WASHINGTON — Millions of Americans will soon have to scan their faces to access their Internal Revenue Service tax accounts, one of the government’s biggest expansions yet of facial recognition software into people’s everyday lives.
Taxpayers will still be able to file their returns the old-fashioned way. But by this summer, anyone wanting to access their records — including details about child tax credits, payment plans or tax transcripts — on the IRS website will be required to record a video of their face with their computer or smartphone and send it to the private contractor ID.me to confirm their identity.
About 70 million Americans who have filed for unemployment insurance, pandemic assistance grants, child tax credit payments or other services have already been scanned by the McLean, Va.-based company, which says its client list includes 540 companies; 30 states, including California, Florida, New York and Texas; and 10 federal agencies, including Social Security, Labor and Veterans Affairs.
But ID.me’s $86 million contract with the IRS has alarmed researchers and privacy advocates who say they worry about how Americans’ facial images and personal data will be safeguarded in the years to come. There is no federal law regulating how the data can be used or shared.
The system itself also is drawing complaints. Some people have reported frustrating glitches and hourslong delays that have kept them from important benefits, and researchers have argued the company has overstated the abilities of a face-scanning technology that could wrongly flag people as frauds.
Jeramie Scott, senior counsel of the Electronic Privacy Information Center, a research group in Washington, said the IRS’s outsourcing of identity checks to a private company could weaken the public’s ability to know how information is being used, especially because no federal laws govern how facial recognition should work nationwide.
“You go from a government agency, that at least has some obligation under the Privacy Act and other laws, to a third party, where [there’s a] lack of transparency and understanding, and the potential risks go up,” Scott said.
“We haven’t even gone the step of putting regulations in place and deciding if facial recognition should even be used like this,” he added. “We’re just skipping right to the use of a technology that has clearly been shown to be dangerous and has issues with accuracy, disproportionate impact, privacy and civil liberties.”
The IRS said in a statement that ID.me’s services will “create a better user experience” and that it “takes any reports of inequities in service seriously.” Federal records show the Treasury entered into the two-year contract covering ID.me software and maintenance last summer.
The IRS couldn’t say what percentage of taxpayers have used the agency’s website, but internal data show it is one of the federal government’s most-viewed websites, with more than 1.9 billion visits last year. The agency received more than 169 million tax returns last year, most of which were filed online.
To verify one’s identity, ID.me requires scans of a person’s face as well as copies of identifying paperwork, such as a driver’s license, government-issued ID or utility bill. The company then uses facial recognition software to assess whether a person’s “video selfie” and official photo match.
If the system flags an issue, the person will have to join a live video call with one of the company’s “trusted referees,” who then asks them to hold up physical copies of personal documents such as a passport, birth certificate or health insurance card.
Though people can ask ID.me to delete their biometric data, the company is required to store the data for at least seven years in keeping with federal auditing rules, an IRS filing shows.
Hall said in an interview that the company’s system has met tough security and accuracy standards. He compared the identity checks to someone being asked to present an ID when opening a bank account, saying, “We’re digitizing a process Americans are already quite used to.”
The partnership with ID.me has drawn the attention of Sen. Ron Wyden, D-Ore., who tweeted that he was “very disturbed” by the plan and would push the IRS for “greater transparency.” The Senate Finance Committee is working to schedule briefings with the IRS and ID.me on the issue, a committee aide said.
Hall dismissed most of the early criticism of the company’s work as either misinformed or fueled by “propaganda” from the credit bureaus and data brokers the government once relied on to verify identities.
Equifax, the credit-reporting company that previously confirmed taxpayers’ data for the IRS, had its $7 million contract suspended in 2017 after hackers exposed the personal information of 148 million people.
As to why the country is paying a private firm to validate its own citizens, Hall said the government’s previous attempts had underperformed ID.me’s product — proof, he said, that “the government is not fast enough to innovate on the access and security side.”
“Folks want to throw stones because we were able to get there first … before the government was ready,” Hall said, but the company’s growth should be regarded as “a sign of the best of our country at work.”
ID.me’s work with the IRS will start in full this summer, when the agency stops accepting previously created online accounts and forces everyone to use newer accounts verified through ID.me. The shift will come at a time when Treasury officials are warning of “enormous challenges” for the IRS, which is overwhelmed by a backlog of returns and years of budget cuts.
The company says 9 of 10 applicants can verify their identity through a self-service face scan in five minutes or less. Anyone who hits a snag is funneled into the backup video-chat verification process; in a chart the company shared with The Washington Post, the average wait time in the second half of 2021 was less than eight minutes, and the busiest weeks saw average waits of about 50 minutes. (The company said it does not track the demographic information of the people not immediately verified.)
But some who have tried to verify their identities through ID.me have reported agonizing delays: cryptic glitches in Colorado, website errors in Arizona, five-hour waits in North Carolina, dayslong waits in California and weeks-long benefit delays in New York. The security blogger Brian Krebs wrote last week that he faced a three-hour wait trying to confirm his IRS account, three months before the tax-filing deadline.
