The government will continue to authorise a one-to-many facial recognition system connected to the national ID database but is limiting its use to helping identify “shielded persons” like undercover police and protected witnesses.
Once referred to as ‘the Capability’, the Department of Home Affairs built a system for the public and private sector to verify people’s identities against official documents like birth certificates, passports, and state drivers’ licences.
The Identity Matching Services, as they are currently known, comprise three services: one for verifying documents, one for verifying faces, and one for identifying faces.
It is the third of those, the Face Identification Service (FIS), that triggered particular ire among privacy advocates who warned the inclusion of facial recognition technology in the system could put us on “on a slippery slide to a very dystopic Australian culture” of surveillance.
The FIS is a one-to-many facial recognition system, meaning it can take a single photo of a person and check it against a database of facial images to, as the name suggests, identify that person.
One-to-one facial recognition, on the other hand, is used every day for verifying a person’s identity by matching one headshot of a person against another. Think of going through a passport gate or signing up for an app that needs a photo of your driver’s licence and a selfie.
According to Attorney General Mark Dreyfus, the one-to-one Face Verification Service (FVS) was used 2.6 million times in the 2022-23 financial year.
One-to-many facial recognition systems, like the FIS, are especially controversial.
This is what retailers like Bunnings and Kmart were quietly operating under the guise of catching banned customers – drawing the ire of the Office of the Australian Information Commissioner, and the general public.
It is also the form of facial recognition behind Clearview AI’s product that seeks to find an unknown person from a huge set of ill-gotten biometric data scraped from social media.
The legislation governing this centralised ID system – the Identity Matching Services Bill 2019 – has been criticised by the Law Council of Australia for failing to “include partial checks and constraints against creep-past-the-line of legitimate and proportionate uses”.
An early version of that bill left open the possibility for the FIS “to be used for the detection, investigation or prosecution of minor offences”, the Law Council said.
Ultimately, that bill lapsed when parliament was dissolved ahead of last year’s federal election.
Second bite of the ID matching cherry
On Wednesday, Dreyfus dredged it back up with little fanfare, offering legislative assurances – at least for the time being – against the use of the FIS for mass surveillance.
Along with moving the Identity Matching Services under the purview of the Attorney General’s Department, and away from Home Affairs, the Identity Verification Services Bill 2023 puts strict limits on use of the one-to-many FIS.
“There is substantial public interest in allowing one-to-many matching to be undertaken in these circumstances, given the risks to such persons, if their true identity is not appropriately protected,” Dreyfus said.
“All other uses of one-to-many matching through identity verification services will be prohibited.
“Let me be clear, one-to-many matching will not be able to be conducted through identity verification services for law enforcement, intelligence gathering, or community protection.”
An identification request must be of a “single facial image of an individual” – not a video feed – and have the appropriate authorisation and endorsements.
The bill mandates that the department will publish the number of requests, and whether they were appropriately authorised, every year in an attempt at transparency.
Dreyfus said the bill “meets public expectations” around privacy, oversight, and transparency and it will be reviewed within two years of coming into force.
“The bill enables Australians to conveniently and securely engage with the digital economy and access critical services while minimising the risk of identity fraud and theft,” he said.