What is with India? Just last summer India’s Supreme Court held that individuals have a fundamental right to privacy that is intrinsic to the right to life. Yet the same Supreme Court waffles over whether agencies and companies can require program participants to link to their Aadhaar data to get the service or benefit they need.
For those who don’t know, Aadhaar is a 12-digit unique identifier issued to all Indian residents based on biometric (iris scans and fingerprints) and demographic data. The data is collected by the Unique Identification Authority of India (UIDAI) which sits in a gigantic database called the Central Identities Data Repository (CIDR).
Participation is high producing the world’s largest biometric system. As of November, Aadhaar claimed 1.19 billion enrollees with over 99% 18 and over enrolled. Data has been collected since around 2010.
So back to the Indian Supreme Court for a second and its inconsistent and incomprehensible rulings on mandatory linkage. In one 2013 decision, the Supreme Court held that government agencies and companies cannot make providing your Aadhaar identifier resulting in linkage to your personal Aadhaar data mandatory. Typically this is done for authentication purposes. However, most recently in June 2017, just two months before the right to privacy ruling nonetheless, the Supreme Court held that Aadhaar authentication linkage CAN BE made mandatory for “other purposes” such as income tax filings and bank accounts. We really should come to expect such incremental encroachment and expansion of a very creepy program.
So what’s the problem? Well, a few really big ones.
First, a rapid spread of mandatory identifier requirement. Despite the Supreme Court’s seeming early reluctance to permit mandatory linkage for authentication purposes AND a rash of recent serious challenges to the validity of the Act itself, numerous government agencies and private companies have made participation in programs conditional upon providing Aadhaar identifiers giving them access to the data.
Second, there are serious security issues. For example, UIDAI confirmed that >200 government agencies were publicly displaying confidential Aadhaar personal data. While this problem may have been corrected, it’s difficult to put that cat back in the bag. Of course, no heads were rolling down New Delhi streets.
The Hindustan Times reported in May 2017, that around 135 million Aadhaar numbers and personal information may have been leaked from four government portals due to lack of IT security practices. The leak may have also included bank account numbers.
In another incident, it was discovered that a rogue agent (or agents) was selling access to a portal on the Aadhaar website giving anyone access who has the credentials access. The agent was selling access for as little as Rs 500.
Finally, concerns have been expressed over the proliferation of databases containing Aadhaar data meaning the information contained in CIDR is likely scattered among numerous government agencies with their own independent databases. CIDR security procedures do not apply to these databases. It’s up to the independent agencies to engage vendors for system maintenance.
Recently, Edward Snowden stirred the pot with a series of tweets about Aadhaar and the security risks posed and Wikileaks hinted at potential CIA access to Aadhaar data through a CIA related contractor supplier of biometric equipment.
The world is watching folks. When the United Nations issues statements such as the following, watch out. “The decision of India 2010 to launch the Aadhaar programme to enroll the biometric identifying data of all its 1.2 billion citizens was a critical step in enabling fairer access of the people to government benefits and services” with “tremendous potential to foster inclusion.” The U.N. likes it very much. And it’s spreading with countries such as Australia, Brazil, Germany, Israel, New Zealand, and Norway all implementing biometric based national ID programs and/or passport programs. While India is the only country so far to tie biometric data collection to the receipt of government benefits and other private sector services like banking, I predict it won’t be the last.
Posted by Frank W. Leak. Frank is a member of the law firm, Leak & Jamison, PLLC, and is located in Winston-Salem, NC.
PrivacyPig™ 