By Kam Sandhu
Have you ever thought about what cybersecurity means? Amongst the new normal of electronic passport checks, data breaches, fingerprint phone verification and digital convenience entering our collective lives, have the wider political implications, possibilities and threats ever been properly explained?
We have already entered a period of ‘opaque transparency’, where our digital footprints reveal more about us than we could know ourselves. Simultaneously state and technology have become more covert than ever. Government sponsored ads promoting cyber awareness feel disingenuous at best, as new powers of surveillance make the state one of the biggest beneficiaries. Along with tech companies reaching new levels of monopoly power, both retreat from publicising their intentions.
In this environment, the second birth of biometric technology is underway. Having been abandoned by the US and UK in the years before 2010 for unreliability and intrusiveness, its re-introduction differs depending on where and who you are.
Normalisation of biometrics on smartphones and increased use of scanning at airports has seen a gentle, reasonable and even novel take up in the UK. In the developing world however, this experience is characterised far more by aggression and coercion into surrendering a permanent ID tag. Amongst lax laws and poor populations in countries such as India, which now has the largest biometrics database in the world, government, private companies and technology are running amok.
The Aadhaar ID System
On 24th August, a nine judge bench of the Indian Supreme Court ruled that privacy was a fundamental human right, in a landmark case against the Indian government.
The litigation revolves around India’s Biometric ID system (Unique Identification (UID) or Aadhaar), which since its launch in 2010 has seen over a billion people enrolled. UID was initially promoted as free, voluntary, confined to improving government efficiency, and in aid of the ‘needy’ and ‘undocumented’, to ease their access to state help. But it has since been frenetically expanded by the government; opening up the database to private and financial companies, while making enrolment mandatory in order to access welfare provision. This leaves citizens in a Catch 22; often forced to hand over biometric details (including fingerprints and iris scans) to a broadening system they cannot exit. All this amidst a series of several serious leaks including the data of millions of citizens, as authorities seem to be ignoring security warnings about the world’s largest biometrics database.
Usha Ramanathan, a law researcher and leading voice against the ‘function creep’ of UID, described Aadhaar as ‘the marketing con job of the century’ in 2014. Ramanathan has documented the government’s fervent expansion which already railroaded a previous Supreme Court ruling demanding mandatory enrolment be restricted to 6 select public distribution services (PDS) for food grains and cooking oil; ‘the production of an Aadhaar will not be a condition for obtaining any benefits otherwise due to a citizen,’ the Court said. Yet UID was made a requirement in over 50 services including access to children’s midday meals, rehabilitation and therapy for HIV. Add to this new mandatory details linked to the 12-digit identifier, including marriage registry, tax records, mobile phone numbers and more, and you are on your way to creating a mass surveillance project in absolute terms.
There had been no express provision for privacy in Indian law before the Supreme Court’s ruling. However, attorney generals acting for the government were forced to argue against its very notion, producing some dramatic moments during the case where the government was forced to articulate, in defence of Aadhaar, that Indians not only had no right to privacy, but no divine right over their own bodies. They added that in a poor, developing country, demanding a right to privacy was ‘Western’ and ‘elitist.’
These seem to accurately echo the sentiments of Prime Minister Narendra Modi who has made short work of liberalising Indian citizen data. A 2016 bill allowed private company use of Aadhaar as verification for any purpose, and 2017 brought ‘Aadhaar pay’ – a cashless payment platform allowing peer to peer transactions using UID. This was promoted as the post-demonetisation strategy.
Demonetisation saw the Indian government remove, overnight, the two largest notes in Indian currency – amounting to 86% of the country’s cash – on 8th November 2016. Modi said it was a needed tough stance to tackle India’s black money problem, and many hailed him for doing so. However, the narrative quickly changed to introducing digital payment platforms like Aadhaar Pay. With the Reserve Bank of India announcing on August 31 that 99% of the notes were back in the banking system, the aims of the strategy are now called into question.
The 2016 bill and various reaches of the UID form a large part of the remaining battle at the Supreme Court, where more than 20 other petitions from activists remain. Despite winning a historic round, there is a long way to go, and this could set an important precedent for digital rights across the world.
