Questions linger after IRS’s about‑face on facial recognition

Cyber Security

Why would a tax agency contractor’s privacy policy mention collecting information about my Facebook friends?

The IRS has made a U-turn on facial recognition, but what about the Social Security Administration or the California Department of Motor Vehicles’ use of the same contractor?

In the last few weeks, the US Internal Revenue Service (IRS) made a clear error of judgement when it announced a partnership with authentication company ID.me in order to implement facial recognition to authenticate taxpayers when they access their IRS accounts. In an attempt to combat the tax fraud and identity theft that dog the US tax system every year, the proposed solution of facial recognition technology to verify the taxpayer’s identity was clouded when ID.me CEO Blake Hall admitted that facial images may be subject to a one-to-many comparison, as opposed to just a one-to-one. (The comparison using one-to-many utilizes a large database of images as opposed to a direct comparison with only the stored image of the individual user.)

As was surely expected, the privacy movement jumped on the issue of facial recognition being an infringement of individuals’ privacy rights and the IRS backed away from the proposed solution.

A login chain

The conversation has centered around the use of facial recognition to validate identity, and while I am sympathetic to this cause, I am also sympathetic to the need for improved authentication to stop tax fraud. The partner for authentication, ID.me, has numerous government and state contracts that enable account login for holders of an ID.me account. Some other notable partners are the Social Security Administration, the US Department of Veterans Affairs, and many more at a state level; for me, the most convenient is the California Department of Motor Vehicles (DMV).

The convenience of a single sign-on solution for multiple government services, both federal and state, does provide benefit – one password, one account, one multifactor-authentication configuration, etc. Just create a single trusted account with ID.me and you are up and running. Hang on – there are options, ID.me allows you to create an account using a pre-existing identity from one of their partners such as Facebook (Meta), Google, or LinkedIn, all of whom are keen to be the single sign-on solution for users. This proxy situation creates an authentication chain: logging onto the California DMV and selecting login with ID.me displays an option to type in my ID and password credentials, or to log in using one of their partners.

To test the experience, I created an ID.me account, via the option to connect a Facebook account utilizing Facebook Connect, which is Meta’s single sign-on solution. I can now access my DMV account using my Facebook credentials, via ID.me. Think of this in logical terms: Facebook approves my login to ID.me, then ID.me approves my login to CA-DMV.

   

Out of curiosity I took this login chain one step further – by connecting a LinkedIn account. I created a LinkedIn account by using their option to link my Google single sign-on credentials. Then I connected the LinkedIn account to the ID.me account and removed the Facebook association. I logged into LinkedIn using the Google login option, then opened my ID.me account and proceeded to access my DMV account. If anyone reading this has experienced the DMV support line, can you imagine explaining the login chain – Google, LinkedIn, ID.me, and then DMV? Should you have an account access issue, it may cause the representative to put you back on hold indefinitely.

Data of my friends

As a privacy advocate, I also read the rather lengthy ID.me Privacy Policy (version 6.3.1., updated February 4th, 2022) to ascertain the permissions that I granted to ID.me when agreeing to the policy during account creation. Section 11.4 states, “If there is information about the User’s ‘friends’ or people with whom the User is associated via the Facebook account, the information we obtain about those ‘friends’ or people with whom the User is associated, may also depend on the privacy settings such people have with Facebook.”. By default, the friends list in a Facebook account is publicly accessible.

Excerpt from the ID.me Privacy Policy

Excerpt from the Facebook Data Policy

 Default Facebook settings

In a desire to simplify login and improve security for federal and state agencies, why would the company providing such services state that they can, if the Facebook permissions are still default, collect information on and about my friends? Whether they do or not is irrelevant – the permission is granted by the user when agreeing to the privacy policy, and the intent to do so must be there; otherwise, why state it in the policy? This raises an interesting privacy question: is the personal data derived from my friends list classified as non-personal or personal data? If the former, then sharing it with third parties is less restricted and it could possibly be shared.

This desire to grab friends’ data may be explained when other services offered by ID.me are taken into account – for example, discounted shopping, something not often associated with a specialized secure authentication company. As an ID.me user you have access to age- or occupation-based discounts at retailers. These discounts are revenue-generating affiliate relationships between ID.me and retailers and appear to work the same way as most affiliate relationships on the internet – you are transferred to the retail site with an affiliate ID in the URL or through a cookie by the introducer, in this instance ID.me, earning them a commission on your transaction.

An expectation of mine, and I am sure of many others, is that any secure authentication company bidding to be the trusted partner of government agencies to secure access to extremely sensitive and personal data should be focused on one thing: secure authentication. Attempting to monetize the relationship with the consumer who was driven, perhaps even required, to create an account in order to access a federal or state agency system, via a side business such as discounted shopping, does not fill me with a warm, trusting feeling. In fact, it feels strange.

There is a clear requirement to have a secure, verified login to cut fraud and identity theft. The U-turn by the IRS, however, should be a wake-up call to all federal and state agencies to do this with great consideration and thought for not only the privacy of the individual, but to do it with a partner that is committed to providing a secure and trustworthy feeling to the user. A login via my LinkedIn or Facebook accounts to access my DMV account, let alone my Social Security Administration account, does not achieve this.

Products You May Like

Leave a Reply

Your email address will not be published. Required fields are marked *