Biometrics and Identity in the Global South

20 December 2017 - A Workshop on Other in Geneva, Switzerland

Also available in:
Full Session Transcript

>> MARIA PAZ CANALES:  Good morning.  We are here for biometrics and identity in the South.  I'm extremely nervous, so if I make any mistake, just keep with me, forgive me. 



We have an extremely well‑rounded panel today.  I'm very glad that I have them joining us.  In my left, we have Leandro Ucciferri, a special focus on privacy and freedom of expression issues.  He is a researcher for civil rights in Argentina. 



To his side, we have Martin Borgioli, a lawyer from Blas Pascal University.  From his side, we have (?) in Delhi where she specialises in civil liberties and privacy. 



To my other side, we have Olivier Ali, social technologist researcher and entrepreneur, who (?) insurance health programme for refugees in silent that uses biometric identification. 



To his side, we have professor (?) Stark, a professor at law school.  I'm sure you know him.  He's the co‑founder of Open Net Korea, and he serves as commissioner at the Korean communication standards commission.  If I keep reading his bio, we're going to be here all morning.  Such an amazing career. 



So, we have been having as a community, a technology community, we have been having this conversation about implementations of biometric technologies in many places.  There are several layers to this conversation.  What we are aiming to do today in this panel is go through some of the implementations of biometric technology in the Global South and how they interact with the human rights. 



There is a (?) in the way of technologies implemented.  They are often portrayed as a way to ensure and to make available economic and social rights for people.  To serve several social economic issues.  There are places where they are portrayed as a solution to violence, to issues and security in public environment. 



However, as our panelists will tell you, there is attention between those implementations and the way we are allowed the conduct ourselves in the ‑‑ in our public and private lives. 



So, I'm going to start with Leandro.  Leandro, Argentina is currently seeing one of the most pervasive uses of biometric technology through the federal system for biometric identification.  What do you think are the challenges for human rights as a consequence of this policy?  So please tell us a little bit about how this policy has been implemented in Argentina. 



>> LEANDRO UCCIFERRI:  Thank you, Marianne.  So first, in order to give a little bit of background on the system that Marianne mentioned, the system is basically a national centralised biometric database, which was introduced in 2011 by an executive decree.  I mention this specifically because a lot of the policies we see on biometric usually avoid or sort public debate.  So it's not a minor detail that it was introduced by only the will of the executive power. 



So there was no debate in congress or even public hearings about it. 



The system basically collects fingerprints and facial recognition patterns from citizens and even foreigners.  For citizens, when they renew or when they make the national identity cards and the biometric passports, and for every foreigner visiting Argentina by plane or by ships, if it's even a cruise, a cruise ship or a ferry from Montenegro, they have to give their fingerprints and their facial recognition patterns to the immigrations office. 



So we not only have every citizen in Argentina on the database, but also every foreigner who's ever visited Argentina from 2011 and on. 



So basically, the users of the system are the four main federal forces under the Administration of Security, which are law enforcement bodies.  And I already mentioned the immigrations office as well as the citizens registry.  Not only that, but as we are a federal country, each of the provinces in Argentina can sign sort of cooperation agreements, so each provincial police can access the database at the national level.  So it's not only the registries for that specific province, but nationwide. 



By the beginning of this year in 2017, the system was broadened even more, giving access to certain bodies from the judiciary and the executive who signed also agreements.  This is not mandatory for the bodies within the executive and the judiciary, but anybody within those powers can sign agreements, so we can see that the system is being ‑‑ has been widened really broadly in the past six years. 



Although the database is restricted to specific employees, that have security levels, the access to the database does not require a warrant.  So, again, we see another failure in terms of checks and balances that should be in place. 



What has happened as a result is the system has been used in investigation for petty crimes most commonly, so agents from the federal law enforcement or even not even doing judicial investigations or law enforcement investigations, but also people from administrative offices have access to the database, and there's little transparency on what cases and under which circumstances those registries are searched. 



Furthermore, one of the most important things that has happened is that when we talk about biometric databases, like centralised databases, where every citizen or foreigner that visits the country is registered, is that it basically poses a threat to the presumption of innocence that is guaranteed in the Argentine constitution, because it turns everyone in the database into a possible suspect of a crime that's being investigated.  So that person would only be exonerated after someone from the law enforcement who is researching or who is doing an investigation under a criminal case identifies everyone in the database just to sort out the people who are not guilty of the crime. 



So we see that there's a reversal in the burden of proof, to say the least, in terms of citizens being searched and identified before they committed even a crime or during the investigation. 



This has led to the expansion of biometric activity.  In 2017, we've seen two concerns in the use of biometric data.  Those are really recent.  One is during the 11th Ministry of conference on the WTO, the federal police in the region, they registered fingerprints from not only the citizens living in a specific neighborhood in the city of Buenos Aries, but also every employee who worked in a company or who had offices in that specific neighborhood where the ministerial was going to take place.  So the specific law enforcement forces collected, again, fingerprint data from a bunch of people, even if they weren't living in the neighborhood. 



And there was not much transparency ‑‑ there was not transparency at all, to say it bluntly.  We submitted several information requests and they basically said it's all a secret operation, so we can say anything.  So we are trying to challenge that sort of transparency and accountability when the government just decides to collect fingerprint data out of thin air. 



We don't know if it also complements the information they have within CVS, or if it was something that this specific law enforcement agency was doing as an operation just for the WTO meeting. 



