May 18, 2022
Senators seek FTC probe of IRS provider ID.me selfie technology
A group of Democratic senators has asked the Federal Trade Commission to investigate whether identity verification company ID.me illegally misled consumers and government agencies over its use of controversial facial recognition software.
ID.me, which uses a mixture of selfies, document scans, and other methods to verify people's identities online has grown rapidly during the coronavirus pandemic, largely as a result of contracts with state unemployment departments and federal agencies including the Internal Revenue Service.
The company, which says it has more than 80 million users, has also faced growing questions about that role as well as whether a private contractor should be allowed to act as a de-facto gatekeeper to government services. It is already the subject of an investigation by the House Oversight and Reform Committee.
Key to the concerns have been questions about ID.me's use of facial recognition technology. After long claiming that it only used "one-to-one" technology that compared selfies taken by users to scans of a driver's license or other government-issued ID the company earlier this year said it actually maintained a database of facial scans and used more controversial "one-to-many" technology.
In a letter sent to FTC chairman Lina Khan requesting an investigation, Senators Ron Wyden, Cory Booker, Ed Markey and Alex Padilla on Wednesday asked the regulator to examine whether the company's statements pointed to its use of illegal "deceptive and unfair business practices."
ID.me's initial statements about its facial recognition software appeared to have been employed to mislead both consumers and government officials, the senators wrote in the letter.
"Americans have particular reason to be concerned about the difference between these two types of facial recognition," the senators said. "While one-to-one recognition involves a one-time comparison of two images in order to confirm an applicant's identity, the use of one-to-many recognition means that millions of innocent people will have their photographs endlessly queried as part of a digital "line up."
The use of one-to-many technology also raised concerns about false matches that led to applicants being denied benefits or having to wait months to receive them, the senators said. The risk was "especially acute" for people of color, with tests showing many facial recognition algorithms have higher rates of false matches for Black and Asian users.
Questions over ID.me's use of facial recognition software surfaced in January after the publication of a Bloomberg Businessweek article on the company. That coincided with growing concerns over an $86 million contract with the IRS that would have required American taxpayers to enroll in ID.me in order to use online services. The IRS has since announced that it is looking at alternatives to ID.me.
In interviews with Bloomberg Businessweek as well as in a January blog post by Bake Hall, its chief executive officer, ID.me had defended the fairness of its facial recognition systems partly by saying the company merely used a one-to-one matching system that compares a selfie taken by the user with their photo ID. "Our 1:1 face match is comparable to taking a selfie to unlock a smartphone. ID.me does not use 1:many facial recognition, which is more complex and problematic," Hall wrote in the post.
A week later, Hall corrected the record in a post on LinkedIn, saying the company did use a one-to-many facial recognition system, in which an image is compared against often-massive databases of photos.
Hall, in that post, said the company's use of a one-to-many algorithm was limited to checks for government programs it says are targeted by organized crime and does not involve any external or government database.
"This step is not tied to identity verification," Hall wrote. "It does not block legitimate users from verifying their identity, nor is it used for any other purpose other than to prevent identity theft. Data shows that removing this control would immediately lead to significant identity theft and organized crime."
While researchers and activists have raised concerns about privacy, accuracy and bias issues in both systems, multiple studies show the one-to-many systems perform poorly on photos of people with darker skin, especially women. Companies such as Amazon.com Inc. and Microsoft Corp. have as a result paused selling those types of software to police departments and have asked for government regulation in the field.
According to internal Slack messages obtained by CyberScoop, ID.me's software, demonstrated to the IRS, made use of Amazon's Rekognition product, the very same one that Amazon has stopped selling to law enforcement.
The company had not disclosed its use of Rekognition in a white paper on its technology issued earlier that month.
Privacy and artificial intelligence safety advocates have also complained that ID.me has not opened up its facial recognition systems to outside audit.
©2022 Bloomberg L.P.
Distributed by Tribune Content Agency, LLC.