India: Is biometric data privacy at risk?

India’s Criminal Procedure Identification (CPI) Act came into force last month. It gives police officers the power to collect biometric samples — such as fingerprints and iris scans — from people who have been arrested, detained or placed under preventive detention on charges that attract a jail term of seven years or more.

Data collected under the CPI can be stored for up to 75 years and shared with other law enforcement agencies. It is an offense to resist or refuse to allow the collection of data.

Unbridled power, no checks

The legislation has come under sharp criticism from opposition political parties, free speech practitioners, lawyers and civil rights activists who fear the legislation violates an individual’s privacy and liberties. 

Many say that the CPI will create a “surveillance state” given that India does not have a comprehensive data protection mechanism in place. 

For instance, central and state governments in India have deployed facial recognition systems in recent years without putting in place any law to regulate its use.

The growing use of this potentially invasive technology without any safeguards poses a huge threat to the fundamental rights to privacy and freedom of speech.

“Sharing of sensitive personal data that discloses a complete identity profile of an individual is in clear violation of Article 21 of the Constitution [the right to] life and liberty and cannot be done even in exceptional circumstances without enforcing adequate safeguards,” Anandita Mishra, a litigation counsel for the Internet Freedom Foundation, told DW.

‘Gross privacy violation’

The Identification of Prisoners Act, 1920 — which has been superseded by the new law — had allowed police to collect only photographs, fingerprints and footprint impressions from suspects. 

• From the fingerprint to biometric data

  A standard in modern forensics for 125 years

  In 1891, a Croatian born, Argentine criminologist, Juan Vucetich, started building up the first modern-style fingerprint archive. Since then, fingerprints have become one of the main forms of evidence used to convict criminals. Here, a police officer spreads dust on the lock of a burglarized apartment. Fingerprints become visible.

• From the fingerprint to biometric data

  Archiving and comparing prints

  He uses an adhesive film to capture the fingerprint. Then he glues it to a piece of paper. In the past, comparing fingerprints was a painstaking affair. Officers had to compare fingerprints found at the scene of a crime, one-by-one, with those of possible suspects. These days computers do the job.

• From the fingerprint to biometric data

  No more ink

  Taking fingerprints used to be a messy affair – with ink and dirty hands. These days scanners have replaced the inky mess. And the data can immediately be sent to a database and turned into biometrical data.

• From the fingerprint to biometric data

  Fingerprints form an identity

  The computer identifies typical spots within the ridge patterns of the fingerprint. These include forks in the lines, spots and the location of the center of the print. Fingerprints are never the same between two people – not even with identical twins.

• From the fingerprint to biometric data

  Vote early and vote often!

  No chance! Here, officials use fingerprint scanners during an election in Nigeria. It’s how they make sure the people voting are registered voters and that they only vote once.

• From the fingerprint to biometric data

  Who entered Europe where?

  This is an important question for officials who have to decide about the refugee or asylum status of applicants. In the European Union all migrants are supposed to have their fingerprints taken at the first point of entry – provided, of course, the local police officers are equipped with the scanners.

• From the fingerprint to biometric data

  Hands off! It’s my data!

  Many smartphones now come with fingerprint recognition software, such as the iPhone’s Touch-ID. The owner of the phone unlocks it with his fingerprint. If someone else finds or steals the phone, they have no way of getting at any encrypted data within.

• From the fingerprint to biometric data

  Secure ATM banking

  This is an Automatic Teller Machine (ATM) in the Scottish town of Dundee. Customers wanting to withdraw money need to show biometric proof of identity – in the form of a fingerprint. Not good news for pickpockets.

• From the fingerprint to biometric data

  Fingerprint inside the passport

  Since 2005, German passports, and many other passports, contain a digital fingerprint as part of the biometric information stored on a RFID (radio-frequency controlled ID) chip. Other information on the chip includes a biometric passport photo. The facial image is similar to fingerprints: no two images are alike.

• From the fingerprint to biometric data

  When computers recognize faces

  Facial recognition software, which uses biometrics, is well advanced. It is possible to identify suspects within large crowds, with surveillance cameras. Also internet services and private computer owners are increasingly making use of facial recognition software to sort holiday pictures and tagging them to names.

• From the fingerprint to biometric data

  The inventor of the genetic fingerprint

  Alec Jeffreys discovered DNA-fingerprinting almost accidentally in 1984 during research at the University of Leicester. He identified a specific pattern on DNA segments, which were different for every human. He created a picture, which looks like a barcode at the supermarket.

• From the fingerprint to biometric data

  A barcode for every human

  Germany’s Federal Criminal Police Office (BKA) started storing such barcodes in a federal database in 1998. Investigators have since solved more than 18,000 crimes, using genetic fingerprints.

