The IRS announced plans Monday to back away from a third-party facial recognition system that collects biometric data from U.S. taxpayers who want to log in to the agency’s online portal.
The IRS says it will abandon the technology, built by a contractor called ID.me, in the coming weeks. The agency says it will instead swap in an “additional authentication process” that doesn’t collect facial images or video. The two-year contract was worth $86 million.
“The IRS takes taxpayer privacy and security seriously, and we understand the concerns that have been raised,” IRS Commissioner Chuck Rettig said. “Everyone should feel comfortable with how their personal information is secured, and we are quickly pursuing short-term options that do not involve facial recognition.”
The update to the U.S. tax collection agency’s online verification system, set for a full roll-out over the summer, was roundly criticized for collecting sensitive biometric data on Americans.
Many tax filers already encountered the ID.me system live on IRS.gov, where they were required to submit facial videos to create an online login. If that system failed, tax filers were put into lengthy queues to have their identities manually verified in video calls with a third-party company.
In a letter to Rettig, Reps. Ted Lieu (D-CA), Anna Eshoo (D-CA), Pramila Jayapal (D-WA) and Yvette Clarke (D-NY) raised concerns that allowing a private company to collect face data from millions of Americans posed a cybersecurity risk. The lawmakers also pointed to the body of research demonstrating that facial recognition systems are often built with inherent racial bias that makes the technology far more accurate for non-white faces.
“To be clear, Americans will not have the option of providing their biometric data to a private contractor as an alternative way to access the IRS website,” the lawmakers wrote.
In choosing to roll out the facial recognition technology, the IRS ran afoul of privacy hawks but also the federal government’s own General Services Administration, which has publicly committed to not implement facial recognition tech unless such a system undergoes “rigorous review” to evaluate if it will cause unforeseen harm. The GSA’s existing identity verification methods eschew the need for biometric data, relying instead on scans of government records and credit reports.