IRS to drop biometric requirement for online access – Krebs on Security
The internal revenue department (IRS) today said it will stop requiring biometrics from taxpayers who want to access their records on the agency’s website. The reversal comes as privacy experts and lawmakers have pushed the IRS and other federal agencies to find less intrusive methods to validate one’s identity with the US government online.
Late last year, the IRS login page was updated with text advising that by summer 2022, the only way for taxpayers to access their records on irs. gov will be by ID.mean online identity verification service that collects biometric data, such as live facial scans using a mobile device or webcam.
The IRS first announced its partnership with ID.me in November, but the press release received virtually no attention. On January 19, KrebsOnSecurity published the story IRS will soon require selfies for online access, detailing a difficult experience registering for IRS access via ID.me. This story immediately went viral, bringing this site an almost unprecedented amount of traffic. A tweet about it quickly garnered over two million impressions.
It was clear that most readers had no idea that these new, more invasive requirements were being put in place at the IRS and other federal agencies (the Social Security Administration is also directing new ID.me registrations).
ID.me says it has around 64 million users, with 145,000 new users signing up every day. Yet the bulk of these users are people who were forced to register with ID.me as a condition of receiving state or federal financial assistance, such as unemployment insurance, child tax credit and pandemic assistance funds.
In the face of COVID, dozens of states have collectively lost tens of billions of dollars to identity thieves posing as unemployed Americans seeking unemployment insurance. Some 30 states and 10 federal agencies now use ID.me to detect identity thieves applying for benefits in someone else’s name.
But ID.me has been problematic for many legitimate applicants who have had their benefits denied or delayed because they couldn’t complete ID.me’s verification process. Critics accused the IRS plan of unfairly disadvantage people with disabilities or having limited access to technology or the internet, and that facial recognition systems tend to be less accurate for people with darker skin tones. dark.
Many readers were appalled that the IRS was asking people to turn over their biometrics and personal data to a private company that started in 2010 to help veterans, teachers and other public servants qualify for retail discounts. These readers had reasonable questions: Who has (or will have) access to this data? Why should it be stored indefinitely (post verification)? What happens if ID.me is hacked?
The Washington Post reported today that in a meeting with lawmakers, IRS officials said they were considering an alternate identity verification option that would not use facial recognition. The same time, Chairman of the Senate Finance Committee, Ron Wyden (D-Ore.) challenged the Treasury Department and the IRS to reconsider biometric requirements.
In a statement today, the IRS said it was discontinuing the use of a third-party facial recognition service to help authenticate people creating new online accounts.
“The transition will take place over the next few weeks to avoid greater disruption for taxpayers during filing season,” the IRS said. “During the transition, the IRS will quickly develop and bring online an additional authentication process that does not involve facial recognition. The IRS will also continue to work with intergovernmental partners to develop authentication methods that protect taxpayer data and ensure broad access to online tools.
“The IRS takes taxpayer privacy and security seriously, and we understand the concerns that have been raised,” the IRS commissioner said. chuck rettig wrote. “Everyone should feel comfortable with how their personal information is secured, and we are quickly looking at short-term options that don’t involve facial recognition.”
The statement further emphasized that the transition announced today does not interfere with the taxpayer’s ability to file their return or pay taxes owed. “During this time, the IRS will continue to accept tax returns, and it has no further impact on the current tax season,” the IRS said. “People should continue to file their taxes as they normally would.”
It remains unclear what other service or method the IRS will use in the future to validate the identity of new account registrations. Wyden and others urged the IRS to use Login.gov, a single sign-on service that Congress required federal agencies to use in 2015.
“Login.gov is already used to access 200 websites operated by 28 federal agencies and more than 40 million Americans have accounts,” Wyden wrote in a letter to the IRS today. “Unfortunately, login.gov has yet to reach its full potential, in part because many agencies have flouted Congress’s mandate to use it, and because successive administrations have not prioritized digital identity The cost of this inaction has been billions of dollars in fraud, fueling a black market for stolen personal data and allowing companies like ID.me to market what should be a service basic government.
Login.gov is operated by the United States General Services Administration, who told The Post that he had “committed not to deploy facial recognition … or any other emerging technology for use with government benefits and services until rigorous review gives us assurance that we can do it fairly and without harming vulnerable populations. ”