ID.me, the facial recognition technology provider used by the IRS, has a public relations problem on its hands. The controversy stems from its facial recognition methods.
In the world of facial recognition technology, the so-called 1:1 face match, in which a user’s face is matched against a self-provided picture like a selfie, is generally regarded as a safe method, although it has its detractors.
Matching a photo against a lineup of possibilities, known as a 1:many face match, raises a slew of privacy, security, accuracy, and racial bias concerns. ID.me uses 1:1 matching, but its founder, Blake Hall, recently revealed that the company does an initial 1:many match during enrollment for government programs that are frequently targeted by organized crime, like unemployment benefits programs.
Hall says the 1:many matches are done strictly to prevent identity theft, are not for identity verification purposes, and do not involve any external or government databases. But in the days since his comments, the privacy community has been asking ID.me for more information on how the 1:many match works, especially because the company does not use outside databases.
Then again, the company already has a pretty wide-reaching internal database — it provides digital identity services to 70 million Americans, 10 federal agencies, 30 states, and 540 companies.
The ID.me controversy is not good news for the IRS, which has consistently weathered criticism over its recent decision to use ID.me for biometric identification.
The IRS partnered with ID.me in 2017 for a pilot program to verify information provided by taxpayers who had received correspondence from the IRS asking them to verify their identity to process a federal income tax return, also known as a 5071C letter.
From there, the IRS decided to use ID.me for its child tax credit program. In June 2021 it opened a new child tax credit update portal, allowing families to verify their eligibility, receive advance monthly credit payments, and handle related administrative affairs.
Initially, taxpayers could sign in with an existing IRS username or an ID.me account with a verified identity but that will soon change. By this summer all portal users will have to verify their identity with a form of photo identification using ID.me. Those who choose to opt out simply receive their payments in a lump sum after filing tax returns.
The IRS has now decided to use ID.me for several other online services. In November 2021 the agency announced that taxpayers will need to be verified through ID.me for multiple online services, including accessing their online accounts, obtaining transcripts, getting identity protection personal identification numbers, and applying for payment plans. In the meantime, taxpayers will be able to use their old, non-biometric credentials to sign in until September.
Tax professionals will have a new sign-in system opening this summer using ID.me biometric verification to access specific applications, like those used to request powers of attorney or tax information authorizations online.
Taxpayers, too, should expect that more functions will eventually require biometric identification. In a statement, the IRS said that additional applications will transition to ID.me identification over the next year.
These identity verification updates are part of the IRS’s Identity, Credential, and Access Management initiatives to provide more ways for taxpayers to verify their identity and access IRS tools. These updates also suggest the IRS is building a system in which biometric verification is essentially treated as a requirement rather than an option.
But that may change. The IRS reportedly is looking into alternatives to ID.me because of taxpayer concerns, according to CBS News.
The IRS is not alone in pursuing biometric verification. Around the world, tax administrations are adopting biometric identification tools with varying levels of controversy. From these examples, a few common threads emerge that could be instructive for the IRS or any tax administration considering a biometric verification system.
The first is that privacy-wary taxpayers appreciate voluntary systems. They want to feel like they may opt into facial verification systems, as opposed to feeling like they have to opt out if they are uncomfortable. Here, tax authorities are treading lightly and are providing backup options for taxpayers who do not want to engage with biometric identification.
Second, authorities are fielding additional scrutiny over the handling of sensitive biometric data. Taxpayers are concerned about how their data are used and stored and are asking questions.
Third, taxpayers do not want to be penalized if they decline to use a biometric verification system. They want to be able to access the same level of benefits and do not want to be disadvantaged in receiving credits or refunds based on their decision. The IRS’s decision to grant advance child tax credit payments to ID.me users deviates from this.
In Australia the government’s fledgling myGovID digital identity program has enjoyed some momentum since going live in 2019. As of December 2021, 6 million individuals and businesses are using the voluntary system, which was developed by the Australian Taxation Office.
But the next few months may be a trial period, considering that at the end of August 2021 the government incorporated a new, biometric verification component.
