Nationwide facial recognition ID program underway in France
The program is called Alicem – an acronym for “certified online authentification on mobile”. It was developed jointly by the Ministry of the Interior and the National Security Title Agency (ANTS), which maintain that it’s going to a) simplify getting online services while b) fighting identity theft, c) keeping the biometric data safe on the phone, making it disappear after validating identity, and d) not letting third parties get at the data.
France had planned to launch the Android-only app by Christmas. But now, it’s greasing the wheels and plans to have it up and running in November 2019, Bloomberg reports.
Privacy watchdogs are not pleased
The country’s privacy regulator, CNIL, says the program breaches the EU’s rule of consent. Europe’s General Data Protection Regulation (GDPR) mandates free choice. Bloomberg spoke to Emilie Seruga-Cau, the head of law enforcement at CNIL, who said that the independent regulator has made its concerns “very clear.”
The publication, which was able to check out the app, reports that Alicem will be the only way for French citizens to create a legal digital ID, and facial recognition will be the only way to do it.
It will require that residents use an Android app to take one-time selfie videos that capture their expressions and movements at different angles, to compare with photos of themselves stored in their biometric passports.
Meanwhile, the French privacy rights group La Quadrature du Net (LQDN) has filed a lawsuit over the program in France’s highest administrative court.
LQDN lawyer Martin Drago told the Telegraph that the government is rushing people into using Alicem and facial recognition:
The government wants to funnel people to use Alicem and facial recognition. We’re heading into mass usage of facial recognition. [There’s] little interest in the importance of consent and choice.
Security claims questioned
As Bloomberg points out, we might have just cause to question the Interior Ministry’s assurances that it can be trusted to guard the biometric data it plans to collect.
On 17 April 2019, the French Government launched a secure encrypted messaging app called Tchap that was hailed as being more secure than Telegram or WhatsApp, to be accessed only by officials and politicians with email accounts associated with email from government domains.
Two days later, it took 75 minutes for French security researcher Robert Baptiste – better known by his Twitter username, Elliot Alderson – to find a security loophole that allowed anyone to sign up an account with the Tchap app and access groups and channels without requiring an official email address.
The French government has promised that the security of Alicem is of the highest “state level” – a promise that doesn’t ease Baptiste’s concerns over its being rushed into use. Bloomberg quotes the researcher:
The government shouldn’t boast that its system is secure, but accept to be challenged. They could open a bug bounty before starting, because it would be serious if flaws were discovered after people start using it, or worse if the app gets hacked during enrollment, when the facial recognition data is collected.