A Privacy Impact Assessment (PIA) report was developed for the Facial Recognition Project at the Passport Canada Office of the Department of Foreign Affairs and International Trade. The objectives of the PIA were to determine if there were privacy issues or risks associated with the Project, and if so, to provide recommendations on mitigation measures. Although the project has not yet started, this Executive Summary provides some background information on the Facial Recognition Project and the recommendations provided in the completed PIA. Due to substantial changes, the PIA is currently being revised and its Executive Summary will be posted on this website when completed.
The mission of the Passport Canada Office is to issue secure travel documents that are recognized internationally. The Office issues three types of travel documents: the passport, the Certificate of Identity (COI) and the Refugee Travel Document (RTD).
Canadian passports are issued to Canadian citizens who apply on their own behalf and/or on behalf of their dependents. Official travel passports are issued to government employees travelling on official business. Passport application information that is supplied by individuals who are citizens or government employees is used to establish the identity and citizenship of applicants and to confirm their immediate and ongoing entitlement to a passport.
Non–Canadians who reside in Canada or are in Canada under the authorization of a Minister’s permit and who cannot obtain passports from their countries of origin may be issued Certificates of Identity or Refugee Travel Documents. Information collected on the application forms for these documents is used to establish the identity of applicants and to confirm their immediate and ongoing entitlement to a travel document in accordance with Canadian law and international conventions.
The Passport Office has increased scrutiny of all applications for Canadian travel documents since the events of September 11th, 2001. As one of the measures to increase the scrutiny of applications, the Facial Recognition Proof of Concept Project was initiated. The Project was initiated to investigate whether Facial Recognition (FR) technology could further improve the security of Canadian travel documents.
The objective of the FR Proof of Concept Project was to determine whether a Facial Recognition System was feasible, affordable and whether it effectively verified a travel document applicant’s photograph or its digital rendering against those in a query database.
FR processing is accomplished by using FR software to take biometric measurements from a digital image and then converting the measurements, using an algorithm, into an alphanumeric photo biometric identifier. Because the biometric measurements can change depending on the characteristics of the photograph, such as its orientation, the alphanumeric biometric identifier can change from photograph to photograph.
To conduct the FR Proof of Concept testing, a stand-alone mock-up query database of individuals suspected of being ineligible for Canadian travel documents was established from photographs supplied by the Royal Canadian Mounted Police (RCMP), Citizenship and Immigration Canada (CIC) and the Canadian Security Intelligence Service (CSIS). A mock-up of a database of travel document applicants, modeled on the Passport Applicants Database (IRIS), was also established in the Passport Office, unconnected to any personal information or Passport Office applications. The databases were used to test facial recognition systems from various vendors and integrators. The FR software was tested to determine, from the mock-up applicant database, whether it succeeded in flagging two different pictures of the same individual as potential matches. Test operators then confirmed the results against known duplicate pairs of images, that is, two different images of the same individual that were known as such. The images were randomly numbered to track the FR software's success in prompting the match.
The goal of the Proof of Concept Project was to determine whether or not there is a positive business case for FR technology to sustain or to improve the integrity of Canadian travel documents by better ascertaining if an individual is ineligible for the travel document applied for. Based on the results of the business case, the Passport Office intended to proceed to obtain approval to implement a Facial Recognition System.
The proposed Facial Recognition System would be implemented in the Security Division of the Passport Office. Digital renderings of photographs would be obtained from source departments. The photographs, or their digital renderings, of the following categories of individuals are proposed for use in the Facial Recognition System:
Source Department: Category of Individuals
CIC: Permanent Residents who come to Canada undocumented or whose ID is dubious
CIC: Refugees who come to Canada undocumented, who stop reporting to their immigration officials or who have abandoned their claim and against whom an arrest warrant and/or removal order has been issued
CSIS: National Security Threats
RCMP: National Security Investigations
RCMP: Probation Orders not to Leave Canada
RCMP: Canada–wide Arrest Warrants
Separate System Alert (SA) Databases would house the data obtained from each source department.
