Menu Close

Brazil’s biometrics-based federal services platform is a risk to rights, liberties: report

The merging of registers, including biometrics, to create a centralized database for authenticating users of Brazil’s government services platform was done without a data protection impact assessment despite the legal requirement, and poses risks to fundamental rights and civil liberties from the way the systems were created and by excluding individuals from accessing services, finds a report by Data PrivacyBR (Data Privacy Brasil Research Association).

Funded by the Open Society Foundations, the year-long project culminated in the 109-page policy paper: “Between visibility and exclusion: mapping the risks associated with the National Civil Identification system and the usage of its database by the gov.br platform.” The paper is now available in English via support from Privacy International.

Merged databases for ‘platformized’ government via biometric access

Brazil historically has a bumpy track record with implementing new ID schemes. In 2017, the government enacted a federal law to establish the National Civil Identification System (Identificação Civil Nacional, ICN).

This pooled together in a central database – the BDICN – made up of several other government databases, including the biometrics register of the electoral system. By June 2022, 130 million users were biometrically registered to vote, making 80 percent of all eligible voters (those aged 18 or over), or 60 percent of the overall population.

The target is to collect the biometrics of the entire electorate by 2026. The Electoral Court has been moving towards expanding the biometric database, such as by incorporating the National Civil Identification Action for Prisoners, according to the paper.

The government has created gov.br, a web platform for government services, akin to other platforms emerging elsewhere such as Britain’s gov.uk. User access is authenticated by ICN via user biometrics, making the platform the main use of ICN, states the paper.

The government aims to digitize all government services by the end of 2022. (A check of gov.br for this article finds the latest government figures of 4,825 services available, 87 percent of services digitized and 53 percent of user reviews being positive.)

To set up an account and access government services via gov.br, citizens need to already be included in a new database. To be included there, they need to already have an existing identity credential such as a birth certificate. Logging in requires entry of a user’s tax number and password, or via online banking or digital certificate.

McKinsey & Co.’s report on the impact of digital IDs on a selection of economies found that of the seven countries analyzed, Brazil could enjoy the biggest boost. If it implemented digital ID, it could add 13 percent to its GDP by 2030.

Two-fold risks and a missing impact assessment

The research found multiple risks to Brazilians’ fundamental rights and civil liberties. It considers them as two types: the “abusive processing of personal data due to the ICN’s information governance architecture” and the exclusion from services when an ICN-based authentication for gov.br access is required.

“In a Brazilian context marked by profound socioeconomic and regional inequalities, formulating public policies to universalize civil registration and broaden access to public services — in other words, ensuring that all citizens are visible to the State — is essential,” argue authors Bruno Bioni, Marina Garrote, Marina Meira and Nathan Paschoalini.

A centralized system, containing vast amounts of sensitive, personal data is seen as vulnerable to attack and the researchers are concerned with what authorities may do with the pooled data. The new BDICN database is providing data to be used in ways that the policies of the constituent databases did not cover.

Issues of exclusion include the 9 million voters who faced difficulty casting their ballots in 2018 due to biometrics issues, more than 12 percent of those voting. The Electoral Court said the figure “was equivalent to those of voters who had not used biometrics because the identification process could not be concluded, and voters who were only able to be biometrically identified after several failed attempts.” A small number face issues of duplication.

Those under 18 who have not yet undergone full biometric enrollment as voters also cannot go through full authentication for gov.br. Other groups facing exclusion are those without identification documents, such as those without birth certificates. Other include those with issues or errors with their credentials, including trans people and those with disabilities.

“Despite a lack of specification in the local General Data Protection Law (LGPD) of what poses high risks to data subjects’ fundamental rights and civil liberties, the National Data Protection Authority (ANPD) has been issuing some guidelines in that sense,” find the researchers.

“More specifically, CD/ANPD Resolution No. 2 of January 2022, states that large-scale data processing and the use of sensitive personal data (such as biometrics) — both of which characterize the ICN and the gov.br data uses — are triggers for high-risk findings. Moreover, the Brazilian DPA [Data Protection Authority] has a guideline that argues that producing a DPIA would be highly recommended in scenarios in which sensitive data were being processed on a large scale.”

The policy paper was a follow up to the first phase of Data PrivacyBR’s project, the publishing of an investigation into the implementation of Brazil’s digital identity system. The merging of registers, including biometrics, to create a centralized database for authenticating users of Brazil’s government services platform was done without a data protection impact assessment despite the legal requirement, and poses risks to fundamental rights and civil liberties from the way the systems were created and by excluding individuals from accessing services, finds a report by Data PrivacyBR (Data Privacy Brasil Research Association).

Funded by the Open Society Foundations, the year-long project culminated in the 109-page policy paper: “Between visibility and exclusion: mapping the risks associated with the National Civil Identification system and the usage of its database by the gov.br platform.” The paper is now available in English via support from Privacy International.
Merged databases for ‘platformized’ government via biometric access
Brazil historically has a bumpy track record with implementing new ID schemes. In 2017, the government enacted a federal law to establish the National Civil Identification System (Identificação Civil Nacional, ICN).