And another news that just break ‑‑ like, break ground in October ‑‑ yeah, in October during the primary elections.  The national electoral court implemented biometric technology to identify as a pilot programme, so it was not mandatory, it was voluntary, in six northern provinces they used biometric technologies to identify the people who were going to the schools to vote.  So they would contrast the identity of the person who was willing to put their fingerprint on the reader with the voter registry they had printed.  So they did that as a pilot programme in order to not go through, to just let it process, to reform the electoral law, but there's nothing that blocks them from actually reforming the law, even more so when the executive now is trying to push for electronic voting. 



So we've seen those two big cases in terms of how the state is actually broadening their activities concerning the collection of biometric data. 



That leads me to the final points that I want to make.  Please let me flow if I'm going over time. 



In terms of threats, the threats that biometrics pose to human rights, I want to first start saying there's been in the past, I don't know, five years, I guess, naturalisation in how biometric technologies are present in our daily lives.  So if you have a smart phone from the last five years, it most certainly will have a fingerprint reader.  If you have an Amazon Echo or Google Assistant or whatever voice assistant that's on the market right now, you've given your voice recognition patterns to a company. 



To we've seen several biometric technologies being introduced to our daily lives, and we've sort of come to a point where it's natural to us to unlock our phones with our fingerprint or now with our face. 



So that in itself is a little bit tricky, because people are not thinking on the ways that it may affect them in terms of how am I allowed to exercise my rights, or how does that interfere with certain liberties that I have. 



Another thing is, with biometrics, talking about, like, inherent vulnerabilities of the technology, biometrics are essentially public, so we can all see our faces, we can all take photographs of ourselves when we're at a public venue or at a public space.  We leave our fingerprints on a range of stuff that we touch throughout the day, and they're easily recovered by forensic methods that are pretty cheap.  There's a really big case at the CCC, I can't remember if it was last year, that a hacker showed how he recovered the fingerprints of the Ministry of Defense, the German Ministry of Defense from just a photo.  And it actually worked.  



That leads me to another point, which is that biometric information is not easily replaced, or cannot be replaced at all in some places.  Your fingerprints cannot be replaced.  Your face cannot be replaced.  Your blood cannot be replaced.  Your DNA.  So we need to think that when we're talking about, like, for example when the government wants to implement biometric systems, replacing password, for example, or when they talk about how the systems are not vulnerable or are actually really accurate.  And we've seen through a lot of research ‑‑ I just want to highlight the research done by Georgetown University on facial recognition and how algorithmic bias is a big thing, and not even big law enforcement agencies in the U.S. run tests to acknowledge what algorithmic biases. 



So basically, the discrimination that Georgetown discovered is that in the U.S., almost a lot of people of color are identified as possible criminals more than white people, and that's actually a thing that we need to address if we want to do ‑‑ to implement systems critically, is how accurate are they.  Who are the people in charge of, say, developing the technology.  Are the people in charge ‑‑ do you have, I don't know, a multi‑cultural group within the people developing the technology? 



And I will end with saying that biometrics, when we talk about the implementation on public spaces, it's taking to a point where we are redefining what we understand as public spaces, where we ‑‑ maybe a few years ago, we believed if we were in a park, we would be ‑‑ we had certain anonymity, and now with CCTV and facial recognition, that's not the case anymore.  Not even with friends tagging us on Facebook photos at a party.  We think, okay, no one's going to tag me because I don't have Facebook, but Facebook is running Facebook recognition algorithms even if you don't want to. 



So those are some starting points, just to kick off the debate after we have some questions from the audience and from other panelists.  Thank you. 



>> MARIA PAZ CANALES:  Thank you.  Particularly, fingerprint identification, allegedly for safety reasons, for public safety reasons and to curb delinquency. 



Martin, Peru is also implementing more and more uses of fingerprint identifications, allegedly for safety reasons.  However, there seems to be similarly a lack of adequate public policies in place for guaranteeing certain controls with regards to the safeguard of the special information that is being gathered.  Would you please tell us a little bit about the Peruvian experience in implementation of biometrics technologies.  And do you think that in the Peruvian case particularly, but also in Latin America as a whole, is it possible to address this issue just by creating certain standards of responsibility on how this data is managed? 



>> MARTIN BORGIOLI:  Well, good morning, everyone.  Thank you, Marianne.  Definitely yes.  Maybe that is the very best challenge that our government has nowadays, is to explain and decide how to implement biometrics in the environment of legality and proportionality. 



In Peru, the biometrics legal framework is not a good example of that.  Its implementation was a product of different interests by different entities that wanted the use biometrics.  But unfortunately, the discussion of this implementation never passed through the Congress. 



So today, we have an obscure and no structure of how biometrics works.  If it is safe, who use it, who process the biometrics database, and most importantly, who control it.  Well, the Peruvian case is quite a mess, so I wanted to firstly to give you some details of the background of the law and the early uses of biometrics in Peru. 



And secondly, I will address some mapping of the entities that are used in biometric verification. 



In Peru, biometric verification has been implemented for more than 20 years.  In the early '90s, it was used to identify the official of the National Register of Real Property, and afterwards, the National Identity Register began to use fingerprint recognition to collect biometric data of all the citizens. 



