The CEO of ID.me, a service used by dozens of states to verify unemployment benefits claimants as well as several federal agencies, has walked back previous claims that the company does not use a more powerful method of facial recognition.
— ID.me (@IDme) January 26, 2022
“ID.me uses a specific ‘1 to Many’ check on selfies tied to government programs targeted by organized crime to prevent prolific identity thieves and members of organized crime from stealing the identities of innocent victims en masse,” Blake Hall said in a statement. “This step is internal to ID.me and does not involve any external or government database.”
That contrasts with comments Hall made earlier this week. “Our 1:1 face match is comparable to taking a selfie to unlock a smartphone,” he said. “ID.me does not use 1:many facial recognition, which is more complex and problematic.”
The 1:many approach involves matching images against those in a database, whereas 1:1 is a case of ensuring someone matches their own photo. For 1:1 matching, ID.me compares a user’s selfie against a piece of government ID that they upload.
Privacy advocates have criticized both approaches. Research has indicated that some facial recognition systems struggle to identify people with darker skin tones, and concerns have been raised about the security risks of storing biometric data.
Hall said ID.me’s 1:many check “occurs once during enrollment, and exists to make sure a single attacker is not registering multiple identities. This step is not tied to identity verification. It does not block legitimate users from verifying their identity, nor is it used for any other purpose other than to prevent identity theft.”
He claimed data shows that dropping the 1:many check “would immediately lead to significant identity theft and organized crime. The 1:1 Face Match step is the only step used to verify identity as explained in our earlier reports.”
According to Cyberscoop, some ID.me workers expressed concern that the company’s public statements didn’t align with what it was actually doing. “We could disable the 1:many face search, but then lose a valuable fraud fighting tool. Or we could change our public stance on using 1:many face search,” an engineer is said to have posted to an ID.me Slack channel this week. “But it seems we can’t keep doing one thing and saying another as that’s bound to land us in hot water.”
“If companies and the government have to lie about facial recognition in an effort to avoid public scrutiny, they shouldn’t be using it,” Fight for the Future campaign director Caitlin Seeley George said in a statement. “We already know this company is willing to say anything in order to get more government contracts. The CEO of ID.me has been peddling erroneous numbers about unemployment benefit fraud, but the fact that the IRS knew about this discrepancy is a big problem. The only responsible thing for the IRS and any other state or federal agency using ID.me to do is to stop these contracts immediately.”
ID.me came back under the spotlight recently after cybersecurity reporter Brian Krebs tried to set up an account, which will be required to log into the Internal Revenue Service’s online portal by this summer. Krebs ran into difficulties during the verification process, and ID.me placed him in a queue to join a video call with a live agent. The system gave Krebs an estimated wait time of three hours and 27 minutes.
Hall said ID.me works with 10 federal agencies, 30 states and 540 companies. Last year, some users reported having to wait months to receive their benefits after the system failed to verify their identity. In some cases, folks said they had no success with the video chat system either.