This pooled together in a central database – the BDICN – made up of several other government databases, including the biometrics register of the electoral system. By June 2022, 130 million users were biometrically registered to vote, making 80 percent of all eligible voters (those aged 18 or over), or 60 percent of the overall population.

The target is to collect the biometrics of the entire electorate by 2026. The Electoral Court has been moving towards expanding the biometric database, such as by incorporating the National Civil Identification Action for Prisoners, according to the paper.

The government has created gov.br, a web platform for government services, akin to other platforms emerging elsewhere such as Britain’s gov.uk. User access is authenticated by ICN via user biometrics, making the platform the main use of ICN, states the paper.

The government aims to digitize all government services by the end of 2022. (A check of gov.br for this article finds the latest government figures of 4,825 services available, 87 percent of services digitized and 53 percent of user reviews being positive.)

To set up an account and access government services via gov.br, citizens need to already be included in a new database. To be included there, they need to already have an existing identity credential such as a birth certificate. Logging in requires entry of a user’s tax number and password, or via online banking or digital certificate.

McKinsey & Co.’s report on the impact of digital IDs on a selection of economies found that of the seven countries analyzed, Brazil could enjoy the biggest boost. If it implemented digital ID, it could add 13 percent to its GDP by 2030.
Two-fold risks and a missing impact assessment
The research found multiple risks to Brazilians’ fundamental rights and civil liberties. It considers them as two types: the “abusive processing of personal data due to the ICN’s information governance architecture” and the exclusion from services when an ICN-based authentication for gov.br access is required.

“In a Brazilian context marked by profound socioeconomic and regional inequalities, formulating public policies to universalize civil registration and broaden access to public services — in other words, ensuring that all citizens are visible to the State — is essential,” argue authors Bruno Bioni, Marina Garrote, Marina Meira and Nathan Paschoalini.

A centralized system, containing vast amounts of sensitive, personal data is seen as vulnerable to attack and the researchers are concerned with what authorities may do with the pooled data. The new BDICN database is providing data to be used in ways that the policies of the constituent databases did not cover.

Issues of exclusion include the 9 million voters who faced difficulty casting their ballots in 2018 due to biometrics issues, more than 12 percent of those voting. The Electoral Court said the figure “was equivalent to those of voters who had not used biometrics because the identification process could not be concluded, and voters who were only able to be biometrically identified after several failed attempts.” A small number face issues of duplication.

Those under 18 who have not yet undergone full biometric enrollment as voters also cannot go through full authentication for gov.br. Other groups facing exclusion are those without identification documents, such as those without birth certificates. Other include those with issues or errors with their credentials, including trans people and those with disabilities.

“Despite a lack of specification in the local General Data Protection Law (LGPD) of what poses high risks to data subjects’ fundamental rights and civil liberties, the National Data Protection Authority (ANPD) has been issuing some guidelines in that sense,” find the researchers.

“More specifically, CD/ANPD Resolution No. 2 of January 2022, states that large-scale data processing and the use of sensitive personal data (such as biometrics) — both of which characterize the ICN and the gov.br data uses — are triggers for high-risk findings. Moreover, the Brazilian DPA [Data Protection Authority] has a guideline that argues that producing a DPIA would be highly recommended in scenarios in which sensitive data were being processed on a large scale.”

The policy paper was a follow up to the first phase of Data PrivacyBR’s project, the publishing of an investigation into the implementation of Brazil’s digital identity system.  Read More  Biometric Update 

Generated by Feedzy

Disclaimer

Innov8 is owned and operated by Rolling Rock Ventures. The information on this website is for general information purposes only. Any information obtained from this website should be reviewed with appropriate parties if there is any concern about the details reported herein. Innov8 is not responsible for its contents, accuracies, and any inaccuracies. Nothing on this site should be construed as professional advice for any individual or situation. This website includes information and content from external sites that is attributed accordingly and is not the intellectual property of Innov8. All feeds ("RSS Feed") and/or their contents contain material which is derived in whole or in part from material supplied by third parties and is protected by national and international copyright and trademark laws. The Site processes all information automatically using automated software without any human intervention or screening. Therefore, the Site is not responsible for any (part) of this content. The copyright of the feeds', including pictures and graphics, and its content belongs to its author or publisher.  Views and statements expressed in the content do not necessarily reflect those of Innov8 or its staff. Care and due diligence has been taken to maintain the accuracy of the information provided on this website. However, neither Innov8 nor the owners, attorneys, management, editorial team or any writers or employees are responsible for its content, errors or any consequences arising from use of the information provided on this website. The Site may modify, suspend, or discontinue any aspect of the RSS Feed at any time, including, without limitation, the availability of any Site content.  The User agrees that all RSS Feeds and news articles are for personal use only and that the User may not resell, lease, license, assign, redistribute or otherwise transfer any portion of the RSS Feed without attribution to the Site and to its originating author. The Site does not represent or warrant that every action taken with regard to your account and related activities in connection with the RSS Feed, including, without limitation, the Site Content, will be lawful in any particular jurisdiction. It is incumbent upon the user to know the laws that pertain to you in your jurisdiction and act lawfully at all times when using the RSS Feed, including, without limitation, the Site Content.  

Close Bitnami banner
Bitnami