Since 2006, and as an entity responsible for issuing the IDs, the Reniec acquired the system of fingerprint impressions, the office, a software from the company Morfo.  Despite the fact that this software initially served to detect the duplication of registries, impersonation of ideas, fraudulent identifications, and to find people with unknown identity, it was ‑‑ now it is the responsibility for processing the fingerprints digitally obtained in the reenrollments. 



Since that, the use of biometric verifications has increased exponentially.  In 2013, the office was updated with a promotion of the use of the electronic ID cards.  The system began to collect fingerprints of both hands and facial features of the citizens.  It went from being (?) with two‑dimension facial recognition. 



So not only Reniec expand the number of records in its database, but also the monopoly of the ID verification. 



As you can figure, the owner of our identity become a digital authentication system.  All these measures will aim to reduce the level of fraud and commercial transaction and to increase security.  Reniec started promoting implementation of these intermediary without transparency.  Actually, we don't know who manages the database, how the fingerprint and biometric registration is designed, which digital certificates are implemented and what practice is involved, or whether it's limited to public agency or share with private parties, locally and externally. 



Today, there are several private acts that require biometric verification.  Obviously, this service is provided by Reniec.  In fact, the public budget for 2018 states that Reniec will provide this service without charging any fee.  Some of them are the public notaries, the real estate registries, the commercial banks, to qualify and approve transactions, and since this year, mobile phone providers. 



This last thing is related to the creation of registry of cell phones, of cell phone users, in which every mobile provider has to gather biometrics from its customers and match it with the same on the cell phone that she or he is providing.  These providers are obligated to give metadata from the users to the police without a warrant.  So the use of biometric verification causes the perfect circle of mass surveillance, which is CCTV, metadata, and biometrics. 



The board of immigration offices has recently issued new biometric passport and use such data to identify travelers.  The office also use the courts and the prosecutor's office to condemn people with the (?) who have to register he or she fingerprints every month in the criminal court. 



Looking forward, the progressive implementation of electronic (?) that they are promoting and encourage the use of electronic ID is a matter of concern. 



To conclude, our public policy of biometric information remains unclear.  It seems the government start to use this service without considering transparency, and we as owners of our identity and personal data need to know how the public and private policies are applied, how the interoperability exposes our biometrics information, and how could it affect or help the exercise of others' rights, such as privacy and anonymity.  Thank you. 



>> MARIA PAZ CANALES:  Thank you.  There is this constant discourse that is about attention, and a tradeoff between different rights. 



India has been building and is still building the world's largest ‑‑ the biometric database, which has been framed as something to help boost the economy and help include people who have been long excluded from social services systems.  However, its validity as a mandatory system is contended, something that it might be violating basic human rights. 



So what do you think about this tradeoff?  Do you think that ‑‑ why we might recognise that including these people who have been, in fact, excluded from basic rights, is something that is necessary to do, and why biometrics might be useful for that, using the trade of justified uses?  Can you tell us about that? 



>> CHINMAYI ARUN:  Sure.  Thank you for putting this together.  Specifically your question, my immediate answer is that we can answer this on two different levels.  First, there's a very basic concept that your fundamental rights cannot be traded or should not have to be traded for whatever cause there is. 



And second, specific to this particular question that you mentioned, the biometric database in India is being portrayed as something that will help include people who do not have access or people who are being denied access to social welfare schemes that are being provided by the government. 



And whatever the case, each particular scheme is important and there is a fundamental right, there's a lot of data that suggests that this particular biometric identity system isn't really going too far in helping improve the situation for these people. 



So I'll take a few steps back and explain how the project came about.  The idea of biometric identity at a national level was first proposed back in 2009.  The project was meant to be implemented by this unique identification authority of India and was put in place again by way of an executive order and not lower passed by parliament, similar to what happened in Argentina. 



The idea was to provide a way to verify the identity of individuals, including the individuals who didn't have existing forms of nationally ‑‑ or government issued identification, and use this verification to target the delivery of welfare schemes that the government has in place.  Many of these welfare schemes have traditionally been plagued by issues of corruption.  For example, if it was access to food grains, the grains would be siphoned off, and the argument that was made was that putting in place such a system that has individuals' identities verified would help get the benefits directly across to them. 



So this unique biometric based identity, it's called Aadhaar, and it was meant to be very easy to obtain.  Any resident could apply for it.  They needed to provide the demographic information as well as biometric information, so your fingerprints, basically.  And whereas this didn't have any other form of ID, they could be introduced by another resident, and that would be sufficient to kind of prove their identity. 



But since 2009, the use of this biometric identity system has expanded by leaps and bounds and there have been attempts to make the use of this number mandatory for most government services and for many private services as well, and the ones being (?) with other numbers and you require in some cases, I think in quite a few cases a number to be provided to issue that certificate. 



All of this has happened despite the fact that firstly between 2009 and 2016 there was no law in place.  The law only came about and enacted in 2016, to govern this entire system. 



And apart from that, there is to date a pending case before the Supreme Court of India which challenges the constitutional validity of the scheme as a whole.  The challenge is on several grounds.  This includes the fact that, you know, the biometric system infringes the rights of those involved.  There's national security issues, there's welfare issues. 



And since 2013, the Supreme Court has been issuing orders saying that the use of this number cannot be made mandatory until the court finally hears and decides upon the validity of the scheme.  And now in 2018, and even last week, the court had to once again issue an order delaying (?) that made it mandatory to link your Aadhaar number with everything from bank accounts to your cell phone numbers, your SIM cards, to welfare cards that provide children with free meals at schools and schemes that provide free access to medicines for people who need it. 



