The Aadhaar Biometric Database Saga
An Instructive Tale for the West
Major Breaches & Misuse of Customer Data in 2018
As this year draws to a close, 2018 is increasingly labeled a year of backlash against technology and the unintended ways in which poorly secured technology affects our lives.
Major breaches, misuse of customer data, and other scandals related to election tampering and economic espionage are contributing to a broad backlash against tech’s intrusion into every part of daily life.
Concerns about privacy and control over data led to the enactment of the General Data Protection Regulation (GDPR), an effort to better regulate the handling of sensitive data and of breaches involving EU citizens’ data, setting a regulatory precedent.
GDPR is still untested, and no fines have been levied. But in other parts of the world, tech’s intrusive reach is leading to court cases and legal precedents.
In India, a recent Supreme Court decision on the expansive use of Aadhaar, the world’s largest biometric database, followed years of public outrage; the resulting substantial pull-back in the program’s authority set a legal precedent that is likely to influence decisions around the world.
For the many tech firms and governments that look to foreign markets as test cases for how tech can be integrated into daily life, the Aadhaar saga is a cautionary tale, yielding valuable lessons about the risks of relying ever more heavily on large-scale biometric data with little security.
Background on Aadhaar
Aadhaar was developed in 2009 by the Unique Identification Authority of India to address a country-wide problem: the lack of a standard means of verifying identities for the purposes of distributing government benefits and collecting taxes.
The solution was a voluntary database of all Indian citizens, which collected their fingerprints, iris scans, and personal details, following which each person was assigned an account and identification number.
However, despite the obvious need to protect the sensitive details of a population of 1 billion, security was not the highest priority for Aadhaar.
Once all that data was collected, Aadhaar’s purpose expanded substantially, under leadership from a government eager to champion a “Digital India.” Aadhaar became the default, outsourced verification system for thousands of purposes, from opening bank accounts to purchasing mobile phone minutes, and confirming Amazon deliveries.
Millions of private entities were given credentials to use the system for verification, giving everyone from a bank manager to a junior secretary limitless privileges to access the system.
Though official guidance maintained that the program remained voluntary, in practice that was not the case, as private firms demanded that each person tie their Aadhaar number to all manner of services, thereby allowing those firms to monetize the biometric data of 1 billion people to increase profits.
With a wary eye toward neighboring China’s growing surveillance state, officials and private citizens voiced worries about Aadhaar’s security, questioning whether it was prudent to force all citizens into a database that a future, possibly repressive government could use against the populace.
Others wondered about the dangers of allowing so many people largely unfettered access to the data, opening the door for criminals and other bad actors to use the data for nefarious purposes.
Little was done until several hackers demonstrated the ease with which they could access large numbers of sensitive details and posted their efforts publicly online.
Ultimately, growing outrage led to a case before the Supreme Court of India, where the justices confirmed Aadhaar’s legality, but struck down article 57, which had given any private entity or individual the right to ask for an Aadhaar number in order to provide a service.
Aadhaar is now only mandatory for accessing welfare benefits and paying taxes. For many, the decision is a pyrrhic victory, removing the mandatory requirement to use Aadhaar for everything from scholarships to job applications, but not removing the data of those whose information has been widely and repeatedly accessed.
Though many politicians plan to push for deletion of the data, the chances of anything other than symbolic success are slim.
The as-yet-undefined process for demanding data erasure itself involves surrendering further sensitive data to the appropriate ministries, which would then be left to institute a process for passing the requests on to private firms.
Private companies that trusted the government to secure the data, even as they relied on open access to profit from it, have suffered twin blows: public outrage and the loss of access to the database.
In the end, the people are left with the stark realization that neither the government nor private sector fought to protect sensitive information and individual rights.
The Need to Prioritize Data Security
Though coverage of the case has been muted in the West, the Aadhaar saga provides lessons to major Western countries about the need to prioritize security and accountability – not as an afterthought, but from the very start.
Many countries already rely on biometric passports and databases of visiting foreigners, but several others plan to emulate India’s approach. Kenya aims to improve government service delivery and security by collecting hand and earlobe geometry, fingerprints, home GPS location, retina and iris scans, and voice samples for every Kenyan.
With such extensive collection, security needs to be the first priority, yet the country does not yet have any comprehensive data protection laws, and lawsuits are sure to come if the government fails to put security first.
For companies that already access some level of biometric data, like those private firms that currently manage airport security, including Clear, which uses biometric verification to help passengers speed through security lines, security also needs to come first. As companies rely on their access to biometric databases as a vital element of their operations, they should understand how quickly a Supreme Court decision could change their plans.
For countries without independent judiciaries, and those run by autocratic regimes, Aadhaar is an attractive example to follow, to register and exert control over populations that cannot fight back. As a test case, Aadhaar reveals the extent to which governments and private entities are still ill-equipped to safeguard sensitive information and control access to it in a way that streamlines government processes while protecting citizens’ identities.
Even when these glaring deficiencies are revealed, measures to remediate the situations are poorly thought out and often ineffective in addressing the root problems. While we wait to see the process by which the first cases of GDPR violations will be adjudicated, we must acknowledge that there is still much work to be done to understand the ways in which tech touches our lives and exposes us to wider vulnerabilities. Poor solutions only exacerbate these problems.