Uses and Abuses
Without much debate, citizen data, acquired through government, is being monetised by companies to sell products back to Indians. Reliance Jio – a 4G mobile service boasts 100 million subscribers since September 2016 – a feat unachievable without Aadhaar according to the company. Last year mobile App TrustID became the first to use Aadhaar data to verify others (‘your maid, driver, electrician, tutor, tenant and everyone else instantly’) for users. The app was released while the current case was pending at the Supreme Court.
Leaks too remain a problem. 100 million Jio customer user details reportedly appeared on a site in July this year, and the company eventually filed a police complaint.
One of the biggest beneficiaries of this data may yet hit its stride however, given the eagerness of government to promote digital payments. While there is potential to make transactions easier in a country where millions have no bank account, the trade off is the power to assess worth through data unwittingly handed over.
FinTech (financial technology) meanwhile is keen to challenge the traditional financial order (think cashless societies, virtual banks and peer to peer lending). Aware that financial services are the most lucrative sector, companies we know (like Facebook) and many we don’t, have been rushing to create financial assessments of users from the data points now available on almost every consumer on the planet. These assessments are built by amalgamating new types of information and access to messages, photos, semantics and social networks. With these credit ratings, companies can begin performing the role of non-traditional banks.
Both data brokers and FinTech currently traverse an unregulated environment, and we know little about them or the algorithms they use to make their assessments – leaving plenty of room for mistakes (with no course for appeal), and discriminatory ratings. They operate without oversight (data brokers ignored calls from the Federal Trade Commission in 2014 to be more accountable and transparent) and sell data to each other. According to sociologist Beverley Skeggs, who completed research on Facebook tracking earlier this year, this opaque transparency where our lives are on show to a covert group ‘is the biggest political issue of our times,’ producing a reversal of the choice technology was thought to create. Meanwhile these new powerful companies are able to circumvent usual protections; ‘If you think that one of the Facebook founders Peter Thiel set up Paypal to evade financial regulations and made millions as a result. They have always been into financial regulations,’ explains Skeggs.
Marginalised groups, previously routinely excluded by banks and capital, have become a potentially lucrative and viable market. Government programmes like Aadhaar can make access even simpler. At India’s Economic Startup awards this month, V Vaidyanathan, Chairman of Capital First – a non-banking financial institution – said ‘The penetration of Aadhaar coupled with the use of AI has created a system where it is now possible to evaluate a customer within seconds and give him or her a loan.’
The developments in India are ‘one of the most significant revelations about the stealth by which companies enter into people’s personal lives,’ says Skeggs. ‘What is worse is they use our personal information to make a profit from us without our knowledge. How is this allowed to happen? This is more than digital rights, this is a basic human right – not to have our information sold without our knowledge.’
Interestingly, the idea of Aadhaar was advocated by Nandan Nilekani, former Chair of the UID Authority of India (UIDAI – custodian of Indian’s biometric data), on the grounds that it would stop ‘data colonisation’ by the American tech giants. Yet, many of the companies supplying biometric technology in India were US based private homeland security contractors.
Security for who?
Ramanathan previously raised concerns about the companies contracted in on UID technology. L1 Identity Solutions for example, advertise their work with the US Central Intelligence Agency (CIA) on their site. They’ve also lobbied US government as a private homeland security contractor, raising fears about data sharing. ‘All our information is going to be handed to them’, Ramanathan told one interviewer.
All of these fears have received staggering confirmation. On 30th August, The Times of India reported UIDAI gave companies like L1 Identity Solutions and Microsoft’s Accenture ‘full access to unencrypted data with the permission to store it for seven years,’ contrary to public statements that it was inaccessible. Further, a Wikileaks release on the same day as the Supreme Court privacy ruling suggests this information was funnelled to the US deep state long ago.
The CIA’s ExpressLane project, revealed by the documents, was designed to exfiltrate biometric data from liason services, such as the National Security Agency. Data is extracted under the cover of an upgrade, with core components ‘based on products from Cross Match, a US company specialising in biometric software for the law enforcement and Intelligence Community.’
Cross Match became a certified supplier of biometric devices for the Aadhaar program in 2011.
Meanwhile, the US has also been increasing its use of biometric identification, at its borders.
Identity or Identify? Biometrics Beyond India
In January, The Intercept reported Trump’s homeland security choices signalled increasing use of biometrics at US borders. Silicon Valley has been only too keen to oblige, jumping into the ‘biometric gold rush’ in a little reported push for this technology use in immigration. That same month, tech workers protested the Headquarters of Palantir – a data analysis company founded by Silicon Valley giant and Trump supporter Peter Thiel – against the potential build of software to identify Muslims or ‘illegal immigrants.’
