That January, the IRS sparked a public backlash over discrimination and privacy concerns over its online account verification contract with startup ID.me, which uses selfies and facial recognition to verify new accounts. A WIRED story about the use of NIST standards-driven technology referred to Login.gov documentation, which says it sometimes asks users to upload selfies to check IDs.
GSA notified WIRED after publication that Login.gov’s documentation was inaccurate and that Login.gov does not use facial recognition, and updated the article. A few days later, in early February, seven months after his insider tip about facial recognition, Zvenyach wrote to federal agencies using Login.gov, informing them that it did not actually meet NIST requirements, the OIG report said. , due to his team’s stance on face recognition.
“We have decided not to use facial recognition, liveness detection or any other emerging technology in relation to government benefits and services until rigorous scrutiny convinces us that we can do so fairly and without causing harm to vulnerable people,” he said. wrote. Zvenyach later told investigators he was unaware of NIST’s requirements, but Login.gov leaders knew they were not compliant as early as 2020, the report said.
These NIST requirements aimed at curbing identity fraud attempt to solve a thorny problem. When a person visits a government service, the agency needs to check who they are, a process called proofreading. It is enough to get the ID card for verification in person, but it is more difficult to go online. For sensitive data or access, NIST’s digital identity standard calls for remote digital proofing, which uses facial recognition to compare a smartphone selfie to the photo on an ID card, and liveness detection, which analyzes an image to detect if it contains a real-life person or fake.
Rebecca Williams is a member of the American Civil Liberty Union’s Countersurveillance Lab and previously worked for the White House Office of Management and Budget. In that role, she researched the government’s efforts to modernize digital identity, met frequently with Login.gov staff, and heard complaints about the service. “On the list of things that Login.gov is doing, I might complain, having someone refuse biometrics is not one of them,” she said.
Williams said last year’s IRS facial recognition scandal and this month’s new report on Login.gov underscore the need for a conversation that includes citizens and lawmakers about the types of authentication they’re familiar with And whether people need digital forms of authentication at all. That should mean not using biometric technologies like facial recognition, and never sharing biometric data collected by federal agencies with law enforcement, Williams said.
After a dispute over its ID.me contract, the IRS gave people the option to confirm their identity via video call with a proxy instead of facial recognition. ID.me says people can also bring a photo ID at any of 650 retail locations in the US, which is only a handful in a large country.
