ICBC and Facial Recognition
Those of you who follow my Twitter stream will have seen a discussion between me and ICBC's representative about their offer to participate in identifying the Vancouver rioters using their facial recognition database.
I have fought against surveillance technologies for a number of years -- most recently my efforts have been focused on ALPR, which I perceive as an even more intrusive and more easily deployed technology -- however, those who know me will know that I have taken a stand against getting a Canadian passport due to the Privacy Commissioner's damning report involving the passport office and their handling of identity documents and biometrics. I've been mocked by friends and family, I've declined airline vacations and speaking invitations in the US, even declined to visit the nearby San Juan Islands because of it -- but I have chosen this path to protect my biometric privacy rights.
Instead, because and only because one needs identification to function in this society, I was forced to use the lesser of two evils -- a BC Enhanced Driver's License. Part driver's license, part identity document, it allows you to travel to the US by car or boat, but not by air, and participate in the 'Can I see some ID for that' society -- which is fine by me. I did my research, actually read the contract, and made sure I understood the privacy legislation governing the EDL program. I was certain the EDL biometrics were not shared except as permitted by FIPPA (when travelling temporarily abroad, for example) -- at all other times, ICBC is responsible under BC's exceptionally strong privacy legislation for maintaining the safe, secure and privacy-respecting use of this information only for the purpose of administering the driver licensing system and addressing insurance claims.
But then a riot happened, Christy Clark went on a power trip, and the evil of agenda setting was invoked. The announcement was that ICBC would help identify Vancouver rioters -- a goal I think most British Columbians, including myself, support. However, the how of the system is where the agenda setting and the scope creep towards a surveillance society begins to chip away.
To identify a person in a picture, you must compare the biometrics of a user in the database (like me) to the biometrics found in the picture. Now, I haven't done anything wrong, and I certainly wasn't in Vancouver during the Stanley Cup final. No probable cause to access my biometrics could possibly be shown, and for that reason I am confident that a court would have had to err to order ICBC to analyze them. Occam's Razor says they probably have not made such an order.
The laws that govern privacy in BC are called PIPA (Personal Information Protection Act) and FIPPA (Freedom of Information and Personal Privacy Act). The latter deals with government bodies, of which, it turns out, ICBC is considered one. Both these laws have strong protections for both the use and the disclosure of your personal information, which in the case of a compelled identity document and biometrics is clearly personal information.
The relevant sections of the FIPPA regulations are 32, 33, and 34. Now, I am not a lawyer but I do privacy research, and I firmly believe that to use my biometrics for a non-ICBC purpose, the corporation will require my consent or a court order. Instead, it appears as if the corporation, given little more than a request, is prepared to compare my personal biometrics to those in a picture, and to then inform the police if there is a match and that they need a court order to access the now-found information. I believe this comparison, given that I have not committed any crime, is a violation of the privacy of my biometrics and the trust I have given to ICBC to keep my biometrics confidential against such use.
Instead they seem to be arguing that s. 32(c) of the act somehow permits this use. I strongly disagree, and it is my belief that 32(c) of the act only governs information that is ordered for release -- and will not permit them to search any information that is not specified in the order. In other words, my biometric profile is off-limits for comparison to a picture of a John Doe.
As this is my belief, and one I firmly believe the court will share -- I will be demanding information from the corporation about how my biometrics have been accessed, used and, if applicable, how they have been shared. At the same time, I am seeking counsel and will pursue this matter in the courts if required. I am simply not prepared to live in a surveillance society for which biometric identifiers are compelled.
I really do hope we identify as many rioters as possible, but if it requires treating me, and all other British Columbians, as suspected criminals in the process, then we have lost much more than a few windows and store stock to these rioters -- we have lost another small part of our privacy, liberty and right to be anonymous in public space. If we are to give up our biometrics, well, we should also ask for fingerprints and DNA as a requirement to get an identity document. We would certainly solve a lot more crimes with a more complete biometric database -- however, I'm sure most people would feel just as violated as I do right now.
The transcript of the back and forth with ICBC via Twitter follows.
@KevinSMcArthur: If the ICBC facial data is to be used for criminal profiling they needed to get consent for that purpose, which they did not receive.
@icbc: @kevinsmcarthur No, we don't need to get consent. It's included in the FOIPA. We already use it to catch fraudsters.
@KevinSMcArthur: @icbc I'll be on the complaint if that data is used for that purpose and I wasn't in Vancouver.
@KevinSMcArthur: @icbc Specifically what exemption from PIPA do you believe using this data for unrelated law enforcement activity falls under?
@icbc: @kevinsmcarthur FIPPA permits us to disclose to the police for a specific investigation or to comply with a “subpoena, warrant or order”.
@KevinSMcArthur: @icbc We'll see what order you get, however, I would expect a privacy complaint should you use personal information not covered by the order
@icbc: @KevinSMcArthur We don't need an order. It's already a part of the act.
@KevinSMcArthur: @icbc I'm familiar with the act. S 33.2(a) and 34 I don't believe will apply. Leaves 33.2(b).
@KevinSMcArthur: @icbc The stance that we have all somehow been facially fingerprinted for the police and no one noticed simply will not play with FIPPA.
@icbc: @KevinSMcArthur We're allowed 2 share our data w/ police if we have a court order - which we do. This is only 4 exceptional circumstances.
@KevinSMcArthur: @icbc you now have a court order? Is it public/published?
@icbc: @kevinsmcarthur The police need 2 give us a court order when they have a specific suspect in mind. We won't be giving them our whole database
@KevinSMcArthur: @icbc I do not agree that ICBC has the right to compare the biometric profiles of the general public to that of a suspect. /2
@KevinSMcArthur: @icbc I will be following up shortly with a request for the order and for how many times and for what purpose my profile has been accessed.
@KevinSMcArthur: @icbc I am confident the courts will find that ICBC may not use this database as a police search engine. I would hope your counsel would too
@KevinSMcArthur: @icbc remember privacy legislation not only covers the disclosure of personal information, but also the internal use of that information.
@icbc: @kevinsmcarthur There is no one specific order. The police are not using it as a "search engine." They need a court order for each suspect.
@icbc: @kevinsmcarthur Police give us a picture, we run it thru our database, if there's a match, they give us a court order to release the name.
@KevinSMcArthur: @icbc that use would require accessing my biometric profile to compare. I believe that use to be a privacy violation.
@KevinSMcArthur: @icbc ICBC may disclose a specific subject's information given a court order. They may not use my information to compare to a suspect.
@icbc: @kevinsmcarthur Correct. We wouldn't give any personal info to police w/out a court order & after ensuring it's a match.
@KevinSMcArthur: @icbc I contend you need an order to make that match. An order that specifies use of the entire database.
@KevinSMcArthur: @icbc I do not agree that you can compare my biometric profile to that of a submitted picture, without consent or order. Will follow up.
@KevinSMcArthur: @icbc the course of action you are suggesting may impact the privacy rights of millions of British Columbians. I would suggest a PIA review.
@icbc: @kevinsmcarthur You're welcome to follow up, but we are allowed to disclose under section 32 (c) of the act http://ow.ly/5m4wT
@KevinSMcArthur: @icbc 32(c) refers to the disclosed information. Not my information that is not subject to any order.
@KevinSMcArthur: @icbc I realize your organization is just trying to help, and I support identifying the rioters -- however, this precedent cannot be set.