Face-off: South Africa’s population register is on course to becoming a criminal database – with your mugshot
South African police have long dreamt of using facial recognition technology to hunt suspects. It’s a dream edging ever closer to reality. But researchers have issued a stern warning: in a world of smartphones and surveillance cameras, the technology creates a new opportunity for authorities to track citizens – and people of colour are more likely to become targets. While activists, governments and industry players around the world are calling for stricter regulation of police facial recognition use, SA authorities are proposing warrantless searches.
Lucky Gwebu won’t get bail. Out of jail after serving eight of 18 years for armed robbery, he’s facing fresh accusations: he allegedly robbed two men at gunpoint while on parole.
At his bail hearing, it emerged that Gwebu tried to switch names with another prisoner in the identity parade. That cemented the judge’s decision to deny bail.
Such identity fraud has spurred justice authorities in SA to track detainees with biometrics – biological markers unique to an individual, like fingerprints or facial characteristics. Their plans didn’t materialise, but the department of correctional services wanted to start verifying prisoners’ identities with facial recognition software back in March 2010 – the month of Gwebu’s hearing.
The process could work like this: A database contains all prisoners’ facial photographs, along with their names, ID numbers and offences. If an inmate says their name is Alex Smith, an official could type “Alex Smith” into the system, and this would return the picture attached to that name, plus the other details.
Next, a camera scans the face of the inmate claiming to be Alex. Then software (more specifically, an algorithm powered by artificial intelligence) enables a comparison between this new image and the database photo. If the images are similar enough, Alex’s identity is confirmed. The same can be done with other biometrics, like fingerprints.
This process is called a one-to-one verification, since one picture is compared to another. It’s used, for instance, when you unlock your phone with your face or fingerprint.
Who are you?
Then there’s a far more controversial way to use facial recognition. Known as “identification”, the South African Police Service (SAPS) has repeatedly expressed interest in finding suspects with this method.
Whereas verification confirms that someone is who they say they are, identification entails naming someone unknown. An unnamed suspect’s photo is fed into a photo database of known persons. A match reveals the suspect’s identity. It’s called a one-to-many comparison, since one photo can be compared to millions. Again, the same is possible with other biometrics.
Overseas, however, a backlash is building against the technique.
In the United States in 2016, a landmark study found that the Federal Bureau of Investigation (FBI) could do facial recognition searches on ID and driver’s licence photos of 117 million Americans. The research was conducted by Georgetown Law’s Center on Privacy and Technology.
Centre director Alvaro Bedoya said the FBI had effectively placed half of US adults “in a massive virtual line-up. This has never been done for fingerprints or DNA. It’s uncharted and frankly dangerous territory. Innocent people don’t belong in criminal databases”.
The report warns that facial recognition carries risks that other biometrics don’t: “You only leave your fingerprints on the things you touch. When you walk outside, your face is captured by every smartphone and security camera pointed your way”.
It’s a concern shared by US lawmakers who have held several hearings on the subject and who last year introduced the Facial Recognition and Biometric Technology Moratorium Act of 2020, which aims to pause government use of facial recognition until legislation is in place.
Without oversight, researchers argue, police could track protesters – this year’s 6 January attack on the US Capitol refuelled debate about the issue, despite the riot’s illegality.
The New York Times reported a 26% increase in the use of Clearview AI, a controversial facial recognition system used by 2,400 policing organisations. To build its database, Clearview scraped three billion facial images from sites like Facebook and Twitter. (They may have your pictures too.)
But the issue runs deeper than the surveillance of political dissidents.
Being black in Detroit
Last year in the US, Detroit police arrested Robert Julian-Borchak Williams at his home, handcuffing him in front of his wife and two small children. He had no criminal record. The NY Times reported that police found Williams after running an image of a shoplifting suspect caught on a security camera through a database of 49 million driver’s licence photos.
