India, with a population of 1.252 billion, has one of the world's largest biometric databases. The Aadhaar database was created seven years ago in order to streamline the payment of benefits and help eliminate inefficiencies and curb fraud. Now, a recently proposed law, which Parliament seems set to pass, would give federal agencies access to said database in the name of national security, potentially compromising billions of people. This head-on collision of a data collection project and a broad national security law highlights the importance of thoroughly implementing privacy policies, as well as the near impossibility of foreseeing the implications of future legislation.
Opponents to the new law have voiced concern and asked for assurances that the biometrics contained in the database - including biological data, iris scans, and finger prints - will not be misused. This concern is heightened because the current ruling party, Bharatiya Janata Party (BJP) is perceived to be eroding India's traditions of tolerance and free speech by being heavy-handed with student protests and furthering a Hindu nationalist agenda. Furthermore, these concerns are shared by India's large Muslim population, which fears that they could be specifically targeted given the current political climate in the region.
Although some MPs have defended the legislation, claiming that it would only be used in rare cases, and that it is actually narrower in scope than the existing Indian Telegraph Act (which allows government agencies to intercept telephone conversations in the interest of public safety), opponents are not satisfied. Asaduddin Owaisi, an opposition MP, as quoted in the Reuters article linked to below, goes as far as to question whether Parliament is "midwifing a police state" by passing the new legislation. While this phrasing could be viewed as dramatic by some, the truth of the matter is that the present bill is lacking the sort of safeguards that could theoretically prevent government overreach. If this database becomes the centralized repository for personal data, how would the Government manage different agencies' access? If you are stopped for a traffic infraction, arrested, visit a doctor, or apply for a new job - what information is available to whom?
In addition to internal mechanisms, there are many outside factors to consider. One of the pros of the database is that it helps curb fraud - in a country that has a patchwork of systems that verify an individual's identity, residents tend to have duplicate IDs, which makes it easy to falsify identities in order to claim food rations, and fertilizer and fuel subsidies. If this database works as well as it should, it could also one day support a cashless economy in a society where many do not have bank accounts. However, this means that it is not unlikely that private sector companies could bid for access to leverage the platform, using the database to confirm identities for travel, manage bank pins, or provide credit scores, among other things.
Nevertheless, the potential downsides should not be ignored. For example, the Government has yet to prove that data would not be sold to private companies or other nations. For that matter, it is also unclear whether the Indian government would collect the biometrics of migrants and share it with their home country. It has also not implemented measures against fraudulent biometrics such as synthetic iris images that could be applied to contact lenses, or fingerprints that can be lifted from surfaces and replicated. These potential nightmare scenarios do not begin to broach others that are equally delicate - encryption, localization of data storage, and the transfer of citizens’ personal data across national borders. These possible negative implications are far reaching and could be life-altering for the individuals involved.
The collection of these biometrics would also not be limited to Indian citizens and residents. (Many, if not most, countries collect information on foreign nationals at their borders - see below for links on the use of biometrics by the US, UK, and Canadian governments.) Just five days ago India announced that it would ease restrictions on Pakistani nationals traveling to Kolkata for the World T20 cricket tournament. Instead of requiring them to present a return ticket, India will collect the biometrics of all Pakistani fans entering and exiting the country, and this will enable Indian agencies to ensure they have duly left. Whether this will soon be required of all tourists is unknown but it is clear that this is a slippery slope of discrimination to single out a specific nationality. In the context of a sports match it could arguably be benign but that would change quickly in the case of a terror attack, a refugee crisis, extradition, or outright war.
How India decides to approach this new law will provide an interesting experiment as democratic governments worldwide try to balance individual privacy and legal government surveillance. It would be atrocious however, for India to blindly pass this without giving it the attention and thoroughness it deserves.
This was originally published on 16 March 2016 on LinkedIn. It can be found here.