Chinks in Fortress Data
South Asian countries have been innovating and pioneering digital ID programmes for over a decade. While India and Pakistan have been torchbearers for the same in the region and have issued digital IDs to most of their citizens, Sri Lanka and Bangladesh are in the process of rapidly setting up their biometric identity systems. A report by the McKinsey Global Institute states that digital ID systems can add 6% growth to an emerging economy and 3% to an advanced economy’s GDP. A key motivation for setting up digital ID programmes is that they help deliver public services efficiently to the targeted population.
However, it’s imperative that we remain cognisant of data security and risks to privacy that come along with these initiatives. Data security is primarily focused on preventing unauthorised access to data via breaches or leaks, while data privacy concerns itself with responsible use of data placing importance on user consent. India’s Ayushman Bharat Digital Mission, which is issuing unique health IDs to citizens, takes a technical approach to securing data privacy and security. The building blocks of ABDM follow a decentralised approach to storing data that prevents data security risks. While this is an ideal solution on paper, it remains to be seen whether participants maintain the sanctity of user data. User consent forms the core of ABDM. When a health facility or a doctor or an insurance company registered with ABDM wants to access users’ health data, they are immediately notified to reject, accept, modify or revoke the request.
These technical considerations provide a good starting point to strengthen the security and privacy of digital ID programs. But the political economy and legal frameworks play an important role too. As the Taliban took over Afghanistan, it came to light that it had seized US military biometric devices and was trying to gain access to multiple databases that held identification data points on millions of Afghan nationals. This was an attempt to target Afghan nationals who had worked with the US and UK administrations. In a widely reported incident in 2016, the Taliban used a fingerprint scanner to match against a local ID database to identify and kill 12 Afghan National Army service members. It is thus clear that a political-economic risk analysis needs to be a key design consideration while planning biometric digital ID systems.
Collecting minimal data as opposed to exhaustive data also needs to be deliberated upon, prioritising individual safety over social benefits. In India, there have been numerous breaches with Aadhaar data. Similar allegations have been made against Pakistan’s National Database & Registration Authority that issues digital IDs. While privacy is a constitutional right in Pakistan, exemptions within the same weaken the legal framework. Article 8 of the Constitution does not apply to the armed forces in a country with a strong role of the military in its domestic politics. Robust legal frameworks not only create accountability among the stakeholders of the programme but also generate the support of the judiciary for the citizens to fall back on in cases of data breaches or invasion of privacy.
The emergence of digital ID programmes in South Asian countries has definitely led to improved service and programme delivery and, in many ways, has shown the world the importance of digital IDs. However, the incidents of data breaches, targeting individual safety, and gross misuse of the data raise the urgency of establishing data protection legislation with clear accountability, reimagining technical architecture approaches, and factoring in political risks.
(Sarthak Satapathy and Sourav Panda are post-graduate students at the Fletcher School of Law and Diplomacy)