LONG READ: Big Data, Little Choice – India’s Biometric Case Study

By Kam Sandhu

Have you ever thought about what cybersecurity means? Amongst the new normal of electronic passport checks, data breaches, fingerprint phone locks and digital convenience entering our collective lives, have the wider political implications of the possibilities and threats ever been properly explained?

We have already entered a period of ‘opaque transparency’, where our digital footprints reveal more about us than we could know ourselves.  Simultaneously state and technology have become more covert than ever. Government sponsored ads promoting cyber awareness feel disingenuous at best, as new powers of surveillance make the state one of the biggest beneficiaries. Along with tech companies reaching new levels of monopoly power, both retreat from publicising their intentions.

In this environment, the second birth of biometric technology is underway, having been abandoned by the US and UK in the years before 2010 for unreliability and intrusiveness, it’s re-introduction differs depending on where and who you are. Fingerprint verification on phones and scanning at airports proffers ‘reasonable’ and useful visions of the technology in the UK, while in the developing world and at Western borders, this pursuit is characterized far more by aggression, force and coercion into surrendering a permanent ID tag. Among lax laws and poor populations in countries such as India, government, deep state, private companies and technology run amok.


On 24th August, a nine judge bench of the Supreme Court ruled that privacy was a fundamental human right, in a landmark case against the Indian government.

The litigation revolves around India’s Biometric ID system (Unique Identification (UID) or Aadhaar), which since its launch in 2010 has seen over a billion people enrolled. UID was initially promoted as free, voluntary, confined to improving government efficiency, and in aid of  the ‘needy’ and ‘undocumented’, to ease their access to state help. But it has been frenetically expanded by the government; opening up the database to private and financial companies, while making enrolment mandatory in order to access welfare provision. This leaves citizens in a Catch 22; often forced to hand over biometric details (including fingerprints, facial recognition and iris scans) to a broadening system they cannot exit. All this amidst a series of  several serious leaks including the data of millions of citizens, with authorities ignoring security warnings for what is now the world’s largest biometrics database.

Usha Ramanathan, a human rights lawyer and leading voice against the ‘function creep’ of UID, described Aadhaar as ‘the marketing con job of the century’ in 2014. Ramanathan has documented the government’s fervent expansion which already railroaded a previous Supreme Court ruling demanding mandatory enrolment be restricted to 6 select public distribution services (PDS) for food grains and cooking oil; ‘the production of an Aadhaar will not be a condition for obtaining any benefits otherwise due to a citizen,’ the Court said. Yet UID was made a requirement in over 50 services including access to children’s midday meals, rehabilitation and therapy for HIV. Add to this other often mandatory details now linked to the 12-Digit UID, including marriage and death registry, tax records, mobile phone numbers and more, and you have one of the most absolute levels of mass surveillance possible.

There is no express provision for Privacy in Indian law, and attorney generals acting for the government have argued it cannot be elevated to a fundamental human right, adding that as a poor, developing country, demanding a right to privacy is ‘elitist.’ This is a clever insinuation, that India’s economic position means citizens must surrender their privacy, for the improvement of the country’s economy, and thereby the country. Capital determines rights. But if data is the world’s new oil, how can surrender be the right business decision for citizens?

Narendra Modi has made short work of liberalizing the data. A 2016 bill allowed private company use of Aadhaar as verification for any purpose, and 2017 brought ‘Aadhaar pay’ – a cashless payment platform, also allowing peer to peer transactions using UID. This was promoted as the post-demonetisation strategy.

Demonetisation saw the Indian government remove, overnight, the two largest notes in Indian currency – amounting to 86% of the country’s cash on 8th November 2016. It was a tough stance on tackling India’s black money problem by Modi, and he was hailed by many for it despite some distressing effects on the nation’s lower classes in a country where over 90% of transactions were made in cash. However, the narrative quickly changed to introducing digital payment platforms like Aadhaar Pay, and on August 31 the Reserve Bank of India announced 99% of the notes had found their way back into the banking system. Demonetisation is now a failure, if of course, black money was really the target.

The 2016 bill and increasing data point standards of the UID form a large part of the remaining battle at the Supreme Court, where more than 20 other petitions from activists remain. Despite winning a historic round, there is a long way to go, and this could set an important precedent for digital rights across the world; nowhere more acutely than for the ‘second tier’ citizen who’s country’s economic position means a repeal of human rights afforded elsewhere.

Uses and Abuses

Without much debate, citizen data, acquired through government, is being monetised by companies to sell products back to Indians. Reliance Jio – a 4G mobile service boasts 100 million subscribers since September 2016 – a feat unachievable without Aadhaar according to the company. Last year mobile App TrustID became the first to use Aadhaar data to verify others (‘your maid, driver, electrician, tutor, tenant and everyone else instantly’) for users. The app was released while the current case was pending at the Supreme Court.