The ATO has been working on myGovID for the better part of 10 years, and it replaced the government’s previous AUSkey identification system, which some users complained could not integrate with sophisticated business systems.
The new myGovID system is only available as an app, downloadable from the App Store or Google Play, and asks users to select one of three identity strengths: basic, standard, or strong. Those levels in turn determine whether users can access all or some of the government’s participating online services.
Overall, this tiered system is good news for taxpayers, who can divulge personal information based on their comfort level, and essentially allows them to opt into choosing how much they want to share rather than feeling as though they need to opt out of the entire program.
Basic users simply enter their full name, date of birth, and email address. Standard users must do the same as basic users but also verify at least two Australian identity documents, including a passport, birth certificate, visa, driver’s license, or Medicare card. Strong identity users must verify their passport, another identity document, and verify their photo using face verification. This is a one-off scan that is compared against the user’s passport photo.
The only tax activity that requires a strong profile is applying for a tax file number online. Otherwise, a standard account is the level required for most online services, including online services for agents and businesses.
Like several other countries, the government doesn’t control the biometric identity portion; it outsources the work to iProov, a U.K.-based digital biometric authentication provider that says it will only conduct 1:1 face matching. So far there hasn’t been any controversy over the 1:1 face matching, but the system does have some apparent glitches.
In 2020 two security researchers ran some experiments on the system and found that it is vulnerable to what they say are easily implemented “code proxying attacks.” These attacks allow a malicious website to proxy a person’s myGovID login and reuse that authentication to log in to the person’s account.
The problem is that very perceptive users might notice the activity, but most probably will not, according to the researchers. They shared the information with the ATO, but the office told the researchers that it didn’t plan to fix the issue.
In the meantime, the researchers have warned that users should avoid myGovID until the government makes it more secure. Despite the troubling findings, the fact that the ATO has devised a system in which taxpayers can receive full services without offering their biometric data arguably lessens the impact of the problem and works in the favor of myGovID because taxpayers can simply opt out until they feel like the system is safe.
In 2020 Singapore tapped iProov to provide biometric verification services for the Singpass national digital identity program.
Singpass gives Singaporeans access to online services at over 460 government agencies and private businesses. Singapore launched the program in 2003 and over the years it has modernized it, keeping in line with digital trends.
But the facial verification system was a significant step because it marked the first time that cloud facial verification was used in a national digital ID scheme, according to the government.
In the tax context, Singpass users can file their tax returns online after undergoing a facial biometric scan. That is a significant change from the previous system, in which taxpayers could file their tax returns or view their tax obligations on their mobile phones using a Singpass two-factor authentication system.
But the biometric scan — which is a two-factor authentication option — is not mandatory, and users can continue using other two-factor authentication methods if they prefer.
Like the ATO system, Singpass uses face verification as opposed to face matching, and compares the user’s face to a photo held in the government’s biometric database. But Singapore’s program raises questions about data collection and storage.
The issue is that photos submitted during the face verification process are retained for 30 days on government servers. Considering that the photos are taken for a one-time match, users may question why the government needs to maintain a database of user photos, even if for a brief period. But the government says it keeps the images for audit reasons and does not use them for surveillance or commercial purposes.
Because Singpass is used by private businesses, there are also questions about whether those private parties have access to user data. According to the government, businesses do not have access, because face scans in the Singpass system are tagged with anonymized identifiers, encrypted, and protected with tamper-evident logging. Also, data are accessed and handled securely by the Government Technology Agency of Singapore.
The South African Revenue Service (SARS), which has long suffered from low taxpayer compliance rates, is hoping that technology can help boost voluntary compliance.
It has embarked on a SARS Vision 2024 campaign to increase its technological capabilities. Importantly, SARS is centering its hopes on biometric identity verification.
SARS has worked on some biometric identity verification tools, but the service says they have been limited and mostly involved in-person biometric fingerprint verification in SARS branches. After reviewing its technology options, SARS now wants to expand into multimodal biometric identity verification and authentication of both taxpayers and officials performing transactions.
