In August, DIGIT reported on the heated debate surrounding the Home Office’s decision to trial facial recognition technology at the Notting Hill Carnival. Despite its limited use, the trial was met with strong criticism from civil liberties organisations, including the Open Rights Group, which claimed that facial recognition tech presents ‘unique threats’ to human rights.
Now documents released under Freedom of Information laws have revealed that Australia’s federal government is considering selling access to its national facial recognition database to private companies. According to The Guardian, the documents show that the Attorney General’s department is in discussions over the use of the tech, starting as early as 2018.
The documents indicate a ‘strong interest’ from financial companies in accessing the data.
The Australian Government claims that the use of facial recognition technology is now a necessity for national security. It has also stressed that private companies will only be able to access the database with the customer’s consent.
But experts and liberties organisations have expressed concerns over the lack of transparency surrounding the deal. At the time of the Notting Hill Carnival, the Open Rights Group warned: “We do not know, for example, in which public places automated facial recognition is in use; where and how the images captured are stored; how long the images are stored for; how and when the images are deleted; what databases the images are being matched against; … whether any or all of the footage, images, or other data is shared with a third party, … whom the software provider is and how much is paid for the service; how accurate the software is; and whether the software has been tested for accuracy biases.”
Monique Mann, director of the Australian Privacy Foundation, said: “There are questions about whether individuals are able to make voluntary informed decisions and opt out of these schemes, even if they are aware that it is happening.
“If the alternative would be not being able to access important services, like opening a bank account, can you really say that customers are giving their consent freely?
“In practice, this program will effectively encourage private companies to build their own facial recognition databases. Once that data is created, it becomes very difficult for people to know how securely it will be stored, who it will be shared with and what information it will be connected to, and to what end.”
Huge Data Breaches
Private companies’ track record in protecting the private data of their customers has been dismal. US credit giant Equifax suffered a major data breach in July this year, compromising the information of 143 million American citizens and 15 million British citizens. Last week, Uber also admitted that it had suffered a hack affecting 57 million users of its ride-hailing service.
Both of these breaches also have an uglier underbelly. Equifax delayed reporting on its breach for five weeks, while Uber allegedly attempted to ‘cover up’ its breach entirely by paying the hackers in question $100,000 to quietly delete the data they had stolen.
The Australian Government made clear its intention to expand its facial recognition technology network with a deal struck last month to share the data between local and federal police branches. The government faced criticism at the time, but now it has emerged that private firms too may be getting access to this database. These latest documents reveal that at the time the deal was struck, 50% of the population was already included in the national database. The Guardian claims that the federal Attorney General’s Department plans to expand this number to 85% of Australians.
The partially redacted documents reveal: “the [Attorney General’s] Department is currently in exploratory discussions with some of the major telecommunications carriers [redacted] regarding their potential use of the [Face Verification Service].”
Under the deal, companies using the FVS would gather a facial image of the individual using their service and send it to a “Biometric Interoperability Hub.”
Document Verification Service
This means that access between private companies and the government database could be similar to the Document Verification Service (DVS) currently in place in Australia. This system has been available to private companies since 2014, and is used by firms to verify information on customers’ official documents, such as driving licenses, passports, etc.
The DVS also requires interested firms to pay the government a fee. The service itself is very widely used, with some 15.5 million private business transactions being processed, mostly by telecommunications companies. “This has provided a consistent and growing source of revenue to fund further security initiatives. Private sector use of the FVS could provide similar benefits,” the released documents attest.
“Use of the FVS would address vulnerabilities created by identity takeover… [and] support the financial sector in complying with their obligations under the anti-money laundering/counter terrorism financing regulations and be positive generally for identity security”.
No Pilot Programs – Yet
A spokesperson for the Attorney General’s Department said that no pilot programs had started, but declined to give details on how far discussions had progressed. According to the department spokesperson: “Any private sector organisations using the FVS would need to demonstrate their lawful basis to do so under the Privacy Act, and could only use the FVS where they gain a person’s consent to use their images.
“These and other controls will be included in legally binding arrangements with the commonwealth into which all users of the service will enter. The arrangements for private sector access will be informed by an independent privacy impact assessment.
“Use could initially be for access to images held by commonwealth agencies. Access to driver license images would be subject to the agreement of state and territory governments.”
With the coming of GDPR, experts have voiced concerns that a tidal wave of ‘no-win-no-fee’ claims may engulf companies that do not protect information. Of course, governments and other public bodies are also vulnerable to cyberattacks, as the hacks against the Scottish Parliament, Houses of Parliament and the NHS earlier this year show.