Unlawful biometric mass surveillance practices in the European Union go even deeper than previously reported and are accelerating towards becoming systematic for being able live in Europe, according to a new study from the EDRi (European Digital Rights).
“The Rise and Rise of Biometric Mass Surveillance in the EU” examines the legal basis for biometric processing in Germany, Poland and the Netherlands. Students at the Edinburgh International Justice Initiative (EIJI) collaborated with EDRi staff to compare domestic, EU and international law with the application of biometric mass surveillance in each country.
The study found disproportionate use of intrusive systems in all three, plus the repeated use of ‘pilot’ and ‘trial’ schemes to give a sense of a temporary timeframe for unlawful projects as attempts to avoid regulatory scrutiny. A Polish project is allegedly using the perceived threat to public health of breaches by people self-isolating for COVID-19 reasons to introduce compulsory biometric surveillance.
The study finds that such projects are operating not in response to firm threats but to act “indiscriminately as a precautionary or deterrent measure.”
Biometric surveillance schemes have been found to be deployed disproportionately against certain groups and focus on protected characteristics such as sexuality and religion, notably in Germany, and entire communities in the Netherlands have been turned into experiments of surveillance without their knowledge or consent.
The paper finds that the enforcement of restrictions around the deployment of biometric surveillance – and the holding to account of private enterprises or government authorities behind projects – are sliding. This could create a society where compliance with surveillance becomes necessary for a normal life as those unwilling to comply “will find it increasingly difficult to access civic services, to travel, and even to go to the shops, without being tracked, profiled, and monitored via their biometric characteristics.”
The researchers predict “an open-ended use of biometric mass surveillance” in the future: “In our analysis, such practices consistently engage (and fail to comply with) principles of necessity and proportionality found in both domestic and European legal frameworks, as well as having deeper implications for the right to dignity that underpins fundamental human rights principles in Europe and beyond.”
EDRi produces frequent reports into biometric surveillance in Europe. This latest study found that while biometric surveillance is not as widespread in Poland as in the Netherlands and Germany, it seems to be progressing through similar database-building stages its neighbours to the west have already passed through.
The researchers found that law enforcement is purchasing and installing ‘biometric ready’ surveillance equipment without having a declared specific purpose, which is against both national and EU laws requiring that personal data processing always be necessary and proportionate to the specific circumstance.
“The fact that the police would install biometric mass surveillance devices without any specific purpose, covering areas where people could easily be associated to their protected characteristics (e.g. their religion or sexuality) and therefore with high risks of discrimination – simply for the purpose of ‘just in case’ — is not only chilling, but flouts the principles of data protection and fundamental rights.”
Biometric surveillance is not simply happening in the present in Germany. According to the report, there is increasing evidence that facial recognition algorithms are being applied to previously collected footage.
Private biometric system providers are offering highly sophisticated services. Dresden-based Cognitec advertises a system that is able to answer questions on personal relations between people such as identifying the last time when two people were seen together.
‘Living Labs’ turn streets and communities into real-time biometric surveillance hotspots. Initially created on a provisionally temporary basis and usually without the knowledge or consent of the people living there, they have been found to continue beyond their original timeframes.
They combine biometric surveillance modalities such as gait recognition and voice monitoring with social media surveillance to determine levels of aggression and “for purposes such as inferring if young people are hanging out on a street and predicting their future life outcomes on this basis,” according to the report.
“Not only does this raise serious ethical concerns, it is also a brazen attempt to circumvent the rules governing the police’s ability to collect such data, making citizens complicit in the unlawful biometric mass surveillance of their communities.”
The study deems the ‘trial’ nature of such schemes as a “pretext for violating people’s rights, and the persistent collection and storage of people’s biometric data without a legal basis” and which is ultimately a misuse of national and European law.
Private security cameras are another area of concern for the researchers. The Dutch police created a database in 2016 for registering the security cameras of individuals or business. Once registered, in the event of a crime near a camera, police are able to access its footage and run it through their CATCH facial recognition software. The police can also force the owners of registered cameras to hand over footage and fine them for not doing.
Called ‘Camera in Beeld’ it is not only free and easy to register, but incentivized. Police offer a ‘free scan’ of the quality of the cameras, but by signing up for that, the owner’s camera is enrolled in the system.
Almost 230,000 cameras were registered by December 2019. Eighty-eight percent of the cameras registered film public space at least partially.
“Even though the Dutch police do provide some guidance to camera owners to ensure that the cameras do not infringe upon privacy rights, they paradoxically also tell camera owners that cameras are allowed to be placed in a location where it is inevitable that part of public space is filmed. They have also explicitly reassured users that they should not be afraid of being caught violating data protection laws.”
The report finds that the footage constitutes biometric data and the police’s ability to match footage with photo databases could be considered mass surveillance.
Sixteen percent of Dutch households use a smart doorbell. Municipalities in the Netherlands are encouraging their use as well as the Camera in Beeld database. Some schemes have even given Ring doorbells out for free and linked them to the Camera in Beeld database.
This could be classed as the authorities assisting individuals to act unlawfully, according to the report.
COVID-19 has presented a different issue with biometric surveillance in Poland. The government commissioned a mobile phone app to check whether people required to self-isolate are where they said they would be. For the authorities this was supposed to lead to efficiencies in terms of fewer in-person checks.
TakeTask built the Kwarantanna Domowa (‘Home Quarantine’) app in just three days. It was initially released for voluntary use in March 2020 but a few weeks later was made mandatory.
Those required to isolate are sent an SMS requiring them to download the app. Not installing it can lead to criminal sanctions. They then register by taking a selfie while at their declared place of quarantine. This becomes the reference photo for checking subsequent photos which are requested at random. The phone’s geolocation is captured during the registration and follow-up selfies have to be submitted within twenty minutes of the request. Failure to do so automatically sends a notification to the police.
The report questions whether this use of facial recognition is necessary or proportionate, as legally required, for protecting public health. It notes that Polish police stated in March 2020 that there were 600 probable breaches of quarantine when investigating 83,000 people – a fraction of one percent.