Auditor labels Australia's Biometric Identification Service 'deficient'

Management of the Australian Criminal Intelligence Commission's now shuttered AU$32 million biometric project has been called out as poor by the country's Auditor General.

The Australian National Audit Office (ANAO) has blasted the execution of Australia's Biometric Identification Services (BIS) project, labelling it deficient in almost every way.

The BIS project, awarded to NEC Australia, kicked off before the July 2016 creation of the Australian Criminal Intelligence Commission's (ACIC), which was formed following the merger of the CrimTrac agency, the Australian Crime Commission (ACC), and the Australian Institute of Criminology (AIC).

must read

What's actually in Australia's encryption laws? Everything you need to know

All the big questions answered on Australia's encryption laws answered.

Read More

It had an initial budget of AU$52 million.

The project, ANAO said, was meant to replace the existing National Automated Fingerprint Identification System (NAFIS) and provide facial recognition capabilities to enhance law enforcement's biometric capabilities.

At the time, Minister Assisting the Prime Minister on Counter Terrorism cum Minister for Human Services and Digital Transformation Michael Keenan said the new platform would give law enforcement agencies access to not only fingerprints, but also palm prints and facial images, as the NAFIS only provided police agencies with access to fingerprint data.

He also said the new platform would give police the ability to undertake facial recognition matching with approximately 12 million existing images that were already held in police databases nationally.

In its report [PDF], ANAO said the NEC BIS project encountered difficulties at an early stage and was subsequently terminated on June 15 last year.

As a result, ACIC renegotiated with Morpho, the company that operated the previous NAFIS, with ANAO labelling the cost of this "a substantially higher price" than the AU$52 million NEC initially asked for.

Morpho has since continued to operate the NAFIS and that contract will expire in May 2020 -- after the ACIC extends the deal for a year from May this year -- with ACIC yet to determine its future.

In terminating the NEC project, ACIC CEO said it was shuttered "in light of project delays". However, NEC at the time said the BIS was ready to be handed over to ACIC for acceptance testing.

"Administration of the BIS project by CrimTrac and ACIC was deficient in almost every significant respect," ANAO wrote. "The total expenditure on the project was AU$34 million. None of the project's milestones or deliverables were met."

ANAO said the approach to negotiating and entering the contract did not effectively support achievement of outcomes.

"This was a result of the contract not explaining the milestones and performance requirements in a manner that was readily understood and applied," the auditor continued.

According to the report, ACIC did not effectively manage the BIS project with its approach characterised by: Poor risk management; not following at any point the mandated process in the contract for assessing progress against milestones and linking their achievement to payments; reporting arrangements not driving action; non-adherence to a detailed implementation plan; and inadequate financial management, including being unable to definitively advise how much they had spent on the project.

NEC Australia was awarded the contract after CrimTrac focused on a value for money outcome, ANAO said. The approach to market received only two valid tenders.

ANAO highlighted that ACIC had agreed to more than AU$12 million in additional work, some of which may have been unnecessary or already covered under the original contract.

Records were also not appropriately kept, with ANAO saying many staff did not use any of the government's electronic document and records management systems and instead kept records on their own computers, in uncurated network drives, or in email inboxes.

Further to this, ANAO said the project timeline and milestones were not adhered to; it also said financial management of the BIS project was poor.  

"ACIC's corporate finance area had no responsibility for management of the financial aspects of the BIS project; neither did the project team have a dedicated financial or contract manager," ANAO wrote. "ACIC was unable to advise definitively how much they had spent on the project. ACIC made a 'goodwill' payment of AU$2.9 million to NEC which was not linked to the achievement of any contract milestone."

ACIC was also not able to provide details of how this payment was calculated either.

The Department of Home Affairs is now responsible for the operation of a central hub of a facial recognition system that will link up identity-matching systems between government agencies in Australia.

The Australia-wide initiative will allow state and territory law enforcement agencies to have access to the country's new face matching services to access passport, visa, citizenship, and driver licence images from other jurisdictions.

The Face Verification Service (FVS) is a one-to-one image-based verification service that will match a person's photo against an image on one of their government records, while the Face Identification Service (FIS) is a one-to-many, image-based identification service that can match a photo of an unknown person against multiple government records to help establish their identity.

Access to the FIS will be limited to police and security agencies, or specialist fraud prevention areas within agencies that issue passports as well as immigration and citizenship documents.

The FVS is now operational, providing access to passport, immigration, and citizenship images. The FIS will come online soon, with the Department of Home Affairs telling a Parliamentary Joint Committee on Intelligence and Security in May it had purchased a facial recognition algorithm from a vendor to be used for the FIS, despite claiming immunity on disclosing the contracted vendor.

RELATED COVERAGE