to prove that this technology must be required for all Americans? Given the privacy and cybersecurity risk, were any other alternatives identified?
  • Millions of Americans either do not have access to reliable broadband or smartphones and computers. How are they expected to access vital IRS resources? Has the IRS publicly disclosed an alternative plan for individuals unable to comply?
  • Given the risks that face recognition technology poses to women and people of color, what processes or steps has the IRS taken to ensure these communities will not face greater difficulty accessing the IRS website?
  • Prior to agreeing to this login change, did the IRS consult with any stakeholders in the civil rights and civil liberties communities?
  • What guardrails are in place to ensure that ID.me is prevented from disseminating or otherwise using the biometric data it collects for any purpose other than the IRS login system?

Thank you for your prompt attention to this important issue. We look forward to receiving your response to these questions.

Sincerely,

###