Government agencies have implemented a facial recognition system to share driver’s license photos with the Covid-19 vaccine passport program.
Documents show the Ministry of Social Development (MSD) is in talks to run people’s photos through the system to verify recipients’ identities – although it denies ever doing this – and is talking about using it in schools.
The documents show that the One Time Identity (OTI) system has been developed since 2019 by the Department of Home Affairs (DIA) – although the department told RNZ it was a “pilot”.
A February 2022 internal document from Waka Kotahi said that “in conjunction” with the Department of Health and Home Affairs, OTI “has been successfully delivered to enable access to driver images for verification of identity as part of the vaccine passport initiative”.
The Department of Health (MOH) denied having had access to the driver’s license photos, but later said it had considered accessing them.
Internal Affairs also denied sharing photos with any agency through OTI.
However, emails from 2020 showed the privacy commissioner was concerned about Internal Affairs sharing selfies of people with MSDs.
“MSD is seeking to receive and retain the selfie to assist with identity verification” of customers at the counter, one email said, asking for more information on “why MSD must retain the selfie.”
The Department of Education said it pulled out after the DIA notified OTI agencies and police also said, “We are not involved in this project.”
“As the OTI check confirms identity against passport and driver’s license photos, we felt it was not useful at this time to enroll children in early learning or school. ‘, the Department for Education’s digital manager, Stuart Wakefield, said yesterday.
When asked to comment on the discrepancy between public statements and internal records, the government’s chief digital officer, who also leads internal affairs, said in a statement that OTI, also known as identity check, was still under development but had been used in citizenship, passports and RealMe application processing since 2019.
“The department does not share photo images or a facial recognition algorithm with any other agency,” the DIA said.
OTI is part of government initiatives worth more than $80 million to develop digital identity technology and public confidence in it.
The NZTA said the OTI was “at the heart” of this.
A bill before Parliament establishes a framework of trust and touts the benefits of transparency.
When RNZ first asked the Department of Health about its collaboration on driver’s license photos, it said the information was “not accurate”.
After seeing the NZTA document, the department said it “does not (and never had) access to driver’s license photographs for the purpose of verifying a person’s identity as part of of the vaccine certification process”.
He had access to written driver’s license information, he said.
After a third approach from RNZ, the department said yesterday it had considered using photos from driving licenses or passports for My Health Account, but did not.
“It was determined that for the purposes of supporting My Covid Record this was neither warranted nor practical, so it was never adopted.”
Emails showed DIA in 2019 how to release the OTI system with “business model options” and how to test it to see if it “meets the business needs of potential client organizations.”
The system works when a person takes their picture on their phone and puts it into OTI, which compares it using facial recognition to a passport or driver’s license. When an identity is confirmed, it is shared with the provider of the service the person wants.
It’s similar to the old system, RealMe, except customers don’t need to create an account.
In 2020, DIA was well advanced in sharing people’s photos with MSD.
“The selfie is used to verify a customer’s identity when visiting a service center,” MSD said.
The privacy commissioner said “the sharing of information between MSD and DIA to facilitate the OTI tool is significantly complex” and asked for more information.
The DIA completed a Privacy Impact Assessment two years ago that made 14 recommendations to reduce the privacy impacts and risks of the system.
The evaluation showed that DIA would only retain the selfie, metadata and Google Analytics for a few months.
The emails showed that the privacy commissioner was largely happy with OTI, except that MSD stores selfies indefinitely.
Yesterday, the Office of the Privacy Commissioner said it had provided advice to the DIA to ensure that the use of personal and sensitive biometric information was protected in accordance with the Privacy Act.
“Ultimately, the safe and lawful use of this information is the responsibility of the organization that collects, maintains and uses it,” he said.
Although the email record suggests otherwise, MSD denied ever using selfies to identify customers.
“At no time did we use customer ‘selfies’ as an identification tool,” he said last night.
RNZ has requested under the Official Information Act documents on this.
MSD said it was still “exploring” the use of OTI, more than two years after long talks in 2020. It would not be mandatory and would not use selfies but would rely on obtaining a ‘return notification … confirming an individual’s identity’. He didn’t say who.
Facial recognition is already being used to create and verify passports and fight identity fraud.
The OTI software comes from the same Irish tech company Daon that runs RealMe; it runs on DIA’s own onshore infrastructure.
The DIA leads the government’s work on digital identities.
He created a framework agreement in 2018 that public and private organizations could sign, to have US tech big DXC Technology run a facial recognition system for them.
Legislation to establish a trust framework attracted an impressive 4,500 submissions, but 3,600 of them were inundated in the last four hours of December 2021.
“We attribute this influx to social media disinformation campaigns that have led many perpetrators to believe that the Covid-19 vaccination bill is passing,” the select committee said.
“The authors made it clear that greater transparency would improve trust in the framework.”
The lack of a framework “undermines trust” and “creates privacy and security risks,” when having one would save the economy $1.5 billion a year, according to the committee’s report.