Biometric identification is important for SARS because it is planning to substantially expand its taxpayer base over the coming years. SARS expects that 15 million taxpayers would initially be subject to biometric identification, but over the next decade the agency hopes to expand that number to 25 million and is open to multiple forms of biometric verification.
At first, it would like to prioritize facial recognition and voice recognition but is open to including other biometric modes later. If SARS succeeds, it will be a creative departure from the facial recognition scans that taxing authorities seem to favor.
As such, SARS in December 2021 closed a request for information on a potential biometric identification system. The service had three objectives in issuing the request:
- making it easy for taxpayers and traders to fulfill their tax obligations;
- detecting taxpayers and traders in noncompliance, and making that noncompliance “hard and costly”; and
- modernizing the SARS systems to provide digital and streamlined services.
Under the request for information, SARS asked about products in the market and their specifications and availability, as well as potential rates, pricing, and delivery timing.
Since closing the process, SARS has offered little information on what is next, but its project will be one to watch over the next two years. It presents another angle different from that of the United States, Australia, and other developed countries: using biometric verification as a tool for building compliance in low-tax environments.
The South African argument for taxpayer flexibility (allowing uncomfortable taxpayers to use non-biometric verification) is a bit challenging, because the perception is that strict biometric methods are needed to induce taxpayer compliance.
The European Union is another area to watch. The bloc now requires member states to issue biometric ID cards containing the holder’s facial image and fingerprints.
The rules, under Regulation (EU) 2019/1157, went into effect in August 2021 and are part of the European Commission’s ongoing strategy to build an EU-wide digital single market.
One benefit of this national ID system is expedited tax return filing in some EU member states, according to the European Commission. At least eight countries — Austria, Belgium, Croatia, Estonia, Luxembourg, the Netherlands, Slovakia, and Slovenia — allow taxpayers to use their national IDs to submit tax returns.
That’s just under a third of the EU’s 27 member states, and the commission is actively encouraging other member states to follow suit. But it remains to be seen which ones will do so, and under what parameters.
On the other hand, India provides an example of the fallout that can happen when tax authorities require biometric verification for tax return filing and do not allow backup options.
India’s national biometric ID system, Aadhaar, is the world’s largest; about 90% of the country’s adults have been scanned into the system, which is mostly used for welfare benefits. Under the system, residents must submit a facial photograph, fingerprints, and iris scans in exchange for a unique 12-digit ID number.
But the government also designed Aadhaar to streamline and simplify governance and help crack down on fraud while improving compliance. As part of that, the government linked Aadhaar to tax return filing in 2017.
Before Aadhaar, the government administered individual tax ID cards that did not contain biometric data. But authorities slowly phased these out because of fraud and evasion concerns.
Court challenges ensued and several petitioners who opted out of the Aadhaar scheme over data privacy and bodily sovereignty concerns argued that the government was trying to seize their bodily information without consent.
Those petitioners scored a partial victory in 2017 when the Supreme Court of India found that the national constitution does in fact have a right to privacy embedded in its guarantee to the right to life and personal liberty. This overturned a roughly 50-year-old ruling that found no constitutional right to privacy.
Relatedly, the Supreme Court ruled that taxpayers who had opted out of Aadhaar could not be forced to participate and could continue to use their tax ID cards. That changed after a subsequent 2018 Supreme Court ruling, Puttaswamy v. India, WP(C) No. 494 of 2012, that affirmed the government’s right to use Aadhaar for tax returns.
The Court found that the government had a legitimate interest in linking the two and ruled that the government could make Aadhaar mandatory for tax returns. It has now done so, under section 139AA of the Income Tax Act, 1961.
Just a few years ago the idea of using biometric data for taxpayer verification seemed far-fetched. But the examples above demonstrate how the idea is gaining favor with tax authorities for various reasons.
Although biometric verification is a controversial and difficult sell, it is possible, and the countries that have succeeded in doing so prove that authorities can persuade privacy-conscious taxpayers on a difficult idea if they do two things outside of standard data privacy guarantees. First, they must offer a little flexibility, and second, they must treat their access to biometric data as a privilege and not a right.