India expands its controversial biometrics database Aadhaar

In India, a new law allows companies to access the government biometrics database. Despite a court ruling, linking to income tax returns becomes mandatory. Mistakes in social services have already led to starvation deaths. A planned data protection bill is on hold.

The biometrics programme has been expanded for ten years. (Image edited by netzpolitik.org)

The Indian parliament has approved an expansion of the controversial biometrics programme Aadhaar. It will allow companies to access the database to authenticate their users' identities. The country's Supreme Court had prohibited this, but the new regulation lifts the ban.

Through Aadhaar, Indians are registered with fingerprints as well as photographs of face and iris. According to a study by the think tank IDinsight, 1.2 billion people were already enrolled last year. Privacy activists criticize the program and the ten-year legislative process.

„Mandatory authentication“

According to the Supreme Court, identification by Aadhaar should not be mandatory. However, the new law includes „mandatory authentication“:

Notwithstanding anything contained in the foregoing provisions, mandatory authentication of an Aadhaar number holder for the provision of any service shall take place if such authentication is required by a law made by Parliament.

Future laws could thus simply bypass the Supreme Court judgment, privacy activists say. The opposition MP Shashi Tharoor tried to introduce a ban on Aadhaar authentication by private companies into the law. However, this ban was „shouted down“ before the expansion was passed. The governing party of Prime Minister Modi, who supports Aadhaar, enjoys an absolute majority in the Indian lower house.

Court considers new petition

Activists have filed a petition against the new expansion at the Supreme Court:

The impugned ordinance creates a backdoor to permit private parties to access the Aadhaar eco-system, thus enabling State and private surveillance of citizens, and the impugned Regulations permit the commercial exploitation of personal and sensitive information which has been collected and stored for state purposes only.

The new law also violates last year’s judgment, the petition says. The Court has now issued a notice to the Aadhaar authority UIDAI to seek its response to the accusations.

The finance minister also proposed making PAN, an identification number required for filing income tax, and Aadhaar number interchangeable: „Everywhere where you’re required to quote the PAN instead you can just do Aadhaar – and even if you don’t have a PAN, there is no problem.“

This plan is now being put into effect. But: All PANs which have not been connected to an Aadhaar number by August 31st will be invalidated. The aim is the elimination of non-genuine PANs, said a civil servant.

Demands not taken into account

The time-limited 2016 law was first extended by decree in March before parliament now approved its extension and expansion. Such decrees are properly intended for emergencies, AccessNow criticizes, and it has not been shown to this day that Aadhaar was so urgently needed.

In 2017, the Indian net activist Nikhil Pahwa published a list of demands for Aadhaar. At the top: Registration should never become mandatory, not even – like in an Indian joke – „voluntary, but mandatory“. Services that cover a large part of the population should always offer an alternative.

Pahwa also demanded that biometric information should not be used for authentication by government authorities or companies: „I can’t emphasize this enough. Biometric information is a permanent identifier, and can be easily compromised.“

Google search for pregnancy data

Such compromise is not theory, but practice: There is a long list of data breaches. In 2017, at least 130 million Aadhaar numbers, associated with 100 million bank accounts and data such as name, age and gender, were accessible in the state of Andhra Pradesh on government sites. The following year, it was a database for pregnancies: Abortions, risk assessments and bank accounts were freely accessible on the internet, linked to Aadhaar numbers.

The websites were also indexed by search engines, so entries could simply be found by googling names or addresses.

These breaches were largely stopped: regional authorities reacted quickly by protecting data and even taking pages offline completely. But at the national level, the situation is somewhat different.

In January, a journalist had access to all UIDAI data – for a price of 6.50 euros. With over a billion compromised users, it is likely to be one of the largest data leaks of all time. A UIDAI filing with the police followed within four days – against the journalist.

Privacy yes, but not for poor people

Last year, a government spokesperson said in parliament that „as on date, no incident of data breach has been reported“. And as late as February, a UIDAI spokesperson said that reports about data breaches were „misleading“ and „completely devoid of any substance or truth“.

