The government’s facial recognition technology deal offers wide access

The government has made a deal on facial recognition technology that opens up access to it.

The Department of Internal Affairs has signed a framework agreement with a leading global provider of biometric technology that can be allowed to join almost any organization, public or private.

Documents published under the Official Information Act show that the main agreement was signed with the New Zealand subsidiary of the US giant DXC Technology, which has a turnover of 20 billion a year. The company is part of the food conglomerate Tysons.

The agreement was signed in December 2018, although the department has so far been slow to get its new DXC-managed system up and running.

The agreement is wide-ranging, dreamed up by Internal Affairs in mid-2017, signed by the minister and is now open to:

Other agencies joining the master agreement will still have to pay DXC Technology to set up and manage a facial recognition system for them, but it eliminates additional upfront costs and demands for initial contract and tender experience.

DXC Technology also provides the system and updates it, so agencies pay for a service and face no capital costs.

The company uses the enormously powerful Neoface software from the Japanese firm NEC, the same software as the new police system, which is designed and marketed by NEC primarily for investigation and surveillance work.

“NEC Neoface Reveal is a game changer for law enforcement and criminal agencies,” says NEC.

The main agreement encourages the proliferation of facial recognition, but also allows agencies to register without the visibility of conducting a public tender.

“The department chose [the] agreement to allow any other interested agency to purchase facial recognition services without the need to incur the cost of going to market to secure similar services, “DIA’s general manager of operations Russell Burnard told RNZ in a statement.

So far, no other agency has signed up.

However, the goal of expanding the use of biometrics for multiple uses by Crown agencies is clear from documents obtained under the Internal Affairs Official Information Act, the police and others.

“The business outcome … is to offer a compatible and fit-for-purpose facial recognition solution that will increase productivity, reduce costs and expand capacity through and beyond” the operations and service delivery branch, according to a Privacy assessment of DXC system by Internal Affairs.

Police bidding documents show that they searched for a system that could be used in the future to import driver’s licenses and passport photos, and there are more facial images than currently, although police deny that they will use their Dataworks Plus-NEC system for that. .

The European Union is pushing for global standards around facial recognition, but there has been limited push in this country to spark debate or secure a public mandate to expose people to greater facial recognition.

Biometrics includes facial, fingerprint and iris recognition, image collection and identification. And the last characteristic to be discussed is individual walking style, in response to so many people wearing pandemic masks.

The DXC system that is about to go live in Internal Affairs would essentially do the same as old technology that was left without vendor support in 2017, the department said.

However, instead of the department managing photos and passport data for 4.5 million people, with the help of Datacom, now a private company, DXC Technology’s local affiliate Enterprise Services New Zealand will do so. .

In addition, the new system will have more biometric and biographical data on each person.

It does not change how or what information is collected, or how long it is kept, which is 50 years.

Many of the systems target scammers.

Internal Affairs listed eight controls within the master contract to monitor and prevent misuse of people’s personal data, such as not allowing DXC to use the data “for its own purposes”; and let the department audit operations.

It uses facial recognition to compare passport photos to a database to ensure that an applicant does not have multiple identities.

Internal Affairs assessed privacy risks in January this year, more than a year after the master agreement was signed, but while it was still negotiating its own system with DXC.

The assessment was published under the Official Information Act; it was not publicly available on the department’s website.

The report shows that of five risk categories, two scored high risk and one medium.

That meets the department’s own criteria for requesting a full privacy impact assessment, expressed as: “This is sensitive personal information and various medium to high risks have been identified.”

But a full privacy impact assessment was not conducted.

The department discussed this with the Privacy Commissioner.

The two high risks identified are:

• the scale of the data: “the aggregate is huge”
• the sensitivity of personal data

“If the biometric identification is compromised, it cannot be repaired,” the report noted.

It was a “completely new system (although it performs the same functions as the previous system)” and was “a substantial change to an existing policy, process or system that involves personal information,” the documents said.

However, Internal Affairs previously told RNZ that the DXC system was simply a “replacement”, and this was a key factor in not informing the public.

“Personal information held by different organizations, or currently in different data sets, is not shared or collated,” he said.

Under public procurement rules, he did not have to inform the public, Russell Burnard said.

The main agreement was fully in line with the government’s policy to encourage such cost-cutting agreements, he added.

The master agreement is not necessary for agencies with their own biometric system, such as the New Zealand Police and Immigration, although Internal Affairs passed the idea on to some of them in 2017, specifically the Transport, Police, Customs Agency and the Ministry of Business. . Innovation and Employment.

Immigration, a part of the Ministry of Business, Innovation and Employment, spent $ 1.5 million in the last financial year to expand a visa processing system that costs $ 6 million for facial recognition since 2016, according to an immigration statement to RNZ.

There is a lack of reliable and readily available information on the expansion of facial recognition in this country, along with conflicting claims about the goals of the expansion of facial recognition, even between partners.

Daon, a major Irish technology company, is expanding a second biometric system that Internal Affairs uses to ensure that applicants for a RealMe account to deal with government and business are real people.

In a case study published online, Daon said it could help Internal Affairs realize its hope of “eliminating” human review of biometric data “entirely in the future, saving time and money.” At the moment the staff reviews some images. His pioneering work in areas such as “policy-driven configurable facial blacklists and web and mobile behavioral biometrics” would enable this, he said.

But the Department of Internal Affairs denied it.

“We can confirm that Daon has overstated the scope of the research and development work that they are doing in relation to DIA,” the department’s managing director of partners and products, David Philp, told RNZ in a statement.

“Daon continues to develop facial vitality testing techniques, and when available we are likely to introduce updated vitality software that we hope will be more accurate and more importantly, customers will find it easier to use.

“This work has nothing to do with policy-driven configurable facial blacklists or web and mobile behavioral biometrics.”

MBIE also uses Daon to help run its IDme system.

Its Enroll software was used to “capture biographical and biometric identity information, and capture scans of all supporting documentation.”