Biometrics have arrived. Here's what could go wrong with them

In Laal Purja, the popular television series of the 1990s, Hari Bansha Acharya plays Ghanshyam, a simpleton and the sole heir to property coveted by outside investors. Dhurbe, played by Madan Krishna Shrestha, is a local agent trying to usurp Ghanshyam’s land. As the story unfolds, Dhurbe cunningly places Ghanshyam’s fingerprints on the manjuri nama (agreement document) while he is asleep, leaving Ghanshyam penniless.

The authachhap, or thumbprint, has been a ubiquitous part of Nepali life. For a population with high levels of illiteracy, it is the primary form of identification. It has also been mythologized in popular culture as a tool frequently abused by feudal landlords and predatory agents to dupe people out of their property and possessions. To this day, the thumbprint is used in official documents in Nepal alongside a signature because of its unique character and reliability.

Taking advantage of technological advances, many countries and private companies across the world are gathering not only fingerprints, but also other biometric data that can instantly identify and verify the identity of an individual. Biometric refers to metrics related to your human characteristics that can be identified through finger and palm prints, iris and face scans, and DNA testing.

In keeping with the United Nations Sustainable Development Goals for 2030, the World Bank and Asian Development Bank are supporting the government of Nepal in collecting new biometric data and digitizing existing records of its citizens. The government considers this to be a vital step towards better provision of services. The Election Commission currently hosts the largest biometric database in Nepal, with data on 12.9 million voters. The smart license and machine-readable passport are other examples. The national identity card project currently being piloted will surpass them all in scope and size. It hopes to cover all citizens, with multipurpose database hosting data for driver’s licenses, voter credentials, property registrations, and banking.

Proponents of biometrics affirm that the unique character of biometric data can prevent fraud and identity theft, as each person’s biometric character is unique. Using biometric as an authentication factor to prove your identity, however, is a bad idea from an information system perspective as it is easy to steal biometrics. The digitization of such databases increases the points of vulnerability, as they can be remotely stolen during the phases of storage and transmission. The hacking of various government website last week, of which responsible officials were unaware, demonstrates the permeability of the government’s information system. Once the biometrics are stolen, it’s not possible to re-secure it like resetting your password.

Then, there is the issue of what is called ‘function creep’: expanding the use of a technology or system beyond its intended scope. The databases themselves are less the problem than the potential for misuse that is built into them. For instance, the national identity project is not a surveillance program, but the capability to track people and their activities is engineered into it. This leaves much room for the abuse of such a system.

The risk for privacy would intensify if a law such as the 2002 Terrorist and Disruptive Activities Act was introduced again. The Act gave the security forces special powers to place people under surveillance even if they weren’t suspected of involvement in terrorist acts. Combine that with facial recognition technology, a fully-fledged biometric database, and the CCTV cameras that are planted around the country (again without legal safeguards), and what you have is a recipe for an Orwellian state.

While Laal Purja illustrates that problems around biometric data are not new, they are more complex and dangerous than ever. Besides the Constitution, the Right to Information Act is the only piece of legislation we have right now to address privacy. But it too does not specify what information the government can – and cannot – collect from its citizens.

The urgency of an informed debate about whether the collection, sharing and retention of biometric data violates individual privacy cannot be overstated. We need a robust privacy law with provisions for safeguarding individual data, so that government agencies and private companies are required to legally justify their reason for collecting and sharing it.

We must not fall asleep like Ghanshyam. In the digital world, Ghanshyam’s thumbprint is now permanently stored on Dhurbe’s thumbdrive.

Photo credit: AMISOM Public Information / Flickr