The Council of Australian Governments (COAG) meeting on October 5 marked a new era of mass surveillance in this country, as the leaders of all states and territories signed on to the Turnbull government’s proposal for a national facial recognition system.
The National Facial Biometric Matching Capability is a system that will provide federal and state police, along with security agencies, with real time access to photos of the general public that can be matched with CCTV footage via a hub that will link federal and state databases.
The federal government has already been utilising facial recognition technology since November last year. However, unlike the new system that will be automated and instantaneous, the current system is run manually and can take up to week to identify an individual.
The reach of this system is significant, as it was agreed at the COAG meeting that all state and territory driver licence photos will be contained on the database. The federal database that is currently utilised only contains passport, immigration and citizenship images.
Big Turnbull is watching you
Prime minister Malcolm Turnbull said that the biometric face matching system is not some Orwellian measure, but rather it’s a modernisation of existing data-sharing systems. “It doesn’t involve surveillance, or indeed mass surveillance,” Mr Turnbull told reporters.
But despite this doublespeak, the hoarding of most of the population’s images in huge databases and linking them up through an exchange, so they can be instantaneously matched to identify people captured on CCTV cameras in public does sound a lot like mass surveillance.
Turnbull also made assurances that the system would not be used on live CCTV footage. He said it would be used at places like airports and by law enforcement agents to identify people. The attorney general’s department factsheet states it will only be used with still images taken from CCTV footage.
More than just terrorism
The initial justification for the system was counterterrorism. However, the COAG agreement on identity matching services outlines a whole range of other ways in which it will be used.
These include in the investigation or prosecution of offences that carry a maximum penalty of three years or more, security and criminal background checking, investigating missing persons, and identifying individuals who pose a threat to public health and safety.
Private sector organisations will also be able to access the system’s facial and document verification services “for matching against identity information held” by the government databases.
Under the subheading “Why these services are necessary,” the attorney general’s department factsheet states that “the Australian Government is investing in this new system to help combat identity crime, which is one of the most common crimes in Australia.”
However, a major criticism that has been made by digital rights and civil liberties groups is that these large databases storing personal information about almost the entire population are ripe for hacking and identity theft.
Rights in the digital age
Electronic Frontiers Australia is a non-profit organisation that promotes and protects digital rights. Established back in January 1994, the independent organisation has been at the frontline of monitoring the encroachment upon the rights of Australians in the digital environment.
Sydney Criminal Lawyers spoke with Jon Lawrence, executive officer of Electronic Frontiers Australia, about the implications of the biometric facial matching system, the government’s plans to access encrypted messages, and why Australia needs to have a conversation about a bill of rights.
Firstly, Jon, the government has announced the National Facial Biometric Matching Capability will be established. Electronic Frontiers Australia has been highly critical of this system.
What are the overall implications of the government implementing it?
There’s a number of really serious issues. One is that it is a fundamental invasion of the privacy of pretty much every adult Australian to have their image uploaded into this database to then be available to be checked and referenced in real time.
This is the stuff out of science fiction. It is clearly a step too far towards a ubiquitous surveillance state. By definition, it’s a massive invasion of privacy. It clearly subverts and almost completely undermines the principle of the presumption of innocence.
It’s treating any person walking down a street, or going to the football, or any sort of public event as a potential suspect. And that’s not how society is supposed to work.
We already know it is going to be used for things way beyond counterterrorism. We’ve had Cory Bernardi come out and say, “Let’s start using this to crackdown on welfare fraud.”
It’s inevitable that it will be used in identifying protesters at public rallies and so forth. And that has huge implications for freedom of expression and association.
Then there are all the risks associated with the misuse of the data. The likelihood that a jealous police officer is going to use it to track down and stalk an ex is essentially 100 percent. It will be misused by somebody at some point. That’s inevitable with a system like this.
And then there are issues around the security of the data itself and it being hacked. We’ve just seen in the last couple of days, news of a defence contractor being comprehensively owned by a hacker for many months and downloading detailed texts about F-35 fighter jets.
But, the prime minister has played down this risk. How much confidence do you have in the federal government being able to prevent hackers from accessing it? And what are the dangers if this does happen?
