Bangladesh Brings In Nationwide Digital Identity Cards Linking Biometrics To Mobile Phone Numbers

from the no-scope-for-abuse-there dept

Techdirt has been writing about the apparently unstoppable introduction of the Aadhaar identity card system in India for some time. Judging by this article on Global Voices, it seems that India's eastern neighbor, Bangladesh, has not noticed the serious problems that are emerging with the idea:

On October 2, the Bangladeshi government inaugurated Smart National ID cards (NID) as part of their Digital Bangladesh initiative, aiming to distribute the cards to 100 million people in Bangladesh.

As with Aadhaar, the plan seems to be to use the new cards for a wide range of everyday activities:

Banking, passport details, driving licenses, trade licenses, tax payments, and share trading are among the 22 other services that can be accessed through the cards, with more to follow. The cards will also be associated with an individual's mobile phone SIM card. Once issued, they will be valid for 10 years.

As that mentions, the NID goes even further than Aadhaar by linking biometrics to an individual's mobile phone, making it the perfect surveillance system. That's new, but the main problem with the NID is familiar enough:

The cards hold biometric details of the cardholder: impressions of all ten fingers, as well as pictures of the iris. In total, 32 types of unique citizen data will be "embedded within its microchip," according to Election Commission officials

That means that if details are stolen, there is no way to revoke or change them. Here's what Bangladesh's Election Commisson has to say on the issue of security:

Citizens' data are safe from unauthorised access as the database servers are "fully protected", but there have been no explicit mentions of how the data is stored, and whether or not it is encrypted.

So, pretty much "trust us, it'll be fine," even though massive breaches of "fully protected" databases are becoming routine around the world. Users of the system may not be reassured by the following:

On the first day of card distribution, bdnews24.com reported that many citizens had to leave without the smart ID cards after providing their biometric samples, due to a "software malfunction."

And beyond what may just have been teething troubles, there are deeper issues of exactly the kind being faced by India's Aadhaar:

Biometric data collection en masse has also generated unexpected problems, specifically fingerprints: a technical staffer of the Election Commission was quoted saying "difficulties are being faced in cases where the fingers are scarred, or the lines on fingers have become unclear owing to heavy manual labour." This is likely to be a recurring problem given the large percentage of the population in Bangladesh employed in manual labour, or who have been in the past. This brings with it questions of sustainability: If a person gives their fingerprints now, and then engages in manual labour for 10 years, will they still be recognisable by the system?

Sadly, it seems that governments in India and Bangladesh are too excited by the prospect of the "efficiencies" such a digital identity framework could in theory offer -- to say nothing of the unmatched surveillance possibilities -- to worry much about tiresome practical details like the system not working properly for vast swathes of their people.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: bangladesh, biometrics, national id, nationwide id, privacy

India's High-Tech Billion-Person Aadhaar Identity System Can't Cope With Real-Life Biometrics

from the well,-that's-awkward dept

We first wrote about India's Aadhaar system, which assigns a unique 12-digit number to all Indian citizens, a year ago. Mainstream media are finally waking up to the scale of the project, as this article in the Guardian indicates:

The Aadhaar scheme was launched in 2009, under former prime minister Manmohan Singh, but the current government, led by Narendra Modi, is credited with rolling it out across India. According to the latest figures in May 2016 from the Unique Identification Authority, more than a billion people have been given Aadhaar numbers. Within the next few months, the details of every person in India will be in the government database.

To allay privacy and surveillance concerns, the Indian government insisted initially that Aadhaar was to be purely voluntary. But as Techdirt reported earlier this year, it's quite clear that the government's intention is to get everyone on to the Aadhaar system, and to embed it ever-more deeply in daily life. The principal argument for doing so is that it will make India's bureacracy more efficient, help fight corruption, and make it easier for citizens to receive government support:

The data collected by the Aadhaar centres will be stored in a network of servers in the southern city of Bangalore. Information from the database can then be circulated to different authorities. The ID system, according to the government, will prevent welfare fraud and ensure subsidies and social security schemes are reaching the right people.

