Risks of using biometric verification technology in utility databases flagged

One forum heard of the significant risks of governments going too far to create national identity databases that control who gets public services.

Photo: 123RF

At the same time, officials and companies are talking about the prospects of rolling out more biometrics if New Zealand is successful.

The World Economic Forum states that “having a reliable and verifiable database [digital] identity is essential.”

This was echoed at the annual Digital Trust Forum in Wellington. His promos said that few things were “so essential to the future prosperity of Aotearoa and the well-being of its people”.

Graeme Prentice works for NEC, one of the largest providers of facial recognition and other biometric verification technologies in New Zealand and around the world.

“We’ve pushed people into this digital world, we’ve closed branches, we’ve reduced physical locations, we’ve encouraged digital transactions – we need to think carefully about the infrastructure and support we provide to these people,” Prentice told the forum.

The mantra of decision makers is that they will ensure that services are accessible and secure, and that it will be up to you, the individual, to participate and reap the rewards. These include airline passengers, who increasingly have the option of. using a biometric ID from NEC as a boarding pass.

Simon Thomas, also of NEC, said the individual would still have choice and control over their digital “wallet”, likely kept on their phone.

“I, the user, am responsible for the information in my wallet, and how it is used or how it is presented and how it is used,” Thomas said.

However, cyber-privacy experts, such as US National Security Agency General Counsel April Falcon Doss, have repeatedly warned that there is an acute power imbalance between individuals who know about it. rarely so much about the data captured and how it is used, and the data collectors who do.

Home Affairs identification consultant Joanne Knight warned against overreaching.

“Here in New Zealand currently we don’t have a social license to have a national ID card,” Knight said.

“And yet, in many cases, our identity practices develop a national, even global identifier, without most of us realizing it.”

Setting comprehensive standards was a remedy – although she warned the forum that the country “woefully” lacked the expertise to do so.

Mass digital identity systems are attracting more and more lawsuits.

India wanted to use the world’s largest biometric database system, Aadhaar, to control school enrollment, but courts have restricted it – while maintaining the system itself as constitutionally valid.

India started building its biometric database in 2009 saying it was to tackle benefit fraud. A similar fraud argument was made for a $27 million identity management system set up by Immigration NZ in 2017, according to OIA documents.

Aadhaar sports a card with a unique number linked to an individual’s fingerprints, face and eyes.

The government claims that Aadhaar is widely trusted and helps minorities, which is disputed by critics.

Maori tech entrepreneur Kaye-Maree Dunn said research was being done overseas into the risks of harming digital ID systems.

“In Kenya they have a system called Huduma Namba – it’s like [NZ government’s] Realme on steroids.

“So you can be imprisoned if you don’t follow the law and you can’t access any government service – you can’t get married, you can’t drive a car, unless you download this particular app and use it,” Dunn said.

Courts have blocked Kenya’s rollout of its $140 million system and blocked government attempts to collect people’s DNA for the central population database.

Closer to home, Australia spends hundreds of millions on digital IDs, and last year two million people had government digital IDs.

The goal is to create networks of interoperable systems between countries – increasing complexity where systems are faulty or contested. The new NZTA driver’s license processing system had to be interoperable with Australia.

The size of the major technological players facilitates interoperability. For example, biometric identity authentication company ID.me, which is under contract with Immigration NZ, also performs biometric selfie checks to access US government tax services.

Here, the Independent Data Ethics Advisory Group, based at Stats NZ, has previously warned that solutions are being built before it has a say.

Kaye-Maree Dunne said much the same, among many Maori demanding they have a real, early say on data sovereignty.

“What does the treaty look like in a practical format, especially with regard to the commercial management of digital identity, the sharing of data with iwi, but also the practice of protecting individuals and citizens with their data as well?” she asked the forum.

Digital identity companies, like JNCTN led by Dan Stemp, say the right digital ID technology, used correctly, can deliver huge benefits.

“We help businesses and individuals avoid the normal trade-offs between privacy and compliance versus convenience and efficiency,” Stemp said.

There are also other trade-offs – between convenience and control, between service and surveillance – say the ethicists. If players are successful, they still face a race against a scale of threats never before imagined.

April George of San Francisco identity management firm Okta said ransomware attacks “absolutely” skyrocketed in 2019 and [https://itbrief.co.nz/story/delinea-report-finds-organisations-are-struggling-to-grasp-identity-related-security protections have been brittle’.

“The terrifying thing is, when I was doing the research on this, the numbers are actually growing 168 percent year-on-year,” she said.

“So we are actually growing faster as far as reported attacks than any other region that I could find.”

The response

The US is leading a push for what is, ironically, called ‘zero trust’ security, where everything is suspect and must be authenticated. This follows cyber attacks, such as on SolarWinds, that exposed many weaknesses in US IT infrastructure.

In New Zealand, lan Bell of Internal Affairs, is the leading bureaucrat for digital identity, building an identity checking system online.

He said the Government was pressing on with the digital trust framework bill to set up a secure digital i.d. system, and he is pressing on, too.

“We will bring forward [DIA’s] Identity Check and we will also begin development of verifiable credentials,” Bell said.

Identity control will use facial recognition on passport photo and driver’s license databases.

One industry player was keen to point out that this involves a photo-to-photo match, not a multiple-photo-to-photo match, as is done in China to scan CCTV feeds.

Bell promised not to charge in advance but to consult widely with Maori and industry.

“Progress moves at the speed of trust, and that takes time.”

What do the ethicists and researchers, who were not on the forum scene, think?

RNZ solicited the data ethics advisory group, but its former chair said it had not met since December 2020.