A group of Democratic lawmakers has urged the Federal Trade Commission to investigate identity verification company ID.me, claiming that its CEO made misleading comments about how the company uses facial recognition.
“We write to urge the Federal Trade Commission (FTC) to investigate evidence of deceptive statements made by ID.me—a provider of identity verification services widely used by federal and state government agencies—about its use of facial recognition,” the letter, sent to the FTC and signed by Senator Ron Wyden, Senator Alex Padilla, Senator Cory Booker, and Senator Edward Markey, starts.
Earlier this year ID.me was set to provide its services to the IRS as part of a $86 million contract. ID.me would let taxpayers log into their accounts after verifying their identity. In February, the IRS said it would stop the use of ID.me after multiple members of Congress and senators as well as activists urged the IRS to halt the deployment. That concern came from ID.me’s use of facial recognition as part of its authentication service, which used Amazon’s facial recognition product called Rekognition, Cyberscoop reported at the time.
Do you work for a facial recognition company? Are you a customer? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on firstname.lastname@example.org, or email email@example.com.
The lawmakers’ new letter to the FTC highlights apparent inconsistencies in ID.me’s comments about whether it uses one-to-one facial recognition, which compares one photo to one point of reference, such as identity document, or one-to-many recognition, which compares a photo to a database of images of other faces. The latter “means that millions of innocent people will have their photographs endlessly queried as part of a digital ‘line up.’ Not only does this violate individuals’ privacy, but the inevitable false matches associated with one-to-many recognition can result in applicants being wrongly denied desperately-needed services for weeks or even months as they try to get their case reviewed,” the letter states.
As the letter notes, since at least June 2021 ID.me claimed in blog posts and white papers that the company did not use one-to-many facial recognition. In January, ID.me CEO Blake Hall said in a statement that ID.me “does not use 1:many [one-to-many] facial recognition,” and acknowledged that the method was “tied to surveillance applications.”
In a LinkedIn post two days later, Hall said that ID.me does use one-to-many recognition. “Within days, the company edited the numerous blog posts and white papers on its website that previously stated the company did not use one-to-many to reflect the truth,” the letter from lawmakers says.
In Cyberscoop’s report on ID.me using Amazon’s Rekognition, the publication said it had obtained internal ID.me communications where an engineer wrote “I was in a conversation with the IRS on 1/19 where we explicitly discussed using AWS Recognition for 1:many face search.”
“But it seems we can’t keep doing one thing and saying another as that’s bound to land us in hot water,” one of the messages read.
The lawmakers’ letter says that ID.me’s statements were harmful in misleading consumers about how the company was using their biometric data, and that government officials selecting ID.me for their agencies have a right to know that “selecting ID.me would force millions of Americans–many of them in desperate circumstances – to submit to scanning using a facial recognition technique that ID.me itself acknowledged was problematic.” As the lawmakers’ new letter to the FTC notes, many more government agencies are still using ID.me, including to access services like state unemployment insurance.
“We therefore request that you investigate evidence of ID.me’s deceptive public statements to determine whether they constitute deceptive and unfair business practices under the Section 5 of the FTC Act,” the letter concludes.
ID.me told Motherboard in a statement that “Five state workforce agencies have publicly credited ID.me with helping to prevent $238 billion dollars in fraud. Conditions were so bad during the pandemic that the deputy assistant director of the FBI called the fraud ‘an economic attack on the United States.’ ID.me played a critical role in stopping that attack in more than 20 states where the service was rapidly adopted for its equally important ability to increase equity and verify individuals left behind by traditional options. We look forward to cooperating with all relevant government bodies to clear up any misunderstandings.”
Update: This piece has been updated to include a statement from ID.me.
Subscribe to our cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.