The Passport Office is currently creating digital renderings of photographs and scanning travel document applications for retention in a system named IRIS. This enables the Passport Office to print passport photos in the new, more secure passport book. A Travel Documents Issued (TDI) Database would be established in the Security Division to maintain a copy from IRIS of the digital renderings of photographs of applicants for travel documents.
The digital renderings of photographs would be converted into a template taking the form of an alphanumeric string, referred to as a photo biometric identifier, that is created using facial recognition software. The alphanumeric photo biometric identifier of each new applicant's photograph for a travel document would be compared to the identifiers in the TDI Database and then to those in each SA Database. The system would present matches of identifiers within a predefined tolerance level to a Security Division operator for review. Where appropriate (that is, when the operator is satisfied that the suggested match appears positive), the operator would then follow up with the source department and an investigation would be undertaken.
The PIA report identified the following privacy issues/risks, and the following measures were recommended to mitigate the issues/risks.
In Canada there has been very little experience with FR technology. The Chatham–Kent, Windsor and York Region Police Services are operating a facial recognition pilot project to compare photographs or artists’ sketches of suspects with the mug shot databases simultaneously over the Internet. In the Government of Canada, the Facial Recognition Project appears to be the first use of FR technology.
The Electronic Privacy Information Centre (EPIC) describes the privacy issues and risks associated with facial recognition technology in the following manner:
Devices using biometric identifiers attempt to automate this FR process by comparing the information scanned in real time against an “authentic” sample stored digitally in a database. The technology has had several teething problems, but now appears poised to become a common feature in the technological landscape. There are significant privacy and civil liberties concerns regarding the use of such devices that must be addressed before any widespread deployment. Briefly there are six major areas of concern:
Concern: Privacy Issue
Storage: How is the data stored, centrally or dispersed? How should scanned data be retained?
Vulnerability: How vulnerable is the data to theft or abuse?
Confidence: How much of an error factor in the technology’s authentication process is acceptable? What are the implications of false positives and false negatives created by a machine?
Authenticity: What constitutes authentic information? Can that information be tampered with?
Linking: Will the data gained from scanning be linked with other information about spending habits, etc.? What limits should be placed on the private use (as contrasted to government use) of such technology?
Ubiquity: What are the implications of having an electronic trail of our every movement if cameras and other devices become commonplace, used on every street corner and every means of transportation?
The previous Privacy Commissioner of Canada came out strongly against the RCMP application of the video surveillance technology and launched a court challenge under the Charter of Rights and Freedoms in 2002. On July 4, 2003, the Interim Privacy Commissioner of Canada instructed Counsel to withdraw its appeal.
While the Passport Office's proposed use of facial recognition technology differs from the surveillance of individuals in public places, the use does attract a number of privacy risks usually associated with the use of biometrics. Among the privacy risks are:
The authority for purposes of the Privacy Act for a department to collect personal information is described in the TBS Policy on Privacy Data Protection as:
The legislation states that government institutions shall not collect personal information unless it relates directly to an operating program or activity. The policy requires that institutions have administrative controls in place to ensure that they do not collect any more personal information than is necessary for the related programs or activities. This means that institutions must have parliamentary authority for the relevant program or activity, and a demonstrable need for each piece of personal information collected in order to carry out the program or activity. Parliamentary authority is usually contained in an Act of Parliament or subsequent regulations, or approval of expenditures proposed in the Estimates and authorized by an Appropriations Act.
The authority for the Passport Office to collect personal information for a Facial Recognition System is expressly set out, in most cases, in the Canadian Passport Order and, for certain other aspects of the Project, is based on the Crown prerogative.
These authorities of the Passport Office are not sustained by an overall government legislative or policy framework for the use, disclosure, retention and destruction of biometric identifiers. However, the Office of the Privacy Commissioner (OPC) has proposed a four-part test, which the Passport Office has completed.
The PIA report concluded that a DFAIT/Passport Office legislative framework is advisable.
