Mozilla's Open Letter To Expert Committee Drafting India's First Data Protection Law Slams Aadhaar Biometric Identity System
from the the-lizard-wrangler-speaks dept
Techdirt has been covering India’s monster biometric database, Aadhaar, since 2015. Media in India, naturally, have been on the story longer, and continue to provide detailed coverage of its roll-out and application. But wider knowledge of the trailblazing identity project remains limited. One international organization that has been working to raise awareness is Mozilla, home of the Firefox browser and Thunderbird email client.
Last May, an opinion piece entitled “Aadhaar isn’t progress — it’s dystopian and dangerous“, by Mozilla Executive Chairwoman and Lizard Wrangler Mitchell Baker and Mozilla community member Ankit Gadgil, appeared in India’s Business Standard newspaper. In July 2017, Mozilla released a statement on the Indian Supreme Court hearings on Aadhaar. A blog post in November pointed out that the Aadhaar system is increasingly being used by private companies for their services, something Techdirt covered earlier. Similarly, after it was revealed that anybody’s Aadhaar details could be bought for around $8 each, Mozilla issued a statement saying “this latest, egregious breach should be a giant red flag to all companies as well as to the UIDAI [Unique Identification Authority of India] and the [Indian] Government.”
Following the creation of a committee to draft India?s first comprehensive data protection law, Mozilla has now paid for an open letter to appear in The Hindustan Times. It was written by Baker, and co-signed by 1,447 Mozilla India community members. Although the letter welcomes the work being carried out by the committee of experts, it criticizes Aadhaar for its many failings, and points out some serious omissions in the committee’s report on data protection:
The current proposal exempts biometric info from the definition of sensitive personal information that must be especially protected. This is backwards, biometric info is some of the most personal info, and can?t be “reset” like a password.
The design of Aadhaar fails to provide meaningful consent to users. This is seen, for example, by the ever increasing number of public and private services that are linked to Aadhaar without users being given a meaningful choice in the matter. This can and should be remedied by stronger consent, data minimization, collection limitation, and purpose limitation obligations.
Instead of crafting narrow exemptions for the legitimate needs of law enforcement, you propose to exempt entire agencies from accountability and legal restrictions on how user data may be accessed and processed.
Your report also casts doubt on whether individuals should be allowed a right to object over how their data is processed; this is a core pillar of data protection, without a right to object, consent is not meaningful and individual liberty is curtailed.
On a Web page called “Key challenges and the way forward“, Mozilla calls on the Indian government to “pause further roll out of Aadhaar until the major problems with Aadhaar have been addressed.” It also has a further suggestion:
The Indian government must release Aadhaar as true open source software rather than use language of open source, and encourage the use, development, and adoption of open source as a pillar of the Aadhaar system
Of course, you might expect an open source foundation like Mozilla to say that, but nonetheless it’s good to see what is at heart a software organization engaging with global problems that affect huge numbers of people in this way. Others should do the same.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Filed Under: aadhaar, biometrics, database, india, privcy
Companies: mozilla
Comments on “Mozilla's Open Letter To Expert Committee Drafting India's First Data Protection Law Slams Aadhaar Biometric Identity System”
Mozilla doesn't have much room to talk though: it's again getting 325 million a year from GOOGLE, after at least 3 prior years of 300 million per year. For that, Mozilla puts exceptions for GOOGLE in -- and who knows if visible are the only ones?
Taking major money from the biggest violator of privacy on the planet.
You know how necessary the SQL database is in Firefox? — NONE! I’ve deleted the 10 meg file entirely, and it rebuilds when started again. That SQL file is entirely for SPYING, it doesn’t help users at all.
So, phooey on Mozilla: it’s just the usual tactic of finding some other horror to direct attention away from own evils.
Re: Mozilla doesn't have much room to talk though: it's again getting 325 million a year from GOOGLE, after at least 3 prior years of 300 million per year. For that, Mozilla puts exceptions for GOOGLE in -- and who knows if visible are the only ones?
uh, which sqlite db would that be?
Re: Mozilla doesn't have much room to talk though: it's again getting 325 million a year from GOOGLE, after at least 3 prior years of 300 million per year. For that, Mozilla puts exceptions for GOOGLE in -- and who knows if visible are the only ones?
