29 Jul 2022

Risks of biometric verification technology use in public services databases flagged up

2:11 pm on 29 July 2022

A forum has heard about stark risks of governments over-reaching to create national identity databases that control who gets public services.

Facial recognition technology.

Photo: 123RF

At the same time, officials and businesses are talking up the prospects of rolling out more biometrics if New Zealand gets it right.

The World Economic Forum declares that "having a trusted, verifiable [digital] identity is essential."

That was echoed at the annual digital trust forum in Wellington. Its promos said few things were "as critical to Aotearoa's future prosperity and the wellbeing of its people".

Graeme Prentice works for NEC, one of the biggest providers of facial recognition and other biometric verification technology to New Zealand and the world.

"We've pushed people into this digital world, we've shut down branches, we've reduced the physical locations, we've encouraged digital transactions - we have to think carefully about the infrastructure and the support that we give these people," Prentice told the forum.

The mantra from the decision-makers is they will make sure services are accessible and secure, and that it will be up to you, the individual, whether to take part and reap the rewards. These include airline passengers, who increasingly have the option of. using a biometric ID from NEC as their boarding pass.

Simon Thomas, also of NEC, said the individual would always have the choice, and the control over their digital 'wallet', probably kept on their phone.

"Me, the user, I'm responsible for the information on my wallet, and how it gets used or how it's presented and how it gets used," Thomas said.

However, cyber privacy experts, such as US National Security Agency general counsel April Falcon Doss, have repeatedly warned there is an acute power imbalance between individuals who rarely know as much about what data is captured and how it is used, and the data harvesters who do.

The Department of Internal Affairs identification consultant Joanne Knight warned against over-reach.

"Here in New Zealand, currently, we don't have a social licence to have national ID," Knight said.

"And yet in many cases our identity practices are developing a national identifier, if not global identifier, without most of us even realising it."

Setting comprehensive standards was one remedy - though she warned the forum that the country was "woefully short" of the expertise to do that.

Mass digital identity systems are sparking more and more lawsuits.

India wanted to use the world's largest biometric database system, Aadhaar, to control school enrolments, but courts constrained that - while upholding the scheme itself as constitutionally valid.

India began building its biometric database in 2009 saying it was to combat benefit fraud. A similar argument around fraud was made for a $27m identity management system set up by Immigration NZ in 2017, OIA documents show.

Aadhaar sports a card with a unique number tied to an individual's fingerprints, face and eye scan.

The government claims Aadhaar enjoys wide trust and helps minorities, which is disputed by critics.

Māori hi-tech entrepreneur Kaye-Maree Dunn said research was going on overseas into the risks of doing harm with digital ID systems.

"In Kenya, they have a system called Huduma Namba - it's like [NZ government's] Realme on steroids.

"So you can be imprisoned if you do not comply with legislation and you cannot access any government services - you cannot get married, you cannot drive a car, unless you have downloaded this particular app and utilise it," Dunn said.

Courts stalled Kenya's rollout of its $140m system and blocked government attempts to collect people's DNA for the central master population database.

Closer to home, Australia is spending hundreds of millions on digital identity, and by last year two million people had a government digital identity.

The aim is to make webs of inter-operable systems between countries - increasing the complexity where systems are flawed or challenged. NZTA's new driver licence processing system was required to be interoperable with Australia.

The size of the big tech players makes interoperability easier to achieve.

Here, the independent data ethics advisory group, based at Stats NZ, has previously warned that solutions are being built before it gets a say.

Kaye-Maree Dunne said much the same thing, among many Māori demanding they get a real and early say on data sovereignty.

"What does the Treaty look like in a practical format, especially when it comes down to the commercial management of digital identity, the sharing of data with iwi, but also practice of protecting individuals and citizens with their data as well?" she asked the forum.

Digital identity businesses, like JNCTN run by Dan Stemp, say the right digital i.d. tech, used right, can deliver huge benefits.

"We help businesses and individuals to avoid the normal trade-offs between privacy and compliance versus convenience and efficiency," Stemp said.

There other trade-offs, too - between convenience and control, between service and surveillance - say ethicists. If the players get that right, they still face a race against a scale of threats never before imagined.

April George of San Francisco identity management company Okta, said ransomware attacks "absolutely" exploded in 2019 and [https://itbrief.co.nz/story/delinea-report-finds-organisations-are-struggling-to-grasp-identity-related-security protections have been brittle'.

"The terrifying thing is, when I was doing the research on this, the numbers are actually growing 168 percent year-on-year," she said.

"So we are actually growing faster as far as reported attacks than any other region that I could find."

The response

The US is leading a push for what is, ironically, called 'zero trust' security, where everything is suspect and must be authenticated. This follows cyber attacks, such as on SolarWinds, that exposed many weaknesses in US IT infrastructure.

In New Zealand, lan Bell of Internal Affairs, is the leading bureaucrat for digital identity, building an identity checking system online.

He said the Government was pressing on with the digital trust framework bill to set up a secure digital i.d. system, and he is pressing on, too.

"We will bring forward [DIA's] Identity Check and we'll begin the development of verifiable identity credential as well," Bell said.

Identity Check will use facial recognition on the passport and driver licence photo databases.

An industry player was keen to point out that this entails one-photo to one-photo matching, not many-photos to one-photo matching, as is employed in China to scan CCTV feeds.

Bell promised not to charge on ahead but to consult widely with Māori and industry.

"Progress moves at the speed of trust, and that takes time."

What do the ethicists and researchers, who were not on stage at the forum, think?

RNZ sought out the data ethics advisory group, but its former chair said it had not met since December 2020.

  • Māori data specialists not consulted on facial recognition technology - data sovereignty expert
  • Identity revealed: New facial recognition technology expected within the next year
  • What you need to know: Ministries toy with facial recognition