In the Publication Biometrics and Consumer Applications issued by the Office of the Information and Privacy Commissioner/Ontario, the point was made that it is possible for biometric technology to be used in a manner that does not compromise informational privacy. However, the publication goes on to note that targeted legislative, procedural and technical safeguards are necessary to ensure privacy is protected. Ontario did enact a legislative framework for the use of finger scanning to authenticate applicants for social assistance, although the finger scanning has not been implemented. During the preparation of the PIA report, Canadian public opinion surveys on the use of FR technology and privacy could not be located.
The Privacy Commissioner’s Office has offered a four–part test of justification for the use of biometric identifiers and/or technologies:
The Passport Office has developed a response to the four–part test that incorporated aspects of the PIA report for FR.
An analysis of the Charter of Rights and Freedoms concluded that further lawful authority needs to be established in order to implement the Facial Recognition Project.
Recommendation 1a: Legislation and/or regulation specific to the Passport Office be developed to provide a framework for the operation of a Facial Recognition System and the legislation/policy provide direction for the use, disclosure, retention, disposal of biometric identifiers and complaint processes. The Passport Office may want to determine if it is feasible to implement this recommendation through the Canadian Passport Order.
Recommendation 1b: The Passport Office and/or source departments establish the lawful authority, for purposes of section 8 of the Charter of Rights and Freedoms, for the collection and/or disclosure of personal information for the operation of a Facial Recognition System.
It has not been determined what, if any, control will be exercised over photographs or their digital renderings supplied by source departments. For example, source departments may impose requirements on the use of the photographs, the retention period or disclosure to third parties, including other source departments.
When an operator confirms a match, the source department will be contacted to ascertain if the individual is still ineligible. The Passport Office intends to stipulate in a Memorandum of Understanding (MOU) with source departments that there is an obligation on their part to keep photographs or their digital renderings up–to–date and to notify PPT if a photograph should be replaced in or removed from the Facial Recognition System. This is critical given the “time–sensitive” nature of the photographs or their digital renderings. An individual may be an undocumented landed immigrant at the point at which the image is supplied to the Passport Office from CIC, but may be a citizen at the time of a match.
The privacy risk is that personal information may be inappropriately used or disclosed when the source department has not exercised its control over personal information.
Recommendation 2: The Passport Office and source departments establish, through a Memorandum of Understanding and within the framework of the Privacy Act, the control and accuracy requirements that source departments will exercise over photographs or their digital renderings supplied to the Passport Office.
The Facial Recognition System will create an alphanumeric photo biometric identifier of a photograph. The biometric identifier will be unique to the photograph rather than to an individual. Depending on the level of tolerance set by the system, the facial recognition software may or may not produce a suggested positive match. As one measure to control the possibility of function creep, the algorithm used to create the alphanumeric photo biometric identifier should be constructed in such a way that it is useable only by the Passport Office. For purposes of the PIA report, it is assumed that the photograph cannot be recreated using the alphanumeric photo biometric identifier. The project lead has confirmed that such is the case because the alphanumeric string is a translation of measured key points in the facial oval, thus recreating the “facial image” from this template is not possible.
The privacy risk is that the information could be used for secondary purposes.
Recommendation 3a: The algorithm used to create the alphanumeric photo biometric identifier be useable only by the Passport Office, to prevent the creation of the same alphanumeric photo biometric identifier by other parties.
Recommendation 3b: The contractual arrangements with the supplier of facial recognition software include a requirement that the unique algorithm be under the control of the Passport Office in such a way that the supplier cannot recreate it.
The Passport Office intends to keep the source department information in separate databases. The information in the Systems Lookout (SL) Databases may have different security classifications. Because the purpose of the disclosure of information by source departments is travel document control, information in one SL database should not be matched against another SL database.
The privacy risk is that information may be used in the future without the appropriate authority required by the Privacy Act.
Recommendation 4: Memoranda of Understanding with source departments have a provision that prevents the Passport Office from conducting data matching between SL databases.
Because the alphanumeric photo biometric identifier is not a unique identifier of an individual, and because a level of tolerance is set for suggested positive matches, a facial recognition system produces both false positive and false negative suggested matches. A false positive match means that a match is proposed but the photographs in fact represent two different individuals. A false negative match means that a match that should have been suggested was not.
