The bill on the Implementation of Biometrics in the electronic voting system in Paraguay which name is “Modifying Articles 98, 201 and 208 of Law 834/96”, presented on October 16, 2019, by Senators Fidel Zabala, Stephan Rasmusse, Patrick Kemper, Antonio Apuril, Georgia María Arrúa.
According to the motive of the bill, “ it is of vital importance to guarantee the identification of the voter and that another person does not use the identity card of a third party to vote in his name”. It is to add the implementation of a computer or electronic device of biometric readings, whether fingerprint, iris and/or facial recognition of citizens enabled to vote. The database of biometric data will be provided by the National Police through their identification departments, delivered to the Electoral Court of Justice through the Co-Directorate of the Electoral Registry of the identification department.
First of all, we as TEDIC we alert the Government and the National Congress about the risks of this draft bill that undermines the fundamental rights enshrined in the National Constitution such as: freedom of expression, anonymity, intimacy (privacy), and other constitutional norms such as the secret vote for the democratic exercise. As we did in previous publications, we reiterate the call for attention on the implementation of electronic voting and its implications for the democratic system.
Secondly, the Paraguayan State has the obligation to respect and protect the right to freedom of opinion and expression and privacy, in accordance with articles 19 and 17 of the International Covenant on Civil and Political Rights (ICCPR), ratified by Paraguay on June 10, 1992, as well as Articles 11 and 13 of the American Convention on Human Rights (“American Convention”), ratified on August 24, 1989. These rights are closely linked and “the right to privacy is understood as often as an essential requirement for the realization of the right to freedom of expression ”(A / HRC / 23/40).
Surveillance, social control and violation of our rights
What guarantees do we have so that the identity of the person authorized to vote is not correlated with the vote itself? How is the constitutional right to the secrecy of the vote guaranteed? Are safeguards planned to prevent manipulation and adulteration of copies of fingerprints and facial recognition that the TSJE intends to use? Just as the service of providing electronic voting machines is outsourced, will biometric reading devices from the private sector also be rented? Will they have access to the biometric database? How will the sale of biometric databases be avoided, as is the case with the identity card base? Will there be penalties in case of abuse by those responsible for the databases? What will they do if the biometric data is cloned? These are just some questions and concerns that arise from the analysis of this bill.
Although TEDIC recognizes that fraud prevention in national elections may be a legitimate objective of public order, we are concerned that the collection of identity information required by the bill is unnecessary and disproportionate under article 19 (3 ) and of article 13 (2) and articles 26 of Freedom of expression, 33 rights to privacy and 118 of the Suffrage enshrined in the National Constitution. The articles of the bill require that all persons disclose their biometric identity data, regardless of whether or not they have been suspected of misconduct and without any apparent guarantee. It is worrying that this indiscriminate collection of biometric identity data is not the “least intrusive means” necessary to prevent fraudulent activity. In other words, to justify the collection of biometric data, which are sensitive data, alternative forms that affect the rights of people to a lesser extent and can achieve the objectives pursued must be analyzed.
For his part, the former Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression (UN), Frank La Ruey, the High Commissioner for Human Rights (UN), Navi Pillay has expressed concern about violations of the right to privacy due to the lack of effective protection measures in the use of biometric technologies.
“The cases in which biometrics are not stored in an identity document, but in a centralized database, increases the risks to information security and leaves vulnerable individuals. As biometric information increases, error rates can increase significantly ”- Martin Scheinin – UN Special Rapporteur on the promotion and protection of human rights and fundamental freedoms in the fight against terrorism.
According to the international organization Privacy International: “Biometric data are automated methods that can accurately recognize an individual based on physical or behavioral characteristics. The technology used in biometrics includes the recognition of fingerprints, hands, facial, vein patterns, iris, voices and other exposures of the body including DNA and the sequence of the keystrokes, among others ”. That is, biometrics refers to the measurement of and distinctive physical, biological and behavioral characteristics used for the identity of people.
It should be noted that biometrics, in this case facial recognition or fingerprint for example, is not about the face or finger, but how that digital identity can be used to determine rights. It is an identity that cannot be changed, the fingerprints or faces are not reprinted when they have been cloned by third parties such as could be the case of the identity card.
Biometric identification methods can result in errors, and are likely to be deceived and can delay the electoral process. Among some of the cases, the cloning of fingerprints to mark the entry into Argentina Airlines in 2019, the capture of prints of the German defense minister through photographs of her without her consent in 2014. On the other hand international studies reviewed 11 different biometric identification systems in which they tested copies of fingerprints created in gelatin, and found that the 11 sensors accepted the gelatin fingerprints, with more than 60% positive acceptance of the system.
The absence of a comprehensive personal data protection law as a possible safeguard to avoid the collection and the unnecessary and disproportionate use of identity information also causes us a strong concern. Due to the fact that the bill does not meet the conditions of legality established in articles 19 (3) and 13 (2) and what is expressed in the National Constitution. The bill does not indicate how the data collected will be stored and if there will be restrictions on access, use and retention of such data by the government or third parties. Without these safeguards, the citizens authorized to vote will have complete ignorance about whether their personal data will be secured or protected.
The Paraguayan legislative proposal does not present a previous impact analysis to justify the implementation of this type of system. An impact evaluation is mandatory, according to the data processing standards. There is little legitimacy in the use of these types of systems: only 2 countries in the world use automated biometric data on the voting day and are: Venezuela and Brazil (the latter partially).
It is suggested that the bill be postponed to have a broad multi-stakeholder debate, or simply the rejection because it does not consider the concerns cited above and that it violates the constitutional precepts and rules of public international law.
A comprehensive personal data protection law is urgently needed. It is intended to be implemented without a legal framework that allows to ensure the treatment of biometric data adequately by the State and the private sector. In the event of abuses or leaks of biometric data, the State does not have a competent authority to ensure their protection.
The biometric data is a sensitive data, which requires better safeguard mechanisms that this bill does not contemplate. The challenges to guarantee the care of the data to possible discriminatory practices that could be made from the correlation of identification of the person authorized to vote and their vote, are not taken into account in the text of the project.
It is vigilance. Fingerprints can be another control mechanism that could aggravate surveillance and harassment practices to minorities and vulnerable groups. The deficiencies that the State has to protect the private information of citizens makes these registers even more problematic and with a high risk of being leaked.
There is no impact assessment for the use of the biometric data system: A previous impact analysis was not performed to assess the importance of implementing a biometric data collection system. Any interference by the State must be based on solid foundations, based on serious and independent data and diagnoses, in order to meet the conditions of necessity and proportionality required for the legitimacy of any measure that seeks to limit fundamental rights.
There are few countries in the world, including Venezuela and Brazil (partial) in America and countries in Africa, which use biometric data to register the person authorized to vote on the day of voting. It is noted that in the European Union it is not used.