IRS to Stop Using Facial Recognition Software to Identify Taxpayers
The Internal Revenue Service (IRS) had enlisted a third-party vendor, ID.me, to perform identity verification services on taxpayers. The decision had been motivated by concerns of identity theft. Amidst an increase in the unintentional dissemination of personally identifying information, the IRS saw a value in taking extra precautions to make sure to properly identify taxpayers. They wanted verification to include pieces of data beyond what a hacker could have learned about a person in a credit bureau data breach, or a data breach at a hospital, or financial institution.
ID.me’s approach was to ask users to scan in a copy of an official photo identification, such as a driver’s license or passport photo, and then also to take a selfie. ID.me’s identity verification technology would then be able to identify the taxpayer correctly, using data that likely wouldn’t have been in the possession of a hacker who had gained access to credit bureau, hospital, or financial records.
The measure was opposed on the basis of privacy concerns. Some people were concerned about the fact that the new approach required the collection of sensitive biometric data. Biometric data is generally considered to be sensitive personal information and of higher concern than other personal information collected. A simplistic explanation for the particular concern here is that it represents the capture of one of your immutable characteristics. Collection of someone’s address, IP address, and digital account information are all concerning, but the individual can always move, which will likely change their address and IP address. They can delete, modify, or make new digital accounts. These pieces of personal information are mutable. The particular markers of your face are in most cases immutable, except in the case of accidents or surgeries.
Privacy advocates were concerned about taxpayers being required to share this permanent, sensitive personal information, in order to file their taxes. After some uproar about the required collection of sensitive biometric data, the IRS has backtracked and said that it would “transition away” from using a third-party service for facial recognition to help verify identities.
In the instant case, the privacy concerns seem to be trumping the identity theft concerns. But there are in fact privacy concerns on both sides. If someone is able to trick the IRS into treating them like they are you, it seems like that in itself creates a privacy risk, potentially a very significant one.
This tension has an analog in ethical philosophy’s deontology versus consequentialism debate. Ethical deontology consists of bright line rules like “Don’t lie. Don’t steal.” Privacy deontology’s equivalent could be “Don’t collect biometric information.”
Ethical consequentialism may permit lying or stealing in certain circumstances as long as the consequences of the actions themselves are good even if the actions themselves are generally considered to be bad. Robin Hood’s philosophy of stealing from the rich to give to the poor was probably based in consequentialism. Privacy consequentialism too may permit the collection of biometric information in circumstances where a greater privacy good is achieved as a result. Requiring selfies and the collection of sensitive biometric information may in fact prevent countless worse privacy harms if identity thieves are able to deceive the IRS as impostors and gain access to other personal information and sensitive personal information about the people whom they pretend to be.
The decision by the IRS to backtrack on using ID.me’s biometric identity verification for taxpayers is certainly a win for privacy deontologists, and even probably a win for privacy consequentialists. Factoring in the increased risk of identity theft in the absence of the protection that was intended by the identity verification feature, pure consequentialists, not just focused on privacy, may actually count the regression as a loss.
In the current regulatory regime, it is generally becoming safer for the consumer when a business has collected their personal information. Companies like Clarip provide solutions for businesses to comply with data subject requests regarding their personal information. Businesses can be compelled to delete some of the personal information they collect about consumers, or to not sell or share that information. Clarip helps businesses with other aspects of privacy compliance, such as data mapping, website scanning, and vendor and consent management. Visit us at www.clarip.com or call us at 1-888-252-5653 to learn more.