What Happens When National Governments and Law Enforcement Agencies Use Biometric ID and Surveillance Systems Illegally?

Note to readers: For the past 24 hours I have had a rather unpleasant stomach bug that has made writing this post, particularly the later stages, a bit of an ordeal. Apologies in advance for any typos or other errors.

The answer, it seems, is nothing. But some governments, including the UK and Australia, are now modifying their laws to make sure it is no longer illegal. 

In October last year, the UK’s Minister of Policing (and former McKinsey & Company consultant) Chris Philip unveiled plans to create a vast facial recognition database out of passport photos of people in the UK. It was as brazen and as egregious an example of mission creep as you’re likely to find. Forty-six million passport holders who had given their facial images for travel purposes alone will soon have that data used by police to conduct facial recognition searches without their consent.

It now turns out that British police departments have been doing this all along, without public knowledge or approval, for years. The covert practice has been going on since at least 2019, according to documents obtained by The Telegraph and Liberty Investigates.

The facial recognition searches were conducted despite the fact that Philip did not raise the possibility of using the passport database in this way until October 2023. Now the UK government wants to make legal a covert practice that has already been going on for years. Also, in December it was revealed that police forces will soon be able to conduct facial recognition searches on a database of Britain’s 50 million driving licence holders, and have already been carrying out similar searches of the UK immigration database, which holds information on foreign nationals.

“No Explicit Legislative Basis”

Most of the biometric searches of the passport database took place during the first nine months of 2023 when law enforcement agencies used the technology to comb through passport images more than 300 times. The Home Office has defended the practice, noting that the searches were conducted for the most serious offences. But there are serious questions about its legality.

“The UK still lacks a dedicated legal framework with some experts questioning whether the use of the technology has a sound legal basis,” notes an article in Biometric Update, an industry publication on the global biometrics market. “In December, the UK Parliament’s Justice and Home Affairs Committee conducted a probe against police deployment of live facial recognition.”

David Davis, a former Conservative cabinet minister, said there was “no explicit legislative basis” for using facial recognition technology in the UK:

The data on both the UK passport database and the immigration database was not provided for these purposes. For the police to act like this undermines the data relationship between the citizen and the state. At the very least, the House of Commons should be informed precisely who authorised this and who carried it out.

As regular readers are aware, the UK Government is determined to make full use of facial recognition technologies as part of its crackdown on political protests crime, including minor offences such as shoplifting. In early August, we reported  that live facial recognition (LFR) surveillance, where people’s faces are biometrically scanned by cameras in real-time and checked against a database, is being used by an increasing number of UK retailers amid a sharp upsurge in shoplifting — with the blessing, of course, of the UK government.

Police forces are also being urged to step up their use of LFR, even as the UK’s facial recognition lead recently conceded that they do not have the legal powers (yet) to deploy this technology:

The government’s new Data Protection and Digital Information Act, expected to become law in the coming months, seeks to abolish the roles of the Biometrics and Surveillance Camera Commission (BSCC), an independent advisory board that was, to some extent, helping to hold the public sector to account for its use of AI. In its bid to eliminate the BSCC, the government clearly wants to have even freer reign to surveil and control the lives of British. The outgoing Biometrics and Surveillance Camera Commissioner, Professor Fraser Sampson, described the move as “shocking” and “tantamount to vandalism”.

A Similar Case Down Under

But the UK is not the only country where the government and/or law enforcement agencies have been using biometric identity or surveillance systems illegally, or without public disclosure. In Australia, one of the countries in the “Collective West” furthest along the path to launching a fully fledged digital identity system, government departments were accused in October last year of conducting hundreds of millions of identity checks illegally over a period of four years. From The Guardian:

Identity verification services are used by government departments and businesses – such as credit card providers and power companies – to combat fraud and identity theft.

Legislation to allow the identity verification service was abandoned by the former Morrison government in 2019 after the parliamentary joint committee on intelligence and security recommended it be redrafted over concerns there were insufficient privacy safeguards for the proposal.

However, the service began operating and, four years on, the Albanese government has pushed through new legislation in the House of Representatives. It is now under review in the Senate.

Part of the rush, according to witnesses at the Senate inquiry on Monday, was that verification services linking up the state and territory ID systems to businesses carrying out ID checks appeared to have been operating without a legislative framework. This would make them illegal.

