All Watched Over
Look up, facial recognition is already here by Russell Marks
Just before Christmas, it became compulsory in China for anyone wanting a new SIM card for a smartphone to submit to a facial recognition (FR) scan. To say China is charging ahead with the FR revolution is something of an understatement. Consumers’ faces work as digital wallets. Jaywalkers in Shenzhen and people wearing pyjamas in public in Suzhou have been shamed on huge, public screens that display not only faces but also names and partly redacted ID documents. Hong Kong’s police already had access to FR surveillance technology for three years before the pro-democracy protests commenced in March. The New York Times reported last year that Beijing was using facial recognition to track and control ethnic Uighurs – perhaps the first time a government has intentionally used artificial intelligence technology for racial profiling. It’s predicted there will be 570 million Fr-enabled CCTV cameras across China this year. Leaked documents obtained by the Financial Times show that Chinese companies are influential in the development of United Nations’ standards for the use of FR surveillance technology.
For most Australians, these stories – which appear frequently in our press – seem like science fiction. But in cities and towns across Australia, state and local governments, and private companies, have been installing – and quietly trialling – new CCTV cameras enabled with FR technology. At the 2018 Gold Coast Commonwealth Games, for instance, Queensland police used cameras to scan the faces of everyone going in and out of stadiums. Software automatically compared faces with photographs contained in the state’s database of licensed drivers.
Governments are keeping their FR cards very close to their bureaucratic chests. When the Commonwealth Games concluded, Queensland’s police minister, Mark Ryan, refused to say how the state’s FR system would be used in future. Darwin’s city council has promised not to use FR software, even though facial recognition was a central plank in its application for federal funding to support the installation of cameras across the city’s centre.
At the heart of these developments is an agreement between all federal, state and territory governments to take Australians into the brave new world of regulated FR tech. At least three years in the making, the Intergovernmental Agreement on Identity Matching Services was signed at a Council of Australian Governments (COAG) meeting in October 2017. In accordance with its terms, state and territory parliaments have been passing new laws that remove existing limitations on police access to identity data held by other government agencies, and which allow their stores of citizens’ ID data to be made accessible to a National Facial Biometric Matching Capability. That’s a mouthful, so in some policy circles it’s being informally referred to simply as “the Capability”.
On the eve of the COAG meeting, the then prime minister Malcolm Turnbull painted a vision: “All of these databases are used already, you know,” he told a press conference in a pointedly passive tense, skirting questions about who uses them and under what restrictions. “Drivers’ licences are accessible now and are accessed. What we need to do is to make them immediately available, combine them with other biometric data like passport photographs, for example, so that we’re in a position to identify people in real time. I mean, imagine the power of being able to identify a person suspected of being involved in terrorist activities, walking into an airport, walking into a sporting stadium.”
In other words, our drivers’ licences, our passports and anything else featuring our photos are being drafted into a giant new national ID system that has the potential to identify us in real time. And we’ve never voted for it.
Since Turnbull’s announcement, the government has been hosing down expectations (and fears) that the system will be live. Bureaucrats say the Capability can’t deliver anything like what’s happening in China. “It can’t be connected directly to a live CCTV feed,” explained Andrew Rice, of the Department of Home Affairs’ Identity and Biometrics Division, to the Parliamentary Joint Committee on Intelligence and Security (PJCIS), which ran a two-part inquiry either side of last year’s election into the federal bill that would enact it. The committee was told that live FR surveillance wouldn’t be technically possible under the Capability’s current design.
Press conferences, departmental submissions and parliamentary inquiry hearings indicate a building frustration among ministers and bureaucrats. Legal and human rights experts, they say, fundamentally misunderstand – and therefore misrepresent – the Capability and its implications for individuals’ privacy. Its proponents say the Capability will simply automate and regulate the use of existing databases to provide better and more secure services to identify wrongdoers (for police and intelligence agencies) and to verify the identities of people who want passports, social security, mobile phones, and a range of other state and state-regulated services.
