A case for privacy
A.G. NOORANI
The strongest protection possible must be given for the right to privacy in any statute or scheme, including the UID project.
IT is 30 years since a Congress Member of Parliament, V.N. Gadgil, suggested an Act for the protection of privacy, designed, no doubt, to curb press exposure of the wrongdoings of politicians. In reality, it is all but impossible to draft a statute that strikes a fair balance between people's right to know and the protection of a person's privacy. In India, as in the United Kingdom, there is no tort of privacy. India's law of torts (that is, civil wrongs punishable in damages) is based on case law, English and foreign. However, the Supreme Court of India has inferred right to privacy from the ones explicitly guaranteed. Article 21 of the Constitution contains a guarantee of personal liberty and it is obvious that personal liberty also involves the right to privacy.
The Supreme Court ruled in Kharak Singh's case in 1962 that the right to privacy is not a guaranteed right under our Constitution though it struck down domiciliary visits at night as being violative of “personal liberties”. A minority, comprising Justices K. Subbarao and J.C. Shah, held that the right to privacy was “an essential ingredient of personal liberty”. In the Nakheeran case [ R. Rajagopal vs State of Tamil Nadu (1994) 6 SCC 632], the court said:
“The right to privacy is implicit in the right to life and guaranteed to the citizens of this country by Article 21. It is a ‘right to be left alone'. A citizen has a right to safeguard the privacy of himself, his family, marriage, procreation, motherhood, child-bearing and education, among other matters. No one can publish anything concerning the above matters without his consent – whether truthful or otherwise and whether laudatory or critical. If he does so, he would be violating the right to privacy of the person concerned and would be liable in an action for damages. The position may, however, be different if a person voluntarily thrusts himself into controversy or voluntarily invites or raises a controversy.”
There is another aspect to the right to privacy. India is a party to the United Nation's International Covenant on Civil and Political Rights. Article 17 of the Covenant states that “no one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation. Everyone has the right to the protection of the law against such interference and attacks.” India ratified the Covenant on March 27, 1979. The instrument of ratification contains reservations to some of the other provisions of the Covenant, but not to Article 17. This is a treaty obligation enforceable internationally through the Human Rights Committee set up by the Covenant. India has to file periodic reports on its observance of the Covenant and successive Attorneys General have been grilled by the Committee's members on the pathetic state of India's reports.
In U.S. and U.K.
Even in the United States and Britain, legal recognition to privacy came in slow stages. It began with an article in 1890 in the Harvard Law Review by Louis D. Brandeis and his friend and law partner, Samuel Warren. Entitled “The Right to Privacy”, it was widely noticed. In 1928, as a judge of the Supreme Court, Brandeis gave a vigorous dissent upholding this right, which he called “the right to be let alone”. This was in Olmstead vs U.S., the famous telephone tapping case. The majority ruled that evidence, thus obtained, was admissible in courts. The ruling has suffered much battering since.
English common law recognised no right to privacy. Committees were set up to consider legislation on the right to privacy, only to find that no easy solution was possible. Reconciliation of this right with the freedom of speech is not an easy task. However, the Human Rights Act, 1998, “incorporates” as British law the “European Convention for the Protection of Human Rights and Fundamental Freedoms” signed in 1950. Article 8(1) of the Convention says that “everyone has the right to respect for his private and family life, his home and his correspondence”. Clause (2) carves out permissible restrictions, which are “necessary in a democratic society” in the interests of national security, for the prevention of crime, etc. Several cases have since been decided in English courts, which are of direct relevance to us. English cases are citable in our courts.
Data Protection Act
In 1998, Britain enacted the Data Protection Act, which lays down the principles and establishes a hierarchy of officials. Data controllers are subject to the jurisdiction of the Information Commissioner. It says: “Data controllers must also abide by the data protection principles. They are, in brief, (a) the data must be processed fairly and lawfully and only for one of the prescribed purposes. For data concerning ‘sensitive' matters, there is a narrower group of specified purposes; (b) it must be adequate, relevant and not excessive for the purpose; (c) it must be accurate, and where necessary, kept up to date; (d) it must not be kept for longer than is necessary; (e) it must be processed in accordance with the rights of data subjects; (f) appropriate technical and organisational measures must be taken against unauthorised or unlawful processing and against accidental loss or destruction of or damage to the data; (g) it must not be transferred out of the EEA [European Economic Area] unless the country to which it is taken or sent gives adequate protection for the rights of data subjects.
“The Commissioner can serve an enforcement notice if she is satisfied that a data controller has contravened any of these principles. An individual who suffers damage because a data controller has contravened any requirement of the Act is entitled to claim compensation. The special provisions for journalistic material gives exemption from: the data subjection principles (except those concerning security of data); data subject access rights; the rights of data subjects to prevent data processing; the rights of data subjects to correct inaccuracies; and rights concerning automated decision-making” (see Media Law, by Geoffrey Robertson, QC and Andrew Nicol, QC, Penguin, 4th Edition, pages 278-279).
Any law on data protection enacted by the Parliament of India will be tested on the anvil of Article 19. Section 32 of the British Data Protection Act provides “public interest” exemptions for “journalistic, literary or artistic material”. The test in each case is public interest. Public interest is a concept entirely different from material in which the public would be interested.
In 2004, the Supreme Court of India decided a case in which the right to privacy was involved. It concerned Section 73 of the Indian Stamp Act, 1899, and its amendment by Andhra Pradesh in 1986. As amended in 1986, it read:
“Every public officer or any person having in his custody any registers, books, records, papers, documents or proceedings, the inspection whereof may attend to secure any duty, or to prove or lead to the discovery of any fraud or omission in relation to any duty, shall at all reasonable times permit any person authorised in writing by the Collector to enter upon any premises and to inspect for such purposes the registers, books, records, papers, documents and proceedings, and to take such notes and extracts as he may deem necessary, without fee or charge and if necessary to seize them and impound the same under proper acknowledgement.
“Provided that such seizure of any registers, books, records, papers, documents or other proceedings, in the custody of any bank be made only after a notice of 30 days to make good the deficit stamp duty is given.”
The Supreme Court Bench, comprising R. Lahoti and A. Bhan, surveyed the case law in the U.S. and in India, but not in the U.K. It held:
“The impugned provision in Section 73 enabling the Collector to authorise ‘any person' whatsoever in respect, to take notes or extracts from the papers in the public office suffers from the vice of excessive delegation as there are no guidelines in the Act and, more importantly, the Section allows the facts relating to the customer's privacy to reach non-governmental persons and would, on that basis, be an unreasonable encroachment into the customer's rights. This part of Section 73 permitting delegation to ‘any person' suffers from the above serious defects and for that reason is, in our view, unenforceable. The state must clearly define the officers by designation or state that the power can be delegated to officers not below a particular rank in the official hierarchy, as may be designated by the state.”
Besides, the AP amendment of 1986 permitted inspection being carried out by the Collector by having access to documents that were even in private custody; that is, custody other than that of a public officer. It empowered invasion of the home of the person in whose possession the documents “tending” to or leading to the various facts stated in Section 73 were in existence. Section 73 was devoid of any safeguards as to probable or reasonable cause or reasonable basis or materials. It, therefore, violated the right to privacy both of the house and of the person. The court referred to the R. Rajagopal case wherein the learned judges held that “the right to personal liberty also means life free from encroachments unsustainable in law”, and such a right flowed from Article 21 of the Constitution.
