My colleagues Christopher Parsons (Citizen Lab, University of Toronto, Canada), Erik Zouave (Centre for IT & IP Law, KU Leuven, Belgium) and I have just published an open-access article in a special issue on ‘Australian Internet Policy’, in the open-access journal Internet Policy Review. In light of the onset of domestic law enforcement use of computer network operations (CNOs) (more popularly termed ‘lawful hacking’) and the difficult legal questions that accompany these developments, the article offers critical insight into the implications that accompany government’s domestic use of CNOs in Australia, but also more broadly.
Computer Network Operations (CNOs) refers to government intrusion and/or interference with networked information communication infrastructures for the purposes of law enforcement and security intelligence. The following article explores how CNOs are lawfully authorised in Australia, and considers the extent to which the current use of CNOs is subject to ‘counter-law’ developments. More specifically, the article finds that the scope and application of CNOs in Australia are subject to weak legislative controls, and that while such operations might be ‘lawful’, they undermine the rule of law and disturb core democratic freedoms.
Australian government plans to increase the use of facial recognition in its counter-terrorism strategy raise concerns about privacy and how the technology will be used in everyday policing.
Details of the A$18.5 million National Facial Biometric Matching Capability were announced last week by Michael Keenan, the minister for justice and the minister assisting the prime minister on counter-terrorism.
Keenan said the scheme – known as “the capability” – will allow Commonwealth agencies and state law enforcement to try to match a photograph of an unknown person with photographs on government records, such as passports and driving licences. The aim is to help put “a name to the face of terror suspects, murderers and armed robbers” and other criminals.
These amendments are expected to add even more records to the more than 100 million facial images already held by agencies that feed into the capability.
A closer examination of the capability reveals a number of concerns about its expected effectiveness and its impact on privacy.
If your passport, credit card, PIN or tax file number are compromised due to a security breach, they can be replaced fairly easily. Not so with your facial features. If a biometric database is hacked, the information can potentially be abused by criminals over your entire life.
The government insists the capability entails “strong privacy safeguards” but does not provide much detail beyond noting that facial recognition records will not be stored in a centralised database.
Instead, the records will be held by participating agencies, which will be able to reach in to one another’s records. But will it be effective? And what are the risks for privacy and human rights?
Current research shows that the latest facial technology is still plagued with error rates and inaccuracies.
Images collected through CCTV or social media platforms are hampered by poor lighting or indirect angles of faces, so it is often difficult to find an accurate match. For example, even with the volume of footage of the Boston Marathon bombing suspects, facial recognition wasn’t enough to identify the assailants.
It is also unclear how much the use of facial recognition is actually helping police make arrests.
In Australia there is no clear indication what authorities are willing to accept as an error rate when using facial recognition technology.
Like the data retention amendments, regulation of the collection and sharing of biometric identifiers in Australia is subject to executive ministerial discretion. Any other regulation of the capability is left to weak privacy legislation (which many of the agencies involved in the capability are exempt from) in the absence of a formal bill of rights.
From overseas wars to domestic policing
Facial recognition has been a part of military and intelligence operations in overseas conflicts in Afghanistan and Iraq.
Now the technology will find its way into routine policing environments in Australia, aided by mobile hand-held devices such as tablets, smartphones and even wearable cameras.
In a policing context, this raises new questions that push the legal envelope on the collection of biometric identifiers without meaningful consent when using mobile devices in the field.
The use of facial recognition identification in policing introduces the possibility that law enforcement might want to stop an individual simply to check, and potentially collect, their facial recognition print. They could also use the technology to identify people at a political protest or major sporting or music event.
The Australian government is seeking to quell any concerns about privacy over the mass biometric archive by insisting that the capability will not be a centralised database.
But an integrated network of shared records is actually even more vulnerable to penetration simply because the prospective attack surface is larger.
The only way to actually ensure privacy is to limit initial collection and restrict the use of any biometric records. If they are to be used at all, it should be for only very specific purposes.
Given that there is no clear evidence on the expected effectiveness of the capability, which has already spread into a whole-of-government initiative, critical questions remain about the risks posed by Australia’s newest mass surveillance weapon.
The following piece on the challenges posed by the increasing use of computer network exploitation (CNE) by security intelligence and police appeared in Canada’s The Mackenzie Institute as a shortened online article.
The December 2014 Issue of The Walrus Magazine features an article on the creeping potential for the militarization of policing in Canada. The article, by John Lorinc, discusses my research into the Vancouver Police Department’s ‘Military Liaison Unit’.
In the past month, my colleague Christopher Parsons (@caparsons) and I have been researching the technical attributes of the BC Services Cards. Recently, I guested on Christopher’s excellent blog, Technology, Thoughts, and Trinkets, with a post about the security vulnerabilities (and associated privacy concerns) surrounding the use of NFC ‘smart’ chips in the proposed BC Services Card (see: Smart Chip, Simple Illusions: NFC and the BC Services Card). In short, while the chips are offered as an enhanced security feature by the BC government, they actually introduce a range of vulnerabilities into the network environment, serving as a potential beachhead that opens the door to serious privacy breaches.
Welcome to Boundaries of Surveillance, a venue for the professional and personal projects of Adam Molnar, PhD Candidate and Lecturer at Deakin University.
This website features a range of reflections, from commentary and media, to working papers and articles, as a public workshop for themes related to my academic research. Many of the posts you’ll encounter here examine a range of issues associated with digital surveillance, contemporary technological trends in public safety and law enforcement, and associated information privacy issues.
Please take a moment to follow me on Twitter at @admmo for regular updates on issues of surveillance, law, and technology in security and policing.