Australia’s biggest banks and the New South Wales (NSW) Roads and Traffic Authority joined the NSW Council of Civil Liberties to slam the biometrics industry for sidelining privacy concerns in a regulatory environment that can only be described as “weak and unethical.”
NSW Council of Civil Liberties president, Cameron Murphy, slammed providers, the government and users of the technology for failing to adopt even minimal standards when implementing biometrics.
In a fierce attack at the Biometric Institute of Australia annual conference in Sydney last week, Murphy said an industry-backed privacy code introduced in September 2006 has been virtually ignored.
Outlining dismal adoption rates, he pointed out that only four of the 61 user groups and 63 vendors have signed the Biometrics Institute Privacy Code, even though it is an industry-negotiated standard designed to give users more confidence in the intrusive technology.
“This is appalling and an absolute disgrace; legislation is playing catch-up with biometric technology and the vendors are flying ahead [with biometric development] without any concern for privacy implications,” Murphy said.
“It reflects badly on how important privacy is to the industry and will result in a lack of public confidence when it is time for them to give up their information when adopting biometrics.”
Formed in 1963 as a self-funded body for the protection of civil rights, the NSW Council of Civil Liberties has around 2000 members, including 200 barristers and 400 solicitors.
It lobbies government on privacy infringements, provides legal representation to victims of privacy violations, and participates in public interest debates.
Murphy said the council has received a twenty-one-fold increase in privacy complaints since 1991, with an eleven-fold rise in complaints centered on biometrics.
“Despite Europe’s hard-line privacy regulations, Australian privacy laws are weak [and] the privacy office is under-resourced because it takes three to five years for a complaint to be fully investigated,” he said, adding that the council will put in a submission to government to allow people to sue for privacy breaches if a business is holding information against their will.
Function-creep is one of the biggest privacy threats posed by biometrics, according to Murphy, who said government, law enforcement and industry have regularly acquired biometric data for use outside of its intended purpose.
“Think of the wider context that biometric technology can be used outside its normal function; it is used by governments to track people, and we get cases of the police acquiring employee data such as fingerprints, for completely unrelated cases,” he warned.
Privacy concerns related to biometrics are worse than the current 100-point system because “you can’t get DNA back if it is stolen or acquired.”
Murphy said no-one in industry can guarantee to protect biometric data despite technology advancements.
“Biometrics can reduce the quantity of ID thefts, but the risks are greater because it requires more sensitive information,” he added.
Phillip Youngman, director of the Biometrics Institute and privacy officer for the Roads and Traffic Authority (RTA), also tore into the weakness and proliferation of state and federal privacy laws, claiming too many privacy acts are built around a poor opt-out policy.
He said function-creep is a major problem with biometric technology, noting that there has been pressure on the RTA by the financial sector to provide customer ID verification for banks.
“In Australia, there is significant collection of identification which is now used for data-matching; national security is just a catch-cry for allowing government to do whatever [it] wants to do,” Youngman said.
According to Westpac Bank head of information security risk, David Palmer, who ensures projects are compliant with the bank’s security policy, architectures and regulations, businesses should by law be allowed to collect only the absolute minimum of raw data required for biometric verification.
Murphy, Palmer and Youngman smashed suggestions of any sort of centralized biometric database designed to reduce the proliferation of individual biometric databases which contain raw data such as fingerprints, voice recordings and DNA.
Palmer said Westpac will apply this principle to the design of its biometric applications, which the bank plans to roll out in place of its existing customer PIN verification system.
“Our biometrics would be based on our PIN architecture which is designed to only verify whether a password is correct, so it does not contain information that could be supplied to Police,” Palmer said.
He stressed that biometrics must be non-invasive and said Westpac will mandate biometric identity management, like password selection, to be controlled by customers.
St George Bank gold segment manager, Fiona Keough, favored a voice-authentication biometric solution. Keough said it was implemented for staff password management but staff have been slow in take-up due to privacy concerns.
“The system replaces an arduous IVR six-step password-reset system with a voice system that only includes an employee number and their voice,” Keough said.
“About 30 percent of staff have signed up [and] many do because they trust my intentions, rather than the system.”
An officer from the Commonwealth Bank criticized the lack of agility in biometrics, claiming that raw biometric data cannot be reset like a PIN, and said currently accepted identification materials, such as name, address and date of birth, are openly accessible through the Department of Births, Deaths and Marriages.
Participants at the conference identified a range of flaws, with the NSW Council of Civil Liberties disclosing a number of privacy cases that are under investigation.
For example, the council is handling one privacy infringement case involving a Western Sydney warehouse which supplied police with staff fingerprints held in its bundy (time-clock) system for an unrelated criminal investigation.
Another case involved a NSW RSL Club which similarly provided law enforcement with patron licenses collected through its scanner, despite RTA recommendations against storing driver license information.