Thursday, April 27, 2017

Mission creep

When the government introduced facial recognition technology in passports back in 2006, they assured us that it was about border control and visa processing and that our biometric information would be protected. But fast forward a decade, and we get this:

DIA is a world leader in identity verification and issuing secure passports. Facial Recognition (FR) is a cornerstone of the automated rules processing in the Passports System. DIA is now seeking to replace the current FR solution and look more broadly at its usage across DIA.

DIA is looking to take advantage of industry improvements both now and for the future and move to a service delivery model as an operational cost rather than ongoing capital investment. DIA is therefore taking an as a service approach to procuring a FR capability.

DIA recognises that other New Zealand Government agencies may currently or in the future wish to utilise a DIA Lead FR Service. On this basis, DIA wish to proceed with an Open Syndicated Contract. This will allow any other Government agency to use the contract. DIA will act as the Lead Agency and deal with all aspects of the contract development and management.

[Emphasis added]

Facial recognition as a service means inevitably that the contractor will have to be given a copy of DIA's RealMe and passport photo databases so they can check images against them. Some of our most sensitive personal information will be handed over to a foreign company and stored int he cloud where it can be accessed by hackers and foreign intelligence services - without asking our permission.

Meanwhile, the "open syndicated contract" suggests wider use of facial recognition by the government. At the moment, its mostly used by Immigration for passport control purposes (for NZ citizens, this basicly means Smartgate, which throws your photo after confirming your identity). But DIA seems to expect it to be more widely used, perhaps by police, WINZ, and CYFS (and probably by the spies as well). And again, they're doing this in secret, without asking our permission.

Two of our most basic privacy principles are that our information will only be used for the purposes for which it is collected, and that it will not be shared without our permission. DIA seems to be pissing on that. No wonder they're trying to keep this quiet.