So we've been tracking this case and writing about it extensively, so I'd be happy to share more information on this with anyone who is interested.  Our interest in this stems primarily from the privacy issues that exist in this context.  And while we did have a big win in terms of the affirmation of the right to privacy, the fundamental right in India earlier this year, the Supreme Court affirmed that this is a fundamental right.  There's many privacy issues that continue to exist within this other project, and I'll just give you a few examples. 



So the law that came about in 2016 says that the number of ‑‑ the biometric identity number is meant to be voluntary and that consent must be obtained before the data is collected for issuing this number.  When you make it mandatory for providing other services, that consent becomes redundant.  The number itself, the demographic numbers that you provide and all the transactions that you engage in using this number, that are linked to this number, are all scored on a central database, and the central database is meant to be critical information and infrastructure, it's meant to be secure, but we all have had evidence showing that the larger databases are almost impossible to secure. 



The law also makes it illegal to publish the Aadhaar number, but there have been several cases of leaks of this number from different avenues, including different government departments, and this clearly at the very least, they need to educate about the fact that this is not something that ‑‑ this is something that's private, it shouldn't be published. 



And from a more legal perspective, under this 2016 law, the only way to prosecute a data breach is to report it to the authority itself.  You cannot go to court.  The authority will then decide whether they want to take it further or not. 



So if I have a couple minutes, I want to close with three fairly recent examples that show the range of the use of this number, and also the complexity of issues that we see in this context, apart from just privacy. 



So October this year, the media was awash with this really sad story about a case where an 11‑year‑old girl in one of the more rural areas in India, she died of starvation because her family was not able to obtain the food rations that they're entitled to by way of the social welfare benefits schemes.  Because they had problems with ‑‑ they weren't able to link their Aadhaar number, and they just weren't given the food because it was assumed that they didn't exist. 



And this is not the only case that we've seen of the sort.  There's several examples of people engaging in manual labour or farmers who their fingerprints don't work, so they're unable to ‑‑ their fingerprints are not read by the machines, or in rural areas, there's no connectivity, there's no data connectivity and they're unable to identify their numbers in time. 



Moving to a slightly more open context.  In November, we saw several reports about how one of the larger E‑commerce entities in India was ‑‑ you know, specifically the Aadhaar number to track lost packages and refunds.  This is a private company.  We have no mandate from the company to do this, but we don't know yet why that was the case. 



And my last example is as recent as this week.  We have been seeing reports about how one of India's largest telecom companies which now has a payments bank, which is like a small bank, has while they have been rolling people for SIM cards, they have also automatically enrolled them in open bank accounts without telling them, and linked it to their Aadhaar numbers.  Because they were linked, several of the direct cash benefits that government schemes make available to these individuals, whether it's pensions, subsidies for certain services, all of these cash benefits were automatically rerouted to these payment bank accounts without informing these people that they had new bank accounts or informing them about where the money was going. 



So I think I'll close with that, and we can discuss this. 



>> MARIA PAZ CANALES:  Okay.  Circling back a bit about what all of you have said, there are many cases where the use of biometric technologies that is implemented under discourse of inclusion has actually begin to exclude people.  Doesn't necessarily match what the system expects from them.  I am thinking, for instance, in Venezuela, where I am from, the biometrics are used in order to control how people access to food and medicines.  People from LGBTQ communities have been excluded from being able to buy food at all. 



And so the thing here is that, as Leandro was saying before, the thing with biometric data is that it's not exactly the same as the concept of personal data that we have been handling so far.  Because while it is extremely bad if ‑‑ I don't know, if your address is leaked, you can technically ‑‑ it's very hard, but you can move.  But it's really harder the change your face or your fingerprint.  This means that while we address these issues of privacy issues, which they certainly are, there are also many other aspects behind this use of biometrics data that are linked to our bodies, our concept of selves, of autonomy. 



We have been talking about biometric implementation mostly by governments, but there are many places in the world where biometrics are implemented pervasively by private actors for banking systems, for paying systems. 



At the best places, we still have this database of just ‑‑ under the protection frameworks.  There are some scholars that think that a shift in paradigms is needed.  So professor Park, do you think that in societies where biometric technologies are being implemented on a more global level, not only a fingerprint ‑‑ we've been talking about fingerprint a lot, but also facial recognition, it engaged recognition, do you think that these are different concerns than the use of biometrics by states. 



And do you think that the current framework is enough to regulate the use of biometric data by state actors and by private actors? 



>> PANELIST:  I think that either we need something additional to data protection law, or build something into data protection law to prevent phenomenon that I call paradox of trust.  By paradox of trust, I mean the phenomenon whereby the more reliable identification system you try to build, the more likely it will be abused, defeating the purpose for which you create the system. 



I saw that phenomenon happening with South Korea's resident registration number.  Resident registration number, it's not even biometric identification, it's just numbers given to the ‑‑ all individuals born in Korea.  It was invented back in 1970s, primarily to detect supplies from North Korea, but because it was implemented so thoroughly to all people born in South Korea, people began to ‑‑ people, governments, agencies began to rely on the reliability or trust of those numbers. 



