A group of Republican Senators led by Mike Crapo of Idaho has sent the Internal Revenue Service a letter expressing concerns about the agency’s partnership with facial recognition service ID.me. Starting this summer, taxpayers will have to register for an ID.me account to be able to access the online services IRS offers, including the ability to file taxes through its website. To be able to sign up, they have to send ID.me a copy of their government ID, a utility bill and a video selfie of themselves. The Senators called the last one the “most intrusive verification item,” since it’s more than just submitting a picture of one’s face and can’t be easily replaced like a password. 

In the letter, the group said that it’s “deeply concerned for many reasons,” starting with the government’s “unfortunate history of data breaches.” It mentioned the attacks on the Office of Personnel Management back in 2015 as an example. If you’ll recall, two separate attacks on the agency compromised the information of millions of then-current and former federal employees and led to the theft of 21.5 million Social Security Numbers. 

The group also cited an IRS report in 2019, wherein it estimated that it faces 1.4 billion cyberattacks a year. “It is highly likely, with personal information on a reported 70 million individuals, including biometric data, ID.me could be a top target for cyber-criminals, rogue employees, and espionage,” the Senators wrote. They’ve asked the agency a series of questions meant to shed light on the partnership in the letter. The Senators want to know if the IRS did due diligence to ensure taxpayers’ information would be protected before it approved the partnership and what kind of oversight the agency has over the company. they also asked IRS if it made sure ID.me’s system had gone through an independent cybersecurity audit, among many other things. 

The CEO of ID.me recently admitted that the system uses a more powerful method of facial recognition than previously claimed. In a statement, he said ID.me employes a 1:many approach, which means it matches images against those in a database. He previously said it only uses a 1:1 approach that compares one’s face to a photo on their government ID. A Bloomberg report published after that said the Treasury Department is reconsidering the IRS’s partnership with the company and is now looking for alternatives to its facial recognition software.