In earlier court proceedings on Aadhaar, a government official said in 2017 that the right to privacy was an „elitist“ concept. Poor people do not care about the protection of their data, he said, but about food, shelter and clothing. The court ruled at the time that there was a fundamental right to privacy.

The IDinsight survey, conducted in poor areas, also came to a different conclusion: more than 96 percent of respondents said that it was important for them to know if and how the government used their data.

„A lot of personal information is on Aadhaar… there is no reason to link everything. Why should I share my day to day life with the government?“, said a resident of Mumbai in the „Privacy on the Line“ report.

Agency to regulate itself

The newly passed law provides for a fine of 10 million rupees – around 130,000 euros – for breaches of data protection regulations. For every day that the violation continues, a further million rupees is added. The Aadhaar agency is to be responsible for investigating cases and determining fines.

„This can be ineffective given the dual purpose for a single organization, raises potential conflicts, and is not ideal given the complexity of regulatory requirements,“ the authors of the IDinsight study write. Instead, they call for an „independent, competent, and fully authorized data protection regulator“, who can enforce the regulations of a strong data protection law.

Data protection law on hold

India does not currently have a data protection law, even though activists like Pahwa have been demanding one for a long time. Last week, opposition MP Shashi Tharoor described data protection as a national security issue and criticized that the responsible minister had already announced such a law for the last session of parliament. Since 2017 there has been a drafting committee – it receives advice from the same think tank as the Aadhaar draft.

And thus, the draft Data Protection Act, published „like the finale of an exasperatingly long-drawn out TV series,“ provided that data could be processed without the consent of the data controllers if this happened for „the exercise of any function of the State authorised by law for the provision of any service or benefit to the data principal“. Translation: The provisions don’t apply to Aadhaar, which was originally intended for social welfare.

Originally for social welfare

Biometric authentication was meant to ensure that social assistance – especially food allocations – was distributed to the right recipients. With more and more expansions, the project became the data giant it represents today.

According to the government, Aadhaar is a phenomenal success in welfare: 11 billion euros were saved by biometrics and digitization between 2014 and 2018, mostly by eliminating double, false or erroneous entries in social welfare databases. Additionally, the introduction of Aadhaar caused very positive developments in drought areas, says the Economic Survey for the last financial year.

According to activists, this is wrong: the data for the survey is cherry-picked, their evaluation guided by wrong assumptions. Instead, aid measures ordered by the Supreme Court, such as the provision of late wages, improved the situation in the affected areas, they say.

Millions of mistakes

And the figure of eleven billion euros of savings is probably also a bit too optimistic, write the authors of the IDinsight survey: Neither has the government published the underlying data, nor has it clarified whether only non-genuine beneficiaries were excluded from receiving welfare. And the exact value of the Aadhaar system is extremely hard to calculate anyway.

And then there is the other side of the coin: The mistakes in the system. Nine percent of the respondents reported that their records contained errors such as wrongly spelled or transcribed names. Only six percent of respondents reported errors with traditional ID methods.

Researchers believe that the true error rate is higher: „a respondent would likely only report the error if it has led to service denials or other issues.“ But it is not the access to a website that is at stake here, not even the access to bank accounts – but to food.

Important for food allocation

In Rajasthan, India’s largest state, 51 million people live in rural areas. Of those, almost ten percent receive assistance under the Public Distribution System. More than two percent of the rural population were excluded from the program each month in the summer of 2017, even though they were entitled to it – because of Aadhaar.

This means that an estimated 1.2 million people did not receive food due to authentication errors, missing connections to central servers or power outages.

There have already been reports of starvation deaths in families who were unable to collect their food allocations due to Aadhaar errors.

„At least 27 are directly linked with the inability to exercise the new ID system,“ said the human rights hero Dr. Usha Ramanathan at the Kultursymposium in Weimar last week. „This can’t be a way on which any country should proceed.“
