WASHINGTON – U.S. Sen. Roger Wicker, R-Miss., ranking member of the Senate Committee on Commerce, Science, and Transportation, today sent a letter to Internal Revenue Service (IRS) Commissioner Charles Rettig requesting information about the IRS’s transition to an account security system that will require taxpayers to submit a video of their face to a private company, ID.me, to verify their identity. This system has raised significant data privacy and security concerns, given the sensitivity of both the facial recognition data and the taxpayer information it is meant to secure. 

The full letter can be found here and below.

Commissioner Rettig:

Last week, the Washington Post reported that the IRS will begin requiring taxpayers seeking to log into their accounts to submit a video of their face to be scanned to verify their identity. This “video selfie” would be sent to a private company called ID.me which carries out the verification process. According to the report, approximately 70 million Americans have already submitted to this face scanning process through ID.me’s partnerships with a number of federal and state government agencies. Additional reporting has asserted that the IRS may be seeking to move its identity verification process from ID.me to an alternative vendor.

As Ranking Member of the Senate Commerce Committee, and as Chairman last Congress, one of my primary areas of focus has been on protecting the privacy and security of consumers’ personal data. Americans are increasingly being asked to provide greater amounts of information to government entities, businesses, and other third parties to obtain necessary services. This trend has only accelerated since the start of the COVID-19 pandemic, as activities that were once largely conducted in person have moved online. The responsibility of Congress and the rest of the federal government to protect Americans’ data privacy and security is therefore greater than ever.

Given the sensitivity of the personal data that ID.me or a successor vendor will compile on many millions of Americans and the sensitivity of the financial and other data that this system is intended to protect, the IRS must treat its responsibility to protect the privacy and security of American taxpayers’ data with the utmost seriousness. Lawmakers must also be fully informed of the steps IRS is taking to live up to this responsibility.

To assist the Committee minority in its continuing oversight of data privacy matters, please provide responses to the following:

1. Please explain how the IRS arrived at the decision to compel American taxpayers to submit their biometric information through a “video selfie” to the agency in order to access their tax documents.

2. Will the IRS allow Americans to opt-out of this requirement and provide another form of identity verification? If not, why not?

3. What controls are in place on ID.me’s use of taxpayer data, whether enumerated in the company’s contract with the IRS or in IRS or Treasury Department regulations? How does the IRS ensure that ID.me is adhering to limitations on its use of taxpayer data? 

4. Will the IRS notify U.S. taxpayers of any material changes in its contract with ID.me that impact the collection and retention of their personal information?

5. Has the IRS conducted its own assessment of ID.me’s privacy and security controls to protect against possible data breaches or unauthorized access of the personal information of American taxpayers? 

6. Does the IRS have a process in place to monitor the accuracy of ID.me’s results? If so, describe this process and any trends in inaccurate results the agency has observed.

7. Is the Treasury Department and/or the IRS in fact searching for a replacement vendor for the services currently provided by ID.me as reported in the press? If so, when did this search begin, and what issues with ID.me prompted the search?

8. Why did the IRS decide to use a facial recognition system as opposed to any other means of identity verification?

9. Did the IRS consult with any data privacy or data security experts, including the Federal Trade Commission and the National Institute of Standards and Technology, prior to making this decision to employ facial recognition technology for identity verification? If not, why not?

Please provide written responses to these questions as soon as possible, but by no later than February 17, 2022. Thank you for your prompt attention to this important matter.