The Kremlin’s Quest for Biometric Data

Photo: Biometric security, non-contact hand scan. Credit: Worklife Siemens/Flikr
Photo: Biometric security, non-contact hand scan. Credit: Worklife Siemens/Flikr

Russia’s government has directly intervened to seize control of biometric data belonging to Russian citizens, and is refusing to detail how it will be used by security agencies.

Russian authorities have assigned “state system” status to the country’s uniform biometric database (UBS). The system aims to confirm identity in online banking and primarily consisted of bank clients’ facial images and voice samples. The new status (established on December 30) might appear to be a formality — in fact, it shows that the government is seizing ever-more control over biometric data of everyone resident in Russia. This carries serious risks for their rights.

For years, the Russian government has been exploring the potential of biometrics for surveillance and monitoring. Since at least 2017, the authorities have been using cameras with facial recognition technology in public places to identify and prosecute peaceful protesters — a practice that is only increasing. And during the pandemic, facial recognition technology was used to track and fine those violating the self-isolation rules.

Now that the country’s primary biometric database is fully under government control, the authorities can seek to corral people into handing over their data, expand the types and uses of such data, as well as filter out and take over commercial databases.

In recent years, civil society groups have expressed concerns about privacy, data security, and technical flaws associated with the government’s use of facial recognition. The authorities have largely ignored these concerns and expanded the use of this technology as part of a broader push to integrate artificial intelligence into essential public services, and under the pretext of protecting public security.

The government, however, needed a larger database for biometrics to become an effective tool for surveillance and monitoring.

In 2018, the authorities created the UBS, a central database of biometric data, supervised by the Digital Development Ministry together with the Central Bank, and operated by the state-owned Rostelecom, Russia’s largest digital services provider. Any authorized bank can access the information in the UBS to identify clients or authenticate their identity. The authorities required banks to “donate” facial images and voice samples of clients who consented to the UBS.

The government contended that having a single, unified database would make banking more convenient, and eliminate the costs of each bank maintaining its own, separate biometric database. Meanwhile, Russia’s opaque legislation on surveillance and public security granted authorities, such as the Interior Ministry and the Federal Security Service, access to this database.

Since then, the authorities have made numerous attempts to accelerate entries in the uniform biometrics database. Banks were authorized to collect and share with UBS the biometric data of people seeking access to remote financial services, even if they were not the bank’s clients. They tried, unsuccessfully, to persuade banks to develop the UBS together with Rostelecom by officially forming a joint venture.

Russians were skeptical that the UBS could ensure the security of their biometric data. Banks appeared reluctant to spend money collecting something unpopular with clients and, reportedly, were concerned that this would lead to sharing their customers’ data with competitors.

In 2020, the government authorized certain bodies—including government service centers, which people in Russia use for everything ranging from property registration to passport applications—to upload to the UBS biometric data of anyone willing to provide it.

The authorities also expanded the list of services available remotely for those submitting their biometrics, including notary and insurance services, and experimented with other features, such as remote university exams.

Yet by the end of 2021, the UBS had only 216,000 entries. It is now hard to see how the government will meet its target of collecting facial images and voice samples from 70 million people (about half the population) by 2024.

Governmental concern over the project is clear. In November, President Vladimir Putin said that only the state should have full “responsibility for biometric data collection” to ensure its security, and that it should also regulate access by third parties.

Only a month later, parliament adopted amendments to the Law on Information that did just that. UBS was declared a “state system,” giving the government full control, including regulating access to it, while Rostelecom remains its operator. The Digital Development Ministry is working to transfer commercial biometric databases to the UBS.

Other amendments set to take force in March will require any organization that gathers biometric data for identification and authentication purposes to be accredited by the government.

While state accreditation could establish oversight over the private use of sensitive data, some of the accreditation requirements exclude foreign companies and companies with stocks in foreign ownership. This effectively bars accreditation for some of Russia’s major IT companies.

To pressure people to hand over their biometric data this year, the authorities are planning to integrate the UBS with gosuslugi.ru, the online portal used by 90 million Russians for remote access to government services, like paying for speeding tickets or scheduling an appointment with a doctor at a state hospital.

The authorities also want gosuslugi.ru users to submit biometric data via an app installed on a user’s device, despite privacy and data security experts’ concerns that this would drastically raise the risks of data breaches. Previously, biometric data could be submitted only in person.

After digital rights experts expressed concern over potential discrimination against gosuslugi.ru users refusing to submit data, digital development minister, Maxut Shadayev, gave assurances that no inequities would result. “Students will need to submit biometric data to sit exams remotely, “he said. “However, users will always be able to do it in person.”

It is unclear how exactly the authorities will ensure meaningful offline alternatives to services provided online — whether exams or other governmental services — that will not in practice compel people to choose the remote option, and therefore to hand over their biometric data.

It is even harder to see how the centralized, mass storage of sensitive biometric data guarantees its “security,” as the authorities claim. The lack of transparency and independent oversight around storage, access to, and security of biometric data in Russia are longstanding concerns. There is also no transparency around the circumstances under which, for example, the Interior Ministry or Federal Security Service can access the data.

Biometric data is sensitive, and breaches can cause permanent damage. There have already been recurring reports about leaks of data gathered by the state using facial recognition technology.

Russian authorities are using the premise of convenience and dubious claims of security to pressure people to hand over their data. Creating a centralized, government-controlled database comprising the biometric data of millions of people in Russia is highly unlikely to pass any reasonable test of its necessity in a democratic society, or a justified interference with privacy and related human rights.

In fact, the centralization and monopolization of biometric data is a logical step in authorities’ march toward a police state. For people living in Russia, it signifies a “convenient” and “secure” transition into the Orwellian era.

Anastasiia Kruope is an assistant Europe and Central Asia researcher at Human Rights Watch.

 


Photo: Biometric security, non-contact hand scan. Credit: Worklife Siemens/Flikr

February 3, 2022