
Facial recognition: School ID checks lead to GDPR fine - rbanffy
https://www.bbc.com/news/technology-49489154
======
Barrin92
Good. Not only does this ensure that the students enjoy privacy, monitoring
children in school with surveillance systems could have come straight out of
Foucault's Discipline and Punish.

Maybe we should think about how we make schools spaces of freedom for our
children rather than turning them into the next panopticon.

~~~
Iv
School is the most authoritarian experience one typically experiences in a
democracy. Here is a place where a strict hierarchy is enforced, through means
of parental and peer pressure, anxiety over your future. Your schedule is
planned by the minute, even peeing requires an authorization. Chatting is
banned except on very limited time spans.

The fact that we have kept a part of the Middle Ages inside our modern societies
keeps fascinating and frightening me.

~~~
Zenst
I can think of a few HR departments over time, that would make the worst
school experience look like a walk in the park. Let's be fair, I never got a
written warning for slouching in a chair at school...

~~~
acollins1331
A written warning for slouching in your chair? Quit your job holy shit

------
ysleepy
"The regulator noted that although some parts of the school could be deemed to
be "public", students had a certain expectation of privacy when they entered a
classroom.

It said there were less intrusive ways that their attendance could have been
detected without involving camera surveillance."

Yeah, especially considering the students do not have a choice about being
there.

~~~
Rapzid
Eyeball surveillance. I remember school. The teachers' eyes were far more
piercing than any camera.

Seriously though, where exactly is the privacy if attendance is taken either
way?

~~~
altfredd
That depends on the person who tracks attendance.

If the teacher sells attendance reports (together with detailed lesson
transcripts and audio recordings) to Google, Amazon, Netflix, US and Russian
governments, all major data brokers and The USA Association of Rich
Pedophiles, all at the same time — yes, there is no difference. Otherwise
there is a substantial difference.

It is amazing, that a person, directly reporting such detailed information to
elsewhere, would be considered a pervert and criminal, but using an automated
camera to do the same thing is somehow alright?!!

~~~
throwaway2048
It's alright if your job depends on that sort of business model.

------
cameronbrown
Good! I was forced to use biometric data (fingerprint) to purchase food and
read books in the library (yep) for seven years at my UK school. That was
already too much. Facial recognition has zero place in a school.

~~~
whazor
The only time I liked to give my fingerprint is for the fitness lockers. Not
needing a key or remembering a pass code is great.

~~~
xxs
could wear a bracelet instead

------
diveanon
There is a disturbing trend of using schools as beta test groups for invasive
surveillance.

~~~
revyuh
True..

------
havkom
The main parts of the wrong-doing:

- The school had obtained consent from the pupils and each one of the
pupils could opt out at any time. The Swedish Data Protection Agency (DPA)
did however find that due to the power balance of a school vs a pupil, these
consents are not "freely given", and thus are void. The school therefore has
no legal basis for processing special categories of data/sensitive data, which
processing face recognition data ("biometric information") for identification
purposes is. Violation of GDPR Article 9.

- The school had not completed a sufficient Data Protection Impact Assessment
which properly identified risks of this processing. In addition, due to the
nature of this processing, they would have been obliged to consult with the
DPA about this impact assessment before starting. Violation of GDPR Article
35 & 36.

- The DPA also found that the processing was more extensive than necessary,
since attendance could be taken in less invasive ways. This is a violation of
GDPR article 5.1c (the data minimisation principle).

I hope the decision will be appealed by the school, which is run by the
municipality. There are several interesting questions, such as if consent can
be freely given in schools, if the data minimization principle was really
breached (the school claimed this way of taking attendance saves a calculated
72,000h of teachers' time per year in just this school), etc. I am not sure
however that the municipality has the right resources and competency to make a
competent appeal.

~~~
Iv
> the school claimed this way of taking attendance saves a calculated 72,000h
> of teachers' time per year in just this school

Which is 197h per day. I find this number extremely dubious.

~~~
nmstoker
The figure I saw (on the BBC article and the linked Swedish article) was
17,000 hours per year in this school.

That still seems suspect: estimating a school year of 35 weeks that's 175
days, thus 97 hours per day across all teachers. Even if it were some mega
school of 1,000 pupils and maybe 100 teachers that seems high, would imply
they spent perhaps ten minutes of every hour in a six-hour day taking &
dealing with attendance on average! (obviously based on assumptions, so this
could vary)

It feels like a number that was come up with (or at least inflated) to justify
the project.

~~~
TazeTSchnitzel
Perhaps it is a number based on the time that would be required for teachers
to perfectly track attendance. But of course they don't in practice!

~~~
havkom
My fault. 17 280 h per year was the calculated savings

------
codedokode
Collected data can be used later - for example, the school or teachers can
sell face models to advertisers, shopping mall owners, data brokers, Facebook,
Google etc. So it is the right decision to shut down such a dubious project.

The school could simply use RFID cards for tracking attendance.

~~~
sokoloff
My friend can use my RFID card too.

Why not use a fingerprint reader if automation is needed, or just place trust
in the teacher to not cheat and give them a web page or app to enter absences?

Attendance is a safety thing (or viewed that way). If my 8 year old
unexpectedly doesn’t show up to school, I would like to find that out at 8:30
rather than 15:00.

~~~
Faark
> My friend can use my RFID card too.

Yes, just like you and your friend can do a lot of other cheating in school.
And the mechanism used to prevent that is severe punishments once caught by a
teacher.

I don't see much difficulty in spotting an empty desk that should be occupied
according to today's automatically generated seating chart.

On another note, I feel like I'd be more okay with facial recognition and
other biometrics in the form of you going to a scanner and initiating a scan.
But certainly not surveillance with recognition built on top. Article doesn't
seem to specify what they used, though the image chosen implies surveillance.

------
concordDance
I'm struggling to see any actual harm from this use of facial recognition if
the video is deleted promptly after processing and conversion to an attendance
list.