They all began to ‑‑ these agencies and companies began to require production of their number as a condition of providing service or opening an account, to a point within a couple decades ‑‑ to a point where so many agencies and companies have those numbers of many people, which made it difficult for the numbers to operate as any form of a password or to operate as a condition of obtaining service, because so many companies and services have your name and number combination. 



The other thing is because so many companies and agencies have required these numbers as a condition, the resident registration number became some sort of a key data that weaves through all these different parts of individuals' lives, libraries, when you check out a book from a public library, you leave your resident registration number.  When you go to hospital, you leave your resident ‑‑ when you go to school, you leave it there.  When you get a bus idea, bus pass, you leave a number there. 



So the fraudsters who want to do identity theft, if they can have access to just this number, they can have access to all different facets of that individual. 



So, imagine the availability of numbers is increasing.  So many companies are requiring that.  And then the value of the number is also increasing, because it becomes a key data through all these different parts of life. 



So what can be the relate?  Well, Korea is hit with mass data breaches periodically, to a point where I hear rumors that you can buy a database of 100 million sets of Korean resident registration numbers for, like, 100 U.S. dollars, you know, in overseas market, and South Korea is only 50 million in population.  So I don't know where they get the 100 million sets of ‑‑ probably it's overlapping data sets. 



So what I'm trying to say is the reason that the agency is trying to build a biometric identity system is because of its non‑replaceability, they think that it is more reliable, but the problem is because it's reliable, it has the danger of function, where more and more functions are added on.  More and more functions are made available as a result of using that identity, using that biometric identity. 



So I think it is very important that when you are trying to build a system that has extreme identifiability, then it is also deeper privacy implication.  So when we define privacy, there are two factors here, identifiability and confidentiality.  The more identifiable the data is, there's greater privacy implications.  Also, the more confidential it is, more privacy implications there. 



Most people think only about the confidentiality side, but if the data is extremely identifiable as biometric identity because of non-replaceability, then we need to take special measures, and that's what I mean when we say we need something either within or in the existing data protection law to limit the function of the supposedly reliable identity system. 



Can I respond to some of the comments earlier? 



Because of the privacy implications of extremely identifiable personal data, we should definitely put law enforcement's act of unmasking a person to a warrant requirement.  I think another person mentioned how accessing the database without warrant is a problem, and the government agencies think that, hey, biometric identity, you leave your faces out, and look at yourself.  We are covering every parts of body except your face.  Why do we do that?  Because we want other people to do, you know, manual facial recognition continuously, right?  I leave my face out so that I can be recognised as you.  Although, you know, all these ultraviolets kill my skin, but I still want to be recognised by you. 



So the faces are out there in the open, so the government agencies are thinking that this is public information.  You know, why should we get judicial authorization for identifying a person.  But privacy is not just about confidentiality.  The extreme identifiability has its own privacy implication, and it's not about biometric identity, but we have ‑‑ we have had the experience in Korea where law enforcement has accessed the database of ‑‑ database kept by platforms of real names of people who put otherwise anonymous postings.  We challenge that as warrant is surveillance.  We didn't win.  But the lawsuit itself forced the platforms ‑‑ so after the lawsuit, the platforms announced that they stopped turning over the data unless they are presented by warrant. 



So that practice of unmasking otherwise anonymous individuals online has stopped.  And that analogy can be made to unmasking a person to the biometric identity database.  It should be subject to requirement.  I think it's an emerging area of law.  I think we should have ‑‑ you know, we should take the first step in the right direction, even from the beginning.  Thank you. 



>> MARIA PAZ CANALES:  Thank you, Professor Park. 



I have heard some people ‑‑ particularly people working in the technology field saying that these issues that we are posing aren't actually issues about biometric technology itself, but about the way the biometric technologies are implemented. 



For instance, the act of unmasking someone before an administrator will be public or private isn't really necessary.  That, for instance, so when that is going to allow us to use a health system, a public aid system, that needs to know if our fingerprint matched the set, but they don't need to know our name and our address and all of this other information. 



And so they are proposed as a solution that it's just about the way the systems are being built. 



So, Olivier, most of these initiatives regarding biometric identification systems portray them as an opportunity for the achievement of socioeconomic rights.  These are actually issues that exist.  Do you think that there are technology measures that can be taken in order to take advantage of the possibilities of biometric technologies, while at the same time protecting other human rights that are intentioned with this application?  Tell us a little bit about your experience working with biometrics. 



>> PANELIST:  I have been working on the project for about 20 years now in Thailand to build a non‑profit.  And we need to know that in Thailand, today, five million people are (?) and 1.5 of these migrants are illegal.  There's no way to organise them, because they don't have ID.  All these migrants go to two different clinics, the clinics just to (?). 



So it was working for quite a while until this clinic was not able to be still free, and some people, especially from Doctors Without Borders thought we could (?) non‑profit for these migrants, and these people, they don't speak English, they don't have an ID.  And so also, we wanted to have something really mobile, and so the possibility to go into the field and to organise these people. 



So we test a lot of different solutions, and for most of these people, it was not working because the fingerprint most of the times are quite bad.  And also because we were not able to bring the technology to really rural parts of Myanmar and Thailand. 



And so we came up with one solution.  It was to have a tablet and to have a specific system on this tablet, and with this tablet, we are going to mix all the different (?) especially Myanmar and Thailand.  So we were taking a picture of them, and we were giving them a card ‑‑ already printed card with a code.  And so they were able to (?) this programme. 