• From the fingerprint to biometric data

  Clearing the innocent

  It’s not just criminals who get identified. Many innocent people can be cleared of criminal charges through good identification. For some, technology has saved their lives. Kirk Bloodsworth spent almost nine years on death row. The US Innocence Project has proved the false incarceration of more than 100 people using DNA evidence.

• From the fingerprint to biometric data

  Clarity for victims’ families

  The first big test for DNA-fingerprinting came with the mass murder of Srebrenica. Bodies, exhumed from mass graves, were systematically identified using DNA techniques. They were then reburied by their loved ones. Here, five year old Ema Hasanovic pays last respects to her uncle. More than 6,000 victims of the massacre – mostly men – were identified using DNA-fingerprinting.

• From the fingerprint to biometric data

  Biometric data on your phone and computer

  You may be surprised, but there’s biometric information in sounds and other digital data. Voice recognition software can, for instance, identify people making threatening phone calls – the human voice is also unique. And don’t forget: we leave all kinds of digital traces on the internet, which hold clues to who we really are.

  Author: Fabian Schmidt

However, the scope of the CPI includes other sensitive information such as fingerprints, retina scans, behavioral attributes — like signatures and handwriting — and other biological samples such as DNA profiling.

“Perhaps the most egregious provision of the bill is that it authorizes the retention of all the measurement data digitally for 75 years from the date of collection, without any in-built checks to protect the confidentiality of such data,” Vrinda Bhandari, consultant with India’s Law Commission, told DW.

“This is a gross violation of privacy and data storage limitations and is contrary to the law laid down in the Supreme Court’s privacy judgment.”

In 2017, the country’s top court gave a momentous judgment affirming that the constitution guarantees to each individual a fundamental right to privacy.

The ruling affirmed three aspects of the fundamental right to privacy, including intrusion with an individual’s physical body, informational privacy and privacy of choice.

Safeguarding rights

Criminal lawyer Rebecca Mammen John pointed out that the legislation creates a wholly new regime and structure in the criminal justice system which disproportionately affects the rights of individuals — while granting the state unchecked powers of surveillance.

Moreover, she argued that creating databases and enabling data sharing on the scale envisioned by the act may violate the fundamental right against self-incrimination.

“What happens if these databases are breached or if data is misused or sold? What protections are offered to prevent the usage of stored information to maliciously implicate innocent persons?” John asked DW.

While passing the bill in parliament, the government sought to allay apprehensions surrounding the possible misuse of data.

There are concerns that, given India’s lack of robust systems to investigate alleged police misconduct, data could be misused

Home Minister Amit Shah pointed out that the best technology would be used for safeguarding data and training manpower.

“It is about safeguarding human rights of the victims of crimes, and not just criminals,” Shah told parliament in April. 

But many feel that the new law gives the government a dangerous snooping weapon to exercise against dissidents.

No data protection system 

Last month, the Indian government surprisingly withdrew a proposed bill on data protection that a panel of lawmakers had been working for more than two years, saying it was working on a new law.

The abandoned legislation, the Personal Data Protection Bill, 2019, would have required internet companies like Meta and Google to get specific permission for most uses of a person’s data — and would have eased the process of asking for such personal data to be erased.

Tech companies had specifically questioned a data-localization provision in the bill under which they would have been required to store a copy of certain sensitive personal data within India, while the export of undefined “critical” personal data from the country would have been prohibited. 

Activists, on the other hand, had criticized a provision that allowed the government and its agencies blanket exemptions from adhering to any and all provisions of the bill.

Risk of misuse

Several countries, including the US and the UK, collect biometric identifiers such as facial features, fingerprints or retina scans of people who are arrested or convicted.

Finger scans can immediately be sent to a database and turned into biometrical data

But given that India does not have well-defined systems to investigate alleged police misconduct, there are concerns that collected data could be misused.

Pawan Duggal, an expert on cybercrime law and security, maintained that the government had a bigger duty to come up with appropriate checks and balances before implementing the controversial provisions of the CPI.

“This law assumes more significance because people who have been arrested and detained, have not been convicted and the accepted principle of law is that a person is presumed to be innocent unless proven guilty,” Duggal told DW.

“There is a distinct need for having in place appropriate checks and balances for exercising such power. Given the absence of dedicated data protection law in India, such power has the potential of being abused and misused,” he added.

Edited by: Keith Walker

Article source: https://www.dw.com/en/india-is-biometric-data-privacy-at-risk/a-63044478?maca=en-rss-en-all-1573-rdf