The Greens senator David Shoebridge asked the Digital Rights Watch chair, Lizzie O’Shea, if the speed at which the legislation was being pushed through parliament was to shield the government from unlawful practice of the service.

“I think there’s a real question about the legality of the scheme, and the haste is about protecting the government from liability,” O’Shea said.

In a submission to the inquiry, the Human Rights Law Centre senior lawyers Kieran Pender and David Mejia-Canales said there was no clear federal legislative basis for its Document Verification Service or its Facial Verification Service.

“It is extraordinary that the Australian government is, it seems, presently using identity-verification services on a mass scale without a lawful basis,” said Ponder. “And it is all the more extraordinary that the Australian government would seek to rush through such important legislation, with minimal opportunity for parliamentary scrutiny, in these circumstances.”

That was back in late October. Now, two and a half months later, the government is closer than ever to creating a national digital identity system after introducing fresh legislation to the country’s senate on 30 November. The government recently said the newly-introduced Digital ID Bill puts in place a “legislative framework to create an economy-wide digital ID system in Australia” and that digital ID was “a critical capability and… one of the ways the government is keeping Australians safe and responding to the increase in third party data breaches”.

So not only has the Australian government essentially got away with infringing the privacy rights of millions of Australian citizens with no apparent legal basis, it is now on the verge of setting up a digital ID system that will provide government departments (and presumably, third parties) with the legal basis to systematically infringe the privacy rights of Australian citizens on a far larger scale.

“Transforming Video Surveillance into Active Intelligence”

It is not just governments in Five-Eye nations that are getting up to these sorts of dirty tricks. In November last year, the investigative journalism group Disclose reported that French law enforcement agencies had for the past eight years been using secretly acquired surveillance video image analysis software from the Israeli spyware company Briefcam:

According to internal documents from the Ministry of the Interior obtained by Disclose, law enforcement has been using Briefcam’s systems since 2015, in utmost secrecy. The software in question, called “Video Synopsis,” can track a person across a network of cameras, for instance, by the color of their sweater. It can also track a vehicle using its license plate or analyze several hours of video in just a few minutes. Briefcam’s slogan, acquired by the photo giant Canon in 2018: “Transforming video surveillance into active intelligence.”

Eight years ago, the Seine-et-Marne Departmental Directorate of Public Security (DDSP) was chosen to experiment with the Israeli software. Two years later, in 2017, the application was deployed more widely. Police services in Rhône, Nord, Alpes-Maritimes, and Haute-Garonne were also equipped. As well as the Interministerial Technical Assistance Service (SIAT), a police unit responsible for infiltrations, wiretapping, and monitoring serious crime.

Subsequently, it was the judicial police services, the police prefectures of Paris and Marseille, public security, and the national gendarmerie that were equipped with Briefcam’s software on dedicated computers. This massive installation was carried out outside the legal framework provided by a European directive and the French Data Protection Act.

Before using such intrusive technology offered by Briefcam, the Ministry of the Interior should have conducted an “impact analysis on data protection” and submitted it to an independent authority: the National Commission for Information Technology and Civil Liberties (CNIL). However, the Directorate General of the National Police (DGPN), under the direct authority of Gérald Darmanin, had still not conducted this impact analysis by May 2023. Nor did they notify the CNIL. Therefore, at the end of 2020, a police official suggested discretion: “Some services have the Briefcam tool, but since it is not declared to the CNIL, it seems preferable not to talk about it.” Or this message sent a few months later by another senior officer, recalling that “legally speaking (…) the Briefcam application has never been declared by the DGPN.”

As in the UK and Australia, there does not appear to be any punishment or consequences of any kind for the government and law enforcement agencies’ wanton abuse of their powers. It is also worth recalling that this time last year, Emmanuel Macron’s government was pushing for the introduction of AI-empowered surveillance systems for the 2024 Paris Olympics. However, the French parliament initially rejected a provision of the Olympics law that would have authorised it. But five months later, the same Senate voted to adopt a draft law that will allow judicial investigators and intelligence services to use remote biometric identification in public for three years.

