The IRS is facing the music, so to speak, on its controversial plan to require facial recognition to access its website. The Treasury Department now says the agency is "reconsidering" the plan and looking at alternatives, after getting widespread blowback from privacy advocates, civil rights groups, and lawmakers from across the political spectrum.
The agency had planned to roll out the new security program this summer, which would have required a series of invasive steps in order to access personal documents or online accounts on the IRS website, but not to file taxes. Leeza Garber, cybersecurity and privacy attorney, says the requirements were alarming. "It is definitely a scary idea to have to submit not just your e-mail and phone number, but identification documents like your driver's license...and then in addition not just photos of your face, but an actual video selfie," she tells KTRH.
What made it more alarming to privacy advocates was all of this info is to be collected by an outside firm called ID.me, which signed an $86 million contract with the federal government. "ID.me is a private company, they're only 12 years old, and just last year Forbes still called them a startup," says Garber. "So the concern is why is a third party vendor holding on to my biometric data related to government activity?"
The other big concern is there is no clear federal law regulating how that data can be used once it is in the hands of a company like ID.me. "Privacy laws in the United States are still a messy patchwork that needs to be updated," says Garber. "And until that's done...we have to be sure that all of that data is really secure."
For now, the IRS has temporarily shelved the plan, but has been vague on what alternatives are under consideration. Garber believes this was a step too far, too soon. "For the IRS to try to move forward with a contract with a third party vendor, to collect facial recognition data...that's a scary prospect," she says.
Get Leeza Garber's book, Can. Trust. Will.: Hiring for the Human Element in the New Age of Cybersecurity