
France Set to Roll Out Nationwide Facial Recognition ID Program - montalbano
https://www.bloomberg.com/news/articles/2019-10-03/french-liberte-tested-by-nationwide-facial-recognition-id-plan
======
mytailorisrich
This is a rather poor and click-baity article.

According to the French government's page on this system [1] (in French):

The system is an app that generates login details to allow online access to
(public?) services.

You install the app on your smartphone. It uses NFC (I suppose) to read your
picture (also other details?) from your passport's chip, and stores it locally
on the phone. It then uses this to perform facial recognition using the phone
camera in order to identify the phone's user. No biometric data leave the
phone according to [1].

The stated aim is to allow people to conduct administrative tasks (forms,
applications) fully online where it is not currently possible because a "hard
ID check" is required. It will not be compulsory.

It sounds a bit like Apple's Face ID but backed by official documents
(passports) and with the government's seal of approval, some sort of passport
check performed by your smartphone.

[1] [https://www.interieur.gouv.fr/Actualites/L-actu-du-
Ministere...](https://www.interieur.gouv.fr/Actualites/L-actu-du-
Ministere/Alicem-la-premiere-solution-d-identite-numerique-regalienne-
securisee)

As an aside comment, in France most people have a passport, and everyone has
an ID card, which requires having photo and fingerprints taken. So this does
not give the government anything that they don't already have (or could have)
and it seems that they took precautions to avoid unnecessary transmissions of
biometric data.

~~~
jokoon
I'm french, I've heard of this biometric thing, and so far it doesn't seem
people are really scared of this, so... yeah, it sounds click-baity.

French people are very sensitive to their rights and liberties, and are very
quick to organize protests. Many steps were taken to monitor potential
terrorists since the Paris attacks, and those were not well received, but
politically it was hard to not implement those measures.

I might be a little patriot, but generally the french state does a good job,
mainly because french citizens and voters are forcing the government to have
pretty high standards.

~~~
ekianjo
> French people are very sensitive to their rights and liberties

Oh really, like the non-existing demonstrations against the increase of
surveillance in the past 10 years?

~~~
mratsim
Surveillance by which country?

~~~
ekianjo
Well first and foremost the French government.

------
cm2187
These things always start with an innocuous purpose.

The French national DNA database initially was a sexual assault database, to
be able to identify rapists. Now your DNA is collected even if you are
arrested in a demonstration and never charged.

It is like laws. When a new law is on the table, the question is never about
the reasonable use of that law, it is all about how it can be abused in the
worst possible case, because that always ends up happening sooner or later.

~~~
mytailorisrich
This system reads the data from your passport (which the government collected
when you applied for one and stored there) and store them on your phone.
Software then uses facial recognition to check that the person holding the
phone matches the picture from your passport.

Hardly 1984...

~~~
cm2187
If you build a system you can query for any face and get the identity, it will
not take very long for someone asking for it to be used to identify violent
criminals. Then terrorists at airport gates. Then demonstrators. etc.

~~~
laumars
This app doesn't provide the government any new information (it uses ID the
government already issue) nor invent any new technology (face recognition
already exists). If French government - or any government for that matter -
wished to do what you described then this app wouldn't be the proverbial
gateway drug to that point. In fact, the entire point of passports _is to_
identify people at airport gates and other national borders.

~~~
mieseratte
> This app doesn't provide the government any new information

> wished to do what you described then this app wouldn't be the proverbial
> gateway drug to that point.

It's not about "gateway drug" \- it's about taking small, incremental steps to
get from point A to point B such that you don't realize it, and each action is
a small change from the previous. This is widely known as Salami Slicing[0],
though I like to call it "slow boiling a frog."

This is the same tactic I use to slowly bring errant teams and projects up-to-
code at work, start off slow with a build server, add in pass-fail rules, add
in style rules, add in test requirements, add in code review to ensure these
things are up to snuff and before you know it we have a nice compliant
project, whereas if I walked in on Day 0 and laid down the law there is
guaranteed revolt.

[0] -
[https://en.wikipedia.org/wiki/Salami_slicing](https://en.wikipedia.org/wiki/Salami_slicing)

~~~
icebraining
But it's not an incremental step. The French government already had that
database. This is just using the data _they already had_ in a new way.

~~~
mieseratte
> But it's not an incremental step. The French government already had that
> database. This is just using the data they already had in a new way.

Yes, it is a new, small, incremental step!

This is introducing a new procedure, a procedure they can change later to move
the needle forward.

This is the whole point, doing small incremental steps. Each of which appears
rather banal and unobjectionable.

That you don't care is proof it works!

~~~
icebraining
Anything can change later, even removing a procedure could be a prelude to
adding a new, more invasive one.

An incremental step requires an increment. Nothing gets incremented here. The
French government already had this data, and already used it to biometrically
identify people. The only thing this inches toward is to a reduction in the
number of public functionaries. This is the automated checkout system for
State services, nothing more.

~~~
mieseratte
> Nothing gets incremented here.

People's expectations and willingnesses are moved forward. Overton Window.

> This is the automated checkout system for State services, nothing more.

