Mozilla's Open Letter To Expert Committee Drafting India's First Data Protection Law Slams Aadhaar Biometric Identity System
from the the-lizard-wrangler-speaks dept
Techdirt has been covering India's monster biometric database, Aadhaar, since 2015. Media in India, naturally, have been on the story longer, and continue to provide detailed coverage of its roll-out and application. But wider knowledge of the trailblazing identity project remains limited. One international organization that has been working to raise awareness is Mozilla, home of the Firefox browser and Thunderbird email client.
Last May, an opinion piece entitled "Aadhaar isn't progress -- it's dystopian and dangerous", by Mozilla Executive Chairwoman and Lizard Wrangler Mitchell Baker and Mozilla community member Ankit Gadgil, appeared in India's Business Standard newspaper. In July 2017, Mozilla released a statement on the Indian Supreme Court hearings on Aadhaar. A blog post in November pointed out that the Aadhaar system is increasingly being used by private companies for their services, something Techdirt covered earlier. Similarly, after it was revealed that anybody's Aadhaar details could be bought for around $8 each, Mozilla issued a statement saying "this latest, egregious breach should be a giant red flag to all companies as well as to the UIDAI [Unique Identification Authority of India] and the [Indian] Government."
Following the creation of a committee to draft India’s first comprehensive data protection law, Mozilla has now paid for an open letter to appear in The Hindustan Times. It was written by Baker, and co-signed by 1,447 Mozilla India community members. Although the letter welcomes the work being carried out by the committee of experts, it criticizes Aadhaar for its many failings, and points out some serious omissions in the committee's report on data protection:
The current proposal exempts biometric info from the definition of sensitive personal information that must be especially protected. This is backwards, biometric info is some of the most personal info, and can’t be "reset" like a password.
The design of Aadhaar fails to provide meaningful consent to users. This is seen, for example, by the ever increasing number of public and private services that are linked to Aadhaar without users being given a meaningful choice in the matter. This can and should be remedied by stronger consent, data minimization, collection limitation, and purpose limitation obligations.
Instead of crafting narrow exemptions for the legitimate needs of law enforcement, you propose to exempt entire agencies from accountability and legal restrictions on how user data may be accessed and processed.
Your report also casts doubt on whether individuals should be allowed a right to object over how their data is processed; this is a core pillar of data protection, without a right to object, consent is not meaningful and individual liberty is curtailed.
On a Web page called "Key challenges and the way forward", Mozilla calls on the Indian government to "pause further roll out of Aadhaar until the major problems with Aadhaar have been addressed." It also has a further suggestion:
The Indian government must release Aadhaar as true open source software rather than use language of open source, and encourage the use, development, and adoption of open source as a pillar of the Aadhaar system
Of course, you might expect an open source foundation like Mozilla to say that, but nonetheless it's good to see what is at heart a software organization engaging with global problems that affect huge numbers of people in this way. Others should do the same.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: aadhaar, biometrics, database, india, privcy
Companies: mozilla
Reader Comments
Subscribe: RSS
View by: Time | Thread
Mozilla doesn't have much room to talk though: it's again getting 325 million a year from GOOGLE, after at least 3 prior years of 300 million per year. For that, Mozilla puts exceptions for GOOGLE in -- and who knows if visible are the only ones?
You know how necessary the SQL database is in Firefox? -- NONE! I've deleted the 10 meg file entirely, and it rebuilds when started again. That SQL file is entirely for SPYING, it doesn't help users at all.
So, phooey on Mozilla: it's just the usual tactic of finding some other horror to direct attention away from own evils.
[ link to this | view in thread ]
Biometrics
They might lead a legitimate, appropriately conducted, law enforcement investigation to look at me closer, but they are not, in and of themselves, indicators of criminality. There are too many ways for them to be faked to be indicators of actual guilt. Watch the many TV cop shows for various examples. I could have a stone cold unbreakable alibi verified by 50 other people. What do they do with their biometrics then?
