If you have nothing to hide, you have nothing to fear, right? Wrong. By JANE DUNCAN.
US attorney Brandon Mayfield had nothing to hide, yet he had everything to fear. In 2004, life as he knew it came to a crashing halt when he was falsely linked to the Madrid train bombings. The Federal Bureau of Investigation (FBI), which was involved in the global investigation of the crime, incorrectly matched the attorney’s fingerprints to those found at one of the scenes of the crime.
Mayfield’s fingerprint had found its way into an Interpol database after an arrest two decades earlier on a charge that was subsequently dropped. It was this false match that caused all the trouble. In addition to his matched fingerprint, Mayfield became a prime suspect because he had converted to Islam and, as an attorney, had represented a person accused of attempting to assist the Taliban.
Another suspect who did not fit this profile was ignored because – for the FBI – Mayfield fitted their profile of a terrorism suspect. In other words, he was Muslim. It took Mayfield two years to clear his name.
Fingerprints are what are known as biometric information. Biometrics involve the measurement and analysis of unique physical characteristics for the purposes of identification. So biometrics is quite literally the measurement of the body. The most commonly used biometric identifiers are irises, fingerprints, voice or facial features, and Deoxyribonucleic Acid (DNA).
It is in everybody’s interests for governments and private companies such as banks to have accurate ways of identifying people, and biometrics apparently provide them with the means to do just that.
Biometrics can be used to check that people are who they say they are when their identity is known, or at least claimed (verification), and to identify a person by matching these characteristics against those of others when their identity is not known (identification).
Biometric forms of identification have existed for some time now. What has changed, though, is the application of computers to biometric enrolment and processing, which allows state and private entities to process huge amounts of biometric data. They can also link to one another’s biometric databases so that searches can be made across several databases to build up a composite picture of an individual (known as interoperability).
Biometrics are being used for an array of public administration purposes. Their users assume that this form of identification is much more reliable than barcodes or Personal Identification Numbers (PINs), as it relates to a person’s unalterable features.
If biometrics are such an effective form of identification, then why have they become so controversial? The fact that physical characteristics are used for identity management at all triggers privacy concerns, in that some of the most personal features of an individual are being collected and stored by the state for identification purposes.
Giving images of more and more of your body parts to governments is creepy.
Fingerprinting is also inherently associated with criminality. Sorting individuals according to their physical characteristics is dehumanising, and can become a dangerous tool in the hands of authoritarian governments bent on social sorting according to particular characteristics such as race, gender or age.
Biometrics can enable state surveillance in very powerful ways. They provide the state with an ostensibly accurate form of identification, exposing some of the most intimate details about a person to monitor them and track their movements. This form of surveillance has become known as “biosurveillance”, or surveillance using images of a person’s body parts.
Fewer privacy issues arise in verification systems as compared to identification systems, though. The former involves one-to-one matches – where an institution is verifying that you are who you say you are – rather than one-to-many searches, where an institution can identify you from a large database if you have, say, been photographed participating in a perfectly legitimate protest.
The collection of biometric information interferes with a person’s bodily autonomy as an aspect of privacy. This is why South Africa’s Protection of Personal Information (POPI) Act applies to biometric information.
Given the sensitivity of biometric information, the information/privacy regulator established in terms of the POPI Act should apply the strongest data protection measures possible. For instance, it should ensure that people give clear and express consent for biometric collection. The regulator should also ensure that only the most necessary information is collected, and that the purposes for which it is collected are strictly limited.
If biometrics are collected for one stated purpose, then the regulator should ensure that the owners of the biometric data give their consent before it is used for other purposes. This is because biometric information may be used for purposes for which it was never intended when the person enrolled their biometrics. This “function creep” risks violating a person’s right to determine how his or her personal data is used (known as “data sovereignty”).
The regulator should ensure that an incident that occurred in Canada in 2011 does not occur here. In that year, the British Columbia Privacy Commissioner criticised the Insurance Corporation of British Columbia and the police for using the corporation’s drivers licence database to identify people involved in a protest at a hockey match. People who had provided their information to the corporation for one purpose had not agreed to it being used for another purpose.
Concerns about biosurveillance do not stop at privacy, though. Biometrics also suffer from controversial margins of error, including false matches (“false positives”, which is what happened to Mayfield), or biometrics not being recognised (“false negatives”). This is because they offer only a probability of a match based on the likeness of stored physical characteristics.
Fingerprints have the highest rate of error, but facial recognition is not foolproof, either, and the potential for false matches is greater for black and young people.
Some people, such as miners and others who work with their hands, have difficulty enrolling as they may not have well-defined fingerprints. In India’s massive biometrically based state identity system, Aadhaar, up to 20% of people cannot be recognised by the system as they don’t have sufficiently well-defined fingerprints.
Edward Snowden’s leaks revealed that the US National Security Agency (NSA) was collecting millions of faces from web images as part of its mass surveillance programmes, with the intention of running them through facial recognition software and increasing their ability to find intelligence targets around the world. As the Mayfield case showed, if there is a false or indeterminate match, it can be difficult to impossible to clear your name.
Biometric databases are also vulnerable to hacking, which can lead to biometric information being stolen, altered or even destroyed. Yet if this happens, the consequences could be much more serious than breaches involving databases that are not biometrically based.
For instance, in 2015, the Office of Personnel Management was hacked, leading to 5.6-million fingerprints of US federal employees being stolen. While the office claimed that information security experts had assured it that the hackers’ ability to exploit the fingerprints was limited, this may change over time.
People’s personal information has been leaked from Aadhaar and sold on WhatsApp. While Aadhaar’s administrators have claimed that the system is hack-proof, Australian cybersecurity expert Troy Hunt has challenged this claim.
Identity theft is more common in biometrically based single reference systems such as centralised national population registers, as they create a single point of failure, and centralisation increases rather than reduces the potential for fraud. Doppelganger matches also become more likely in large-scale databases.
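To make the one-to-many scaling argument concrete (the one-to-one versus one-to-many contrast drawn earlier, and the doppelganger point in this paragraph), here is an added Python example that is not part of the article: it takes an assumed per-comparison false match rate and shows how the chance of at least one wrong candidate grows with the size of the database searched. The independence of comparisons and every number used are constructed assumptions for illustration, not figures from any real system.

```python
"""Added example (not from the article): how a per-comparison false match
rate (FMR) turns into a system-level false positive identification rate
as a one-to-many database grows. All numbers are constructed."""


def false_match_probability(fmr: float, db_size: int) -> float:
    """Probability that a search against db_size enrolled templates returns
    at least one false match. Assumes each comparison is independent with
    per-comparison false match rate `fmr` (a simplifying assumption; real
    matchers and real populations are not independent). With db_size == 1
    this is plain one-to-one verification and the result is just `fmr`."""
    if not 0.0 <= fmr <= 1.0 or db_size < 0:
        raise ValueError("fmr must be in [0, 1] and db_size non-negative")
    return 1.0 - (1.0 - fmr) ** db_size


def expected_false_matches(fmr: float, db_size: int) -> float:
    """Expected number of wrong candidates (doppelgangers) per search."""
    return fmr * db_size


def required_fmr(target_fpir: float, db_size: int) -> float:
    """Per-comparison FMR a matcher would need so that the system-level
    false positive identification rate stays at or below target_fpir
    for a database of db_size entries (same independence assumption)."""
    if not 0.0 <= target_fpir < 1.0 or db_size <= 0:
        raise ValueError("target_fpir must be in [0, 1) and db_size positive")
    return 1.0 - (1.0 - target_fpir) ** (1.0 / db_size)


if __name__ == "__main__":
    fmr = 1e-6  # constructed: one wrong match per million comparisons
    print(f"{'database size':>15} {'P(>=1 false match)':>20} {'expected':>10}")
    for n in (1, 1_000, 1_000_000, 60_000_000):  # 1 = one-to-one verification
        p = false_match_probability(fmr, n)
        print(f"{n:>15,} {p:>20.4f} {expected_false_matches(fmr, n):>10.2f}")
    # How good a matcher must be to keep a 60M-entry register at 1% FPIR
    print("FMR needed for 1% FPIR at 60M entries:",
          f"{required_fmr(0.01, 60_000_000):.3e}")
```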
These uncertainties mean that there needs to be a record to refer back to, such as physical fingerprints. Yet, too many governments are failing to build these safeguards into these systems, in their overzealous bids to modernise and transform themselves into paperless societies.
Criminals can also synthesise (or “spoof”) biometric identifiers and create fictional identities. Some security experts have scoffed at these concerns, arguing that if biometric identifiers are compromised, they are useless unless the actual person presents him or herself to a biometric reader. But they dismiss the dangers too readily.
Researchers have shown how facial authentication spoofing attacks can be used to fool facial unlock features on phones; 3D fingerprints have been used to fool smartphone features. University of North Carolina researchers have built 3D faces that have fooled facial readers.
People’s identities could be compromised permanently when their biometrics are compromised, as they cannot replace their fingers, eyes or voices. Such breaches create the risk of someone becoming an “un-person”, unable to prove that they are who they say they are. Biometric forms of identification can’t be reset like a password can.
The quality of the biometric systems is key, though, and anti-spoofing measures are being developed all the time. For instance, some systems include “proof of life” or liveness detection capabilities, which can detect whether the biometric identifier is being presented by a live human being and prevent spoofing attacks. But these systems are not cheap, and for cash-strapped state entities, the temptation exists to deploy less secure systems.
Yet, not even these protections have been enough to assuage the concerns of citizens in many countries, who have resisted attempts by states to collect and use their biometric information. In fact, the tide has begun to turn against centralised biometric databases in the north, and an increasing number of countries have lost the political will to establish them, or have had to dismantle them if they have.
For instance, the Mauritian government decided to compel its citizens, on pain of imprisonment, to enrol in a biometrically based national identity system. However, after massive public opposition, they were forced to dismantle the one-to-many capabilities of the system, leaving only one-to-one verification intact.
Some northern countries have refused to subject their own populations to biometrics, but have nevertheless implemented the technology in border control. Britain halted its plans to introduce a biometric ID card system after public controversies.
In spite of these controversies, South Africans have been muted about the risks of biometrically based identity systems. In any event, the Department of Home Affairs has had a centralised national population register for many years to formalise the country’s population.
Given the vulnerabilities of the green barcoded identity documents, the department went on the search for a more secure form of identification. A biometrically based smart chip-based identity card appeared to offer just that.
The government’s decision to use smart cards also opened the card up to being used for a range of other government functions, and to becoming a record of a citizen’s interactions with the state. However, the government’s plans were thwarted by the fact that an interoperable biometric standard had not been developed, which of necessity would have to be an open standard.
This technical challenge was a blessing in disguise from a privacy point of view. When all data is accessed by all parts of the administrative system, there may well be benefits for citizens as they become more visible to the state. But this heightened visibility also heightens the dangers of people’s most sensitive personal information being misused for surveillance purposes.
In the case of the social security system, the introduction of a biometrically based identity system has certainly contributed to bringing down the number of fraudulent claims, but it has also introduced new problems and frustrations for grant-holders.
It has also made the state dependent on private entities whose interests appear to be driven primarily by profit, potentially threatening the integrity of the most sensitive personal information of some of the most vulnerable members of South African society.
In fact, the government has not really interrogated its own assumptions about biometric forms of identification, assuming their inherent technical superiority without considering their vulnerabilities.
The Home Affairs Department is planning to augment its fingerprint-based smart ID card system by collecting iris prints and facial photographs. This, it reasons, will address some of the weaknesses of a fingerprint-based system.
This means that in time to come, the government will have a massive stash of people’s biometric data. South Africans should pay close attention to how the department plans to realise its ambitions to make this the government database of choice to provide a single view of the citizen.
Already, the police have live, real-time access to this database. Now, the POPI Act does not apply to policing matters, except if it can be proved that existing privacy protections are inadequate. This is an important caveat, as it means that the police should not be allowed to access the department’s database willy-nilly.
In order to satisfy the public that their personal information won’t be abused, the police should develop a publicly available policy that specifies the conditions under which people’s biometric and biographic information will be accessed, and forbids them from accessing people’s biometrics for the purposes of political profiling.
Home Affairs’s public statements about the smart ID card system suggest that it intends to share data across departments, and that implies that function creep is considered to be unproblematic. This is in spite of the fact that the POPI Act requires the department to give people a meaningful say in any data-sharing arrangements.
The more actors become involved in the ID card system, the more likely data breaches become. While the department claims not to have been breached, other government departments have. If Aadhaar can be breached, then almost certainly the department’s database can be too.
South Africa suffers from a legacy of lack of respect for privacy, and it still lacks public policy around key privacy issues. Many public, semi-private and private entities are cashing in on the lack of safeguards, and gathering, storing and processing biometric information.
Cyril Ramaphosa’s administration must ensure that policy catches up with data exploitation practices, and that the privacy regulator is empowered to deal with this problem.
The objectives of entities such as Home Affairs may be well-intentioned. But the road to a panoptic, dystopian surveillance hell – where the state and corporations have more and more access to what people do and think, while people have less and less access to what the state and corporations do and think – is likely to be paved with good intentions.
Jane Duncan is a professor in the Department of Journalism, Film and Television at the University of Johannesburg. Her new book is called Stopping the spies: constructing and resisting the surveillance state in South Africa (forthcoming from Wits University Press).