Saturday, 20 June 2026 Secure tips Subscribe Sign in
Meridian.

Independent world journalism

Technology

Technology

Your city bought face-recognition it was told didn't exist

Procurement records reveal surveillance tools deployed without a public vote.

Technology · Meridian

The cameras on Lindenmarkt have been there for years, mounted on grey poles above the tram stop, indistinguishable from the dozens of other municipal lenses that watch the square. What changed last spring was not the hardware but a software licence — line item 4471-B in a maintenance invoice — that gave those cameras the ability to measure the geometry of a passing face and match it against a watchlist in under two seconds. No notice was posted. No committee voted. For most of the year, the only public record that the capacity existed at all was a single annexe to a contract that almost nobody had read.

Meridian has reviewed that contract, three subsequent purchase orders, and an internal procurement file obtained through a records request. Together they describe a working face-recognition system bought, installed and switched on by the city's transport and security directorate — even as senior officials told residents, and at least one council subcommittee, that no such system was in use and that deploying one would require a public vote the city had never held.

The line item nobody voted on

The paper trail begins with a framework agreement signed in 2023 to "modernise and maintain" the municipal camera network. On its face it is unremarkable: a four-year deal for cabling, storage upgrades and "video analytics modules." But Annexe 4, headed Optional Capability Packages, lists among the priced extras a module described only as "biometric template extraction and 1:N matching." The phrasing is bland enough to pass a casual reader. It is also the technical definition of face recognition.

Document

Purchase order PO-2024-1190, dated 14 May 2024, authorises activation of the "1:N matching package" across 38 fixed cameras for a one-off fee of €214,000 plus an annual licence of €61,500. The approving signature is that of a directorate official, not an elected member. The box marked "Council resolution reference" is blank.

Under the city's own procurement rules, capabilities that "process special categories of personal data on a population scale" are supposed to clear a council vote and a published impact assessment before going live. Biometric data is, by statute, a special category. Yet the activation was processed as a routine variation to an existing maintenance contract — the bureaucratic equivalent of upgrading the office printer.

What officials said

The gap between the records and the public account is the heart of this story. In a written reply to a councillor's question in September 2024, the directorate stated that the camera network "does not perform automated facial recognition" and that any such deployment "would be subject to a full council decision and prior consultation." A near-identical line appears in a briefing to the city's data-protection oversight group two months later.

By the dates of both statements, PO-2024-1190 had already been signed and the matching package was, according to the system's own configuration logs, running on at least a dozen cameras.

The capability was not hidden in the technical sense. It was hidden in the democratic one.

When Meridian put the discrepancy to the directorate, a spokesperson said the matching function had been activated "in a limited evaluation mode" and characterised it as a "technical pilot" that did not, in the department's view, meet the threshold for a council vote. The spokesperson did not dispute that the system extracted biometric templates from members of the public, nor that those templates were checked against a list.

If you build a watchlist and you run faces against it on a public square, that is a deployment, not an experiment. The label on the invoice does not change what the cameras are doing to people walking past.Dr Hanne Brauer, public-law scholar, Institute for Civic Technology

The numbers in the logs

The configuration and billing records allow a partial reconstruction of how far the system went. They do not name a single individual, and Meridian has redacted device identifiers, but the scale is visible in the procurement figures alone.

Procurement and deployment figures for the municipal matching system, 2024.
ItemDetail
Cameras with matching enabled38 fixed units (of 211 networked)
Activation fee€214,000 one-off
Annual licence€61,500
Watchlist entries (peak)2,340
Council votes held0
Published impact assessmentNone located

Three findings stand out from the file:

  • The watchlist was populated from at least two sources — an internal "persons of interest" register and a separate list shared by the transport police — without any record of a legal basis for combining them.
  • Retention of unmatched biometric templates was set, by default, to 30 days; the contract's own privacy schedule had specified immediate deletion.
  • An audit-logging feature that would have recorded each match was licensed but left switched off, meaning the city cannot now say how many people were checked.

How the threshold was sidestepped

What the documents describe is less a conspiracy than a procedural sleight of hand made possible by vague categories. Because the capability was sold as a "module" within an already-approved framework, no fresh approval was triggered in the finance system. Because it was internally branded a "pilot," officials told themselves — and then others — that the consultation requirement had not yet kicked in. Each step was individually defensible. The sum was a population-scale biometric system operating outside the one process designed to authorise it.

This is the pattern that should worry residents of any city, not only this one. Surveillance capability increasingly arrives not as a dramatic new programme to be debated, but as a checkbox in a maintenance renewal — a feature that can be turned on with a signature and turned off, if challenged, before anyone has to defend it on the record. The vote that officials invoked as a safeguard becomes a thing that is always about to happen, and therefore never does.

What is still open

The directorate says the matching package has now been "paused" pending a review, and the city's data-protection oversight group has opened an inquiry into whether the activation breached its own rules. Neither step answers the questions the records raise: who authorised the watchlists, why the deletion schedule was overridden, and how many residents were scanned during the months the system ran. With audit logging disabled, some of those answers may no longer exist to be found. What the procurement file establishes is narrower but harder to wave away — that a tool the public was assured did not exist had a price, a purchase order and a switch, and that the switch was flipped before anyone was asked.

How we sourced this 6 sources logged

Corrections. Spotted an error? Tell us. Meridian is reader-funded and carries no advertising; no staff member holds a financial interest in any entity named here. Read our editorial standards.

Lena Völker

Technology Correspondent

Lena Völker covers technology and the state for Meridian's Capital desk, reporting on surveillance, procurement and the public-records trail behind civic technology.