Right to privacy was upheld again by the Supreme Court of India in another judgment most recently: Ram Jethmalani vs Union of India. Delivered by Justices P. Sathasivam and H.L. Gokhale, it read:
“Right to privacy is an integral part of right to life. This is a cherished constitutional value, and it is important that human beings be allowed domains of freedom that are free of public scrutiny unless they act in an unlawful manner…. [A]s constitutional adjudicators we always have to be mindful of preserving the sanctity of constitutional values, and hasty steps that derogate from fundamental rights, whether urged by governments or private citizens, howsoever well meaning they may be, have to be necessarily very carefully scrutinised. The solution for the problem of abrogation of one zone of constitutional values cannot be the creation of another zone of abrogation of constitutional values…. An inquisitorial order, where citizens' fundamental right to privacy is breached by fellow citizens is destructive of social order. The notion of fundamental rights, such as a right to privacy as part of right to life, is not merely that the state is enjoined from derogating from them. It also includes the responsibility of the state to uphold them against the actions of others in the society, even in the context of exercise of fundamental rights by those others….
“…There is an inherent danger in making exceptions to fundamental principles and rights on the fly. Those exceptions, bit by bit, would then eviscerate the content of the main right itself. Undesirable lapses in upholding of fundamental rights by the legislature, or the executive, can be rectified by assertion of constitutional principles by this court…. We are not proposing that Constitutions cannot be interpreted in a manner that allows the nation-state to tackle the problems it faces. The principle is that exceptions cannot be carved out willy-nilly, and without forethought as to the damage they may cause.”
To sum up, the right to privacy is like the elephant – easy to detect, yet all but impossible to define. However, this is not to say that statutes on the subject do not exist. They do, in Canada as well as in the U.S. But the experience is not particularly inspiring. The best course then is to give the strongest protection possible for the right to privacy in any statute that may be enacted. That holds for any public scheme, including the UID project.
http://www.flonnet.com/stories/20111202282401300.htm
In two minds?
VENKITESH RAMAKRISHNAN
in New Delhi
The government seems confused on key aspects of the UID scheme, and so is the main opposition.
“FOR all the hype about it, the hallmark of the UID [Unique Identification] programme is a sense of incompleteness in terms of both conception and implementation. The muddled political perceptions on it within the government and outside emerge naturally out of these imperfections,” This was how a senior bureaucrat in the Finance Ministry responded when Frontline sought his reaction to the recent controversial developments vis-a-vis the UIDAI. The refrain in the Central bureaucracy refers to the multiple conflicts within the government on the programme and the confusion in the political leadership. Interestingly, the principal opposition Bharatiya Janata Party (BJP) also seems to have got sucked into this vortex of confusion and has not articulated a clear position on the project and its implementation. The Left parties, led by the Communist Party of India (Marxist), or the CPI(M), have expressed reservations about some aspects of the project. The CPI(M) leadership has stated that it is closely monitoring the project and the moves to bring about legislation on UID and will come up with interventions as and when required.
In the midst of all this, the Parliamentary Standing Committee on Finance has through a number of sittings considered a Bill to accord legal status to the UIDAI. While the Standing Committee's deliberations are confidential, there are indications that several of its members have questioned the necessity of such a project. Some wings of the government have raised similar questions. The merits and the functioning of the UIDAI have been questioned also by the Planning Commission. Several political observers are of the view that the UIDAI could face a third line of trouble from the audit initiated by the Comptroller and Auditor General (CAG). The Finance Ministry rejected a demand from the UIDAI to increase its outlay from Rs.3,023 crore to Rs.17,863 crore and enhance its biometric capture mandate from 200 million to all 1.2 billion. The Home Ministry questioned the accuracy of the UIDAI data and asserted that the Registrar General and Census Commissioner of India, which functions under the Ministry, would complete the collection of biometrics that it had already initiated as part of the Census.
Doubts raised by Planning Commission
The Planning Commission even questioned the approximately Rs.3,000 crore that the UIDAI was spending to collect fingerprints, iris scans and photographs of a section of the population. In fact, Planning Commission Deputy Chairman Montek Singh Ahluwalia and the Commission's Member-Secretary Sudha Pillai reportedly objected to the UIDAI's proposal to raise its implementation costs and the methods adopted by the authority to collect citizen biometrics. In a letter dated August 30, Ahluwalia requested the Home Minister to “kindly see the note below with the duplication in the rollout of Aadhaar numbers by UIDAI and the ongoing exercise of the national population register by the Registrar General of India”. Obviously following up on this, Sudha Pillai pointed out that “a reasoned decision is missing [on] whether iris [scans] really needs to be collected”. She also added that the Planning Commission was keen to avoid the duplication of data and expenditure.
While these missives and the rejection of the proposed outlay signify the turbulence in the government in relation to the very purpose of the UIDAI and the way it has evolved and sought to implement its schemes, the performance audit initiated by the CAG in early October involves inspecting the functioning of the UIDAI so far. Naturally, the expenditure incurred by the authority would also come under the CAG scanner. Several political observers, including a number of Members of Parliament, are of the view that the CAG report could raise some questions on the UIDAI's expenditures, especially in the context of the financial autonomy that has been provided to the authority. Supporters of the UIDAI and its Chairman allege that the CAG audit is unwarranted since the authority has been functional barely for a year.
The relative financial autonomy accorded to the UIDAI is being perceived as improper by a number of seasoned bureaucrats, including CAG Vinod Rai and Sudha Pillai. The style of functioning of UIDAI Chairman and Infosys co-founder Nandan Nilekani has also apparently rankled several people in the government machinery, both politicians and bureaucrats.
“Technically the UIDAI is supposed to be under the Home Ministry, but there have been several occasions when the authority dealt directly with the Finance Ministry, giving the clear impression of bypassing the designated reporting Ministry. This has not been taken lightly by many in the Home Ministry,” a senior Home Ministry official told Frontline.
Discomfiture for Prime Minister
Clearly, all these pulls and pressures have put the political leadership of the United Progressive Alliance (UPA) government in a spot. In particular, these developments have added to the discomfiture of Prime Minister Manmohan Singh, who apparently had a major say in initiating the UIDAI project. Naturally, the political spokespersons of the Congress have not made any effort of their own to clear the air in regard to the conflicting pressures and pulls within the government machinery. The matter has not figured in the issues routinely addressed by the party in its diverse forums.
However, talking to Frontline, Congress spokesperson Abishek Manu Singhvi said that the UPA government was committed to taking the UID project forward. Specifically referring to the contradictory views within the government and in institutions such as the Planning Commission, he said: “Dissent and contrary views are always welcome in India, but democracy should not begin to mean that every person must be convinced and must express agreement before a public interest, national interest project is implemented. … Every issue would certainly have a contrary view, but debate cannot continue ad infinitum and ad nauseam. What needs to be seen is that the UID is likely to transform the face of India by effectively dealing with the scourge of leakages in public welfare development projects and providing a uniform model of verification for one of the largest populations in the world. If these are not good enough reasons, so be it.” Singhvi also added that the Congress was of the view that the benefits of the UID project far outweighed the apprehensions and complaints about the fear of data and identity theft as also the reduction of subsidies and decrease in the number of beneficiaries of welfare projects.
The Left parties, however, are questioning the ruling party's assertions. Speaking to Frontline, CPI(M) leader Nilotpal Basu pointed out that the government and the authority itself had derailed the original idea that formed the basis for the UID project.
“There are several concerns about the objectives that the UIDAI proposes to pursue now, especially in the way the project is being channelled to become an instrument for effecting changes in the subsidy regime. One of these proposals is the cash transfer scheme that has been contemplated for delivering food and fertilizer subsidy. We have expressed our strong protest at this. There is also an apprehension that the UID would become an intrusionary instrument for reducing the number of beneficiaries in poverty alleviation programmes like the Mahatma Gandhi National Rural Employment Guarantee Scheme [MGNREGS].” Basu added that the Left parties would inspect the proposed law concerning the UID closely and would oppose anything that sought to reverse the existing rights of the poor.
BJP leader Yashwant Sinha pointed out that he could not make pointed comments on the merits and demerits of the UID as he was the Chairman of the Parliamentary Standing Committee on Finance, which is considering the Bill to accord legal status to the UIDAI. But he agreed that the understanding that the UID could not move forward without the imprimatur of a legislative act of Parliament was a sound one.
