Fingerprinting an Invisible Population: India’s Unique Identity Program Raises Questions about Privacy, Poverty, and Biometrics
By Nicola Carah Menaldo
The developing world’s public welfare systems are riddled with corruption and waste: the most needy often do not receive adequate nutrition, education, and healthcare because bureaucrats and politicians have developed clever ways to arrogate their benefits and cash without fear of punishment. Add to this the problem of “invisible populations” — populations of the extremely impoverished who are not registered at birth and therefore have no official claim to benefits — and the problem of getting basic necessities to the world’s poorest seems insurmountable. India, despite being the world’s largest democracy, is no stranger to corrupt public officials. Indian bureaucrats in charge of distributing welfare benefits manage to skim off almost two thirds of welfare benefits intended for the destitute. Moreover, few poor people in India can prove who they are. They have no driver’s license or official identity of any kind. This only enables middlemen to more easily pretend that they have delivered benefits to the intended beneficiaries. India, however, has decided to do something about this waste and graft. It is something quite remarkable.
The Economist reported that India is slated to enroll its 200 millionth member in its Unique Identity Program (UID). UID promises to revolutionize the distribution of welfare benefits in India and help lift millions out of poverty. Under the UID scheme, each Indian is eligible to apply for a unique, 12-digit identification number, a so-called Aadhaar number, linked to that person’s biometric data. The program matches welfare benefits to personalized identifiers such as fingerprints and iris scans. If the UID lives up to its promise, it will eliminate the middlemen—corrupt bureaucrats who often fabricate fake welfare recipients and pocket the benefits—and therefore improve the disposable income and life chances of an “invisible” and forgotten underclass.
And there are other, far-reaching benefits. A national identification system would allow banks and credit companies to reliably track an individual’s credit history for the first time. This would incentivize financial institutions to extend credit to individuals who are currently on the margins of society and need credit to smooth consumption and invest in human capital. If adopted by credit bureaus, this could help displace informal money lenders who charge onerous interest rates and curb predatory lending practices. An Aadhaar number for every Indian could even be linked to school records and medical records, providing portability and reliability for the first time and making education and healthcare more efficient. Depending on what the government is permitted to do with the data, the UID program could be used in contexts as far ranging as voter registration and the provision of driver’s licenses to epidemiology and targeted advertising.
This gets us to the question of data protection. There is growing opposition to the UID program, which is not surprising given the vested political and economic interests involved. The opposition to the Aadhaar number may not be entirely without merit, however. As activists and parliamentarians are increasingly pointing out, India currently has no privacy law in place. What nefarious things could the government do with such a vast database of information? Could governments use the data to influence voting patterns? What protections are in place to prevent unauthorized use of the data? Would the government be allowed to share the data, or sell it to third parties?
Although these are valid concerns, I think The Economist probably says it best:
India plainly needs better data protection law, but even if the existing rules remained unchanged, the threat to liberty would be dwarfed by the gains to welfare: to people who live ten to a room, concerns about privacy seem outlandish.
In my paper on data protection laws in Chile, I argue that there is no such thing as a universal privacy norm. Rather, feelings and intuitions about the optimal level of privacy vary by time and place. Moreover, there are trade-offs to strong data protection laws: protecting data increases transaction costs and can have real effects on economic growth, especially in the credit sector. The reality of these trade-offs, combined with differing cultural preferences for autonomy, results in widely diverging concepts of the appropriate level of privacy and data protection across countries.
Take, for example, the social security number system. Americans have gotten comfortable with the idea that most government transactions, and even commercial transactions of a certain caliber – like buying a house – require the provision of a social security number. And a social security number is very similar to the Aadhaar number: it is a single number that identifies us with the U.S. government for the purpose of the provision of benefits and, except in rare circumstances, it is tied to us throughout our lives. There is no biometric data involved in the U.S. social security number system, but as one commentator noted, one can imagine that if the system were implemented today, biometric data may very well have been used.
On the other hand, while many European nations have national identification systems, the concern over function creep has arguably been greater in Europe than it has been in the United States. Austria restricts the use of social security numbers to social security, taxes, education and other administrative areas. European nations have flatly rejected the use of biometric data in their national identity cards. Britain, Norway, the Netherlands and Ireland have all squelched proposals to include biometric data in national identification systems.
South America inhabits the other end of the spectrum. Chileans are required to write their national identification numbers below their signatures every time they enter into a credit card transaction. Americans would likely find the Chilean system intrusive and dangerous: imagine providing your social security number to every merchant with whom you do business. Moreover, the use of biometrics in Chile is extensive, and fingerprints and facial recognition technology can be found in airports and contexts as far ranging as healthcare, banking and retail.
Much of this cross-national variation can be explained by where citizens choose to locate themselves on the trade-off between privacy and convenience. Until recently, Chileans have not agitated for increased data protection and privacy laws, even though their consumer histories are tracked throughout their lifetimes, and gargantuan data breaches have exposed such intimate details as their children’s school routes home. Why? Because they have done pretty well without them. Chile’s economy is the strongest in South America. It enjoys first world status on a continent of third world countries. I believe that Chileans are – rightly – concerned about upsetting the delicate balance that has transformed Chile from a poor backwater to a vibrant economy.
