24 Jun, 2012, 01.31PM IST, M Rajshekhar,ET Bureau
There was to be one large database. Now, we are moving to a system where multiple agencies capture and store biometrics data in myriad servers. This is amplifying the risk of biometric theft.
As Sunil Abraham, the head of Bangalore-based Centre for Internet and Society says, “If biometrics is used as authentication factor then it would be possible for a criminal to harvest your biometrics – such as using a glass to collect fingerprints – without your conscious cooperation. Or the registrar can cache your biometrics and duplicate transactions.”
As the number of databases containing biometrics rises, the risk of this information leaking out increases. There have been complaints against an UIDAI enrolment agency called Madras Security Printers that it had sold data to private companies. There were also charges that enrolment agencies had outsourced the enrolment work to other companies, which they are not allowed to do.
What complicates matters further is there are not many safeguards. The country doesn’t have a policy on how biometrics can be captured, used, stored and destroyed. But before we get deeper into that story, it is useful to understand why multiple departments have begun collecting biometrics.
According to a senior bureaucrat who recently retired from the ministry of planning, the answer lies in the 2014 elections. “For the government, cash transfers are the large reforms that they think UPA 2 can point towards in the next elections. For this reason, they need all this up and running before 2014.”
This pilot, says DK Jain, joint secretary, MoRD, started 3-4 months ago in parts of Gujarat, Karnataka, Odisha and Rajasthan. In another six months, it will be available across the country. And then, there is the PDS.
Here, different states are putting different systems in place. Andhra, says a senior mandarin in the food ministry, is going with UID, Haryana is looking at smart cards, Jharkhand is going with Aadhaar, MP and Gujarat are testing food coupons, while Chhattisgarh has decided to use RSBY and Orissa has chosen NPR.
Apart from this, data is also being collected by the RSBY and BC companies on behalf of the banks handling welfare payments, or scrambling to meet their financial inclusion targets.
A New Set of Worries
As the number of databases rises, a new set of worrying questions are coming to the fore. The first has to do with this enthusiastic adoption of biometrics. If they do not work, people might be excluded from something as basic as citizenship, or from government programmes.
And then, there are data safety questions. Says the NIC official, “In my opinion if all the solutions are in isolation to each other then there cannot be any common safeguard mechanism. Every organisation shall have to ensure their own data security by applying normal cyber security principles.”
The official was referring to technology standards – on data encryption and firewalls. How are we doing here? Not very well. Says B Sambamurthy, head of Hyderabad-based Institute for Development and Research into Banking Technology: “There are standards for capturing, storaging and retrieving of biometric data. The problem is not with technology or standards but rigorous compliance.”
And then, there are more procedural aspects – like ensuring that the information collected is not shared, or that it be used only for the purpose for which it was collected. These are entirely missing. Take Andhra Pradesh, where the government tried to share the biometrics it had collected for one programme with other government departments. But that triggers larger questions about consent and ownership over biometric information. Can a person’s biometrics be used in ways he or she has not expressly authorised?
These are issues that the privacy bill will have to look at. Says a bureaucrat working on the bill, “It will lay down the broad standards. Any agency which wants to collect this information will need to get enrolled or registered with a central body before it can start collecting data. It cannot share this data with anyone else. It also lays down the penalties in case anyone violates these terms.”
It also envisages the creation of a new agency – a standalone agency which will define privacy standards and monitor compliance. But, it is a long way off. The ministry wants to revise the Bill in the coming month, and then place the bill online for public comments, and then another round of interministerial consultations.
In the meantime, be careful. There is little by way of penalties that can be imposed on any organisation that shares your information with anyone.
- Unique identity crisis- #UID #Aaadhaar #Nandan Nilekani (kractivist.wordpress.com)
- Growing Mistrust of India’s Biometric ID Scheme (kractivist.wordpress.com)
- Aadhaar Round-Up: UID Vs Resident ID; UID In Jharkhand and Delhi & More (kractivist.wordpress.com)
- Seven booked in Aadhaar fraud #UID #Nandan Nilekani (kractivist.wordpress.com)
- Chidambaram vs Nilekani: New round in turf war over biometrics (ndtv.com)