When the IRS announced last year that it was working to roll out a government-administered tool to securely grant taxpayers access to online services, it seemed like a triumph for critics calling on the agency to end its controversial partnership with ID.me, a service that largely uses automated facial recognition to verify a taxpayer’s identity.
But a year and another tax season later, the IRS still offers ID.me exclusively with no alternative vendor or in-person options. The lack of progress raises questions about the federal government’s slow rollout of Login.gov and its reliance on a growing industry of private vendors to verify Americans’ identities in order for them to access public services online.
Launched in 2017 to offer the public an easy way to securely log in to federal websites, Login.gov was supposed to streamline the way Americans interact with the federal government. Five years later and more than $187 million in government investment later, however, it still hasn’t been widely rolled out.
In Login.gov’s absence, the IRS started using ID.me, a partnership that went relatively unnoticed until last January when, ahead of tax season, some taxpayers were surprised to find that in order to set up an account with the IRS online they would be required users to submit selfie data to ID.me. The IRS had already used ID.me for the implementation of the enhanced Child Tax Credit earlier that summer but now it would be required to access tax records and payment history. (Taxpayers do not need to have online accounts to file taxes.)
Making matters worse, ID.me’s CEO initially told the public it did not use “more complex and problematic” facial recognition, only to reverse course days later and acknowledge it uses the technology to check users against an internal database in order to detect fraud. The technology, known as 1:many facial recognition, matches images against those in a database and is generally less accurate than 1:1 matching, which compares a user’s face against only their own photo.
After the outcry, the IRS introduced an option to allow taxpayers to verify with a live ID.me agent over video chat instead of submitting biometric data.
The agency described that solution as “short-term” but has still not presented a roadmap for how it plans to transition away from only using ID.me. The IRS did not respond to multiple requests for comment about its transition to Login.gov or its use of ID.me.
Lawmakers have been left in the dark about the IRS’s progress. The Senate Finance Committee requested an update from the IRS on its adoption of alternative services in January.
“The Finance Committee is looking forward to an update from the IRS soon,” said Keith Chu, spokesperson for Sen. Ron Wyden, D-Ore., chair of the Senate Finance Committee. “Senator Wyden’s priority is ensuring Americans aren’t forced to endure hours-long lines or submit to facial recognition scans just to access essential government services.”
Ongoing debate over facial recognition
The government’s use of facial recognition has attracted scrutiny due to the sensitivity of the data involved and the serious implications of when the technology serves up false positives, such as ones that lead to wrongful arrests. Critics often point to a federal study conducted in 2019 showing that facial recognition algorithms were up to 100 times more likely to misidentify Asian and African American individuals than white men. They also note that, unlike information such as a Social Security number, biometric information if breached cannot be changed.
Proponents of the use of facial recognition technology say it has improved significantly in the past five years and that no form of remote identity proofing will be completely error-free. A 2021 National Institute of Standards and Technology study found that in simulated airport conditions, the error rates of the most accurate facial recognition vendors were as low as less than 1% and “error rates are so low that accuracy variations across sex and race are insignificant.” Recent testing shows that factors like aging, photo quality and even the similarities between twins remain barriers to accuracy. Paravision, the vendor used by ID.me, has ranked consistently among the highest-performing vendors in ongoing NIST tests.
The initial concerns with ID.me weren’t just over privacy. There were also complaints from lawmakers and the public over long wait times when using the company’s identity verification tools. In a House Oversight Committee investigation published in November, lawmakers concluded that ID.me inaccurately characterized wait times to conduct identity verification services to the IRS and state partners. ID.me attributed the long wait times to a “massive volume, the impact of COVID, and the lack of modern technology in state governments” and denied intentionally misleading any partners.
ID.me gained popularity during the COVID-19 pandemic as a solution to rampant fraud involving the theft of pandemic relief funds. The most recent estimate by the Government Accountability Office puts losses of pandemic unemployment benefits to fraud at more than $60 billion. The Department of Labor puts total improper payments, which includes fraud, at a floor of $191 billion.
