If you want to use their website; WaPo has the story here. But it's one of those public/private partnerships where data leaks and hacks and thefts happen. To their credit, the Post went to Joy Buolamwini, whose work proved that facial recognition systems work best on white men and worst on Black women. But even a perfectly functioning system is frightening. First, it would unquestionably worsen the divide between those who have good Internet and those who don't, making convenient access to tax records contingent on having a sufficient income and computing skills. Also, of course, facial recognition is bad - the potential for misuse is so great, and the record is so permanent, that Woody Hartzog and Evan Selinger argue it ought to be legally impossible to consent to. (for an overview of the debate, see Selinger and Leong here).
One of the biggest problems with data is that it gets leaked and hacked, of course, but another big problem is that companies sell it to pretty much whoever arrives with cash. The company handling IRS facial recognition claims they'll turn it over to law enforcement, but the Post says there's no federal law proscribing what they can do with it. And they're switching companies and authentication strategies because of a massive data breach at Equifax a few years ago. So its not like nobody has ever heard of a data breach.
Oh, and ID.me, the company getting the contract, totally wants to sell you stuff:
"But advertising is a key part of ID.me’s operation, too. People who sign up on ID.me’s website are asked if they want to subscribe to “offers and discounts” from the company’s online storefront, which links to special deals for veterans, students and first responders. Consumer marketing accounts for 10 percent of the company’s revenue."
What could possibly go wrong? Well, if you look up the ID.me privacy policy, you discover that most of the usual things can go wrong. For example, they don't police 3rd party use of the data, which they encourage you to opt-in to:
"To avoid any confusion, Users should understand that, while we own and operate the Service and Website, we do not own or operate websites owned and operated by third parties who may avail themselves of the ID.me Service (collectively referred to hereafter as the “Third-Party Websites”). This Privacy Policy is intended to inform Users about our collection, use, storage, and disclosure, destruction and disposal of information that we collect or record in the course of providing the Website and the ID.me Service. Please note, we are not responsible for the privacy practices of Third-Party Websites and they are under no obligation to comply with this Privacy Policy. Before visiting Third-Party Websites, and before providing the User’s ID.me or any other information to any party that operates or advertises on Third-Party Websites, Users should review the privacy policy and practices of that website to determine how information collected from Users will be handled. Please further note, depending on a User’s particular interaction with us (e.g., Users who solely navigate the Website versus Users who create an account and use the ID.me Service at Third-Party Websites), different portions of this policy may apply to Users at different times."
Also, they reserve the right to change their privacy policy at any time, and it's your job to read it frequently to see:
"If we decide to change this Privacy Policy, we will post those changes to this page so that you are aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. We reserve the right to modify this Privacy Policy at any time, so please review it frequently. If we make material changes to this policy, we will notify you here, by email, or by means of notice on our home page."
That's item 1 on the policy. Nothing else matters. This is typical corporate privacy boilerplate that lets them do whatever they want with your facial biometric information. Good job IRS!
Recent Comments