WASHINGTON (KTVZ) — In a letter sent Thursday to Internal Revenue Services Commissioner Charles Rettig, Oregon Senator Jeff Merkley and Missouri Senator Roy Blunt demanded the IRS immediately discontinue any programs that collect, store, and use any type of biometric data to identify American taxpayers.
The lawmakers’ letter comes after the IRS announced that they will be requiring users to undergo facial recognition scans in order to access basic government services and tax information.
In the letter, Merkley and Blunt raise their concerns about taxpayers’ loss of privacy and control of their sensitive biometric data, given the involvement of a third party vendor and the IRS’ poor history of protecting taxpayer information, citing incidents as recent as last year. They also note that there are reports of facial recognition’s propensity to misidentify people of color and women.
The two senators urge the agency to continue looking for a consistent, safe, non-invasive, and reliable way to verify taxpayers’ identities.
“We are especially concerned about the IRS outsourcing biometric verification to third party vendor ID.me,” wrote the senators. “Taxpayers will be required to capture and send a live, video ‘selfie’ of themselves to this third party in order to access fundamental government services at IRS.gov. This process will be burdensome, invasive, and potentially impossible for taxpayers who do not have the proper equipment or knowhow to ’download an app’ or ’take a selfie.’
“While taxpayers should never be driven to a laborious third party process to access fundamental government services, this is especially true for IRS.gov, which was one of the federal government’s most highly trafficked websites in 2021,” they continued. “With expectations of an especially congested tax filing season this year, more taxpayers than ever are likely to seek online services and in turn face intrusive biometric data requirements.”
Merkley and Blunt have also led bipartisan efforts to ensure American citizens know their right to opt out of federal programs that use sensitive biometric data. Last month the two Senators teamed up on a letter addressing the use of biometric data and facial recognition within U.S. Customs and Border Protection (CBP) entry/exit programs.
The lawmakers have asked the following questions, requesting answers by February 28, 2022:
1. Will the IRS stop its use of facial recognition technology? If so, will the IRS commit to following a specific timeframe for elimination of this practice?
2. How does the IRS currently ensure that a taxpayer’s biometric facial data is adequately stored and protected after it is sent to ID.me? If the program is discontinued, how will the IRS ensure the data is permanently deleted and not compromised or made public?
3. What are all the methods used by ID.me to verify the identity of a taxpayer, including methods other than one-to-one matching? Can the IRS ensure ID.me has not used one-to-many technology?
4. What measures are ID.me and the IRS taking to prevent this data from cyberattacks or any other form of unauthorized distribution or release?
The full letter can be viewed below:
###
February 3, 2022
Dear Commissioner Rettig,
We write to ask the Internal Revenue Service (IRS) immediately discontinue any programs that collect, process, and store facial recognition or other types of biometric data of American taxpayers. In addition, we urge the IRS to implement a comprehensive ban on the use of such biometric data collection at the agency.
The IRS has a poor record of protecting taxpayer data. Just last year, the website ProPublica published a series of articles that appeared to be based on confidential taxpayer information held by the IRS. The IRS has not announced if this data was leaked or hacked or if steps have been taken to prevent another data breach. In 2015, criminals used the “Get Transcript” tool on the IRS website to steal the tax documents of over 700,000 American taxpayers. We understand the IRS is searching for new ways to provide better service to taxpayers, but requiring taxpayers to capture and deliver their most sensitive biometric data is an egregious accessibility and privacy concern.
We are especially concerned about the IRS outsourcing biometric verification to third party vendor ID.me. Taxpayers will be required to capture and send a live, video “selfie” of themselves to this third party in order to access fundamental government services at IRS.gov.
This process will be burdensome, invasive, and potentially impossible for taxpayers who do not have the proper equipment or knowhow to “download an app” or “take a selfie.”
While taxpayers should never be driven to a laborious third party process to access fundamental government services, this is especially true for IRS.gov, which was one of the federal government’s most highly trafficked websites in 2021. With expectations of an especially congested tax filing season this year, more taxpayers than ever are likely to seek online services and in turn face intrusive biometric data requirements.
Additionally, ID.me has a history of user complaints when technology was used by state unemployment agencies for identity verification. For example, there are numerous reports of users facing delayed disbursements of their unemployment benefits during the COVID-19 pandemic due to technical problems during the verification process. Further, given data showing that facial recognition technology is more likely to misidentify people of color and women, there is a concern that IRS’ use of the technology could disproportionately burden certain groups. Given these technical issues surrounding facial recognition technology, we strongly urge the IRS to pursue alternative avenues to protect taxpayer privacy and streamline services.
Please respond to the following questions by February 28, 2022:
1. Will the IRS stop its use of facial recognition technology? If so, will the IRS commit to following a specific timeframe for elimination of this practice?
2. How does the IRS currently ensure that a taxpayer’s biometric facial data is adequately stored and protected after it is sent to ID.me? If the program is discontinued, how will the IRS ensure the data is permanently deleted and not compromised or made public?
3. What are all the methods used by ID.me to verify the identity of a taxpayer, including methods other than one-to-one matching? Can the IRS ensure ID.me has not used one-to-many technology?
4. What measures are ID.me and the IRS taking to prevent this data from cyberattacks or any other form of unauthorized distribution or release?
American taxpayers expect and deserve that the IRS take the necessary steps to protect their privacy. We are awaiting your swift response to our inquiry. Thank you.
Sincerely,