Huge government agencies battle it out to mandate facial recognition

The Internal Revenue Service headquarters building on April 27, 2020, in the Federal Triangle section of Washington, DC (Chip Somodevilla, Getty Images/TNS)

Even as the Internal Revenue Service and other federal agencies push to force Americans to consent to facial recognition to log into government websites, the government’s central management office has refused to use the technology on its own secure login service, Login.gov.

The General Services Administration, which oversees federal offices and technology, says face-scanning technology is too problematic to justify its use as an identity verification service.

Dave Zvenyach, director of GSA’s technology transformation services, told the Washington Post that the agency “is committed to not deploying facial recognition…or any other emerging technology for use with government benefits and services.” until rigorous review gives us confidence that we can do so fairly and without harming vulnerable populations. »

Last year, the Treasury Department awarded a two-year, $86 million contract to a private contractor, ID.me, that would require taxpayers to send in video scans of their faces before they could verify their identity and access to their online tax records. The plan is expected to come into effect this summer.

The contract caused a storm because facial recognition systems are unregulated in the United States and have been shown in federal tests to work less accurately for people with darker skin tones. Members of Congress and privacy advocates have also expressed concern that the systems could infringe on Americans’ right to privacy or unfairly disadvantage those without access to a smartphone, camera laptop or the Internet.

GSA’s Login.gov already provides login services to 200 websites operated by 28 federal agencies and has been used by more than 40 million people. It was built and is operated by government employees to perform the same tasks as ID.me by relying on more traditional methods of identity verification, such as scanning government records and credit reports.

IRS officials visited Capitol Hill on Friday after details of the IRS plans were published by the Washington Post and other media, drawing criticism from Democrats and Republicans. According to a Treasury Department official and two others who spoke on condition of anonymity because they were not authorized to speak publicly, the officials told members of Congress that they were actively considering an option to identity verification that does not use facial recognition.

Two people familiar with the discussions told the Post that IRS officials did not elaborate on the alternative being considered during a Friday briefing to a bipartisan group of senators.

The GSA’s opposition to the use of facial recognition technology underscores broader tension within the federal government over a technology that is rapidly gaining adoption amid promises it will boost security and combat fraud, despite many questions about its accuracy and the lack of government regulations governing its use.

In a letter sent Monday to IRS Commissioner Charles Rettig, Sen. Ron Wyden, D-Ore., said the IRS should reverse its decision, calling it “simply unacceptable to force Americans to submit to scans using facial recognition technology as an interaction condition”. with e-government.

Wyden urged the IRS and other agencies to use Login.gov, saying it was already experimenting with ways to verify a person’s identity without facial recognition through in-person partnerships with the US Postal Service and Veterans. Wyden called for the expansion of these government pilots, alongside a call center operation to verify people through video calls.

Wyden noted in the letter that Congress first required federal agencies to use a single sign-on service in 2015 and blamed the limited adoption of Login.gov on agencies unaware of Congressional mandate and presidential administrations. not having “prioritized the digital identity”.

This inaction, Wyden said, enabled billions of dollars in fraud, fueled a market in stolen personal data, and “allowed companies like ID.me to market what should be a basic government service.”

“The infrastructure that powers digital identity, especially when used to access government websites, should be managed by the government,” he wrote. Treasury officials declined to comment on the letter.

Wyden’s letter followed three others last week sent by members of Congress to IRS leaders calling for an immediate halt to the facial recognition plan.

A group of Senate Republicans on Thursday cited the government’s “unfortunate history of data breaches” and criticized the IRS for “unilaterally deciding to allow an outside contractor to stand as the gatekeeper between citizens and necessary government services”.

The senses. Jeff Merkley, D-Ore., and Roy Blunt, R-Mo., called the plan to require “taxpayers to capture and provide their most sensitive biometrics … a glaring accessibility and privacy concern.” confidentiality”.

And Sen. Roger Wicker, R-Miss., urged the IRS to “treat its responsibility to protect the privacy and security of U.S. taxpayer data with the utmost seriousness.”

On Monday, four House Democrats – Representatives Ted Lieu of California, Yvette Clarke of New York, Pramila Jayapal of Washington and Anna Eshoo of California – joined the critics, writing a letter calling it “simply coercing millions of Americans to trust this new protocol” and urging the IRS to consult “a wide variety of stakeholders before deciding on an alternative”.

ID.me, a private company based in McLean, Va., manages identity verification systems for hundreds of companies, 30 states and 10 federal agencies that have used the software to check for fraud among beneficiaries of the unemployment insurance, pandemic assistance grants, and child tax credit payments.

ID.me officials said in a statement Sunday that they are “committed to working with the IRS to implement the best identity verification solutions to prevent fraud, protect Americans’ privacy, and ensure fair and unbiased access to government services”.

The company said that people’s data is encrypted and protected, that it uses a face scanning algorithm that is “exceptionally accurate with incredibly small variations between demographic groups and skin color”, and that the company is “flexible to adapt to feedback from policy makers.”

The company is committed that personal data collected for government identity verification will not be used for promotional purposes. ID.me does, however, allow advertisers to offer special discounts to people who have opted in to the service, and consumer marketing accounts for 10% of its revenue.

Treasury officials have argued they need to look beyond Login.gov, which calls itself “the only public account for government,” on the grounds that facial recognition is a gold standard for verifying credentials. ‘identity.

A person familiar with IRS practices, who spoke on condition of anonymity because she was not authorized to speak publicly about internal discussions, said the agency assessed five companies and chose ID.me as he was the only candidate to meet the agency’s security requirements. The lack of facial recognition in Login.gov, the person said, was seen as a deal breaker, given the increased risk of identity theft and IRS fraud.

Federal guidelines released in 2017 by the Department of Commerce’s National Institute of Standards and Technology urged agencies to follow identity verification standards, called “Identity Assurance Level 2,” which include the collection of facial image, fingerprint or other “biometric sample” of a person, either in person or remotely, to help combat fraud.

ID.me has offered services in line with these standards to 30 states and 10 federal agencies, including signing a contract with the Department of Veterans Affairs in 2019 potentially worth $58 million.

Login.gov, the government’s internal system, was launched in 2017 and relies on “a variety of authentication and identity verification methods,” Zvenyach said. In December, the GSA awarded a $34 million contract to two companies, including data broker LexisNexis, for access to the vast trove of public records it has collected about the lives of Americans.

To create a Login.gov account, a person is asked to upload an image of a government-issued ID and provide a phone number whose account is linked to their name.

ID.me advocates say their system offers benefits beyond Login.gov, including the ability to connect via live video call to an ID.me employee for verification. But many who went through this process complained of hours-long wait times, and the company said it employed fewer than 1,000 video chat agents nationwide.

The inner workings of ID.me will also be subject to less oversight than a government-run project bound by public records laws, privacy advocates say. No federal law governs how facial recognition works.

The IRS announced last week that it was ready to receive the first tax returns on 2021 earnings.

Ashley C. Reynolds