~~~
mattlutze
In order to make a positive ID of a student, you need to have a biometric
photo of them, or a set of unique indicators that your recognition system will
be able to compare against.

This facial fingerprint will need to be pretty strongly unique so as to avoid
false positives or false negatives. If that information is stolen, the thief
has the fingerprint for your face, which is very difficult for you to change.

The level of protection for that stored information then must be very high,
because the damage to the individual in case of its loss is very high. The
GDPR is in place, in part, to make certain that the justification is
sufficient for an organization requiring you to hand over such personal and
valuable data.

"I want to take attendance" is apparently not sufficient. Further, if someone
wanted to get creepy, we can imagine what could happen should someone place a
foreign agent along the video-recognition-attendance workflow, which then told
its owner when and where certain students positively were at any time.

~~~
zaroth
I couldn't find online if Anderstorp High has Student IDs, but assuming that
they do, the school _already has_ a photograph of every student.

~~~
mattlutze
Student ID photos and biometric photos aren't necessarily the same, and a
software system that tracks with certainty where each student is anywhere in
the building has implications, as I mentioned just briefly above.

------
zaroth
> According to the DPA ruling, although the school secured parents' consent to
> monitor the students, the regulator did not feel that it was a legally
> adequate reason to collect such sensitive personal data.

It’s this kind of second-guessing which is extremely concerning about
GDPR-type regulation.

Not that the information was not secure, or leaked, or mishandled, or consent
wasn’t obtained, but even if all that is done, just, “We don’t think you had a
good enough reason.”

~~~
jdietrich
The GDPR doesn't specify what you _can't_ do with personal data, it specifies
what you _can_ do. Personal data is private by default; you can only use my
data if it is explicitly lawful for you to do so. If you're not absolutely
sure that what you're doing is in line with the GDPR, you shouldn't do it.
That's by design, not by accident.

The GDPR's fundamental principles are set out in article 5. You should collect
the least amount of data possible, you should process it only for specific,
explicit and legitimate purposes and you should delete it as soon as possible
once you've finished.

Can anyone legitimately argue that a facial recognition system is the least
intrusive way of collecting attendance data? Would any reasonable person
believe that constant video surveillance with facial recognition technology is
no more intrusive than taking the register at the start of class? I think not.

The actions of the school authorities were in flagrant breach of the GDPR and
they fully deserve to be fined. There's no second-guessing in this case, no
grey area, just an organisation that used advanced surveillance technology to
monitor children without giving a moment of thought to the privacy
implications. This fine is precisely in line with the intentions of the
European Parliament when they signed the GDPR into law.

[https://gdpr-info.eu/art-5-gdpr/](https://gdpr-info.eu/art-5-gdpr/)

~~~
mytailorisrich
The issue with the GDPR as worded and this ruling is that they remove the
possibility of informed individual decisions.

In this case it seems that all involved were informed and OK with it but that
did not matter.

I would also think that knowing where pupils are at all times is quite a
legitimate aim for a school.

~~~
jdietrich
Recital 38:

 _"Children merit specific protection with regard to their personal data, as
they may be less aware of the risks, consequences and safeguards concerned and
their rights in relation to the processing of personal data."_

Recital 43:

 _"In order to ensure that consent is freely given, consent should not
provide a valid legal ground for the processing of personal data in a specific
case where there is a clear imbalance between the data subject and the
controller, in particular where the controller is a public authority and it is
therefore unlikely that consent was freely given in all the circumstances of
that specific situation."_

A school cannot rely on consent as a lawful basis for processing the personal
data of pupils.

[https://gdpr-info.eu/recitals/no-38/](https://gdpr-info.eu/recitals/no-38/)

[https://gdpr-info.eu/recitals/no-43/](https://gdpr-info.eu/recitals/no-43/)

~~~
Zenst
Does Google's et al. EULA cater for this as fairly sure many children's phones
track them and fall foul of this.

Oyster cards in London, your journeys are tracked, consent not asked for. Let
alone giving special privilege for children.

Then the whole aspect of under-age (children) committing crime and evidence. A
smart lawyer could abuse the whole aspect to squash any evidence that placed
them at a scene of a crime as they never gave consent and if they did - they
didn't know what they were doing.

Basically - if a school can't rely upon consent from children - nobody can.

~~~
goodcanadian
_Basically - if a school can't rely upon consent from children - nobody can._

I think that is a fairly well established legal principle. In many places, a
contract cannot be enforced against a minor no matter whether it was freely
entered. Statutory rape laws say it doesn't matter if the minor consented. And
so on . . .

~~~
Zenst
"Statutory rape laws say it doesn't matter if the minor consented" that is
probably an extreme example that some might find unpalatable, but it does
support the point.

------
ummonk
What is the personal data being unnecessarily collected here? Reference
pictures for facial recognition? Cause attendance would be collected
regardless...

~~~
hiharryhere
The biometrics of the face.

Linked article states: "The General Data Protection Regulation, which came
into force last year, classes facial images and other biometric information as
being a special category of data, with added restrictions on its use."

~~~
bryguy32403
But the school probably already has pictures of the students for
ID/yearbook....

------
SomeOldThrow
Meanwhile in the US, we still use a 10 digit number for our identification,
regardless of who is holding it. I'm not sure which is worse :/

EDIT: phone numbers are 10 digits, SSN is 9.

~~~
pkaye
I thought we use a passport or driver's license for identification?

~~~
Broken_Hippo
Yes, but no.

Most folks don't have passports. Children do not have driver's licenses or
state IDs. Some places want more than one form of ID and some require a SS#,
though you don't always need the card.

