IRS has second thoughts about selfie requirement

The Internal Revenue Service is backing away from a proposed requirement that people submit selfies to access their information on the agency's website.

First of all, to be clear: The IRS was not requiring that every taxpayer filing a return submit a selfie. It was only to verify the identities of people seeking to set up an account with the IRS to see their past returns or get information about child tax credit payments.

Still, it's an overreach, says Emily Tucker, director of the Center on Privacy and Technology at Georgetown Law.

"The consequences of not agreeing to give up a photo of yourself, which is then stored in a corporate database, which is protected only by that corporation's own easily changeable privacy policies, is that you may not be able to comply with federal tax law under some circumstances," she told NPR.

The IRS says because of a lack of resources, it contracted out the identity verification to a Virginia-based company called ID.me. That is where taxpayers would have submitted their photos to, and that is where the photos would have been kept.

Jeramie Scott, senior counsel at the Electronic Privacy Information Center, says one of the problems with outsourcing this information is whether it's kept safe. "What it does is create another kind of target for criminals. Obviously, data breaches are a big issue. And, you know, the more areas that sensitive information is, the more likely it [will] be the target of a data breach."

18 federal agencies use some sort of facial recognition technology

ID.me says it does not sell the personal information of its users. "We do not sell data. Period. We will never sell data," ID.me co-founder and CEO Blake Hall told NPR. "Our mission as a company, the reason we exist, the reason I founded this company, is to put people in charge of their own information and to get it out of the hands of data brokers and credit bureaus, many of which are owned by foreign corporations."

And the IRS is not alone in using the company; 10 other federal agencies do, as well as many states, according to the company's website. A Government Accountability Office report last summer found that overall, 18 federal agencies use some sort of facial recognition technology, including law enforcement to spot criminals and Customs and Border Protection to check the identities of people entering the United States.

And its widespread use is part of the problem for privacy advocates like Scott. "You no longer have control over identity," Scott says. "And when that infrastructure is in place, it just takes, you know, a few bad actors to really kind of muck things up."

Scott also notes that research has shown that "to varying degrees, some of these algorithms have a racial bias and do not work as well on people of color."

But Hall says that while early algorithms were biased, that's no longer the case.

"The question now is not whether they're accurate — they're unbelievably accurate. The question is how they're used," he says.

Not everyone thinks facial recognition technology is a bad idea. Ashley Johnson, a senior policy analyst at the Information Technology and Innovation Foundation, which is partially funded by the tech industry, says as long as safeguards are in place, it can be a useful tool.

"I would say that it can definitely have a lot of great benefits for users and for the organizations that are using them," she says.

But she cautions that the government needs to step up its cybersecurity protections. "There have been many high-profile data breaches of various different government agencies in the past that have involved government employees' employment information being stolen, citizens' information being stolen," Johnson says. "And this is the real privacy concern, in my opinion, just based on the history that we've seen of this happening in the past."

In a statement on its website, ID.me says its face match is comparable to taking a selfie to unlock a smartphone. But the company admits it also uses a form of verification called "1:many" in which it compares the submitted picture with an array of other photos. It says it does this for government programs targeted by organized crime.

Some in Congress are pushing back on the IRS' use of facial recognition software

Senate Finance Committee Chairman Ron Wyden, D-Ore., tweeted that he is "very disturbed" by the IRS plan and that "no one should be forced to submit to facial recognition as a condition of accessing essential government services." In a letter to IRS Commissioner Charles Rettig, Wyden wrote that "it is simply unacceptable to force Americans to submit to scans using facial recognition technology as a condition of interacting with the government online, including to access essential government programs."

And one lawmaker, Rep. Bill Huizenga, R-Mich., has proposed legislation forbidding the IRS from using facial recognition software, calling it "a huge mistake" by the agency and raising questions about its constitutionality.

ID.me's Hall says, "You can't hate everything. You know, if you hate government benefits [fraud] and identity theft fraud, then you can't be against the selfie. If you hate wait times and long processing things and bad customer service, then you can't hate the gains brought by automation."

Still, the IRS says it will be "transitioning away" from using ID.me to verify its accounts in the coming weeks.