Facial recognition has long been a divisive issue.
Proponents say the technology is an effective tool for catching bad guys and verifying who we say we are. Critics counter that it is an invasion of privacy, potentially inaccurate and racially biased — and may even result in wrongful arrests. Because of the complexity of the issue, AARP has not taken a position at this time.
As a consumer, you may welcome the ease of unlocking your smartphone by showing your face. However, you may be less keen about the prospect of having to upload a selfie and use your mug to access tax data online. Yet that was what the Internal Revenue Service had been asking people to do — until the agency announced a change in plans in early February.
IRS moves away from facial recognition
Under a controversial new identity verification process that had been scheduled to kick in this summer, taxpayers who wanted to log in to IRS.gov would have provided a photo from a driver’s license, state ID or passport and have it matched against an uploaded selfie captured via smartphone or webcam.
The IRS was planning to use a private Virginia-based verification company called ID.me that has its facial recognition technology in use at other federal agencies and in 30 states, in some instances to verify the identities of people filing unemployment insurance claims.
ID.me says its technology helps combat fraud perpetrated by people using fake identities, and that it has prevented the loss of hundreds of billions of dollars in government benefits over the past 18 months. The company’s accounts are also used to verify the identity of military veterans so that they can earn discounts on products ranging from Oakley sunglasses to HP laptops.
But critics such as Caitlin Seeley George, campaign director at the Boston-based digital advocacy group Fight for the Future, called for the IRS to halt the plan.
“Unlike a Social Security number or credit card number, you can never change your face.”
“This is an example of just how facial recognition has spread widely to a point where it is touching so many parts of really everyone’s lives,” George said before the IRS announcement. “In this specific case, it’s really raised to a level of concern because everyone has to do taxes.”
She worried that a database of biometric scans, images of government IDs and those selfies would “more than likely be shared with different departments within the government” and also become a huge target for hackers, she said. George was concerned that ID.me’s privacy language was “obviously very vague and unsettling,” suggesting that it retains the right to share data with other partners under certain circumstances.
ID.me declined an AARP request for an interview. Instead, the company directed AARP to its blog, where a distinction was made between one-to-one (1:1) facial recognition, which is similar to the way you unlock a smartphone, and one-to-many (1:many), in which a photo of your face is compared with others in a database.
“Selfies are critical to verifying identity and preventing fraud,” the company wrote. “We use ‘1:1’ matching for identity verification, and ‘1:many’ for fraud detection. We do not share selfies with any government agency unless fraud is detected.”
ID.me added that “1:many is internal to ID.me and does not involve any external or government database. It occurs once during enrollment and exists to make sure a single attacker is not registering multiple identities. The selfie is turned into a mathematical representation of a face and then compared against multiple accounts to see if a single person has registered multiple different identities that do not belong to them.”
As part of a LinkedIn post in late January, ID.me founder and CEO Blake Hall wrote: “We avoid disclosing methods we use to stop identity theft and organized crime as it jeopardizes their effectiveness.”
But after the IRS backed away from its facial recognition plans, Hall also retreated. He announced that ID.me would provide its government clients an alternative verification option that does not involve facial recognition.
New manual review offered
ID.me in late February put together what it is calling a Human in the Loop team of reviewers to weigh in if an ID card or selfie match is rejected during the automated process with the company’s government partners. If the information passes this manual review, users can continue identity verification through the automated process. If the document or selfie doesn't pass muster, then users are directed to a one-to-one live video chat to verify with a human agent.