Infallible data protection law in the context of Biometrics

The word, Biometric is a combination of two greek words bio meaning ‘life’ and metric meaning ‘to measure’.
The very synthesis of the word itself speaks volumes about the potential scope of the revolutionising advancements it has and can bring in human lives along with the associated vulnerabilities and dangers that are attributed to it.
A widely accepted definition of Biometric is, the measurement and statistical analysis of people’s unique physical and behavioral characteristics. This is mainly employed by technologies for identification and access control, or for identifying individuals who are under surveillance. The basic premise of biometric authentication is that every person can be accurately identified by her or his intrinsic physical* or behavioral** traits.
* physical: facial-recognition, fingerprints, finger geometry (the size and position of fingers), iris recognition, vein recognition, retina scanning, voice recognition and DNA matching.
** behavioral traits: the unique ways in which individuals behave/act, includes recognition of typing patterns, walking gait and other gestures.
This article endeavors to build a case as to ‘Why we need a strong and an effective data protection law which safeguards an individual’s biometric data’.
Reasons that have led to the acceptance of this technology primarily focus on the aspects of security (owing to the belief that it is unique and cannot be spoofed or duplicated) and greater efficiency of the system. Although these factors are often driven by governmental policies, corporate interests and an overall change in the moods of the common population (especially, young populations that seem to be ever more welcoming of new technologies).
Also, the rationale devolved by governments about the use of Biometric (BM) systems can range anywhere from being enablers for transparent and effective public delivery mechanisms, building huge surveillance & security grids to weeding out ghost entries in compromised socio-economic databases, depending upon the individual requirement of the countries.
But If there is one other factor that has promoted the rise of BM in personal spaces of individuals it is: convenience.
The ‘convenience’ that has brought about ideas like ‘why should I have to remember pins or passwords now?’ let me just unlock my device/house/car with my fingerprint; has single-handedly steered the expansion of BM based systems in consumer electronics and retail shopping sectors.
The rise of BM has triggered almost an arms race in the electronics and mobile phone industry; even a low/mid-range smartphone manufacturer cannot afford to unveil a phone without a tacky fingerprint sensor at the back.
‘’ It is in the backdrop of these widespread applications of biometrics that many organisations, activists, tech. enthusiasts have felt obligated to raise questions about the vulnerabilities and dangers that may stem from it. ‘’
But my ‘Aadhaar’ is safe. … haina?
At a time when the Government of India is making authentication through Aadhaar mandatory for an increasingly large number of services, and Aadhaar being integrated by private companies for everything from signing for sim cards to being printed on Jet Airways boarding passes, the need for meaningful user privacy protections has never been greater keeping in view the recent incident where a citizen was able to buy all of the demographic data inside the Aadhaar database for a sum of Rs. 500.
In a scenario like and amid a national debate over the Aadhaar (national biometric identity database) the Supreme Court of India ruled unequivocally that privacy is a fundamental right guaranteed by the Indian Constitution. It is now incumbent upon the government to enact a law protecting this right, even as litigation around Aadhaar continues. The TRAI consultation is one of several parallel processes to help shape a comprehensive data protection law; others include the Ministry of Electronics and Information Technology Committee of Experts (the Srikrishna Committee). Numerous activists, organisations particularly the Mozilla Corporation (a renowned pioneer for user privacy and data protection) have recently filed comments with the Telecom Regulatory Authority of India (TRAI) in response to their consultation paper “Privacy, Security, and Ownership of Data in the Telecom Sector.” [1]
The thorough and thoughtful TRAI consultation paper asked several important questions, including: what should be the definition of personal data? How can users be empowered with choice and control? When should consent from users be obtained? What should be the responsibilities of data controllers? What should enforcement look like? What measures should be considered in order to strengthen and preserve the safety and security of telecommunications infrastructure and the digital ecosystem as a whole?And many more.
The ideal biometric data privacy law must ENSURE:
1. Multi-layered security and verifiable practices: Right from sourcing and collection of data, adequate security mechanisms must be incorporated inside the system. Tokens and hashes should be used for authentication instead of actual numbers, names and addresses. Human corruption (at the database facilities) as the weakest link in the chain must be addressed comprehensively.
2. That there should be no surprises in the usage of biometric data: Usage and sharing of information should occur in a way that is transparent and benefits the user.
3. Users are always in control: All the services and products put users in control of their data and online experiences. [2]
4. Limited collection of data: Collecting what is needed, de-identifying and deleting when no longer necessary. [2]
Biometric data should not be perfunctorily compared with other regular forms of data because of its unique and extraordinary relation to an individual’s identity. Any lapse or mishandling with biometric data can have damning consequences not just for the individual but the system as a whole.
REFERENCES:
[1] Mozilla Aadhaar Take Action document.
[2] Data Privacy Principles by mozilla.org .
(The writer a Data Science enthusiast & Final year student at Department of Computer Science & Engineering, North Campus, University of Kashmir. twitter: @moonisali)