Then there is the whole non law enforcement use, which should be illegal from the get go. Why should any non government agency have access to such information? Why (other than nefarious reasons) would they need to? It is my personal information. Mine! And unless someone gives me a compelling reason to give it to someone other than the government (and their compelling reasons have some extremely serous dubious intentions) then they should not have access to it, at any price. And if they do, then the decision to share it further is up to me, not them. Even if I derive some benefit from the sharing of information. Passing it along should be opt in, and not a blanket opt in, but a case by case opt in, with full disclosure as to who and why it is being shared as well as how it will be used.
My information is my information whether it is a part of doing business with another entity or not. It is still, my information. States should not share drivers license databases (photos in the case of biometrics), ISP's should not share IP addresses (potential location information, which does not mean a person, just a user, and the location might be which end point I choose for my VPN today), and phone carriers should not share location information (which might be someone to whom I lent my phone, but not me (which would be a great trick as I don't have a phone)) without a warrant. Under any circumstances. And, those warrants should be hard to come by, that is, no rubber stamping and the judge in question committing some interrogatory that verifies the probable cause in front of a clerk that takes down and records for posterity (no seals) everything said.
Now I realize this article is about India, and that their laws are not the same as US laws, but the underlying principles should not be different.
The big problem is getting the governments of the world to understand that they are not in control, and that at some point they will find out so. One way or another. Do they need to control criminal activity? Yes. Do they need these things to do so? No. Are there other ways to convict criminals and OMG 'terrorists'? Yes. They used to do so before all this 'technology' came about. Sometime they did it well, and sometimes they did it conveniently and therefore incorrectly. Today, they should be doing it both correctly and inconveniently. Takes more effort? So what?
[ link to this | view in thread ]
Re: Biometrics
[ link to this | view in thread ]
Re: Mozilla doesn't have much room to talk though: it's again getting 325 million a year from GOOGLE, after at least 3 prior years of 300 million per year. For that, Mozilla puts exceptions for GOOGLE in -- and who knows if visible are the only ones?
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Mozilla doesn't have much room to talk though: it's again getting 325 million a year from GOOGLE, after at least 3 prior years of 300 million per year. For that, Mozilla puts exceptions for GOOGLE in -- and who knows if visible are the only ones?
[ link to this | view in thread ]
bAGGED, TAGGED, AND IN THE fRIG..
but somewhere int he past, people hand them out as a SORT of ID, which is against the law(look it up)
NOW the Credit Bureau's and OTHERS have gotten it into their heads that they can ASK anytime they wish.
Then comes Companies SHARING your data that they receive, and you get MORE and MORE SPAM..this is the old style from Catalog mails..and your MAIL ends up being FULL of magazines you never asked for, and TONS of other crap you never heard of.
Then comes the INTERNET BROWSER,.. before this, we could be MOSTLY Anon, running around the internet..and NOW you have to give info to ALMOST EVERY SITE, just to see it. WHICH can be collected and shared with EVERY person, company, site, ANYONE that wishes to pay a small fee for it..
With all the DATA being SWAPPED around, they can Correlate, JUST ABOUT everything about you..from your location, State, county, city, and ADDRESS, to your age, and year you were born, to how many DOGS/CATS/KIDS you have AND if you really understand this, you can ALSO Garner/gather/expect WHAT a person is watching/reading/ANYTHING. BECAUSE you BOUGHT the info from certain companies that GROW FLOWERS/PAYLESS/WALLMART/PAYLESS/HARBOR FRAIGHT/../.../... They can tell you WHAT TV you have to WHAT CAR you own..
YOU CAN..call many up and ASK to be removed from the lists..OR NOT to use your name on your SALES MAGS.. You can ask them to do many things, BUT ITS ABIT LATE..
The FUNNY part of this, is that MOST of the police forces dont know/understand this..
The Average sale of a full name and address and other info, is AROUND $200+ per name, depends on the amount of info..
[ link to this | view in thread ]
[ link to this | view in thread ]