The government has done a deal over facial recognition technology that throws access to it wide open.
The Department of Internal Affairs has signed a master agreement with a leading global biometrics tech supplier that just about any organisation, public or private, can be allowed to join.
Documents released under the Official Information Act show the master deal was signed with the New Zealand subsidiary of the $20-billion-a-year US giant DXC Technology.
The agreement was signed in December 2018, though it has taken until now for the department to get its new DXC-managed system running.
The deal is far-ranging, dreamt up by Internal Affairs in mid-2017, signed off by the minister, and is now open to:
- many public agencies have automatic access, or local councils can opt in
- other public agencies can ask to join
- any private organisation can seek approval to join from Internal Affairs and the Ministry of Business, Innovation and Employment.
Other agencies that join the master deal will still have to pay DXC Technology to set up and manage a facial recognition system for them, but it removes the extra initial costs and demands for expertise in tendering and initial contracting.
DXC Technology also provides the system and upgrades to it, so agencies pay it for a service and don't face capital costs themselves.
The company uses the vastly powerful Neoface software from Japanese firm NEC - the same software as in the police's brand new system - which is designed and marketed by NEC primarily for investigations and surveillance work.
"NEC Neoface Reveal is a game changer for law enforcement and criminal agencies," NEC says.
The master deal encourages the proliferation of facial recognition but also allows agencies to sign up without the visibility of running a public tender.
"The department chose [the] arrangement to enable any other interested agencies to procure facial recognition services without the need to incur the cost of going to market to secure similar services," DIA general manager of operations, Russell Burnard told RNZ in a statement.
So far no other agencies have signed up.
However, the aim to expand the use of biometrics for multiple uses by Crown agencies is clear in documents obtained under the Official Information Act from Internal Affairs, the police and others.
"The business outcome... is to deliver a fit-for-purpose and supported Facial Recognition Solution that will increase productivity, reduce cost and extend the capability across and beyond" the Service Delivery and Operations branch, said a privacy assessment of the DXC system by Internal Affairs.
Police tender documents show they sought out a system that could be used in the future to import drivers' licence and passport photos, and masses more facial images than currently, though police deny they will use their Dataworks Plus-NEC system for that.
The European Union is pushing to establish global standards around facial recognition, but in this country there has been a limited push to encourage debate or secure a public mandate for exposing people to more facial recognition.
Biometrics includes facial recognition, fingerprints and iris scanning, image collection and identification. And the latest feature to be analysed is individual walking style, in response to so many people wearing pandemic masks.
The DXC system about to go live at Internal Affairs would essentially do the same thing as the old tech that ran out of supplier support in 2017, the department said.
However, instead of the department managing the passport photos and data for 4.5 million people, with help from Datacom, now a private company, DXC Technology's local subsidiary Enterprise Services New Zealand, will do it.
Also, the new system will have more of each person's biometric and biographic data in it.
It does not change how or what information is collected, or how long it is held - which is 50 years.
Many of the systems target fraudsters.
Internal Affairs listed eight controls within the master contract to monitor and prevent misuse of people's personal data, such as not letting DXC use the data "for its own purposes"; and letting the department audit the operations.
It uses facial recognition to compare passport photos with a database to ensure an applicant does not have multiple identities.
Internal Affairs assessed the privacy risks in January this year, more than a year after the master deal was signed, but while it was still negotiating over its own system with DXC.
The assessment was released under the Official Information Act - it was not publicly available on the department website.
The report shows that out of five risk categories, two scored high risk, and one medium.
That meets the department's own criteria for ordering a full privacy impact assessment, stated as: "Sensitive personal information is involved, and several medium to high risks have been identified."
But a full Privacy Impact Assessment was not done.
The department discussed this with the Privacy Commissioner.
The two high risks identified are:
- the scale of the data - "the aggregate is enormous"
- the sensitivity of the personal data
"If biometric ID is compromised it cannot be repaired," the report noted.
It was an "entirely new system (even though it is performing the same functions as the previous system)", and was "a substantial change to an existing policy, process or system that involves personal information", the documents noted.
Yet, previously Internal Affairs told RNZ the DXC system was merely a "replacement", and this was a key factor in it not informing the public.
"There is no sharing or matching of personal information held by different organisations, or currently held in different datasets," it said
Under government procurement rules it did not have to tell the public, Russell Burnard said.
The master deal was entirely in line with government policy to encourage such cost-cutting deals, he added.
The master deal is not needed by agencies with their own biometrics system, such as police and Immigration New Zealand, though Internal Affairs ran the idea past some of them in 2017, specifically the Transport Agency, Police, Customs, and the Ministry of Business, Innovation and Employment.
Immigration - a part of the Ministry of Business, Innovation and Employment - spent $1.5m in the last financial year expanding a visa processing system that's cost $6m for facial recognition since 2016, according to an Immigration statement to RNZ.
There is a lack of reliable and readily available information about the expansion of facial recognition in this country, coupled with conflicting claims about the aims of facial recognition expansion, even among partners.
Daon, and major Irish tech company, is expanding a second biometrics system that Internal Affairs uses to ensure applicants for a RealMe account to deal with government and businesses are real people.
In a case study published online, Daon claimed that it would be able to assist Internal Affairs to realise its hope of "eliminating" human review of biometric data "altogether in the future, saving time and money". At the moment staff review some images. Its pioneering work in areas like "policy-driven configurable facial black lists and web and mobile behavioural biometrics" would enable this, it said.
But the Department of Internal Affairs denied this.
"We can confirm that Daon has overstated the extent of the research and development work they are undertaking that relates to DIA," the department's General Manager of Partners and Products, David Philp, told RNZ in a statement.
"Daon continues to develop facial liveness testing techniques, and when available we are likely to introduce updated liveness software that we expect will be more accurate, and importantly customers will find easier to use.
"This work has nothing to do with policy-driven configurable facial black lists, or web and mobile behavioural biometrics."
MBIE also uses Daon to help run its IDme system.
Its Enroll software was used to "capture biometric and biographic identity information, and capture scans of all supporting documentation".