Early in 2020, a US Treasury Department watchdog warned the IRS that the agency needed to do more to protect against identity fraud. In recent data breaches, the report said, “much of the information the IRS uses to provide assurance of the taxpayers’ identities may have been stolen.”
The pandemic soon underscored the danger. When the IRS launched a web page for taxpayers to enter bank details for stimulus checks, it verified users by asking for data such as a person’s birth date and Social Security number. Some people logged on only to find fraudsters had got there first.
In response to such problems, the IRS adopted a new technology to verify people online: face recognition. Last June, the Treasury entered an $86 million contract with ID.me, which checks a person’s identity by using algorithms to match an image of a photo ID against a video or still selfie. In November, the IRS deployed ID.me for several online services to little public notice.
Then, last month, the IRS’s new security system caught public attention and became a political liability. Taxpayers, activists, and lawmakers complained that face recognition is invasive and can be biased. Monday, the IRS said it would “transition away from using a third-party service for facial recognition,” without specifying an alternate way of protecting taxpayers’ data.
The conflicting pressures on the IRS—fight fraud, but not by checking faces—illustrate a long-standing problem of the online age. On the internet, nobody knows you’re a dog—and proving that you are the dog you say you are is tricky. “The IRS found themselves in a no-win situation,” says Jeremy Grant, a managing director at law firm Venable who previously managed online identity projects at the National Institute of Standards and Technology. “It’s not like there is an obvious solution to this problem sitting out there.”
That problem is known as identity proofing—verifying that a person accessing a service for the first time is who they claim to be.
In person, most people can pull out a government photo ID. Over the phone or internet, companies and government agencies such as the IRS historically used a process called knowledge-based verification. It involves asking detailed questions about the financial and personal history of the account holder, often pulled from a credit agency, on the assumption that only that person could know the answers.
That assumption became less safe in the age of social networks, data breaches, and dark web markets. It got notably less trustworthy in 2015, when files on 22 million people spilled from the the US Office of Personnel Management, and in 2017, when data on 143 million Americans was exposed by an attack on Equifax, a credit agency used by companies and agencies, including the IRS, to underpin knowledge-based identity proofing.
“Pretty much everybody’s personal information has been breached and is available out there to criminals who know where to look,” says Mason Wilder, research manager at the Association of Certified Fraud Examiners. That’s created headaches for many taxpayers, and for the IRS. In 2016, IRS commissioner John Koskinen told Congress that stolen data helped fraudsters use an online “Get Transcript” service to access the information of 724,000 people in the preceding two years, leading to an estimated 250,000 fraudulent returns.
Most PopularThe End of Airbnb in New YorkBusiness
Such problems led the IRS and many others to switch to alternatives, such as sending a code to a phone number checked against credit agency records. They also informed a 2017 overhaul of the federal guidelines for digital identity, which recommended that access to systems that can leak sensitive data or cause financial harm should require verifying a person with a photo ID or a biometric like a fingerprint. The photo check can be done in person, via video chat, or using algorithms that compare images or video of a person’s face to their ID.
ID.me, a Virginia-based startup, pioneered face recognition for identity proofing at government agencies, and in 2018 it became the first provider certified against NIST’s 2017 guidelines. The pandemic has boosted its business. More than two dozen state employment agencies have deployed ID.me since the pandemic began, often touting the service as a way to speed the processing of claims while preventing the fraud that has plagued pandemic aid programs.
Even before the recent outcry about IRS use of ID.me, the company had its critics. Individuals complained of waiting for hours or even months to remedy a failed selfie check; privacy experts pointed out that harvesting selfies creates new vulnerabilities. California’s state auditor said last year that while the company’s system improved processing of employment claims, it rejected an estimated 20 percent of legitimate claimants in its early months of use.
Daniela Urban, executive director of the Center for Workers’ Rights, a Sacramento, California, nonprofit that helps low-wage workers and their families, says that when California’s Employment Development Department adopted ID.me in late 2020 it immediately created “a huge barrier” for many of her clients.