Look beyond the superficial, at larger issues.

Anyone can shoot any idea down by reducing it to a simple, innocuous sounding
concept to make the other look ridiculous.

Claiming "there's nothing here" is wrong, saying "I recognize the potential
for bad, but choose to accept that risk" is a different story.

~~~
pushpop
> Anyone can shoot any idea down by reducing it to a simple, innocuous
> sounding concept to make the other look ridiculous.

Just as anyone can argue that any change to process is salami slicing even
when nothing of any real value is being incremented.

I do understand your concern and I think healthy skepticism is a good thing.
I’m just not convinced your so arguments are consistent with the facts being
presented.

------
moksly
Android only? I’m sure it’ll get an iOS version too, but what about people who
don’t have smartphones? In Denmark we’re seeing more and more public services
move to Apps. It used to be that there was an offline version, like in the
case of our “NemID”, but now we’re talking about digital only drivers licenses
and social security cards.

The private sector had long embraced mobile apps, and it’s really hard to buy
tickets, do banking and so on without a smartphone, but now we’re truly
locking people into their mobile devices. And these devices aren’t free, I
mean, it’s not just going to be “Android” only, it’s going to be “google play”
or “Apple store” only. I’m not sure that’s very democratic.

Don’t get me wrong, I’ll absolutely use these things and I currently use most
of the available ones with great satisfaction, but it does concern me if we’re
locking public services into privately owned ecosystems.

~~~
LeYaude
The information at [1] (in French) clearly states that alternative methods
remain available. Here is the translation of an excerpt:

"Creating an Alicem account is not mandatory. Users remain free of using
available alternatives: \- account creation on the specific service
[Translator's note: this identification method is destined at the national SSO
that is only one way of logging in the various public services] \- other
electronic identification methods on FranceConnect [Translator's note:
FranceConnect is the name of this SSO. This includes at least fiscal number +
password and social security number + password and maybe other methods] \-
traditional physical administrative procedures"

I am not necessarily a fan of this identification method and for myself I
consider it less secure than a sufficiently strong, properly stored and
regularly updates password. Still, the argument of locking the users or making
the smartphone mandatory does not stand.

As for the collected biometric data, it is collected from the passport's chip,
so technically the administration is already in possession of this data, there
is nothing new here.

I see this as completely independent from facial recognition surveillance
(hence mandatory), which in my opinion we must fight against.

[1] [https://www.interieur.gouv.fr/Actualites/L-actu-du-
Ministere...](https://www.interieur.gouv.fr/Actualites/L-actu-du-
Ministere/Alicem-la-premiere-solution-d-identite-numerique-regalienne-
securisee)

------
gbersac
Don't worry, if capgemini or accenture win the project (as they often do), the
project will never work

/s (but no so sarcastic either)

~~~
ElFitz
Oh, Capgemini! Had to work with one of their SDKs once. Oh my. Wish I hadn't.

But maybe we could suggest them to pick, say... Steria? Louvois was such a
success[^1]

Reminds me of [https://projectfailures.wordpress.com/2008/06/24/project-
fro...](https://projectfailures.wordpress.com/2008/06/24/project-from-hell/)

[1]: [http://en.rfi.fr/africa/20140404-faulty-software-robs-
french...](http://en.rfi.fr/africa/20140404-faulty-software-robs-french-car-
troops-bonuses)

------
dsfyu404ed
>France says the ID system won’t be used to keep tabs on residents. Unlike in
China and Singapore, the country won’t be integrating the facial recognition
biometric into citizens’ identity databases

That's what they all say but once the systems exists the temptation is there
to use it and each successive bunch of authoritarians will use it a little bit
more. They don't even need to be more than a small minority of government to
do it so long as they do it in small incremental steps (integrating it with
more and more government functions).

~~~
black_puppydog
Don't see why this is getting downvoted. The list of examples is just too
long. Germany recently changed their laws to allow easier access to registered
information. It went from "we'll only use it for those pedo-bio-nuclear-
terrorism cases that we keep telling you about" to "well but also for
organized crime" to now supposedly "well or copyright infringement or petty
theft".

------
jacquesm
One day we will regret this computer revolution in ways that we currently
can't begin to imagine.

~~~
Ensorceled
I would say quite a few sci-fi authors have done a good job on this ...

~~~
lucb1e
My favorite author in that genre is Daniel Suarez, who makes some scarily
accurate thrillers. It's not all 100% realistic, but as someone who is often
annoyed at the deus ex machina[1] of other (science) fiction, this is really
great. The author is a former software engineer, so I guess they know quite
well how technology works in general.

[1]
[https://en.wikipedia.org/wiki/Deus_ex_machina](https://en.wikipedia.org/wiki/Deus_ex_machina)

~~~
Ensorceled
That is one of my favourites as well, World of Warcraft meets the Real World
in a way that, while not necessarily believable, did not cause retinae
detachment from extreme eye-rolling.

------
starfox64_
It's not stated clearly in the official publication but it seems that their
medium term goal, beyond using this on government websites, is to also allow
private companies access to the tool.

It'd be pretty useful as a way to standardize the way various companies do
identity verification online.

I'm honestly pleasantly surprised to see such a thing coming directly from our
government, as it can be sometimes quite outdated.

------
Tade0
Why not have banks act as identity providers?

We have this in Poland and it works great - as a contractor I have to send
certain tax documents every month and I only ever authenticate via my bank and
associated 2FA.

The other method stopped working after I lost the password and discovered that
reset didn't actually send an email like it should have.