He was interrogated, fingerprinted, photographe and had a DNA sample taken. He was locked up for 30 hours and then released on $1,000 (about R14,000) bail. Next, he heard an attorney would cost $7,000 (just over R100,000).
Fortunately for Williams, the American Civil Liberties Union (ACLU) assisted him, and the state prosecutor apologised. But he’d still have to endure a formal process to have his record expunged.
With Williams, civil groups argue, invasion of privacy wasn’t the only issue: He’s black. Activists have long argued that the technology is less accurate with identifying people of colour, since the algorithms are mostly trained on images of white people. Police have admitted that the tech isn’t perfect.
Days after the NY Times story on Williams appeared, Vice reported Detroit police chief James Craig saying it wasn’t police policy to rely only on software, since “96% of the time it would misidentify”.
Williams’ story illustrates how flawed technology dependent on racist human judgement harms people of colour. Other countries also see the danger.
Last year the Appeals Court in Britain ruled that the South Wales police’s use of facial recognition was unlawful, saying police didn’t properly assess the software’s potential gender and racial bias.
On 20 January this year, the European Parliament passed a resolution that the European Commission should consider a moratorium on police use of facial recognition until technical standards were rights compliant and non-discriminatory, and until strong safeguards against abuse were established.
Meanwhile, in South Africa
Yet even as calls against unregulated facial recognition increase globally, South African authorities are set on adopting it.
In 2018, the department of home affairs (DHA) announced its new biometrics database: the automated biometric identification system (Abis).
Every South African, as well as foreign national (upon entering the country legally), will have their biometric information captured in Abis. The DHA’s 2019/2020 annual performance plan states that Abis will allow for “identification, verification and latent search functionalities through fingerprint, facial recognition and ten (10) fingerprint search” (sic) and later through “iris, palm-print and infants’ footprint” (sic).
Abis will replace the outdated home affairs national identification system (Hanis) that’s been in operation since 2002. Hanis only stores fingerprints and facial photographs. If you have a South African ID, all your fingerprints and your mugshot are in Hanis. They’ll also be in Abis.
Although it’s a DHA project, law enforcement funded Abis. The DHA’s 2019/2020 annual performance plan states that SAPS and the department of justice and constitutional development allocated R264-million and R156-million respectively towards Abis – a total of R410-million. The tender that went out for Abis’ development was worth R409.8-million.
The 2019/2020 DHA plan further states that Abis will “enhance” information-sharing between law enforcement agencies by interfacing “online, in real time with other systems of the criminal justice institutions”.
And whereas the department of correctional services hoped to use facial recognition to verify the identities of criminals like Lucky Gwebu, plans for Abis indicate that SAPS, like the FBI, could in future identify an unknown person through a one-to-many facial recognition search in a database with all citizens’ and visitors’ faces.
A criminal database
Using facial recognition to search for a suspect through a database of convicted felons is nothing new. The International Criminal Police Organisation (Interpol) has a criminal database with a facial recognition system containing mugshots from 180 countries.
But this type of database isn’t good enough for SAPS. They already have something similar.
Only capable of fingerprint searches, SAPS’ automated fingerprint identification system (Afis) lets them take fingerprints from crime scenes (known as a latent fingerprint) and do one-to-many identification searches with a database of convicts’ fingerprints. But it’s useless if the suspect has no record.
Most recently the civilian secretariat of police told parliament in October last year that adding DNA samples from all citizens to Abis is being considered to assist police in criminal investigations.
SAPS started advocating for access to citizen biometrics over a decade ago, resulting in the Criminal Law Amendment Act 6 of 2010.
The act forces all state departments, and specifically the DHA, to let police do “comparative” searches for investigative purposes against the fingerprints and facial photographs in all their databases.
By 2011, the DHA had created a “duplicate civil database” for SAPS, according to research from Wits University. Through this database (located on DHA premises), police officers could run identification searches with latent fingerprints against citizens’ fingerprints in Hanis.
