Centre for Internet & Society

India, home to the world’s largest national biometric registry, plans to begin sharing citizens’ data with the country’s private companies and startups.

The blog post by Joshua Kopstein was published by Vocativ on February 21, 2017. Sunil Abraham was quoted.

The government-backed program, called “India Stack,” will allow the second most populous country on Earth to share nearly all of its 1.3 billion citizens’ fingerprints, iris scans, and more, potentially creating unprecedented security and privacy risks in the name of convenience and digital commerce.

India Stack will open up the country’s troves of biometric data to Indian software developers, health care providers, and any other business interested in using the government’s identification records in their apps and services. The Indian government hopes the move will spur innovation, jumpstarting its effort to create a centralized system of digital commerce where citizens can purchase goods, apply for health insurance, or even qualify for a loan using the biometric sensors on their smartphones.

Opponents, however, warn that the sharing scheme opens a Pandora’s box of security and privacy problems, dramatically increasing the likelihood of data breaches and abuse.

“It’s the worst time for privacy policy in the country,” Sunil Abraham, the executive director of the Bangalore-based Centre for Internet and Society, told the Wall Street Journal. “We are very caught up in technological exuberance. Techno-utopians are ruling the roost.”

The dangers aren’t just hypothetical. In 2015, an unprecedented breach at the U.S. Office of Personnel Management allowed hackers to steal the fingerprints of 5.6 million federal employees. Researchers have found that stolen fingerprints can be used to commit fraud and identity theft, and even replicated and used to unlock smartphones and other personal devices. Worst of all, unlike passwords and social security numbers, biometric identifiers like fingerprints can never be changed, meaning that any breach is virtually guaranteed to have long-term consequences.

The India Stack program is the latest in several recent schemes to push the country toward a fully-digitized and cashless economy. As of December 2016, the Unique Identification Authority of India had registered more than 91% of the population into a centralized system called Aadhaar, which integrates with banks and allows citizens to complete transactions and access government services using their fingerprints. The country has also temporarily withdrawn its higher-denomination bank notes from circulation in an effort to bolster digital payment systems.

“While the efforts of the government are commendable, the efficacy of these programs in the absence of sufficient infrastructure for security raises various concerns,” the Centre For Internet and Society wrote in a paper outlining the privacy risks of India’s digital identity system. “Increased awareness among citizens and stronger security measures by the governments are necessary to combat the cogent threats to data privacy arising out of the increasing rate of cyberattacks.”

India’s program has already gone far beyond other countries’ biometric data collection schemes, which have mostly been limited to passports and border control. But law enforcement officials’ smaller, more piecemeal efforts to collect biometric information have also raised alarm over their potential for abuse. Thanks to the cooperation of 16 state DMVs, one in two Americans currently has their photo registered to a law enforcement face recognition database – regardless of whether they’ve been charged or even suspected of a crime. Local police in several U.S. states have also begun collecting iris scans and DNA swabs from people randomly stopped on the street, in some cases specifically targeting African American children.