Sinha's party has broadly welcomed the initiatives on the UID, but its spokesperson Shanawaz Hussain cautioned, in keeping with the party's Hindutva-oriented nationalist perspective, that the authority should take care not to give the UID to illegal immigrants, especially from Bangladesh. Hussain told Frontline that the party was considering other criticisms against the UID and would formulate concrete views in the days to come.
Obviously, the two mainstream parties are thinking on similar lines. Both seem to support the UID and both seem confused on crucial issues concerning the project's conception and implementation. Whether this bodes well for the project or not is a moot question.
There are supporters of the UIDAI who feel such confusion in political circles may actually facilitate easier functioning of the authority. But several others are of the view that this lack of political direction will facilitate unwarranted and mischievous bureaucratic interference.
It remains to be seen which of these projections actually dominates the UID's trajectory.
http://www.flonnet.com/stories/20111202282401100.htm
Identity concerns
R. RAMAKUMAR
The Unique Identification number, “symbolic of the new and modern India”, is of questionable legality and viability.
KAMAL SINGH/PTI
Prime Minister Manmohan Singh and Chairperson of the Unique Identification Authority of India Nandan M. Nilekani at a UIDAI Council meeting in New Delhi.
“In the Indira years, the slogan was ‘ garibi hatao'…. In the 1970s and 1980s, people's aspirations had focussed on basic essentials – roti, kapda, aur makaan…. Since the reforms in the 1990s, the emphasis moved to… bijli, sadak and paani. In recent years, as growth has accelerated and access to basic infrastructure has improved further, aspirations among the poor have shifted again…. Today, it's all virtual things – it's about UID number, mobile phone and bank account…. With that, they can access services, benefits and their rights…. We are looking at a post-Aadhaar world.”
– Nandan Nilekani
“MODERN” India, it would appear, has finally found the “missing link” in its superpower story. Having ensured that all its “poor” had access to “ roti, kapda aur makaan” by the 1980s, and “ bijli, sadak, paani” by the 1990s, it is surging ahead to meet the new and rising aspirations of its “poor”. The foundations of this surge are being laid with the Unique Identification (UID) number, or Aadhaar, which is also the key to the three “virtual things”. For Prime Minister Manmohan Singh, “Aadhaar… is symbolic of the new and modern India”. For Rahul Gandhi, Aadhaar is the key to “bridging the two Indias”, where you “take some” from the “India of opportunity” and “put them” into the “India without opportunity”.
Business leaders and the pink press are gaga over the spin-offs. According to one analysis, Aadhaar links “private-sector businesses to India's poor in an unprecedented manner”; another is titled: “UID: The Biggest Business Opportunity since Liberalisation”; and yet another quotes the managing director of a software giant thus: “UID gives us a business opportunity to prosper in this digital world”.
The total cost of the project is estimated at over Rs.50,000 crore. A business newspaper reveals that “for every rupee of IT spend on the project… around 60 per cent… will go to hardware vendors”. One consultancy giant estimated that within five years into that “post-Aadhaar world”, India would see a first wave of investments totalling $10 billion. From then on, “potential” is $12 billion a year.
There is no other government project that has kicked up such frenzy in recent times. However, in the midst of this frenzy, myriads of questions are begging for answers. While there are people asking these questions, there are also those tired old ways of dismissing them. Brand them as “ jholawalas” or “lefties” or “anti-technology guys” or “those who broke computers in the [19]80s”. The more lenient of the brandings would be “civil libertarians” or “privacy activists”. Whatever they be branded, one thing in common is that none of their questions has received a satisfactory answer yet.
One place to ask questions in a democracy is Parliament; however, about six crore Aadhaar numbers have been issued even before Parliament has taken up the matter for legislative discussion.
Frontline was the first to publish a critical article on UID in 2009, which raised a set of questions to the government (“High-cost, High-risk”, August 14, 2009). More than two years later, most of those questions remain unanswered.
The REAL INTENT:
SECURITY OR DEVELOPMENT?
The Genesis
An important question regarding Aadhaar is how it will be used. Aadhaar is connected closely with the National Population Register (NPR) of the Union Home Ministry. The NPR is a child of the Kargil War. Following the reports of the “Kargil Review Committee” in 2000, and a Group of Ministers in 2001, the National Democratic Alliance (NDA) government decided to register compulsorily all citizens into an NPR and issue each a Multi-purpose National Identity Card (MNIC). Officially, the NPR is aimed at preventing “illegal migration”. For this purpose, the Citizenship Act of 1955 was amended and new Citizenship Rules were released in 2003.
As per Rule 7(3) in the 2003 Rules, “It shall be the responsibility of every citizen to register once with the Local Registrar of Citizen Registration and to provide correct individual particulars.” Rule 3(3) states that information on every citizen in the NPR should compulsorily have his/her “National Identity Number”. Still further, Rule 17 states that “any violation of provisions of rules 5, 7, 8, 10, 11 and 14 shall be punishable with fine which may extend to one thousand rupees”.
NPR and Aadhaar
While registration to the NPR was compulsory and a National Identity Number was linked to each name, the 2003 Rules did not approve of linking biometrics with personal information. If we analyse the annual reports of the Home Ministry, the sections on the MNIC pilot project do not refer to biometric data until 2004-05. In 2005-06, the first mention of biometric data appears. The report noted: “Data entry work for all the 30.96 lakh records… and integration of photographs and finger biometrics of 17.2 lakh… out of 20.6 lakh… has been completed.” Just how biometrics got included in the NPR without sanction from the 2003 Rules remains a mystery.
R.ESWARRAJ
DOING AN IRIS scan as part of collecting biometric details, at a post office in Mangalore on September 27.
With the introduction of biometrics into the NPR, the Home Ministry required technical expertise. The establishment of the Unique Identification Authority of India (UIDAI) in 2008 was partly to meet this requirement. If doubts remained, Home Minister P. Chidambaram clarified in 2009 that “MNIC has to be issued to every citizen, for which the government has decided to set up a UID authority.” The Home Ministry's annual report for 2008-09 went a step ahead and stated: “After the NPR is created, it will engulf the UID database, being far more comprehensive, and will become the mother database for identity purposes.”
The Home Ministry's plan was the following. To quote from the Census of India website: “Data collected in the NPR will be subjected to de-duplication by the UIDAI. After de-duplication, the UIDAI will issue a UID Number. This UID Number will be part of the NPR and the NPR Cards will bear this UID Number.” No prizes for guessing that Aadhaar is already compulsory. In the UIDAI parlance, the NPR is a “killer application”. A killer application is one that so “leverages Aadhaar” that every citizen is forced to get an Aadhaar number.
When the ownership of a “mother database” of citizens, including their biometrics, lies with the Home Ministry, there are reasons to worry. There is always the problem of “functionality creep”, where data collected serves purposes other than its original intent. There are many ways in which the state can use such a database against its own citizens. The database could be used to persecute marginalised sections of the population. The police and the security forces, if allowed access to the biometric database, could use it extensively for regular surveillance and investigative purposes. This can lead to a large number of human rights violations. Given that fingerprint matching is not error-free, such policing may further exacerbate human rights violations. A democratic society has to guard against such possibilities.
Questions of duplication
While the UIDAI was established to supply UID numbers to the NPR, the onus of data collection was with the Registrar General of India (RGI) under the Home Ministry. However, as an initial step, the UIDAI was allowed to enrol 200 million persons. It began this process by signing memorandums of understanding (MoUs) with “registrars”, who enrolled people either directly or through other agencies; the RGI was one of these registrars.
First, duplication of resources and work was built into this plan. There was one set of people whose data were collected by the RGI (“Group 1”) and another whose data were collected by non-RGI Registrars (“Group 2”). But data for “Group 2” could not be given to the RGI to be added to the NPR; the MoU signed between the RGI and the UIDAI did not allow for this. The MoU allowed transfer of information only for “Group 1”.
