Katitza Rodriguez & Maira Sutton
Electronic Freedom Foundation
April 1, 2012
Last week, the Conseil Constitutionnel, the highest authority on the French Constitution, declared the provisions of a law permitting judicial and police use of a centralized national ID database to be unconstitutional. 200 members of the French Parliament referred the law to the Conseil following the law’s adoption on March 6th. The Conseil determined that the use of the centralized database was incompatible with France’s fundamental rights, including the right to privacy and the presumption of innocence.
The proposed legislation mandated compulsory civilian ID cards containing a chip designed to store personal and biometric information, including home address, marital status, eye colour, and fingerprints. Proponents argued that the biometric ID card would be used to stop “honest folk” from becoming the victims of identity fraud. In fact, the law would have enabled the “honest folk” database to be used for criminal and judicial purposes. The Conseil correctly determined that such uses constituted a serious incursion into the right to private life, disproportionate to the law’s stated objective.
Another provision in the law would have allowed for a second, optional chip to be used for online authentication in e-commerce transactions. The Conseil determined that such use would require too broad a range of personal data to be collected without any guarantees of security and confidentiality. Furthermore, it condemned the law’s vague conditions for authenticating individuals, especially minors. EFF welcomes the Conseil’s decision to strike out substantial parts of the legislation to protect privacy. Nevertheless, the Conseil should explain their unmotivated reasoning behind leaving significant anti-privacy portions of the law intact, namely biometric data collection for the purpose of preventing ID fraud.
The argument for biometrics is predicated on the flawed assumption that a national biometric ID scheme will prevent identity fraud. Massive databases already invite security breaches and a biometrics database of this scale is a honeypot of sensitive data vulnerable to exploitation. Such a data breach is not just costly—it is irreversible, you cannot change your fingerprints or your irises. Recently the UC Berkeley School of Law conducted an in-depth analysis of the costs of establishing a biometric employment identity card in the United States. They found that such a program would cost an upwards of “$40 billion in initial costs, but also $3 billion in ongoing annual expenditures.” They also concluded that such a program’s lack of proven effectiveness and its high risk of error would lead to “a Pandora’s box of civil liberty violations.”
In its decision, the Conseil emphasized that they are not ruling either for or against biometrics [PDF, in French] (p.21):
This decision of the Council’s should not be interpreted as being either in favour of biometrics or against it. Nor is the Council expressing any opinion either in favour of a register of biometric data or against it. What the Council is saying is that the safeguards involved in the creation and deployment of this register are inadequate. In the circumstances, the Council is not in a position to over-ride the wishes of the legislature.
The Conseil’s ambivalent statement is politically understandable. Regulators tend to romanticize the security and accuracy of biometric systems. In fact, there is a lack of evidence to demonstrate the reliability and proportionality of this new technology. Jean Marc Manach, a blogger and journalist from Owni.fr, argues that biometrics has proven inaccurate and therefore ineffective in fighting identity fraud or anything else. As long ago as August 2009, The Register magazine suggested that our trust in biometric technology is a delusion.
Last year, a French report revealed that 10% of biometric passports were fraudulently obtained [French]. The introduction of biometrics is exacerbating the problem of identity fraud instead of solving it. The French government already has several powerful surveillance technologies available to track people’s movements, including mobile phone logs, web usage logs and credit card usage logs. They must provide evidence first that they can use this technology to enhance security before spending taxpayer money on another National ID biometric scheme.
French smart card and biometrics companies have lobbied heavily for the “honest folks” law. Their trade association, GIXEL (Professional Association of Industry and Electronic Components) gained notoriety in 2004 when they won the infamous French “Big Brother” award, for their systematic attacks on the right to privacy. Ironically, GIXEL got the award for their proposal to “educate” children under 6 years old and their parents about the need for biometric “security.”
The proposed collection of this vast amount of biometric information gives governments too much unchecked power and opens the door for government abuse. In their referral to the Conseil, French parliamentarians quoted Martin Niemöller’s chilling poem “First they came.” They argued that had this kind of database existed during WWII, the Nazis and collaborators in Vichy France could have more easily arrested French Résistance fighters based on their fingerprints or facial scans.
EFF, as one of 80 civil liberties organizations, has requested the Council of Europe in 2011 to investigate if National ID biometrics laws in Europe comply with the Council of Europe Privacy Treaty and the European Convention on Human Rights.
In light of the long list of privacy concerns surrounding biometrics, and the guarantee of future security breaches, biometric national ID laws cannot be justified. As more nations continue to adopt and implement biometric ID laws, now is the time for the Council of Europe to comply with its duty to seriously confront all of these issues. Under our watch, we refuse to let states collect massive amounts of biometric data without regard to our privacy rights.
Please visit Electronic Frontier Foundation to support Internet freedom and privacy.