The federal Identity-matching Services Bill is mostly silent on how the Capability would work in practice. Full of acronyms, the bill would allow the home affairs department to “develop, operate and maintain” both an “interoperability hub” and the “NDLFRS”, and sets initial controls on who can access the five “services” – the FIS, the FRAUS, the FVS, the IDSS and the OPOLS – and in what circumstances. These initial limitations are legislatively designed to be relaxed later. Footnotes in the bill explain what these acronyms are short for, and then refer the reader to the longer (but not much clearer) intergovernmental agreement to find out more about them.
“The final identity solution decision still needs to be made by the user agency,” Andrew Rice explained to the PJCIS with all the eloquence of a technical manual. “The system has been specifically designed this way to ensure there is always a person in the loop.” This distinguishes the Capability from equivalent overseas systems, such as China’s and Japan’s, which are fully automatic and can be run live.
The intergovernmental agreement isn’t law, though, and is only a COAG meeting and a system upgrade away from amendment. Submission after submission to the PJCIS warns of the ease with which the Capability might be switched in future to a live system of CCTV cameras equipped with facial-recognition tech capable of tracking each of us as we walk down the street.
Despite bureaucratic assurances, experts point out that the Identity-matching Services Bill says nothing at all about prohibiting a live mass surveillance system. The Human Rights Law Centre has called the bill “manifestly and dangerously insufficient” to enact the terms of the intergovernmental agreement. At one point, Victoria threatened to pull out of the agreement, claiming the bill gives powers to the home affairs minister – currently Peter Dutton – to expand the Capability in the future in ways to which the states didn’t agree. Despite its qualms, Victoria uploaded its residents’ drivers’ licence photos to the national system in September. A government spokesperson says they can only be accessed by Victorian government agencies, which raises the question of why they were uploaded at all.
Indeed, the bill falls on the wrong side of all risk factors identified by Georgetown University’s law school, in Washington, DC, for the use of facial recognition by police and other government agencies: it supports “dragnet” searches for facial biometrics in public with no requirement for warrants; it supports the use of databases full of information about everyone (not just of previously convicted offenders, for example); and it supports searches that are “invisible”, or panoptical, so that we won’t know when our facial biometrics are being captured.
When he announced it, Turnbull described the Capability as merely the “logical next step” in identity verification. As things stand, anyone hoping to verify someone’s identity – Centrelink, employers, mobile phone retailers – must rely on the existing Document Verification Service that, since 2008, has simply confirmed that an ID document (such as a driver’s licence) is valid. The DVS can’t, however, confirm that a particular licence belongs to a particular person. Enter the Capability, which, via facial recognition, promises precisely that. Peter Dutton told parliament it will reduce “identity crime”. The Department of Foreign Affairs and Trade says it will also help police and intelligence agencies act “without delay” during events such as the Lindt cafe siege, when police couldn’t confirm Man Haron Monis’s identity for more than four hours.
But can Australia’s Capability deliver? Scotland Yard has been running its own trials of Fr-enabled CCTV, which purport to identify people in real time, since 2016. One of the trials, at the Notting Hill carnival, misidentified 95 innocent people as wanted suspects and had an error rate of 98 per cent. Trials in other domains would be abandoned at that point. The Yard forged on, apparently taking the view that the tech could only improve.
In the Chinese city of Ningbo, FR systems notoriously mistook a face in an ad on the side of a bus – that of Dong Mingzhu, a well-known businesswoman – for a jaywalker and publicly shamed her.
Failures like these should be a reality check for those who claim to be unconcerned about increasing surveillance. It’s a common refrain: if you don’t break the law, there’s nothing to worry about. A more accurate refrain might be: if you don’t break the law, and the government (and each of its tens of thousands of employees) don’t break the law, and the computers don’t malfunction, and the system is well designed and maintained, and the government doesn’t economise on its implementation, and nobody enters data incorrectly, and all of the system’s users are adequately trained and think critically about it, and nobody hacks into it, and identities aren’t stolen, then there’s nothing to worry about.
