The IRS won’t make you verify your identity with facial recognition after all

The IRS announced plans Monday to back away from a third-party facial recognition system that collects biometric data from U.S. taxpayers who want to log in to the agency’s online portal.

The IRS says it will abandon the technology, built by a contractor called ID.me, in the coming weeks. The agency says it will instead swap in an “additional authentication process” that doesn’t collect facial images or video. The two-year contract was worth $86 million.

“The IRS takes taxpayer privacy and security seriously, and we understand the concerns that have been raised,” IRS Commissioner Chuck Rettig said. “Everyone should feel comfortable with how their personal information is secured, and we are quickly pursuing short-term options that do not involve facial recognition.”

The update to the U.S. tax collection agency’s online verification system, set for a full roll-out over the summer, was roundly criticized for collecting sensitive biometric data on Americans.

Many tax filers already encountered the ID.me system live on IRS.gov, where they were required to submit facial videos to create an online login. If that system failed, tax filers were put into lengthy queues to have their identities manually verified in video calls with a third-party company.

In a letter to Rettig, Reps. Ted Lieu (D-CA), Anna Eshoo (D-CA), Pramila Jayapal (D-WA) and Yvette Clarke (D-NY) raised concerns that allowing a private company to collect face data from millions of Americans posed a cybersecurity risk. The lawmakers also pointed to the body of research demonstrating that facial recognition systems are often built with inherent racial bias that makes the technology far more accurate for non-white faces.

“To be clear, Americans will not have the option of providing their biometric data to a private contractor as an alternative way to access the IRS website,” the lawmakers wrote.

In choosing to roll out the facial recognition technology, the IRS ran afoul of privacy hawks but also the federal government’s own General Services Administration, which has publicly committed to not implement facial recognition tech unless such a system undergoes “rigorous review” to evaluate if it will cause unforeseen harm. The GSA’s existing identity verification methods eschew the need for biometric data, relying instead on scans of government records and credit reports.

US lawmakers want to restrict police use of ‘Stingray’ cell tower simulators

According to BuzzFeed News, Democratic Senator Ron Wyden and Representative Ted Lieu will introduce legislation later today that seeks to restrict police use of international mobile subscriber identity (IMSI) catchers. More commonly known as Stingrays, police frequently use IMSI catchers and cell-site simulators to collect information on suspects and intercept calls, SMS messages and other forms of communication. Law enforcement agencies in the US currently do not require a warrant to use the technology. The Cell-Site Simulator Act of 2021 seeks to change that.

IMSI catchers mimic cell towers to trick mobile phones into connecting with them. Once connected, they can collect data a device sends out, including its location and subscriber identity key. Cell-site simulators pose a two-fold problem.

The first is that they’re surveillance blunt instruments. When used in a populated area, IMSI catchers can collect data from bystanders. The second is that they can also pose a safety risk to the public. The reason for this is that while IMSI catchers act like a cell tower, they don’t function as one, and they can’t transfer calls to a public wireless network. They can therefore prevent a phone from connecting to 9-1-1. Despite the dangers they pose, their use is widespread. In 2018, the American Civil Liberties Union found at least 75 agencies in 27 states and the District of Columbia owned IMSI catchers.

In trying to address those concerns, the proposed legislation would make it so that law enforcement agencies would need to make a case before a judge on why they should be allowed to use the technology. They would also need to explain why other surveillance methods wouldn’t be as effective. Moreover, it seeks to ensure those agencies delete any data they collect from those not listed on a warrant.

Although the bill reportedly doesn’t lay out a time limit on IMSI catcher use, it does push agencies to use the devices for the least amount of time possible. It also details exceptions where police could use the technology without a warrant. For instance, it would leave the door open for law enforcement to use the devices in contexts like bomb threats where an IMSI catcher can prevent a remote detonation.

“Our bipartisan bill ends the secrecy and uncertainty around Stingrays and other cell-site simulators and replaces it with clear, transparent rules for when the government can use these invasive surveillance devices,” Senator Ron Wyden told BuzzFeed News.

The bill has support from some Republicans. Senator Steve Daines of Montana and Representative Tom McClintock of California are co-sponsoring the proposed legislation. Organizations like the Electronic Frontier Foundation and the Electronic Privacy Information Center have also endorsed the bill.

This article was originally published on Engadget.