The government of India has amassed a database of 200 million Indian residents' digital fingerprints, iris scans, facial photographs, names, addresses and birthdates. Yet this vast collection of private information is only a drop in the bucket compared to the volume of data it ultimately intends to gather. The Unique Identity Authority of India (UIDAI), the agency that administers Aadhaar -- India's Unique Identity (UID) program -- has a goal of capturing and storing this personal and biometric information for each and every one of India's 1.2 billion residents. Everyone who enrolls is issued a 12-digit unique ID number and an ID card linked to the data.
Once it’s complete, the Aadhaar system will require so much data storage capacity that it is projected to be 10 times the size of Facebook. And while it's optional to enroll, the program is envisioned as the basis for new mobile apps that would facilitate everything from banking transactions to the purchase of goods and services, which could make it hard for individuals to opt out without getting left behind.
India’s is the largest biometric ID scheme in the world, and the masssive undertaking raises serious questions about widespread data sharing, a lack of legal protections for users’ data, and concerns about whether adequate technical safeguards are in place to keep individuals’ information safe and secure.
Recently, EFF attended a talk by Srikanth Nadhamuni, a technologist and one of the program’s chief architects, at UC Berkeley’s Center for Southeast Asian Studies. While he characterized Aadhaar as a cutting-edge tool for fighting corruption and assisting the rural poor, EFF has concerns about the privacy implications of this sweeping effort.
Is Biometric Collection Necessary to Achieve the Program's Goals?
Nadhamuni framed Aadhaar as a program that could alleviate the plight of India’s rural poor, a large subset of the population that lacks reliable access to government services. “The city governments … were still being run by leather-bound books and pen,” he explained. “Not using technology to improve service delivery was something that we wanted to change. … The thought that I had was, if we could embed a unique number for each baby that was born, and that number got used in all the different applications, then that service delivery could improve. Once you have enrolled yourself, then you can go and buy your rations, or banking transactions, and so on, using authentication.”
Nadhamuni said UID would serve to eliminate fraud in circumstances where it is now impossible to verify individuals' identities. He described the tedious and costly weekly journey of a laborer to cash a paycheck to illustrate how UID could be used to make peoples' lives more convenient. He described a system in which UID numbers would spur the development of mobile phone apps, which would allow vendors to scan fingerprints on a handheld device to use UID authentication for all kinds of purposes and transactions.
When evaluating biometric systems, it's important to determine whether the collection and processing of personal information fit with the program's stated objectives. The goal of assisting the rural poor is well-intentioned, but the means Nadhamuni is proposing to achieve this end should be carefully examined. It's also worth asking why, if the stated objective is to aid the rural poor, the UIDAI intends to extend Aadhaar's reach to each and every one of India's 1.2 billion residents. EFF remains concerned about the problems inherent in centralized biometric ID databases, systems that have been met with resistance elsewhere and, in the case of Britain, even dismantled in the face of public outcry stemming from privacy concerns.
The creation of such a system raises concerns about the security of users' highly sensitive personal information. Nadhamuni said very little about whether there is a contingency plan in the case of a data breach, like the one that transmitted Israel's entire population database onto the Internet in a freely available format. What happens if people start to spoof fingerprint scanners, which German hackers have already proven is a relatively easy feat? What if identity thieves take it a step farther, by spoofing iris scanners (which Javier Galbally showed was possible at the Black Hat Security Conference this past summer)? Unlike a PIN code, a fingerprint or an iris is impossible to cancel and re-issue.
A Centralized Unique ID System is Risky
Nadhamuni seemed to accept without question that implementing a universal ID card would benefit India. “There is no standard identity document in India,” he said. He justified the collection of biometric data by saying that insurmountable overlap between existing governmental databases makes it impossible to create a unique database by merging all existing data sets.
Yet the assumption that there is an inherent need for a governmental framework that would aggregate all individuals’ personal information in one place should not go unchallenged. There are fundamental flaws in a system with a centralized database at its core, which grants a disproportionate amount of control to a single governmental entity that collects and stores the information. Regardless of the security precautions Nadhamuni assured would be in place, the creation of such a database inevitably creates a honeypot of sensitive information that becomes a natural target for would-be criminals.
India has no data privacy protection law to speak of, and the fact that this program is moving ahead in the absence of such a safeguard is problematic, particularly given the widespread data-sharing that is contemplated under this endeavor. Similar proposals have run into legal trouble. In March 2012, the Conseil Constitutionnel, the highest authority on the French Constitution, declared the provisions of a law permitting judicial and police use of a centralized national ID database to be unconstitutional.
In other countries, we've seen how biometric data can ultimately be used for purposes other than stated intentions. In Argentina, for instance, a new centralized, nationwide biometric ID will allow law enforcement to “cross-reference” information with biometric and other data initially collected for the purpose of operating a general national ID registry. This reverses the traditional practice of limiting police fingerprint databases to those suspected or convicted of criminal offences.
Once it is built, an enormous system based on the personal information of 1.2 billion people can begin to serve all manner of previously unimagined purposes. What's more, Nadhamuni suggested biometric identification with Aadhaar could become a convenient part of everyday life: the UIDAI lets private parties accept the IDs and verify their content online, for outsourced financial transactions or authenticating users for third-party applications. For example, people could have their fingerprints scanned on a shopkeeper's mobile device as a way of paying for items at a shop. It's astonishing to think that the enormous flows of data that would result from these applications – and the associated potential for monitoring Indians' physical whereabouts and day-to-day lives – would come with few legal safeguards.
Beware of Function Creep
A telling moment in Nadhamhuni’s lecture came when an audience member asked whether Aadhaar would be used for national security purposes. “I don't know about the linkage between UID and security,” Nadhamuni responded. “I was head of technology, and the specification that I was given was to build a system for social inclusion and the poor. So if there's a linkage, I don't know of it, and so I can't comment on what that linkage is.”
It's disappointing that he didn't say more, particularly given this New York Times op-ed by Indian journalist Aman Sethi suggesting that national security was at the root of a government initiative to collect biometric ID that predates Aadhaar and is now moving ahead in sync with the UID program. Function creep – when a program is introduced for one purpose and ultimately used for another – is a serious consideration when assessing biometric ID systems. What will happen when data collected by the UIDAI is used in conjunction with a governmental surveillance program or national security initiative? So far, this question remains unanswered, but there are good reasons to be concerned.
This colossal, IT-driven effort is moving forward without adequate transparency or public dialogue, and it’s no wonder that activists have pushed back against the idea in India. Internet policy researcher Sunil Abraham, of the Bangalore-based Center for Internet and Society, has voiced concerns over Aadhaar’s identification system and proposed alternatives that would be far less privacy-invasive.
"Privacy protections should be inversely proportional to power," Abraham wrote in a Business Standard op-ed. "The transparency demanded of politicians, bureaucrats and large corporations cannot be made mandatory for ordinary citizens. Surveillance must be directed at big-ticket corruption, at the top of the pyramid and not retail fraud at the bottom. Even for retail fraud, the power asymmetry will result in corruption innovating to circumvent technical safeguards. Government officials should be required by law to digitally sign the movement of resources each step of the way till it reaches a citizen. Open data initiatives should make such records available for public scrutiny. With support from civil society and the media, citizens will themselves address retail fraud. To solve corruption, the state should become more transparent to the citizen and not vice versa."
A biometric data collection program of this scale, particularly in the absence of an existing data protection law, presents serious risks to individuals’ privacy. Rather than improving people’s lives, Aadhaar could place their highly sensitive personal information at risk.