Time for an about-face? Flaws in facial recognition plan
10 Aug 2018

Search for news articles about the face identification service and you won’t find much. At one level, that’s curious because it’s about to usher in a potentially far-reaching change to law enforcement and Australian society. On another level, the lack of focus is understandable because of the complexity of the scheme and draft implementing legislation.

Major holes in the proposed legislation have been identified in various parliamentary submissions, and the Parliamentary Joint Committee on Intelligence and Security will hold another round of public hearings later this month. But these concerns have so far failed to attract much attention. Two of the biggest problems with the current draft bill are the loose wording that allows the use of biometric facial matching for purposes as diverse as ‘preventing’ crime and ‘road safety activities’; and the ability of states and territories to use biometric facial matching for any crime or petty offence (subject to state and territory laws).

The genesis of the proposal was a Council of Australian Governments agreement in October 2017, when the prime minister and state and territory leaders agreed to establish national facial biometric matching services. The emphasis was placed squarely on the counterterrorism potential, not the two most likely future uses of the capability: general policing and digital identity (the latter is covered in a forthcoming policy brief from ASPI’s International Cyber Policy Centre). As the prime minister said at the time: ‘Imagine the power of being able to identify, to be looking out for and identify a person suspected of being involved in terrorist activities walking into an airport, walking into a sporting stadium … This is a fundamentally vital piece of technology.’

The national facial biometric matching capability is actually made up of two systems:

  1. The face verification service (FVS): ‘a one-to-one, image-based verification service that can match a person’s photo against an image on one of their government records (such as a passport photo) to help verify their identity’
  2. The face identification service (FIS): ‘a one-to-many, image-based identification service that can match a photo of an unknown person against multiple government records to help establish their identity. Access to the FIS will be limited to police and security agencies, or specialist fraud prevention areas within agencies that issue passports, and immigration and citizenship documents.’

The FVS and FIS will be made possible through the creation of a Commonwealth-run hub that connects various photographic identity databases run by states and territories (e.g. driver’s licences) and by the Commonwealth (e.g. passports).

The legislation that will allow for its creation is the Identity-matching Services Bill 2018. For a scheme so amenable to overreach, the bill is remarkably loosely worded. Reading the COAG agreement that the bill implements, you could be forgiven for thinking at least some controls are in place. For example, the COAG agreement states:

Agencies with access to the FIS may only use the FIS for one or more of the following permitted purposes: … (b) General law enforcement—the prevention, detection, investigation or prosecution of an offence under Commonwealth, state and/or territory laws carrying a maximum penalty of not less than three years imprisonment.

In reality, this three-year threshold (which is omitted from the draft bill) applies only to use of the FIS between jurisdictions (e.g. NSW police running a biometric search on a Victorian resident). In practice, state police will mostly be investigating residents of their own jurisdictions. So, for the overwhelming majority of cases, the three-year rule won’t apply. It’s up to states and territories to decide what, if any, minimum threshold applies before biometric matching can be used.

The institutional logic for police forces around the country is to seek permission to use the FIS for as many activities as possible to create internal efficiencies; for state and territory governments, it’s to save money. With the increasing use of CCTV and improvements in biometric matching, expect a lot more automated policing for ever less serious offences. For those interested in civil liberties, the question will become what threshold for use of the FIS is tolerable—automated fines for double parking, littering, jaywalking?

Unfortunately, the problems with the FIS are not isolated. As the My Health Record controversy suggests, it is part of a growing pattern where digitisation initiatives are built with the wrong user in mind. The convenience of government departments is prioritised over the citizens they serve. Repeatedly, Australians are assured everything is fine, only to discover they have been hoodwinked. Opt-in becomes opt-out. Safe and secure, it is later discovered, means warrantless police access.

And each time the public’s trust is broken, it becomes harder to roll out other digitisation initiatives that are essential to a 21st-century economy and society. Getting things back on track won’t be easy. It requires a complete overhaul in approach: putting citizens at the centre.