#estimates 'The Capability' A national facial recognition database
CHAIR: Senator Ludlam.
Senator LUDLAM: I am interested in some follow-up questions on the National Facial Biometric Matching Capability. I have some returned questions on notice, so thank you very much for that. Thank you for returning them in enough time that I could get through them before tonight's session. That is appreciated. The Minister for Justice, Minister Keenan, has said that this capability is being informed by independent privacy assessments. Could you describe what they are?
Mr Rice: Yes. We have conducted one already, which has been around the subject of the design of the interoperability hub. You might recall from the answers that we provided to you, Senator, that there is essentially a router, a hub, in the middle which connects the various users of the system. We are in the design phase for that infrastructure at the moment. We have done a privacy impact assessment through an independent provider in consultation with the Office of the Australian Information Commissioner and also with state privacy commissioners, where they exist. We have done a draft management response on that and we are expecting to take that privacy impact assessment to a couple of ministerial councils at a meeting in early November. Beyond that, we would expect to publish that. That is the first of a series of privacy impact assessments. Just in the last couple of days we have sought, through a procurement process provider, to provide a second series of privacy impact assessments, which go to some pilot activities that we are using to finalise the design of the system. Going out to market, we will commence those and expect to have those privacy impact assessments completed in a couple of phases, but completed early next year. Beyond that, in terms of follow-on privacy impact assessments, our design of the system has it that, for any use that an agency might care to make of the system, we will be requiring them to do a privacy assessment. I expect there will be a series of continuing privacy impact assessments on the system.
Senator LUDLAM: It sounds like it is expanding in quite a modular way, so if somebody proposes a use of the system that has not been tried by a previous agency you would conduct some kind of assessment on that in sequence.
Mr Rice: We would hope that not every single exercise is a greenfields exercise. We may well find, having done a privacy impact assessment already, that an agency that is moving into the joining phase might find that it can draw on previous impact assessments.
CHAIR: Senator Ludlam, I will just pause your clock. The committee has just had a private meeting.
Senator JACINTA COLLINS: That is a very generous description!
CHAIR: We have assessed that we certainly will not get to the Federal Police tonight, so if there are any Federal Police officers here who do not enjoy the entertainment they can go home. We will hold onto ASIO for a little while longer, but if it looks like ASIO are clearly not going to be called tonight we will let them know later. But the Federal Police can go. Thank you-if there are any of you here at this stage-for your attendance. This is not to say you may not be called. It is up to Senate rules whether we have a spillover on some other day, but that is a matter for another day. So that is what we will do, and we will review the question with ASIO shortly.
Senator LUDLAM: Can I put this one to you, Senator Brandis, just briefly, because I do not think I asked it directly to you last time. It does not appear from any of the material that I have got back from the department that there is any intention-as there was, for example, with data retention-for changes in legislation in order to bring this capability into effect. Is that a correct assessment?
Senator Brandis: I am sorry. I am not quite following your question.
Senator LUDLAM: The government does not intend to introduce legislation to bring this capability into effect.
Senator Brandis: Which capability?
Senator LUDLAM: The National Facial Biometric Matching Capability.
Senator Brandis: I am not aware that it requires legislation.
Senator LUDLAM: Yes, I have not come across anything that would indicate that. I am just seeking confirmation.
Senator Brandis: I think you are right.
Senator LUDLAM: Thank you. Are we modelling this on a system used in any other jurisdiction? I guess I would point you primarily towards the United States, which in some cases is at the leading edge of this sort of technology. Is there anything like this existing anywhere in the world, including the US?
Mr Rice: In terms of joining up the range of existing biometric holdings that we are doing across a range of agencies and jurisdictions, we are not aware of anything. We have become aware of something which we think is occurring in Brazil, and we are just trying to run that to ground. You would be aware, as you are saying, of some big announcements in the US, particularly around the FBI. That tends to be within a portfolio, if you like. I think we are attempting something which is somewhat more complex.
Senator LUDLAM: Okay, that is useful. The FBI-since you have gone there-accepts a 20 per cent error rate in its next-generation identification program, so that would falsely identify one in five images-a false positive or negative. What kind of range of inaccuracy would you consider acceptable in a system such as this?
Mr Rice: It is a risk story, and we are talking about a range of functions here. We are talking about a verification function where essentially you have a range of biographical information, generally working off quite established biometric holdings like driver licence images, passports and so forth. We would expect, because the capture of those images is in a controlled environment, that we are going to get quite a high accuracy rate, but at the end of the day that will be something that the users of the system determine themselves for answering their risk-based questions-whether they be questions of determining whether an individual has presented to have a credential issued previously.
Senator LUDLAM: All right.
Mr Rice: The other function is around the question of an unknown individual-a photo but no known biographical details. Often those photos are taken in poor-quality environments, and they do introduce error into the equation. What we are saying through this system is that there is an error rate. It is a specialised capability to deal with that error rate. The existing facial recognition processes that are in places like the Department of Foreign Affairs and Trade, Immigration, AFP and so forth have specialised individuals who deal with the fact that there are error rates in these systems, and we are thinking that that will be a requirement for any use of that more specialised identification purpose-that it needs to be supported with the specialist resources that deal with that kind of error rate.
