Get more Mail & Guardian
Subscribe or Login

Biometric data poses grave risks to privacy

TECHNOLOGY

Around the world, governments are succumbing to the allure of biometric identification systems. To some extent, this may be inevitable, given the demands and expectations placed on modern states. But no one should underestimate the risks these technologies pose.

Biometric identification systems use individuals’ unique intrinsic physical characteristics — fingerprints or handprints, facial patterns, voices, irises, vein maps or even brain waves — to verify their identity. Governments have applied the technology to verify passports and visas, identify and track security threats and, more recently, to ensure that public benefits are correctly distributed.

Private companies, too, have embraced biometric identification systems. Smartphones use fingerprints and facial recognition to determine when to “unlock.” Rather than entering different passwords for different services — including financial services — users simply place their finger on a button on their phone or gaze into its camera lens.

It is certainly convenient. And, at first glance, it might seem more secure: someone might be able to find out your password, but how could they replicate your essential biological features? But, as with so many other convenient technologies, we tend to underestimate the risks associated with biometric identification systems. India has learned about them the hard way, as it has expanded its scheme to issue residents a “unique identification number,” or Aadhaar, linked to their biometrics.

The Aadhaar programme’s primary goal was to manage government benefits and eliminate “ghost beneficiaries” of public subsidies. But it has now been expanded to many spheres: everything from opening a bank account and enrolling children in school to admission to a hospital now requires an Aadhaar. More than 90% of India’s population has enrolled in the programme. In India, the government wanted to enrol a lot of people quickly in the Aadhaar programme, so data collection was outsourced to small companies with mobile machines.

But serious vulnerabilities have emerged. Biometric verification may seem like the ultimate tech solution, but human error creates significant risks, especially when data-collection procedures are not adequately established or implemented. If a fingerprint or iris scan is even slightly tilted or otherwise wrongly positioned, it may not match future verification scans. Moreover, bodies can change over time — for example, daily manual labour may alter fingerprints — creating discrepancies with the recorded data. And that does not even cover the most basic of mistakes such as misspelling names and addresses.

Correcting such errors can be a complicated, drawn-out process. That is a serious problem when one’s ability to collect benefits or carry out financial transactions depends on it. India has had multiple cases of lost entitlements, such as food rations and wages for public-works programmes, as a result of biometric mismatches.

If honest mistakes can do that much harm, imagine the damage that can be caused by fraud. Police in Gujarat recently found more than 1 [Thin space] 100 casts of beneficiary fingerprints made on a silicone-like material, which were used for illicit withdrawals of food rations from the public distribution system. Because we leave fingerprints on everything we touch, we are all vulnerable to such replication.

Manual replication is the tip of the iceberg. Researchers have created synthetic master prints that enabled them to achieve a frighteningly high number of “imposter matches”.

Further risks arise during the transmission and storage of biometric data. Once collected, biometric data are usually moved to a central database for storage. They have to be encrypted while in transit, but the encryptions can be — and have been — hacked. Nor are they necessarily safe once they arrive in local, foreign, or cloud servers.

A French security researcher accused two Indian government websites of leaking thousands of IDs, including Aadhaar cards. That leak has now reportedly been plugged. But, given how many public and private agencies have access to the Aadhaar database, such episodes underscore how risky a supposedly secure system can be.

Of course, such vulnerabilities exist with all personal data. But exposure of someone’s biometric information is far more dangerous than exposure of, say, a password or credit card number, because it cannot be undone. We cannot, after all, get new irises.

The risk is compounded by efforts to use collected biometric data for monitoring and surveillance, as is occurring in China and elsewhere. In this sense, the large-scale collection and storage of people’s biometric data pose an unprecedented threat to privacy. And few countries have anything close to adequate laws to protect their residents.

In India, revelations of the Aadhaar programme’s weaknesses have largely been met with official denials, rather than efforts to protect users. Worse, other developing countries, such as Brazil, now risk replicating these mistakes as they rush to adopt biometric technology. Given the large-scale data breaches that have occurred in the developed world, these countries’ citizens are not safe, either.

Biometric identification systems are permeating every facet of our lives. Unless and until citizens and policymakers recognize and address the complex security risks they entail, no one should feel safe. — © Project Syndicate

Jayati Ghosh is professor of economics at Jawaharlal Nehru University in New Delhi, executive secretary of International Development Economics Associates and a member of the Independent Commission for the Reform of International Corporate Taxation

Subscribe for R500/year

Thanks for enjoying the Mail & Guardian, we’re proud of our 36 year history, throughout which we have delivered to readers the most important, unbiased stories in South Africa. Good journalism costs, though, and right from our very first edition we’ve relied on reader subscriptions to protect our independence.

Digital subscribers get access to all of our award-winning journalism, including premium features, as well as exclusive events, newsletters, webinars and the cryptic crossword. Click here to find out how to join them and get a 57% discount in your first year.

Jayati Ghosh
Jayati Ghosh
Jayati Ghosh is one of the world's leading economists. She is professor of economics at Jawaharlal Nehru university, New Delhi, and the executive secretary of International Development Economics Associates (Ideas). She is a regular columnist for several Indian journals and newspapers, a member of the National Knowledge Commission advising the prime minister of India, and is closely involved with a range of progressive organisations and social movements. She is co-recipient of the International Labour Organisation's 2010 Decent Work Research prize

Related stories

WELCOME TO YOUR M&G

If you’re reading this, you clearly have great taste

If you haven’t already, you can subscribe to the Mail & Guardian for less than the cost of a cup of coffee a week, and get more great reads.

Already a subscriber? Sign in here

Advertising

Subscribers only

Local elections: Water tops the agenda in Limpopo’s dry villages

People in the Fetakgomo Tubatse local municipality, who have to collect water from Motse River, are backing independent candidates because they’re tired of parties’ election promises

Careers the Zondo state capture inquiry has ended (or not)

From Vincent Smith to Gwede Mantashe, those named and shamed have met with differing fates

More top stories

Local elections: Water tops the agenda in Limpopo’s dry villages

People in the Fetakgomo Tubatse local municipality, who have to collect water from Motse River, are backing independent candidates because they’re tired of parties’ election promises

A bigger slice of the pie: Retailers find ways to...

The South African informal economy market is much sought-after, with the big, formal-sector supermarkets all looking to grow their share

Careers the Zondo state capture inquiry has ended (or not)

From Vincent Smith to Gwede Mantashe, those named and shamed have met with differing fates

The Democratic Alliance and illiberal liberalism’s glass ceiling

The DA appears to have abandoned its ambitions of 2016 and is set to lose further ground in the upcoming elections
Advertising

press releases

Loading latest Press Releases…
×