Last week’s article discussed why the IRS should increase transparency in its development, acquisition, and use of technology that affects taxpayers. (Prior analysis: Tax Notes Federal, Mar. 7, 2022, p. 1330.) This week we’ll look at what the IRS can do for identity verification to better respect taxpayers’ privacy interests than it did with its implementation of the facial recognition system last year.
Congress may leave the IRS no choice but to abandon its plans to use facial recognition. Lawmakers were a little late to the table, having largely ignored the major change in practice when it was rolled out during last summer’s implementation of the advance child tax credit portals. But the multiple recent letters from both Democratic and Republican senators and House members to the IRS on the topic indicated that there is little support in Congress for the agency’s use of facial recognition technology.
On February 22 Sens. Jeff Merkley, D-Ore., and Roy Blunt, R-Mo., announced the No Facial Recognition at the IRS Act (S. 3668) to ban the use of biometric recognition technology by the Service. The proposed bill would prohibit the IRS from using or contracting to use technology that measures a biological or behavioral characteristic for automated recognition. In focusing exclusively on biometric technology, the proposal solves the immediate technology-specific problem.
It would be better to establish a principle of meaningful, pre-implementation disclosure at the IRS for any planned technology that could affect taxpayers’ substantive rights or privacy interests. A public process would benefit both the IRS and taxpayers. For the agency it would offer protection from exactly the kind of publicity it has experienced recently, and for taxpayers it would provide an important bulwark for privacy interests.
Moving on From Facial Recognition
The IRS’s foray into facial recognition for identity verification last year was surprising because it seems to have begun with little balancing of taxpayers’ privacy interests against the government’s interests. A question from Republican senators about the IRS’s choice is key: “How did the IRS decide to require taxpayers to submit their personal information, including biometric data, to an outside vendor, in order to access certain online IRS resources?” The process for finding a way to secure both taxpayer data and the IRS’s systems while also respecting individual privacy interests and fundamental rights will be a recurring issue as the IRS continues in its modernization plans.
There will likely never be a single technical solution for every issue now and in perpetuity, which is why the selection process matters. Instead it’s necessary to have a framework for ongoing consideration of security issues alongside privacy interests. The IRS has offices that can implement that.
Since 2005 agencies have had to designate a senior official for privacy, and Treasury has one. That official has overall responsibility and accountability for ensuring the agency’s implementation of information privacy protections, including full compliance with federal laws, regulations, and policies regarding information privacy, such as the Privacy Act of 1974.
The IRS also has a Privacy, Government Liaison, and Disclosure office, which is responsible for preserving and enhancing public confidence “by advocating for the protection and proper use of identity information.” It’s also charged with protecting the personal information of taxpayers from unauthorized access — and does so through privacy and records policies — and coordinating privacy protection guidance throughout the IRS.
On the technical side, the mission of the Customer Service Domain of the IT office is to enable service and communication with internal and external customers. The Internal Revenue Manual explains that the domain “will design, develop, test, deploy and maintain applications and systems that provide . . . access to taxpayer account data,” as well as “design, acquire, develop, test, deploy and maintain the modernized information systems that meet customer needs in the research, update, analysis and management of taxpayer accounts” (IRM section 1.1.12.4.7). The Customer Service Domain’s role encompasses centralized contact centers for telephone, written, and electronic inquiries; self-service via the telephone and internet; field assistance; web services; and management of taxpayer accounts.
Picking a Model
The model that the IRS was apparently pursuing when it selected the facial recognition technology program was supposed to be a competitive one in which multiple identity verification services were available to taxpayers to choose from. That didn’t happen during last year’s launch of the secure access digital identity (SADI) initiative. Instead, taxpayers were presented with only one identity verification service.
The IRS expressed some hope in September 2021 that there would be more choices of credential service providers (CSPs) available in the future but didn’t indicate when that might happen. National Taxpayer Advocate Erin Collins mentioned in her annual report to Congress in January that the IRS is researching other possible vendors. “Relying on a single CSP to serve all U.S. taxpayers must be a short-term plan, not a long-term solution,” she wrote.
But a marketlike model with multiple private businesses offering their alternatives isn’t the only option. The IRS’s SADI program “requires a third-party CSP to conduct identity proofing and credential management for the IRS,” according to the taxpayer advocate report. That’s a choice the IRS made in designing the SADI initiative. It’s possible that it did so because it didn’t think it had the technological capacity to develop an identity verification program in-house, perhaps because of budgetary pressures. The IRS already has a large IT deficit, and its need to update its basic computer systems and software is widely reported. The contract with the CSP now providing identity verification services is $86 million, and according to USAspending.gov, $56.6 million of that agreed-to amount has already been spent.
The IRS might also have viewed its decision to rely on private contractors as consistent with the 2011 National Strategy for Trusted Identities in Cyberspace, based on the premise that “the private sector will lead the development and implementation of this Identity Ecosystem, and it will own and operate the vast majority of the services within it.” That premise may not have the same level of support today that it enjoyed a decade ago.
