Your face is becoming the latest weapon in the world of digital surveillance, and the humble driver's licence looms as a game-changer in tracking individuals through both the real and virtual world.
Experts warn your biometric data may already be vulnerable to misuse by criminals and terrorists, as the proliferation of mobile cameras combined with social media and ubiquitous CCTV feeds mean we're caught on screen more than ever before.
- Biometric data builds an online profile using your photo, age and address
- This can then be matched against photos gathered from the internet or CCTV
- The data can be used by government agencies, along with companies and criminals
Driver's licences will be added to the Commonwealth Government's already vast biometric databases after it struck an agreement with the states and territories, handing authorities access to an unprecedented level of information about citizens.
A system known as "the interoperability Hub" is already in place in Australia, allowing agencies to take an image from CCTV and other media and run it against a national database of passport pictures of Australian citizens — a process known as "The Capability".
But soon driver's licences will be added to the system, allowing both government and private entities to access your photo, age and address.
It is a $21 million system being sold as a way to tackle terrorism and make commercial services more secure.
But experts warn people now risk losing control of their biometric identity entirely as commercial interests, governments and organised crime gangs all move to capture more personal metadata for their own gain.
Driver's licences change the biometric game
Technology and legal expert Professor Katina Michael said about 50 per cent of the population already had some kind of visual biometric stored in a nationally-accessible database, but the inclusion of drivers licenses would see the proportion of Australians scooped up in the net swell to about 80 per cent.
She said one of the biggest risks of the collection of biometric data was not deliberate misuse by the AFP, ASIO or another government agency, but rather vulnerabilities in the way biometrics work.
Who can access your biometric data?
Document Verification Service (DVS) – government and private sector
- Companies and government can run an identity document through a database to see if it matches information held on file, and that the document has not been revoked
- Individual must consent before DVS used
Face Verification Service (FVS) – government and private sector
- Enables a facial image of an individual to be compared against government records of that same individual, such as passports and drivers licences
- Individual must consent or a legislative basis must be established to collect the information, and use must comply with the Privacy Act
Face Identification Service (FIS) – only law enforcement agencies can use
- A facial image can be compared against multiple facial images held on a government database, including Australian citizens' passport photos and now driver's licences.
- Multiple records of people who have a close match to the image are usually returned
- An agency must have a legislative basis or authority to collect and use the information
- Access is restricted to law enforcement agencies or those with national security related functions
"It's not like a one-on-one match, where you put (in) an individual's face and say: 'they're a suspect'," Professor Michael said.
"But rather what you get returned is a number of possibilities … you might get back 15, or 20, or 30, or 50 matches.
So you might have 50 innocent people being suspects, rather than the person that you're trying to catch.
Professor Michael said this meant that while over time a person's name might be cleared, their data could remain in a database linked to a criminal investigation.
"And then I'm thinking, what happens to their level of innocence as time goes on, because they accidentally look like a minority group?" she said.
She said real criminals and terrorists would opt out of the system, choosing not to have passports and driver's licenses in a bid to escape the net.
"Of course, if you've done nothing wrong, the old adage says you're fine. But increasingly, we don't know if we're fine," she said.
The rise of 'uberveillance'
Professor Michael said modern surveillance methods employed by law enforcement were not just limited to CCTV — they now incorporated vast amounts of metadata and social media, leading to a concept known as "uberveillance" in which people were constantly monitored.
"What we have now are digital footprints that we all leave behind," she said.
"Phone call records, internet searches, credit cards and even the data on your electronic train or bus ticket can be used to track your movements and activity.
"It brings together all these various touchpoints, telecommunications records, travel data via tokens, facial recognition on federal databases, your tax file number … that's accessible depending on the level of crime and social media.
"You've got this very rich almost cradle-to-grave kind of data set that's following you."
Organised criminals want your identity
Stephen Wilson runs Lockstep Consulting, a Sydney-based firm which researches and tracks trends in biometrics in the corporate and government spheres, and advises clients on best-practice.
He said at the moment very secure biometric systems took quite a long time to process images accurately.
Problems arose when consumer convenience, such as being able to unlock a phone or access a bank account with a quick face or fingerprint scan, trumped security.
"No police force, no public service, no business is ever perfect, there is always going to be corrupt people," Mr Wilson said.
"The more exposure we have to electronic databases, the more exposure we have to biometric matching, it's only a matter of time before these bad actors succumb to temptation or they succumb to corruption and they wind up using these systems inappropriately."
Your biometric twin is out there
Mr Wilson said biometrics were creeping into consumer services like bank accounts and online betting facilities, with customers asked to send a picture of their licence and a "selfie" that will be run through an identity matching service.
"The real risk is that bad actors will take people's photos, ask for a match, and get back a series of matches of people that are kind of like your biometric twin," he said.
"We've all got doppelgangers, we've all got people in public that look just like us.
"If you're trying to perpetrate a crime, if you're organised crime, and you're trying for example to produce a fake driver's licence, it's absolute gold for you to be able to come up with a list of photos that look like 'Steve Wilson'."
Technology companies like Apple and Samsung have championed the use of biometrics such as fingerprints, and this has taken a step further with facial recognition becoming more common thanks to the release of the iPhone X.
However Mr Wilson said a key difference was that information stayed on the phone, while banking and other commercial interests trying to use your biometrics to confirm your identity could be storing it on a server anywhere.
"Do you really want your photo, which is a pretty precious resource, sent off to a company perhaps on the other side of the world just so you can get a quick bank account or quick betting service set up?" he asked.
What will happen next?
An annual industry survey conducted by the Biometrics Institute, known as the Industry Trend Tracker, has nominated facial recognition as the biometric trend most likely to increase over the next few years.
Respondents believed privacy and data protection concerns were the biggest constraint on the market, followed by poor knowledge of decision makers, misinformation about biometrics and opposition from privacy advocates.
The Australian law reform commission says biometric systems increasingly are being used or contemplated by organisations, including in methadone programs, taxi booking services, ATMs and online banking, and access to buildings
Dr Michael said governments needed to be very cautious about how they applied this rich new source of data in the future.
She said governments were building these agreements between themselves and corporations in a bid to stamp out fraud, but that goal was not always achieved and the potential for mistakes was vast.
"What we have is this matching against datasets, trying to find the needle in the haystack," she said.
"Often what happens is we don't find the needle."
A statement from the Department of Home Affairs said the Australian Government was exploring making the Face Verification Service available to the private sector, but nothing had started at this point.
It said arrangements for private sector access would be informed by an independent privacy impact assessment and those using it would need to demonstrate their lawful basis to do so under the privacy act and where they had gained consent to use a person's image.