
The Treasury Department and IRS could have a third-party contractor store taxpayers’ biometric data for multiple years to aid investigations, according to internal slides and other documents reviewed by POLITICO.
A proposed framework with identity verification company ID.me — which already administers photo and video authentication for several federal websites, including the IRS’s — would give the company much longer control of biometric information collected when people register an account on IRS.gov, which is used by tens of millions of people.
Biometric scans would be held by ID.me as long as an account is active and then 36 months after an account is deleted. They could only be accessed by the government as part of law-enforcement or inspector general investigations, according to a slideshow Treasury presented to IRS staff on April 16.
The IRS and Treasury would have to serve ID.me with a “subpoena, warrant or present other legally compelling justification” to obtain this information, according to the company’s privacy policy.
The proposal follows previous tensions over the IRS’s embrace of facial-recognition technology, which taxpayer groups, privacy advocates and a bipartisan group of lawmakers have long urged the agency not to use.
What’s more, a data-retention policy like the one being put forward could be implemented at a time of rising scrutiny of how the federal government handles Americans’ personal data, including when it’s turned over to a third-party vendor. In recent months, the Trump administration has admitted that its Elon Musk-led Department of Government Efficiency may have misused Social Security data, while an unrelated data-sharing agreement between the IRS and Immigration and Customs Enforcement is mired in litigation.
“The federal government cannot share ID.me biometric data across agencies because ID.me does not share that data with the government in the first place,” an ID.me spokesperson said in a statement to POLITICO. “ID.me only shares biometric data if compelled by a court through a mandatory legal process, like a warrant or subpoena.”
The company declined multiple requests to answer POLITICO’s detailed questions about its technology, its facial recognition practices and its vendor-client relationship as the IRS’s credential service provider.
The 36-month period in the proposed framework would be far longer than the current retention policy Treasury and ID.me agreed on in 2022 to aid with “detection of stolen, synthetic and AI enabled fraud that often surfaces well after initial account creation,” according to the Treasury slides.
The IRS states on its website that this data is deleted automatically, while an agency document reviewed by POLITICO says biometric data must be deleted “within 24 hours.” ID.me’s privacy policy also says that certain customers require it to purge the data within 24 hours of a successful verification.
The Treasury Department declined to comment, but an IRS spokesperson said changes to data-retention policies are under discussion.
One IRS employee, granted anonymity to discuss the proposal, said there were potential privacy concerns with how a private entity — with what the employee described as little direct government oversight — might handle sensitive taxpayer biometric data for a prolonged period.
“The 36-month period after account deletion is scary,” the employee said. “How many email accounts have you requested be deleted because you stopped using them? My Hotmail account from my high school days is still active even though I don’t use it.”
Other parts of the presentation show plans for the IRS to crack down on deepfake-enabled fraud by allowing ID.me to use a data analytics method known as “one-to-many comparison” — also known as “1:N” — in which biometric data is cross-referenced across the company’s databases. That practice has been criticized by privacy advocates, lawmakers and academic researchers as overly invasive and prone to inaccuracy, particularly with respect to people of color. The IRS itself acknowledged these issues with facial recognition technology in a separate document also reviewed by POLITICO.
An IRS spokesperson said in an emailed statement that the IRS and Treasury have discussed recommendations to “implement expanded data retention timeframes” and “1:many matching against biometric data during identity proofing to combat emerging fraud schemes.”
The spokesperson noted the IRS and Treasury Inspector General for Tax Administration could subpoena ID.me’s biometric data “in cases they identify as being suspicious and generally fraudulent.”
“The IRS has acknowledged that privacy considerations are the reason the Service currently limits ID.me’s biometric data-retention policy for IRS users,” the spokesperson said.
Public perception and the fight against deepfakes
Lawmakers and privacy advocates bristled at the IRS in 2022 when the agency started requiring facial verification through ID.me for online accounts. The IRS responded by dropping the facial-recognition requirement and creating an option of verifying identifications through virtual interviews with a live agent.
Democratic lawmakers who oversee the IRS told POLITICO they were wary about a potential new data-retention proposal involving taxpayers’ biometric information.
“Following abuses of taxpayer privacy under the Nixon Administration, Congress established and has maintained a robust set of laws safeguarding taxpayers’ personal information,” Sen. Mark Warner (D-Va.), who sits on the Senate Finance Committee, said. “Taxpayer privacy is critically important, and the IRS should take the utmost care to safeguard taxpayer biometric data.”
Sens. John Cornyn (R-Texas) and Todd Young (R-Ind.), of the Finance Committee, declined to comment through spokespeople. Other Republicans on the Senate Finance and House Ways and Means committees did not respond to requests for comment.