All laudable goals, but an article in The Times of India reveals the reality. In the Indian State of Rajasthan, 14 million people have dropped off the Aadhaar system. A major problem is that one of the key biometric identifiers -- fingerprints -- is proving unusable for precisely the groups of people that Aadhaar was supposed to help:

Hard manual labour flattens fingerprint patterns on the palm. Chances of the machines detecting them are really dim.

These patterns also fade with age. "I've never been a manual labourer, but at 70 the lines on my fingers are faint and the device never works with me too," says Aruna Roy of [the Indian social movement] MKSS.

Vaishali Devi of Kishangarh tehsil, Ajmer, complains she's been deprived of ration and pension for over three months. She was at the Jawab Do dharna in Jaipur for 20 days. With her was fellow villager Vanni Bai. For three months, she hasn't been able to collect her quota of supplies.

Another issue is that poor Internet connectivity makes it hard to check readings with the central Aadhaar databases in Bangalore, so many attempts are necessary before fingerprints are recognized, and the food rations can be given out. The good news is that there's an alternative approach:

In principle, the Unique Identity Authority of India, implementing agency for Aadhaar can issue a one-time password to the ration seeker's mobile phone if the system fails.

The bad news:

Many using the system can't afford mobile phones; some don't remember the number registered on their Aadhaar.

It sounds like getting India’s 1.29 billion population to use the Aadhaar system for routine daily transactions is going to be something of a challenge, to put it mildly.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: aadhaar, biometrics, identification, identity, india, national id, privacy

India's Attorney-General: Privacy 'Not A Fundamental Right'

from the I-am-not-a-12-digit-number dept

Last month, we wrote about attempts by the Indian government to make Aadhaar, the country's identity number system, mandatory. This was despite repeated rulings by the Indian Supreme Court that it should not be compulsory for government schemes. Last month, another application was made to the court, asking it once more to forbid the Indian government from requiring the Aadhaar card and a unique 12-digit identification number for its services. During the case, India's Attorney-General, Mukul Rohatgi, made the following remarkable assertion, reported here by Hindustan Times:

"[India's] Constitution makers did not intend to make right to privacy a fundamental right," Rohatgi told the bench, during the hearing of petitions opposing a government order that made the 12-number unique identification number mandatory, especially for seeking government welfare benefits.

As the site Scroll.in explains:

The Attorney General quoted two decisions in support of his proposition -- from 1954 and 1963. Those opposing his argument contended that these decisions had been overtaken by the constitutional jurisprudence that had since evolved.

But as well as his purely legalistic arguments, Rohatgi took another, very different angle, telling the court:

It should balance the petitioner's rights against those of the roughly 700 million people, whose subsidies and welfare benefits were dependent on the "fool-proof scheme."

Despite this emotional blackmail -- give up your privacy, or 700 million people will go hungry -- the Indian Supreme Court's interim order confirmed that:

It is not mandatory for a citizen to obtain an Aadhaar card

and

the production of an Aadhaar card will not be a condition for obtaining any benefits otherwise due to a citizen.

However, the Supreme Court did allow the Aadhaar card and number to be used for a few specific government schemes: those for "distributing foodgrains and cooking fuel, such as kerosene." So perhaps people won't want for food or fuel even if campaigners continue to insist that privacy most certainly is a fundamental right, and that making Aadhaar mandatory would infringe upon it.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: aadhaar, inda, mukul rohatgi, national id, privacy, rights

Aadhaar: Soon, In India, Everyone Will Be A Number

from the national-identity-card-club dept

National identification numbers are common enough -- many countries issue their citizens with a unique identifier. But in terms of scale, few can match Aadhaar, India's identity number system. As The Times of India explained a few years back, when the scheme was first announced:

Aadhaar is a 12-digit unique number which will be issued by the Unique Identification Authority of India (UIDAI) to all residents of the country. It's a step towards putting India in the club of more than 50 countries around the world that have some form of national identity cards. These include most of continental Europe (not the UK), China, Brazil, Japan, Iran, Israel and Indonesia. The number will be stored in a centralized database and linked to the basic demographics and biometric information photograph, ten fingerprints and iris of each individual. The number will be unique and would be available for online and offline verification and, hence, will rule out the possibility of duplicate and fake identities from government as well as various private databases.

