The Internal Revenue Service raised serious red flags about the protection of confidential taxpayer information and fundamental civil liberties when it announced a major expansion of its collaboration with ID.me.
It would have required taxpayers to submit to ID.me a trove of personal information, including sensitive biometric data. While IRS Commissioner Chuck Rettig has since announced the IRS is pursuing short-term options that do not involve facial recognition, we need to know what verification tools the IRS plans on transitioning to, and what data security measures are in place to protect individuals’ privacy when they create or access accounts online. As Ranking Member of the Senate Finance Committee, I have been leading an effort to raise these concerns and questions with the IRS.
At the end of 2021, the IRS announced its intention that starting in the summer of 2022 it would require taxpayers to have an ID.me account to access key IRS online resources, including to check on the status of a return, view balances and payments received, obtain a transcript, and enter into an online payment agreement. As part of the registration process, ID.me requires a considerable amount of personal information, which may include a photo ID, birth certificate, social security card, video "selfie," bills, recorded video interview with an ID.me employee, and more. The most intrusive verification item was the required "selfie," which is much more than simply uploading a picture; it is submitting one's face to be digitally analyzed by ID.me into a "faceprint."
Identity verification is important in benefit-paying programs to prevent fraud. Unfortunately, the IRS has been expanded from a tax collecting agency to a mixed-purpose entity increasingly involved in paying out benefits, including refundable credits to those with no income tax liability. That has put increasing pressure on the IRS to have to root out fraudsters trying to get quick payouts from the IRS. Biometric identity verification at the IRS is not the way to relieve those pressures.
In its most recent announcement, the IRS seems to be backing away from using mandatory biometric data submission or facial recognition to help authenticate people creating new online accounts, but we cannot let up in pressing the IRS to focus on protecting taxpayers’ data and preventing fraud--not exposing taxpayers to unnecessary facial recognition or bank reporting requirements.
The IRS’s expanded use of sensitive information is especially concerning given the government’s unfortunate history of data breaches. Examples are many. They include the U.S. Office of Personnel Management (OPM) breach, where the government failed to protect some of its critical employees' most sensitive identity details; the recent ProPublica leak, which exposed the legally protected confidential taxpayer information of many American taxpayers; and an IRS breach when hackers gained access to the tax returns of over 300,000 people.
To put this in perspective, in 2019, the IRS estimated it faced 1.4 billion cyber-attacks annually. It is highly likely, with personal information on a reported 70 million individuals--including biometric data--ID.me could be a top target for cyber-criminals, rogue employees and espionage.
Americans should not be forced to pay the toll of giving up their most personal information--biometric data--or return to the era of a paper-driven bureaucracy where information moves slow, is inaccurate, and some would say is processed in ways incompatible with contemporary life. It is basically asking Americans to decide which bad outcome they prefer (neither, thank you). I will continue to push back against efforts to require unprecedented levels of confidential, personal data, which would be used simply to meet the responsibilities the federal government places on Americans.