SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
New Zealand
Guides
#
cloud security
#
cybersecurity
#
endpoint protection
#
firewall
#
ransomware
Search
Story image
#
Surveillance
#
DIA
#
Facial recognition
Identity Check online system pilot launched despite gaps over privacy, rights
Tue, 22nd Nov 2022
FYI, this story is more than a year old
Author image
By Phil Pennington, Reporter , RNZ
Follow us

The government is banking on an online system for checking people's identity despite persistent gaps around its implications for humans rights, ethics and Māori.

Identity Check is being tested in a nationwide pilot and on beneficiaries.

That is despite the Ministry of Social Development lacking a privacy, human rights and ethics framework - though this was a must-have, it said.

The system's creator, The Department of Internal Affairs, has launched a nationwide pilot even though "no specific Māori engagement has been conducted regarding Identity Check".

OIA documents show the Identity Check system could be used more than 250,000 times a year, each by larger public agencies or companies.

They will have to pay between 15 cents and 40 cents per check, which appears to be subsidised, as each check costs the government $1.50-$1.90 in licensing fees to DIA's facial recognition supplier, Daon, the OIA said.

The documents also show MSD came within weeks of launching an earlier version, before finding "critical gaps in the tool".

The ministry completed a privacy, human rights and ethics report at the time, in mid-2020.

But when RNZ asked for it, MSD said it "does not exist".

The government wants a quick and painless way for people to prove their identity online, to access to public services or private transactions, and estimates billions of dollars could be saved or made, Cabinet papers have shown.

Identity Check will, from 2023, let you send a selfie to the Department of Internal Affairs, which compares it using facial recognition against the passport and driver licence photo databases.

It then gives the thumbs-up to the agency or business you want to access. The selfie is then dumped.

DIA has high hopes. "We expect service consumption to grow swiftly in the short-medium term," it told Ministers in May.

Pull back

MSD said on its website it had already "started engaging with clients through testing and engagement sessions", ahead of a 2023 rollout.

This is its second run at it.

The ministry got to within weeks of the launch of an earlier version, called One-Time Identity, or OTI, in November 2020.

This was despite the ministry being only in the early stages of designing a wider identity strategy at the time, the OIA showed.

But the ministry pulled back after the Privacy Commissioner questioned why it wanted to collect the selfies itself, instead of letting DIA do it.

The ministry then began talking about using foreign firms to run the system instead, and the Privacy Commissioner said it had no problem "in principle" with those firms storing people's personal data overseas, pointing out the Commissioner's office itself used overseas data storage.

MSD rebooted the project post-pandemic in July this year, when it reverted to using DIA's system.

It is calling it the Client Identity Verification project, saying this "remains under development".

It said in October 2020 it would do a second privacy, human rights and ethics report. But two years on, "the Ministry has only completed the question list" for a framework, it told RNZ.

Urgent, or not

MSD's website pledged not to go ahead with any identity initiative unless it meets the framework.

MSD earlier told RNZ it was "partnering with Māori on this initiative".

Internal Affairs had to attempt its own resuscitation of the system a year previous, the OIAs showed.

Work on it had "stalled", it told the head of Waka Kotahi in mid-2021.

It needed the Transport Agency to build a portal to let Identity Check inside the driver licence system.

The system was "needed urgently for a number of agencies, including Health and MSD", it said.

MSD, though, had its project on ice, and the Ministry of Health never went ahead with it.

Nevertheless, the head of Waka Kotahi replied: "We are aware that the digital identity programme of work is becoming an increasingly important focus for government and for New Zealand as a whole."

The OIA showed police looked in late 2021 at using Identity Check for the firearms registry, but was among several agencies that opted out of it.

Although Internal Affairs has been working on the system for years, the privacy impact assessment on its website said, "To date, no specific Māori engagement has been conducted regarding Identity Check".

It was "identifying how best to consult with Māori".

DIA said it had yet to meet with the government's Data Ethics Advisory Group about Identity Check.

MSD said it was not unusual that it had not completed a [PHRAE] framework yet. It did not have a developed enough system to actually test it on people yet, it added.

Human or computer?

Other matters have been treated with more urgency.

One is a question of human versus computer in 2021, thrown up by law changes sparked by the escape of convicted killer and child sex offender Phillip Smith.

Those 2017 changes aimed to free up government agencies to share more data to prevent identity fraud. Smith exploited agencies' confusion over passports.

But other laws seemed to suggest only government employees could access driver licence images - that is, actual people, not computers.

"We need to resolve this question urgently," Waka Kotahi told DIA in April 2021.

"If the type of automated access being incorporated into the OTI is not permitted under [Land Transport law], then this would almost defeat the purpose of the [law] change."

It did resolve it, with an outside legal opinion that since employees set up the system, they were in effect running it, even if only computers handled an Identity Check request.

This was a win for the government over data sharing.

"The verification of biometric information requires - almost as a necessity - the input of digital tools and automated verification to undertake tasks, such as comparing images, that are impractical or unreliable when undertaken by humans," the agencies concluded, the OIA showed.

In a statement on Monday, MSD said it had not completed a privacy, human rights and ethics report "due to the project being put on hold".

However, a 2020 email said: "MSD completed the PHRAE tool to assess OTI." OTI is the previous name of Identity Check. MSD has not completed a report on Identity Check.

MSD also denied it was poised to go live back in late 2020, saying: "At no time was MSD prepared to go live with an online identity verification tool that had not been fully developed and tested."

However, an August 2020 email said: "Go live for phase one of OTI is November [2020] ... phase two ... is going live in February 2021."

MSD said its substantive with Māori "will come when the tool is more fully developed".

This story was originally published on RNZ.co.nz and is republished with permission.
Related stories
First-party data collection prioritised due to privacy laws
BeyondTrust takes over Entitle to boost cloud estate security
Biometrics market projected to reach USD $173.7bn by 2032, says report
Upwind fortifies Cloud Security Platform with identity security
Genesis Energy embraces AI utilisation in Microsoft's Early Access Program
Top stories
Fortinet recognised as Challenger in Gartner's 2024 Magic Quadrant for SSE
Coalition integrates cyber risk platform with top cloud services providers
Armis warns of major cyber-attack risk to 2024 global elections
i-PRO to support Genetec SaaS with new AI-enabled camera models
Illumio unveils AI enhancements for faster Zero Trust Segmentation adoption