According to slides of a separate presentation ID.me presented to the IRS in December 2024, the company said it needed to change the terms of a prior contract with the agency to stop emerging fraud threats from generative AI and deepfakes. The company proposed solutions including longer data-retention periods and deepfake detection in video chats, another verification method used for IRS.gov accounts.
“We can do this in an inclusive and responsible manner by using algorithms tested by government and providing human fallbacks, as we always do,” one of the slides read.
A May 2025 internal IRS report, also reviewed by POLITICO, cited public opinion in explaining why the agency hasn’t been able to harness biometrics to crack down on AI-enabled and deepfake fraud.
“Public perception of the practice is also a significant factor as to why the IRS does not retain biometric data including the inability to protect an individual if their biometric data is compromised or stolen,” the report read. “Furthermore there are ethical concerns with the use of biometrics, such as the ability to control or delete their collected data. Another concern being facial recognition systems that may not recognize people of color accurately.”
Rise of AI-assisted fraud
People who sign up for an IRS online account are directed to an ID.me page, where they are asked to submit video selfies and government identification. ID.me uses an authentication technique called “one-to-one” facial matching in which the contours of a user’s face in the selfie are compared with the submitted ID document, according to its website. Users who don’t consent to this method have the alternative of a video chat with a live agent to confirm their identities, a service also provided by ID.me.
Digital fraud experts have been divided on whether more advanced biometric data matching methods IRS and Treasury are exploring are better ways to reduce AI-enabled fraud.
“AI has fundamentally changed the threat ecosystem by making deepfakes significantly easier, cheaper and more effective to pull off,” said Jake Parker, the senior director of government relations at the Security Industry Association, a trade group for security vendors. “There is simply no equivalent alternative to using biometric comparison.”
According to ID.me, AI-driven scams jumped by more than 1,210 percent in 2025, with deepfakes involved in more than 30 percent of high-impact impersonation attacks, which are incidents in which a malicious actor mimics the identity of a trusted individual such as an executive.
A government official familiar with identity certification, referred to POLITICO by ID.me and granted anonymity to speak candidly about how the technology is used, added that 1:many verification was “definitely needed” to capture fraud.
“The government already has all your data,” the official said. “We use this to secure that individual’s account. If we can’t confirm that they are who they say they are, then they’re at risk for fraud.”
But V.S. Subrahmanian, an artificial intelligence and cybersecurity researcher at Northwestern University, said that 1:many comparison was not the only way to detect deepfakes or other forms of AI-generated fraud.
“Comparing an AI-generated image with a real image of the person in question may reveal some anomalies, but such anomalies may lead to a high error rate,” he said. “But image deepfake detection algorithms may do equally well or better without needing a large database of images that could potentially end up in a data breach.”
The Treasury Department last year extended its contracting vehicle, known as a blanket purchasing agreement, for ID.me’s identity authentication services in a five-year deal worth up to $1 billion, though the Treasury and IRS can opt out early.
Internal records reviewed by POLITICO show the Treasury and IRS would require ID.me to delete biometric data no later than “36 months after account closure” except in the case of any suspicious or fraudulent activity. An invoice shows the company billed the government for nearly $16 million worth of its services in April, the first month under the new purchasing agreement.
“The proliferation of sophisticated identity-theft schemes leveraging AI technology requires the IRS to reassess its existing data-retention policy using best practices to better protect taxpayer data,” the IRS spokesperson said. “Such a reassessment also will bring the IRS data-retention policy into alignment with the retention policy adopted by ID.me’s other customers, including other federal agencies.”
ID.me also contracts with the Center for Medicare and Medicaid Services and Department of Veterans Affairs. Those agencies did not respond to requests for comment.
These arrangements are concerning because the federal government doesn’t govern how biometric data is retained or used, said Jeramie Scott, a senior counsel at the Electronic Privacy Information Center, a privacy-rights group based in Washington.
“You don’t have federal law that provides the type of transparency, accountability and oversight for this type of endeavor where you’re going to push people towards giving up their biometric data,” he said.
Nina Olson, the executive director of the advocacy group Center for Taxpayer Rights and a former IRS taxpayer advocate, said she was concerned that the agency had impaired its ability to oversee ID.me after its workforce shrank by 25 percent last year amid the Trump administration’s downsizing of the federal workforce. Many of those job losses occurred in the agency’s procurement and information technology units.
Without assurances about how their data is handled, Olson said, taxpayers will share less information with tax officials.
“If taxpayers start suspecting they file with the IRS and that information is retained by a private entity for three years, and they have no idea how it is being used, and there’s no transparency on it, they will start changing their filing behavior,” she said. “They will disclose less.”
from Politics, Policy, Political News Top Stories https://ift.tt/MhWR7Aq