IRS collected face-scan data from 7M taxpayers, congresswoman says
Feb. 12 (UPI) — The Internal Revenue Service collected facial recognition data from 7 million taxpayers using ID.me software as questions have been raised about how the agency plans to safeguard the biometric data after canceling its contract with the private company.
Senior IRS officials had briefed the House Oversight Committee last week after announcing that the tax collection agency would stop the use of facial recognition technology provided by ID.me to authenticate users accessing its online services just months after implementing the technology.
The IRS entered an $86 million contract with Veterans Tech, the company behind the ID.me services, in June and began directing taxpayers in November to use the technology to verify their identity when accessing certain data online.
The agency gave taxpayers until summer 2022 to continue using their existing credentials to access their data but already received millions of ID.me sign-ups before the contract was canceled over privacy, security and equitable access concerns.
Rep. Carolyn B. Maloney, chair of the House Oversight Committee, sent a letter Friday to IRS Commissioner Charles Rettig noting that she “remained concerned about the ongoing impact” to taxpayers who already handed over their biometric data.
“Under IRS’s records retention requirements, ID.me will continue to possess biometric information on these individuals for seven years before the IRS can request for the information to be deleted,” Maloney wrote.
“As a result, although the IRS may have sought to terminate the contract, those Americans’ highly personal information may continue to be held by a third party outside of the IRS’s direct control-increasing the potential for exposure due to bad actors and other cybersecurity incidents.”
Maloney, D-N.Y., also expressed concerns about the “potential costs to American taxpayers given the agency’s about-face on this multimillion-dollar contract.”
The congresswoman cited an article from Vice which discussed how other users of the technology seeking unemployment benefits have been locked out of important systems because the technology failed to properly identify users.
“Many should-be beneficiaries have had to wait days or weeks to reach an ID.me ‘trusted referee’ who could confirm what the technology couldn’t,” the article reads.
Maloney said IRS officials revealed in the briefing last week that 13% of users since June had difficulty authenticating through the ID.me service “which caused them to be referred to a customer service representative who would attempt to manually verify identity over video chat.”
“This technology remains virtually unregulated, and increasing transparency and accountability is crucial,” she said.
The House Oversight Committee requested the IRS provide it with its contract file with Veterans Tech and address a number of questions regarding how it plans to safeguard the data and how much money has already been spent on the contract, as well as the cost to withdraw from it.
Veterans Tech assured the committee that taxpayers can begin requesting to have their data removed from its services on March 1.