Here’s what’s wrong with an IRS proposal to use facial recognition technology for tax filing
Even if you grant that the IRS use of the technology is appropriately limited, this is potentially the start of what could quickly snowball to many government agencies using commercial facial recognition companies to get around legal limits on their powers.
The U.S. Internal Revenue Service is planning to require citizens to create accounts with a private facial recognition company in order to file taxes online. The IRS is joining a growing number of federal and state agencies that have contracted with ID.me to authenticate the identities of people accessing services.
The IRS’s move is aimed at cutting down on identity theft and the growing number of tax filings from people claiming to be others. Fraud in pandemic relief programs has also been a major concern.
The IRS decision has prompted a backlash, in part over concerns about requiring citizens to use facial recognition technology and in part over difficulties some people have had in using the system. The reaction has led the IRS to revisit its decision.
As a computer science researcher and the chair of the Global Technology Policy Council of the Association for Computing Machinery, I have been involved in exploring some of these issues. There have been a great number of concerns raised over the general use of this technology in policing and other government functions, often focused on whether the accuracy of these algorithms can have discriminatory affects. In the case of ID.me, there are other issues involved as well.
ID.me is a private company that started out with an ID service so that military service members could prove they qualified for discounts at various companies. The U.S. Department of Veterans Affairs began using the technology in 2016.
To use ID.me, a user loads a mobile phone app and takes a selfie — a photo of their own face. ID.me then compares that image to various IDs that it obtains either through open records or through information that applicants provide through the app. If it finds a match, it creates an account and uses image recognition for ID. If it cannot perform a match, users can contact a “trusted referee” and have a video call to fix the problem.
A number of companies and states have been using ID.me for several years. News reports have documented problems people have had with ID.me failing to authenticate them. Also, the system’s technology requirements could widen the digital divide, making it harder for many of the people who need government services the most to access them.
But much of the concern about the IRS and other federal agencies using ID.me revolves around its use of facial recognition technology and collection of biometric data.
To start with, there are a number of general concerns about the accuracy of facial recognition technologies and whether there are discriminatory biases in their accuracy. These have led the Association for Computing Machinery, among other organizations, to call for a moratorium on government use of facial recognition technology.
A study of commercial and academic facial recognition algorithms by the National Institute of Standards and Technology found that U.S. facial-matching algorithms generally have higher false positive rates for Asian and Black faces than for white faces, although recent results have improved. ID.me claims that there is no racial bias in its face-matching verification process.
There are many other conditions that can also cause inaccuracy — physical changes caused by illness or an accident, hair loss due to chemotherapy, color change due to aging, gender conversions and others. How any company, including ID.me, handles such situations is unclear.
A weekly overview of opinions, analysis and commentary on issues affecting Chicago, Illinois and our nation by outside contributors, Sun-Times readers and the CST Editorial Board.
So one question that arises is what level of information the company shares with the government, and whether the information can be used in tracking U.S. citizens. It’s not difficult to imagine a requirement for identification from ID.me or one of its competitors to access government services, get medical coverage and even to vote.
Another issue is who audits ID.me’s cybersecurity? While no one is accusing ID.me of bad practices, security researchers are worried about how the company may protect the incredible level of personal information it will end up with. Imagine a security breach there that released the IRS information for millions of taxpayers.
These are early days for government use of private companies to provide biometric security, and some of the details are still not fully explained. Even if you grant that the IRS use of the technology is appropriately limited, this is potentially the start of what could quickly snowball to many government agencies using commercial facial recognition companies to get around legal limits on their powers.
The U.S. stands at the edge of a slippery slope, and while that doesn’t mean facial recognition technology shouldn’t be used at all, I believe it does mean that the government should put a lot more care and due diligence into exploring the terrain ahead before taking those critical first steps.
James Hendler is professor of Computer, Web and Cognitive Sciences at Rensselaer Polytechnic Institute.
Send letters to firstname.lastname@example.org