When the French government quietly announced, in the middle of a holiday weekend, the merging of two files to create a megadatabase holding the biometrics of almost 60 million French citizens, it was clearly hoping to avoid an outcry.
It failed.
Among those lining up to criticize the government’s move are its own minister of state for the Digital Sector and Innovation, and the National Digital Council, a body created by the government to provide independent recommendations on all matters relating to the effect of digital technologies on society and the economy.
Minister of State Axelle Lemaire told French journalists the megadatabase used 10-year-old technology and had real security problems.
For the Council, the creation of TES (from the French abbreviation for Secure Electronic Identity Documents) will result in abuses “as inevitable as they are unacceptable.”
TES is a dramatic expansion of an existing database used for the creation of biometric passports. The government plans to merge it with the (non-biometric) database of holders of the French national identity card
This cycle of clandestine database development followed by public outcry is nothing new: France has been here before. Several times.
In 1973 the French government began working in secret on SAFARI, a project to identify every citizen with a unique number that it could then use to link all the information it held about them in different databases. After newspaper Le Monde revealed SAFARI’s existence on March 21, 1974, the resulting furor led to the creation of the 1978 law on computing and freedom that limits the storage and processing of personal identifying information to this day. (In an early display of targeted marketing, Le Monde’s report on state surveillance appeared alongside ads for a camera zoom lens and a photocopier.)
French reaction to SAFARI was so visceral because of the use that had been made of an earlier national identity database, created by the Vichy régime during the Nazi occupation of France, to single out Jews and foreigners.
There was a fear that if France once again fell under such a regime, the existence of a ready-made national identity database could facilitate crimes against humanity, according to a history of the project written by the National Center for Scientific Research.
In 2008 the government tried again with a project called EDVIGE.
That too ran into trouble over a plan to record details of people’s sexuality, race and health in a database of criminals, potential criminals, and also past, present and potential elected officials — categories with the potential to include almost everyone.
The government was forced first to modify, then withdraw its plan for EDVIGE.
But now the idea has come around again — just as Paris is about to host a summit of the Open Government Partnership.
Most worrying for the National Digital Council is the government’s selection of a centralized architecture to store everyone’s biometric details.
One of its concerns is that this will present a rich target for cybercriminals and hostile state actors.
The U.S. has already seen the danger such systems present. In 2015 the U.S. Office of Personnel Management said hackers had accessed the details of 4.2 million government employees in its databases, and those of 21.5 million people who, as current, former or prospective government employees, had been subject to background investigations.
But the Council is also concerned about freedom.
“History has shown that the creation of such databases leads to function creep, whether the databases are operated legally or illegally, as until recently were those of the security services. To think that our country will be an exception is to ignore the lessons of history,” it said. “The rise of populism, in Europe and in the U.S., makes such bets on the future unreasonable.”
It called on the government to suspend the creation of the database until all the security implications have been studied.