Alicem, France’s mass-usage facial recognition ID program
The French government passed a law on facial recognition coupled with access to online public services in the early summer, when most observers are busier relaxing on beaches than checking daily news about digital identity projects.
Alicem, which means “Authentification en LIgne CErtifiée sur Mobile” (Certified online authentication on mobile phones) is a project that aims at including facial recognition on users’ smartphones to allow them to connect to government services applications. More globally, its goal is to allow French citizens and legal residents to prove their identity online in a secure manner. According to the Ministry of Interior, Alicem will comply with the “high” security level defined by the European eIDAS (electronic IDentification, Authentication and trust Services) regulation and is in the process of certification by ANSSI (Agence nationale de la sécurité des systèmes d'information – National agency for information systems security).
To use the application, French citizens will have to use their Android NFC-enabled handset to read their own biometric passport, and then to go through an enrolment process than compares their face, through a selfie video, with the one stored in their passport. According to the Ministry, the app and the passport communicate in a secure manner. Supporters of the project also promise the photos will not be stored in a central database but kept securely in each user’s handset. Then, every time Alicem will be used, the system will have to connect to the national population register managed by ANTS (Agence NAtionale des Titres Sécurisés – National agency for secure documents). Alicem creates a connection between biographic and biometric data and also with phone numbers, emails, and transaction logs.
Interestingly, opponents not only include civil rights groups but also the very official CNIL (Commission Nationale de l'Informatique et des Libertés - National Commission on Informatics and Liberty), the French privacy regulatory body. The CNIL points out that Alicem would go against the principles set up by the European GDPR (General Data Protection Regulation) as Alicem sets up biometrics as a mandatory requirement to create a digital ID. Also, according to the CNIL, the different security levels (low, substantial, high) for digital ID are not respected as Alicem (a high level means) could be required to access low security services such as the one protected by France Connect, so far accessible by a login and password. Also, the CNIL established that the explicit consent requirement for biometric data usage is not made clear to the citizen and that the project does not propose any alternative for high security digital identity for citizens who refuse to use face recognition.
La Quadrature du Net, a French association that “promotes and defends fundamental freedoms in the digital world,” filed a case to the Conseil d’Etat (French supreme court for administrative justice) stating that the decree creating Alicem is illegal for several formal issues and as it does not respect the rules set up by RGPD, especially for an explicit and informed consent of the citizen. La Quadrature also point out that facial recognition used in the public environment has been deemed especially intrusive by the CNIL. In addition, as refusing the use of facial recognition blocks the creation of an Alicem account, no alternative is proposed to the citizen requiring a high level digital identity.
With this project, the French government is seen as being emulating countries like China with its “social credit” system or India with the fingerprint-based Aadhaar, that impose wide scale biometrics to their population. For the time being, the French government says Alicem is not mandatory, but who knows what could happen when a majority of the population is enrolled?
It may appear consistent for a country with two world champions in the field of government identity Thales (including Gemalto) and Idemia to become a testbed for the integration between mobile communication, face recognition and government ID. At the same time, France is also the home of Human Rights and French citizens are known to be ready to protest against new technologies they may not totally understand and master.
What is at stake is the development of potentially invasive technologies, or applications that could be misused from their initial purpose while the legal framework is still not finalized thus leading to degradation of the level of citizen privacy.