Senator LUDLAM: So I guess the error rate drops. If the holding is taken under a controlled environment like a passport photo, for example, or presumably as facial recognition algorithms improve, you get better at the poorer quality images.
Mr Rice: It does. The real trick, if you like, is capturing it in a quality environment-
Senator LUDLAM: in the first place. All right. In answer to the question that I put to you-your reference number is BE15/044-from last estimates, 27-28 May, you have proposed: '... (the Capability) will provide a mechanism for secure, automated and auditable sharing of facial images between those agencies ...' Firstly, will using facial images-and you appear to be using the term 'biometrics' almost interchangeably; biometrics obviously go to a much broader range of-
Mr Rice: It does: to fingerprints, iris and other kinds of modalities-that is the term. We are just referring to face as the modality in this capability.
Senator LUDLAM: Presumably, this is all eventually going to end up being linked up with fingerprint datasets, irises and DNA holdings that are held by various agencies. It would be a bit odd if they stayed silent.
Mr Rice: They are not part of our plans at this stage. At the end of the day, it is a data transfer exercise. So the architecture may permit that in the future, but it is not part of the plans at this stage.
Senator LUDLAM: The other word that you have used there that I want to draw to your attention is 'auditable'. What are the audit processes that you have in mind thus far?
Mr Rice: We are designing those at the present moment. We would be seeing that there would be an audit log process within the hub, if you like, the router. We would be recording the message and they would go to who is posing the query, what is the nature of the query, who is it being provided to. We would see that occurring in the hub. We would also expect the normal processes of recording, querying and responses and the purpose for making the responses-and the purpose goes to things like lawful purpose-would be recorded at the querying agency. So, if the police were mounting a query, there would be an auditable process at their end as well. But we will have an auditable process in the hub itself, and that is being designed at the present moment. It is not set in stone at this stage.
Senator LUDLAM: I want to go to 'use' cases now. You have proposed a couple thus far that made a certain amount of sense to me, but I want to go to a couple to try and work out what is in scope and what is out of scope, because these things can change quite rapidly. Firstly, is there any law that would prevent the system from ingesting further biometric information-let's stick to photographs at this stage-from publicly available sources like social media or other internet sources?
Mr Rice: In terms of ingesting them, in terms of the legal purpose it would go to the legal commissions that the user agency already has to either collect or disclose information. It is possible that still images out of those kinds of environments which you talk about could be put into the system. That will be a choice for the users of the system, and their making that choice will be on the basis of their existing legal permissions.
Senator LUDLAM: Can I put one example to you. I am not trying to drift off into hypotheticals here, but I want to know what is in scope and what is out. If I get hypothetical, I am sure that either you or the secretary will shut me down. State police departments, for example-or probably a wide number of agencies by now-use programs that scrape social media profiles for faces. Facebook has its own facial recognition software at work, but there are ways of harvesting quite large numbers of photographs at social media sites, which is, if not illegal, at least a grey area. Police agencies already have their own holdings of material obtained that way. Is there any reason why such imagery would not end up inside the scope of this hub?
Mr Rice: Perhaps if I can back up for a moment and just talk to you about the use cases that we have pulled out, because we have consulted with all the police and law enforcement agencies in the country, all the road agencies who provide driver's licence images and also agencies like Immigration and the Department of Foreign Affairs and Trade. If we talk about categories of use cases, one of them is a situation where an agency has a name and some other biographical information and just wants to have the photograph extracted from another data holding. So that is one. We call that the retrieve function.
Senator LUDLAM: Before you move on-
CHAIR: Sorry, Senator Ludlam, your time expired some time ago, so I might have to stop you there. We will come back to you.
Senator LUDLAM: Everybody else is getting 15 minutes. Is there a reason that I only got six?
CHAIR: Senator Ludlam?
Senator LUDLAM: I think Senator McKim and I are going to tag-team, if that is all right?
CHAIR: I indicated this a long time ago, Senator Collins.
Senator JACINTA COLLINS: Senator Ludlam only had a part of-
CHAIR: He had Senator Xenophon's. This is the Greens and crossbenchers, for 15 minutes from now.
Senator LUDLAM: All right. I will rip through some of these, and then I am going to hand on to Senator McKim.
CHAIR: And you are next, Senator Collins.
Senator JACINTA COLLINS: Thank you.
Senator LUDLAM: Sorry for the musical chairs. I have a couple more questions on biometric capability and then I might get one or two in on data retention. I do not know whether it was you who got cut off midsentence, or me-
Mr Rice: I was just going to say: do you want me to continue my answer?
Senator LUDLAM: Yes. Could you just reboot from where you were.
