The Claim
“Exempted a facial recognition system storing data of innocent citizens from standard procurement policy disclosure rules. The excuse is a reliance on security through obscurity rather than actual security. Accuracy figures are also not published.”
Original Sources Provided
✅ FACTUAL VERIFICATION
The core claim is TRUE - the Department of Home Affairs did receive an exemption from Commonwealth procurement rules requiring disclosure of the facial recognition vendor. In a May 2, 2018 parliamentary hearing before the Parliamentary Joint Committee on Intelligence and Security (PJCIS), Assistant Secretary of Identity Security Andrew Rice explicitly confirmed: "We received an exemption under the Commonwealth procurement rules to not publish the identity, the name of the vendor that's providing the facial recognition service" [1].
Rice justified this non-disclosure by citing security concerns: "It's just reducing the potential vectors of attack. The FIS enlivens significantly a threat to assumed identities, so that's security and law enforcement covert operatives and witnesses under protection" [1]. He explained that since different facial recognition vendors use different algorithms, naming the vendor could provide attackers with information to exploit vulnerabilities in that specific system [1].
The claim about accuracy figures is partially verified but requires context. Senator Jenny McAllister at the parliamentary hearing explicitly raised this concern, stating "the government is required to make public figures of accuracy, as one example" [1]. The Department of Home Affairs' response was carefully qualified: "There may be mechanisms for the government to ensure itself of that without it necessarily being made public" [1]. This indicates accuracy figures were not being published publicly, though the government suggested it had internal mechanisms to verify performance.
The Face Identification Service (FIS) is a probabilistic matching system (not artificial intelligence-driven absolute identification) that produces probability scores (e.g., 98 percent certainty matches) [1]. The system was designed to supplement, not replace, manual verification by trained facial recognition specialists [1].
Missing Context
The claim omits several important contextual factors:
Existing facial recognition infrastructure: Facial recognition systems had already existed within Australia's government for over a decade. The existing Document Verification Service (DVS) used facial matching on passports, visas, and citizenship documents [1]. The new system was primarily consolidating and automating processes that were already happening manually.
Legitimate security rationale: The exemption was not arbitrary. Naming the vendor would genuinely expose law enforcement and national security operations to targeted attack. The government noted that "covert operatives and witnesses under protection" could be identified or endangered if the vendor's system vulnerabilities were known [1]. This is a recognized cybersecurity principle - protecting sensitive infrastructure from disclosure.
Comparative context - Labor government support: Critically, this was not a uniquely Coalition policy. Victorian Labor Premier Daniel Andrews (heading a Labor government) told COAG in October 2017: "State and territory motor vehicle and driver's licensing agencies have been manually providing this information for a very long time. To say that it was inefficient or not fit for purpose is an understatement. In my judgement, it would be unforgiveable to not make changes like that when the technology is available, the competence, the know-how, and safeguards are available to effect that change" [2]. Labor states unanimously approved this system at COAG.
Parliamentary oversight structure: While vendor secrecy was maintained, the system included parliamentary oversight mechanisms. The Identity-Matching Services Bill 2018 required annual parliamentary reports on system usage and a mandatory statutory review after five years [3]. Consultation with the Information Commissioner and Human Rights Commissioner was also required [3].
Data minimization principles: The system only stores transaction audit data, not facial images. Images are stored separately in federated databases (passports, visas, driver licenses) controlled by different agencies [1]. The "hub" system does not store personal information - it only routes matching requests [3].
Public concern: A Roy Morgan poll conducted in October 2017 found 67.5 percent of Australians were unconcerned by the proposed facial recognition system, with younger respondents showing the most concern (but still not a majority within any age bracket) [3].
Source Credibility Assessment
ZDNet (primary source): ZDNet is a mainstream technology news outlet (owned by Ziff Davis) with established editorial standards and credentials. Asha Barbaschow (author of the primary article) is a professional contributor. The article presents direct parliamentary testimony and government statements without sensationalism. This is a credible source [1][2][3].
The claim's secondary reference to "security through obscurity" (Wikipedia link) is philosophically relevant but not a primary factual source. Security through obscurity is a recognized infosecurity concept meaning that keeping system details secret should not substitute for genuine security hardening. However, the government's position here involves both obscurity (vendor secrecy) AND substantive security architecture (federated storage, hub-and-spoke model, no centralized data storage) [1].
Labor Comparison
Did Labor do something similar?
The facial recognition system was jointly approved by Coalition and Labor governments. At the October 2017 COAG meeting, all state and territory leaders (both Labor and Coalition-governed states) unanimously approved the proposal [2]. This was not a partisan initiative.
