In November, France will become the first European country to debut a nationwide facial recognition ID program known as Alicem. The government-run program, which is being rolled out by the French Interior Ministry in the name of greater “efficiency” for the state, will require French citizens looking to access certain government services to enroll in the program. Perhaps not surprisingly, given the controversy already surrounding facial recognition technology around the world, this new digital identity system has already generated a number of privacy and security concerns.
The case for using facial recognition technology
In theory, the use of the Alicem (an acronym for Certified Online Authentication on Mobile) digital ID system will make things easier and more convenient for French citizens. Instead of having to type in a lot of different passwords or remember a lot of different user names, French citizens will have a single digital identity that is tied to their biometric data (i.e. their face). You can think of this as a much more efficient authentication program for online or mobile than what exists today. For example, the whole system of proving your identity by responding to a text message sent to your phone solely to access a website is clearly inefficient. And you will never have to worry about losing paper documents (such as a birth certificate) because you can’t “lose” a digital identity once you’ve completed the enrollment process.
A secure digital identity system based on facial recognition will also (at least, in theory) make it a lot harder for hackers to break into accounts or to fake an identity because no two faces are alike. If, say, someone tried to board an airplane with a boarding pass using your name (purchased with a credit card in your name), facial recognition cameras installed at the airport would be able to spot the “fake” passenger. The same is true if a hacker tried to file a tax return for you using a government website – even if the hacker knew information such as your name and passport number, he or she still would not be able to access the website without your face.
Privacy concerns about the use of facial recognition technology
But here’s the problem – in order for the Alicem facial recognition system to work, it needs to do a scan of your face. Without a scan of your face, it will not be possible to obtain a legal digital ID. Thus, users will need to create a “selfie video” that captures various expressions, movements and angles of their face. Then, they will use a secure government mobile app to compare this facial recognition data to the photo that exists in their passport. Doing so will create a link between their biometric data and all the other elements of their personal identity (such as date of birth). At some point, though, the phone app and passport (via an embedded chip) will have to exchange information, and that creates the risk of facial recognition data being stolen or hacked.
So you can see why so many people are upset about Alicem, which has the support of President Emmanuel Macron. For one, there are fears that the French state will be able to compile a massive database of people’s faces that it can then use for a variety of different purposes beyond just accessing government services online. French law enforcement officials, for examples, might use this facial recognition data to find specific people in a crowd. Anywhere you walk in France, security cameras could look for your image, thereby enabling the government to track wherever you go. For that reason, the privacy group La Quadrature du Net is challenging the mass use of facial recognition data in administrative court.
And then there are all the problematic issues surrounding the right to consent, which is enshrined in the 2018 European General Data Protection Regulation. If the French government is forcing all citizens – whether directly or indirectly (as in, you won’t be able to access certain government services if you don’t enroll in the program) – to join the Alicem facial recognition ID program, then there is no consent. That’s why France’s data regulator, CNIL, says that Alicem breaches the fundamental right to consent and is a no-go.
Security concerns about the use of facial recognition technology
If those privacy concerns around facial recognition technology are troubling, just consider all the security issues involved in such a program. In an earlier test of a “secure” government-issued messaging app, for example, a hacker was able to breach the system in under an hour. It might take hackers more than an hour to break into Alicem, but it’s clearly a potential risk. Imagine if hackers got access to all the facial recognition data for the city of Paris (with 2.14 million residents). Or imagine if hackers were able to use your “face” in order to access all the other aspects of your identity.
Facial recognition technology around the world
France is hardly alone in using facial recognition technology, Bloomberg reports. It might be the first country in Europe to deploy the technology, but it is not the first in the world. China, Singapore and India have experimented with facial recognition ID programs for government services. And the use of biometric data to perform certain tasks (such as the use of your fingerprint to unlock your phone) is becoming increasingly mainstream, making it almost a certainty that national ID systems based around some form of biometric data are going to become the norm, and not the exception.
The problem, of course, is that any new technology – such as facial recognition technology – is not inherently good or bad. It’s how governments choose to use it that is the main problem. In an authoritarian state, for example, the use of facial recognition data is the key to suppressing dissent, tracking opposition voices and limiting freedom of speech and expression. Even in democratic nations, facial recognition data might be used to discriminate against certain demographic groups, or to give law enforcement too much power. Given this context, the French rollout of the Alicem facial recognition ID system is especially problematic. It may be well intentioned, but the privacy and security risks are simply too high.