Comparitech analyzes government use of biometrics, surveillance and data sharing
A recent investigation into surveillance states and data privacy carried out by Comparitech concludes that not even top-ranked European countries are experts at protecting citizen privacy but instead engage in active citizen surveillance. The research company analyzed the use of biometrics, surveillance cameras and data sharing in 47 countries.
Mass surveillance is actively used in countries such as China and Russia, while among EU members, the General Data Protection Regulation (GDPR) has had a significant contribution in improving privacy laws. There are still loopholes in terms of data sharing with third parties and the regulation does not prevent the active use of biometric surveillance. For example, EU countries have signed agreements to share citizens’ data. However, the study says only five countries out of the 47 reviewed “have adequate privacy safeguards,” following the positive of GDPR with local legislation.
Globally, there is a growing interest in collecting and storing biometric data such as fingerprints and facial features, according to the report. Government surveillance mostly affects immigrants and their border crossing.
“Identity Cards and Biometrics” is one of the 14 categories countries are judged in, with scores out of five aggregated for a national overall score. The criteria considered for the “Identity Cards and Biometrics” category are whether the country has an ID card, and if so whether it includes biometric data, whether biometrics are commonly used, and whether this use is to aid privacy or surveillance, and whether there is a privacy debate around biometrics use in country and whether “most (are) happy with the technology.”
China is one of the main countries where pervasive government surveillance breaches citizens’ privacy and where there is little interest in data privacy, anyway. Chinese privacy laws are vague so they can not be properly implemented. China has made ID cards mandatory for all citizens aged 16 and over and actively uses biometrics and facial recognition to keep track of citizens. China’s biometric surveillance has raised concerns that is was used for repressive surveillance efforts against the Muslim minority in Xinjiang Province. According to Comparitech, surveillance cameras with facial recognition are the “norm.”
Russia comes close to China when it comes to the lack of interest in protecting privacy and government surveillance. The country’s regulatory body, the Federal Service for Supervision of Communications, Information Technologies and Mass Media (Roskomnadzor), has started creating Russia’s own censored internet used for surveillance. Facial recognition is actively deployed or planned for deployment at airports to collect data.
Although it does not have any regulations for data privacy, India is actively embracing biometrics, having collected, through its Aadhaar Identification Scheme, the largest biometric database with information on 1.23 billion people, including purchases, bank accounts and insurance. The country has recently announced that Aadhar would expand to ‘mobile ATMs’ as credentials could be unified and wants WhatsApp to use digital fingerprints in messages. Future plans include hi-tech border surveillance at key crossings.
In Thailand biometrics are used for national ID cards, to open bank accounts, and to even buy a SIM card. Although surveillance cameras are used, local law says people have to be informed they are monitored. All travelers to Thailand will have to give biometric data such as fingerprints to be allowed to enter the country.
To reduce fraud and identity theft, Malaysia has made national IDs and fingerprint collection mandatory for all citizens aged 12 and older. For up to twenty years, the card collects critical data such as bank information and health records, and it can also be used for payments. IDs associated with children will also collect information related to religion, birth, and education. Malaysia is one of the countries where facial recognition deployments are expanding. In February, GRAB Malaysia announced it would submit to the country’s Ministry of Transport a recommendation to use advanced facial recognition technology to enhance safety features for drivers and passengers. In 2010, Malaysia passed a data protection law, however it needs updates to cover biometric technology.
Italy‘s national ID has biometric data, and facial recognition has been deployed at airports to speed up the immigration process and is used with CCTVs systems.
A member of the European Union, Hungary‘s national ID cards include fingerprints and the country is actively working on creating a facial recognition database based on photos taken of its citizens and tourists. Hungarian employers can integrate biometrics to boost security and to authorize access.
Slovenia, according to Comparitech, has not adhered to EU’s GDPR even though it is a union member and has integrated biometric data in its passports. In 2021, it will release biometric ID cards that will include security features aligned with passports, such as a contactless chip and the holder’s photograph and fingerprints for biometric identity verification.
Germany has integrated biometric technology in a number of projects including in national ID cards and CCTV cameras.
Norway is noted as the only European country that is not a member of the EU to have taken “adequate safeguards” to ensure data privacy protection. The country plans to introduce biometric technology in national ID cards in 2020 and will allow law enforcement access to the data.
Biometric technology has also sparked interest in South Africa, with new deployments on the rise. Recent integrations include fingerprint data on South Africa ID cards.
Switzerland shares data with other European countries listed in this article and allows workplace monitoring without permission. The country has not made biometric ID cards mandatory.
Another country the study has looked at is Argentina which has been looking at improving data privacy. Although biometrics are actively deployed and widely accepted by citizens, ID cards do not have any biometric information stored.
Canada has laws similar to EU’s GDPR and is collecting biometric information from tourists applying for visas. It is part of data sharing agreements with other countries. A survey conducted by non-profit Digital ID and Authentication Council of Canada (DIACC) found that 70 percent of Canadians would adopt digital ID and think the government should join forces with the private sector to implement a Digital ID framework for better access to government benefits, healthcare, e-commerce, and financial services.
Ireland ranks first in the report for privacy and surveillance protection. The country is fighting the initiative of including biometrics on ID cards although it is a requirement of the European Union for all member states. This year, biometric photo ID company DPS rolled out encrypted photo service in Ireland for online biometric passport renewals and Northern Ireland police agreed to publish a formal biometric data retention policy.
While France does not currently require biometrics for the mandatory French ID card and the country’s regulator CNIL is preventing the use of biometrics in areas such as workplaces, the French Interior Ministry will deploy facial recognition for enrollment into its national digital identification program.
Portugal absolutely forbids biometric databases and barely shares any data with other countries because it lacks a DNA database.
The United States is interested in biometric technology and in the next four year aims to implemented its Biometric Exit Program that will process nearly 97 percent of people leaving the country. Biometrics are caught up in a grey legislative area, and there are several ongoing discussions about the use of biometric in law enforcement and whether police can demand users unlock their phones with biometrics. Recent lawsuits under Illinois’ Biometric Information Privacy Act (BIPA) against retailers The Home Depot and Lowes show that any company in Illinois capturing images of people, including on video security cameras, should be ready to be targeted by a potential class action suit. The US is building a biometric database of digital facial images and fingerprints of more than 200 million people that have ever crossed or tried to cross the border into the US.
The United Kingdom still needs to be compliant with GDPR, but despite privacy regulations, the country is actively looking into adopting biometrics and using CCTV surveillance. A member of the Prüm Convention, as are Austria, Belgium, Bulgaria, Estonia, Finland, France, Germany, Hungary, Luxembourg, Netherlands, Romania, Slovakia, Slovenia, Spain, and with membership pending for Greece, Italy, Portugal, and Sweden, law enforcement in the UK is allowed to share DNA profiles and biometric details with all member states.