Legislation struggling with deployment pace of biometric identity systems, says privacy expert
In an article published today in Technology Science, a Harvard-based journal, World Privacy Forum founder Pam Dixon argues that legislation is struggling to keep up with the deployment of biometric identity systems, resulting in a high risk to fundamental civil liberties and privacy, particularly in India, but also with serious ramifications in the United States.
Europe is also vulnerable to ‘mission-creep’ and risks failing the ‘Do no Harm’ principle.
“According to the World Bank, 50 percent of countries with a national identity card system do not have any data protection legislation in place,” Dixon said. “The speed of technology advancement has made digital biometric systems much more accessible and enabled wide-scale use for policy-makers.
“India’s Aadhaar program put technical deployment before policy development and continues to do so. These actions by the Indian government have led to a marked lack of protective regulatory controls, which has in turn resulted in detrimental ‘mission-creep’ and ensuring that there are adequate safeguards in place to protect citizens.”
Though India’s Aadhaar biometric system initially started as a voluntary identity card in 2010, over one billion people — 97 percent of the total population — are enrolled in the scheme. Dixon commented in a statement that despite being voluntary, the country’s government has not implemented any legislation to support its roll-out and many government and public services cannot be accessed without an Aadhaar number.
Last week, India’s Supreme Court finally ruled citizens have a fundamental right to privacy, which could potentially derail the government’s plan for making registration of its Aadhaar biometric identification program a requirement for all government services.
“It is a step in the right direction, but there is still a lot of work to be done,” Dixon said. “This ruling does not evaluate the moralities of the system and how it has been deployed and there are many learnings for the U.S. and Europe.”
Dixon emphasizes that “biometrics and digital identity should not be used by the issuing authority, typically a government, to serve purposes that could harm the individuals holding the identification. Nor should it be used by adjacent parties to the system to create harm.”
She said an example of ‘harm’ is the inclusion of highly sensitive information including ethnicity, religion or place of origin.
In the UK, a proposal to implement a biometric identity card for EU nationals has been met with criticisms that it would create a ‘second-class’ citizen.
Though many have recommended that enrollment for these identity cards be solely voluntary, there is always the risk of ‘mission-creep’ without proper legislation as seen with India’s Aadhaar system.
Since Europe has extremely strict regulations around sensitive data and the use of consent, governed by the EU General Data Protection Regulation (GDPR), there have already been exceptions to key information that is required to provide a medical diagnosis and treatment. This provides the opportunity for access and use without obtaining the patient’s consent.
In the U.S., legislation varies from state to state and there is insufficient protection at the federal level. For example, some healthcare providers have called on patients to provide biometric authentication without explicitly stating that enrollment is voluntary.
Dixon has praised the work of the World Bank and its partners, but said that “the most important step the World Bank can take to improve global privacy and protect citizens is to ensure future principles and guidelines enshrine the ‘Do no Harm’ as a top priority.”
“‘Digital identity systems and systems that use biometrics need to be designed in such a way that they cannot fail, even when political regimes and the will of legislators do’ is a concept derived from the Privacy by Design school of thought,” Dixon said. “While all jurisdictions would benefit from an approach that considers privacy by design in biometric identity systems, it should not be seen as a substitute for legalization. Policy development needs to focus on the concept of ‘Do no Harm’ to create a bedrock guiding principle of all digital biometric identity systems.”