The service’s default workflow required both a smartphone and a laptop or other device, something many low-income people lack. And helping people from a distance became much harder. When clients now call with ID.me problems, Urban and her staff tell them to apply using paper forms instead. “We found this was the easiest workaround, because claimants were spending weeks or months trying to find someone they knew with a computer or phone who could help them,” Urban says.
The IRS did not respond to a query about how it would verify identity without using face recognition. Kathleen Moriarty, chief technology officer at the Center for Internet Security, says the strong backlash to the IRS may prompt security experts and standards-setters to reconsider if or when face recognition is an acceptable way to verify identity online. “Sometimes we come to a place where we have to rethink decisions on how to use technology,” she says.
ID.me’s CEO, Blake Hall, says he has been rethinking some of his own decisions. “There’s a group of users we didn’t account for,” Hall says. “We’re now very aware there’s a need to offer them a pathway too.” ID.me will now let agencies offer people a choice between automated processing with face recognition or a video chat with an agent, a process that was previously only a fallback if face recognition failed. Hall says he is hiring hundreds more agents to staff those chats, but that early tests suggest more than 95 percent of people choose face recognition. The company also has 700 locations for in-person ID verification across the US.
Even before the IRS controversy, at least one federal agency was skittish about using face recognition for online ID checks. The Social Security Administration warned NIST in 2020 of “privacy, usability, and policy concerns” about the technology. “In preliminary testing, we have found a sizable number of customers are uncomfortable submitting a photograph or lack the technical knowledge or hardware to do so successfully,” the agency wrote. It cited concerns about potential bias affecting minority groups and asked that alternatives be permitted. NIST is due to publish an updated draft of its digital identity guidelines this year, and after public comment will finalize it in 2023.
For now, the IRS and other agencies are likely to rely on established but imperfect mechanisms like verification codes sent by text message—despite the growth of “SIM-swapping” attacks that can hijack the process.
Most PopularThe End of Airbnb in New YorkBusiness
In the longer term, the about-face on face recognition at the IRS might add momentum to growing corporate and government interest in mobile driver licenses—digital twins of the conventional plastic card protected with cryptography and loaded onto a smartphone. Online services could then accept a digital credential as proof of identity on the basis that it could only have been obtained by visiting the DMV in person.
Iowa and Utah are both piloting digital driver licenses. Apple has said it is working with those states and six others to offer mobile licenses this year inside the iPhone’s Wallet app, which can also store credit cards and boarding passes. The company says people will be able to present their license at airport security with a tap of a watch or phone. Congress passed legislation in 2020 making way for federal acceptance of mobile driver licenses. The EU is working on a similar digital credential that would work across its member states.
Grant of Venable says asking the government to take a more active role in securing online credentials makes sense. “The government is the only trusted provider of identity, but those credentials are stuck in the world of paper and plastic,” he says. Grant also works with the Better Identity Coalition, an industry group that argues government should create digital identity tools linked to traditional credentials; its members include JPMorgan, Microsoft, and CVS. It supports a House bill introduced last year by bipartisan sponsors that would have directed the White House to establish a task force on digital identity and would have funded state DMVs to digitize their ID cards.
Jay Stanley, a senior policy analyst at the ACLU, last year warned in a report that digital driver licenses could damage citizens’ security and privacy at the same time as enhancing them. Digitizing ID checks could encourage agencies and companies to demand them more often, he says, and create logs of interactions like police stops or doctors’ visits that might inspire new surveillance programs. “The fact we don’t have good digital identity systems can’t become a rationale for rushing to create systems with Kafkaesque fairness and equity problems,” Stanley says.
Digital driver licenses would, like selfie verification, also be difficult for people without smartphones or reliable internet access to use. Asked how digital driver licenses might serve the low-income people she works with in Sacramento, Urban says “I'd prefer non-tech solutions, because that's what my clients need.”
More Great WIRED Stories📩 The latest on tech, science, and more: Get our newsletters!How Bloghouse's neon reign united the internetDoes anyone even want Big Tech's metaverse?Apps and gadgets to help you cope with tinnitusAmerican spy agencies are strugglingThe physics of the N95 face mask👁️ Explore AI like never before with our new database💻 Upgrade your work game with our Gear team’s favorite laptops, keyboards, typing alternatives, and noise-canceling headphones