Australia government illegally conducted hundreds of millions of ID checks, inquiry suggests

Australia’s government illegally performed hundreds of millions of identity verification checks over the last four years, according to testimony last week in a Senate hearing.

In 2019 the Morrison government proposed legislation to allow third parties to use the government’s identity verification service. Financial institutions wanting to confirm customers’ identities, for example, could send a request to the government’s service which would check the customers’ identification documents — including photos — against the government’s database.

Due to serious privacy concerns the legislation was never approved, but witnesses told senators last Monday that the government has been performing the service for third parties anyway. 

In 2022 alone the government used its Document Verification Service to perform over 140 million such checks for 2,700 public and private organizations. In the last fiscal year government agencies conducted over 2.7 million checks using the service, which verifies identification photos.

Operating such a program without a legislative framework makes it illegal, notes the Guardian, which is why the current government has been scrambling to push legislation through the House of Representatives to legalize it.

“I think there’s a real question about the legality of the scheme, and the haste is about protecting the government from liability,” Digital Rights Watch Chair Lizzie O’Shea told Greens Senator David Shoebridge.

The legislation originally proposed by the Morrison government would have allowed one-to-one face matching, where authorities would match a submitted driving license photo against another photo ID in the database, as well as one-to-many matching, where police could take an unknown face and search for it in a larger database of known faces.

But the newly proposed legislation would only allow one-to-many searches in cases involving undercover operatives or those in witness protection to ensure that their identifications can be erased.

“It is extraordinary that the Australian government is, it seems, presently using identity-verification services on a mass scale without a lawful basis,” Human Rights Law Centre senior attorneys Kieran Pender and David Mejia-Canales told the Senate. “And it is all the more extraordinary that the Australian government would seek to rush through such important legislation, with minimal opportunity for parliamentary scrutiny, in these circumstances.”

The inquiry comes the week after the Australian Federal Police were exposed for using controversial facial recognition software, supposedly without knowledge or approval from higher authorities.

PimEyes allows users to upload a photo of a person’s face and conduct an image search across the web for other photos of that individual. The algorithm is said to be highly accurate and can yield facial images despite differences in background, lighting, objects, or even features like haircuts.

According to PimEyes CEO Giorgi Gobronidze, the Tbilisi-based company has a database of about three billion faces and facilitates up to 118,000 searches per day.

Between January and August there were hundreds of connections between Australian Federal Police (AFP) devices and PimEyes as well as a similar site called FaceCheck.ID. When questioned about their use of the programs, the AFP said that only “a small number of members” had accessed the sites for “training” and to explore their potential use in “the law enforcement or criminal environment.”

AFP has admitted to testing PimEyes for operational use at least nine times, and once with FaceCheck.ID, although AFP leadership claims it was not aware of this until the FOI request.

“Pimeyes.com is a particularly dangerous facial recognition tool . . . and has been repeatedly criticised for enabling unlawful surveillance and stalking,” said Senator Shoebridge, who is part of an inquiry on the AFP’s use of the programs. “This keeps happening with the AFP, whether it’s Clearview, PimEyes or FaceCheck.”

In 2021 AFP was found to have breached privacy rules with its use of Clearview AI, a database which has scraped over 30 billion photos of private citizens from the web without permission.