~~~
black_puppydog
Turns out there's no guarantee that any particular private bank has to offer
you their service, so there are some people who simply don't have a bank
account. If you're gonna do anything to do with official papers, you have to
be at 100% (not 99.999...%) coverage. Which IMHO is just one more reason why
this kind of thing is dead on arrival, given that it requires a smartphone.

------
BlueTemplar
> "It took a hacker just over an hour to break into a “secure” government
> messaging app this year, raising concerns about the state’s security
> standards."

Can stop reading right there, considering that the messaging app was in beta,
and the fix was quickly rolled out - so everything worked as designed, _for
once_ \- this is the equivalent of

> "It took a hacker just over an hour to break into a computer, raising
> concerns about the security standards of people that use computers."

------
pascalmahe
I don't know much about infosec but I know enough to see that this tool is not
ready. It's really scary. Also the fact that it's not discussed much, here in
France. It's the first time I've heard of it. From a country that has had a
government agency for protecting digital liberties since 1978 (which made laws
about what data you can and cannot keep as a software provider) it's a big
change of direction.

~~~
seszett
What is scary about it, though? It's really just adding a new way of
authenticating on government websites. I like the idea of how it works, but I
don't find it very secure, compared to Belgium's chip and pin system for
example (this application is the equivalent to Belgium's itsme, which I use
often enough).

However it's probably the best we can do in France since we don't want to have
a centralised citizens database.

~~~
epse
itsme has me really scared about it's security, especially since they are so
handwavy about it. I browsed their site for a long time before enrolling, but
didn't find anything useful.

~~~
seszett
What were your concerns about it?

------
andrerm
So if police or someone can get your phone they can just point the phone to
your face and get access to all info ?

~~~
yohannparis
No, the app just compare the face in front of the camera with the photo saved
in the NFC chip in your passport. So that the government agrees that the user
of the phone and the passport are the same person. Once this is done, the
photo is destroyed as well as the comparaison. It's an app that does what
every custom officer do when you cross a border.

------
baybal2
EU already have a EU-wide identity database with passport photos. This is how
EU automatic border gates work.

------
mathieuh
We have essentially the same thing in the UK, called Gov Verify.

[https://www.gov.uk/government/publications/introducing-
govuk...](https://www.gov.uk/government/publications/introducing-govuk-
verify/introducing-govuk-verify)

------
neonate
[http://archive.is/ZyZOf](http://archive.is/ZyZOf)

------
k__
Wasn't gait recognition much better?

------
yardie
Can we give french citizens the benefit of the doubt here. Living there I can
tell you the resident are much quicker to point out these new systems as
fascist than, say, Americans.

Even in Paris, the number of surveillance cameras was dramatically lower than
London. The police would tout the crime fighting advantages of having these
cameras in certain areas, someone would write an opinion on Nazi occupied
Paris, the camera talk would go dormant for a few more years. New director
arrives and wants to install cameras in certain areas...

~~~
black_puppydog
First, I think the argument is not against how French _citizens_ deal with
this, but how the government is pushing this stuff to begin with.

Second, I'd like to agree with you, I really would. BUT: After the charlie
hebdo and bataclan attacks, seeing...

* completely unopposed état "d'urgence" being prolonged for TWO YEARS when the real urgency was over within a few days * the way that it was abused [1], and largely not discussed let alone really opposed in public or by my relatively tech savvy colleagues and friends in private conversation * how some of the most outrageous parts have been made into regular law now * how we still have military patrolling everywhere * bag checks at university lecture halls (seen yesterday) * the vigipirate logo (which looks like straight out of a dystopian scifi comic [2]) plastered all over town * the kindergarden on my way to work still being surrounded with concrete barriers blocking the parking, to ostensibly (and practically completely irrelevantly, given the geometry of the place) block a car from driving through the fence

after all of that, I have little to no confidence that France is any less
prone to a slide into totalitarianism than any other country. :(

[1]:
[https://wiki.laquadrature.net/%C3%89tat_urgence/Recensement](https://wiki.laquadrature.net/%C3%89tat_urgence/Recensement)
[2]:
[https://en.wikipedia.org/wiki/Vigipirate#/media/File:Vigipir...](https://en.wikipedia.org/wiki/Vigipirate#/media/File:Vigipirate_2014.svg)

------
mtrycz2
And so... it has come to this.

------
mosselman
> Saying it wants to make the state more efficient,

That is bold. Normally when governments want to destroy your privacy they
claim they want to combat terrorism or something more horrible. They are going
with making their processes more efficient?

~~~
baud147258
I think the goal, as explained by other comments, is to allow to do thing
remotely with your smartphone, instead of having to go to the city
hall/administration building.

