The Department of Home Affairs has told a Parliamentary Joint Committee on Intelligence and Security that it has purchased a facial recognition algorithm from a vendor to be used for Australia's Face Identification Service (FIS).
Notification of almost all goods and services procured by the Australian government is published for public consumption, but the department told the joint committee on Thursday that it will remain tight-lipped on the vendor contracted after receiving an exemption from that requirement.
"The FIS enlivens significantly a threat to assumed identities, so that's security and law enforcement covert operatives and witnesses under protection, so we received an exemption under the Commonwealth procurement rules to not publish the identity, the name of the vendor that's providing the facial recognition service," Assistant Secretary of Identity Security Andrew Rice explained.
"It's just reducing the potential vectors of attack."
Rice told the joint committee that as all of the vendors providing biometric or facial recognition services use different algorithms, naming the vendor employed would potentially increase the threat of attack.
The Australian government in February introduced two Bills into the House of Representatives that would allow for the creation of a system to match photos against identities of citizens stored in various federal and state agencies: the Identity-matching Services Bill 2018 (IMS Bill) and the Australian Passports Amendment (Identity-matching Services) Bill 2018.
The first Bill authorises the Peter Dutton-led department to operate a central hub for communicating between agencies, while the second would allow for real-time crime fighting, according to Foreign Minister Julie Bishop.
The pair of Bills make good on an agreement reached at COAG in October to introduce a national system allowing for biometric matching.
The joint committee probing both Bills is concerned that not publishing the identity of the vendor providing the system will leave the public with minimal transparency on the performance of the FIS.
"The system is not an evidentiary system, it isn't designed to be the sole mechanism for the identification of an individual, and the agency that is using it is still responsible for identifying the individual and that there will always be facial recognition specialists in the loop," a spokeswoman for the Department of Home Affairs said in response.
Senator Jenny McAllister asked for further clarification from the department, saying the government is required to make accuracy figures public, as one example, and that not naming the contracted vendor could stifle those reporting requirements.
"There may be mechanisms for the government to ensure itself of that without it necessarily being made public," the spokeswoman continued.
Rejecting the idea that the FIS uses artificial intelligence to match an individual, the department attempted to clarify the tech that supports the FIS, starting with the existing document verification service (DVS) used to verify government-issued documentation such as passports.
"The document verification service has existed for a decade, and what it does is check the authenticity of credentials based on biographic and document information that is provided ... it doesn't say my mum's maiden name was X, it just says yes or no, and it works on a hub-and-spoke model," Rice explained, noting the Attorney-General's Department handed the responsibility of the Interoperability Hub for the DVS to Home Affairs as part of the machinery of government change.
"The document verification service is excellent for getting to Mickey Mouse at 1 Smith Street on a licence ... it's no good at dealing with me taking Steve's biographical details and putting my face on it."
The joint committee heard that the difference between the DVS and the FIS is that the former returns an absolute result and the latter produces a probabilistic score, with Rice noting it may report a 98 percent certainty.
Rice, who also came from the Attorney-General's Department, said Home Affairs looked at the architecture of the DVS system and the privacy protections in place and looked to produce that in "the same kind of way for the face-matching service".
"There already are existing collections of facial images -- driver licence, passports, visa, and citizenship images -- and in the case of passports, visa, and citizenship images, there already are facial recognition systems there, there are algorithms that compare faces and allow you to make decisions on the basis of probability," he explained.
"We looked at linking up, through the Interoperability Hub, that just like the DVS, it is a big router -- it's like the router at home that connects off to the various holdings -- it doesn't store any data, it doesn't do any matching, what it does is allow a user to pose a query ... the Interoperability Hub routes that request ... and says yes/no in the case of verification."
In its submission to the joint committee last month, Home Affairs labelled a suggested warrant requirement to access the FIS a "resource-intensive" process that could cause significant delays to matters of national security and potentially undermine law-enforcement investigations. On Thursday, it held firm on its view that warrants should be kept out of the process.
"We're looking to put this tool, particularly the Face Identification Service, in the hands of agencies that need to make rapid decisions in order to protect the community against law enforcement and national security threats," the department said, echoing remarks made at the time of COAG.
"To implement a warrant regime into that process would significantly slow down that process.
"Because what we're doing is putting the information in a place where it can be accessed."
The department believes the privacy benefits of requiring agencies to obtain a warrant would likely be "significantly outweighed" by the decreased ability of agencies to carry out their law-enforcement and national security functions.