Government could allow private firms access to facial recognition data

Screenshot (15) — New details of biometric framework released. Photo: Attorney-General’s Department.

The federal government is considering allowing private companies to use its national facial recognition database for a fee, documents released under Freedom of Information laws have revealed.

The partially redacted documents released this week show that the Attorney General’s Department is in discussions with major telecommunications companies about pilot programs for private sector use of the new national facial recognition system in 2018.

BACKGROUND

In was announced in October that state leaders and ministers had unanimously approved a counter-terrorism overhaul package that “enhances” public safety by increasing surveillance of private citizens, including utilising new national facial recognition capabilities.

It was revealed soon after that the overhaul will see all states and territories handing over driver’s licenses and passport photos for a national identification database, allowing for real-time facial recognition when matched to state CCTV footage, bypassing current state restrictions and laws on obtaining such information.

Information will be shared amongst agencies in the Trusted Digital Identity Framework, using the Face Verification Service to identify individuals in the system. The measures were all unanimously approved in the Agreement on Identity Matching Services released last month.

Australia’s leading privacy and civil liberties organisations have since condemned the decision by the Council of Australian Governments (COAG) in October, calling the plans ‘unnecessary’ and ‘fundamentally incompatible with a free and open society’.

ACCESS TO YOUR IDENTITY

According to the documents, participating agencies in the programs will be required to enter formal data sharing agreements containing safeguards for the sharing and use of personal information, with regular audits will help ‘ensure that these protections are functioning properly’.

Below is a diagram of the ‘safeguards’ required to share information with external parties:

Screenshot (12) — Safeguards for releasing identities to third parties. Photo: Attorney-General’s Department.

Agencies will also continue to be subject to independent oversight by a range of existing external bodies such as privacy commissioners, ombudsmen and anticorruption or integrity commissioners for their use of personal information. The operation of the system will be audited by the Office of the Australian Information Commissioner.

“The [Attorney General’s] Department is currently in exploratory discussions with some of the major telecommunications carriers [redacted] regarding their potential use of the [Face Verification Service].”

Under the plan, companies using the FVS would collect a facial image of their customer and send it to the ‘Biometric Interoperability Hub’.

The documents also note that in addition to discussions with the telecommunications companies “large financial institutions have shown a strong interest in accessing the FVS.”

“Use of the FVS would address vulnerabilities created by identity takeover… [and] support the financial sector in complying with their obligations under the anti-money laundering/counter terrorism financing regulations and be positive generally for identity security”.

A spokesperson for the Attorney General’s Department said that no pilot programs had currently commenced, but declined to answer questions about which companies the department is in discussions with for pilot programs or how far those discussions have progressed.

According to the department spokesperson:

“Any private sector organisations using the FVS would need to demonstrate their lawful basis to do so under the Privacy Act, and could only use the FVS where they gain a person’s consent to use their images.

These and other controls will be included in legally binding arrangements with the commonwealth into which all users of the service will enter. The arrangements for private sector access will be informed by an independent privacy impact assessment.

Use could initially be for access to images held by commonwealth agencies. Access to driver license images would be subject to the agreement of state and territory governments.”

In order to use the FVS as planned, private companies which are not currently collecting biometric data will need to start gathering facial images of their customers to send for verification.

Once they have invested in creating and verifying the images, there are concerns that companies are unlikely to simply delete them.

BACKLASH

Monique Mann, a director of the Australian Privacy Foundation and a lecturer at the faculty of law at the Queensland University of Technology, said that requiring companies to ask for consent may not be enough to protect consumers’ rights or mitigate the risks involved with biometric data, and would encourage firms to store more data.

“There are questions about whether individuals are able to make voluntary informed decisions and opt out of these schemes, even if they are aware that it is happening.

If the alternative would be not being able to access important services, like opening a bank account, can you really say that customers are giving their consent freely?

Privacy advocates have also expressed concerns that the overhaul will encourage private companies to build their own facial recognition databases. Once that data is created, it becomes very difficult for people to know how securely it will be stored, who it will be shared with and what information it will be connected to, and to what end.

Public submissions on the new changes are due to be released in early 2018.

For more TOTT News, SUBSCRIBE to the website on the right hand panel for FREE and follow us on social media for more exclusive content:

Facebook — Facebook.com/TOTTNews
YouTube — YouTube.com/TOTTNews
Instagram — Instagram.com/TOTTNews
Twitter — Twitter.com/EthanTOTT