As I say, there are plenty of examples in the news right now showing that the federal government is not good at protecting data. It’s giving out high-level defence clearance to organisations that have one part-time IT employee. That’s not sensible. And the track record is really not good.
And the implications are huge. A database like this is of enormous value to identity thieves and criminals of all sorts of persuasions. It will be enormously attractive to them. So, they will be going for it all the time.
Eighteen US states have already been using facial recognition technology in a similar manner. These states share information with the federal government, including driver licence photos.
What sort of outcomes has this system had in the States?
It’s fairly clear if you look at what is going on in the US that it is certainly not making anyone any safer. Las Vegas is arguably one of the most heavily CCTV surveilled places on earth. And yet, we saw what happened there.
There’s no evidence to suggest that this technology does make anyone safer. There’s certainly no evidence to suggest that it leads to crime reduction.
The reality is that we are seeing very high false positive rates coming out of these US states. And I’ve seen reports of up to 15 percent. Now, that’s an enormous false positive rate with technology like this.
So, the likelihood that perfectly innocent Australians are going to be dragged off into a backroom at an airport or a football ground, and get strip searched and held without charge for hours, if not days, while their identity is sorted out is extremely high. And that’s really unacceptable.
The COAG agreement outlines that private sector organisations will be able to access parts of this system for a fee.
How can the government go from stating it’s establishing a system for counterterrorism purposes to opening it up to private companies? And what are the implications of allowing private sector access to such a large database of personal information?
Clearly, the more organisations that have access to the database the greater the risk of misuse and the data being compromised. That’s just the logical extension of doing that.
We have various organisations – Australia Post is certainly leading this with their digital ID product – that are looking at using facial recognition as a clear and central aspect of their identity verification processes. But, some of these things are being done in a way that actually doesn’t require access to this sort of database.
There do obviously need to be very strong controls around that use. And there needs to be very limited circumstances in which way that sort of access is granted.
But essentially the more organisations that have access to this information, the higher the likelihood that it will be misused or compromised. So, that’s a massive issue.
Malcolm Turnbull also made assurances that the technology will not be used on live CCTV footage.
In your understanding how will the technology be used? And do you trust the prime minister’s assurances?
If they don’t want to use it for that, then what is it for? My understanding is they are looking ahead – for example at the Commonwealth Games coming up on the Gold Coast – and wanting to be able to pick potential terrorists out of the crowd in real time.
Now, if that’s not part of the agenda then I actually wonder what the justification is. Because if it is really just about identifying people after the fact, then arguably they probably wouldn’t do anything because they’ve already got offline, or not in real time, access to this sort of information as it is.
Mr Turnbull’s statements have been really contradictory, and quite confusing. They suggest that the government hasn’t thought this through. And it gives me the suspicion that this is one of those things where the government feels it needs to be seen to be doing something. And this is something.
On April 13 this year, the complete version of the Australian government’s mandatory metadata regime came into effect. Telcos and ISPs are now required to store the metadata of their customers – including the time and date of calls, emails, text messages and internet sessions – for a period of two years. But, the system actually began back in October 2015.
What sort of developments have transpired in regard to this system since it began? And what’s its impact been so far?
It’s very early days. And we don’t really have much in the way of information yet. But, what we do know is that the number of requests has declined. And that’s a clear function of the fact that the number of agencies able to access the data has been dramatically shrunk down to 21.
So, that’s a very good thing. We’ve always supported restricting access to that information to legitimate law enforcement organisations like the police, and the crime commission.
One other thing we know is that the Australian federal police completely failed to respect one protection outlined in the legislation about requiring a warrant to look at a journalist’s data. So, that is a pretty worrying first news story on this issue.
The Turnbull government announced in July that it wants to enact laws that allow Australian security agencies to gain access to private encrypted messages stored by social media and technology companies. This is again being spruiked as a counterterrorism measure.
What would this mean for your average citizen? And why is the federal government so determined to undermine encryption?
