https://krebsonsecurity.com/2022/05/senators-urge-ftc-to-probe-id-me-over-selfie-data/

Krebs on Security

Senators Urge FTC to Probe ID.me Over Selfie Data

May 18, 2022

Some of the more tech-savvy Democrats in the U.S. Senate are asking the Federal Trade Commission (FTC) to investigate identity-proofing company ID.me for "deceptive statements" the company and its founder allegedly made over how they handle facial recognition data collected on behalf of the Internal Revenue Service, which until recently required anyone seeking a new IRS account online to provide a live video selfie to ID.me.

In a letter to FTC Chair Lina Khan, the Senators charge that ID.me's CEO Blake Hall has offered conflicting statements about how his company uses the facial scan data it collects on behalf of the federal government and many states that use the ID proofing technology to screen applicants for unemployment insurance.

The lawmakers say that in public statements and blog posts, ID.me has frequently emphasized the difference between two types of facial recognition: One-to-one, and one-to-many. In the one-to-one approach, a live video selfie is compared to the image on a driver's license, for example. One-to-many facial recognition involves comparing a face against a database of other faces to find any potential matches.

Americans have particular reason to be concerned about the difference between these two types of facial recognition, says the letter to the FTC, signed by Sens. Cory Booker (D-N.J.), Edward Markey (D-Mass.), Alex Padilla (D-Calif.), and Ron Wyden (D-Ore.):

"While one-to-one recognition involves a one-time comparison of two images in order to confirm an applicant's identity, the use of one-to-many recognition means that millions of innocent people will have their photographs endlessly queried as part of a digital 'line up.'
Not only does this violate individuals' privacy, but the inevitable false matches associated with one-to-many recognition can result in applicants being wrongly denied desperately-needed services for weeks or even months as they try to get their case reviewed."

"This risk is especially acute for people of color: NIST's Facial Recognition Vendor Test found that many facial recognition algorithms have rates of false matches that are as much as 100 times higher for individuals from countries in West Africa, East Africa and East Asia than for individuals from Eastern European countries. This means Black and Asian Americans could be disproportionately likely to be denied benefits due to a false match in a one-to-many facial recognition system."

The lawmakers say that throughout the latter half of 2021, ID.me published statements and blog posts stating it did not use one-to-many facial recognition and that the approach was "problematic" and "tied to surveillance operations." But several days after a Jan. 16, 2022 post here about the IRS's new facial ID requirement went viral and prompted a public backlash, Hall acknowledged in a LinkedIn posting that ID.me does use one-to-many facial recognition.

"Within days, the company edited the numerous blog posts and white papers on its website that previously stated the company did not use one-to-many to reflect the truth," the letter alleges. "According to media reports, the company's decision to correct its prior misleading statements came after mounting internal pressure from its employees."

Cyberscoop's Tonya Riley published excerpts from internal ID.me employee Slack messages wherein some expressed dread and unease with the company's equivocation on its use of one-to-many facial recognition.

In February, the IRS announced it would no longer require facial scans or other biometric data from taxpayers seeking to create an account at the agency's website.
The agency also pledged that any biometric data shared with ID.me would be permanently deleted.

But the IRS still requires new account applicants to sign up with either ID.me or Login.gov, a single sign-on solution already used to access 200 websites run by 28 federal agencies. It also still offers the option of providing a live selfie for verification purposes, although the IRS says this data will be deleted automatically.

Asked to respond to concerns raised in the letter from Senate lawmakers, ID.me instead touted its successes in stopping fraud.

"Five state workforce agencies have publicly credited ID.me with helping to prevent $238 billion dollars in fraud," the statement reads. "Conditions were so bad during the pandemic that the deputy assistant director of the FBI called the fraud 'an economic attack on the United States.' ID.me played a critical role in stopping that attack in more than 20 states where the service was rapidly adopted for its equally important ability to increase equity and verify individuals left behind by traditional options. We look forward to cooperating with all relevant government bodies to clear up any misunderstandings."

As Cyberscoop reported on Apr. 14, the House Oversight and Reform Committee last month began an investigation into ID.me's practices, with committee chairwoman Carolyn Maloney (D-N.Y.) saying the committee's questions to the company would help shape policy on how the government wields facial recognition technology.

A copy of the letter the senators sent to the FTC is here (PDF).

This entry was posted on Wednesday 18th of May 2022 12:55 PM

5 thoughts on "Senators Urge FTC to Probe ID.me Over Selfie Data"

1.
John Oram May 18, 2022
ID.me is a trusted VA partner and 1 of only 4 Single Sign-On providers that meet the U.S. government's most rigorous requirements for online identity proofing and authentication. ID.me provides the strongest identity verification system available to prevent fraud and identity theft. Feb 18, 2022
Privacy And Security On VA.gov | Veterans Affairs
https://www.va.gov/resources/privacy-and-security-on-vagov/

2. Jeff B May 18, 2022
Claiming to prevent fraud while also committing it... The (alleged) hypocrisy here is indefensible. Particularly in a role as a validator of identity and trust, and even more so when in support of government services, the organizational and process integrity must be fully transparent and of the highest ethical standards.

3. Steven May 18, 2022
The bigger question on this:
1. What do they do with this data?
2. How are we guaranteed that this data isn't leaked?
3. What happens to the business if it does get leaked? (Do we get the ceo thrown in jail?) What's their incentive to actually do a good job with this?
4. What assurances (and protection for assurances) do we get to force them to wipe our personal data?
4.1 What is the evidence that is given to demonstrate that they don't have it?
5. What happens to the derivative data from this? I.e. Face geometry?
6. Who do they sell the data to? (In the US it's probably unreasonable to assume that who might they sell it to.. it's probably safe to assume they already have)

4. EP May 18, 2022
As always, appreciate these articles. I'm also extremely frustrated in general with how the average American's privacy is often an afterthought. My question is why the entire Senate hasn't signed this letter? Why only four?

5.
Donald Goldstein May 18, 2022
"NIST's Facial Recognition Vendor Test found that many facial recognition algorithms have rates of false matches that are as much as 100 times higher for individuals from countries in West Africa, East Africa and East Asia than for individuals from Eastern European countries." - Isn't this like saying that NTSB found that many cars aren't that safe? What specific algorithm is being used by ID.me and what is that false rate?