For example, in a February 7 letter to the IRS, Senate Finance Committee Chair Ron Wyden, D-Ore., wrote that “in addition to the serious privacy and civil liberties issues associated with the use of facial recognition technology, it is also alarming that the IRS and so many other government agencies have outsourced their core technology infrastructure to the private sector.” He added that “quite simply, the infrastructure that powers digital identity, particularly when used to access government websites, should be run by the government.” Republican senators similarly expressed concerns about private contractors as gatekeepers between citizens and necessary government services, particularly when they are not subject to the same oversight rules as a government agency, such as the Freedom of Information Act, the Privacy Act, and multiple checks and balances.
A bipartisan proposal in the Improving Digital Identity Act of 2021 would have established a new task force for digital identity and charged it with developing a framework that considers methods to protect the privacy of individuals, while addressing security needs and the needs of potential end-users and individuals that will use services for digital identity verification. Note the order of the items that the bill wants the task force to consider.
The bill also requires that the framework be updated periodically. That type of iterative, evolutionary process is a needed component of any program, because new developments will necessitate changes to ensure that the priorities of protecting privacy, ensuring civil liberties, and providing security continue to be met.
Alternatives
Albert Fox Cahn of the Surveillance Technology Oversight Project said the IRS has alternatives for a secure identity verification framework. He noted that the agency is well positioned to identify millions of taxpayers because it already has a trusted relationship with them, established through correspondence and the connection between taxpayers’ bank accounts and the agency for tax payments and refunds.
“Except for extreme cases of persistent fraud, that existing relationship is going to be hard to fake over the long term,” Cahn noted. But it could be bolstered to protect taxpayers and the IRS against fraud by giving taxpayers a specialized digital access credential, he said.
A cryptographic key would translate the relationship between the IRS and individuals into a secure identification that could be used between taxpayers and preparers and the IRS, but wouldn’t have the same ramifications of broad-based surveillance, Cahn said. The simplest form of this would be to send every taxpayer a letter in the mail with a unique password that could be used to confirm their identity online. That approach would allow the IRS to establish that taxpayers are who they say they are when logging into the agency’s website without spilling over into every other area of online life, Cahn said.
Or it might be possible to integrate the IRS into login.gov, but only with ironclad statutory protections against federal law enforcement agencies commandeering that information, Cahn said. The IRS shouldn’t put itself in the position of essentially becoming a law enforcement census of every American’s IP address, he added.
Another option is the inverse of the model that SADI deployed. Instead of having taxpayers submit their biometric information to an outside service, the system could be designed so that biometrics, if used at all, never leave their personal devices. That type of system is advocated by the FIDO Alliance, and one of the crucial pieces of the authentication process is that the device creates a new key pair when a user registers with an online service. The public key is registered with the service, and the private key stays on the device, to be unlocked when the user opens the device, using biometrics or a personal identification number, for example. Biometrics aren’t even required for that type of system.
The options available to the IRS present a new opportunity. “We haven’t really had the opportunity to revisit assumptions about how users log into systems for a long time,” said Eric Mill of the Office of Management and Budget on a January 25 online forum hosted by the Better Identity Coalition, the FIDO Alliance, and the Identity Theft Resource Center. He noted that the shift toward identity verification without passwords provides an opportunity to try out new paths. In addition to encouraging creativity and finding new best practices, it is important to communicate key properties for authentication, including that biometrics — where used — never leave a user’s device, because a user authenticates themselves to their own device and the device vouches to the website that they did so, Mills said. He noted that the properties, which include user choice over ways to unlock their device that do not require biometrics and provide a simpler user experience, are not necessarily obvious.
In announcing that it had added a new option for taxpayers to sign up for IRS online accounts without submitting biometric data, the IRS said on February 21 that it will work with partners across government to implement login.gov as an authentication tool. Despite prior preferences for buying privately developed technological solutions, the federal government designs software in-house, and the most likely partners are in the General Services Administration. The mission of Technology Transformation Services of the GSA is “to design and deliver a digital government with and for the American people.” The Tax Court used the digital consulting office of Technology Transformation Services, called 18F, to build the DAWSON case management system that was rolled out in early 2021.
18F says its default position for new projects is to use free and open-source software, “develop our work in the open,” and publish all source code created or modified by the office. There are big transparency benefits to open-source code for public projects like those that the IRS must undertake, and they need not come at any expense to security. As 18F explains, open-source software “is often preferred for use in sensitive systems, due in part to its increased auditability.”
Beyond Tech
Congress has at least one simple, and relatively inexpensive, option to help the IRS combat identity theft refund fraud: It can raise the costs of getting caught for bad actors. Increasing the penalties wouldn’t eliminate fraud, but it would add an extra deterrent.
The underlying problem in the IRS’s recent identity verification challenges is not what the agency was attempting to accomplish, which was to administer the tax laws and ensure that bad actors have diminished opportunities to plunder the system or commit identity theft. The problem is what its choices presage about administrative decision-making more generally. The IRS had a reasonable intention consistent with its legislative mandate to enforce the law, but the agency must pursue its objectives through a more public strategy that prioritizes technical security, transparency, and the preservation of privacy and other taxpayer interests.