Dozens of states contracted with ID.me (often using federal funds) to help verify record numbers of unemployment claims remotely. However, by the summer of 2021, an increasing number of media reports highlighted the frustrations of individuals struggling to use the technology and enduring hours-long wait times just to get verified and access unemployment benefits.
The IRS, which even before the pandemic was looking for technological solutions to combat growing identity theft-based fraud, awarded ID.me an $86 million dollar contract that June.
In terms of the wait times, ID.me’s chief experience officer David Kensick says that the company has taken steps since last year to reduce delays through a combination of staffing and product enhancements. The company also now allows users to schedule video interviews in advance. According to Kensick, the changes have helped reduce wait times for video interviews by 86% and average wait times are now under 10 minutes.
He told CyberScoop that so far the company hasn’t run into issues with IRS accounts this tax season.
According to ID.me, between 85 to 90% of users coming in through the IRS opt for the company’s automated matching technology. ID.me says that more than 70% of verifications for IRS accounts are successful. ID.me’s in-person verification option is not available to IRS customers.
The long and slow rollout of Login.gov
The lack of action from the IRS comes amid broader concerns about the progress of a national identity verification solution and questions about the readiness of Login.gov, the General Services Administration-led effort. Since Login.gov launched, federal agencies’ adoption has been slow and the product does not currently offer the same level of identity proofing as private-sector competitors like ID.me.
In a May Senate Appropriations Committee hearing, Charles Rettig, who was then IRS commissioner, told committee members that prior to using ID.me, 60% of users were unable to authenticate their accounts without further assistance. He said that Login.gov did not meet the agency’s needs, including its lacking a higher standard of NIST identity proofing verification.
“Login.gov can handle less than 30 transactions per second,” Rettig told lawmakers. “We need more than about 1,500 transactions per second.”
Rettig said that the IRS was working with GSA to meet these standards but it’s unclear how much progress has been made. The IRS expanded its use of ID.me over the summer, requiring tax professionals to migrate accounts to the company from the IRS’s legacy system in order to access services, including e-file applications.
“I’m not surprised that IRS has not shifted a year later,” said Jeremy Grant, coordinator of the Better Identity Coalition and a former NIST official. “Digital identity proofing presents real challenges — particularly when it comes to use cases that require high assurance digital identities — and there aren’t a ton of options in the market that can deliver user-friendly and equitable solutions. And I don’t know that the GSA is in a position to meaningfully change that.”
Login.gov contracts with data broker LexisNexis for identity verification and anti-fraud services, a partnership that has raised concerns from privacy advocates and industry critics. GSA leadership hasn’t ruled out the use of facial recognition in Login.gov in the future and in the fall announced plans to study the potential barriers to equity posed by remote identity-proofing technologies, including facial recognition.
(Both ID.me and LexisNexis are members of the Better Identity Coalition.)
Groups that have called for the government to drop its ID.me contracts still have concerns about the IRS’s reliance on the vendor. “There was really clear opposition to using it and, a year later, not enough has happened,” said Caitlin Seeley George, campaign director at Fight for the Future.
“Any system that tracks and utilizes biometric data is going to have an issue with privacy and data retention and we should be avoiding those systems for those reasons,” she said, also citing concerns about the accessibility of the technology to individuals without strong internet access and the ability of users to meaningfully opt-out.
“Often there are these conversations around facial recognition where they talk about the idea of it being opt-in and that being a method of gaining consent,” she said. “If your two options are to go through facial recognition or to wait in a queue to get on a video with some stranger to have your face cross-checked against your driver’s license, that’s not a meaningful option to people.”
In the interim, ID.me’s partnerships with federal and state governments have grown. Between 2022 and 2023 its number of federal partners increased from nine to 12 and its number of state contracts also increased.
The post A year after outcry, IRS still doesn’t offer taxpayers alternative to ID.me appeared first on CyberScoop.