UK biometrics boss bows out, bemoaning bureaucratic blunders
Questionable institutional change and myriad IT issues pervade the governance landscape
The farewell report written by the UK's biometrics and surveillance commissioner highlights a litany of failings in the Home Office's approach to governing the technology.
Dr Fraser Sampson's final annual report [PDF], published late last week, comes months after he stepped down from the role, which is soon to be abolished. Among many damning claims, it suggested that Whitehall has failed to offer the support required to carry out the commissioner's duties.
"My time as the biometrics and surveillance camera commissioner has been interesting, challenging, and at times frustrating, in part because of a lack of engagement across Whitehall and often an absence of support in obtaining the resources needed to fulfill my functions: at no time have I had a full complement of staff," Sampson wrote. "This frustration has also been exacerbated by the uncertainty surrounding the future of the office."
The joint biometrics and surveillance commissioner role was established as part of the Protection of Freedoms Act 2012 but will soon be abolished when the Data Protection and Digital Information (DPDI) Bill comes into force this spring.
New UK law stripping out oversight a data rights
Sampson said it was "peculiar" that the UK appeared to be "moving in the opposite direction" at a time when other leading nations are increasing oversight and governance in the areas of biometrics and surveillance.
There is no clear plan in place to replace many of the commissioner's key functions, potentially opening up the UK to greater regulatory complexity.
Once the DPDI Bill is enacted as law, the commissioner's biometrics-related duties will transfer to the Investigatory Powers Commissioner's Office (IPCO). The DPDI Bill is also expected to remove the requirement to publish the Surveillance Camera Code of Practice – a move that will create further vulnerabilities for users of the technology and for the rights of those subject to it.
The code was established under the Protection of Freedoms Act 2012 and provides local authorities and police with guidance on how to use surveillance technology appropriately. Sampson described it as a "touchstone document" for users.
Removing the need to publish the Surveillance Camera Code of Practice is effectively removing it altogether, he argued, with the current thinking that the commissioner's surveillance-related functions will be recategorized as data issues and picked up by the Information Commissioner's Office (ICO) and its Video Surveillance Guidance.
This was the chief concern of Sampson's report, which cited "significant, demonstrable differences" between the Code and the ICO's guidance. The conflation of surveillance into data protection is expected to potentially limit the recognition of surveillance-specific harms, leading to a reduction of meaningful oversight.
The ever-evolving areas of surveillance camera technology and biometrics can't be adequately governed with a data protection lens alone, he argued.
The IPCO's ability to tackle biometrics was also a concern, not least because of the Home Office's narrow focus on biometrics generally, which largely covers just DNA and fingerprints. Developing areas such as live facial recognition (LFR), for example, are unlikely to receive the proper attention after the DPDI Bill is enacted and aren't in the remit of the IPCO.
Significant IT issues persist
The system used to make and log National Security Determinations (NSDs) regarding the extended retention of biometric data for law enforcement purposes is mired in IT issues that have led to the widespread belief that these are now inaccurate.
Legally required updates are still yet to be implemented and so in some cases these NSDs are filed under the wrong legislation, simply because the more recent law hasn't been added to the system.
Other cases have seen chief police officers unable to amend an NSD to reduce the period of time they're allowed to hold on to any given piece of biometric data because the system just won't allow for amendments. Sampson said if he challenged a chief police officer's retention decision, asking them to drop it by a few years, there is no way to make that change in the system, leading to biometrics being held for disproportionate periods.
Poor search functionality also plagues the system, requiring the commissioner to manually search every NSD record for any given piece of information – an issue that has led to him being unable to fulfill certain data governance duties.
"I think it fair to say that all those forced to use the application acknowledge its many failings, and I was dismayed to hear recently that funding previously made available to at least do some remedial work had been 'de-prioritized'," Sampson wrote.
"At the time of writing, however, I am advised that an upgrade has been resurrected and hope that the revivified system both supports the production of basic management information and also that my successor is permitted access to it."
Incoming powers from the National Security Act 2023 will also allow chief officers to make NSDs for offenses related to espionage and sabotage, meaning there will be a further influx of NSDs made using failing IT.
Ethics a work in progress
While Sampson's work has helped usher in the Public Procurement Bill that sought to prevent the deployment of technology made in China, and thus subject to its law requiring it to share data at the request of Beijing, current procurement processes have clear issues.
A recent survey of police forces revealed a concerning lack of awareness of surveillance technology's capabilities among staff, either at the point of purchase or after software updates were applied.
The figures showed Chinese kit was frequently deployed, although Sampson's latest report acknowledged that forces have taken active steps to remove this and prevent ethically dubious procurement going forward.
There is also little to no use of penetration testing among forces when considering the cybersecurity of their kit, Sampson said.
According to the same 2022 police survey, which received a 91 percent response rate, "only two respondents stated that their equipment was subjected to penetration testing when assessing the cyber security of their equipment, while other respondents relied on encryption, VPNs, or 'health checks.'"
"This lack of proactive testing makes it hard to see how forces derive their assurances around data security," Sampson said in the survey's writeup.
Ethical considerations regarding the growing presence of AI will also need to be weighed by the public bodies tasked with overseeing biometrics and surveillance in the UK. However, this comes at a time when even the more fundamental aspects of the technologies risk being overlooked by the Home Office's new approach.
But Sampson is leaving his role with a negative outlook on the future of biometrics and surveillance governance, staunch in the view that the commissioner's role shouldn't be abolished. "I am not confident, following my interactions with the Home Office over many months, that the benefits of bringing the two offices together and the multiplicity of work that the single office covers will be readily addressed elsewhere.
"That will be for others to judge over the coming months and years as biometrics and the expansion of surveillance camera technology increase against the backdrop of leaden-paced legislative change."
Tony Eastaugh has been appointed as Sampson's successor. A former commander in the Metropolitan Police, he will have a short tenure, primarily focused on overseeing the transfer of powers to the IPCO.