Specifically, Labor Premier Daniel Andrews of Victoria was one of the strongest advocates, telling COAG: "In my judgement, it would be unforgiveable to not make changes like that when the technology is available" [2].
Under Labor governments since 2022 (after this system was deployed during Coalition governance), the facial recognition system has continued to operate without major changes or legislative reversals, indicating acceptance of the basic framework.
Balanced Perspective
The government's position: The Department of Home Affairs argued that vendor non-disclosure was a legitimate security measure - similar to not publicly disclosing cybersecurity vulnerabilities in critical infrastructure. They presented this as protecting law enforcement operations, not as "security through obscurity" in the pejorative sense. The government implemented additional safeguards including parliamentary oversight, Information Commissioner consultation, and federated rather than centralized data storage [1].
Legitimate criticisms: Senator Jenny McAllister raised valid privacy concerns at the parliamentary hearing, specifically about the lack of public accuracy reporting. The claim that accuracy figures are not published is factually accurate [1]. There is a genuine tension between operational security (protecting system design from adversaries) and democratic transparency (allowing public scrutiny of system performance).
The "security through obscurity" framing: The term "security through obscurity" carries a negative connotation in cybersecurity, suggesting reliance on secrecy instead of genuine security measures. However, in this case, the system combined obscurity (vendor secrecy) with multiple security layers:
- Hub-and-spoke architecture (no centralized data storage) [1]
- Federated queries to existing agency databases [1]
- Probabilistic matching requiring human verification [1]
- Annual parliamentary reporting [3]
- Information Commissioner consultation [3]
This differs from pure security-through-obscurity approaches that lack substantive technical safeguards.
Accuracy reporting gap: The genuine issue here is that accuracy metrics were not disclosed publicly. The government's response that "there may be mechanisms for the government to ensure itself" is evasive. Public reporting of system accuracy would have enabled external scrutiny without compromising vendor identity. This remains a legitimate accountability gap.
Key context: This policy enjoyed bipartisan support from Labor and Coalition governments. The COAG unanimous approval indicates this was not a controversial partisan matter at the time, but rather a consensus view among law enforcement and security agencies across Australia that facial recognition capabilities could modernize identity verification while maintaining appropriate safeguards.
PARTIALLY TRUE
6.0
out of 10
The factual claims (exemption from procurement disclosure, lack of public accuracy figures) are accurate. However, the characterization as primarily a "corruption" or "security through obscurity" issue significantly misrepresents the policy context. The system was based on:
- Legitimate law enforcement modernization needs (automating 7+ day manual processes)
- Bipartisan support from Labor and Coalition governments
- Substantive security architecture beyond just "obscurity"
- Parliamentary oversight mechanisms
The valid criticism is the lack of public accuracy reporting, which represents an accountability gap. However, this is a transparency/oversight issue rather than evidence of corruption or reckless security practices.
Final Score
6.0
OUT OF 10
PARTIALLY TRUE
The factual claims (exemption from procurement disclosure, lack of public accuracy figures) are accurate. However, the characterization as primarily a "corruption" or "security through obscurity" issue significantly misrepresents the policy context. The system was based on:
- Legitimate law enforcement modernization needs (automating 7+ day manual processes)
- Bipartisan support from Labor and Coalition governments
- Substantive security architecture beyond just "obscurity"
- Parliamentary oversight mechanisms
The valid criticism is the lack of public accuracy reporting, which represents an accountability gap. However, this is a transparency/oversight issue rather than evidence of corruption or reckless security practices.
📚 SOURCES & CITATIONS (4)
-
1
Home Affairs exempt from disclosing Face Identification Service provider
The newly minted department has purchased a facial recognition algorithm, but it won't be disclosing from where after receiving immunity from Commonwealth procurement rules.
ZDNET -
2
Australian national security COAG says yes to facial biometric database
The group of Australian state and territory leaders has unanimously approved the prime minister's request for a country-wide database of citizens' driver's licence details.
ZDNET -
3
Legislation for Australian automated facial recognition enters Parliament
Proposed laws are touted to reduce identity crime, prevent terrorism, and keep people safe at this year's Gold Coast Commonwealth Games.
ZDNET -
4
Warranted access to face-matching system thrown out by Home Affairs
The Department of Home Affairs said built-in privacy safeguards are sufficient, and that the Commonwealth Bill is not intended to regulate access to the services by other agencies.
ZDNET
Rating Scale Methodology
1-3: FALSE
Factually incorrect or malicious fabrication.
4-6: PARTIAL
Some truth but context is missing or skewed.
7-9: MOSTLY TRUE
Minor technicalities or phrasing issues.
10: ACCURATE
Perfectly verified and contextually fair.
Methodology: Ratings are determined through cross-referencing official government records, independent fact-checking organizations, and primary source documents.