The logical next step. It’s a phrase loaded with meaning for long-time observers of technology. In 1954, French sociologist Jacques Ellul warned that the logic of what he called “technique” was all-pervasive. If something could be done more efficiently, or more exactly, or more certainly, then it would be – regardless of social consequences. Each new technique both solves some existing deficiency and creates the next problem to overcome. Max Weber had already found this logic in the modern bureaucracy, which is forever seeking better means to collect, store, retrieve and use the more and better data it needs to rationalise the tasks it performs. The Capability bill’s main purpose, the home affairs department explained to the parliamentary committee, is to authorise the department “to collect, use and disclose identity information in order to operate the technical systems that support the provision of face-matching services” [my emphasis]. Technique creates the demand. Because they can, they will – and they need more of our data to do it.
Australian government departments have for a very long time wanted centralised databases full of as much information as they can possibly get about us. They use and re-use all kinds of justifications. The need to control rations justified Australia’s first, short-lived ID card during World War Two. And it was the need to smash tax fraud, welfare fraud and illegal immigration that in September 1985 led Bob Hawke’s treasurer, Paul Keating, to sell to voters an idea that would become the greatest of all cautionary tales for a generation of Australian bureaucrats.
First proposed by Australian Tax Office officials in April of that year, the idea of a national identity card – an “Australia Card” – was taken up with gusto by Medicare’s administrator, the Health Insurance Commission, which quickly convinced the government it was the agency to run such a scheme. Newspaper editorials and opinion polls cast nearly everyone as supporters. Who wouldn’t be in favour of clawing back millions from tax cheats?
Its proponents were always a little fuzzy as to how exactly the “Australia Card” would achieve that end. And it had some staggering implications. Employers
who gave anyone a job, or indeed paid an employee, without first seeing their card would commit a criminal offence. Likewise, anyone opening a bank account or selling or renting out their house. Social security and other government benefits would simply be impossible to access without producing a card. And anyone who lost or damaged their card and couldn’t prove that loss was accidental faced two years in prison.
Concerns about these and other implications led the majority of a parliamentary committee – including Labor’s John Saunderson, a former Telecom technician – to “unequivocally reject” the Australia Card even before they saw legislation. Undeterred, the Hawke government then rushed the Australia Card Bill through the lower house, only to meet a Senate blockade. The bill was again defeated the following April, providing Hawke with a double-dissolution trigger. He pulled it. The government was returned – this was the “Joh for Canberra” campaign – and introduced the bill a third time. Its inevitable defeat would have led to a joint sitting of both houses, where a Labor majority would inevitably have passed it.
Meanwhile, however, opinion leaders from across the political spectrum had coalesced in a group they called the Australian Privacy Foundation, which from late August 1987 ran a remarkably effective campaign against the Australia Card. Peter Garrett, Democrats Senate leader Janine Haines and writer Frank Hardy found themselves strange bedfellows – Hawke’s famous phrase – with Alan Jones and the late conservative philosopher Lauchlan Chipman. Every Sunday night for weeks they had an anonymous Health Insurance Commission bureaucrat leak a new piece of information about the Australia Card’s opaque administration. Garrett called the card “the greatest threat Australia had ever faced”.
Historian Geoffrey Blainey compared the revolt against the Australia Card to the goldminers’ rebellion against compulsory licences at Eureka. Letters flooded into newspaper editors. Thousands took to the streets in centres from Perth to Orange in the largest public demonstrations since the Vietnam War moratoriums. Giant mock Australia Cards were burned on university campuses. What happened next is now the stuff of policy wonk legend. At the eleventh hour, a retired public servant noticed what, incredibly, nobody else had: that certain penalty clauses would only come into effect on a date to be determined by regulation, which in turn could be disallowed indefinitely by the hostile Senate. In other words, the scheme would pass into law but remain forever unenforceable. The government had to redraft the bill and start again, so the joint sitting was no longer available to it. But with support for the card down to 39 per cent and falling, it didn’t bother. The Hawke government’s Australia Card experience has given governments wanting a national ID system pause ever since.
