By Gabriela Manuli

For more than a year and a half, the Mexican government has been collecting an unprecedented amount of biometric data from minors ages 4 to 17 as part of a youth ID card program. The Personal Identity Card for minors, a document authorities say is intended to help streamline registration in schools and health facilities, comes embedded with digital records of iris images, fingerprints, a photograph, and a signature for each minor.

Documents obtained by EFF under Mexico’s Transparency and Access to Information Act show that as of this past May, nearly 4 million minors had been enrolled into registries associated with the new ID. Public records also revealed that more than 1.2 million ID cards had been issued in the states of Baja California, Baja California South, Colima, Chiapas, Distrito Federal, Guanajuato, Jalisco, Sinaloa, and Morelos. Of those who were issued cards, 1,345 had to go through the registration process again because the quality of their biometric data was inadequate for identification.

The ID card project is part of the integration of Mexico’s National Population Register (RENAPO), which is intended to provide a unique identity system to conclusively prove identities of all Mexican citizens. Under the program, the Ministry of the Interior will issue Citizen Identity Cards and Personal Identity Cards containing biometric information, first to youth, and later extending to Mexico’s entire adult population.

Since July of 2009, when President Felipe Calderón officially announced the creation of RENAPO, numerous observers have sounded the alarm that the endeavor violates individuals' privacy rights. Despite serious concerns raised by a governmental accountability agency and a special commission tasked with studying the program, in January of 2011 Mexico nevertheless became the first country in the world to use iris scans as a component of ID cards.

Mexico’s Secretary of Government (SEGOB) claims that the use of iris recognition, along with other biometric data, serves to combat crime such as human trafficking and to streamline registration and enrollment procedures in schools and health care programs. In official statements, SEGOB claims that "it is a free, official document containing biometrics that make it impossible to forge.” Although Mexican authorities argue that the new document will be 99 percent reliable and “one of the safest in the world,” security researchers have shown otherwise, recently demonstrating security flaws even in ostensibly trustworthy iris scanners.

In April of 2010, The Federal Institute for Access to Public Information (IFAI), an autonomous organization established by Mexico’s freedom of information law to promote a new regime of government transparency, issued a 91-page report outlining the problems associated with such biometric IDs, putting forward several alternative recommendations. The IFAI concluded that requiring just one fingerprint would yield a 99 percent reliability rate, and that the collection of any additional biometric data is wholly unnecessary. The report was also critical of the fact that there are currently no legal protections regulating the use of iris images in Mexico.

IFAI ultimately recommended that Mexico remove some of the biometric data on the new ID cards by gradually reducing the amount of data required. The report argued that capturing the image of both irises, plus ten fingertips, was not proportional to the stated objective of the program. IFAI further concluded that any biometric ID system should be subjected to periodic third-party verifications of the collection, storage, and use of biometric data. Aside from these concerns, IFAI cited huge costs of the project, a lack of transparency in the bidding process, and the risks the program poses to the right to privacy.

Another important voice of dissent also emerged in April 2010, when a special Commission of the Parliament was created to review the development of the ID card. One of the commission’s first measures, which was later ignored by the government, was to call for temporarily halting the implementation of the ID to encourage further research and to include the perspectives of more stakeholders in the process. Significantly, the commission noted that there were no “necessary measures related to data protection [or] transparency ... This means that until we have all the elements in place, it is terrible that the project continues.”

The Commission also seized upon the risk of duplication, as the original idea behind the program was to use this ID to gradually replace the current electoral card, which is presented for voting.

Vanessa Lara Carmona, a professor from the Autonomous University of Mexico (UAEM) who conducted research in tandem with the Latin American Network of Surveillance, Technology and Society Studies, concluded that the ID card for minors would not solve the problem of human trafficking in Mexico—one of its officially stated purposes. Carmona also noted that criticism of a lack of security around the data was the reason why the national ID was not being initially implemented for the entire population, as originally intended.

Despite this serious criticism, the project is still going forward. According to SEGOB, the government’s goal is to issue almost 4.5 million IDs by the end of the year, continuing the collection of massive amounts of biometric data. The next step of the project, expected to unfold in 2013, is to extend the ID cards to adults.

Meanwhile, researchers and government accountability agencies aren’t the only ones raising concerns about Mexico’s biometric ID card policy. A group from a Mexico-based hacker collective that runs public workshops promoting the use of free software for technological autonomy and activism also weighed in to express concerns about what the ID cards mean for Mexico.

“At Hacklab Autonomo, we think that all people should have the choice of whether or not to participate in a database that describes them,” the collective members wrote in a statement sent to EFF. “We are against the growing tendency in our society to monitor, and the way in which this monitoring classifies and discriminates against others and ourselves. We believe that access to technology should be free and we want people to exercise their technological autonomy. When you start the collection of biometric data with the kids and casual laborers, the Mexican government is taking advantage of the defenseless and people in precarious situations as they strive to achieve their goals. … The question is not only what will the Mexican government do with this information, but also, who will they sell it to this time?”