National Biometric Databases

Monday , 12, August 2019

In the last post about biometric identification, “Fingers, Eyes & Veins” we looked at some of the technologies in use today, after an introduction to facial recognition in the previous post. Now let’s look at what governments are doing with the biometric data they’re collecting and using. They believe this will drive efficiency and fairness in government-personal interactions but the early indicators suggest disasterous results.

India has a government run program called Aadhaar that is essentially a giant database of biometric identity markers plus demographic data for their citizens, used by the state assistance programs. Other national governments have also expressed interest in this system if successful. The Indian government claimed this would lead to budgetary savings due to increased efficiencies and reduce corruption, but results are not clear.

What is clear is that this highly invasive system has actually led to denial of medical services resulting in starvation and death. But while the horror stories get all the press coverage, there have been an ongoing series of security issues since deployment.

As it turned out the Indian government did not get the source code, or have an independent audit to look for vulnerabilities or data mining code. Serious security compromises began to happen with regularity, like the known Pakistani spy with an Aadhaar ID who popped up in 2016, that was obtained by falsifying data instead of by forgery. There are at least 18 known cases like this.

Widespread cheating takes place due to corruption and because any resident can sign up with no proof of citizenship required. Enrollment stations were commonly created from laptops by using fake fingerprints and bypassing iris scan requirements. There is a “ghost kit” sold to unauthorized operators which allowed them to create fake Aadhaar ID cards. People created fake personas by using one finger and hand combination from each person.

The stories of fraud are many, but we need to make a point about privacy instead of telling tales of cheating and corruption. This system contains plenty of personally identifiable information, of the type that cannot be changed if compromised. There is a great deal of information aside from the information explicitly on the ID card that is exposed publicly, like the bank accounts associated with a particular ID. It seem that for years user data was exposed without restrictions in place to prevent mass exfiltration.

There have been numerous breaches disclosing Aadhaar data, like what happened to the mobile app made for this purpose called eKYC. As the Centre for Internet and Society (CIS) pointed out there were 130 million Aadhaar numbers and data available on various government run websites as result. A substantial breach, discovered in March 2018 included records with names, their twelve digit ID number, and connected services data like bank account info.

As bad as this case study seems, it is a future that many nations want, and many more inch their way toward. Collecting and using biometric identifiers is problematic from a security perspective, and has historically led to abuses of privacy.

In February 2019 the government of Kenya updated the country’s national identity law to require mandatory turning over of detailed genetic data. This data will be tied to their national identity records in much the same way as the Aadhaar system does, and is a troubling development.

This constitutional amendment requires Kenyans to provide DNA, retinal scan, iris pattern, voice sample, and earlobe geometry in order to get an official government-issued ID. This IDis needed to vote, access healthcare systems, buy property, access credit, obtain employment and more.

Naturally, privacy advocates have concerns about this system. It does not seem likely that the Kenyan government will be able to secure the data any better than India has, or that they can prevent government employees from selling it or accessing it illegally. Again, there is no recourse once your biometric data has been compromised.

Another concern is that this data will be used to discriminate against citizens based on their ethnicity. Ethnicity in Kenya is a contentious issue – 42 distinct groups were identified officially in 1969 and by 2009 there were 111 ethnic groups used for the census. Some marginalized groups have long complained about being shut out of the system and discriminated against, and the fear is that a central database of genetic identifiers will enable such discrimination to be possible going forward.

Combining the extensive biometric identifying information with location data including where the samples were submitted and the required latitude and longitude where the citizen lives provides opportunities for mass surveillance. The National Intelligence Service (NIS) has a history of sharing data with groups including some law enforcement agencies who have engaged in gross human rights abuses in the past, as documented in multiple investigations.