India Opening Up World's Largest Biometric Database For Commercial Applications, Despite Inadequate Privacy Protection

from the India-Stack-attack dept

Fri, Mar 3rd 2017 3:13am — Glyn Moody

Techdirt has been following India's construction of the world's largest biometric database, called Aadhaar, since July 2015. Concerns include the fact that what was billed as a voluntary system has been morphing into a compulsory one, and evidence that Aadhaar simply can't cope with real-life biometrics. Undeterred, the Indian government wants to expand the system even further by opening it up for use by companies, as the Wall Street Journal reports:

The Indian government has gathered digital-identification records, including fingerprint impressions and eye scans, of nearly all of its 1.2 billion citizens. Now a government-backed initiative known as "India Stack" aims to standardize ways to exchange the data digitally to facilitate the transfer of signatures and official documents that citizens need to get jobs, make financial transactions or access government services.

By allowing developers to incorporate use of government identification records in their commercial websites and apps, the initiative envisions Indians -- with mobile phones in hand -- using iris and fingerprint scans to sign up for insurance, invest in mutual funds, receive health-care subsidies and verify their identity for school examinations.

In itself, there's nothing wrong with this approach. Indeed, it has many benefits, notably making it easier for people to deal with India's bureaucracy, and helping to fight corruption. But those advantages could be compromised if privacy is neglected. And here the Indian government is sending all the wrong signals:

Prime Minister Narendra Modi's government has delayed a new bill that would bring India's privacy laws more in line with those of major European nations. Meanwhile, the government has questioned a constitutional right to privacy in pleadings before the Indian Supreme Court.

Without adequate privacy protection, the system seems ripe for abuse, both by unscrupulous companies targeting hapless consumers, and by state organizations, which might use it as a powerful surveillance tool. If the Indian government wants to become a world leader in using biometric-based digital identity for its citizens, as the Wall Street Journal article suggests, it should make crafting effective privacy protection laws a priority.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: aadhaar, biometrics, india, privacy

6 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Yes, I know I'm commenting anonymously, 3 Mar 2017 @ 3:56am

Stopwatch ready
So, How long until biometric data of Indian citizens is useless for anything? (Because it is freely available online to criminals as well).
More importantly, How long will it take from that point for the Indian government realizes this?

Anyone want to place a bet?
/sarcasm
[ link to this | view in chronology ]
- JoeCool (profile), 3 Mar 2017 @ 7:35am
  
  Re: Stopwatch ready
  I'll bet $5 on right after the President (or whatever they call the position in India) has his/her bank account emptied because their fingerprint is now online. Nothing EVER gets done until someone rich or powerful is targeted, then half the time, they double down on the stupidity.
  [ link to this | view in chronology ]
Anonymous Coward, 3 Mar 2017 @ 4:38am

"By allowing developers to incorporate use of government identification records in their commercial websites and apps, the initiative envisions Indians -- with mobile phones in hand -- using iris and fingerprint scans to sign up for insurance, invest in mutual funds, receive health-care subsidies and verify their identity for school examinations. "

Meanwhile, back at the ranch, crooks cheer this easily hacked gold mine while they busily defraud everyone they possibly can.

What was that saying about eggs in a basket?
[ link to this | view in chronology ]
Ninja (profile), 3 Mar 2017 @ 5:44am

While I do agree their utility approach could be useful and make things easier for the citizens there are privacy and security concerns. I'm very wary of people being able to use biometrics to sign up for things that cost money or even could make a mess of the citizens lives. And I'm not talking about how they do their encryption homework or how they will limit abuses from govt employees accessing and selling the data. The worry is more mundane: once your biometrics are copied, you can't change them. I'm gonna echo what every single security expert says about the matter: biometrics should be the ID, not the key. And I'd go further by adding a 2nd step to validate the operation other than a password. Of course I'm also ignoring that many people won't be able to understand, much less do security right (weak passwords anyone?).
[ link to this | view in chronology ]
I Love Capitalism, 3 Mar 2017 @ 6:59am

Targeted advertising
Wouldn't you rather have more relevant advertising?
[ link to this | view in chronology ]
Shilling, 3 Mar 2017 @ 10:24am

Laws??
Instituting privacy laws will not protect your privacy in the long run because laws can be changed. The only way a government can protect privacy is to stop collecting this data period.
[ link to this | view in chronology ]