Agencies shouldn't use facial recognition for ID verification, groups say

A coalition of human rights and tech organizations are calling on government agencies to stop using identity verification vendor ID.me or other identity verification tools that use facial recognition.

The Internal Revenue Service announced last week it would stop using ID.me, which has historically relied on facial recognition for identity proofing, although it recently announced it would offer other options. The IRS had received pressure both from outside groups and from Capitol Hill. 

"We call on other federal and state government agencies using or considering use of ID.me to follow suit and cancel the use of ID.me and other facial verification tools," the Feb. 14 open letter states. "This third-party technology should not be forced upon individuals by government agencies."

The letter, led by the Electronic Privacy Information Center with the Algorithmic Justice League and Fight for the Future, has 46 signees including the American Civil Liberties Union and the Project on Government Oversight.

ID.me has at least 10 federal agency customers including the IRS, Social Security Administration and the Department of Veterans Affairs. The firm also works with over 20 states for their unemployment insurance programs and is known in the government contracting community as the credential needed to log into the System of Award Management.

The biggest issue, the group writes in the recent letter, is that "there is no comprehensive law regulating the collection, use, disclosure and retention of biometric data."

The group also outlines concerns with bias in facial recognition technology, particularly a 2019 study by the National Institute of Standards and Technology that found that the majority of facial recognition systems have demographic bias, and ID.me's backtracking as to what type of facial recognition it uses. 

Additionally, the groups are concerned about the security of end users. 

"The use of a third-party face verification service also creates needless security issues facilitated by government agencies forcing individuals to hand over biometric data to a private company," the letter states.

Last week, ID.me announced that it's no longer requiring biometrics as the only option for identity verification through the company.

Government agencies that work with the vendor will be able to offer the option to work with an ID.me employee to verify their identity via video chat or in-person without submitting any selfies.

ID.me also announced that people will be able to delete their photo used for ID.me verification beginning March 1. A spokesperson for ID.me told FCW that deletion will take place seven days after users submit a request.

But the groups are concerned that the non-facial recognition option is only offered if agencies specifically procure it, and they point to a history of delays among end users trying to get verified through human operators at ID.me. 

Questions also remain about how the company and the IRS will move forward. 

"We're continuing to push for some sort of investigation into the partnership between ID.me and the IRS and other government agencies," said Caitlin Seeley George, campaign director at Fight for the Future, a nonprofit digital rights advocacy group.

Lawmakers are also continuing to ask questions. Sen. Robert Menendez (D-N.J.), Catherine Cortez Masto (D-Nev.), Cory Booker (D-N.J.) and Alex Padilla (D-Calif.) sent a letter to IRS Commissioner Charles Retig on Tuesday. 

They asked for the IRS and ID.me to spell out if facial recognition will still be available during the 2022 tax season; for a list of law enforcement agencies that have access to the company's biometrics and for both to contact taxpayers to tell them about their ability to delete selfies. 

It is also unclear how the data deletion will work.

Although ID.me has announced the new options for deleting biometrics, the company's privacy policy, updated Feb. 4, says that the company's retention policy is seven and a half years for legal, contractual and policy obligations. 

The company also notes that while an individual can seek deletion of images and other data, they "may keep track of certain information if required by law." The website also states that "may be impossible for us to completely delete all of your information because we periodically back-up information."

A press representative for ID.me told FCW that the company will be updating it's FAQ pages and privacy policy to reflect recent changes.

It's also currently unclear if Americans who've been verified through ID.me already to access IRS online services will be able to continue to access them as the IRS moves away from ID.me. The IRS did not respond to requests for comment.