
Planned Facial Verification Scheme for Singapore’s National Digital ID Raises Serious Privacy Concerns

The government of Singapore is rolling out biometric facial verification technology as part of its national digital identification system, something that has privacy advocates concerned. It would make the island state of more than five million the world’s first to incorporate facial scanning into a national ID system, requiring biometric verification to access a mix of some 400 public and private services.

Where facial verification will be required

The National Digital Identity (NDI) program is currently being piloted at a number of kiosks throughout the nation, installed so that residents without mobile phones can be scanned.

The plan was initially reported in the Straits Times in early 2020, and there is currently no scheduled start date for any sort of mandatory changeover. But once in operation, the facial verification system would tie in with the current SingPass government service system. This system is used by residents to interact with some 60 government agencies and 200 individual services such as filing taxes, applying for various types of public assistance, and accessing the “Central Provident Fund” mandatory savings and pension plan.

Though it appears that facial verification will eventually be required to access these various SingPass-connected services, the government is pointing to the fact that biometrics will not be scanned until the end user gives positive consent to do so. Privacy advocates counter by pointing out that a valid form of “consent” is not really being obtained in this situation given the power imbalance between the individual and the government, and the fact that the individual may be denied essential services if they do not agree to it.

The Singapore government has said that none of the data from the national digital ID system will be shared with the private sector, and that the selfie used for verification will only be stored on government servers for 30 days. Critics point to problems with the scanning process itself that have been identified in facial verification systems that have been tested in other countries. For example, tests conducted by the US government in 2019 found that even the best of the available private sector facial recognition systems had significant error rates, particularly when attempting to match the faces of ethnic minorities. In the US tests the faces of black women were subject to false matches 10 times more frequently than those of white women, and in general the systems were less accurate with female subjects and became more inaccurate the darker the subject’s skin was.

And though the private sector will not have direct access to the data the government collects and stores, some elements of it will have access to the technology. Kwok Quek Sin, senior director of national digital identity at GovTech Singapore, expressed the belief that the national digital ID system would be beneficial for the country’s businesses as they could immediately implement facial verification without having to build any systems themselves. The technology could be put into use when opening a bank account, during testing at universities, and in security applications in elevated risk areas such as ports. Private sector organizations using the system would see a numerical score indicating how closely the subject’s current selfie matches the picture that the government has on file.

A reliable addition to the national digital ID system?

The facial verification software that is used in the national digital ID system is provided by iProov Ltd., a UK-based biometric authentication firm. iProov’s other clients include the US Department of Homeland Security and the UK National Health Service (NHS). While the company has furnished similar facial verification systems to numerous private clients, this is the first use of it on this scale, and the first to monitor the entire population of a country.

Though technical details have not been revealed, iProov claims that the “Genuine Presence Assurance” system can verify that an actual person is present: it will not respond to pictures or video held up to a camera, or to a subject wearing a mask. The technology appears to work as advertised given that US government agencies have opted to make use of it in airports, but this would be the first time that a cloud-based verification system is deployed at this sort of scale.


The activation of this system on a national scale (and making it compulsory) would be an unprecedented test, particularly considering that the plan for it is to replace physical documentation entirely. What would happen if an error in the facial recognition database caused someone to be misidentified at some critical juncture (such as bringing up medical records in an emergency)? Or what if a hacker gained access to the cloud-based infrastructure and altered or deleted information? With other nations and states putting moratoriums (if not outright bans) on facial verification technologies, Singapore may wind up being the world’s petri dish for all of the potential issues of this previously untested form of national digital identification.

 

Senior Correspondent at CPO Magazine