Facial recognition project

Privacy impact assessment report

Summary

This is a summary of the Privacy Impact Assessment (PIA) for the Facial Recognition Project at the Passport Office, an agency of Foreign Affairs Canada (FAC). The objectives of the PIA were to determine whether there are privacy issues or risks associated with the Project and, if so, to provide recommendations on mitigation measures.

The mission of the Passport Office is to issue secure travel documents that are recognized internationally. The Office issues three types of travel documents: passport, Certificate of Identification and Travel Document.

The Passport Office has increased scrutiny of all applications for Canadian travel documents since the events of September 11th, 2001. As one of the measures to increase the scrutiny of applications, the Facial Recognition Proof of Concept Project was initiated. The Project was initiated to investigate whether Facial Recognition (FR) technology could further improve the security of Canadian travel documents.

The objective of the FR Proof of Concept Project was to determine whether a Facial Recognition System was feasible and affordable, and whether it effectively verified a travel document applicant's photograph, or its digital rendering, against those in a query database.

The FR processing is accomplished by using FR software to take biometric measurements from a digital image and then converting the measurements, using an algorithm, into an alphanumeric photo biometric identifier. Because biometric measurements can change depending on the characteristics of the photograph, such as its orientation, the alphanumeric biometric identifier can change from photograph to photograph.

To conduct the FR Proof of Concept testing, a stand-alone mock-up query database of individuals suspected of being ineligible for Canadian travel documents was established from photographs supplied by stakeholder agencies. A mock-up database of travel document applicants, modelled on the Passport Applicants Database, was also established in the Passport Office, unconnected to any personal information or Passport Office applications. The databases were used to test facial recognition systems from various suppliers. The FR software was tested to determine whether, from the mock-up query and mock-up applicants databases, it succeeded in flagging two different pictures of the same individual as potential matches. Test operators then confirmed the results against known duplicate pairs of images, that is, two different images of the same individual that were known as such. The images were randomly numbered to track the FR software's success in prompting the match.

The goal of the Proof of Concept Project was to determine whether or not there is a positive business case for FR technology to sustain or to improve the integrity of Canadian travel documents by better ascertaining if an individual is ineligible for the travel document applied for. Based on the results of the business case, the Passport Office intends to proceed to obtain approval to implement a Facial Recognition System.

The proposed Facial Recognition System would be implemented in the Security Division of the Passport Office. Digital renderings of photographs would be obtained from source departments. The photographs or their digital renderings of specific defined categories of individuals are proposed for use in the Facial Recognition System: the Privacy Impact Assessment (PIA) revised the proposed categories and provides an opinion as to the appropriateness to include them in the proposed deployment, as well as other recommendations pertaining to notice to the public.

Separate System Alert (SA) Databases would house the data obtained from each source department.

The Passport Office is currently creating digital renderings of photographs and scanning travel document applications for retention in its system. This enables the Passport Office to print passport photos securely in the new, more secure passport book.

The digital renderings of photographs would be converted into a template taking the form of an alphanumeric string, referred to as a photo biometric identifier, that is created using facial recognition software. Each new applicant's photograph for a travel document would have its alphanumeric photo biometric identifier compared to the identifiers in the Database and then to those in each SA Database. The system would present matches of identifiers within a predefined tolerance level to a Security Division operator for review. Where appropriate (that is, when the operator is satisfied that the suggested match appears positive), the operator would then follow up with the source department and an investigation would be undertaken.

This report identified the following privacy issues/risks, and measures are recommended to mitigate the issues/risks.

1. Authority to Collect and the Use of Personal Information to Establish a Facial Recognition System

The Electronic Privacy Information Centre (EPIC) describes the privacy issues and risks associated with facial recognition technology in the following manner:

Summary

Devices using biometric identifiers attempt to automate this (FR) process by comparing the information scanned in real time against an "authentic" sample stored digitally in a database. The technology has had several teething problems, but now appears poised to become a common feature in the technological landscape. There are significant privacy and civil liberties concerns regarding the use of such devices that must be addressed before any widespread deployment. Briefly there are six major areas of concern:

Major areas of concern (concern: privacy issue)

  • Storage: How is the data stored, centrally or dispersed? How should scanned data be retained?
  • Vulnerability: How vulnerable is the data to theft or abuse?
  • Confidence: How much of an error factor in the technology's authentication process is acceptable? What are the implications of false positives and false negatives created by a machine?
  • Authenticity: What constitutes authentic information? Can that information be tampered with?
  • Linking: Will the data gained from scanning be linked with other information about spending habits, etc.? What limits should be placed on the private use (as contrasted to government use) of such technology?
  • Ubiquity: What are the implications of having an electronic trail of our every movement if cameras and other devices become commonplace, used on every street corner and every means of transportation?

While the Passport Office's proposed use of facial recognition technology differs from the surveillance of individuals in public places (Footnote 1), the use does attract a number of privacy risks usually associated with the use of biometrics. Among the privacy risks are:

  • "Function creep", that is, using the information in the future for a purpose beyond the original purpose
  • Third-party access to the information, in order to link it with the third party's own information, without the consent of the individual
  • Centralized retention of the information
  • Loss of control by individuals over the use and dissemination of their personal information.

The authority for purposes of the Privacy Act for a department to collect personal information is described in the Treasury Board of Canada (TBS) Policy on Privacy and Data Protection as:

The legislation states that government institutions shall not collect personal information unless it relates directly to an operating program or activity. The policy requires that institutions have administrative controls in place to ensure that they do not collect any more personal information than is necessary for the related programs or activities. This means that institutions must have parliamentary authority for the relevant program or activity, and a demonstrable need for each piece of personal information collected in order to carry out the program or activity. Parliamentary authority is usually contained in an Act of Parliament or subsequent regulations, or approval of expenditures proposed in the Estimates and authorized by an Appropriations Act.

The authority for the Passport Office to collect personal information for a Facial Recognition System, as described in this PIA Report, is in most cases expressly set out in the Canadian Passport Order and, for certain other aspects of the Project, is based on the Crown prerogative.

These authorities of the Passport Office are not underpinned by an overall government legislative or policy framework for the use, disclosure, retention and destruction of biometric identifiers. However, the Office of the Privacy Commissioner of Canada (OPC) has proposed a four-part test of justification for the use of biometric identifiers and/or technologies:

  • The measure must be demonstrably necessary in order to meet some specific need
  • It must be likely to be effective in achieving its intended purpose
  • The intrusion on privacy must be proportional to the security benefit to be derived
  • And it must be demonstrable that no other, less privacy-intrusive, measure would suffice to achieve the same purpose.

The Passport Office has developed a response to the four-part test that incorporates aspects of this PIA Report.

A summary analysis (which is protected by solicitor-client privilege) of the Charter of Rights and Freedoms concludes that, for certain aspects of the proposed deployment, further lawful authority needs to be established in order to implement the Facial Recognition Project described in this Report.

Given the:

  • Nature of the privacy risks associated with a Facial Recognition System
  • Lack of an overall government legislative or policy framework for the use of biometric technology,

the PIA report concluded that a FAC/Passport Office legislative framework is advisable.

Summary

Recommendation 1a: Legislation and/or regulation specific to the Passport Office be developed to provide a framework for the operation of a Facial Recognition System, and that the legislation/policy provide direction on the use, disclosure, retention and disposal of biometric identifiers and on complaint processes. The Passport Office may want to determine if it is feasible to implement this recommendation through the Canadian Passport Order.

Recommendation 1b: The Passport Office and/or source departments establish the lawful authority, for purposes of section 8 of the Charter of Rights and Freedoms, for the collection and/or disclosure of personal information for the operation of a Facial Recognition System.

Project management expressed dissent with the recommendations, considering:

  • that the proposal for deployment is compliant with current policies,
  • compliant with TBS guidelines,
  • that most of the following recommendations in the PIA are accepted in principle, thereby establishing a comprehensive regime for FR use;
  • which regime, legitimacy and considerations are further detailed and responsive to the Office of the Privacy Commissioner of Canada (OPC) proposed four-part test of justification for the use of biometric identifiers and/or technologies;
  • Passport Order amendments clearly setting out legal authorities to create and use new personal information in the form of a photo template have been adopted.

2. Control of Personal Information from Source Departments

It has not been determined what, if any, control will be exercised on photographs or their digital renderings supplied by source departments. For example, source departments may impose requirements on the use of the photographs, retention period or disclosure to third parties including other source departments.

When an operator confirms a match, the source department will be contacted to ascertain whether the individual is still ineligible. The Passport Office intends to stipulate in a Memorandum of Understanding (MOU) with source departments that there is an obligation on their part to keep photographs or their digital renderings up to date and to notify the Passport Office if a photograph should be replaced in or removed from the Facial Recognition System. This is critical given the "time-sensitive" nature of the photographs or their digital renderings. An individual may meet the criterion definition of the Security List (SL) group at the point at which the image is supplied to the Passport Office, but the individual's status could have changed by the time of a match.

The privacy risk is that personal information may be inappropriately used or disclosed when the source department has not exercised its control over personal information.

Summary

Recommendation 2: The Passport Office and source departments establish through a Memorandum of Understanding and within the framework of the Privacy Act the control and accuracy requirements that source departments will exercise on photographs or their digital renderings supplied to the Passport Office.

The recommendation was accepted in principle by project management, to be implemented prior to deployment of the technology, if approved and funded.

3. Creation of an Identifier

The Facial Recognition System will create an alphanumeric photo biometric identifier from a photograph. The biometric identifier will be unique to the photograph rather than to an individual. Depending on the level of tolerance set by the system, the facial recognition software may or may not produce a suggested positive match. As one measure to control the possibility of function creep, the algorithm used to create the alphanumeric photo biometric identifier should be constructed in such a way that it is useable only by the Passport Office. For purposes of this PIA it is assumed that the photograph cannot be recreated from the alphanumeric photo biometric identifier. The project lead has confirmed that this is the case, because the alphanumeric string is a translation of measured key points in the facial oval; recreating the "facial image" from this template is therefore not possible.

The privacy risk is that the information could be used for secondary purposes.

Summary

Recommendation 3(a): The algorithm used to create the alphanumeric photo biometric identifier be useable only by the Passport Office to prevent the creation of the same alphanumeric photo biometric identifier by other parties.

Recommendation 3(b): The contractual arrangements with the supplier of facial recognition software include a requirement that the unique algorithm be under the control of the Passport Office in such a way that the supplier cannot recreate it.

Project management expressed dissent with recommendation 3(a), given there are no tangible benefits in accepting it. That is so because there are as many different templates as there are different pictures of the same individual. Thus the use of the same algorithm (software producing the algorithm) by another user will not generate the same template (biometric identifier) unless the very same picture is enrolled in both systems. Finally, since no image can be rejigged from a template, even where the commercially available software is sold to another user, that external user could not rejig the photo from an "intercepted" (or hacked) template from the Passport Office database.

Recommendation 3(b) was accepted in principle, provided it is technically feasible (to be verified with the supplier), if and when the deployment of the technology is approved and funded.

4. Systems Lookout Databases

The Passport Office intends to keep the source department information in separate databases. The information in the Systems Lookout (SL) Databases may have different security classifications. Because the purpose of the disclosure of information by source departments is travel document control, information in one SL database should not be matched against another SL database.

The privacy risk is that information may be used in the future without the appropriate authority required by the Privacy Act.

Summary

Recommendation 4: Memorandums of Understanding with source departments have a provision that prevents Passport Office from conducting data matching between SL databases.

The recommendation was accepted in principle by project management, to be implemented prior to deployment of the technology, if approved and funded.

5. Level of Accuracy

Because the alphanumeric photo biometric identifier is not a unique identifier of an individual, and because a level of tolerance is set for suggested positive matches, a facial recognition system produces both false positive suggested matches and false negative suggested matches. A false positive match means that a match is proposed but the photographs in fact represent two different individuals. A false negative match means that a match that should have been made was not made.

In the proposed Passport Office application of FR technology, an operator in the Security Division would confirm a suggested computer match of the photographs produced by the FR software. Confirmation by the operator requires a judgment call that the individual in the two photographs appears to be the same individual. The operator then has to confirm that the status of the individual remains the same, to ensure that the individual continues to be in a category that makes them ineligible for a travel document. Once this status has been confirmed, the Security Division undertakes an investigation. Or, if the confirmed match is against the Travel Documents Issued Database, an SL would be placed on the individual's travel document file while an investigation takes place.

Studies noted in this PIA Report indicate that accuracy is a privacy issue of concern with FR technology. The project leader's view is that relying on any technology to automate the "function rich" entitlement determination of any program poses a risk. Technology only suggests potential matches, which remain to be confirmed by an operator.

The Passport Office Proof of Concept Project provided test results on the efficiency of FR technology. The tests revealed that the FR software, when probing images against a reasonably sized database (50,000 images), identified the correct match in the first position 88% of the time. This figure applies when probing images of the best quality, that is, images compliant with the newly released International Civil Aviation Organization (ICAO) specifications (the "no smile" pictures). For images of lower quality, such as stakeholders' photographs, the rate at which the correct match appears among the top ten candidates drops to 75%.

When the Passport Office contacts the source agency to verify the status of an individual who has been matched by the FR system, the Passport Office discloses the fact that the individual may have applied for a passport for which he or she is ineligible. The inquiry may in fact be about the wrong person. At this point in the process and before an investigation is launched, the inquiry should not be recorded by the stakeholder against the individual.

The privacy risk is that inaccurate information about an individual may be used in the future.
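The accuracy trade-off discussed above, as an added worked example that is not the Passport Office's system or the Proof of Concept code: constructed similarity scores for five applicant photographs against a five-entry lookout gallery, with functions that compute the rank-k identification rate the test results quote and the false positive and false negative counts produced at each tolerance level. The probe, gallery and score values are assumed for illustration.

```python
"""Evaluating a 1:N facial-recognition search the way the PIA describes it:
rank-k identification rate and the false-positive / false-negative trade-off
of the tolerance threshold that decides which candidates reach the operator.
All data below is constructed for illustration, not Passport Office data."""

# Constructed similarity scores (0.0 to 1.0) such as an FR engine would return for
# each probe (applicant photo template) against each gallery template (the
# lookout database). "truth" is the gallery id the probe really belongs to, or
# None when the applicant is a legitimate client present in no lookout list.
GALLERY_IDS = ["g1", "g2", "g3", "g4", "g5"]
PROBES = {
    # good-quality, ICAO-style photo: true match clearly on top
    "p1": {"truth": "g1", "scores": {"g1": 0.91, "g2": 0.40, "g3": 0.35, "g4": 0.20, "g5": 0.10}},
    # lower-quality photo: true match only in second place
    "p2": {"truth": "g2", "scores": {"g1": 0.55, "g2": 0.52, "g3": 0.30, "g4": 0.25, "g5": 0.05}},
    # poor photo: true match third, two strangers score higher
    "p3": {"truth": "g3", "scores": {"g1": 0.62, "g2": 0.58, "g3": 0.41, "g4": 0.38, "g5": 0.33}},
    "p4": {"truth": "g4", "scores": {"g1": 0.30, "g2": 0.28, "g3": 0.22, "g4": 0.86, "g5": 0.15}},
    # legitimate applicant who merely resembles g1 (the "twin" case in the report)
    "p5": {"truth": None, "scores": {"g1": 0.66, "g2": 0.31, "g3": 0.29, "g4": 0.27, "g5": 0.18}},
}


def ranked_candidates(scores):
    """Gallery ids ordered from most to least similar."""
    return [gid for gid, _ in sorted(scores.items(), key=lambda kv: kv[1], reverse=True)]


def rank_of_true_match(scores, true_id):
    """1-based position of the true identity in the ranked list; None for a non-mate probe."""
    if true_id is None:
        return None
    return ranked_candidates(scores).index(true_id) + 1


def identification_rate(probes, k):
    """Share of mated probes whose true identity appears among the top k candidates
    (the report's "correct match in the first position" is k=1, "top ten" is k=10)."""
    mated = [p for p in probes.values() if p["truth"] is not None]
    hits = sum(1 for p in mated if rank_of_true_match(p["scores"], p["truth"]) <= k)
    return hits / len(mated)


def screen(scores, threshold):
    """Candidates at or above the tolerance threshold, i.e. what the operator is shown."""
    return [gid for gid in ranked_candidates(scores) if scores[gid] >= threshold]


def confusion(probes, threshold):
    """Count true positives, false positives and false negatives at a threshold.
    Every false positive is a suggested match that would trigger a status inquiry
    about the wrong person; every false negative is an ineligible applicant missed."""
    tp = fp = fn = 0
    for p in probes.values():
        flagged = screen(p["scores"], threshold)
        fp += sum(1 for gid in flagged if gid != p["truth"])
        if p["truth"] is not None:
            if p["truth"] in flagged:
                tp += 1
            else:
                fn += 1
    return {"tp": tp, "fp": fp, "fn": fn}


def sweep(probes, thresholds):
    """Tabulate the trade-off so that a tolerance level is chosen deliberately."""
    return {t: confusion(probes, t) for t in thresholds}


if __name__ == "__main__":
    for k in (1, 2, 3):
        print(f"rank-{k} identification rate: {identification_rate(PROBES, k):.0%}")
    for t, c in sweep(PROBES, (0.9, 0.6, 0.5)).items():
        print(f"threshold {t:.2f}: {c}")
```

Lowering the threshold raises the true positive count but, on this data, every step down also adds wrongful status inquiries (fp), which is the cost that Recommendation 5(a) addresses.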

Summary

Recommendation 5(a): A Memorandum of Understanding with the source agency have a provision that prevents the latter from indicating on the individual's file that a status inquiry was made on the basis of an initial suggested match by the Passport Office operator.

Recommendation 5(b): The Passport Office document the measures that will be taken where appropriate to ensure that false positive matches, once verified as false positive, are not recorded against an individual's file.

Recommendation 5(c): The Passport Office document the procedures to be followed to prevent the use and retention of inaccurate information resulting from an operator-confirmed match, once it is determined that the information is inaccurate.

Recommendation 5(a) was accepted in principle by project management, to be implemented prior to deployment of the technology, if approved and funded.

Recommendation 5(b) was not supported, given it may be advisable to note on a subject's file that a suggested match has been dismissed as false, to prevent future inconvenience to the client, e.g. twins, or a strong resemblance to a security subject that has been confirmed as a "false hit".

Recommendation 5(c) was not supported, given all "confirmed" alerts must be pursued and investigated, and eventually the file gets cleared for processing and a passport is or is not issued. This process is subject to administrative "fairness", which is to be documented.

6. Program Custodian Responsibilities

The objective of the FR Proof of Concept project was to determine whether a Facial Recognition application was mature and effective enough to meet program objectives, which are to deter access by non-eligible applicants. The key performance requirements were thus technical. Before deploying such technology, the performance requirements of the program custodian for privacy matters should be documented. Given the project's objectives, this was not done, nor have performance measurements been developed for the requirements. Examples of requirements if a Facial Recognition System is implemented are:

  • Determining what contractual privacy provisions are necessary and security classifications required if technology positions for the implementation or operation of a Facial Recognition System are filled by individuals on personal contracts or retained through technology companies
  • Arranging for routine audits to determine if privacy requirements are complied with
  • Complying with the TBS Policy on Data Matching
  • Ensuring that purpose(s) of the collection of personal information is documented. The purpose(s) can be documented in the MOUs with source departments and in the Personal Information Bank (PIB) entry for Infosource
  • Determining what, if any, information will be made publicly available about the Facial Recognition PIA
  • Ensuring the development of a Communications Plan to explain how the personal information in the Facial Recognition System will be managed and protected.

The privacy risk is that there might not be accountability for implementing and maintaining privacy requirements.

Summary

Recommendation 6: The Passport Office document the performance requirements and measurements related to privacy for the program custodian if a Facial Recognition System is implemented in the Passport Office.

The recommendation was accepted in principle, to be implemented prior to deployment of the technology, if approved and funded.

7. Notice of the Purpose of Collection

The Passport Office would need to include the Facial Recognition component of the passport application process in the notice of the purpose of the collection of personal information. The notice is required under section 5 of the Privacy Act.

The privacy risk is that individuals would not be informed at the time of collection how their personal information would be routinely used.

Summary

Recommendation 7: The Passport Office include the use of facial recognition technology in the Notice of the Purpose of Collection of personal information on applications for travel documents.

The recommendation was accepted in principle, to be implemented prior to deployment of the technology, if approved and funded.

8. Data Matching Activities

The TBS Policy on Data Matching applies to data matching of personal information for an administrative purpose. Administrative purpose is defined in section 3 of the Privacy Act as the "use of that information in a decision-making process that directly affects that individual".

For purposes of this PIA it is assumed that the data matching activities in the Facial Recognition System will invoke the requirements of the TBS Policy on Data Matching.

For photographs of applicants for travel documents collected by the Passport Office as part of the application process, it appears that the use of the photographs and a few data elements of personal information would be consistent with the stated purposes of the collection of personal information.

The Facial Recognition Project proposes to collect the photograph or its digital rendering for some categories of individuals whose legal or factual status in the country would make them ineligible for passport services.

Although the individuals of some of the proposed groups would be ineligible to apply for a passport, there are no factors presented as part of the PIA process to indicate that these broad categories of individuals are likely to make ineligible applications for passports.

Hence, for some groups or parts thereof, there is a privacy risk that the digital renderings of the photographs of these individuals will be used:

  • For a secondary, unrelated purpose
  • For a secondary purpose that may be broadened in the future.

Summary

Recommendation 8: The Passport Office comply with the requirements of the TBS Policy on Data Matching prior to the implementation of a Facial Recognition System.

The recommendation was accepted in principle, to be implemented prior to deployment of the technology, if approved and funded.

9. Retention and Disposal

If a Facial Recognition System is implemented, the System will have to be scheduled for retention and disposition according to the requirements of the Privacy Act Regulations and TBS Policy on the Management of Government Information Holdings.

The privacy risk is that personal information could be destroyed in contravention of government policy or that personal information could be retained for longer than necessary.

Summary

Recommendation 9: The Passport Office have the Facial Recognition System scheduled for retention and disposition as required by the Privacy Act Regulations and TBS Policy on the Management of Government Information Holdings.

The recommendation was accepted in principle, to be implemented prior to deployment of the technology, if approved and funded.

10. Security Measures Unclear

A Threat and Risk Assessment (TRA) is planned and a consultant has been engaged. The TRA, along with this PIA, constitutes an integral part of the business case for funding that is being developed by the Passport Office. The findings of both documents will help determine the feasibility and cost of the project.

Hence, at this early stage of the project, it suffices to note that security procedures for the collection, transmission, storage and disposal of personal information have not been documented. It is unclear how photographs or their digital renderings will be transmitted to the Passport Office from source departments.

It is likely that a Facial Recognition System (containing Protected to Secret information) will need to be isolated from other Passport Office systems with its own network. Access controls would have to be developed for a Facial Recognition System to limit access to the system on a "need-to-know" basis. A plan for quality assurance and audit to assess the ongoing state of the safeguards applicable to the proposed Facial Recognition System should be developed.

There are no documented procedures in place to communicate security violations to the data subject, law enforcement authorities as appropriate and relevant program managers.

The privacy risk is that security measures appropriate to the sensitivity of the personal information would not be in place. The recommendations below also deal in part with the privacy risks associated with the creation of an identifier including function creep.

Summary

Recommendation 10(a): The Passport Office document procedures:

  • For the collection, transmission, storage and disposal of personal information, and access to the personal information
  • To communicate security violations to the data subject, law enforcement authorities as appropriate and relevant program managers.

Recommendation 10(b): The Passport Office develop an audit plan to assess the ongoing state of the safeguards applicable to the proposed Facial Recognition System.

Both recommendations were accepted in principle: 10(a) to be implemented prior to deployment of the technology, if approved and funded, and 10(b) to be actioned in the course of the yearly external audits conducted within the organization.

11. Transparency in Personal Information Management Practices

FAC has not determined what information would be available to the public and, where appropriate, to individuals whose photographs are entered into the proposed Facial Recognition System. FAC has not determined if it is appropriate to establish an informal complaint process before resorting to the complaint process in the Privacy Act when the results or the application of the results of facial recognition are in dispute.

The privacy risk is that there would not be an appropriate degree of transparency in personal information management practices. On the other hand, the Passport Office is concerned that disclosure of mechanisms put in place to verify eligibility would defeat the very purpose for which the Passport Office collected the information.

Summary

Recommendation 11(a): FAC make information available to the public, where appropriate, on the use of facial recognition technology in the travel document application process.

Recommendation 11(b): FAC document the process for review within the Passport Office when the results or the application of the results of facial recognition are in dispute.

Recommendation 11(a) was accepted in principle, when and if the project gets approved and financed. Recommendation 11(b) was accepted in principle, noting that denials of service on any ground can be judicially reviewed. Additionally, the client complaint resolution process as well as the Ombudsman can intervene. The recommendation may be actioned contemporaneously with deployment.

12. Personal Information Bank

If a Facial Recognition System were implemented, a Personal Information Bank (PIB) would have to be established. A PIB is a collection or grouping of personal information as described in section 10 of the Privacy Act. PIBs are published in Infosource, a TBS publication, for the information of the general public. The description of a PIB would include the identification of any use of the personal information for a consistent purpose.

The privacy risk is that the public would not be informed about a collection of personal information as required by the Privacy Act.

Summary

Recommendation 12: The Passport Office document and register a PIB if a Facial Recognition System is implemented.

The recommendation was accepted in principle, to be implemented as soon as practically feasible once the project is approved and funded.

Footnotes

Footnote 1

Surveillance in public places is a use of the technology where tests have shown a high level of inefficiency because of the lack of control over the quality of the images.