Under Trump, hostility towards the undocumented has intensified, resulting in increased raids by ICE (Immigration and Customs Enforcement). The spread of slurs such as ‘illegal’ demonstrate high levels of derision for those without an identity in the eyes of the state. In fact, categorisation as a citizen of nowhere often surreptitiously grants states permission to behave lawlessly and violently towards these individuals. This has, in many cases, cost lives. On 27 August ICE left 50 immigrants at a closed bus stop in Hurricane Harvey’s path, despite being told by a legal aid charity the day before not to do so. In a statement ICE said ‘All of the aliens who were transferred to the San Antonio Greyhound bus station by ICE on Friday morning had confirmed tickets.’
Meanwhile, the UK has also tried to strong-arm the same group into capitulating biometric data. Undocumented survivors of the Grenfell fire (June 14), were given a 12 month amnesty by government, contingent on providing biometric ID, a move described by Human Rights watchdog Liberty as a ‘trap dressed up as compassion’.
Facial recognition technology was also trialled by British police at this year’s Notting Hill Carnival, in yet more biometric scoping along racial lines. This was despite being widely admonished by civil rights groups for discrimination and the technology being known to commonly mis-identify black faces.
Critics added that the technology had no basis in UK law and there was no transparency or regulation around its use. The UK’s Biometrics Commissioner Professor Paul Wiles condemned police forces for failing to deliver a strategy promised five years ago. Meanwhile images held by police, mostly illegally, had increased to 20 million.
Will the derision of undocumented citizens be reconstructed under UID in India? An audio clip surfaced last week of an Indian Police Officer stating that under new policy police could kill anyone without an Aadhaar. While this may be the faux pas of one cop, the differentiation Aadhaar will create is concerning, and activists are further complaining that exclusion is becoming a problem.
Biometric systems are not infallible it seems, and there have been some high verification failure rates across India’s rural areas. This has meant some citizens have been unable to access the services they used freely without Aadhaar.
In Playing The Identity Card (2009), Taha Mehmood discusses Aadhaar’s previous, less ‘successful’ iteration – the MNIC smart card. He asks ‘What kind of an imagination of lived experience would result if one were to think of a nation without a centre – where the distinction between the centre and the periphery collapses, where the centre becomes the border, where presumption of guilt is ‘normalized’ and where the ‘citizen’ needs to be distinguished from the ‘alien’ through a smart identification card?’
MNIC too was promoted as ‘empowerment of the poor’, and a guard against ‘illegal immigrants,’ but also threatened to ‘demean identity’ to a set of numbers. While the offer of digital ID may at first glance, elevate status for the poor, it can equally brand statuses on individuals forever. There are many who ‘want to bury their identity, and what they are threatened with tagging them with this identity in perpetuity,’ Ramanathan explains.
Mehmood may not have imagined the position we’re in now, nor the extent of power asserted by tech companies, but the growth has simply reinforced the state and its ability to cede citizens onto a new form of the same scheme. The hyper-significance of borders and identity are once again magnified ,albeit in new contortions given the presence of foreign contractors in India. These remain enduring themes, alongside new financial possibilities for companies cashing in on data.
Unregulated environments and a small group of individuals and companies have been the persistent tropes of these stories. So how do we deal with them?
Financial Times’ Martin Sandbu suggests revisiting anti-trust laws used to channel popular resistance to the ‘stranglehold of large oil, industrial and railway companies’ at the turn of the century, and using regulation to make Internet platforms ‘behave in the public interest.’
Rights activist Aral Balkan, suggests effectively regulating company abuses while ‘funding/encouraging decentralized, free/open, interoperable [alternatives]’, to get us to transition from the Internet of Things to the Internet of People.
Tough regulation which re-asserts powers of the consumer and human being against corporations – specifically Internet giants – seems key. This too could have secondary effects on other areas of lived experience, as the last few years have all but eroded language placing human rights and privacy at the centre. Global privacy standards could also help prevent loopholes exploited by simply switching locations.
In the meantime, a win on privacy under current conditions by Indian citizens is a positive, in a case where the results will have repercussions worldwide.
READ: Interview with Usha Ramanthan ‘Biometrics was an experiment on a whole population’
WATCH: Join The Dots Episode 4: Data WTF?