
What the IRS got wrong about biometrics

By Tom Thimot
March 10, 2022

Last year, in an attempt to address the growing problem of fraud targeting taxpayers, the Internal Revenue Service (IRS) signed a two-year, $86 million contract with identity verification company ID.me to provide facial recognition services for users accessing IRS services online. ID.me’s solution was rolled out in stages starting in November 2021, accompanied by a single, brief press release from the IRS that was met with indifference by the public.


Their apathy didn’t last long. By January, the IRS’s implementation of ID.me’s solution received widespread criticism from advocacy groups and bipartisan legislators who maintained that forcing taxpayers to provide biometric data was an invasion of privacy. Specifically, critics took issue with the fact that ID.me did not allow taxpayers to opt in; the IRS was effectively forcing people to use a system for verifying and authenticating their identity, without giving them an alternative method for doing so.


The controversy came to a head on Feb. 7 when the IRS announced it would “transition away from” ID.me’s system. Although the statement seemed to indicate it would abandon the ID.me engagement altogether, the IRS announced two weeks later that the company’s solution would continue to be offered as one of several authentication options, albeit with significant changes. To begin with, users would no longer be required to submit a selfie or biometric data. Instead, taxpayers who opted in to verification by ID.me would have their identity confirmed through a video call with a live agent. In addition, ID.me agreed to destroy any biometric data it had already collected.


While ID.me avoided a complete split with the IRS, there’s no telling how deeply or for how long the debacle will hinder prospects for the company and its technology. Already, plans to deploy ID.me technology in several states are receiving pushback from activists and constituents, and lawmakers in D.C. are pushing for other government agencies using ID.me to find alternatives. 


The IRS was in the process of rolling out the technology to combat Stolen Identity Refund Fraud (SIRF), its most pervasive type of fraud. In the 2013 tax filing season, over 5 million tax returns were filed using stolen identities, totaling $30 billion in refunds. But the IRS failed to effectively communicate these eye-popping statistics as the basis for their decision to require facial verification. They also neglected to clarify to taxpayers that the selfies collected in the authentication process would be stored in ID.me’s cloud databases, not the government’s. Disclosing this information at the outset — and providing an opt-out option — is imperative to preserve user trust. And the government should have been offered the choice to bank this information in its own cloud-based databases.


It was also reported that ID.me would check the collected selfies against other selfies in their database. The purpose of this was to flag faces that had been previously submitted using alternate identity information, a form of one-to-many (1:many) matching typically associated with surveillance by law enforcement. The IRS and ID.me made a critical mistake in failing to disclose their use of 1:many facial recognition. Critics equate 1:many facial recognition with “Big Brother”-type privacy violations, a viewpoint that resonates with many Americans in today’s fraught social and political climate. Regardless of how accurate this depiction is, the IRS should have known better than to spring ID.me’s 1:many facial recognition technology on taxpayers without allowing them the choice to opt in.


The path the IRS chose may have been a case of “too much, too soon.” Presumably, the IRS and ID.me went with 1:many matching to try to verify users’ identity AND detect fraudulent activity. Some of the blowback could have been avoided had the IRS and ID.me instead focused on the former, using one-to-one (1:1) facial biometric matching. Performing 1:1 matching ensures an individual is who they claim to be. This claim is made by the individual performing the action, under their control and consent. This would be a more viable option for government agencies and other groups that need to be particularly sensitive to privacy rights and public perception.


If large government agencies such as the IRS don’t understand the technology they procure, there’s a good chance they’ll fumble both the deployment of the solution and the crucial outreach that accompanies it, missteps that will just end up reinforcing the public’s mistrust. Had the IRS fully understood the identity authentication technology they selected, they might have foreseen the controversy and executed an information campaign leading up to the rollout. A robust communications plan touching on ethical concerns, user experience, education, and transparency might have helped to dispel the public’s concerns about facial recognition. 


What can the IRS and other government agencies learn from this?


To protect government services and the data of its citizens from identity fraud and cyberattacks, the White House recently issued mandates for federal government agencies and contractors to implement zero-trust network access strategies that adopt new methods of user authentication. That edict might be tenable for these groups, which are accustomed to strict security measures, but the general public should have the right to choose how they access government services — and accommodating those choices must be part of the government’s policies. In requiring the use of facial authentication without providing other options, the IRS was trying to eliminate, in one sweeping move, a vulnerability that fraudsters had exploited with abandon for years. But especially in today’s fractious environment, the government can’t operate on an “all-or-nothing” basis. People need to be given choices about how they verify their identities online, and when, how and why the government uses their likeness. Private companies provide opt-outs and other privacy options, and the government should do the same.


Had the IRS given users an alternative to ID.me’s facial recognition authentication and executed a decent communications strategy, they may have been surprised by the number of taxpayers who would have been happy to go the ID.me route. Even with just a few lines of text on the login screen, explaining how the technology works and why the IRS is using it ($30 billion in fraudulent refunds!), the opt-in rate — while not 100% — would likely have been high. A November 2020 AARP survey of 9,000 Americans over the age of 17 found that 90% had encountered a fraud attempt in the preceding year. And the Federal Trade Commission (FTC) estimates that repairing the damage caused by having your identity stolen takes an average of 200 hours of work over six months. Ask a victim of fraud whether they would prefer to endure that ordeal again or use biometric authentication. I have no doubt which one they’d choose. 


Finally, many of the same people who complained about the IRS using ID.me are also fiscal conservatives who bristle at the idea of government waste. Would they be swayed knowing that this technology could protect billions of dollars in tax revenue that otherwise would have been lost to criminals?


There are government initiatives that some people will never get on board with, no matter how clear the risks and costs of not taking action. But more foresight, care and respect for the end user, coupled with an information campaign reflecting all of those things, might have turned the IRS/ID.me partnership into a positive game changer for all stakeholders. The IRS may eventually release figures on the percentage of taxpayers who opt in to the ID.me solution, but those results will almost certainly be lower than they might have been had the implementation been better managed. As it stands, it seems that the IRS and ID.me have learned little from the tumult of the past few months. Though the IRS opted to continue offering ID.me as an authentication option, there has been no accompanying information campaign or improvements to the interface. The implementation continues to be a source of confusion and frustration for taxpayers.

KEYWORDS: biometric security cloud security consumer protection facial recognition risk management


Tom Thimot is the CEO of authID.ai and has spent the majority of his career redefining cloud computing markets through data analytics, machine learning and micro-service architecture. Thimot spearheaded significant growth at multiple high-growth technology firms, including Socure, Clarity Insights (now Accenture AI), Case Central (now part of Oracle) and GoRemote. Contact him via Twitter @Thimot.
