Two ways to not protect biometric data demonstrated by world’s most populous countries

Several civil society groups in India are highly concerned about the spread of facial recognition and other surveillance technologies in the country, particularly in the context of a legal and regulatory open season on private data.

In China, a recently-passed data privacy did not motivate a physical access control and human resources software provider to secure its databases of face biometric templates and license plate records.

A huge trove of exposed records, including biometric data, was discovered on a server hosted by Alibaba for Xinai Electronics, reports TechCrunch.

The database has held as many as 800 million records, and contained complete URLs for image files. Neither were protected, and both could be accessed from a normal web browser. The data included high-resolution facial photos, as well as resident ID numbers and other personal information.

Xinai offers facial recognition for access management, but also employee time and attendance and other applications.

The researcher who discovered the exposed data also found a ransom note demanding cryptocurrency in return for not releasing the data.

It is the second major breach, chronologically and by size, of personal data in China since the country’s Personal Information Protection Law came into effect last November.

Scepticism abounds in India

A panel discussion hosted by the Internet Freedom Foundation and titled Privacy Supreme featured representatives from the CivicDataLab and Amnesty International India, as well as privacy advocate Usha Ramanathan and others.

The discussion focused on the relationship between privacy and technology, but also on the relationships between individuals, businesses, and the government.

Both the government and businesses in India are using new technologies as tools to violate people’s privacy, panelists agreed. The result is apprehensiveness about those technologies and how they will be used, and ultimately resistance.

Not only are technologies outpacing people’s ability to understand them, but businesses and government entities are racing to ingest data, and in some cases share it.

“You can’t have facial recognition technology being rolled out,” in this context without robust debate, Ramanathan argued. “A moratorium doesn’t have to be for 10 or 15 years. But there has to be enough time for people to know what it is.”

India’s Constitution does not enshrine a right to privacy, so Ramanathan suggests that a court judgement is needed to establish privacy rights in the country.

She also said that more than 9 out of 10 people in Chennai have declined to link their Aadhaar and voter ID credentials. In the absence of a legal right to privacy, according to Ramanathan, this is among the only recourse available to people.

India has had legislation to regulate data protection on the books for years, but has failed to operationalize it. Each passing year makes an update to the unimplemented law more critical.

Article Topics

biometric identifiers  |  biometrics  |  China  |  data privacy  |  facial recognition  |  India  |  surveillance