In other words, within the UIDAI's 200-million persons, duplication and wastage was already built in. Persons in “Group 2” now have to enrol again at an RGI centre. Not surprisingly, officials of the Comptroller and Auditor General (CAG) of India have made a quiet trip to the UIDAI office for an audit.
Secondly, if duplication is allowed to cross the 200 million mark, a major section of the population would have to enrol twice. This is the reason why the Home Ministry is now trying to recapture the responsibilities of enrolment. On its part, the UIDAI wants to continue with the old plan; whether the Cabinet will allow it is not clear yet.
WHITHER PRIVACY?
Another important concern is the project's potential to violate people's right to privacy. In most Western countries, projects to issue ID cards were shelved because of strong privacy concerns and adverse public opinion (see interview with Dr Edgar Whitley on page 29).
Privacy and culture
Is privacy a “Western” concept that does not apply to “eastern” societies like India, where “community-based” life predominates? Such a question is regularly raised in debates on Aadhaar. What this question ignores is that the right to privacy has the status of a shared global value (see A.G. Noorani's article on page 13). While the nature of notions around privacy differs across countries, every country has a temporally dynamic notion of privacy built into its culture. In other words, “an interest in self-governed choice” is not a by-product of “Western individualism”.
Martha Nussbaum, the renowned philosopher, has criticised the argument that privacy is a notion without value in India (see “Is Privacy Bad for Women?”, Boston Review, April/May, 2000). She writes that if the history of India is any guide, it only shows that “India draws certain concrete lines in different places than does America”. She further argues that “if we consider the general meanings of ‘privacy' typically acknowledged as most salient in American discussions, India also marks each of the notions as salient, and ascribes value to protecting the concerns that fall under them.”
To argue her point out, Nussbaum cites three cases. First, just as in the U.S., Indian “people recognise that certain types of information about oneself are privileged, and that it is bad for outsiders to publicise them without consent.” Secondly, she argues that “in India, as in the U.S., there is a deep concern for keeping certain parts of the body, and certain bodily acts, hidden from the sight of others – and also a more general concern that, whatever one is doing, one should not be watched without one's consent.” Thirdly, there is a strong “interest in decisional autonomy or liberty in certain areas especially definitive of the person”. All these lessons, Nussbaum says, are from “among the most ancient and deeply traditional concerns of both Hindu and Muslim cultures”.
It is clear then that privacy can be viewed as a globally valued “right”, “entitlement” and “freedom”. We can also work within the framework of individual freedoms elaborated by Amartya Sen. In Sen's framework, every freedom can have “intrinsic” and “instrumental” values. In the intrinsic sense, privacy enriches the lives of people in a substantive way and thus is “constitutive” of development. In the instrumental sense, privacy can be seen as contributing to other individual freedoms and socio-economic progress. It is from this standpoint that Sen has argued against consequence-independent absolute rights. Thus, the demand to trade-off one freedom for another (say, the “invasive loss” of privacy for “development”) is an untenable demand.
Aadhaar and privacy
It is disturbing then that privacy concerns are not discussed in any document of the government or the UIDAI. On the contrary, discussions around Aadhaar have involved open calls for sharing personal information with private companies. From 2006 onwards, there was a scheme titled “Unique ID for BPL families”, implemented by the Department of Information and Technology. While critics trace the origin of the UIDAI to the MNIC project, the UIDAI itself traces its origin to this scheme. In 2006, a working group of the Planning Commission examined the possibilities of improving upon this scheme and introducing smart cards linked to unique IDs of citizens. The working group report noted that:
“…[U]nique ID could form the fulcrum around which all other smart card applications and e-governance initiatives would revolve. This could also form the basis of a public-private-partnership wherein unique ID-based data can be outsourced to other users, who would, in turn, build up their smart card-based applications…. In the context of the unique ID, part of this database could be shared with even purely private smart card initiatives such as private banking/financial services on a pay-as-you-use principle….”
The callousness that this report displays in sharing personal information with private companies is astonishing. In India, one major threat to privacy arises from here: the promotion of private players in the provision of social services, such as education, insurance and health (see Mohan Rao's article on page 19). With the privatisation of social services, personal data would be transformed into commodities in the market for Aadhaar numbers. In such a context, promises to introduce privacy laws become weak tools to gain the trust of citizens.
IS BIOMETRIC TECHNOLOGY INFALLIBLE?
Among the technological features of Aadhaar, the collection of biometrics is most significant. Apart from biometrics, there is no systemic check to prevent “identity theft”. While there is agreement among biometric and legal experts regarding critical drawbacks of biometrics in proving identity beyond doubt, the Aadhaar project demonstrates extraordinary levels of faith in the infallibility of biometrics.
First, no accurate information exists on whether errors of fingerprint matching are negligible or non-existent. A small percentage of users would always be either falsely matched or not matched at all.
Secondly, a report from 4G Identity Solutions, a supplier and consultant for the UIDAI, recognises that people above 60 years and children below 12 years have difficulties in enrolling with fingerprints. Fingerprints of manual labourers are likely to be broken or eroded, apart from accidental damages to fingers from burns, chemicals, and other agents. Owing to such bad or noisy data, “the failure to enrol is as high as 15 per cent” in India; this involves a minimum of 180 million persons. If fingerprint readers are installed at MGNREGS work sites and PDS outlets, and employment or purchases are made contingent on authentication, about 180 million persons will be excluded from accessing these schemes.
Biometric Standards Committee report
Many of the misgivings with regard to biometrics were reaffirmed by the UIDAI's Biometrics Standards Committee. This committee conducted a sample study of 25,000 persons. Even in such a small sample, 2 to 5 per cent of the respondents did not have “biometric records”. Error rates increased by 2 to 3 per cent when the software was “untuned” to local conditions. The report also noted that sensors would not usually capture fingerprints accurately when women apply mehendi on their fingers.
NAGARA GOPAL
CAPTURING FINGERPRINTS AT a special booth set up at Patancheru in Medak district, Andhra Pradesh.
For iris images, the report did not provide estimates of error because of the “absence of empirical Indian data”. It recommended that iris images should be used only “if they [UIDAI] feel it is required”. The Proof of Concept (PoC) study of the UIDAI also does not inspire confidence regarding the potential of biometrics to work in large populations (see R. Ramachandran's article on page 25).
However, despite adverse technical reports, the UIDAI decided to proceed with the collection of fingerprints and iris images for the entire population. Given that the total project cost is over Rs.50,000 crore, it is but natural that hard questions are asked on these spending decisions.
“REFORMS” IN THE SOCIAL SECTOR?
“We have to rework the system. If we simply introduce UID without re-engineering the system, it wouldn't work,” said Montek Singh Ahluwalia, Deputy Chairman of the Planning Commission, in September. He is right. Aadhaar would drastically reform the architecture of welfare provisions and qualitatively restructure the state's role in the social sector (see articles on PDS (page 16), MGNREGS (page 122) and health (page 19)). This policy has two elements, both of which are constitutive of neoliberal policy in India.
The first is a shift from universalism to targeting. Aadhaar is not intended to expand social service provisions. Its aim is to keep benefits restricted to “targeted” sections, ensure targeting with precision, and thus limit the government's fiscal commitments. As Manmohan Singh stated in July 2010: “To reduce our fiscal deficit in the coming years,… we must [be]… reducing the scale of untargeted subsidies. The operationalisation of the Unique Identification Number Scheme… provides an opportunity to target subsidies effectively.”
The second is a shift from direct provision to indirect provision of social and economic services. Here, existing institutions of direct intervention are dismantled and replaced by new institutions of indirect provision. Aadhaar, as claimed, is not a tool of empowerment; it is actually an alibi for the state to leave the citizen unmarked in the market for social services.