So, is privacy, as The Economist suggests, a rich person’s problem? Yes and no. As economies grow and citizens get richer, trade-offs change. With three square meals on the table and education for our children, we might be willing to stand in longer lines at the bank in exchange for some autonomy and peace of mind about the security of our financial information. On the other hand, some aspects of our cultural attitudes towards privacy are less susceptible to change. After all, if privacy were purely an outgrowth of wealth, one would expect a direct correlation between a country’s wealth and its demand for privacy, at least among the world’s democracies, where voters’ preferences influence laws. The United States, however, has much weaker protections than the nations of Europe. Argentina, on the other hand, has been recognized as having some of the best data protection laws in the world, yet it is only the world’s 22nd largest economy. (India is the world’s 4th largest.)
While more research is needed, the idea that privacy is tied to a country’s political culture – and not just its economic climate – has both empirical and theoretical support. In the late 1970s and early 1980s, Dutch social psychologist Geert Hofstede conducted hundreds of interviews with IBM employees from over 53 countries. See generally, Geert Hofstede, Cultures and Organizations: Software of the Mind (McGraw Hill 1991). Because every individual in the sample belonged to the same corporate culture, Hofstede was able to observe variance across national cultures. Hofstede found four central dimensions upon which cultures varied significantly: power-distance, individualism/collectivism, femininity/masculinity, and uncertainty avoidance. Across these dimensions, Hofstede found significant variation among countries, as well as among regions.
With respect to privacy in particular, law professor James Whitman argues that there are two different cultural conceptions of privacy in the Western world: the dignity perspective and the liberty perspective. See The Two Western Cultures of Privacy: Dignity Versus Liberty, 113 Yale L.J. 1151 (2004). He argues that privacy values are culture-specific:
We do not seem to possess general ‘human’ intuitions about the ‘horror’ of privacy violations. We possess something more complicated than that: we possess American intuitions – or, as the case may be, Dutch, Italian, French or German intuitions.
Or, as the case may be, Indian intuitions. So what kind of privacy protections would India have, if we were to hold economic growth constant? Are Indian attitudes more like European attitudes or Chilean attitudes? It is difficult to tell. A pair of surveys by Ponnurangam Kumaraguru and Lori Cranor (here and here) suggests that Indians’ notions of privacy are different than those of Americans. For example, the authors found that, when questioned about privacy, most Indians think of privacy in terms of personal space and individuals, while people from the United States think of financial information and identity theft. 89% of those from the United States disagree with the statement that “data security and privacy are not really a problem because I have nothing to hide,” whereas only 21% of those from India disagree.
While the surveys indicate that there may be differences in cultural attitudes towards privacy between the United States and India, the surveys do not differentiate those privacy notions that stem from purely economic circumstances (why care about your financial information if you don’t have a bank account) versus those that are tied to distinctly Indian notions of privacy. And this is not surprising. At this stage, I think that the pressure on Indian politicians to grow the economy and do something about the hundreds of millions of Indians that live in poverty today largely obscures any independent notions that Indians have about autonomy and the right to privacy. In other words, the trade-offs in India are so stark that cultural attitudes play little to no role at this point in Indian history.
Take, for example, the new provisions in India’s Information Technology Act (“IT Act”) implemented in 2011. The truth is, India does have data protection laws in place – it just does not have a stand-alone data protection or privacy law. Rather, on April 11, 2011, the Indian Ministry of Communications and Technology published rules implementing certain provisions of the Information Technology Act of 2008 dealing with: (a) protection of sensitive personal data: security practices and procedures to be followed by organizations dealing with sensitive personal data; (b) due diligence to be observed by intermediaries; and (c) guidelines for cybercafés. The provisions related to the protection of sensitive data are similar to those found in the U.K. Data Protection Act of 1998 and appear to achieve the baseline of security around personal information set by the E.U. Data Protection Directive. Accordingly, the provisions were likely a bid for a favorable classification from the European Commission – a political body that taps certain countries on the head as worthy of processing data emanating from Europe. Indeed, since the Y2K scare when companies looked to India for inexpensive, 24-hour data processing needs, India has processed a sizable chunk of the world’s data.
A few short months after the IT Act amendment was put in place, however, the Ministry of Communications and Technology began issuing a series of “clarifications.” Most notably, one of the clarifications provided that, while sensitive data collected in India required the data subject’s written consent and other protections, those protections did not extend to data collected abroad and exported to India for processing alone. Leaders and lawyers of the world’s largest companies breathed a sigh of relief and India continued to process the world’s data.
The moral of the story of India’s 2011 IT Act Amendments is twofold. First, at this juncture in history, India’s data protection laws do not appear to reflect any homegrown attitude towards privacy and autonomy. Rather, as Indian lawyer Raghunath Ananthapur has noted, “India is probably reacting primarily to international pressure in an effort to grow and sustain its data protection industry.” The second lesson we learn from this saga is that India does in fact have data protection laws. Are these laws strong enough to thwart data breaches and ensure individuals’ security as India embarks on the UID program — the world’s largest data collection effort in history? Probably not. But given the trade-offs that hundreds of millions of Indians face today, I would venture that this is a risk that Indians are willing to take.
An Economist article about opposition to the UID program.
An excellent primer on the UID program written by a team of Indian bloggers.
A good summary of the use of biometric data around the world can be found.