Higher wait times in the past few weeks, Hall said, were linked to workers out because of the coronavirus and the snowstorms that pummeled Northern Virginia, where much of the company’s support staff is based. (In late 2020, Hall said call delays in California were partly related to Nigerian cyberattacks.)
The company said it intends to expand its workforce beyond the 966 agents who now handle video-chat verification for the entire country. It has also opened hundreds of in-person identity-verification centers — replicating, in essence, what government offices have done for decades.
Face-scanning software has become an increasingly prominent way for people to access secure corporate and government systems, from work-from-home shifts to air travel to schools and college exams. Ten federal agencies said they are planning to expand their facial recognition capabilities in the next year.
Proponents say the systems are quicker, simpler and more reliable than old verification systems, and they have likened the checks to the increasingly mainstream uses of facial recognition in software such as Face ID, which people can use to unlock their iPhones.
Critics say there’s a big difference between a person deciding to use software, which locks their face data on their phone, and being required to send it to a company that retains control of the data for years. Advocates also have warned that the technical demands of an Internet-connected video camera can unfairly burden the millions of Americans with spotty online access or old phones.
Face-scanning software used to verify whether two images are of the same person, known as “one-to-one matching,” is built to address a simpler challenge than the “one-to-many” systems used by federal agents, immigration officers and the police to pick out suspects or witnesses from databases with millions of faces.
But the technology isn’t perfect, and researchers say identity-verification errors can block a person from accessing vital services or allow an impostor to get through. Even the best systems, they add, can make mistakes when shown blurry, dim or low-quality images. Police facial recognition systems have also been blamed for the wrongful arrests of at least three Black men.
ID.me has attempted to address concerns by publishing technical reports such as a 25-page white paper defending the technology’s use in promoting “access, equity and inclusion,” claiming that “combining algorithms with multiple layers of human review mitigates any potential bias that might arise.”
But Joy Buolamwini, an artificial intelligence researcher whose work in 2018 helped reveal the stark racial and gender biases of major tech companies’ face-analyzing systems, said the company’s reports have misconstrued or failed to cite earlier research into the technology’s failures.
Buolamwini pointed to research in 2019 from the National Institute of Standards and Technology, a federal testing laboratory, that found higher rates of false positives on one-to-one algorithms for Asian and African American faces than Caucasian faces. Depending on the algorithm, those rates could be “10 to 100 times” higher, the researchers said.
ID.me, Hall said, licenses its software from two companies that are “best of breed”: Paravision, for one-to-one matching, and iProov, for detecting whether the face on a video is real or a mask. Paravision’s algorithm has ranked among the better performers in the NIST tests, institute data show. (The companies confirmed they work with ID.me but declined to share terms of the deal.)
“To compare a general result across the field with the specific algorithms we use is simply not appropriate,” Hall said. “If someone is going to bring a false assertion, they need to bring proof that the specific algorithms we’re using do in fact discriminate, because there is zero evidence of that.”
Hall said the company has run internal tests on its software and found no signs of racial or gender discrimination. Those tests, however, have not been published or reviewed by external researchers. Hall said the company has also invited other agencies to corroborate their findings, and that officials with an unnamed state government agency had showed similarly positive results in a recent audit of ID.me’s system. That study is also not yet public.
That lack of transparency has raised its own questions. In a statement Monday, Hall said the company did not use one-to-many matching, calling it “more complex and problematic.” But on Wednesday, he reversed his stance, writing on LinkedIn — in a post first reported by the news site CyberScoop — that the company did, in fact, use it to make sure no one registered multiple identities.
Hall, who served as an Army Ranger, co-founded the company in 2010 as TroopSwap, a military-focused deals site that began verifying veterans’ service for store discounts. In the years since, ID.me has exploded with help from tens of millions of dollars in private investments and public government contracts, largely from states seeking to verify unemployment claims.
In 2017, Hall told The Washington Post that the company wanted to “create a ubiquitous ID network” and thought it was a “fundamental problem that digital identity is in the hands of two advertising companies, Facebook and Google.”
But advertising is a key part of ID.me’s operation, too. People who sign up on ID.me’s website are asked if they want to subscribe to “offers and discounts” from the company’s online storefront, which links to special deals for veterans, students and first responders. Consumer marketing accounts for 10 percent of the company’s revenue.
Buolamwini, now the founder and executive director of the research advocacy group Algorithmic Justice League, said the company should open its system to outside scrutiny and allow its internal tests to be peer reviewed. Improvements to the systems’ precision, she added, should not obscure broader concerns about the risks of any technology that could deny people access to basic government services en masse.
Federal agencies have run facial recognition searches on some official databases created for other purposes, including for driver’s license and passport photos. Private contractors that collect data on Americans can also find themselves targeted by cyberattacks. Thousands of Americans’ face photos were exposed after a surveillance company working with U.S. Customs and Border Protection was hacked in 2019.
“The potential for weaponization and abuse of facial recognition technologies cannot be ignored, nor the threats to privacy or breaches of civil liberties diminished, even as accuracy disparities decrease,” Buolamwini said.