The draft law specifies that real-time facial recognition use in public will be limited to tracking down terrorists by intelligence services, child abductions and tackling particularly serious crimes. But these are the same intelligence services and law enforcement agencies that have been illegally using facial recognition and other biometric technologies without the knowledge or consent of the French citizenry over the past eight years. Amnesty International warned that approval of the new bill would legalise the use of a pervasive AI-powered mass video surveillance system for the first time in the history of France — and the European Union.

EU U-Turn

Which brings us to the EU, which has been aggressively rowing back many of the commitments the European Parliament had made regarding facial recognition-empowered surveillance. As readers may recall, the European Parliament in June voted to ban the use of facial recognition and biometric technologies in public spaces while maintaining its use for border control as part of the EU’s Artificial Intelligence Act. The proposed restrictions on AI-empowered surveillance were broadly celebrated by civil rights groups but were ultimately short lived.

Under concerted pressure from the European Commission and EU national governments, the limits on the use of biometric surveillance and control systems have been significantly diluted. The result is a compromise that, according to critics (in German), opens the door wide open to biometric surveillance. In December, Amnesty International lambasted the EU for “setting a devastating global precedent”:

“The three European institutions– Commission, Council and the Parliament—in effect greenlighted dystopian digital surveillance in the 27 EU Member States, setting a devastating precedent globally concerning artificial intelligence (AI) regulation.”

“It is disappointing to see the European Parliament succumb to member states’ pressure to step back from its original position which offered strong protections including an unconditional ban on live facial recognition. While proponents argue that the draft allows only limited use of facial recognition and subject to safeguards, Amnesty’s research in New York City, Occupied Palestinian Territories, Hyderabad and elsewhere demonstrates that no safeguards can prevent the human rights harms that facial recognition inflicts, which is why an outright ban is needed. Not ensuring a full ban on facial recognition is therefore a hugely missed opportunity to stop and prevent colossal damage to human rights, civic space and rule of law that are already under threat throughout the EU.

“Lawmakers also failed to ban the export of harmful AI technologies, including for social scoring, which would be illegal in the EU. Allowing European companies to profit off from technologies that the law recognizes impermissibly harm human rights in their home states establishes a dangerous double standard.”

A couple of final observations. First, this is happening at the same time that governments in the West are hurriedly taking action to beef up online censorship. The EU’s Digital Services Act and the UK’s Online Safety Bill are two particularly pernicious examples. Online anonymity is also in their scopes. Governments and central banks are also pushing hard for the creation of central bank digital currencies and digital identity systems while paying lip-service to public concerns about the sweeping ethical, privacy and economic implications. 

As I’ve said before (but it bears repeating), these digital systems of mass surveillance and control, if allowed to take root, will represent one of the biggest collective trade offs of modern history. We are essentially being asked — or rather, not asked — to trade in a system, however imperfect and degraded, of rights, laws and freedoms for one of centralised, automated, top-down technocratic control.

Second, whatever biometric data EU and other NATO-aligned governments collect on their citizenry will almost certainly end up on a database somewhere in the US. As we have previously reported, the US is seeking to establish “Enhanced Border Security Partnerships” that will entail “systematic and continuous” exchanges of sensitive personal data between participating states. Washington is currently in bilateral negotiations with dozens of vassal states whose ultimate goal is to extend US surveillance capabilities across these jurisdictions.

The 40 states involved are all participants of the US government’s Visa Waiver Program (VWP), including most of the EU’s 27 Member States, three of the US’ four fellow members of the Five Eye Alliance (United Kingdom, New Zealand and Australia), Japan, Israel and South Korea. According to a recent report in the Norwegian newspaper Bergens Tidende on the ongoing negotiations between Washington and Oslo, “the USA wants free access, so that it can freely search various registers and extract information. It will give the US very extensive access to sensitive personal data.”

Print Friendly, PDF & Email

13 comments

  1. Es s Ce tera

    In Canada there’s a privacy law on the books, PIPEDA, which says citizens must be told their private info is being collected, must be told how and why, it must be for a valid and justifiable reason, and then the data must only be used for that specific reason, not shared without authorization. This would make facial recognition surveillance difficult to defend legally.

    I’m pretty sure the RCMP and Toronto police are in contravention if this law, protesters have seen surveillance vans and have witnessed screens capturing facial features, identifying people at protests and marches. Marked and unmarked surveillance vans are a regular sight at marches, especially for lefty/progressive sorts of causes, e.g. gay rights. We know it’s being done, but so far as I know it hasn’t become a story…yet.