Leaks too remain a problem. 100 million Jio customer user details reportedly appeared on a site in July this year, and the company eventually filed a police complaint.
One of the biggest beneficiaries of this data may yet hit its stride, given the eagerness of government to promote digital payments. While there is potential to make transactions easier in a country where millions have no bank account, the power to assess the individual instantly and without their knowledge through data is the trade off.

FinTech (financial technology) meanwhile is keen to challenge the traditional financial order (think cashless societies, virtual banks and peer to peer lending). Aware that financial services are the most lucrative sector, companies we know (like Facebook) and many we don’t, have been rushing to create financial assessments of users from the data points now available on almost every consumer on the planet. These assessments are built by amalgamating new types of information and access to messages, photos, semantics and social networks (Facebook recently patented the right to include social circles in their assessments). With these credit ratings, companies can begin performing the role of non-traditional banks.

Both data brokers and FinTech currently traverse an unregulated environment, and we know little about them or the algorithms they use to make their assessments – leaving plenty of room for mistakes (with no course for appeal) and discriminatory ratings. They operate without oversight (data brokers ignored calls from the Federal Trade Commission in 2014 to be more accountable and transparent). According to sociologist Beverley Skeggs, who completed research on Facebook tracking earlier this year, this opaque transparency where our lives are on show to a covert group ‘is the biggest political issue of our times.’ It produces a reversal of the choice technology was thought to create, while power is able to circumvent usual protections; ‘If you think that one of the Facebook founders Peter Thiel set up Paypal to evade financial regulations and made millions as a result. So they have always been into financial regulations,’ explains Skeggs.

With tables turned, there is no such thing as a bad customer. Everyone produces data, everyone can be assessed. The marginalised groups which Capital has before routinely ignored and excluded have become an untapped, reachable and financially viable market. Government programmes like Aadhaar can make access even simpler. At India’s Economic Startup awards this month, V Vaidyanathan, Chairman of Capital First – a non-banking financial institution – said ‘The penetration of Aadhaar coupled with the use of AI has created a system where it is now possible to evaluate a customer within seconds and give him or her a loan.’

The developments in India are ‘one of the most significant revelations about the stealth by which companies enter into people’s personal lives,’ says Skeggs. ‘What is worse if they use our personal information to make a profit from us without our knowledge. How is this allowed to happen? This is more than digital rights, this is a basic human right – not to have our information sold without our knowledge.’

Tech companies seem to be at their most powerful when working alongside government, allowing each to extract data for their own interests. But what happens to a country like India when all the biometric service providers are US based intelligence and defence contractors with links to the American deep state?

Security for who?

Ramanathan previously raised concerns about the companies contracted in on UID technology. L1 Identity Solutions for example, advertise their work with the US Central Intelligence Agency (CIA) on their site. They’ve also lobbied US government as a private homeland security contractor, raising fears about data sharing. ‘All our information is going to be handed to them’, Ramanathan told one interviewer.

All of these fears have received staggering confirmation. On 30th August, The Times of India reported UIDAI (the UID Authority of India – administrator and ‘custodian’ of the data) gave companies like L1 Identity Solutions and Microsoft’s Accenture ‘full access to unencrypted data with the permission to store it for seven years’ contrary to public statements that it was inaccessible. Further, a Wikileaks release on the same day as the Supreme Court’s privacy ruling suggests this information was funneled to the US’ deep state long ago.

The CIA’s ExpressLane project, revealed by the documents, was designed to exfiltrate biometric data from liason services, such as the National Security Agency. The data is extracted under the cover of an upgrade, with core components ‘based on products from Cross Match, a US company specialising in biometric software for the law enforcement and Intelligence Community.’

Cross Match became a certified supplier of biometric devices for the Aadhaar program in 2011.

Identity or Identify? Biometrics Beyond India

In January, The Intercept reported Trump’s homeland security choices signaled increasing use of biometrics at US borders. Silicon Valley has been only too keen to oblige, jumping into the ‘biometric gold rush’ in a little reported push for this technology use in immigration. That same month, tech workers protested at the Headquarters of Palantir – a data analysis company founded by Silicon Valley giant and Trump supporter Peter Thiel – against the potential build of software to identify Muslims or ‘illegal immigrants.’