And now when they are going to hospital in Thailand, next to the border, they will be able to use this small card.  So we have a code with their name, and someone is able to scan this card and just to organise them, so the picture is going to pop up.  Their name also is going to pop up.  We are going to know if they can have access to the clinics or not.  So it was a solution that we were able to set up because we were going in some places in Thailand or in Myanmar without electricity, without nothing, and we add that technology. 



So we came up with this solution. 



Now that the project is running, we spend about six months developing the platform in Bangkok.  The platform was (?).  We have right now about 1,000 people inside the (?) and it's on the database.  Technically, we were able to print the database, but also, the database of illegal migrant in Thailand.  So if tomorrow (?) all the illegal migrants in the territory, they can ask for the database.  So it's still an issue, and we don't really have the solution.  We know how to protect it, and so we are having a team on the database. 



But we still have issues. 



>> MARIA PAZ CANALES:  Thank you. 



Well, now, we're going to open the floor up for questions or comments.  Here, but also for the remote participants.  I don't know if there are questions from the remote participants.  If someone wants to ask a question, make a comment, say something.  Okay.  Over there.  Red button.  Yeah.  Again.  Now. 



>> PARTICIPANT:  Perfect.  Hi, my name is Veronica Rios.  I am from Peru.  I know that one of the main problems that we have in the Global South is security, but security on the streets.  We have a lot of violence in the streets, and that's a major thing for all of us.  And one of the easiest solutions that the government has for this problem is cameras, and they are implementing cameras everywhere, and not just on the streets, but also inside buildings.  And not just public buildings, but private buildings.  I mean, when we see this on a very (?) environment, maybe live in a building, then the community of your building will say oh, we need to put more cameras so we can protect ourselves from other people. 



So I would love to hear from you, maybe you can share some best practices that we can ‑‑ how can we tackle this security issues but as well protect ourselves from being in this mass surveillance problem that we already have, because if we put a lot of cameras, then that gets risks that people says that we need to have those cameras because they will protect us.  But then there is mass surveillance. 



So how can we mix that?  How can we work on that?  I don't know, maybe you have some examples that may be helpful for everybody here.  Thank you. 



>> MARIA PAZ CANALES:  Anyone want to jump in?  Yes?  No? 



>> PANELIST:  Just along the lines that I outlined in my first presentation, we are born anonymous.  That you recognise my face, the features doesn't mean that you know who I am.  Unless you get my ID and my passport, seeing my face, that's not ‑‑ you know, that doesn't give you much about me, right?  While it picks up implications for privacy is when you can match my face with other data about me. 



So let's say I'm walking around in public space, the CCTVs record my face.  Unless the police can unmask me, unmasking an open mask, an open face is really kind of a difficult thing to talk about, but unless the police can match my face with certain other official identity, the privacy implications is not that great yet.  Well, it becomes interesting when they do the matching. 



Now, what we are seeing and what Martin is seeing as well is when the police go back and look at the facial recognition database, they have to get a warrant to get my official identity after seeing my face.  That can be one of the ways that ‑‑ I mean, the police are going to say, oh, it's going to take time, the law enforcement activities.  We are not saying the police should not do it.  Do it, but under judicial scrutiny.  Do it when you can prove, when you can show the probability that this person with this face is doing something criminal, or something harming the public interest that is justifying the investigation. 



>> PANELIST:  I agree with the colleague on the panel here, in terms of the needs of a warrant or checks and balances, in how they access and use the systems.  But I would have a slightly different approach in terms of I would challenge completely the implementation of CCTV and face recognition, just for the sake of being in Civil Society, and I don't want those systems in place in my city. 



The main concern being that they don't usually help at all with the fighting of crime, to deal with crime, or to ‑‑ all they serve as changing the hot spot.  They move the hot spot of the crime in the city geographically.  Not even realistically.  Because the crime moves elsewhere, where there are no cameras. 



So the thing with CCTV is that they sell politically.  They sell to the narrative of the political party in charge.  They are good for marketing purposes, for propaganda.  So the thing is that if you want to challenge the implementation of such technologies, your better approach ‑‑ or your best approach, sorry, is to ask them what are the actual ‑‑ the wins that they got in terms of the fight against crime, ask them, submit information reports, requests. 



Martin, I'm sure he will be more than happy to help in Peru. 



Just fighting transparency in terms of, okay, so how many cases you've solved thanks to the CCTV.  How many robs, how many, I don't know, murders.  I don't know.  So challenging those narratives, basically you need to first tackle what is the problem that the government is saying they are trying to solve.  If they are saying problem is A and they don't have evidence to support that claim, that's your winning argument.  And I say winning in quotes, because we know the government is going to just do whatever they want. 



But you have leverage in terms of pushing public ‑‑ pushing voters to say, okay, so the government is doing this, they are trying to solve this problem, and maybe if you shift the narrative towards your advantage and make people realize that it's not that useful as the government wants it or presents it to be, then what a public official just wants is to get votes.  So changing the perception of how the voters see the implementation of the technology that the politician wants to implement, that's kind of powerful.  But, again, it depends on the context of the country.  I'm not sure about Peru specifically.  Maybe Martin can address that. 



But as a general basis, that's what I would do in terms of CCTV. 






>> MARTIN BORGIOLI:  Well, I wanted to say the same as Leandro.  We were talking recently that next panel, when we talk about biometrics, we should come with masks, gloves, and voice changers in order to not be identified. 



