The US Internal Revenue Service plans to require citizens to create accounts with a private facial recognition company in order to file their taxes online. The IRS joins a growing number of federal and state agencies that have contracted with ID.me to authenticate the identity of people accessing services.
The IRS decision aims to reduce identity theft, a crime that affects millions of Americans. The IRS, in particular, has flagged a number of tax returns from people claiming to be other people, and fraud in many programs administered under the US relief package has been a major concern for the government.
The IRS decision provoked a backlash, in part because of concerns about requiring citizens to use facial recognition technology and in part because of the difficulties some people have had using the system, especially with some state agencies that pay out unemployment benefits. The reaction prompted the IRS to reconsider its decision.
As a computer scientist and chair of the Association for Computing Machinery’s Global Technology Policy Council, I have been involved in exploring some of the issues surrounding government use of facial recognition technology, the both its use and its potential flaws. Many concerns have been raised about the general use of this technology in policing and other government functions, often centered on whether the accuracy of these algorithms may have discriminatory effects. In the case of ID.me, other issues are also involved.
Point ID who?
ID.me is a private company that formed as TroopSwap, a site that offered retail discounts to members of the armed forces. As part of this effort, the company created an identification service so that military personnel who qualified for discounts at various companies could prove that they were indeed military personnel. In 2013, the company rebranded itself as ID.me and began marketing its ID service more widely. The US Department of Veterans Affairs began using the technology in 2016, the company’s first government use.
To use ID.me, a user loads a mobile phone application and takes a selfie – a photo of their own face. ID.me then compares this image to various IDs obtained either through open registrations or through information provided by applicants through the application. If it finds a match, it creates an account and uses image recognition for identification. If it cannot complete a match, users can contact a “trusted referee” and make a video call to resolve the issue.
A number of companies and states have been using ID.me for several years. News reports have documented issues people have had with ID.me failing to authenticate them, and with the company’s customer support to resolve those issues. In addition, the technological requirements of the system could widen the digital divide, making it more difficult for many people who need government services to access these services.
But much of the concern about the IRS and other federal agencies using ID.me revolves around its use of facial recognition technology and biometric data collection.
Precision and bias
To begin with, there are a number of general concerns about the accuracy of facial recognition technologies and whether there are discriminatory biases in their accuracy. These have led the Association for Computing Machinery, among other organizations, to call for a moratorium on the government’s use of facial recognition technology.
A study of commercial and academic facial recognition algorithms by the National Institute of Standards and Technology found that US face-matching algorithms generally have higher false positive rates for Asian and black faces than for white faces, although that recent results have improved. ID.me claims there is no racial bias in its face-matching verification process.
There are many other conditions that can also lead to inaccuracies – physical changes caused by illness or accident, hair loss due to chemotherapy, color change due to aging, gender conversions and others. How any company, including ID.me, handles such situations is unclear, and it’s an issue that has raised concerns. Imagine having a disfiguring accident and not being able to log into your medical insurance company’s website due to facial damage.
So a question that arises is what level of information the company shares with the government, and whether the information can be used to track US citizens across regulated borders that apply to government agencies. Privacy advocates left and right have long opposed any form of mandatory uniform government ID card. Does handing over identification to a private company allow the government to achieve this primarily through subterfuge? It’s not hard to imagine that some states — and perhaps eventually the federal government — might require ID from ID.me or one of its competitors to access government services, get a medical coverage and even vote.
As Joy Buolamwini, an MIT AI researcher and founder of the Algorithmic Justice League, has argued, beyond issues of accuracy and bias lies the question of the right not to use biometric technology. “Government pressure on citizens to share their biometrics with the government affects us all – no matter your race, gender or political affiliations,” she wrote.
Too many unknowns for comfort
Another issue is who audits ID.me for its app security? While no one is accusing ID.me of bad practices, security researchers are concerned about how the company can protect the incredible level of personal information it will end up with. Imagine a security breach that made IRS information public for millions of taxpayers. In the rapidly changing world of cybersecurity, with threats ranging from individual hacking to international criminal activity, experts would like to know that a company that has been provided with so much personal information is using state-of-the-art security and the keeps up to date.
Much of the questioning of the IRS decision comes from the fact that these are the early days of the government using private companies to provide biometric security, and some details are still not fully explained. . Even if you admit that the IRS’ use of technology is appropriately restricted, it’s potentially the start of what could quickly snowball for many government agencies using commercial facial recognition companies to circumvent regulations that have been put in place specifically to limit the powers of government.
The United States is on the edge of a slippery slope, and while that doesn’t mean facial recognition technology shouldn’t be used at all, I think it does mean the government should take a lot more care and due diligence in the exploration of the land. in advance before taking these crucial first steps.
This article is republished from The Conversation under a Creative Commons license. Read the original article.