A provision of the “foreign fighters” national security bill currently being considered by Parliament would allow the same department that accidentally published details of thousands of asylum seekers’ identities to collect fingerprint and retina scans of every person entering and leaving Australia without legislative approval, store them and share them across government, creating a treasure trove of personal data that, if stolen, could never be amended or overwritten.
The provision, which has received little attention, is in schedule 5 of the Counter-Terrorism Legislation Amendment (Foreign Fighters) Bill 2014 currently being considered by the Joint Committee on Intelligence and Security. According to the bill’s Explanatory Memorandum,
“Amendments to sections 166, 170 and 175 of the Migration Act will authorise a clearance authority, which is defined as a clearance officer or an authorised system, to collect and retain personal identifiers (specifically a photograph of the person’s face and shoulders) of citizens and non-citizens who enter or depart Australia or who travel on an overseas vessel from one port to another within Australia. The amendments will also permit the disclosure of that information for specified purposes … The amendments include new subparagraphs 166(1)(d)(ii), 170(1)(d)(ii) and 175(1)(d)(ii) that will allow an authorised system to collect other personal identifiers …”
Those other identifiers are to be prescribed by regulation. According to the EM, “other personal identifiers such as a person’s fingerprints or iris scan may be prescribed in the Migration Regulations”. That is, the government could decide to give itself the power to collect fingerprints and retina scans of everyone entering and leaving Australia merely by regulation, not by legislation.
Labor’s Anthony Byrne, deputy chair of JCIS, pushed an official of the Department of Immigration and Border Protection to justify the new laws at a committee hearing last Friday. The official insisted there were adequate safeguards around the current database for personal identifiers (which is in essence facial recognition data) and sharing procedures, which were based on needing to have a reason to access the data, similar to accessibility of metadata. It wasn’t enough to satisfy Byrne.
“Do you think it might be a bit helpful, if we do approve this legislation, to have very, very strict terms and conditions in terms of who you can share this biometric-style metadata with?” he asked.
“From my perspective,” the official replied, “the protections lie in the reasons for the exchange. It is not so much in the organisations it can be shared with; it is the reasons for the exchange — not for any general purpose but simply for the purposes of –”
But Byrne interrupted him: “That is the same with metadata, and you can see how there has been mission creep all over that in terms of who can access that. If the bill ever comes towards the committee we will be looking at that very substantially. We looked at it at the previous committee. There were too many people who had access to it. So, my point to you is that if you have this really important information, you would need to be very clear about who you would share this information with — and not just a series of ideas; you would need to stipulate and limit who you shared this biometric data with.”
Even more alarming is that the Immigration and Border Protection portfolio has a woeful record on data security. In February, in an astonishing security breach, the department was revealed to have published online personal details about nearly 10,000 asylum seekers, potentially placing their lives in danger if they were returned to their home countries. This year, the department has also sought to cover up details of grossly inadequate health care services for detainees, while confidential information has been leaked to News Corp tabloids for favourable coverage.
Neither the provisions of the bill, nor the EM, nor the responses of the official attempting to justify them to Byrne address the fundamental concern about biometric data: that once stolen, leaked or accidentally transferred to unauthorised people, the damage can’t be undone. Fingerprints and retinas can’t be changed like a credit card number can, and a database of millions of Australians’ and international visitors’ fingerprints and retina scans will prove an irresistible honeypot not merely for other law enforcement and security agencies but criminals as well.
Given Immigration’s form, we may be lucky it doesn’t simply publish them online for all to collect.