Mozilla's Open Letter To Expert Committee Drafting India's First Data Protection Law Slams Aadhaar Biometric Identity System
from the the-lizard-wrangler-speaks dept
Techdirt has been covering India’s monster biometric database, Aadhaar, since 2015. Media in India, naturally, have been on the story longer, and continue to provide detailed coverage of its roll-out and application. But wider knowledge of the trailblazing identity project remains limited. One international organization that has been working to raise awareness is Mozilla, home of the Firefox browser and Thunderbird email client.
Last May, an opinion piece entitled “Aadhaar isn’t progress — it’s dystopian and dangerous“, by Mozilla Executive Chairwoman and Lizard Wrangler Mitchell Baker and Mozilla community member Ankit Gadgil, appeared in India’s Business Standard newspaper. In July 2017, Mozilla released a statement on the Indian Supreme Court hearings on Aadhaar. A blog post in November pointed out that the Aadhaar system is increasingly being used by private companies for their services, something Techdirt covered earlier. Similarly, after it was revealed that anybody’s Aadhaar details could be bought for around $8 each, Mozilla issued a statement saying “this latest, egregious breach should be a giant red flag to all companies as well as to the UIDAI [Unique Identification Authority of India] and the [Indian] Government.”
Following the creation of a committee to draft India?s first comprehensive data protection law, Mozilla has now paid for an open letter to appear in The Hindustan Times. It was written by Baker, and co-signed by 1,447 Mozilla India community members. Although the letter welcomes the work being carried out by the committee of experts, it criticizes Aadhaar for its many failings, and points out some serious omissions in the committee’s report on data protection:
The current proposal exempts biometric info from the definition of sensitive personal information that must be especially protected. This is backwards, biometric info is some of the most personal info, and can?t be “reset” like a password.
The design of Aadhaar fails to provide meaningful consent to users. This is seen, for example, by the ever increasing number of public and private services that are linked to Aadhaar without users being given a meaningful choice in the matter. This can and should be remedied by stronger consent, data minimization, collection limitation, and purpose limitation obligations.
Instead of crafting narrow exemptions for the legitimate needs of law enforcement, you propose to exempt entire agencies from accountability and legal restrictions on how user data may be accessed and processed.
Your report also casts doubt on whether individuals should be allowed a right to object over how their data is processed; this is a core pillar of data protection, without a right to object, consent is not meaningful and individual liberty is curtailed.
On a Web page called “Key challenges and the way forward“, Mozilla calls on the Indian government to “pause further roll out of Aadhaar until the major problems with Aadhaar have been addressed.” It also has a further suggestion:
The Indian government must release Aadhaar as true open source software rather than use language of open source, and encourage the use, development, and adoption of open source as a pillar of the Aadhaar system
Of course, you might expect an open source foundation like Mozilla to say that, but nonetheless it’s good to see what is at heart a software organization engaging with global problems that affect huge numbers of people in this way. Others should do the same.