Aadhaar as sufficient identity proof?
A key premise for Aadhaar is that inability to prove identity is a barrier that prevents the poor from accessing services. It is true that the lack of identity prevents a large number of poor from, say, getting a ration card or opening a bank account. Will Aadhaar be sufficient proof of identity to access these services? Will Aadhaar do away with the need to present other documents for proving identity? In all probability, the answers are in the negative.
For instance, the UIDAI claims that the Reserve Bank of India (RBI) has made Aadhaar a valid identity proof for opening a bank account. It also claims that this step would lead to rapid growth of financial inclusion. How accurate are these two claims?
Indeed, through a gazette in November 2010, the government added the letter from the UIDAI, with the Aadhaar number, to the list of documents that may be accepted as proof of identification. However, in a circular, dated September 28, 2011, the RBI clarified: “It is reiterated that while opening accounts based on Aadhaar also, banks must satisfy themselves about the current address of the customer by obtaining required proof of the same as per extant instructions.” In other words, even with an Aadhaar number, banks would continue to demand other “valid” documents.
Aadhaar for financial exclusion?
Despite the phenomenal spread of public banking in rural areas after 1969, a large section of the Indian people remain “unbanked”. One of the reasons is that many of the successes achieved between 1969 and 1991 were reversed by the financial liberalisation policies after 1991. For instance, a large number of rural bank branches were closed down in the 1990s and early 2000s. In any meaningful financial inclusion policy, opening of new rural bank branches has to be a priority. However, the government has other plans. For the government, the earlier “brick-and-mortar” model of rural banking is passé. The preferred option is to encourage “branchless banking”, and this is where Aadhaar becomes important.
In a working paper on financial inclusion, the UIDAI notes that taking banking to rural areas is an “expensive proposition”. Hence, opening rural branches becomes a “social responsibility rather than a business opportunity”. It suggests that Aadhaar can usher in “an era of ubiquitous branchless banking”. Instead of opening rural branches, the bank may simply appoint “business correspondents” (B.C.), who, with the help of hand-held biometric devices, perform banking functions. To promote the B.C. model, the RBI has already permitted the appointment of “for-profit companies” as B.Cs. The size of the “B.C. market” was recently estimated at Rs.3,000 crore. Just by routing MGNREGS wages, the B.Cs are likely to earn up to Rs.600 crore a year as commission.
The B.C. model has already triggered adverse outcomes in rural areas. On March 18, 2011, an internal circular of the State Bank of India noted that B.Cs were “found to indulge in malpractices, such as asking for unauthorised money, over and above the bank's approved rates of charges from the customers”. It noted that “gullible customers” are being “exploited”, posing “serious risk” to the bank's reputation. During discussions with a leading bank union, I was told that B.Cs regularly extracted Rs.100 to 150 per gold loan in many south Indian districts. One newspaper recently quoted a B.C. employee in Punjab thus: “75 per cent of B.C. agents are village sarpanchs or their kin.”
To conclude, a project of the size and cost of Aadhaar should not be pursued without wider discussions among the public and in Parliament. Such projects should inspire public trust and confidence. However, the undue haste displayed by the proponents of the project raises many questions. The sad part of the story is that there are no satisfactory answers.
R. Ramakumar is Associate Professor at the Tata Institute of Social Sciences, Mumbai.
http://www.flonnet.com/stories/20111202282400400.htm
How reliable is UID?
R. RAMACHANDRAN
At the technical level, the question is whether the technology deployed for identification will return answers that are unambiguous.
K. MURALI KUMAR
Biometric scanning of fingerprints during the launch of UID enrolment at the General Post Office in Bangalore on June 24.
THE Unique Identification (UID) project, the national project of the Government of India, aims to give a unique 12-digit number – called Aadhaar – to every citizen of the country, a random number that is generated and linked to a person's demographic and biometric information. The key word is “unique”. Launched in 2009 with the objective of reaching various benefits such as the public distribution system (PDS) to the poor, better targeting of developmental schemes such as the Mahatma Gandhi National Rural Employment Guarantee Scheme (NREGS) and enabling services such as the opening of a bank account, this uses technology based on a biometrics recognition system. Significantly, there will only be a UID number and no UID card as had been proposed earlier by the National Democratic Alliance (NDA) regime.
The advocates of the project believe that this will eliminate the multiple bureaucratic layers that the people of the country, particularly the rural poor, are confronted with and the multiplicity of documents that they have to present in order to access their legitimate entitlements, and the channels of corruption that these have bred over the years. But it has been clearly stated that “Aadhaar will only guarantee identity, not rights, benefits or entitlements”. It is only envisaged as a “robust” mechanism to eliminate duplicate and fake identities by uniquely verifying and authenticating genuine beneficiaries and legitimate claimants.
After authentication by a centralised database of biometric and demographic information to which service providers will be linked, this unique identification number alone will enable every individual to access services and entitlements anywhere in the country and at any time. The centralised database, Central ID Repository (CIDR), will be maintained and regulated by the UID Authority of India (UIDAI), which has been set up with the technocrat Nandan Nilekani, former co-chairman of the IT enterprise Infosys, as its chairman.
So will the system do what it claims it will? Socio-political issues and those of ethics and breach of privacy have been raised in this regard in different quarters. But purely at a technical level, the question is whether the technology deployed for identification will return answers that are unambiguous. Can it be that definitive that the authentication and verification made by matching the presented data with the stored data for a given individual in the CIDR will be unique and refer only to that individual? Are there no errors in such biometric systems?
What is biometrics? Biometrics, as defined by the report of the Whither Biometrics Committee (2010) of the National Research Council (NRC) of the United States, “is the automated recognition of individuals based on their behavioural and biological characteristics. It is a tool for establishing confidence that one is dealing with individuals who are already known (or not known) and consequently that they belong to a group with certain rights (or to a group to be denied certain privileges). It relies on the presumption that individuals are physically and behaviourally distinct in a number of ways.” The UID biometric system is a “multi-modal” one and uses data on the ten (single) fingerprints, palm print or slap fingerprint (which combines the features of fingerprints and hand geometry), iris characteristics and facial images of every person.
The NRC study concludes thus: “Human recognition systems are inherently probabilistic and hence inherently fallible. The chance of error can be made small but not eliminated…. The scientific basis of biometrics – from understanding the distribution of biometric traits within given populations to how humans interact with biometric systems – needs strengthening particularly as biometric technologies and systems are deployed in systems of national importance.” A biometric identification system basically involves the matching of measured biometric data against previously collected data, the reference database, for a given individual. Since the sources of uncertainty in a biometric system are many, this can only be approximate. So biometric systems can only provide probabilistic results.
Sources of uncertainty
The sources of uncertainty include variations in biological attributes both within and between persons, sensor characteristics, feature extraction and matching algorithms. Traits captured by biometric systems may change with age, environment, disease, stress, occupational factors, socio-cultural aspects of the situation in which data submission takes place, changes in human interface with the system and, significantly, even intentional alterations. This would be so particularly of the poor engaged in labour-intensive occupations such as farming, where hands are put to rough use causing weathering of finger and hand prints. Recently, it has also been shown that the three “accepted truths” about iris biometrics involving pupil dilation, contact lenses and template aging are not valid. Kevin Bowyer and others from the University of Notre Dame, U.S., have demonstrated that iris biometric performance can be degraded by varying pupil dilation, by wearing non-cosmetic prescription contact lenses, by time lapse between enrolment and verification and by cross-sensor operation and that all these factors significantly alter the matching done to identify an individual uniquely.
According to the NRC report, there are many gaps in our understanding of the nature and distinctiveness and stability of biometric characteristics across individuals and groups. “No biometric characteristic,” it says, “is known to be entirely stable and distinctive across all groups. Biometric traits have fundamental statistical properties, distinctiveness, and differing degrees of stability under natural physiological conditions and environmental challenges, many aspects of which are not well understood, especially at large scales.” (Emphasis added, given its particular relevance to the UID, which has to deal with 1.21 billion registrations in the database.)
