Vickram Crishna, petitioner in the Aadhaar case, working for development of accessible technologies, in conversation with Nehmat Kaur discusses the shortcomings of using biometrics as a unique feature for identification
NK: What are your reflections on the recent Privacy judgement?
VC: The initial feeling was certainly one of enormous well-being and freedom, that the court has come out and said what has not needed to be said, until this gigantic intrusive engine was conceived. And it has said it in a most determined manner, very unequivocally affirming that privacy has always been a fundamental right, and is to be taken as such.
That it was the government itself that put forward the reference, thereby delaying hearings proceeding, is a bitter reality. However, the court has indicated the government will need to sit up and look sharp if it is to be able to save any part of this initiative that couldn’t have been done in this time frame in any case, without the additional intrusion.
NK: In the Supreme Court, it was argued that having fingerprints/thumb/finger impressions on a paper is similar to having it in a digital format, hence if the former hasn’t raised any privacy concerns, the latter shouldn’t either. What are your views on this?
VC: The handling of paper archives of fingerprints can hardly be compared to that of digital records, and the examination of each kind of archive itself is poles apart. The recording of fingerprints in India, for police purposes, is controlled. Fingerprints are also used as signatures, also on paper, but further used as identification only in the rarest of cases at say, banks, where they are not a requirement, just an alternative, entirely voluntary.
As it stands, the recording of fingerprints on a property document are not preserved for forensic examination. The purpose is primary identification, since age naturally tends to make more sophisticated methods less useful. But fingerprints are not that great either, still, if the person is alive, some visual judgment by an expert eye can be helpful, together with other submissions or evidence, since age also has a bad effect on fingerprints. This is a visual image, not digitised. It is compared with another image, captured in much the same way, visually, by an expert. Expertise comes with training and practice.
The digital scan is something else. The actual visual image is much too large to consider for any practical remote authentication uses. So, the industry has come up with a workaround, whereby a mathematical algorithm is applied to the patterns formed by the salient features in the actual image, and the value of this is judged to be mathematically unique enough to provide a verifiable match with a second image of the same fingerprint taken separately. The claims are made by scan vendors, who are keen to transform a small campus security gatekeeping device used in sophisticated high security environments into more ambitious applications.
In reality, ageing and manual labor, the latter also including normal Indian household work, wreak havoc on fingers. The numbers of break lines, scars, worn out lines etc are both numerous and increase with age. Actual authentication is problematic, due to capture issues arising from these problems, and subsequent attempts to recapture the same fingerprint with another device, after some time has passed. The problems are revealed in the mismatch between UID authentications reported and the numbers of persons actually being turned away for failure, together with the persons accepted using fallback methods when UID authentication fails.
Why do we think fingerprints or irises or any other feature of the human body are perfectly unique lifelong? It turns out that there isn’t actually any scientific rationale for believing in exclusivity, but the possibilities are large enough for duplicates to be very rare indeed. Still, when they are, they can sometimes be big goofups, such as arresting a random citizen of the USA in the Spanish train bombing case- it turned out the person had never travelled abroad in his life, much less got on a train in Spain. We have absolutely no way of knowing whether individual fingerprints of deceased persons are not found again in some later born person.
So why is it considered useful? Because it works fairly conveniently in some applications, where for instance, rejection is desirable, such as stopping strangers from accessing one’s own phone without permission, or having nuanced access to office areas depending on the authorised line of work. These typically involve small populations, as do, normally, prison centres, where it is also useful. Some types of crime require that prisoner’s records be maintained for some time after release, to aid in dealing with recidivism presumably, but for others there is no such stipulation.
However, if there is no scientific evidence other than the rarity of actual visually accurate complete fingerprint sets (actually, hardly ever found at crime scenes, and the gathering of evidence in Indian crime scenes is so faulty that scene of crime tampering is not difficult in the first place), then what drives this technically unsatisfactory project? Answers range from a naive need to embrace some quick and dirty methods in pursuit of breaking records (this is characterised as a Ready! Fire! Aim! strategy, commonly seen in the software sector), to more awful possibilities (the fingerprints of foreign intelligence services all over the services contracts, and the fingerprint scanner vendor, signed by UIDAI with foreign companies*), and all of them come up from time to time within larger discussions about this project.
Now, with this background, the same measure is sought to be justified as better than, say, one time passwords sent to the registered phone, because, after all, that needs the whole jhamela (ordeal) of phones etc. However, in the seemingly reasonable argument, somehow the obvious fact that the phone network is needed to run the biometric authentication system as well is somehow papered over, excepting the exhaustive research of Jean Dreze, Reetika Khera, Ramakumar, Aruna Roy and a few others, plus media reports of widespread suffering and deaths due to exclusion.
“The proposition that two biometrics together will work more effectively in the field than accepting one photographic document and sending a text message (widespread possession of both a paper identification and a telephone is a little known fact emerging from documented UIDAI figures) is the outcome of searching for a problem to which this solution can be somehow fitted.”
I think all these things together will emerge strongly once the UIDAI cases actually come forward for hearing. So far, only one of the cases has directly been heard, as I recall, and it was interrupted. The media itself, the only other way in which public opinion can be informed and mobilised, has not stepped up to the plate either. In this respect, the judgment on privacy has finally brought about the stirrings, if not the actual raising, of highbrow and lowbrow eyebrows.
NK: Does storing sensitive data in a central system make it more vulnerable than it being stored in separate databases?
VC: Certainly, something that gets centralised is liable to be subject to targeted attacks by intrusive elements. It means an extra effort has to be placed on systems to make them secure. The advantage of distributed systems lies however in flexibility and networking power, resulting in additional power in terms of derivables, not necessarily security, whose parameters in a distributed system are quite different. Loss of one centre does not result in loss of the system or the entire database, and in fact there are distributed archiving technologies that tend not accumulate singular datasets in any one place ever. This must have been widely discussed during the setting up of the UIDAI infrastructure, and it is not clear why one choice meant more to them than any other.
