Importance of biometric data protection emphasized as IMF recognizes Aadhaar achievement
The International Monetary Fund (IMF) has recognized India as a global leader in biometric identification systems, but has called on the country to take measures to ensure the privacy and security of personal data included in the Aadhaar program. Wrongful payments under India’s LPG (liquified petroleum gas) subsidies have been reduced by at least 11 percent, and as much as 24 percent, according to the recently published IMF Fiscal Monitor chapter on Digital Government.
The report lauds India’s registration of 1.2 billion people, and notes that the Unique Identification Authority of India estimates the cost of Aadhaar’s implementation and maintenance is roughly $1.5 billion, or $1.25 per card, while other electronic identification systems tend to cost $3 to $6 per person.
It also notes that the encryption of the collected biometric data makes Aadhaar compatible with privacy rights, according to its proponents, but says that a lack of sufficient security controls has made it vulnerable to unauthorized access.
“In India, privacy and security concerns led to alternating periods of mandatory and non-mandatory use of Aadhaar in social programmes,” the report says. It also notes that it has been reported that 135 million Aadhaar numbers have been compromised, and that the program’s compliance with privacy laws is under review by India’s Supreme Court.
“The security risks associated with biometric data are very similar to any other personal data, once the digital data is stored somewhere, it can be hacked,” Michael Fauscette, Chief Research Officer of G2 Crowd told Biometric Update in an email conversation on the general topic of biometric data security. “Moving the data from the sensor to the repository is also a risk point, and must include data encryption to prevent highjacking.”
While encryption is important to preserving the security and privacy of biometric data, Fauscette says, it is only part of a larger data protection picture.
“Data at rest (in storage) presents a large risk, but there are other risks. The process of setting up the system, sometimes called enrollment, can be a weak point. If the enrollment process doesn’t include positive identification, then the whole system is at risk from the start. The wrong person’s biometric data could be used and associating it to a different person. Or, if the enrollment process includes a comparison of biometric data to some central repository as a way to validate identity, there is risk to the data in transit if it is not encrypted.”
Changes were recently made to the Aadhaar enrollment process in response to allegations of corruption and process violations.