As the government moves ahead with plans for a giant “hub” storing driver’s licence photos, passport photos and other facial images for new recognition technology, the Greens have called for a wider debate on Australia’s creeping surveillance state.
The Australian government is developing a system that will pool state and territory facial recognition technologies so that driver’s licence photos, passport photos, and even stills from CCTV footage taken around the country could be used to identify people of interest to the Australian Federal Police, spy agencies, Customs and Border Protection and other law enforcement agencies.
The Attorney-General’s Department has allocated $12.6 million in funding for the implementation and operation of the hub, and an additional $5.8 million to assist the states and territories to connect to the hub. According to the department there are more than 100 million facial images held by government agencies that are responsible for issuing ID documents.
The “capability”, as it is being called within the department, was brought up by Greens Senator Scott Ludlam in an estimates hearing this week, where it was established that the system would be able match official photos in one jurisdiction with those of another. For example, a passport photo could be matched against a driver’s licence photo in Victoria. The system will also be able to take a photo of someone’s face that the authorities don’t know, and check it against the 100 million faces in the database for a match.
In estimates, assistant secretary for cyber and identity security policy Andrew Rice said for those poor-quality photos, there would often be difficulty in matching the faces in the system, but there would be a “specialised capability” to deal with the errors in recognising faces.
Attorney-General George Brandis confirmed the government would not be introducing new legislation to bring about the new facial recognition system, and Rice said existing laws should cover the capability:
“In terms of ingesting them, in terms of the legal purpose, it would go to the legal commissions that the user agency already has to either collect or disclose information. It is possible that still images out of those kinds of environments which you talk about could be put into the system. That will be a choice for the users of the system, and their making that choice will be on the basis of their existing legal permissions.”
Rice insisted that only ever in the most serious cases would agencies look to match a photo without knowing the name of the person they were looking for.
Ludlam told Crikey he was concerned that the system would have internal oversight for privacy and auditing of the system, but unlike data retention, there would be no public debate on it through legislation or parliamentary inquiry.
“The problem is this is a process, not a product. They haven’t said ‘here’s the end state of this thing we’re calling the capability’. It’s much more of a process that is going to change, and adapt and grow.”
He said that assurances that external privacy organisations would be consulted as part of the development of the system were no comfort.
“That’s a very long way from any kind of public process of oversight. Once this hub is built — they’re at pains to say they’re not digitising more faces — they’re creating a hub that will be able to cross-match different collections. I’m obviously very concerned about how quickly that scope could creep,” Ludlam said.
It could start with passports, but if agencies have scraped images from social media — legally — then that could be included in the hub.
“At the point they only talk about being stills, but of course videos are very rapid collections of stills. At the point where you can patch in CCTV cameras, the system starts to approach a point of ubiquity, and I think it is important we catch it before it gets that far.”
The department said earlier this year that although it couldn’t take direct CCTV feeds, the system would be able to process still images from CCTV.
Ludlam said there needed to be a public debate on the system, similar to the debate on data retention, detailing who can access the system, and collect the data.
“Both of those debates need to be public, and not a conversation with the AGD, and police agencies, which is what they appear to be attempting.”
But Ludlam is not convinced the Greens should launch another Senate inquiry into another surveillance measure being implemented by the government.
“I am getting a little bit tired of chasing these things from behind, as they race away in front of us. I think we need a much deeper conversation about digital rights as they relate to human rights in this country. There’s facial recognition now, at some point they’re going to be patching DNA holdings and fingerprint holdings into this thing … these things are kind of getting enmeshed around us, and we don’t have a response except these one-off fights.”
On the issue of mandatory data retention, the Attorney-General’s Department confirmed in estimates hearings an exclusive report from Crikey that the department would keep $2.9 million of the $131.3 million funding to be allocated to telecommunications companies to build systems to store customer communications data for two years on behalf of the government.
AGD data retention taskforce officer Samantha Chard told the committee the $2.9 million would be for support staff, IT systems, administration processes, and a grants program to allow telcos to apply for funding online. As was predicted, most telcos are not compliant with the data retention legislation, despite the deadline to submit implementation plans or applications for an extension out to April 2017 passing earlier this month.
“The department has received 227 implementation plans, or applications for exemption or variations from providers. Decisions have been made on 79 of those, as at 13 October. All of the decisions that were due within the statutory time frame for consideration have had decisions made against them,” Chard said.
The remaining plans will be assessed over the next two months, Chard said, and those late with applications would most likely not be penalised for it.
“The priority for the department is to work collaboratively with any providers during the 18-month implementation period. That is going to be our predominant focus — to work with those providers who have yet to submit any applications. We will not be looking to pursue enforcement action within the implementation period unless it is an absolute last resort,” she said.