But unlike SAPS’ Afis and the future Abis, Hanis wasn’t built for such criminal searches. It’s a civilian database meant to verify known identities; all ten fingerprints (submitted with the cooperation of the owner in a controlled environment) were needed for a certain, instant match.
A police officer in the Wits study said searching with one print could take Hanis three days, frequently coming up blank or yielding false matches. (By comparison, the police’s Afis could run 1,950 searches a day). The DHA also didn’t have personnel to process SAPS’ requests – hence the separate database.
SAPS told Daily Maverick the database didn’t exist. We sent them a copy of the Wits study for clarification. They did not respond.
Whatever the case, by 2015 a Hanis search with only four fingerprints was, officially, possible. By 2018, then DHA minister Malusi Gigaba told parliament that “SAPS have access to the Hanis system” for “verification or identification of SAPS clients whose biometrics are stored on Hanis”.
If there’s a match, SAPS gets your name, mugshot, contact information, date and country of birth, gender, marital status, type and date of marriage, and your residential and postal addresses.
Thus, despite Hanis’ limitations, the legal groundwork is laid for SAPS to search through all South Africans’ fingerprints and facial photographs. Now, Abis could provide SAPS with the identification system of their dreams.
Daily Maverick asked the DHA how SAPS would use Abis’ facial recognition capabilities and how it would be regulated, but received no answers.
However, the DHA’s draft official identity management policy, released on 22 December 2020, confirms that Abis will support biometric identification searches (to identify unknown people), and will be “expandable to include additional biometrics such as iris scans, palm and footprints and facial recognition”.
Although the draft policy makes facial recognition sound like a later addition, it was always slated to be an Abis function. When the tender for Abis went out in 2016, a qualification requirement for bidders was the provision of facial recognition software. According to the 2019/2020 DHA annual performance plan, facial recognition was part of the first phase of Abis’ development.
It also looks as if the DHA is serious about facial recognition, as the policy suggests using ISO 29794-part 5. This is the international standard for facial images to ensure they’re of sufficient quality for facial recognition algorithms to work properly. (The current photographs in Hanis do not meet these specifications, nor do SAPS’ mugshots.)
While the DHA continues to make plans for facial recognition, SA has no legislation regulating police use.
ENACT is a project jointly implemented by the Institute for Security Studies, Interpol and the Global Initiative against Transnational Organised Crime.
In a detailed study about biometric surveillance in SA and Kenya, ENACT found that regulations to oversee centralised government biometric databases like Abis are non-existent in SA.
Daily Maverick asked SAPS how they would regulate facial recognition searches. SAPS said only that they were legally allowed to “perform comparative searches against fingerprint or photographic image databases kept by any other government department for purposes of exclusion or inclusion”.
The DHA failed to answer questions, but their draft identity management policy recognises “there are no documented and transparent guidelines” regulating how the DHA shares people’s identity data.
The policy further acknowledges that the DHA’s information systems security policy isn’t aligned with the Protection of Personal Information Act (Popi). The act regulates how government and private entities use citizens’ personal information, including biometrics. The DHA draft policy recognises that Popi isn’t fully enforced, but recommends there should be independent oversight with legal powers to “ensure compliance” with the legislation.
Regarding policing, it states that the “use (of identity data) for enforcement-related activities must be noted in writing” to “promote accountability”. It suggests any processing of identity data for “crime-related purposes” must be legally authorised, and that the DHA only disclose citizens’ information if there’s a court order.
But there’s a caveat. The policy suggests that sharing biometric data should be excluded from the court order requirement, and that all personal information – including biometrics – can be disclosed “in the interest of national security on the approval of the director-general or delegated officials”.
It is unclear whether the policy is referring to the director-general of the DHA or the ministry of state security – the leading department on national security.
A 2018 high-level review panel appointed by President Cyril Ramaphosa, as well as recent hearings at the Zondo Commission, have seen testimony of major criminality within the ministry’s State Security Agency (SSA). The DHA did not answer our questions about the SSA’s access to Abis data.