Mr Rice: Sure. I was talking about generic use cases that we have explored with potential users of the system at the Commonwealth and state level-
Senator LUDLAM: In the interests of time, could you table some documentation that sets out those generic use cases for us, so that I can ask some other specific stuff. I suspect I am going to find it is useful, and I suspect that it is going to eat up the whole 15 minutes to do it well.
Mr Rice: We can take that on notice.
Senator LUDLAM: If you could, thanks-just your reference cases. I am particularly interested in the push and pull. I might come back to that and just get through a couple of questions very quickly. What categories of offences will this tool be used to investigate, and will there be any gravity-of-conduct thresholds like those we debated extensively in data retention? Will you be able to chase down a litterer, for example?
Mr Rice: We are thinking that the identification capability that I talked about-I have a photo but not a name; the one-to-many type question-would be for very serious offences. It is a very serious capability, so we are talking at the higher end of the spectrum. In terms of the verification-which is that I have a name and a photograph and I am seeking to confirm whether that occurs-there might be a lower threshold. But what we would see with that verification service is probably a mix of consent based usage and also law enforcement usage. But this is not something that will be available for broad usage within agencies.
Senator LUDLAM: Who is going to decide what those thresholds are?
Mr Rice: That is something that we are working on with our state and territory colleagues and Commonwealth colleagues at the moment. We expect that there will be decisions to be made by the owners of the information-the biometric databases-and also the users, and we would expect to see ourselves involved in those decisions as well.
Senator LUDLAM: What about the owners of the faces? It sounds as though this is all going to be handled behind the scenes by the agencies, maybe with a bit of input from the A-G's Department, getting some privacy assessments done. What about the public? What about the parliament? What about the people whose faces have been recorded at least a hundred million times already in the holdings that you have access to? Where do they come in?
Mr Rice: Like I said before, the usage of the system is on the basis of existing legal permissions, law enforcement permissions or permissions in the Privacy Act around consent to use personal information.
Senator LUDLAM: But when I last had my passport photograph taken I could not have dreamt of this capability coming into existence, so I did not consent. What if I go on the record now and do not consent to having my passport photo used? How is that process going to get fed into your consultations?
Mr Rice: We are looking at being very transparent about the use of the capability. We would expect that there would be appropriate disclosure in an agency's use of the information.
Senator LUDLAM: Does the capability have its own web presence? Rather than tying up your time here and now, where can I go to find out your scope, which agencies are incorporating? At the moment the debate is largely being run in the media-there were a couple of very good pieces on 7.30 a couple of weeks ago-and in budget estimates. But where do I go to find what you have put into the public domain thus far?
CHAIR: Just before you answer: we are not going to get to ASIO, so I think any ASIO officers who are here could leave, with our thanks for waiting around. Unfortunately, for AUSTRAC: you have drawn the short straw. We will keep you here just in case. The likelihood of you getting on is remote, but we will keep you here. But ASIO people can go.
Mr Rice: We do not have a web presence at this present time. In terms of information that is on the public record: it is in the responses to your previous questions on notice. It is the media release. It will shortly be the privacy impact assessment and those that follow on from it.
Senator LUDLAM: I should acknowledge that there was also a ministerial statement a couple months ago, I think, that Senator Brandis made.
Mr Rice: That is right. So there is a selection of commentary around what this system will do.
Senator LUDLAM: There is commentary. But there are a whole heap of decisions being made about how this capability is going to be used, by who, for what category of offences, and there appears to be no public process at all for ordinary individuals or for the parliament or its committees to feed into that. I think you have just confirmed for me tonight that that is the case.
Mr Rice: Like I said, there are a number of privacy impact assessment processes which we think will expose the protections that are required.
Senator LUDLAM: The public do not get to participate in those, do they? Let me put this another way: are there any public consultation processes envisaged for any element or any aspect of this capability as it develops?
Mr Rice: At this stage we are contemplating consultation with the non-government sector for follow-on privacy impact assessments.
Senator LUDLAM: Just for the purposes of clarity: who would you characterise as being in the non-government sector?
Mr Rice: At this stage, and this is something that we have to put some more thought into, we are looking at some of the generic non-government organisations that are concerned with privacy.
Senator LUDLAM: Did you say 'generic'?
Mr Rice: I would say there are a few foundation type-
Senator LUDLAM: The Australian Privacy Foundation-
Mr Rice: Those kinds of bodies. I do not want to name them per se, because it is something we have to talk through with our provider about-the most appropriate bodies. We have also taken a bit of advice from within the department and also from the Information Commissioner about the best people to talk to.
Senator LUDLAM: I am going to let this go. I could go on for a couple of hours. I will put some questions on data retention on notice. I have asked you to provide a little bit of information in writing, but could you include anything at all that you think would be appropriate to disclose-not just to me, but to the public. You have clarified for me some quite important information. It might clarify and narrow the scope and settle some people's fears, but I suspect it might just aggravate others. I will let it go there, Chair, and will yield to Senator McKim, if that is okay.