Wednesday, February 01, 2017

Your fingerprint is not your own! Meaning of privacy in India!

A website I often use made an offer recently – a free SIM that I could use for free for a couple of months. My wife was interested and we decided to try it. Everyone has heard of the well-known promotional offer by a cell phone company.

I filled in a form online, which said to keep the Aadhar card ready and wait for the delivery rider. He turned up in a day and asked if we had received an SMS message. We had and my wife brought her cell phone to read out that SMS. Meanwhile, the man pulled out a fingerprint reader. What was that for? He said that she should have her fingerprint recorded and that their system would get it verified. We said we did not wish to give the finger print as we were not confident that it would be safely handled. Instead we offered other ID and address proof and were willing to give a Xerox copy. The man said that would not be acceptable and we spoke to his supervisor about it over phone. The supervisor said that “this” was a government scheme and the alternative was not acceptable.

In that case, we said, we did not want the SIM!

The Aadhar card was devised by well-meaning people who had thought of various safeguards to avoid misuse. However, this is a country in which privacy means little. A person sharing a train ride could strike up a conversation with you and within minutes, ask you where you work and at what salary!
No wonder, anyone could walk in and have you give them your fingerprint to be used by some app on their cellphone! How does the customer know that the fingerprint will not be stored and used on a different occasion to “prove” his/her presence at some strange place? Does the law provide any safeguards? After all, the delivery man need not even be a staff member of the cell phone company, but be an agent hired on daily wages. You may not even learn his name or ask for his ID.

This poses major risks in a country in which over 25% of adults are illiterate.

We need researchers to find ways and means of making identification possible without any risk of abuse of the technology.  


Srinivasan Ramani said...

I posted a query on about safeguards that could prevent abuse. Wolfgang Reichl answered. I will describe his solution in my own words:
All that a cell phone company needs to know is if a given Aadhaar ID number, name and address exists  as per the database. The customer's bio-metrics are irrelevant in this case.

This means that whoever administers the Aadhaar ID verification system should make multiple types of ID verification possible. They should make the verification available only to registered parties and should ideally charge them a fee like, say, Rs 10,000 per year for up to 10,000 verifications per year. The use of bio-metric verification should be allowed only where this is strictly required, as in law and order applications.

Srinivasan Ramani said...

Another case of possible violation of privacy. How do you convince members of a professional society that the list of its members (which is sold for a price) contains only genuine members? One society has asked members to give either their PAN number of Aadhaar card number while updating their address record. They say this improves transparency. It is not clear how. Do we expose members PAN numbers and Aadhaar card numbers to the world? Is it necessary?