Background
Technology innovations in the last twenty years have had an exponential growth that no one could have ever predicted. With this meteoric growth, the power of private companies that owned the technology has also grown significantly. The recent cases of Facebook banning all news media in Australia or Twitter blocking democratically elected leaders in USA or Indian government taking a stand against Twitter, made the recent headlines and received a lot of attention. However the governments and citizens across the world have not taken any significant actions to curtail such rapid growth of power in technology companies due to the availability of massive data. Anyone with access to data not only controls the narrative of news, they can also gain enough power to challenge the power of government and their elected leaders. Few dominant global technology companies now run the software and hardware that power the operations of most world government offices and can influence their projects and even the laws that are made by the elected officials.
Aadhaar – Indian citizen biometric data API
Recent incidents of data security pale in comparison to the ramifications for Indian citizens with the latest news that after collecting nearly all of its 1.3 billion citizens’ fingerprints and iris scans, the Indian government is giving the data to start-ups and software developers! This is being done as part of a government backed program called “India stack“ which is slated to open massive reservoir of citizen’s data to businesses such as health care providers, software developers and any other firms interested in accessing the government’s citizen identification records and incorporating them into their products and services. Their website states that with the explicit consent / authorization by the resident, the Aadhaar e-KYC service provides an instant, electronic, non-repudiable “Proof of Identity” and “Proof of Address” along with date of birth and gender. In addition, it also provides the resident’s mobile number and email address to the service provider, which helps in further streamlining the process of service delivery. Although we tried to test the API, the websites on which these services have been exposed kept crashing so a full detailed analysis could not be done immediately.
Data exposure – Implications
While this might look like a fantastic idea that heralds new economic growth opportunities for “data-hungry” technology companies, this growth could also cause irreversible harm to all citizens whose data is being made publicly available. India is ranked as the fifth worst country after China, Malaysia, Pakistan and the US in terms of extensive and invasive use of biometric data, according to a new report from Britain-based tech research firm Comparitech. Such a move to expose Indian citizen data further damages India’s credibility in the world in terms of protecting human rights, preventing economic exploitation by those that have access to such sensitive data and puts the security of all citizens at grave risk.
Here are a few concerns that emerge from this action taken by the government:
- Personally identifiable information (PII): Data such name, data of birth, address, phone number, government issued identities (Medicare, tax numbers, Social security numbers) are deemed to be protected under PII standards. Currently there are no laws enforcing such standards on governments who have been creating or collecting massive amounts of citizen data. The ramifications of private industries getting hold of anyone’s details without a warrant or approval from law enforcement authorities cannot be ignored. Using such records it will also become very easy for criminals, rogue organizations and even technology companies to exploit citizens security with identity theft.
- Health Insurance Portability and Accountability Act (HIPAA): Bio metric data such as fingers prints, dental records, medical history are all considered extremely private and sensitive data under HIPAA standards yet governments continue to push the boundaries to allow mis-use of such data. Imagine being denied basic human rights such as access to medical care, being denied insurance, being exploited based on diseases, being denied jobs based on health records! The possibilities of exploitation is staggering!
- Payment Card Industry Data Security Standard (PCI DSS): Bank details, credit/debit card details, income details, transaction details are also considered private and protected under standards such as PCI yet there are no such standards that governments have to adhere to as they process multitudes of such financial transactions. Technology companies can harvest such data to banks to deny loans, commercial trade organisations can leverage it it for economic exploitation, rogue elements can falsify records or even pretend to be someone else to gain illegal access.
- Governments also don’t have great track record of maintaining the security of the data that they have inadvertently created as part of ongoing activities. On top of this, providing access to such data to private companies will surely increase the number of data breaches, data theft and data privacy abuse.
Questions raised
The biggest worry is that the laws of various governments are unable to keep up with such rapid technology growth. While most of the other laws go through period upgrades, it has taken many years for Indian government to update the Information Technology act which was last passed in 2000 (more than 20 years ago and totally outdated). Only last year, the Indian Ministry of Electronics and Information Technology released the Information Technology Rules, 2021 which replaces the original rules from 2011 and promulgated under the Information Technology Act, 2000. This new rule set seems like progress as it enforces new obligations on companies that operate in India, requiring companies to create new positions on the ground, add specific terms in company policies, adopt proactive data removal tools and implement new notification procedures. However this rule does not enforce any restriction on government agencies that are also creating, collecting and consuming massive amounts of citizen data. Most of Indian population is busy trying to earn basic income, protect themselves from crimes and survive the COVID pandemic, they may not have the time or technology literacy to understand the ramifications of the decision made by the government.
The immediate and urgent questions that are raised are:
- Is the step taken by Indian government to expose private biometric citizen data a step in the wrong direction?
- How can the government ensure that the data is not stolen, hacked or mis-used for economic gain and discrimination by private companies?
- How can citizens protect themselves from misuse, exploitation and discriminations?
- What changes are required in the law and IT act to ensure that stricter rules and laws apply to government and agencies that seek to expose citizen data to private companies?
Conclusion
This step taken by Indian government while emboldening digital commerce, seeks to reduce protection of citizen’s private data (that was given to them in good faith for increasing convenience and access), from private companies that put profitability ahead of everything else! It can be argued that many of the elected officials and the bureaucrats may not come with deep Information Technology background, but most of their advisors are from consulting firms and technology companies that will immensely benefit from getting access to such data. Many of these large firms have become technocrats in their own right, collecting , manipulating, sharing, selling and controlling billions of records of data of citizens of various countries across the world! Surely it is like asking advise from the wolf on how to protect the sheep! A deeper conversation and debate is surely required from long term security, privacy and rights implications perspective and not just from the perspectives of economic viability and ease of governance.
If you found this article helpful, kindly drop a comment or follow us to keep reading such useful articles!