A De Facto National ID from ID.me; Technometria - Issue #39
Last week’s newsletter reported ID.me’s claim that they were not doing 1:many facial recognition. Turns out that’s not true…
In “IRS Using Facial Scanning,” I reported on the IRS’s move to use the identity proofing and authentication services from ID.me for logging into their online services. ID.me has contracts with other federal agencies like Veterans Affairs and numerous states.
One of the controversial aspects of ID.me’s service is an identity proofing service that matches a selfie to the uploaded picture of a government credential. This is called 1:1 facial matching: one selfie, one credential picture.
ID.me’s original press release, since updated, claimed that the company didn’t use 1:many facial matching, where the selfie or ID photo is compared to a database of pictures. But after an internal Slack discussion where an engineer pointed out that the company did use AWS’s Rekognition service for 1:many facial scanning, the company backtracked.
In admitting that ID.me uses 1:many facial recognition, the company ignited a firestorm with privacy watchdogs piling on. A recent EFF article, written before the ID.me revelations, states “Face recognition isn’t just face identification and verification: It’s also photo clustering, race analysis, real-time tracking, and more.” Many are echoing these concerns. And, of course, the fact that ID.me lied about what they were doing is not inspiring confidence. I imagine their management team has had better weeks.
In “ID.me CEO backtracks on claims company doesn’t use powerful facial recognition tech,” Tonya Riley at CyberScoop details the turnaround and the events that led up to it. One of the Slack messages reportedly said “We could disable the 1:many face search, but then lose a valuable fraud-fighting tool. Or we could change our public stance on using 1:many face search.” There were no details about how the 1:many facial recognition is used to fight fraud.
One way 1:many facial recognition might be used to fight fraud is to keep copies of all the pictures that have been uploaded. If someone tried to steal identities by using fake IDs, then the system would flag that the same face shows up on multiple IDs. I can see why the IRS would want to do this since one way people defraud the IRS is claiming other people’s refunds. And it’s not hard to do with all the personal data for sale on the dark web. Facial recognition could cut this dramatically.
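The difference between the two matching modes, and why the duplicate-face check needs a retained gallery, can be shown in a short sketch. This is an added example, not ID.me's code or anything from the original newsletter: the function names, the similarity threshold and the four-dimensional "embeddings" are all constructed for illustration.

```python
import math

THRESHOLD = 0.98  # assumed similarity cut-off for "same face"

# Constructed gallery of retained enrollments: (account, claimed name, embedding).
# Real systems use model-generated vectors; these 4-d values are made up.
GALLERY = [
    ("acct-1", "Alice Example", [0.91, 0.10, 0.32, 0.05]),
    ("acct-2", "Bob Example",   [0.12, 0.88, 0.20, 0.41]),
    ("acct-3", "Carol Example", [0.30, 0.25, 0.90, 0.11]),
]

def cosine(a, b):
    """Cosine similarity between two embedding vectors."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm

def verify_1_to_1(selfie, id_photo):
    """1:1 matching: one selfie against the photo on the presented credential."""
    return cosine(selfie, id_photo) >= THRESHOLD

def search_1_to_many(selfie, gallery):
    """1:many matching: one selfie against every retained enrollment."""
    scored = [(acct, name, cosine(selfie, emb)) for acct, name, emb in gallery]
    return sorted((s for s in scored if s[2] >= THRESHOLD), key=lambda s: -s[2])

def enroll(account, claimed_name, selfie, id_photo, gallery):
    """Proof an applicant; flag a face already enrolled under another name."""
    if not verify_1_to_1(selfie, id_photo):
        return {"status": "rejected", "matches": []}
    dupes = [m for m in search_1_to_many(selfie, gallery) if m[1] != claimed_name]
    if dupes:
        return {"status": "flagged", "matches": dupes}
    gallery.append((account, claimed_name, selfie))  # the retained biometric trove
    return {"status": "enrolled", "matches": []}

# Constructed case: a forged ID carries the applicant's own face under a new
# name, so the 1:1 check passes and only the gallery search reveals the reuse.
FORGED_SELFIE = [0.90, 0.11, 0.33, 0.05]
FORGED_ID_PHOTO = [0.92, 0.09, 0.31, 0.06]

if __name__ == "__main__":
    print(verify_1_to_1(FORGED_SELFIE, FORGED_ID_PHOTO))
    print(enroll("acct-4", "Dave Example", FORGED_SELFIE, FORGED_ID_PHOTO, list(GALLERY)))
```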
ID.me retains selfies uploaded during the verification process for seven and a half years after an account is closed, per federal guidelines. Of course, you don’t really close your account with the IRS until you’re dead, so that’s a long time.
I don’t like that the IRS is using a third party to do this. But I wouldn’t really like it if they were using login.gov either (yeah, that’s a thing). Regardless of who does it, having a huge trove of biometric information sitting out on the internet is just asking for trouble.
As I said last week, the right solution is to use verifiable credentials. They have cryptographic properties that prevent the fraud without a big, new trove of biometric and personal data. Specifically, the credential exchange can prove the person presenting the credential is the same person to whom it was issued.
Whether you are a fan of or hate the idea of a national ID, ID.me is on the path to become one. I don’t think having a private third party run the national ID system is a good idea. If we’re going to do it, then let’s architect it correctly and securely. But we can keep the current, decentralized system of identification and also prevent fraud with technology available today. I vote for that.
Photo Credit: Face Detection from Sylenius (CC BY 2.0)
© 2021 Phillip J. Windley. Some rights reserved. Technometria is a trademark of PJW LC.
By Phil Windley
I build things; I write code; I void warranties