The IRS on Monday announced plans to move away from a third-party facial recognition system that collects biometric data from US taxpayers who want to log into the agency’s online portal.
The IRS says it will abandon the technology, built by a contractor called ID.me, in the coming weeks. The agency says it will instead switch to an “additional authentication process” that does not collect facial images or videos. The two-year contract was worth $86 million.
“The IRS takes taxpayer privacy and security seriously, and we understand the concerns that have been raised.” IRS Commissioner Chuck Rettig said. “Everyone should feel comfortable with how their personal information is protected, and we are quickly looking at short-term options that don’t involve facial recognition.”
The US tax collection agency’s online verification system upgrade, slated for a full rollout this summer, has been heavily criticized for collecting sensitive biometric data from Americans.
Many taxpayers have already found the ID.me system live on IRS.gov, where they were required to submit facial videos to create an online login. If that system failed, taxpayers were placed in long lines to have their identities manually verified in video calls with a third-party company.
On a letter to Rettig, Representatives Ted Lieu (D-CA), Anna Eshoo (D-CA), Pramila Jayapal (D-WA) and Yvette Clarke (D-NY) have raised concerns that allowing a private company to collect facial data from millions of Americans posed a cybersecurity risk. Lawmakers also pointed to the body of research demonstrating that facial recognition systems are often built with inherent racial bias that makes the technology too accurate for non-white faces.
“To be clear, Americans will not have the option of providing their biometric data to a private contractor as an alternative way to access the IRS website,” the lawmakers wrote.
By choosing to deploy facial recognition technology, the IRS has run afoul of privacy hawks, but also the federal government’s General Services Administration, which publicly committed not to implement facial recognition technology unless such a system undergoes “strict review” to assess whether it will cause unforeseen harm. The GSA’s existing identity verification methods avoid the need for biometric data, relying on government record scans and credit reports.