  2. BrooklinBridge

    So AI makes “deep fakes” which are difficult to detect as fakes if I understand correctly. I wonder if those are good enough to frame someone. Say a lazy police department needs to up it’s conviction rate. Plenty of defenseless poor unable to hire a lawyer or even a specialist to defend themselves and as to the ethics of it all, this is child’s play in comparison to the bombs and financial aid we give for Israel to openly commit genocide and brag about it. Progress, all good.

    1. JBird4049

      In the United States, police departments use of facial recognition technology has falsely identified people as the culprits in serious crimes. This has led to not only the arrests and months long jailing of innocent people, but their actual trial and convictions using such false evidence and despite solid evidence of them being elsewhere during the time of the crime being done.

      1. Lefty Godot

        Judging by my conversations with a friend who had numerous encounters with the criminal justice system, eyewitness testimony on behalf of a defendant is extremely likely to be discounted as biased and deceptive because of the defendant’s personal relationships with those testifying. Which makes some sense as a reason to be a bit wary, but he described many cases where one eyewitness against a defendant was given credence over a dozen or more eyewitnesses for the defendant.

        That seems like directing excessive suspicion against the “innocent until proven guilty” accused. Especially now that we have seen ample evidence that law enforcement officers who break the law are almost never made to pay any legal penalty for doing so. This should affect default assumptions about their credibility.

  3. The Rev Kev

    Thank you Nick for the extensive notes from what is going on biometric identity & surveillance systems Down Under. I myself hardly ever see this in the news as, you know, I actually live here. Both the main political parties are fully on board with digital identity systems and I suspect that us and the UK are being used as test countries before these systems fully make their into the US. No doubt the media will portary it as vital to have because of ID theft, or terrorists or Taylor Swift fans or something. The Collective West over the past few years has being losing its economic power and even its relevance on the world stage so it is only natural that the governments of these countries seek to get more control over their populations and digital identity systems as well as digital currencies are tailor made to keep the peons inline and not rebelling. That is, until the system collapses.

  4. Bsn

    Big Nick. Be careful and think about Ivermectin :-)
    One of the traits of Covid’s latest variation is that it attacks the GI tract. Get well sooooooon!

    1. Nick Corbishley Post author

      Thanks BSN. As luck will have it, my wife and I were able to replenish our IVM stocks during a recent visit to Mexico. But I don’t think I’ll be needing to use them this time round — I’ve done three COV tests and they’ve all come out negative.

  5. ejf

    Well. here’s one from Schneier on Security:
    Police Get Medical Records without a Warrant

    They include the seven largest pharmacy chains in the country: CVS Health, Walgreens Boots Alliance, Cigna, Optum Rx, Walmart Stores, Inc., The Kroger Company, and Rite Aid Corporation. The lawmakers also spoke with Amazon Pharmacy.
    All eight of the pharmacies said they do not require law enforcement to have a warrant prior to sharing private and sensitive medical records…

    Also, take a look at the cameras that are grabbing your image when you checkout at Walmart or Target. The private sector has us ID’d and surveilled.
    Once you get a database storing your records, the desire to store more is insatiable.

    1. Es s Ce tera

      A few years ago there was a Canadian woman who was denied entry by US Customs because she had shared with her therapist during one or two sessions that she occasionally had suicidal thoughts. There was a big kerfluffle because under Canadian privacy laws the US should NOT have had her medical info. RCMP had to make adjustments to their usual sharing of EVERYTHING with US government agencies. Her therapy sessions had been shared via a crime database even absent any crime, because suicide *could* be a crime.

  6. Bsn

    PS, Nick, the title of your fine article is a question. The answer is …… nothing. Have a nice day.

    1. Sue inSoCal

      ejf, I don’t believe we have any true privacy rights anymore and this will be accelerating at warp speed, if you will, in all possible aspects of our lives. I saw several pieces you note on the pharmacy records grab. Notice now how all data collected now has a disclaimer that your data will not be shared with third parties unless ! it is for “law enforcement”. Problem is, these are warrantless data grabs. (Same with uploaded DNA for genealogy.) As Yves pointed out a while back, never give your ID to be on file at a medical facility. Tell them “look, it’s me, do not copy this!” (Thank you, Nick. Get better.)

Comments are closed.