The Internal Revenue Service (IRS) of the US will require people to submit a facial scan through a third party provider to make payments or file taxes online. The system raises obvious privacy concerns.
Currently, users only require a username and password to log into their IRS accounts. But starting the summer of 2022, users will need to verify their identity through a third-party identity verification company called ID.me. The change was first noticed by Krebs on Security.
The first step is creating an account with ID.me, which requires uploading a primary identification document such as a driver’s license or passport.
Then a user is asked to take a live selfie video using their smartphone’s camera or computer’s webcam. The company compares the selfie with the image on your identification document.
If the verification process fails or is flagged for some reason, the user will be asked to join a recorded video call with a representative from ID.me.
The company was launched in 2010, the initial focus being helping online stores verify the identities of customers eligible for discounts, like teachers, veterans, students, and first responders.
During the pandemic about 27 state governments used ID.me to verify the identities of those seeking unemployment and other benefits to avoid losing money to identity thieves.
But the system collects a great deal of information, something that will make privacy activists sound the alarm.
After submitting the selfie, the system asks you to confirm your phone number. To complete the whole process you will also have to submit two secondary identification documents, which include a birth certificate, Social Security card, W-2 form, bank statement, or electric bill.
ID.me requires users to submit a gold mine of personal identifying data and biometric data. In a white paper, the company insists there is a difference between facial recognition and its face match system.
“Face match is equivalent to an airport agent comparing your face to the photo on your government ID card,” ID.me said. “Facial recognition is equivalent to giving your picture to the same agent, putting him on stage at a rock concert, and asking him to pick your face out of the crowd.”
The company also claims it does not share, sell, or lease the data it collects with third parties. It only shares some data with “select partners.”
The company could also “comply with a request from law enforcement or government entities where not prohibited by law.”
After deleting your ID.me account, the company’s policy states it might retain your data for up to 7.5 years.