It’s actually pretty clear that this is a fundamental misunderstanding on the part of many people. It’s very easy to come out and say if only we could access the encrypted WhatsApp chats of these people, everyone would be a lot safer. And it’s just simply not true.
The reality is that ASIO has extensive powers already to install malware on people’s phones that allows them to read every message and everything that is going on in that phone, before it’s encrypted and on the way back after it’s unencrypted. They don’t need this at all.
It’s also impossible for this to occur without compromising the integrity of the encryption itself. And that makes everyone less safe.
These sorts of exploits are as much a threat to government as anyone. And we’ve seen recently that Russian agents had been able to get into the NSA and get their database to technically exploit.
I would argue that calling to undermine encryption in this way, apart from basically being just really misinformed, is a bit of a threat for national security.
The Five Eyes alliance allows the security agencies of the USA, UK, Canada, New Zealand and Australia collect and share private and commercial communications data with one another. It was established in 1946, under the UKUSA Agreement.
The alliance held a meeting in Ottawa in late June. A communique released by the alliance states that “encryption can severely undermine public safety efforts by impeding” law enforcement.
Can we draw a link between the operations of this alliance and the desire of the Australian government to access the general public’s private messages stored on digital communications platforms?
Absolutely. This has clearly been driven by the Five Eyes. No question about that at all.
There are clear reasons why it is Australia’s turn to take the lead on this issue. It’s pretty clear that the US and UK governments are struggling with significant credibility problems. I suspect the Canadian government was disinterested in taking the lead on this. And the New Zealand government was running into an election.
So, it is Australia’s turn to step up for the Five Eyes and take a lead on this issue. It’s definitely being driven by that association.
Electronic Frontiers Australia has been around since January 1994. So, your organisation has been monitoring these developments for some time now.
Looking back, how would you describe what has occurred in regard to digital rights and the laws? And overall, what sort of effect has it had on society?
What is interesting if you look back at the history of the digital rights movement is that the same issues continue to emerge every few years.
The Crypto Wars are essentially at the centre of the digital rights movement. The struggle between government and military use of encryption, and personal and private sector use of encryption is at the centre of that whole story. That’s going on now as much as it was 10 to 15 years ago.
One thing that is really starting to happen – and we’re really starting to see some real evidence of this over the last year or two, particularly since things like the Census and the Centrelink “Not My Debt” issue, and now with the facial recognition announcement – we’re starting to see that these sort of digital privacy issues are becoming mainstream.
A lot of people that wouldn’t have even thought about the concept of digital rights before are now starting to realise that these human rights are essential to the civil liberties of the society that we want to live in. They need to be protected.
That actually gives us a bit of optimism about making progress on this. And obviously, we’re going to be continuing to do what we can. We’re working closely with a number of other organisations around the country, and you would have seen we put out a press release last week with six other organisations.
It’s been part of our agenda for a long time to get these issues into the mainstream. And I’m not saying that we’ve caused it, but it is really starting to happen now, which is really important. Particularly in this country because we have no constitutional protections whatsoever, apart from an implied right to freedom of speech.
It’s critical that these things are debated in the mainstream. We’re talking to all sides of politics about this at the moment. About making sure that we do put meaningful protections in there about the idea of enforceable rights in this area.
We have some reason to be optimistic, but it’s a long hard road.
So, you’re suggesting a bill of rights should come into play?
It’s a conversation that definitely needs to be had. Whether that is the right way to go is something to be debated. We would certainly want to see some sort of enforceable protection to privacy. And there’s a number of ways that can happen.
We’ve been campaigning for a long time for a statutory tort of privacy. That would be an important element to give people the ability to seek redress where their privacy has been breached.
We’re seeing things like these state laws around enforcing the rights of people where sexual imagery has been shared without consent. Although, that does infringe on freedom of expression, clearly the right to privacy trumps that quite significantly. We are reasonably comfortable with those sorts of things emerging.
A national standardisation of those laws would be ideal.
There are some reasons to be optimistic. We’re starting to see in the last couple of weeks, a lot of people in the mainstream media talking about having a meaningful conversation about a bill of rights. And that’s the conversation Australia needs to have.
Jon thanks for taking the time out to have this chat with us today.