World Privacy Forum founder and multi-government advisor Pam Dixon calls for policymakers to take lessons from fundamental failings in India and ensure a ‘Do no Harm’ ethos is the foundation for regulations to protect privacy
- India’s ‘Aadhaar’ digital biometric system mandatory for vital government and public services has currently virtually no data and privacy protection legislation
- The Indian Supreme Court has ruled privacy is a fundamental right, but has not yet tackled the question of the legality of the Aadhaar project
- Risk of ‘mission-creep’ in Europe through the use of biometric systems to identify patients and UK discussions to create a biometric ID card for EU nationals post-Brexit, spark concerns around human rights
- United States (US) legislation is inconsistent across states and particularly around understanding of consent to use data heightening concerns about proposed facial recognition technology currently being deployed in airports across the US
Legislation is struggling to keep pace with the deployment of biometric identity systems resulting in a high risk to fundamental civil liberties and privacy particularly in India, but also with serious ramifications in the US. Europe, who has the most robust data protection and human rights laws is also vulnerable to ‘mission-creep’ and risk failing the ‘Do no Harm’ principle according to Pam Dixon, founder of World Privacy Forum in an article due to be published in Technology Science, a Harvard-based journal on Tuesday 31 August 2017. (1)
Dixon who has spent extensive time over four years in India researching the Aadhaar warns; “According to the World Bank, 50% of countries with a national identity card system do have not had any data protection legislation in place. The speed of technology advancement has made digital biometric systems much more accessible and enabled wide-scale use for policy-makers. India’s Aadhaar program put technical deployment before policy development and continues to do so. These actions by the Indian government have led to a marked lack of protective regulatory controls, which has in turn resulted in detrimental ‘mission-creep’ and ensuring that there are adequate safeguards in place to protect citizens.”
India’s Aadhaar system
Aadhaar, the Indian digital biometric system started as a voluntary identity card in 2010; fast-forward to 2016 and over one billion people were enrolled in the scheme and today accounts for 97% of the population. (1) Despite its initial voluntary directive, no legislation has been implemented to support its roll-out and it has become impossible to access any government or public service, such as getting married or even buying train tickets without an Aadhaar number. (1) Furthermore, with a failure rate of 49% to match individuals in some regions such as Jharkhand, there are significant failings that could leave citizens unable to access key benefits or get to work. (1)
Today, a nine-judge Constitution Bench of the Indian Supreme Court, decreed that citizens have a fundamental right to privacy, a protection it read into Article 21 of the Constitution, which guarantees a right to life and personal liberty.
Dixon welcomes the ruling “It is a step in the right direction, but there is still a lot of work to be done. This ruling does not evaluate the moralities of the system and how it has been deployed and there are many learnings for the US and Europe”
Biometrics are fast becoming the cornerstone of technology in establishing identity and assisting in reducing crime and fraudulent activity in the US and Europe and new systems are rapidly being deployed. Whilst, the US, and Europe do have regulations in place to support data protection, privacy and consent to use information, India is a case in point that by the time a deliberative legislature can move to a bill of passage, a fledgling biometric programme may have attained pervasiveness and thus be very difficult to regulate or remove. (1)
According to Dixon “The ‘Do no Harm’ principle means that biometrics and digital identity should not be used by the issuing authority, typically a government to serve purposes that could harm the individuals holding the identification. Nor should it be used by adjacent parties to the system to create harm.”
An example of such a ‘harm’ is the inclusion of highly sensitive information such as ethnicity, religion or place of origin. This was evidenced in the Republic of Rwanda, where personal identity documents that included ethnicity, were used to aid and to expedite genocidal activities. (1)
‘Mission-Creep’ in Europe and the United States
In the UK, there has been a proposal to implement a biometric identity card for EU nationals (2) creating controversy around the creation of a ‘second-class’ citizen. (3) There are calls for these cards to be voluntary, but without adequate legislation, there is a danger of ‘mission-creep’ as witnessed in the Indian Aadhaar system.
Additionally, in Europe, whilst there are very strict regulations around sensitive data and the use of consent, governed by the EU General Data Protection Regulation (GDPR) (4), there are already exceptions over information that is necessary to provide a medical diagnosis and treatment providing opportunity for access and use without patient knowledge. (1)
In the US, legislation is inconsistent across states and there is inadequate protection at the federal level. (1) For example, some healthcare providers have urged patients to provide biometric-based authentication without making it clear that such enrolment is voluntary. (1) Concerns about the use of biometric data have soared recently as the US has announced plans to apply facial recognition of all passengers including US citizens entering and exiting US airports. (5) The technology has already been installed at six airports[*] across the US, with more to follow.
Dixon flags that; “Current policy proposals state that live photographs will be deleted within 14 days, but customs officials have already discussed dropping such a restriction, thus providing ‘mission-creep’ opportunity for the information to be used by other federal agencies.”
Call to policymakers
Dixon extols the great work being put forward by the World Bank and its partners, but highlights that “the most important step the World Bank can take to improve Global privacy and protect citizens is to ensure future principals and guidelines enshrine the ’Do no Harm’ as a top priority”
The Principles on Identification is a joint policy document of the World Bank Group, the United Nations Development Programme (UNDP), and other key stakeholders such as the Bill and Melinda Gates Foundation outlining ten principles of privacy and non-discrimination.
‘Digital identity systems and systems that use biometrics need to be designed in such a way that they cannot fail, even when political regimes and the will of legislators do’ is a concept derived from the Privacy by Design school of thought. (5)
Dixon adds that “While all jurisdictions would benefit from an approach that considers privacy by design in biometric identity systems, it should not be seen as a substitute for legalisation. Policy development needs to focus on the concept of ‘Do no Harm’ to create a bedrock guiding principle of all digital biometric identity systems.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.