Calibration changes and aging of sensors and the sensitivity of sensor performance to variations in the ambient environment (such as light levels) can affect the measurements. Biometric characteristics cannot be directly compared, but their stable and distinctive features are extracted from sensor outputs. Differences in feature extraction algorithms – chiefly pattern recognition algorithms – can affect performance, particularly when they are designed to achieve interoperability among different proprietary systems. However, in the case of UID, customised enrolment and extraction software are supposed to have been used in all systems used by enrolment (registration) agencies across the country. The same will have to be done for systems at the service provider level, where a beneficiary's data will be captured for authentication. Similar will be the issue with regard to matching algorithms. However, since matching is generally expected to be done at a centralised database at CIDR, only the algorithm's performance or sensitivity in handling variations in biometric data presented will be important, but this needs to be known and quantified.
Biometric match
A fundamental characteristic of a biometric system is that a biometric match represents “not certain recognition but probability of a correct recognition, while a non-match represents a probability rather than a definitive conclusion that an individual is not known to the system”. Thus, even the best designed biometric systems will be incorrect or indeterminate in a fraction of cases, and both false matches and false non-matches will occur. Recognition errors of biometric systems are stated in terms of false match rate (FMR) – the probability that the matcher recognises an individual as a different enrolled subject – and the false non-match rate (FNMR) – the probability that the matcher does not recognise a previously enrolled subject. (Correspondingly, 1–FNMR means the probability that a trait is correctly recognised and 1–FMR that an incorrect trait is not recognised.)
“Assessing the validity of the match results, even given this inherent uncertainty,” the NRC report points out, “requires knowledge of the population of users who are presenting to the system — specifically, what proportions of those users should and should not match. Even very small probabilities of misrecognitions — the failure to recognise an enrolled individual or the recognition of one individual as another — can become operationally significant when an application is scaled to handle millions of recognition attempts. Thus, well-articulated processes for verification, mitigation of undesired outcomes, and remediation (for misrecognitions) are needed, and presumptions and burdens of proof should be designed conservatively, with due attention to the system's inevitable uncertainties.”
India's current population is 1.21 billion and the UID scheme aims to cover all the residents. No country has attempted an identification and verification system on this scale. Though enrolment for the proposed system is stated to be voluntary, it will be on an unprecedented scale because a potential beneficiary can be denied access to a particular scheme or service if the individual does not enrol himself/herself and obtain the Aadhaar number. Indeed, many countries that had launched a biometric identification system have scrapped the idea as there are many unanswered questions about the reliability of a biometric system for the purposes they had considered it. It should be remembered that the objective of the Indian system is developmental, rather than security and related issues that countries of the West have been concerned with, and is aimed at delivering specific benefits and services to the underprivileged and the poor of the country. The envisaged system is also correspondingly different from those proposed elsewhere. To see if the system envisaged by the UIDAI meets these criteria and can deliver unique identification of all, it is important to understand the way the system is supposed to work.
The process
The process of enrolment that is currently on – already about 70 million have enrolled – involves presenting oneself to one of the agencies, termed registrars, identified by the UIDAI for enrolment purposes across the country. This involves the registrar recording the individual's properly verified basic demographic information – which includes name, address, gender, date of birth, relationship – and capturing biometric information – which includes palm print (slap fingerprint), ten single fingerprints, iris imaging and face imaging – and this is encrypted and transmitted to the UIDAI electronically, including physical transmission using pen-drives for locations that lack any data connectivity. In principle, unknown errors or data corruption could occur at the transmission stage.
Even assuming that the transmission is perfect, data presented during enrolment need to be compared and checked to avoid duplication – “de-duplication” – and thus prevent any fraud. Otherwise one individual may end up with two Aadhaar numbers. So any new set of biometric data – fingerprints and iris prints – need to be compared with those of already enrolled individuals and shown to be different from every other set. This comparison was trivial when the first person, Ranjana Sonawne of Tembhli village in Maharashtra, enrolled because there was no one before that to be compared against. But it is clear that when the nth person goes to enrol, the data will have to be compared against the already enrolled n–1 sets of data. So registrars will send the applicant's data to the CIDR for de-duplication. The CIDR will perform a search on key demographic fields and on the biometrics for each new enrolment so as to minimise duplication in the database.
Can one totally eliminate duplication? As noted earlier, this will depend on the FNMR which, in a probabilistic system, will be a finite number, however small. So there will be a small but finite probability for duplication to occur. It is easy to see that this matching exercise will involve n(n-1)/2 comparisons, which, as n becomes large, obviously, is a highly computationally intensive exercise requiring large computing power. The number of comparisons will be several orders of magnitude more than the numbers enrolled. So in a population of 1.21 billion, when the (1.21 billion+1)th person comes in to enrol, the CIDR server will have to perform about 700 million billion (7x10 {+1} {+7}) comparisons. This may seem mind-boggling, but a modern-day high-performance computer can do this pretty fast. And since such a de-duplication exercise will be done off-line before issuing the Aadhaar numbers, the time involved in doing the comparisons is not the issue. The key issue is the magnitude of probabilistic error in these comparisons. In case of a false match, for example, the system will reject a genuine applicant. A computer cannot resolve FMR and FNMR cases; it has to be done physically by tracking down individuals and carrying out the re-enrolment-cum-matching exercise.
One way to improve the performance (reducing error rates) of the biometric system is to use the multimodal approach. Data from different modalities – face, palm print, fingerprints and iris in the UID case – are combined. Such systems obviously require different kinds of sensors and software (essentially different algorithms) to capture and process each modality being used for comparison. Already, using 10 single fingerprints provides additional information compared with a single fingerprint and this improves the performance, especially in very large-scale operations. Of course, this will be computationally intensive, particularly when matching is to be done from among millions of references in the database. Multimodality, in addition, will require even greater computational resources.
(Spoofing a single fingerprint has been demonstrated to be possible and such an impostor fingerprint can be used to fool a biometric reader. But this seems nearly impossible to do for all the 10 fingerprints and the palm print without being caught. And, combined with multimodal comparison, chances of such impersonation become extremely low.)
Error rate
The crucial issue, therefore, is the error rate and how many false positive identifications and false negative identification cases can potentially arise? A Proof of Concept (POC) exercise was carried out by the Authority with 40,000 subjects, divided into two sets of 20,000, in rural Andhra Pradesh, Karnataka and Bihar. This was done to analyse data from rural groups where quality of fingerprints is likely to be uneven.
For POC analyses, only 10 fingerprint data and two iris data were used. The face biometric was not used. According to the report, the study – which clearly was a multimodal one – observed an FNMR – that is a person is identified to be a different individual and re-enrolled resulting in duplication – of 0.0025 per cent.
Similarly, the study observed an FMR – where a new applicant is rejected because of false matching – of 0.01 per cent using irises alone and 0.25 per cent with fingerprints alone. But the concluding claim of the report that “by doing analysis as shown in the examples above on real data captured under typical Indian conditions in rural India, we can be confident that biometric matching can be used on a wider scale to realise the goal of creating unique identities” is clearly misleading as the order of magnitude of such cases of misrecognition in the real situation involving much larger numbers (say hundreds of millions) will be pretty large. The corresponding exercise of resolving these cases would be huge. If not resolved, large numbers would either be denied the benefits due to them or large number of impostors would get benefits that are not legitimately theirs because of inherent errors in the technology.
