UK Vaccine Passport App Sends Biometric Facial Recognition Data to Private Company, Shares With Law Enforcement

By Author:
794 0
Theatre goers queue to scan their contact tracing app on July 21, 2021 in London, England. The NHS App vaccine passport uses iProov, a private company, to collect biometric facial recognition data for account verification. The NHS provides iProov with government identification data to complete the match. This information can also be queried by law enforcement.
Theatre goers queue to scan their contact tracing app on July 21, 2021 in London, England. The NHS App vaccine passport uses iProov, a private company, to collect biometric facial recognition data for account verification. The NHS provides iProov with government identification data to complete the match. This information can also be queried by law enforcement. (Image: Chris J Ratcliffe/Getty Images)

The vaccine passport app used by the United Kingdom’s public health system is using a private company to collect and process biometric facial recognition data, and the National Health Service (NHS) admits the data collected can be accessed by UK law enforcement, according to a new report. 

In a Sept. 16 exposé by The Guardian, the NHS App, which serves not only as a vaccine passport, but allows users to view their health records, fill repeat prescriptions, and book medical service appointments, verifies citizens’ identities by having them upload a video of their face, which is used to compare against the photo registered with their government identification. 

The video is sent to a UK-based company called iProov with connections to Conservative Party donors. iProov is provided with “anonymised photo IDs already held by the government” used to compare against the videos in order to make or reject a match.

The user is flashed with an array of colors by the iProov Flashmark software when the video is filming to verify they are legitimately present. Users also must provide the app with their date of birth, postal code, phone number, and an additional copy of their driver’s license or passport photo during the process.

While facial recognition is the default method the NHS App seeks for account verification, users do have the ability to opt out.

The Guardian notes the government’s contract with iProov for biometric recognition was awarded by NHS Digital in 2019, but has still not been publicly disclosed. The paper says a NHS spokesperson confirmed that “law enforcement bodies were able to request data,” but anchored the caveat that “a special panel reviewed such requests, taking into account the health service’s duty of confidence” to the admission.

Both NHS Digital and iProov told The Guardian that facial recognition data uploaded in the app is anonymized and claimed that the private sector company is using a “privacy firewall” that separates it from knowing anything besides the video and the anonymized photo provided by the customer and NHS. 

However, the NHS also said it had neither publicly disclosed the contract, nor completed a privacy risk assessment on the app for “security reasons.” iProov would not tell The Guardian how long it retained the data it collects for, only stating it is “not stored for longer than is necessary under the contract.”

“While the contract hasn’t been published, documents on the government’s ‘digital marketplace’ website show that it typically charges an annual service fee of up to £1.4m and a cost per user of £1.50,” noted The Guardian.

According to the article, iProov also sells its technology to banks and the U.S. Department of Homeland Security.

In July, the NHS boasted that more than 10 million citizens were now using the NHS App, a number which rose by 6 million after the app transformed into a vaccine passport.

The article also paraphrased iProov founder Andrew Budd as having “spoken of his desire for facial recognition to be used in more settings in the UK, including on the door of venues such as nightclubs.”

Cori Crider, Director or Foxglove, a group of UK lawyers established to challenge technocracy, summed up her organization’s concerns in comments to The Guardian, “So long as this system to log into the NHS app is optional then it may be fine but officials definitely shouldn’t be ‘nudging’ patients to log in with their faces to access healthcare.”

“We should all also reflect on whether we’re heading towards a world where people have to use their faces just to walk into the supermarket or the pharmacy or the nightclub.”

While Stephanie Hare, a doctor, told the outlet, “Once this stuff is brought in, it’s very difficult to get rid of. It’s the thin end of the wedge and Covid is an opportunity for companies to get a foothold.”

In May of 2020, Financial Times published an article reflecting on the experience its author, an overseas visitor, had with the Chinese Communist Party’s QR code surveillance state, which was installed by the regime to control citizens under the pretext of struggling against the pandemic, that serves as an experiential caution, “Sometimes it feels every transaction — even entering a park — is subject to government approval.”

“Over the past two months, local authorities across China have rolled out health code systems, accessed through smartphone applications, to control the movement of people and identify those who had been diagnosed with the virus or visited areas of high infection,” read the article. 

“In China, many of the restrictions on movement are now being lifted and life is returning to normal. But the code system still lingers in many places…The temptations of keeping such a system of control in place, or even to centralise and strengthen it, must hold a strong attraction for the Chinese government.”

  • Neil lives in Canada and writes about society and politics.