Biometrics as an Identity: Privacy Risks and Digital Discrimination

“Biometric identification” is the process by which a person’s unique physical and other traits are recorded by an electronic device or system that uses algorithmic matching software to compare and verify personal identity. The basis of this method of identification is the presupposition that everyone is unique and that an individual can be identified by his/her intrinsic physical traits, which remain constant through time. Fingerprints, retina/iris scans, DNA and facial recognition are some of the most commonly used biometric identifiers in the world of forensic science.

In today’s world, an individual’s biometric information is no longer restricted to forensics, wherein it is used as evidence to identify perpetrators by the fingerprints or DNA left at the crime scene; it has also extended into an identity authentication technology that has become increasingly common in corporate and public security systems, consumer electronics such as smartphones, and digital economies. Identification through biometric attributes is becoming preferable to conventional passwords as it is more convenient than remembering numerous PIN-based passwords. There is also an argument to be made for biometrics being more secure, as the person to be identified has to be physically present at the time of identification.

This changing world of security and identity authentication provides a good platform to talk about how biometrics is being increasingly incorporated in digital economies and whether the use of biometrics is making transactions more secure or more vulnerable to cyber attacks. There are some inherent risks and privacy concerns in relation to biometric information being used as a method of identification by big corporations, and to the distribution of this personal information by government agencies to private corporations without the consent of the individual. It is therefore worth analysing whether the convenience of using biometrics is worth the privacy risks it poses.

Biometrics and Electronic Economies

Globally, companies such as Apple, Visa and Western Union have been incorporating biometric authentication for mobile-based payments (which form a big part of the digital economy) since 2014. Apple Inc. came out with Apple Pay, which lets users pay through their iPhones with just a touch of their fingers. It started including ‘Touch ID’ — a fingerprint recognition technology that authenticates users — on its devices so that consumers could unlock their device and make Apple Pay transactions with their fingerprints. Apple Pay uses near-field communication (NFC) technology, which is being adopted globally by retailers to allow secure wireless transactions. So, how does Apple Pay actually work? Biometric information from the Touch ID scan of the user’s finger is transferred and verified internally by the Apple device. Users are requested to input their VISA, MasterCard, or American Express credit-card details into their phone and, upon receipt of this detail, the bank network connects their account to a secure element within the iOS device via a transaction security key. The iPhone stores and accesses the user’s credentials through their fingerprint authentication. The biometric information of the consumer is securely stored in the iPhone device. Apple Pay currently allows users to pay for goods that they buy at brick and mortar stores through normal contactless transaction terminals and also through supported iOS Apps. All the users need to do to pay is hold their Apple device to the point of sale system and authenticate the payment via the Touch ID sensor’s detection of their fingerprint.

UIDAI Aadhaar card

Meanwhile, India is coming up with its own biometric enabled mobile-based payments system called BHIM-Aadhaar Pay. The Aadhaar scheme is already being termed as the most ambitious implementation of a national identification program linked to biometric data. As of March 2017, 1.12 billion residents in India already had an Aadhaar card, which translates to roughly 88.6 percent of the projected population. Aadhaar Pay goes a step further than Apple Pay in a way that customers won’t need any device to make payments at retail stores — just their fingerprints, provided that the customer’s bank account is linked to their Aadhaar card.

India’s Aadhaar Pay is being modelled after Brazil’s version of the Aadhaar scheme called The Brazilian Association of Digital Identification Technology Companies (ABRID). Brazil is spearheading the implementation of biometric enabled authentication for banking transactions, an initiative which is similar to the Aadhaar enabled Payments System in India. In Brazil, users can withdraw money from ATMs by using a fingerprint scanner, even without a plastic card.

Extension of India’s Biometric Database

Even as the Supreme Court of India discusses its stance on making Aadhaar a mandatory obligation for all Indian citizens, another Bill that was proposed to the parliament in 2015 sought to create a DNA database in India. Not only would the database collect profiles of criminals (some of whose crimes are minor offenses and not likely to utilize DNA as evidence), but also those of missing persons and their relatives, unidentified dead bodies, victims of crimes and the very ambiguously defined category – ‘volunteers’. While the current usage of the database has been registered for forensic investigations and identification of the missing/unidentified dead, the Bill does allow for the scope of use to be extended without informing the donors. Above all, much like the Aadhaar Act, there has been no provision made for withdrawal of voluntarily donated profiles.

Arguments in Favour of Biometric Identification

The Indian government is claiming that the introduction of biometrics and the linking of government welfare schemes with Aadhaar will promote a cashless and secure economy and help in preventing fraud in government welfare schemes. Also, by specifically incorporating biometric attendance with the Government’s flagship employment scheme — NREGA — it hopes to prevent leakage of funds due to fake attendance.

The recent move by the Modi Government to make Aadhaar mandatory for filing Income Tax Returns and to lower the cap on cash transactions to Rs. 2 lacs was fuelled by its desire to curb the circulation of black money in India. Unlike developed countries, India is still a cash-intensive economy, making it easier for individuals to hide their actual wealth and pay tax only on a small part of their incomes. Making digital transactions compulsory above Rs. 2 lacs, and linking an individual’s bank accounts and PAN card with the biometric identifier — Aadhaar — can be successful in catching tax evaders and money launderers.

The Aadhaar Enabled Payment System (AEPS) and Aadhaar Payment Bridge System (APBS), managed by the National Payments Corporation of India (NPCI), guarantee simultaneous online authentication of the transaction — user, device and operator — in real time. This makes it hard to escape the electronic audit trail and end-to-end visibility.

Although reports from the US Justice Department suggest that the DNA database has helped solve more crimes and aided in effective policing, statistics in the UK suggest that only 0.3% of the cases were solved because of the DNA database. A DNA database, if used strategically, can definitely be an additional tool for law enforcement that will not only improve prosecution rates but also improve case clearance rates, prevent backlogs and act as a deterrent for crime reduction. A database can be crucial in linking crimes that occur in different geographic regions or are of a different nature, and makes it possible to identify serial offenders. Moreover, it may be just the tool needed to resolve a lot of the cold cases that are pending prosecution.

Is our data secure?

Cyber-security experts, since the inception of the Aadhaar scheme, have been constantly warning about the inherent privacy risks involved with the adoption of biometrics in India. With the worldwide implementation and incorporation of biometrics in digital economies, it is also necessary to delve into the privacy issues and risks involved with biometric authentication.

There have already been reports of a number of privacy breaches affecting Aadhaar Card holders, whose personal information, such as home address and bank account details, has been recklessly published online. Recently the digital identities of more than a million citizens were compromised by a programming error on a website maintained by the Jharkhand Directorate of Social Security. The glitch revealed the names, addresses, Aadhaar numbers and bank account details of the beneficiaries of Jharkhand’s old age pension scheme. This happened even though publishing Aadhaar numbers publicly is in contravention of Section 29 (4) of the Aadhaar Act.
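A pre-publication check can catch the kind of accidental exposure seen in the Jharkhand leak. The following is an added example, not part of the original article or any UIDAI code: it redacts Aadhaar-format numbers from text before it goes onto a public page, using the checksum to avoid masking unrelated 12-digit values. It relies on the Aadhaar number being 12 digits, never starting with 0 or 1, with a Verhoeff check digit in the last position; the sample records and all function names are constructed for illustration.

```python
import re

# Standard Verhoeff tables: dihedral-group multiplication, position permutation, inverse.
_D = [
    [0, 1, 2, 3, 4, 5, 6, 7, 8, 9], [1, 2, 3, 4, 0, 6, 7, 8, 9, 5],
    [2, 3, 4, 0, 1, 7, 8, 9, 5, 6], [3, 4, 0, 1, 2, 8, 9, 5, 6, 7],
    [4, 0, 1, 2, 3, 9, 5, 6, 7, 8], [5, 9, 8, 7, 6, 0, 4, 3, 2, 1],
    [6, 5, 9, 8, 7, 1, 0, 4, 3, 2], [7, 6, 5, 9, 8, 2, 1, 0, 4, 3],
    [8, 7, 6, 5, 9, 3, 2, 1, 0, 4], [9, 8, 7, 6, 5, 4, 3, 2, 1, 0],
]
_P = [
    [0, 1, 2, 3, 4, 5, 6, 7, 8, 9], [1, 5, 7, 6, 2, 8, 3, 0, 9, 4],
    [5, 8, 0, 3, 7, 9, 6, 1, 4, 2], [8, 9, 1, 6, 0, 4, 3, 5, 2, 7],
    [9, 4, 5, 3, 1, 2, 6, 8, 7, 0], [4, 2, 8, 6, 5, 7, 3, 9, 0, 1],
    [2, 7, 9, 3, 8, 0, 6, 4, 1, 5], [7, 0, 4, 6, 9, 1, 3, 2, 5, 8],
]
_INV = [0, 4, 3, 2, 1, 5, 6, 7, 8, 9]


def verhoeff_check_digit(payload: str) -> int:
    """Return the Verhoeff check digit to append to a string of digits."""
    c = 0
    for i, ch in enumerate(reversed(payload)):
        c = _D[c][_P[(i + 1) % 8][int(ch)]]
    return _INV[c]


def verhoeff_valid(number: str) -> bool:
    """True if the last digit is a correct Verhoeff check digit for the rest."""
    c = 0
    for i, ch in enumerate(reversed(number)):
        c = _D[c][_P[i % 8][int(ch)]]
    return c == 0


# 12 digits, optionally grouped 4-4-4 with spaces or hyphens, first digit 2-9,
# and not embedded in a longer run of digits.
_CANDIDATE = re.compile(r"(?<!\d)([2-9]\d{3})[ -]?(\d{4})[ -]?(\d{4})(?!\d)")


def redact_aadhaar(text: str):
    """Mask the first eight digits of every checksum-valid candidate.

    Returns (redacted_text, number_of_redactions). Candidates that fail the
    checksum (account numbers, references) are left untouched.
    """
    hits = 0

    def _mask(match):
        nonlocal hits
        if not verhoeff_valid("".join(match.groups())):
            return match.group(0)
        hits += 1
        return "XXXX XXXX " + match.group(3)

    return _CANDIDATE.sub(_mask, text), hits


# Constructed sample data: the ID is generated here, not a real person's number.
_PAYLOAD = "23456789012"
_CD = verhoeff_check_digit(_PAYLOAD)
VALID_ID = _PAYLOAD + str(_CD)
INVALID_ID = _PAYLOAD + str((_CD + 1) % 10)  # same shape, wrong check digit
SAMPLE_PAGE = (
    f"Beneficiary: A. Example | ID: {VALID_ID[:4]} {VALID_ID[4:8]} {VALID_ID[8:]}"
    " | Acct: 000111222333\n"
    f"Beneficiary: B. Example | Ref: {INVALID_ID} | Acct: 000444555666\n"
)

if __name__ == "__main__":
    cleaned, count = redact_aadhaar(SAMPLE_PAGE)
    print(cleaned)
    print("redactions:", count)
```

A check like this belongs in the publishing pipeline as a blocking step, so that a page with a non-zero redaction count is held for review rather than silently cleaned.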

India is a country where people are just beginning to understand the importance of privacy in this digital age. Politicians and bureaucrats involved in the framing and execution of various policies related to the Aadhaar scheme do not themselves understand the overarching privacy concerns if personal information is leaked online or hacked. This can be evidenced from the fact that in Jharkhand, where the recent breach happened, “officials were surprisingly sanguine about the breach, suggesting that they had been aware of the situation for several days.”

Presently, different states in India have outsourced biometric data collection to different data collection companies throughout India, and these companies don’t have a standardised data collection system. This means that a central repository of all states’ data couldn’t be achieved due to lackadaisical planning, and even if all this data could be merged into a central repository, citizens’ biometric and private data would be at risk as private companies would share extremely confidential and sensitive information with each other. Any information stored in electronic form is susceptible to breach, since with considerable skill and patience, it can be hacked and the information may be leaked. This leaking of information is problematic since it violates the very basic principle of privacy that almost all democratic constitutions across the world recognize as a fundamental right.

In order to avoid the potential breach and leaking of information that is stored electronically, there are various sorts of encryption that servers use to protect the information. The most secure form of encryption commonly used today is AES 256 bit encryption. However, an analysis of the current IT infrastructure in India reveals that most governmental agencies do not employ even AES 128 bit encryption, which is the most basic form of encryption one can use. Although UIDAI itself employs a high 2048 bit encryption, it has not made it mandatory for companies which interact with the UIDAI servers on a daily basis to also upgrade their encryption levels, meaning that locally stored biometric information could be easily hacked. Not only that, one of the key points that was discussed by experts at the Securing Cyber Space convention held in Delhi on 14-15 July 2017 is the lack of indigenous infrastructure to support data storage and security within the country. It is feared that the cost of hosting router-servers from outside India, mostly in the US, comes with an unclarified political cost of cyber space subordination.

Essentially, the poor cyber security and outdated encryption of these government servers, combined with the large bundles of sensitive biometric and personal information they hold, not only makes them the most likely targets of cyber attacks, but also leaves the citizens (who are the major stakeholders) without any recourse.

One such noteworthy instance is when Scroll.in, a well known digital daily, filed an RTI requesting information regarding the security measures employed by the UIDAI for the purposes of storing sensitive biometric information, and their proficiency in case of a cyber attack. This RTI was met with a response that the system followed by the UIDAI to keep the data secure cannot be shared under Section 8(1)(a) of the RTI Act and Clause 7 of the Aadhaar data security regulations, which is essentially the argument of ‘National Security’. Filing an RTI for information regarding the number of breaches of the UIDAI’s repository was met with a similar response.

This insecurity may also extend to other databases included within or without the UIDAI repository. The Aadhaar Bill is worded in such a way that there is a possibility that DNA may also be added to the list of biological attributes that are collected for identification purposes. Even if that does not happen, the DNA Profiling Bill proposes that similar personal details, including caste demographic details, be linked to your DNA profile as well. Unlike fingerprints and iris/retina details, DNA is the biological basis of our identity and carries more information than just being linked to the name we go by. DNA can give other information such as hereditary diseases, phenotypic propensities and familial links – all sensitive information that poses significantly different ethical and social concerns. In a world where data is power and in a country where data security has repeatedly failed, the attempt to collect such a vast amount of personal data in the absence of proper legislation leaves the citizens vulnerable not only to privacy violations, but also to discrimination and harassment.

The only database currently existing in India is the fingerprint database AFIS, which has been outsourced to different companies such as TCS, Deloitte etc. in different states for structure and maintenance. Some states such as Bihar and Andaman & Nicobar Islands are yet to build a functional fingerprint recording system, whereas some states like Bhopal are in want of software updates and maintenance. A smooth and fast link between regional, state and central databases is yet to be established and made accessible to all police centres across India. In the face of such shortcomings in one criminal database, it is disconcerting that the government proposes to establish another one without first ensuring the proper infrastructure to build, maintain and disseminate databases.

Misuse of big data

Government agencies have already started misusing the UIDAI database, which is strictly listed to be used for ‘civilian and non-forensic purposes’ and higher courts have supported such directives. One such instance that has already set precedent was when the Goa court, in 2014, requested the UIDAI to cooperate with an ongoing rape investigation of the CBI by divulging all biometric information recorded by the state. It is easy to see how the government can be tempted to use such large amounts of relevant data that has been collected, but once these floodgates open, it means that lakhs of innocent citizens will be put under the scanner repeatedly without their knowledge.

Presently, private companies like banks, insurance companies, start-ups, can request UIDAI for an individual’s biometric information and if the UIDAI thinks the corporations are working in the field of public welfare, it can provide them with the information. This essentially means that corporations could get away with acquiring information from the government and in case of any violations of Section 8(2) of the Act, an individual shall not have the right to be informed that his private information is being given by the government to private agencies without the individual’s consent and even if he/she gets to know about this, he/she cannot initiate action in a Court of Law.

Privacy risk and lack of recourse

From a legal standpoint, it is also necessary to look at Section 47(1) of the Aadhaar Act which bars Courts from taking cognizance of any violations of these provisions. According to the provisions of the Act, a private individual can’t approach the Court of Law if his ‘private information’ has been breached by either the Government or private corporations without the individual’s consent. The sole authority to raise any complaints with regard to an individual’s privacy breach is with the UIDAI.

The same provision is made in the Human Profiling DNA Bill, where the sole authority to present cases of abuse of the database rests with the overseeing DNA Profiling Board. In cases where the suspect has not been prosecuted, s/he is liable to have their DNA profile, if taken, removed from the criminal database. The Bill is vague about the authority that ensures that this happens, nor does it guarantee the donor access to his/her profile information.

In both the Aadhaar Act and the Human DNA Profiling Bill, there is no provision yet for withdrawing records that were voluntarily donated. This creates a strong conflict of interest, almost pointing suspiciously to the government’s intent in collecting such data. However, in light of the ongoing discussion before the nine-judge bench in the Supreme Court, we might soon have more clarification on the issues of citizens’ privacy, and possibly legislation to that effect, which might regulate and/or change these provisions.

Is biometrics really error-proof?

Recently, students at the Institute of Chemical Technology in Mumbai were able to beat their college’s biometric attendance system. They used small layers of a widely-used resin adhesive and pressed their thumbs against them, embossing them with their fingerprints. These films were then used by their friends to mark attendance for them in their absence. This raises the question: if a biometric machine can be fooled so easily with just commercially available resin adhesive, how safe is it really to authenticate our digital transactions with the use of biometrics?

With the pace at which DNA technology has advanced in the last 30 years, it is only a matter of time before synthesizing complete DNA profiles from digital information becomes a reality. As it is, we have already found techniques to synthesize genes artificially in vitro and amplify them to desired quantities using Polymerase Chain Reaction.

The debate between privacy & security

The United States, although one of the most developed nations in the world, has undertaken several surveillance programs that enable the government to monitor the activities of its citizens. These surveillance programmes have been the topic of several debates, from the perspective of violation of privacy of citizens, since surveillance does not only entail a question of national security, but also poses pertinent questions regarding the extent to which governments may curb privacy of its citizens. In a developing nation like India, these questions are more pertinent than ever before, where citizens who may not even understand the implications of submitting their biometric data to the government, are being made to do so to avail various benefit schemes of the government.

The implications of this poor data security are more severe than the citizens who have volunteered this information to the government realize. If the government’s servers were to be subjected to a cyber attack, then all biometric and personal information of the citizens of India would be susceptible to misuse. This becomes even more problematic with the Government increasingly making the people’s bank transactions and other government approvals subject to Aadhaar card enrollment.

As security around the world gets increasingly digital, it creates huge caches of data that can be used to affect personal and political agendas. As the likes of Snowden and Barr have revealed already, the NSA has been guilty of using this data to surveil their citizens, from telecommunications to physical whereabouts. This makes people apprehensive about handing over their intimate biological data to the government, for fear of it being used against them to fulfil political agendas when regimes change. Such large data could also be used for demographic studies for mapping criminality, which might lead to inappropriate discrimination against members of certain races and castes. Therefore the linking of biometric profiles to personal details should be monitored carefully so as to not disadvantage the donor on any account.

The importance of analysing the risks posed by digital economies in today’s increasingly technologically dependent world, provides an avenue to critique the quality of government and also enables the citizens to hold the government accountable when they take private and personal information for purposes of maintaining ‘national security’. If our biometric information is susceptible to cyber attacks, then there’s always potential misuse by terrorists who would then use this information to create fake IDs and sell them on the ‘Dark Web’. This has far-reaching consequences as illegal immigrants would then be able to take on someone else’s identity and circumvent border laws. Not only that, there is also no defined legislation on the extent to which such information will be shared with foreign offices. This might pose a risk to the safety of political refugees and operatives functioning outside the country.

A larger question that arises upon analysing these security laws is, whether governments making such biometric data submission mandatory to avail such schemes, is violative of any principle embodied in the Constitution. This has also been challenged in the Supreme Court. Advocate Shyam Divan recently argued in the Supreme Court against making Aadhaar mandatory for all government welfare schemes citing the overreach of the state into owning sensitive individual biometrics and the chances of misuse. His main argument was that the State has no competence to nationalise anyone’s biometric data and that the concept of eminent domain is confined to the land and not to the body of the individual. The State can at best act as a trustee or a fiduciary over the personal biometric information of an individual.

India doesn’t have any data privacy laws at present and if a person’s biometric information is hacked, there is practically no recourse available in law. Nandan Nilekani, hailed as the architect of Aadhaar scheme, is also of the view that India desperately needs strong data protection and privacy laws. In his words, “Digitization in India has certainly created an urgency to put in place an advanced data protection, security and privacy law, and for creating enough digital literacy, so that the people of the country are aware of what digitization means”. He also argued that measures to make private entities accountable for data breaches need to be strengthened. According to him, the government could mandate data security methods and processes such as the use of encryption or use of digital certificates, but that hasn’t been done yet.

Having said this, strategic and transparent use of biometric information within stringent data protection laws has the potential to overcome many challenges in today’s digital economies and help in fighting crimes, closing cases and proper delivery of government welfare schemes. However, biometric authentication is not yet a fully mature technology, nor is it a remedy for all problems related to securing payment transactions. Understanding its potential, how it works, when to use it — and when not to — is the current challenge for IT professionals in the digital world.

 

Written by Anshul Bajaj (JGLS’14) and Poulomi Bhadra

Edited by Poulomi Bhadra

 
