To address privacy and security concerns related to the IRS’s plan to use facial recognition on millions of Americans who use the agencies website, lawmakers urged the agency to reverse its decision and halt its work with facial-recognition identity verification provider, ID.me.
Facial recognition technology is polarizing in general, and for many the concept of the government trusting a third-party to manage such personal data is unacceptable. For many others, the concept of the government itself having facial recognition data is equally unacceptable.
It’s clear that there are a number of potential and unresolved issues with the selected vendor. While the immediate emphasis is on stopping the process from moving forward, time should be spent on how a vendor was selected with all these apparent issues.
Last edited 1 year ago by Tim Erlin
Lecio DePaula Jr , FIP, CIPM, CIPP/US, CIPP/C, CIPP/E, Data Privacy Director
InfoSec Expert
February 8, 2022 2:25 pm
Requiring American citizens to submit a government issued ID as well as a video to verify to the IRS portal is extremely privacy intrusive as that data would then be stored and processed by the third party contractor — which may be using data for a variety of other purposes (potentially sharing to law enforcement). This is one of those cases where the ends do not justify the means. The portal can be just as secure by leveraging strong password requirements as well as two-factor authentication for the end users, which is a much more inexpensive, less intrusive and unbiased way to secure the portal without needing to leverage a third party. I hope the portal begins to head in the right direction because once one government agency adopts a standard, others begin to follow. If the United States had a robust privacy law which protected the biometric information of individuals, that would be a different situation. However, without any protection for the data of American citizens, adopting this technology at this scale would be privacy malpractice.
Facial recognition technology is polarizing in general, and for many the concept of the government trusting a third-party to manage such personal data is unacceptable. For many others, the concept of the government itself having facial recognition data is equally unacceptable.
It’s clear that there are a number of potential and unresolved issues with the selected vendor. While the immediate emphasis is on stopping the process from moving forward, time should be spent on how a vendor was selected with all these apparent issues.
Requiring American citizens to submit a government issued ID as well as a video to verify to the IRS portal is extremely privacy intrusive as that data would then be stored and processed by the third party contractor — which may be using data for a variety of other purposes (potentially sharing to law enforcement). This is one of those cases where the ends do not justify the means. The portal can be just as secure by leveraging strong password requirements as well as two-factor authentication for the end users, which is a much more inexpensive, less intrusive and unbiased way to secure the portal without needing to leverage a third party. I hope the portal begins to head in the right direction because once one government agency adopts a standard, others begin to follow. If the United States had a robust privacy law which protected the biometric information of individuals, that would be a different situation. However, without any protection for the data of American citizens, adopting this technology at this scale would be privacy malpractice.