IRS Announces New Biometric Requirements for Tax Account Access as World Marks Data Privacy Day

File your taxes. But first, Americans may need to take a selfie. That’s the news this week when the U.S. Internal Revenue Service announced that to access IRS tax accounts later this year, individuals will need to record videos of their faces and send it to a private contractor—ID.me—to confirm their identity.

The IRS contracted with ID.me and launched the identify verification program in November 2021 as a way to improve the sign-in process and enable secure access for IRS services, including Child Tax Credits, online accounts, transcripts, Identity Protection PINs, and online payment agreements. 

“Identity verification is critical to protect taxpayers and their information,” said IRS Commissioner Chuck Rettig in a statement. “The IRS has been working hard to make improvements in this area, and this new verification process is designed to make IRS online applications as secure as possible for people.”

ID.me has faced scrutiny for how effective its technology is and the method that it uses to authenticate an individual. CEO Blake Hall previously claimed that ID.me used a 1:1 face match system, similar to the approach that a smartphone uses to unlock a device. In a LinkedIn post on Wednesday originally reported by CyberScoop, however, Hall said the company uses 1:many facial recognition. 

“ID.me uses a specific '1 to Many' check on selfies tied to government programs targeted by organized crime to prevent prolific identity thieves and members of organized crime from stealing the identities of innocent victims en masse,” Hall wrote. “This step is internal to ID.me and does not involve any external or government database. It occurs once during enrollment, and exists to make sure a single attacker is not registering multiple identities.”

CyberScoop reported that ID.me’s database is made up of images that are uploaded to the company. “ID.me retains selfies uploaded during the verification process for seven and a half years after an account is closed, per federal guidelines,” CyberScoop explained. “Biometric information is shared with a government agency ‘when there is apparent fraud and identity theft tied to the account associated with the agency, according to the company’s response.” 

The IRS is not the only U.S. government agency requiring selfies to access accounts. The Social Security Administration and 19 others use a digital identity system called Login.gov from the General Services Administration to require selfies to verify a person’s identity.

“ID.me is supplying something many governments ask for and require companies to do,” said Elizabeth Goodman, who previously worked on Login.gov and is now senior director of design at federal contractor A1M Solutions, in an interview with WIRED.

Other government agencies in Denmark, New Zealand, and the United Kingdom also use similar methods to verify digital identities to access government services. “Many international security standards are broadly in line with those of the United States, written by the National Institute of Standards and Technology," WIRED explained.

But the change in login and verification procedure is raising alarms for researchers and privacy advocates who have expressed concern about how the facial images and personal data sent to ID.me will be protected.

“There is no federal law regulating how the data can be used or shared,” according to The Washington Post. “While the IRS couldn’t say what percentage of taxpayers use the agency’s website, internal data show it is one of the federal government’s most-viewed websites, with more than 1.9 billion visits last year.” 

The United States remains an outlier for its lack of national privacy regulation. Approximately 148 countries have data protection laws on the books, including 34 countries in Africa and China’s recent Personal Information Protection Law (PIPL) that went into effect on 1 November 2021. The United States and Europe also currently lack a data sharing agreement for international data transfers after the dissolution of the Privacy Shield agreement due to concerns that private companies provided personally identifiable information on Europeans to U.S. intelligence agencies.

Negotiators may be close to creating a new Privacy Shield agreement, said Dominque Shelton Leipzig, partner at Perkins Cole, in a panel discussion hosted by the International Association of Privacy Professionals on Friday. But “the big issue is whether it will withstand scrutiny” from the European Court of Justice, she said. “Without a federal data protection law, we might still have trouble.” 

Data privacy is also a national security concern, said U.S. Senator Ron Wyden (D-OR) in a panel discussion hosted by the R Street Institute on Thursday. Currently there are no restrictions against selling American’s personal data to foreign companies and governments; Wyden added that he is “concerned about foreign adversaries getting commercially acquired data” on Americans, such as location data from U.S. troops who were using fitness applications while stationed at military bases overseas.

Wyden has put forth legislation that would require the U.S. Commerce Department to identify categories of sensitive information and countries where data exports should be controlled—like Russia and China—because it could be used to harm American interests. His proposals, however, have not moved forward in the U.S. Senate.

The lack of a national U.S. law has become problematic as privacy awareness has risen, regulations are expanding, and data privacy is seen as “mission critical” for organizations around the world, according to new research from Cisco.

The 2022 Data Privacy Benchmark Study found that 90 percent of 4,900 professionals in 27 countries consider privacy a business imperative. And privacy legislation has been well received with 83 percent of respondents seeing a “positive impact.” 

“Privacy has become a true business imperative and a critical component of customer trust for organizations around the world,” Cisco said in a statement on the report’s release. “For the second year in a row, 90 percent of the respondents said they would not buy from an organization that does not properly protect its data, and 91 percent indicated that external privacy certifications are important in their buying process.”