India’s biometric identification programme, known as Aadhaar, has gone from an optional program to a mandatory one, and is collecting more data than ever expected. In light of private information being published by government sources and lack of clarity on a number of fundamental issues, many are concerned about the security of the program and associated loss of privacy.

The World’s Largest Biometric Database

Over the last seven years India has been building up the world’s largest biometric database. 1.17 billion people, nearly 90% of India’s population, have been registered in the Aadhaar database. By linking individuals to their biometric details, India has provided a form of identification for rural Indians, making it easier for them to register for bank accounts, get a driver’s license, or receive government subsidies. Registered users need only scan a fingerprint or retina to confirm their identity and access government or even private services. That is at least how the scheme was supposed to work – a voluntary system which would improve the livelihood of rural Indians.

Since its inception the scope of Aadhaar has expanded massively – it has become a de facto requirement for participating in even the simplest aspects of daily life. It began as a facilitating tool for certain activities, such as setting up a bank account, and is now mandatory as a form of identification. In June, the government made it mandatory for banks to link their customers’ Aadhaar information with their bank accounts. Any accounts not linked by the 31st December 2017 will be shut down until the account has been linked. SIM cards will also have to be linked to Aadhar by February 2018 or else be deactivated.

Each extension in the scope of the project is explained as boosting efficiency or combating criminality. The government claims that by linking bank accounts to Aadhaar it will be able to prevent money laundering and tax evasion since it will be able to tie every transaction to an individual and every individual to their transactions. By linking SIM cards to Aadhaar, the system would further be able to prevent criminals and terrorists from using unverified mobile phones (the government has yet to come up with a plan for verifying pre-paid mobile phone users who make up 90% of total users).

Private Data Made Public

The expansion of Aadhaar’s scope is alarming to many, however. Critics claim that the government is invading the privacy of citizens, and/or failing to adequately protect their data. Under Aadhaar, data from nearly every aspect daily life is aggregated and can in theory be analysed to build a comprehensive profile of Indian citizens. Adding to the concern is the fact that the data is largely managed by private firms and certain parts of it can be accessed for businesses purposes.

The system seeks to be embedded in nearly every aspect of life, but it is not yet clear that the data is sufficiently protected, or that citizens have a method of recourse if data is leaked. There have already been several instances in which personally identifiable information (PII) has been published by government sources. Online portals managed by the National Social Assistance Programme and the National Rural Employment Guarantee Act, both part of the Ministry of Rural Development, published databases containing PII including names, Aadhaar numbers and bank account numbers among other things. Two government portals of the state of Andhra Pradesh also published a collection of PII. The total number of Aadhaar numbers published by these four portals is estimated to be between 130-135 million.

The issue in these cases was not just that data was leaked, but rather that it was being published online in easily accessible and usable forms. The problem therefore pertains to the lack of regulation or standardization across the various governmental departments that manage Aadhaar data. The variety and number of government departments managing Aadhaar data complicates matters, but in a program as far-reaching as Aadhaar a greater degree of forethought in regards to managing and protecting data is expected.

A published Aadhaar number or bank account number is not a risk in itself, but it does have the potential to make identity fraud or social engineering much easier to commit. Though not associated with any tangible loss, there is a clear erosion of privacy – personal data can be used by either the government or private firms to understand habits, preferences, and perhaps risk profiles of individual Indian citizens.

The government has taken down the aforementioned Aadhaar data and sought to clarify the ways that Aadhaar is protected. But the belated management of critical security concerns and procedures is troublesome. Many other important questions are likely to arise such as “what happens to individuals whose Aadhaar accounts are compromised?”

The Future of Biometric Identification

Aadhaar undoubtedly has its benefits. It would certainly make the delivery of benefits and services to Indian citizens more efficient. It also has the potential to reduce corruption and tax evasion. But the loss of privacy is equally great and it remains unclear as to whether the data will be sufficiently protected.

More transparent rules and better enforcement mechanisms will certainly help but fundamental questions have yet to be answered. India’s Supreme Court recently ruled that Indian citizens have a fundamental right to privacy – but it is not clear precisely what those rights entail. The government itself has published Aadhaar data – but are there procedures for holding it accountable? Can private businesses be held accountable if they publish data, or if they fail to sufficiently protect that data?

Other countries are now looking to India for guidance on implementing their own Aadhaar style systems. Singapore and Bangladesh have biometric identification programs but have not yet expanded their scope to the degree that India has. How Aadhaar performs and the precedents it sets are likely to guide future biometric systems.