Under Trump, hostility towards the undocumented has intensified across the US, seeing rights recede and surprise raids by ICE (Immigration and Customs Enforcement) increase. The undocumented have been subject to long term deep derision as the bottom of the social ladder, simply because they do not have an identity in the eyes of the state. Categorisation as a citizen of nowhere surreptitiously grants permission to the state to behave lawlessly and violently towards these individuals, and has, in many cases, cost lives. On 27 August ICE left 50 immigrants at a closed bus stop in Hurricane Harvey’s path, despite being told by a legal aid charity the day before not to do so. In a statement ICE said ‘All of the aliens who were transferred to the San Antonio Greyhound bus station by ICE on Friday morning had confirmed tickets.’

How quickly can this standing be reconstructed in India? An audio clip surfaced last week of an Indian Police Officer stating under new policy police could kill anyone without an Aadhaar. While this may be the faux pas of one cop, the differentiation Aadhaar will create is concerning, and it is under the cover of social derision and rhetoric that authorities have been able to act violently against them in the US.

The UK has also strong-armed the same group to capitulate data. Undocumented survivors of the Grenfell fire (June 14), were given a 12 month amnesty by government, contingent on providing biometric ID, described by Liberty as a ‘trap dressed up as compassion’. Further, contractors such as L1 Identity Solutions, a US company, now owned by France’s Safran group, have held British contracts too.

Facial recognition technology was also recently trialed by British police at Notting Hill Carnival, in yet more biometric scoping along racial lines. This was despite being widely admonished by civil rights groups for discrimination and the technology being known to commonly mis-identify black faces. While unreliability and intrusiveness were dealbreakers for national UK ID cards, the same flaws for in identifying largely black and migrant communities in the same country, is all fair game.

Critics added that the technology had no basis in UK law and there was no transparency or regulation around its use. A few days before Carnival, the UK’s Biometrics Commissioner Professor Paul Wiles condemned police forces for failing to deliver a strategy on biometric use that was promised five years ago while facial images held by the police, mostly illegally, had increased to 20 million. Wiles added that the operation at Notting Hill Carnival came with no evaluation of effectiveness nor public report.

The UN meanwhile, announced its biometric ID program with Microsoft’s Accenture in June. They hope to digitise the identities of 1.1 billion undocumented people to help refugees access aid they qualify for; reminiscent of the original framing of Aadhaar. Would biometric ID solve the worldwide inertia of the refugee crisis? Unlikely, but Accenture, also one of the contractors on the UID technology, is morally indignant about the cause; ‘Digital ID is a basic human right’ the Managing Director told Fortune.

What next?

In Playing The Identity Card (2009), Taha Mehmood discusses Aadhaar’s previous, less ‘successful’ iteration – the MNIC smart card. He asks ‘What kind of an imagination of lived experience would result if one were to think of a nation without a centre – where the distinction between the centre and the periphery collapses, where the centre becomes the border, where presumption of guilt is ‘normalized’ and where the ‘citizen’ needs to be distinguished from the ‘alien’ through a smart identification card?’

MNIC too was promoted as ‘empowerment of the poor’, and a guard against ‘illegal immigrants,’ but instead threatened to ‘demean identity’ to a set of numbers. This is another element of tech disguise – innovation is not inherently good. It can be bad. While the offer of digital ID may at first glance, elevate status for the poor, it can equally brand their status on them forever. There are many who ‘want to bury their identity, and what they are threatened with tagging them with this identity in perpetuity,’ Ramanathan explains.

Mehmood may not have imagined the position we’re in now, nor the extent of power asserted by tech companies, but the growth has simply reinforced the state and its ability to cede citizens onto a new form of the same scheme. The hyper-significance of borders and identity are once again magnified albeit in new contortions given the presence of foreign contractors in India. These remain enduring themes, alongside new possibilities for Capital to use this identity and data for financial gain.

While it is good to see conversations regarding how to reign in the powers of companies such as Google and Facebook through nationalization, this in and of itself may not solve the problem, and could risk centralizing powers within a state that already benefits from covert coercion with the same industry.

Unregulated environments and a small group of individuals and companies have been the persistent tropes of these stories. So how do we deal with them?

Financial Times’ Martin Sandbu suggests revisiting anti-trust laws used to channel popular resistance to the ‘stranglehold of large oil, industrial and railway companies’ at the turn of the century, and using regulation to make Internet platforms ‘behave in the public interest.’

Rights activist Aral Balkan, suggests effectively regulating company abuses while ‘funding/encouraging decentralized, free/open, interoperable [alternatives]’, to get us to transition from the Internet of Things to the Internet of People.

Tough regulation which re-asserts powers of the consumer and human being against corporations – specifically Internet giants – seems key. This too could have secondary effects on other areas of lived experience, as the last few years have all but eroded language placing human rights and privacy at the centre. The creation of global minimum privacy & regulation standards would also prevent the loopholes exploited by these powers by simply switching locations.

In the meantime, a win on privacy under current conditions in Indian citizens is a positive, in a case where the results will have repercussions worldwide.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s