The thing is that, adding to what Leandro said, is that we should also request the government to implement safe words and to give good remedies to ask for the information, and obviously to educate people, no?  Because, for example, when we ask for information about how the biometric system works in Peru, they gave us a guideline, so, yeah, you have to put the finger in this machine.  No, we don't want that.  We need to know what's the security implemented, what's the digital certificates that they are using, who control it, or who is processing that data.  That's the kind of information the government should give to the people. 



So I think that ‑‑ yeah.  More than the practical things, we should also address the legal issues. 



>> MARIA PAZ CANALES:  Thank you.  I think we have time for one, maybe two more questions.  This gentleman here. 



>> PARTICIPANT:  Hi.  My name is Mikel Pavel.  I think biometrics is a solution looking for a problem.  It's being seen that the solution for a lot of things that are just popping on because someone needs to set it, like the point that you made.  But if you take a step back, because I come from a country where my biometrics are being forced from me and taken forcibly from me, we need to look at this from a cost‑benefit analysis perspective, saying what is the cost of risking losing this data versus the benefit of having this data.  And we've seen very shoddy implementation in our country, where, for example, the access to the centralised database was being run by a government department on STTP instead of CTTPS, because there were apps which were able to access that database and pull data out. 



We've seen instances where fingerprints have been cloned by students.  Fingerprints have been even stolen to create fresh national IDs, which are fake national IDs.  And as we know, fingerprints can be cloned from photographs.  I've just got my fingerprint on my phone.  Even if I touch the screen. 



The risk of losing this data because it can't be changed, it is permanent, is far too high for it to be allowed to be collected and stored and shared.  Unfortunately, in India, we're doing all of those things, and I would urge everyone to avoid going down this biometrics path, because it puts people in danger.  I would see this as a human rights violation. 



>> MARIA PAZ CANALES:  Thank you.  The gentleman in the back has a comment. 



>> PARTICIPANT:  Yes.  Hi, my name is Said, and I am coming from Afghanistan. 



There was a study by National Law University in Delhi, India, where it says that poor democratic ‑‑ countries with a poor democratic record are more likely to mandate a system, and you hear the example in India.  Like Professor Park said, that we need to have these data protection laws.  For countries like Afghanistan, we are spending hundreds of millions of dollars on a similar identification system, where you're trying to collect biometrics of citizenship so that we can provide better security against terrorism and the whole nine yards. 



So in a situation where we don't have data protection law to protect the citizens, but the government is far ahead in implementing projects such as we call this (?) project.  My colleague is the director of that particular project.  It is way ahead of the legislation coming forth and protecting the data of the citizens. 



So I believe from e‑Government perspective, from management perspective, I think it's a lot more difficult, and just like the other gentleman said, we need to educate people.  So we are in a situation that we need to educate people.  We need to bring in laws.  But yet, the government has reached out so far ahead in this particular aspect, which shows that poorly democratic nations, for some reason, or the other, they prefer using biometric systems, and it kind of answers a lot of our questions, but then again, we need to address that probably.  It's not a question, just a comment.  Maybe someone can give some feedback on that.  Thank you. 



>> MARIA PAZ CANALES:  Thank you.  To take it back to the panelists ‑‑ oh, there's a question over there.  Or a comment.  I don't know. 



>> PARTICIPANT:  Hi.  My name is John Lopez, I am from Colombia.  In Colombia, we have a huge problem called the Citizen Folder, and it's a centralised database with all the data that we produce in our relation with the state.  It's put all this information on the Internet centralised.  And they are contracting out this system, and they are creating access to biometric information. 



So we have all these issues that you have mentioned, mixed in one big problem.  So we have privacy problems, surveillance problem, inclusion problems, and, yeah, welfare access, too, and also the problem of contracting out our biometric database, which are private. 



So my question is, recommendations to address this?  That's all. 



>> MARIA PAZ CANALES:  There are some recommendations.  Okay. 



>> MARTIN BORGIOLI:  Commonly, the governments exclude from data protection.  We cannot request them access rectification, consolation, or object of the ‑‑ the right to object to the government.  But they are gathering a lot of data, personnel data, and they are not implementing ‑‑ or they are not respecting all the principles of the data protection laws, why you want to use this data, to what thing, or data security.  That's a thing that I wanted to put in the comment, because it is important nowadays to recognise that the government is not complying with the data protection law, and, yeah, we need to do something about it. 



>> LEANDRO UCCIFERRI:  Just a reaction to Martin's comment.  I totally agree.  I think that we need to be careful when thinking about data protection frameworks as the holy grail, that they will save us from the collection of data by the governments and by private companies.  Not because they're bad.  Well, usually, that's the case.  In Argentina, you do have specific rights with the government, although the permissions are kind of lax when it comes to the government's inherent activities and functions. 



But if you don't have powerful and strong enforcement bodies, that framework won't be much useful. 



And the other thing is ‑‑ that's it?  I don't have time? 



We also need to be careful when talking about biometric data as sensitive data, because not every biometric data is sensitive data under the terms of data protection laws.  Data protection laws may vary country to country and region to region, but as we understand, all the biometric data that may identify ethnicity, religion, political orientation must be understood as sensitive data, and not every biometric recognition allows that. 



So we need to be careful when talking specifically about legal provisions in terms of biometrics. 