In the proposed Passport Office application of FR technology, an operator in the Security Division would confirm a suggested computer match of the photographs produced by the FR software. Confirmation by the operator requires a judgment call that the individual in the two photographs appears to be the same individual. The operator then has to confirm that the status of the individual remains the same, to ensure that the individual continues to be in a category that makes them ineligible for a travel document. Once this status has been confirmed, the Security Division undertakes an investigation; if the confirmed match is against the Travel Documents Issued Database, an SL would be placed on the individual's travel document file while an investigation takes place.
Studies noted in the PIA report indicated that accuracy is a privacy issue of concern with FR technology. The project leader’s view is that relying on any technology to automate the “function rich” entitlement determination to any program poses a risk. Technology only suggests potential matches that remain to be confirmed by an operator.
The Passport Office Proof of Concept Project provided test results on the efficiency of FR technology. The tests revealed that the FR software proposed for purchase identified the correct match in the first position 75% of the time. The correct match is proposed within the top 10 positions by the technology over 90% of the time. These figures apply to images of the best quality. For images of lower quality, such as RCMP-provided photographs, the percentage in the top ten choices drops to 75%. For more complete results, please refer to the document prepared by the Passport Office.
In the case of refugees (not subject to a deportation order) and landed immigrants, the fact that CIC will be contacted about the status of an individual by the Passport Office discloses the fact that the individual may have applied for a passport for which he or she is ineligible. The inquiry may in fact be about the wrong person. At this point in the process and before an investigation is launched, the inquiry should not be recorded by CIC against the individual.
The privacy risk is that inaccurate information about an individual may be used in the future.
Recommendation 5a: A Memorandum of Understanding with CIC have a provision that prevents CIC from recording that a status enquiry was made from the initial suggested match by the Passport Office operator.
Recommendation 5b: The Passport Office document the measures that will be taken where appropriate to ensure that false positive matches, once verified as false positive, are not recorded against an individual’s file.
Recommendation 5c: The Passport Office document the procedures to be followed to prevent the use and retention of inaccurate information resulting from an operator–confirmed match, once it is determined that the information is inaccurate.
The performance requirements of the program custodian for privacy matters have not been documented nor have performance measurements been developed for the requirements. Examples of requirements if a Facial Recognition System is implemented are:
The privacy risk is that there might not be accountability for implementing and maintaining privacy requirements.
Recommendation 6: The Passport Office document the performance requirements and measurements related to privacy for the program custodian if a Facial Recognition System is implemented in the Passport Office.
The Passport Office would need to include the Facial Recognition component of the passport application process in the notice of the purpose of the collection of personal information. The notice is required under section 5 of the Privacy Act.
The privacy risk is that individuals would not be informed at the time of collection how their personal information would be routinely used.
Recommendation 7: The Passport Office include the use of facial recognition technology in the Notice of the Purpose of Collection of personal information on applications for travel documents.
The TBS Policy on Data Matching applies to data matching of personal information for an administrative purpose. Administrative purpose is defined in section 3 of the Privacy Act as the “use of that information in a decision–making process that directly affects that individual”.
For purposes of the PIA report, it is assumed that the data matching activities in the Facial Recognition System will invoke the requirements of the TBS Policy on Data Matching.
For photographs of applicants for travel documents collected by the Passport Office as part of the application process, it appears that the use of the photographs and a few data elements of personal information would be consistent with the stated purposes of the collection of personal information.
The Facial Recognition System proposes to collect the photograph or its digital rendering of all refugees and landed immigrants. For permanent residents of Canada it is proposed to use the digital rendering of the photograph taken for the Permanent Resident Card (PRC) issued by CIC. The PIA report indicated that there is authority to disclose the PRC digital rendering of landed immigrants’ photographs and the digital rendering of refugees’ photographs.
Although a refugee or landed immigrant would be ineligible to apply for a passport, there are no factors presented as part of the PIA process to indicate that these broad categories of individuals are likely to make ineligible applications for passports.
Following consultations and discussions surrounding the preparation of the PIA for FR, the Passport Office is proposing to limit the collection of photographs to those refugees who have abandoned their refugee claim and have stopped reporting to Immigration authorities (whereabouts unknown). In addition, the photographs of refugees and landed immigrants who came to Canada undocumented, thereby preventing easy identification, would also be collected.
