The Attorney General’s Department plans to add as many as 12 million passport photographs to its Face Verification Service this year – one issue prompting calls for a Biometric Commissioner to be appointed to safeguard Australians’ privacy.
The Face Verification Service (FVS) was unveiled in November last year by the Minister for Justice. Michael Keenan.
Initially the FVS held only citizenship images of people born overseas who apply for Australian citizenship. That image is provided as part of the application process, and is held by the Department of Immigration and Border Protection.
In 2017 an estimated 12 million images from biometrically enabled passports are slated to be made available to the FVS service.
The FVS is intended to help guard against identity theft by matching an image against a verified facial biometric.
It is expected to play a key role in the Digital Transformation Agency’s Govpass digital identity framework currently under development.
Rachel Dixon DTA’s head of digital identity demonstrated the current beta version of Govpass to Angus Taylor, assistant minister for cities and digital transformation, last week.
While Mr Taylor has made clear that Govpass will be an opt-in service, the FVS and Face Identification Service (FIS) continue to be built-out with biometric data, regardless of whether a citizen has opted to be included or not.
According to a spokesperson for the Attorney General’s department negotiations are also underway with States and Territories to include access to millions of driving licence images.
Queensland Privacy Commissioner Philip Green said that although there had been a trial involving the Northern Territory, the inclusion of images from other States and Territories was “no lay down misere” and that State/Commonwealth politics and costs could pose significant barriers.
He said States were willing to share information for law enforcement purposes, but expressed concerns about the risk of scope creep for identify verification services, especially when that might include the banks, as has been canvassed by the DTA for Govpass.
“We don’t want to build a huge monster of a system and use it for more than it was intended,” he said, adding that individual State Privacy Impact Assessments would probably be needed ahead of any image sharing agreement.
A Privacy Impact Assessment of the underlying platform for the FVS and FIS, was conducted in 2015 by Information Integrity Solutions.
That made a series of recommendations (accepted in full or part by the Federal Government) but noted that its remit did not extend to assessing or commenting on the potential privacy impact of the scheme itself. Its focus instead was on the design and governance.
A paper in the current issue of the UNSW Law Journal does however assess the privacy implications of face verification and identification.
Dr Monique Mann, lecturer at the Queensland University of Technology and a director of the Australian Privacy Foundation, and Marcus Smith, adjunct professor at the University of Canberra, identify a “significant governance gap”, with respect to the Commonwealth’s proposed use of biometric information.
It also notes the extent to which the Federal Government is already collecting data from a range of sources. The paper references the $1.6 million awarded to the Australian Federal Police in 2016 to mine external data sources including social networks.
The authors note that to collect biometrics such as fingerprints or voice prints the Government needs either the knowledge or consent of the individual. That is not the case with the harvesting of photographs from social media.
Australia’s lack of a Constitutional Bill of Rights, and the extent of exemptions in privacy legislation, have led to a biometrics governance gap according to the authors.
They also note that the FVS, FIS (and hence the biometric element of Govpass) have been introduced through the Commonwealth’s administrative framework rather than legislatively which might have attracted more scrutiny and public debate.
Dr Mann told InnovationAus.com; “If you look to overseas jurisdictions there have been a series of high profile cases indicating that the retention of biometric information can contravene fundamental privacy rights” and that at present Australians would have no obvious avenue for complaint.
Following the UK lead and appointing a Biometrics Commissioner could help address the governance gap she said.
While the FVS allows agencies to verify an identity and will support Govpass, the FIS will match a photo of an unknown person against multiple government records to help establish their identity.
“The FIS will be used to detect people using multiple fraudulent identities and/or suspects of serious and organised crime. For example, it may be used to identify a suspected paedophile from child exploitation material, or to identify an armed robber from a still image taken from CCTV footage,” according to a spokesperson from the Attorney General’s department.
“Access to the FIS will be limited to police and security agencies, or specialist fraud prevention areas within agencies that issue passports and immigration and citizenship documents. It will not be used for minor offences such as littering or parking infringements. The FIS is expected to commence in 2017.”