“However, security is not the vault, it is the contents. And the most precious item added to the archives while digitising them is the UID number, the one branded by the UIDAI, which fiercely marketed the mandatory linking of the number to all kinds of records, some relating to welfare services, others merely aimed at coercing the well-off to comply.”
Since this number has been happily bandied about by all sorts of government agencies, and UIDAI itself, through its leaking software given to vendors, that revealed gaping security holes, I’m not sure why this question of centralised databases is still relevant.
One must complete the scenario by acknowledging the fact that indeed, biometrics have also been recorded, and are stored in this database. However, difficulties in data capture encountered right from the pilot stage onwards meant that escape routes were built into the system, allowing for processing biometrics of persons whose recordings were weak. It is important to point out, while talking of recordings, that the fingerprint or iris are not digital images, they are digital sums generated by analysing the patterns in the images. Poor pattern recognition leads to sums that are not definitive enough to give a firm positive response the next time the person, in equally adverse conditions, puts forward a finger for approval. This leads to large time exclusion, a matter extensively researched by Jean Dreze, Reetika Khera and others, but the cut in spending is being claimed as efficiency. In my opinion, the deficiencies in biometric accuracies stored in the very secure central database are of sufficiently poor quality that identifying and rectifying the errors in usage of the verification data is already slated to be an enormously expensive task.
In my opinion, since the evangelising of the use of the number has been through display of the ‘card’, and it is as a card that it is ubiquitously known, as mentioned numerous times in the court, the UIDAI will eventually come out with rules that make it simpler for the ‘authentication’ to be verifiable by the person on the spot ie what was always possible the manual way, so that the horror stories about exclusion go away.
NK: From a data security point of view, how secure is the Aadhaar database in your opinion? Please give us examples to better understand the issue
VC: I think I have explained this already: the most potent threat is the cavalier manner in which the number is being thrown around.
However, there are other points of weakness in the system, some of which have been addressed after many civil society activists have raised a hue and cry. For instance, ‘consent’: it is widely suspected that consent was coercively or unknowingly taken from many registrants, and this consent is now being extended to financial services through bank interlinking. Only a rigid audit can reveal the extent to which this may have happened, and reversing these actions is going to cost the banks time and money. In the absence of action, it is not possible to ascertain whether these loose processes resulted in deliberate fraud, with canny operators deliberately seeding the database with falsified records. We do know that tens of thousands of agencies have been blacklisted or deregistered, but not what has been done about the records they managed.
Then there are the weak personal data and biometric data records. The managers of the system simply did not take into account the reality of assigning a person an address or even a name. Poor form design, aimed presumably at simplicity, instead resulted in extensive confusion as inexpert data collectors spread across India.
Apart from all of this, there is the spectre of a concerted attack aimed at breaching the CIDR data itself. This could take the form of sophisticated spoofs of authorised centres and agencies. Note that some of them are operated by the same agencies that have been breached already by attacks suspected to have originated from China, as revealed by the Ghostnet investigation, another civil society initiative. Many of these agencies either took no action after being notified of the breaches, or denied that any breach had taken place.
Having said which, the database itself has been worked on by experts from foreign companies that are extremely closely associated with state intelligence agencies of foreign powers. The contract enabled them full access and duplication rights. No Indian intelligence agency owns up to approving these contracts, and UIDAI has gone on record stating that all vendors have offices in India (which is a contract condition) so it is not possible to know whether they have foreign ties. The latest information from the security world, a few weeks back, reveals that the only approved vendor of fingerprint sensors happens to be the one that built clandestine data capture software into fingerprint sensors used by friendly foreign services. So yes, there are other dangers that have not been adequately addressed at the public level.
NK: One of the statements made quite often is that you shouldn’t care about you right to privacy, if you have nothing to hide. What is your view on this?
VC: It’s an old chestnut, and I’m amused that so many nuts still trot it out.
‘Everyone’ has something to hide: the brain is in constant repair helping to conceal your most embarrassing or deplorable memories from yourself. That is extreme: much simpler is the password you just created in order to set up an email account. Only a complete idiot would now advocate that there is no reason to try and keep it hidden.
NK: With a Committee drafting a data protection/privacy law for the country, according to you, what are some key features it should have from a digital privacy perspective?
VC: I think the first step is to agree on a data policy for the country, before rushing headlong into another effort to create a law at any costs. However, your question implies some commonality between a law for the two, data protection and privacy, and there isn’t. There is no need for a privacy law in India, it is affirmed as a fundamental right, with due restrictions, like any other fundamental right. Any law that seeks to infringe upon those restrictions must proceed according to a strictly laid down process, which is detailed for the record in the judgment. Definitely, a data protection or data security law is going to be tested very sharply on these principles.
And the first step towards agreement on a data policy is to ensure that the voices of all stakeholders are adequately represented. A first effort has been announced by the government, in the form of a committee, and if this is the direction the government wants to take or is unable to prevent happening, then one cannot expect much good to come of it. There isn’t a single representative from civil society, apart from Justice Srikrishna, who is not known for his learned awareness of digital technologies, no matter his other strengths.
“As a first principle, not collecting data in the first place is paramount to data security. Whatever data is collected, must be collected strictly and minimally, according to the need. Whenever data is shared, the first step must be to erase links between individuals and other data, before allowing duplication.”
Some of the experts on this committee have gone on record arguing this country has no need for privacy, and with such strong views one cannot imagine that national interest is paramount in the basket of values sought to be enshrined in a data policy.