>> MARIA PAZ CANALES:  We need to be closing already, but I want to take it back to the panelists for a very quick question, because I'm thinking of the Chilean case particularly regarding facial recognition, and I'm thinking that the way these technologies are framed by governments and by companies, the society's reaction is often to embrace them because they actually think that this is going to solve the problems. 



So I would like for you to please tell me, like, really briefly how has each of your countries reacted to these implementations in means of the general population.  You know, you as activists feel very strongly, but that might not always be the case, and this has a lot of influence in our ability to actually fight these implementations and to advocate for other solutions. 



>> PANELIST:  Sure.  I think in the India perspective, I think initially most people just ‑‑ with the biometric identity system, most people just accepted it for what it was because there was some level of trust in the government that this is something that will be helpful to people.  But increasingly, they're seeing so many failures of the system that I think that ‑‑ I don't know, maybe this is me being optimistic, but the tide is changing a little bit. 



Sadly enough, I feel like it is probably changing, because the middle class and the upper class are being affected by this, because now the linking with the bank accounts, the linking with the phone numbers, those things are coming about now.  Initially, it was just welfare benefits that don't really affect middle class and upper class people. 



So there is some talk about whether the ‑‑ you know, at least in the sense there's some talk about whether it's necessary or how ‑‑ you know, the fact that this will mean failures and how to fix that.  We have to see where it goes. 



I also quickly wanted to talk about the study that we did.  So the reason we did that study really was because one of the bigger arguments that is being made constantly by the government is that everyone is doing this, everyone is doing biometric identity systems and using biometric technology, it is futuristic, why are you fighting it?  So we wanted to kind of understand if it's true, and which countries are implementing it and how they are going about implementing it. 



So we tried to set about a few parameters, the kind of systems that they use, the kind of ‑‑ the services that the biometric systems are being used, whether it's a passport or social welfare benefits, whether it's finance, whether it's for law enforcement, and whether there are data protection laws in place in these countries. 



And even in India, we don't have a data protection law.  Apparently, we'll get one soon.  But we are in a similar situation. 



So I just wanted to ‑‑ the reason we did the studies to understand how this works, so we haven't gone into an analysis and established causation, but there is some sort of correlation between the democratic indexes and the use of biometric identity systems. 



I also wanted to point out that it seems to be the same companies that are providing these services in all of these countries.  Martin mentioned ‑‑ you know, it's in India apparently the same companies.  I know they're doing this in a lot of South African countries, so there might also be a lot of money there that's pushing this. 



>> MARTIN BORGIOLI:  I just wanted to point out what Veronica said about the people ‑‑ the people's opinion about these policies.  For example, in Peru, when the CCTV and the metadata policies was published, were published, people approved it for more than 80%.  So it's really difficult to change that point of view of the people, so we need to work hard now, and now with all these biometrics issues that we have, we are trying to educate people from the beginning. 



So how it works, how well can we handle these kind of policies, and what the government is doing, only to educate people. 



>> MARIA PAZ CANALES:  Thank you.  Leandro, do you have any other remarks? 



>> LEANDRO UCCIFERRI:  Yeah, just to address your question.  One of the things that we set our minds to do as a long‑term goal is to put these systems on the spotlight.  Giving people enough information to sort of empower them to exercise their rights.  To have more information on how the government works, how the state works, what kind of data is being held and collected by the state and how they're using that data. 



But the thing is that, at least in Argentina, there's not ‑‑ there is no challenge to the implementation of these policies by the general population, because it's normal to carry with you a national identity card that was given to you since a law from a military dictatorship. 



So people have come to sort of normalise their relation between your own self and an identity number, and that has translated as well to biometric data. 



So the narrative is pretty strong in terms of why wouldn't I be identified like with 100% certainty when dealing with the government or when exercising civil rights, for example.  When I need to vote, when I need to, I don't know, travel.  They are keeping my safe.  So it's really kind of hard and tricky to advocate for changes in these policies, because there's such normalisation on how people perceive the implementation of these technologies. 



>> MARIA PAZ CANALES:  Thank you.  Olivier, do you have any closing remarks? 



>> PANELIST:  Maybe just that what we were saying and what is sometimes (?) from the government.  Need to be more to the citizens and more transparency how everything is working.  There is also a lot of projects (?) also.  So accountability. 



>> MARIA PAZ CANALES:  Yes.  Professor Park? 



>> PANELIST:  I will just use this time to tell you the part two of the Korean side of resident registration number.  Because the numbers lost their value as a reliable system, the government shifted to SIM card registration.  So now when previously people are required to enter their registration numbers to use online senior vises.  Now they input their mobile numbers, and because mobile numbers are required to register ‑‑ required to match with official identifications, it also works as identity system. 



So, yes, fighting spread of CCTVs, it's a great goal, but as Martin said, I think the train has left the station.  I mean, all the individuals are carrying around cameras to take pictures of whatever they see in public places, asking only the government, only the police not to take those pictures.  It is politically very difficult statement to justify this day and age. 



I think a better fight can be had with stopping SIM card registration and stopping other forms of identification creeping up.  Thank you. 



>> MARIA PAZ CANALES:  Thank you.  I want to thank all of our panelists for this very interesting conversation.  Sadly, we are out of time.  I want to thank you all, all of you for coming and for listening and for asking great questions. 



Thank you.  Have a nice day. 



[ Applause ]