MUMBAI — In December, India wrapped up its long-awaited Personal Data Protection Bill (PDF) that seeks to preserve “consent” in data sharing and penalizes breaches of privacy. Pending parliamentary approval, the bill will define the country’s legal framework in the digital age and coincides with government policies aiming to control residents of the world’s largest democracy; including the use of advanced technology to track them.
The bill follows the landmark judgment by the Supreme Court of India in 2017 which upheld privacy as a fundamental right under the constitution. In line with international standards, the judgement defined sensitive personal data and labelled social media platforms as fiduciaries subjected to heavier responsibilities; it intended to prevent the impact of fake news in free and fair elections, for instance.
However, some criticize the final bill for exempting government agencies, citing national security, public order, or friendly relations with foreign states, while it lessens data localization norms. “They have removed the safeguards. That is most dangerous,” Justice BN Srikrishna told the Economic Times recently. Srikrishna led the committee that wrote the initial draft of the bill. “I believe there should be judicial oversight on government access. [Otherwise] It will weaken the bill and turn India into an Orwellian State,” he said.
Privacy advocates see in the bill opportunities for both public and private entities to take advantage of people. “The data protection authority should be independent and autonomous, as the committee suggested. Now the government can overrule it,” explains Dr. Gopal Krishna, chairman of the Citizens Forum for Civil Liberties (CFCL). Krishna not only argues that the bill sets the fox to guard the henhouse, but that it comes too late to protect citizens: “Most of their data has been already compromised via [the] Aadhaar system.”
The World’s Largest (and Most Exposed) Biometric Identification System
With nearly 1.23 billion beneficiaries — most of India’s population — Aadhaar has become the world’s largest biometric identification scheme. Based on a confidential and unique 12-digit number linked to physical and demographic information, this national database is similar to Western Social Security systems and has been labelled by the government as a revolution for the welfare system following its inception in 2012.
While Aadhaar (meaning “foundation,” in Hindi) was a plan to prevent misuse of public funds, curbing some forms of corruption, the card issued to its members can also be used as a form of identification to open bank accounts, get SIM cards, hire an Uber, make purchases on Amazon, or rent an Airbnb.
“The government has also incurred into routine and blatant violations of the order,” claims Reetika Khera, associate professor at the Indian Institute of Management of Ahmedabad. Contributor to the book Dissent on Aadhaar: Big Data meets Big Brother, Khera fears most Indians are unaware of the harms of data-sharing: “Aadhaar is disenfranchising people in many ways. Deletion of their names from voter lists is a direct way. But more than 40 people have died due to denial of entitlements — rations and pensions — related to it.”
According to local media, at least four major Indian states linked hundreds of million of Aadhaar numbers to citizens’ voter cards without consent; exposing them. Up to 2019, around 300 news reports cite public leaks as well as illegal requests and later misuse of unprotected databases. One of the most flagrant cases happened in 2018, when Airtel had to return over $27 million intended to subsidize beneficiaries whose personal bank accounts had been unwillingly connected to the company’s payment accounts using their Aadhaar numbers.
Following serious criticism in 2018, the chairman of the Telecom Regulatory Authority of India (TRAI), RS Sharma, who helped setting up Aadhaar, invited the online community to prove its vulnerability. Hundreds responded, allegedly revealing his personal data along with the hashtag #AadhaarChallenge. More recently, a cybersecurity expert proved the existence of the system’s loopholes after exposing on Twitter official documents with Aadhaar data as well as other identification numbers and income tax details.
“Although biometric information is not available publicly, demographic data alone could allow to track that person online or offline,” argues software developer Srikanth Lakshmanan. “If a start up gets access to this information from millions and puts them into a database, this can be sold and available to companies outside the Aadhaar ecosystem,” says Lakshmanan; who insists that the new bill does not apply retrospectively, giving a blanket approval to all the private information already shared between entities.
India’s Dystopian Controlled State
Last October, India announced that it will centralize its facial recognition systems into a single database — the word’s largest. The government says this initiative will help balance its shortfalls on security personnel — 144 police officers for every 100,000 citizens, compared to a ratio of 318/100,000 in the EU — and serve good purposes, such as identifying some of the 300,000 missing Indian children. But it is also a potentially lucrative opening for surveillance firms and a nightmare for those who fear India is building a Chinese-style Orwellian state.
“They talk about ‘data empowerment’. But it’s about empowering people to ‘share’ their data at a price, not empowering them,” says independent law researcher Usha Ramanathan. Awarded with the 2018 “Human Rights Hero” award for campaigning against Aadhaar, Ramanathan summarizes the current legal context: “The basic principle that data protection is about protecting the people has got completely lost.”
In December, New Delhi police used facial recognition software to screen Indians protesting against a controversial citizenship law which excludes non-Indian Muslims from naturalization. Technology analysts say it’s the first time the Automated Facial Recognition System (AFRS) — installed to track missing children — was used to screen a crowd at a political rally. This raised concerns about privacy and mass surveillance.
Current nationwide demonstrations are also a reaction against the implementation of a national register of citizens (NRC) in the state of Assam; ostensibly to uncover illegal migrants — mainly Muslims — from neighboring Bangladesh. Protesters say the junction of a larger NRC — enacted across India — with the citizenship law will enable the government to select citizens on the basis of their religious identity; for what the state already counts with personal data, surveillance systems and a permissive legal framework.
“The question to ask is why these kind of projects come into picture now. They do so under a certain political environment,” argues security researcher Anand Venkatanarayanan. “One feels a threat about an outsider, so the population is more prone to accept these systems to control peers. But this does not solve the problem. Instead, it reduces civil liberties.”
Both the biometric and the facial recognition schemes may help fight corruption and crime, but they will also expose vulnerable groups, unless a legal framework protects citizen’s rights in a country wherein not only religious minorities have long faced discrimination. According to the National Dalit Movement for Justice, for instance, lower castes and tribal people constitute 34 percent of India’s prisoners although they barely account for a quarter of the country’s population.
Angel L. Martínez Cantera is a Spanish freelance photojournalist based in Asia since 2013. He has an MA in international politics from City University of London (UK) and specializes in human rights and development.