Revealed: Australia’s national facial recognition system

The new national identification system. Photo: ZDNet

The Australian government has unveiled new details surrounding highly controversial changes to ‘anti-terrorism’ measures this week, including the introduction of a new national facial recognition system, following the Coalition of Australian Governments (COAG) meeting in Canberra last month.

The changes, outlined in draft documents released this week, describe the use of new ‘federated identity ecosystems’ (or ‘identity federations’) to share information between authorised agencies, including the introduction of a new ‘trust framework’ system to replace traditional legal processes.

BACKGROUND

On October 1st, following a mass-shooting in Las Vegas, it was confirmed that the Australian government would use the event to further push for an even tougher overhaul of current ‘anti-terrorism’ legislation at a special Council of Australian Governments (COAG) meeting in Canberra.

In the meeting, state leaders and ministers unanimously approved a counter-terrorism package that “enhances” public safety by increasing surveillance of private citizens – including utalising new national facial recognition capabilities – and removes longstanding rights for those suspected of terrorist involvement.

The overhaul will see all states and territories handing over driver’s licenses and passport photos for a national identification database, allowing for real-time facial recognition when matched to state CCTV footage, bypassing current state restrictions and laws on obtaining such information.

FACIAL RECOGNITION SYSTEM

OVERVIEW:

Following the COAG meeting in Canberra in October, it was revealed that government officials had agreed to establish National Facial Biometric Matching Capability systems, and signed an Intergovernmental Agreement on Identity Matching Services to outline the changes.

The documents revealed the new system “will make it easier for security and law enforcement agencies to identify people who are suspects or victims of terrorist or other criminal activity, and prevent the use of fake or stolen identities — which is a key enabler of terrorism and other serious crime”.

Under the Agreement, agencies in all jurisdictions will be able to use new face matching services to access passport, visa, citizenship and driver licence images – while attempting to maintain robust privacy safeguards.

PART I – FRAMEWORK

Today, details of the framework have been revealed under the Trusted Digital Identity Framework Structure and Overview, where accreditation for the “identity federation” will be based on a ‘Trusted Digital Identity Framework’ rather than traditional service level agreements (SLAs) in order to provide ‘more transparency and scale’.

The 14 draft documents, published on the Digital.gov.au website, include the following:

Trust Framework Structure and Overview
Trust Framework Accreditation Process
Privacy Assessment; Core Privacy Requirements
Core Protective Security Requirements
Core User Experience Requirements
Core Risk Management Requirements
Core Fraud Control Requirements
Digital Identity Proofing Standard
Digital Authentication Credential Standard
Information Security Documentation Guide
Risk Management Guide.

The new ‘Trusted Digital Identity Framework’ refers to how citizens’ digital identity information must be managed, which is said would sit alongside the current Govpass digital platform.

“The framework sets out a nationally consistent approach to how digital identity will be managed,” Assistant Minister for Digital Transformation, Angus Taylor said on Thursday.

“This includes documents outlining how providers will be accredited, privacy, security, risk, and fraud management requirements, as well as standards for usability and accessibility. The framework sits alongside the Digital Transformation Agency’s Govpass technology platform, which is currently in private beta.”

“It provides the required structure and controls to deliver confidence to participants that all accredited providers in the identity federation have met their accreditation obligations and as such may be considered trustworthy.”

The Trusted Digital Identity Framework Core Privacy Requirements [PDF] outlines privacy requirements that must be fulfilled under the trust framework, with companies handling such data must have a “privacy champion” with overall responsibility and accountability for privacy.

The Trusted Digital Identity Framework Core Protective Security Requirements [PDF] covers the minimum security controls that applicants must provide for an identity system, including the applicant undertaking an active role in protecting their identity service.

Other key documents include the Trusted Digital Identity Framework Core Risk Management Requirements [PDF] and the Trusted Digital Identity Framework Core Fraud Control Requirements [PDF], which both define the controls for preventing, detecting, reporting, investigating, and supporting the victims of fraud.

Finally, the Trusted Digital Identity Framework Core User Experience Requirements [PDF] ensures an applicant’s identity system is “simple and easy for all to use”.

PART II – FACE MATCHING

The new framework for Australia is set to be active by mid-2018 in Australia, with all jurisdictions able to use new ‘face matching’ services within the framework to access passport, visa, citizenship and driver licence images shortly after.

The Face Verification Service (FVS) is a one-to-one, image-based verification service that can match a person’s photo against an image on one of their government records (such as a passport photo) to help verify their identity. Often these transactions will occur with the individual’s consent.

The Face Identification Service (FIS) is a one-to-many, image-based identification service that can match a photo of an unknown person against multiple government records to help establish their identity. Access to the FIS will be limited to police and security agencies, or specialist fraud prevention areas within agencies that issue passports, and immigration and citizenship documents.

Under the plan, companies using the FVS within the Trust Framework would collect a facial image of their customer and send it to the “Biometric Interoperability Hub”.

The hub then uses the national database to check the photo against an image on one of their government records, such as a passport or driving license photo, to verify that it is the same person. The company would receive a yes/no response, without seeing the image held by the government or having direct access to the database

RESPONSE

This decision by COAG has been described as ‘nothing less than a complete betrayal of a fundamental civil liberty of all Australians’. If implemented, it will ensure that the presumption of innocence no longer has any effective meaning in this country. Such an untargeted, mass surveillance database is just the latest attempt by governments to categorise everyone as potential suspects, not citizens.

The government is accepting feedback on its 14 draft documents until December 8.

Note: We will be continuously updating this article in greater detail the more we read through the documents. Please check back or subscribe to TOTT News for FREE to have notifications of new posts directly to your email!

For more TOTT News, SUBSCRIBE to the website on the right hand panel for FREE and follow us on social media for more exclusive content:

Facebook — Facebook.com/TOTTNews
YouTube — YouTube.com/TOTTNews
Instagram — Instagram.com/TOTTNews
Twitter — Twitter.com/EthanTOTT