The privacy risk is that the digital renderings of the photographs of these individuals will be used:
Some 750 Certificates of Identity and 5500 Refugee Travel Documents are issued annually by the Passport Office. The Passport Office already has the digital renderings of the photographs of these individuals. Refugees who are subject to Deportation Orders are already identified within the RCMP category of individuals subject to Canada–wide arrest warrants.
Recommendation 8: The Passport Office comply with the requirements of the TBS Policy on Data Matching prior to the implementation of a Facial Recognition System.
If a Facial Recognition System is implemented, the System will have to be scheduled for retention and disposition according to the requirements of the Privacy Act Regulations and TBS Policy on the Management of Government Information Holdings.
The privacy risk is that personal information could be destroyed in contravention of government policy or that personal information could be retained for longer than necessary.
Recommendation 9: The Passport Office have the Facial Recognition System scheduled for retention and Disposition as required by the Privacy Act Regulations and TBS Policy on the Management of Government Information Holdings.
A Threat and Risk Assessment is planned and a consultant has been engaged.
Security procedures for the collection, transmission, storage and disposal of personal information have not been documented. It is unclear how photographs or their digital renderings will be transmitted to the Passport Office from source departments.
It is likely that a Facial Recognition System (containing Protected to Secret information) will need to be isolated from other Passport Office systems with its own network. Access controls would have to be developed for a Facial Recognition system to limit access to the system on a “need–to–know” basis. A plan for quality assurance and audit to assess the ongoing state of the safeguards applicable to the proposed Facial Recognition System should be developed.
There are no documented procedures in place to communicate security violations to the data subject, to law enforcement authorities as appropriate and to relevant program managers.
The privacy risk is that security measures appropriate to the sensitivity of the personal information would not be in place. The recommendations below also deal in part with the privacy risks associated with the creation of an identifier including function creep.
Recommendation 10a: The Passport Office document procedures:
Recommendation 10b: The Passport Office develop an audit plan to assess the ongoing state of the safeguards applicable to the proposed Facial Recognition System.
DFAIT has not determined what information would be available to the public and, where appropriate, to individuals whose photographs are entered into the proposed Facial Recognition System. DFAIT has not determined if it is appropriate to establish an informal complaint process before resorting to the complaint process in the Privacy Act when the results or the application of the results of facial recognition are in dispute.
The privacy risk is that there would not be an appropriate degree of transparency in personal information management practices. On the other hand, the Passport Office is concerned that disclosure of mechanisms put in place to verify eligibility would defeat the very purpose for which the Passport Office collected the information.
Recommendation 11a: DFAIT make information available to the public, where appropriate, on the use of facial recognition technology in the travel document application process.
Recommendation 11b: DFAIT document the process for review within the Passport Office when the results or the application of the results of facial recognition are in dispute.
If a Facial Recognition System were implemented, a Personal Information Bank (PIB) would have to be established. A PIB is a collection or grouping of personal information as described in section 10 of the Privacy Act. PIBs are published in Infosource, a TBS publication, for the information of the general public. The description of a PIB would include the identification of any use of the personal information for a consistent purpose.
The privacy risk is that the public would not be informed about a collection of personal information as required by the Privacy Act.
Recommendation 12: The Passport Office document and register a PIB if a Facial Recognition system is implemented.
In conclusion, the PIA report found a number of privacy risks associated with the Facial Recognition Project and measures were recommended for their mitigation or elimination.
Although the Passport Office has determined that there are appropriate authorities, for purposes of the Privacy Act, for the PPT collection of the digital renderings of photographs, this is not supported by an overall government legislative or policy framework for the use, disclosure, retention and destruction of biometric identifiers. In addition, an analysis of section 8 of the Charter of Rights and Freedoms indicates that lawful authority is lacking for certain components of the project.
The PIA report therefore identified the need for an overall legislative framework in PPT for the operation of a Facial Recognition System, with the legislation and supporting policy providing direction for the use, disclosure, retention and disposal of biometric identifiers and for complaint processes.