Update: The IRS has decided to stop using ID.me for identity verification. In a statement, IRS Commissioner Chuck Rettig said, "Everyone should feel comfortable with how their personal information is secured, and we are quickly pursuing short-term options that do not involve facial recognition."

In IRS Using Facial Scanning, I reported on the IRS’s move to use the identity proofing and authentication services from ID.me for logging into their online services. ID.me has contracts with other federal agencies like Veteran’s Affairs and numerous states.

One of the controversial aspects of ID.me’s service is an identity proofing service that matches a selfie to the uploaded picture of a government credential. This is called 1:1 facial matching: one selfie, one credential picture.

ID.me’s original press release, since updated, claimed that the company didn’t use 1:many (one-to-many) facial matching where the selfie or ID photo is compared to a database of pictures. But after an internal discussion on ID.me's Slack where an engineer pointed out that the company does, in fact, use AWS’s Rekognition service for 1:many facial scanning, ID.me backtracked.

In admitting that ID.me uses 1:many facial recognition, the company ignited a firestorm with privacy watchdogs piling on. A recent EFF article, written before the ID.me revelations, states “Face recognition isn’t just face identification and verification: It’s also photo clustering, race analysis, real-time tracking, and more.” Many are echoing these concerns. And, of course, the fact that ID.me lied about what they were doing is not inspiring confidence. I imagine their management team has had better weeks. In the wake of the revelation, the IRS is reportedly exploring alternatives to ID.me's service. This is a bit disingeuous since it's likely the IRS that pushed for 1:many facial recognition.

In ID.me CEO backtracks on claims company doesn’t use powerful facial recognition tech, Tonya Riley at CyberScoop details the turn around and the events that led up to it. One of the Slack messages reportedly said “We could disable the 1:many face search, but then lose a valuable fraud-fighting tool. Or we could change our public stance on using 1:many face search.” There were no details about how the 1:many facial recognition is used to fight fraud, but there are some obvious ideas.

One way 1:many facial recognition might be used to fight fraud is to keep copies of all the pictures that have been uploaded. If someone tried to steal identities by using fake IDs, then the system would flag that the same face shows up on multiple IDs. I can see why the IRS would want to do this since one way people defraud the IRS is claiming other people’s refunds. And it’s not hard to do with all the personal data for sale on the dark web. Facial recognition could cut this dramatically.

ID.me retains selfies uploaded during the verification process for seven and a half years after an account is closed, per federal guidelines. Of course, you don’t really close your account with the IRS until you’re dead, so that’s a long time.

I don’t like that the IRS is using a third party to do this. But I wouldn’t really like it if they were using login.gov either (yeah, that’s a thing). Regardless of who does it, having a huge trove of biometric information sitting out on the internet is just asking for trouble.

As I said last week, the right solution is to use verifiable credentials. They have cryptographic properties that prevent the fraud without a big, new trove of biometric and personal data. Specifically the credential exchange can prove the person presenting the credential is the same person who it was issued to. For this to work without at least 1:1 facial scaning, there would have to be a system for in-person identity proofing. Of course, RealID provides exactly that if state governments were on board.

Whether you are a fan of or hate the idea of a national ID, ID.me is on the path to become one. I don’t think having a private third party run the national ID system is a good idea. If we’re going to do it, then let’s architect it correctly and securely. But we can keep the current, decentralized system of identification in the US and also prevent fraud with technology available today. I vote for that.

Photo Credit: Face Detection from Sylenius (CC BY 2.0)