Also, as the NRC report emphasises, “Although laboratory evaluations of biometric systems are highly useful for development and comparison, their results often do not reliably predict field performance. Operational testing and blind challenges of operational systems tend to give more accurate and usable results than developmental performance evaluations and operational testing in circumscribed and controlled environments.” As against this one-to-many comparisons at the stage of identification of an individual during the enrolment process, the process of authentication or verification when a claimant presents his/her UID number is a case of one-to-one match. The process of Aadhaar authentication, as outlined by the UIDAI, is as follows:
Aadhaar number, along with other attributes (including biometrics), is submitted to the UIDAI's CIDR for verification. The CIDR verifies whether the data (demographic and/or biometric) submitted match the data available in the CIDR and respond with a “yes/no” answer. No personal identity information is returned as part of the response. And this process can be done online by the service provider linked to the UIDAI. But the authentication is based entirely on the Aadhaar number submitted so that this operation is reduced to a 1:1 match (emphasis added).
This means that the Authority has only to match the presented data with the copy of the individual's biometrics that was captured earlier and stored in the CIDR corresponding to that UID number. The CIDR will, in turn, say ‘yes' or ‘no' to a particular query on, say, the demographic information of the individual, which can be verified against documents such as Proof of Address (PoA) or Proof of Identity (PoI) by the service provider. This is quite different from the verification required in biometric systems for security purposes, say entry through airports, where every verification procedure may be a one-to-many matching exercise. But authentication, despite being a 1:1 match, could have its own error rates largely arising from inevitable human errors, especially in large-scale implementation – for example, transmitting the wrong Aadhaar number or wrongly keyed-in query – and since the system is designed to answer only in “yes/no”, the service provider, say NREGA, may not be in a position to know that the error has originated at the agency-end itself. While, in principle, the UID number holder should be able to crosscheck what is being transmitted, in the rural Indian context, given the level of illiteracy, this may not always happen.
More pertinently, the verification process could itself become the channel of new ways of corruption. Suppose the service provider deliberately transmits the wrong Aadhaar number during the authentication process and in return obviously gets a ‘no” for an answer to any query pertaining to the claimant of service or benefits that he/she is entitled to. Now this could become the basis of corruption. The service provider could say that the service/benefit can be provided – which the claimant is entitled to legitimately – on payment of ‘x' amount of money.
This socio-cultural trait of corruption will always find new ways of doing it, especially when such a project is sought to be implemented on such a countrywide scale involving hundreds of million transactions. It is not clear how this manual error – deliberate or otherwise – at the man-machine interface in the UID system can be avoided on a real-time basis during the interaction between a potential beneficiary and the service provider. In addition to probabilistic errors in the biometric identification scheme, perhaps such issues could also become cause of real concern.
http://www.flonnet.com/stories/20111202282402500.htm
Why it failed in U.K.
R. RAMAKUMAR
Interview with Dr Edgar Whitley, research coordinator of the London School of Economics Identity Project.
BY SPECIAL ARRANGEMENT
Edgar Whitley: "There was the question of the scheme's legality."
DR EDGAR WHITLEY is Reader in Information Systems at the Information Systems and Innovation Group in the London School of Economics and Political Science. He has a PhD in Information Systems from the LSE. His research and practical interests include global outsourcing, social aspects of IT-based change, collaborative innovation in an outsourcing context, and the business implications of cloud computing. He is also an expert in identity, privacy and security issues relating to information- and Net-based technologies.
Whitley was the research coordinator of the LSE Identity Project and represented the project at the Science and Technology Select Committee review of the scheme. He has written extensively about the United Kingdom's identity cards programme for both academic and trade audiences and is a frequent media commentator on the scheme. His recent publications include work on the technological and political aspects of the programme. In 2009, he co-authored with Gus Hosein a book titled Global Challenges for Identity Policies (Palgrave Macmillan, Basingstoke, U.K.). He spoke to Frontline at his LSE office on October 18.
Thank you Edgar for agreeing to do this interview. You would have guessed that the decision to do this interview is inspired by certain recent events in India, where an identity project largely similar to the project in the United Kingdom is being implemented. In your view, what were the major reasons behind the U.K. government's decision in 2004 to bring in an identity card project? Was there only an “internal security” dimension to it? Or were there other dimensions, too, such as “developmental”?
In many ways, this is a really great question to begin the interview, because it is kind of a puzzle that we have never been able to find a satisfactory answer to ourselves. The idea of having identity cards has been one that almost every Home Secretary had at least thought about and had some consultations with civil servants at some stage, before they backed out. So, in the U.K., in 2002, there was a discussion about “entitlement cards” that slowly gave way to “identity cards”. I think the idea that there was a single policy reason or a few policy reasons behind the identity card project would not fit the facts well. If you take entitlements to access public services, then a few features of the project could be thought of as leading us to such a view. If you take national security, then, certain other features of the project could be thought of as leading us to such a view. In addition, there was a real space where I could have jokingly said about the reasons behind the project as: “Oh, it is Tuesday today, so for today ‘X' might be the reason behind the project.” This was partly the way the description, discussion and arguments for the project evolved over time, both naturally as a policy development and in response to the challenges and questions that the project faced at each point of time.
So, by about 2009, when the popularity of the project was faltering badly, to put it mildly, emphasis suddenly moved to enabling young people, who did not necessarily have a detailed credit history or biographical footprints, to be able to prove who they are for frequent transactions, such as opening a bank account or registering for a mobile phone number, and so on. This particular strategy was a response to the fact that other claims were not proving to be successful, as they had initially hoped. Another argument was that this scheme would help to build confidence in people working in airports, which was a typical “national security” reason. But the airport unions fought back against it and they had to limit it to two small trial projects in two small airports. During other times, some of the arguments put forward were responses to policy design decisions. So, sometimes they thought it may be better to emphasise the idea that the ID card can be used to travel freely across Europe without carrying passports.
So, the claims and responses kept changing. That is why I said it was a great question to begin this conversation. If the idea of having a centralised database was to address questions of identity fraud, so that people would not have more than one identity card, then there were other ways in which you could do that without resort to such centralisation of personal information. So, I suspect there was a broad kind of direction; when some aspects of the project appeared to be faltering in popularity, other claims were made, and this process continued as the project evolved.
Discrimination concerns
Was the “entitlement card”, linked to the ID card project, linked to reforms in the National Health Services (NHS), that is, to reduce leakages?
It was essentially about concerns about people who were not entitled to public-funded services like the NHS having access to them. So, if students were entitled to the NHS during the period of their study, and they didn't return to their home country, maybe you could argue that fraud could be reduced if you insist that the ID card should be produced at the NHS centres. But there are practical problems that emerge from this policy. The counter argument was that this makes the doctor a receptionist, equates him to a border official, having to do duties way beyond what he was reasonably expected to do. Further, this also rewrites what citizenship or entitlement actually means.
There is also a very practical risk of discrimination. If a surgeon is doing this checking for entitlement, and I, as a white middle-class male, come along and say, “I am sorry, I don't have my card with me, but I would like to book a doctor's appointment”, will I be treated in the same way as a U.K. national whose skin colour is not white and first language is not English? The latter might be checked more despite the fact that their entitlement is exactly the same as mine, and there are consequential concerns of discrimination that are very serious.
What were the major arguments in the LSE report?
We had argued that the ID card system could offer some basic public interest and commercial sector benefits. But we also identified six key areas of concern with the government's plans. First, evidence from other national identity systems showed that such schemes performed best when established for clear and focussed purposes. The U.K. scheme had multiple, rather general, rationales, suggesting that it had been ‘gold-plated' to justify the high-tech scheme.
Secondly, there was concern over whether the technology would work. No scheme on this scale had been undertaken anywhere in the world. The India project is, of course, even bigger. Smaller and less ambitious schemes had encountered substantial technological and operational problems, which may get amplified in a large-scale national system. The use of biometrics created particular concerns, because this technology had never been used on such a scale.
Thirdly, there was the question of the scheme's legality. A number of elements of the scheme potentially compromised Article 8 (privacy) and Article 14 (discrimination) of the European Convention on Human Rights. The government was also in breach of law by requiring fingerprints as a pre-requisite for receipt of a passport. There was a lot of talk from the proponents about international obligations. However, the report found no case as to why the ID card requirements should be bound to passport documents.
