Biometric identification, the use of unique physical characteristics to identify an individual, is at the forefront of the growing intersection between technology and governance. Biometric identification programs, especially in areas with poor pre-existing paper-based identification, could dramatically improve social welfare programs, increase financial inclusion, and reduce fraud. However, biometric identification carries significant concerns about data security, privacy, and legal protections. This is shown clearly in India’s Aadhaar, the most ambitious biometric program to date. Aadhaar, which means “foundation” in Hindi, has remarkable enrollment rates and has increased efficiency of social welfare programs, but lacks effective regulations. While these mechanisms have evolved some over time, biometric identification programs, like other new technologies, are strongest when designed within effective legal frameworks.
What is Biometric Identification?
Biometric data are “any automatically measurable, robust, and distinctive physical characteristic or personal trait that can be used to identify an individual.” The most common forms are fingerprints, iris scans, and faceprints. Biometric data are not new, nor is their use for identification purposes. However, with higher computing capacity, biometric identification is increasingly used in widely linked, complex, biometric ecosystems of “technologies, processes and policies that are integrated together to enable unique natural persons to prove, unambiguously and securely, who they are to an information system and to empower them to assert their legal rights in a digital context.”
Biometric identification, especially in countries lacking robust paper-based identification, can have many benefits for governance, public service targeting and provision, financial inclusion and integration into formal economies. One-time, small-scale payments can be facilitated by biometric data, verifying recipients to avoid repeat payments and fraud. Biometric identification can also be used to identify marginalized populations, like refugees, to ensure their inclusion in long-term social protection schemes.
Data collected directly from citizens’ bodies is inherently intrusive and sensitive. Because of this, there are unique risks to biometric data programs. There are further concerns about linkages to other sensitive data. In a comprehensive digital system, where all data could be linked through unique biometric identifiers, the risks of hacks or gaps in data security protocols are amplified. Though strong regulatory frameworks can mitigate the risks, privacy and data security should be prioritized.
The Unique Identification Authority (UIDAI) was established in 2009 with the task of issuing “unique identification numbers to residents all across India,” that “can be verified and authenticated in an online, cost-effective manner, which is robust enough to eliminate duplicate and fake identities.” The first UID number, later called Aadhaar number, was issued in September, 2010. To date, over 1.3 billion unique Aadhaar profiles have been generated, making it the most expansive biometric identification program to date.
Residents of India can have their name, address, date of birth, gender, photograph, iris scans, and fingerprints recorded at enrollment centers, in exchange for an Aadhaar card and 12-digit identification number, issued through the UIDAI. Thus far, the program has been remarkable both in high enrollment numbers and low unit cost. With the addition of both fingerprints and iris scans, enrollment and accuracy is improved, especially among children and those with damaged hands. Data processing and authentication standards are very robust, creating a highly accurate and efficient system.
Aadhaar aims to increase access to formal identification and improve social protection. The Aadhaar system has significantly reduced fraud in social welfare systems and streamlined the process for enrollment for and payment of government subsidies. In addition, uses in the private sector allow greater access to services. An Aadhaar number allows those who may not have other formal identification to enroll at banks and welfare payments can be directly transferred into a linked account. Aadhaar has also been used for verification in online recruitment and gig-economy apps, improving the lives of cab drivers and domestic servants. These successes, and the expansion of private and public usage, only highlight the weaknesses in legal oversight.
Though the technical aspects of Aadhaar were carefully and intentionally designed, there was no legal framework in place as it was being deployed. Much of the regulation of Aadhaar is delegated to the UIDAI, the organization that manages the Aadhaar program, which has failed to enact robust stands and procedures, leaving little accountability.
Mission creep is a key issue. Initially, Aadhaar was used specifically for government social welfare services, but now is used for employment, bank accounts, medical records, and many others. Though it was voluntary at launch, the ever-growing list of activities for which it is used calls into question how voluntary it really is. The Indian Supreme Court affirmed on multiple occasions that Aadhaar must remain voluntary – “no person should suffer for not getting the Aadhaar card”. Despite this, the 2016 “Aadhaar Act” allows the government to require Aadhaar enrollment to receive a government subsidy or service, effectively making it mandatory. Since the passage of the Act, “it is becoming increasingly difficult to conduct routine tasks in India without an Aadhaar card.”
In addition, data collection and storage is another cause for concern. The 2010 National Identification Authority of India Bill stipulates that Aadhaar does not collect potentially sensitive information on race, religion, caste, or income. Despite this, Aadhaar data is connected to databases that do collect this information, including the National Population Register and ration card databases. Because Aadhaar numbers are unique identifiers, sensitive information from databases using Aadhaar numbers can become instantly traceable to individuals if there are data breaches, which are frighteningly common. These data breaches, many of which are inadvertent, make Aadhaar numbers, demographic data, and even bank details publicly accessible, in some cases through a simple Google search.
Despite these breaches, data protection and privacy policies for the Aadhaar system do not seem to be priorities for the Indian government. Most notably, the main law regulating the program, the “Aadhaar Act” is silent on privacy protection. In fact, it expands government access to Aadhaar data, including for law enforcement purposes, while previous bills including privacy provisions were withdrawn or rejected. “Despite the fact that Aadhaar was launched over a decade ago, the country still lacks a data protection law.”
Aadhaar has been successful in many ways, and its intentional technical design can be a model for developing countries seeking to use biometric data to expand formal identification. However, its severely lacking formal regulation, data security, and privacy protections hamper the effectiveness of the program should serve as a warning. While there are inevitably institutional gaps when new technologies emerge, legal frameworks should be an integral part of project design when incorporating new technology for governance. As datafication and “big data” become increasingly a part of daily reality, new technologies have the potential to fundamentally change the way states and their citizens interact and can facilitate surveillance and exclusion as much as they can facilitate inclusion and innovation.
Author Biography: Elizabeth Duncan is a Moderator of the International Law Society’s International Law and Policy Brief (ILPB) and a J.D. candidate at The George Washington University Law School. She has a Bachelor of Science in Foreign Service in International Political Economy from Georgetown University. Tweet