Unlike in SA, there’s been much discussion about specific facial recognition regulation internationally.
Proponents say a complete ban robs understaffed police of a valuable resource, and that the real problem lies with the humans who use it.
The Information Technology and Innovation Foundation (Itif) is an industry-funded think-tank that gives scientific advice to US lawmakers. In a 2019 written statement to legislators, Itif vice-president Daniel Castro explained the alternative to facial recognition: police officers manually wading through a database of mugshots, or asking communities to identify suspects – a slow, inaccurate and costly process.
Itif recommended that US lawmakers not simply ban the tech, but instead direct government departments to develop oversight protocols. There’s also a need to deal with the broader issues, like police use of force against people of colour, and requiring warrants to track suspects regardless of what technology is involved.
Protocols were blatantly disregarded when Detroit police arrested Robert Williams. The search was done with a blurry photo taken from surveillance footage. The technician who performed the search told police that the results were “not probable cause for arrest”, but only a lead, according to the NY Times. Police were supposed to find more evidence first, like an eyewitness.
But Itif also challenged assertions that the technology was inaccurate, citing major improvements.
That’s true. The US’ National Institute for Standards and Technology (Nist) has been testing facial recognition software since 2000. In 2019, to inform the raging public debate about algorithm bias against black people, Nist tested the effects of age, race and gender on the accuracy of 189 facial recognition algorithms from 99 developers – the “majority of the industry”. They used 18.27 million photographs of 8.49 million people from 24 countries across Africa, Europe, Asia and the Americas.
Nist found the best algorithms to be extremely accurate and unaffected by race, gender or age. But demographics affected accuracy for “the majority” of the algorithms. Those affected in one-to-one verifications were normally less accurate with one-to-many identifications, too. Nist reiterated Itif’s recommendations: it’s the police’s responsibility to understand the software’s limitations.
It’s at this juncture that activists and the security sector find common ground. Georgetown Law acknowledged that facial recognition has benefits, and has been used to apprehend violent criminals.
Speaking to the NY Times about Williams’ arrest, Clare Garvie, the lead researcher on the 2016 Georgetown study, said: “There are mediocre algorithms and there are good ones, and law enforcement should only buy the good ones.”
For South Africa, the best isn’t good enough
When we asked SAPS whether they would use Abis to conduct real-time, online facial recognition searches, they replied, “No. SAPS does not envisage to conduct facial recognition searches in the near future.”
They’ve got that right.
Starting this year, Hanis was supposed to be phased out and gradually replaced by Abis, but tender irregularities have stalled the process.
By law, the State Information Technology Agency (Sita) had to handle the Abis tender for the DHA. But the 2018/19 Sita financial audit found that the tender was awarded irregularly to EOH Mthombo. The matter was under investigation by auditors Nexia SAB&T on behalf of the DHA, and the department is scheduled to report back to Parliament on the issue on 23 February.
Meanwhile, NEC Africa, an unsuccessful bidder for the Abis contract, has taken Sita and the DHA to court over the bid. The Japanese multinational provided the automatic fingerprint identification system (Afis) for Hanis in the early 2000s. NEC Africa says its facial recognition algorithms are used in over 70 countries and regions in various organisations, including police, immigration and national identification systems.
They’re also consistent top performers in Nist tests. Nist stated in its 2019 report on algorithmic racial and gender bias that the company’s NEC-3 algorithm was “on many measures, the most accurate we have evaluated”.
The DHA said Abis’s development continues. For now, at least, the tender issue has created a reprieve for citizens marked for subjection to powerful government surveillance capabilities.
The DHA failed to answer any of Daily Maverick’s questions, despite repeated follow-ups. DM
Heidi Swart is an investigative journalist who reports on surveillance and data privacy issues. This story was commissioned by the Media Policy and Democracy Project, an initiative of the University of Johannesburg’s Department of Journalism, Film and TV and Unisa’s Department of Communication Science.