The Aadhaar system is designed to make it easier for people on the sub-continent to prove their identity:

One of the key challenges faced by people in India is difficulty in establishing identity. People have multiple identity documents, each serving a different purpose. The most important characteristic of Aadhaar is its universality and it is assumed that the biometric card with the number will be gradually accepted across the country as the identification number by all service providers and government agencies.

The system is almost in place. According to an article in The Economic Times, as of this month, 870 million Aadhaar numbers have been issued. The hope is to achieve "universal coverage" -- 1.2 billion people -- by December.

Initially, the Indian government insisted that the scheme was voluntary, although even in 2013, there were concerns that it was effectively mandatory because various state benefits required its use. In 2014, India's Supreme Court reiterated that the system should not be compulsory, and also forbade the authorities from sharing biometric data held on the associated database with the police or similar agencies without the permission of the person concerned.

That raises one of the principal concerns with such centralized databases: the fact that, once created, there is a natural tendency to use them for purposes that have nothing to do with the original justification. For example, in 2013, there were suggestions that the Aadhaar card could be linked to driving licenses. In December last year, 100 million bank accounts were already associated with Aadhaar numbers. Last month, it was revealed that the Indian Railways may make the use of the Aadhaar number mandatory for booking online tickets. All of those will make tracking a person's activities much easier.

As the use of the Aadhaar system spreads to more domains, and becomes indispensable for more everyday services, that single number will assume an ever-greater importance in the lives of people in India -- and therefore become increasingly useful for identity fraud. It will doubtless make things much easier for the public there; but it will also provide the authorities with the perfect way of unifying all the information that they hold about citizens. Let's hope that by the time that happens, India has in place suitably robust laws regulating both government surveillance and data protection.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: aadhaar, id, id number, national id, number, privacy

Bad Things Happen When Politicians Think They Understand Technology

from the not-so-good dept

With health care reform out of the way, lots of politicians are pushing out new legislative ideas, hoping that Congress can now focus on other issues -- so we're seeing lots of bad legislation proposed. Let's do a two for one post, highlighting two questionable bills that many of you have been submitting. The first, proposed by Senators Schumer and Graham, is technically about immigration reform, which is needed, but what's scary is that the plan includes yet another plan for a national ID card. Didn't we just go through this with Real ID, which was rejected by the states? Jim Harper, who follows this particular issue more than just about anyone, has an excellent breakdown of the proposal, questioning what good a national ID does, while also pointing to the potential harm of such a plan.

Then we have the big cybercrime bill put forth by Senators Hatch and Gillibrand Senators Rockefeller and Snowe (updated, since there are two separate cybersecurity bills, and its the Rockefeller/Snowe one that has people scared), that tries to deal with the "serious threat of cybercrime." But, of course, it already has tech companies worried about the unintended consequences, especially when it requires complying with gov't-issued security practices that likely won't keep up with what's actually needed:

"Despite all [the] best efforts, we do have concerns regarding whether government can rapidly recognize best practices without defaulting to a one-size-fits all approach," they wrote.

"The NIST-based requirements framework in the bill, coupled with government procurement requirements, if not clarified, could have the unintended effect of hindering the development and use of cutting-edge technologies, products, and services, even for those that would protect our critical information infrastructure."

They added the bill might impose a bureaucratic employee-certification program on companies or give the president the authority to mandate security practices.

This is one of those bills that sounds good for the headlines (cybercrime is bad, we need to stop it), but has the opposite effect in reality: setting up needless "standards" that actually prevent good security practices. It's bills like both of these that remind us that technologically illiterate politicians making technology policy will do funky things, assuming that technology works with some sort of magic.

Filed Under: cybersecurity, immigration, national id, politicians, technology