Until recently, it seems.
Technological advances since the mid 1980s allow surveillance and data-matching on a scale that dwarfs anything the Australia Card could have promised. A list of privacy-threatening tech contained in a 1983 Australian Law Reform Commission report now reads like a catalogue of Get Smart props: miniature tape recorders that could be concealed inside cigarette packets; binoculars with built-in cartridge cameras; microphones hidden in watches, pens and business cards. For a person to enjoy the same level of privacy she did just three decades ago, she would need to avoid using mobile phones, the internet, credit cards, toll roads; she’d need to avoid engaging with government services and going anywhere that CCTV is installed or mobile phones are being used by others; she’d need to constantly pester marketing, credit and government agencies for copies of the data they hold about her. Such a person would seem entirely paranoid.
By matching facial-recognition data to existing government databases, our faces effectively become “Australia Cards” we can’t lose or reject.
We still resist physical intrusions by authorities, insisting on warrants and consent. We wouldn’t be comfortable with police officers routinely stopping us in public to take our fingerprints. But our facial biometrics are just as unique, and – through existing databases – are linked to much more than just our criminal histories. It’s been observed that the computerised “king” now enters the Englishman’s castle without the occupant being aware he’s even there. Soon his electronic eye, with its data-matching superpowers, will be able to know exactly where each of us is.
Polls say most of us aren’t comfortable with the extent to which we’re tracked, especially when our harvested data is traded and used in ways to which we didn’t consent. And we don’t really know the extent to which the mere possibility of being watched and tracked regulates what we do and even how we think. But facial recognition hasn’t sparked mass protests, and the youngest of us are both the least worried and the most likely to voluntarily publicise their private lives through social media, most obviously via Facebook’s platforms, including Instagram. Surveillance researchers have long written about its “two faces”: in return for our privacy and anonymity we have enjoyed the benefits of email, the web, safer roads (via speed and red-light cameras), mobile phones and then smartphones, Facebook, algorithmic data-matching, smart cards and digital wallets.
The federal Digital Transformation Agency’s recent marketing video doesn’t tell us what its new “digital ID” is, or how to use it, though the video does use reassuring words such as “easy”, “secure”, “choice”, “control”, “inclusive”, “comfort”, “confidence”, “simpler” and “accessible”. But experts say we should be deeply sceptical about bureaucracies, police forces and governments’ claims about the benefits of the data-matching surveillance technologies that make up the Capability. While its proponents say the Capability is necessary to combat identity theft, experts point out that creating centralised stores of biometric data could instead increase the opportunities for such theft. Recent breaches have leaked personal data held by the Australian Bureau of Statistics, the Australian Electoral Commission, hospitals, public transport ticketing systems, TAFES, state and federal government departments, universities and federal My Health records, not to mention the frequent data breaches at private companies. The
Imagine Fr-enabled CCTV cameras, already installed in Australia’s cities, with the ability to identify every single climate protester, striking worker or anti-war demonstrator.
Office of the Australian Information Commissioner reports regularly on data breaches and finds that, while some are caused by “system errors”, more are caused by human error. And many more, just under two thirds of all breaches, are caused by malicious or criminal hacks. Once hacked, experts say, biometrics can no longer be used as identifiers.
Australia’s Capability won’t initially allow for live mass surveillance. But the technology exists. The Identity-matching Services Bill – if passed – would allow it. And when a major crime happens that real-time identification might have prevented, we’ll clamour for it.
When it was touting for the Australia Card, the Health Insurance Commission advised the Hawke government to “use a staged approach for implementation” so as to “minimise any adverse public reaction”. Just what do Australia’s bureaucracies have in the FR pipeline?
The Capability will allow much more rigorous, and more efficient, identity verification. Because verifying ID and data-matching will be cheaper and easier, departments will do more of it. Agencies that now receive hundreds of ID verification requests every year expect to field thousands per day under the Capability. Where will those requests come from?
It’s not difficult to speculate. Services Australia (formerly the Department of Human Services), which