Fourthly, we felt that the National Data Register was likely to create a very large data pool in one place that could be an enhanced security risk in case of unauthorised accesses, hacking or malfunctions.
Fifthly, according to us, an identity system that is well accepted by citizens is likely to be far more successful in use than one that is controversial or raises privacy concerns. This was important in order to realise the public value that citizens would want to carry their ID cards with them and to use them in a wide range of settings.
Finally, the cost part. Compliance with the ID cards Bill would have meant that even small firms would have had to pay £250 for smartcard readers and other requirements, which would have added to the administrative burdens that firms faced.
You have argued in the report that the “scheme should be regarded as a potential danger to the public interest and to the legal rights of individuals”. Was privacy the legal right you were referring to?
Yes, privacy in terms of the data controlled by the government. There was a separate concern about the audit trail. So, when you entered into a transaction where you had to produce your ID card, the design of the system was such that a record would be kept of every such verification. Good idea, because it allows you to check for forgery in transactions. However, the negative version of that is it provides a detailed record of every transaction you have done, which can be of interest to either people browsing the database or to security services or whoever. The record here wouldn't be just that your identity was verified; there would be a little more data associated with the transaction. For example, you went to Health Clinic Number 45. They used your card and your fingerprint there for verification. They did this at 12:37 hours. There is a series of metadata associated with that visit that would be there in the audit trail. And, of course, it wouldn't take very long to realise that, actually, Health Clinic Number 45 is a sexual health clinic. If the audit trail also shows that you were there on a number of occasions, it might be reasonable to infer certain kinds of things that you perhaps do not want to disclose. Some things are not necessary to be disclosed, but which are being recorded and stored in an accessible way to various people because of the way the system is designed.
A second concern was with the way biometrics was being used. Although fingerprints and iris scans are useful ways of linking a person to their biometric, one problem if you take straightforward images is that they aren't revocable. So, if you have a password for your e-mail account, and you realise that someone has broken into your e-mail account, you can always reset your password. If the biometric is stolen, the possibility of revoking it becomes almost impossible. It's gone.
“Death of privacy” is what some argue in the wake of the massive technological advances that we have had. Your comments.
That is just one way of looking at the technological advances. To my mind, it is an overly deterministic proposition. What you are doing here is not allowing for user choice of designs and not allowing for innovative alternative designs. It's a too straightforward view. Clearly, there are privacy concerns that are more difficult to address with the new technologies. The fact that when you visit a web page, they know where you came from, what your browser configuration is, what plug-ins you have, what screen resolution, and so on. You could be pretty uniquely identified just from the browser. But there are things that you can do. You can do private browsing, you can have do-not-track options, you can delete your cookies and if you are really sophisticated, you could also do things like onion routing. There are also opportunities for companies to declare themselves as privacy-friendly, and they could be good competitors to other companies that are not so privacy-friendly. So, the idea of “death of privacy” is too simplistic a view.
There are always alternatives; there are always different ways in which a society can respond to these kinds of concerns and issues. There are always possibilities to have privacy-enhancing means of identification. For instance, you could have an ID card with a chip, which has your fingerprint, or a part of it, stored as a template. It is not stored in any central database, but it is in the chip of your card and your card is with you.
So, when you have to prove that you are you, you could just swipe the card and give your fingerprint, after which you could be identified as the bearer of that card. No one gets your information stored in that card. That's a privacy-friendly way of identification.
The first generation technology here are chip cards, the second generation technology is stickers on your mobile phones and the third generation technology is a chip inside your mobile phone. The chip may have your name, your database, your fingerprint template and a little bit more data on who issued it and all that. But nothing about where you have been, no audit trails, no records and thus, privacy-enhancing.
Are there countries that have tried these methods?
This has not yet become the obvious way to do it because it takes a while to get your head around. The point here is that you need to understand what it is that you want. Technically, you only want proof that the person is himself and a little bit more.
Biometric matching
You were very critical of the technology of biometrics being used in the project. You argued that “the technology envisioned for this scheme is, to a large extent, untested and unreliable”. Was this assessment based on technical inputs from biometric experts? Could you elaborate on the comments from biometric experts?
We used some feedback from biometric experts, but we also independently looked at already published research work on biometrics. Certainly, in terms of the untestedness, the scales of studies that had been done for both fingerprints and iris scans were fairly limited.
There were far better performance results on a 1:1 match. So, this is Edgar's fingerprint on the database, here is Edgar, we do 1:1 match; this is more likely to work. But that was not how the U.K. was planning to use it. The U.K. was trying to use biometrics to also prevent duplicate identities. The idea was that even if I try to enrol twice, and even if I had created a fake biographic identity (say, a John Smith with a different address), when my fingerprint came in for a second time, the system should come along and say: “We know this fingerprint, and this belongs to Edgar Whitley” and not say, John Smith. Here, you have to match every single biometric with every single previous biometric.
Biometric matching is not a perfect process. There is an element of judgment, and there will always be the result: “This fingerprint is pretty close to three other fingerprints”, which you then need to check manually and figure out. But this increases the cost, let alone concerns about reliability.
Now, there is always a possibility of a fraudulent use; that is, if I am really John Smith, I could have applied with Edgar Whitley's biographical details. That's possible, though difficult.
So, for instance, victims of domestic abuse could be given a completely new identity with a stolen set of biometrics.
You also have major issues with gender reassignment, which will create unnecessary interferences into your private life.
The U.K. project was to have iris scans, but they were dropped later. Was there a reason?
Iris scans were always present in the documents that were discussed in Parliament. The proponents of iris scans claim that they are far better than fingerprints at differentiating people. That is because you collect a far larger number of data points in your iris scan than in the fingerprint. The problem with the iris biometric at that time was that the set-up for the capture of the iris biometric had to be well managed.
If there is a sudden good sunshine, very noticeably the room is brightened up. So, you need to potentially adjust your iris-capture device to allow for those kinds of set-ups. But we know from the experience of airports that iris devices often have problems in operating at their full performance level; airports are designed by architects, and architects use lots of glass and open space, which allow for light to come in seamlessly and brighten up the space. This creates a lot of problems for iris recognition systems.
There is also interesting empirical research that shows that as you move from one version of the technology to newer versions, you get performance differences because they capture iris images slightly differently.
So, you don't get quite the same results in matching as you move with versions. These were the reasons why the U.K. government dropped iris scans from the plan in 2006.
What was the nature of the response among the British people to the identity project? Were there mass protests? Or was it mostly through the social media that the protest spread? And, was it due to these protests that the project was finally shelved in 2010?
It got scrapped because the parties that came to power were opposed to it. In practice, you don't vote on the basis of your view of one single scheme. There was a lobby group called “NO2ID”, which was very effective in getting the message out about their concerns with the whole process. I was on their mailing list, and every week, along with the news items on the scheme, there was also information on where meetings were to be held, where you could meet MPs and ask questions about the scheme, and so on. Scores of local activists got involved in this, again from both the Left and the Right. This was no civil disobedience movement, but just explaining what these proposals were and what they are going to mean, and trying to convince people over what some of the dangers were.
They were also continuously talking to journalists and explaining what this meant in practice, at levels of detail. They kept telling journalists why biometrics could not be the “magic bullet”. The press coverage was overwhelmingly comfortable with that critical analysis.
The technology press and its science and technology correspondents were eager to deal with these questions. They asked those questions. So, there was general awareness building in a major way.
Have you been following the Indian debate around unique ID numbers? Any views?
I have been following it one step removed. We have been speaking to people though. I think in India, too, it is important to raise these policy questions that I referred to just a while back.
Thank you very much, Edgar.
http://www.flonnet.com/stories/20111202282402900.htm