Have you looked into that database to see what it actually contains. Firefox has a large number of setting, many hidden away in ‘about:config’ that can be changed, and an sqlite data base is the easiest way of doing so.
Biometrics
Whether used as passwords or personal identification or by ‘legitimate law enforcement needs’ (whatever those are vs whatever they should be) should not be a final, end all system to establish who someone is. I am much more than my DNA, or iris scan, or fingerprint. Each of those may be faked. Who I am is something much, much more. And, as the article points out biometrics are not changeable. But they are fake-able. Me, I am not as fakeable.
They might lead a legitimate, appropriately conducted, law enforcement investigation to look at me closer, but they are not, in and of themselves, indicators of criminality. There are too many ways for them to be faked to be indicators of actual guilt. Watch the many TV cop shows for various examples. I could have a stone cold unbreakable alibi verified by 50 other people. What do they do with their biometrics then?
Then there is the whole non law enforcement use, which should be illegal from the get go. Why should any non government agency have access to such information? Why (other than nefarious reasons) would they need to? It is my personal information. Mine! And unless someone gives me a compelling reason to give it to someone other than the government (and their compelling reasons have some extremely serous dubious intentions) then they should not have access to it, at any price. And if they do, then the decision to share it further is up to me, not them. Even if I derive some benefit from the sharing of information. Passing it along should be opt in, and not a blanket opt in, but a case by case opt in, with full disclosure as to who and why it is being shared as well as how it will be used.
My information is my information whether it is a part of doing business with another entity or not. It is still, my information. States should not share drivers license databases (photos in the case of biometrics), ISP’s should not share IP addresses (potential location information, which does not mean a person, just a user, and the location might be which end point I choose for my VPN today), and phone carriers should not share location information (which might be someone to whom I lent my phone, but not me (which would be a great trick as I don’t have a phone)) without a warrant. Under any circumstances. And, those warrants should be hard to come by, that is, no rubber stamping and the judge in question committing some interrogatory that verifies the probable cause in front of a clerk that takes down and records for posterity (no seals) everything said.
Now I realize this article is about India, and that their laws are not the same as US laws, but the underlying principles should not be different.
The big problem is getting the governments of the world to understand that they are not in control, and that at some point they will find out so. One way or another. Do they need to control criminal activity? Yes. Do they need these things to do so? No. Are there other ways to convict criminals and OMG ‘terrorists’? Yes. They used to do so before all this ‘technology’ came about. Sometime they did it well, and sometimes they did it conveniently and therefore incorrectly. Today, they should be doing it both correctly and inconveniently. Takes more effort? So what?
Re: Biometrics
Biometrics can be permanently dismissed, with prejudice, from any security conversation by noting that it’s impossible to revoke the keys. That’s it. Done. Finished. Anyone who begins the next sentence with “But…” should be silenced immediately.
Admiral Ackbar on Aadhar: “It’s a trap!”
bAGGED, TAGGED, AND IN THE fRIG..
Social sec numbers are SUPPOSED TO BE PRIVATE.
but somewhere int he past, people hand them out as a SORT of ID, which is against the law(look it up)
NOW the Credit Bureau’s and OTHERS have gotten it into their heads that they can ASK anytime they wish.
Then comes Companies SHARING your data that they receive, and you get MORE and MORE SPAM..this is the old style from Catalog mails..and your MAIL ends up being FULL of magazines you never asked for, and TONS of other crap you never heard of.
Then comes the INTERNET BROWSER,.. before this, we could be MOSTLY Anon, running around the internet..and NOW you have to give info to ALMOST EVERY SITE, just to see it. WHICH can be collected and shared with EVERY person, company, site, ANYONE that wishes to pay a small fee for it..
With all the DATA being SWAPPED around, they can Correlate, JUST ABOUT everything about you..from your location, State, county, city, and ADDRESS, to your age, and year you were born, to how many DOGS/CATS/KIDS you have AND if you really understand this, you can ALSO Garner/gather/expect WHAT a person is watching/reading/ANYTHING. BECAUSE you BOUGHT the info from certain companies that GROW FLOWERS/PAYLESS/WALLMART/PAYLESS/HARBOR FRAIGHT/../…/… They can tell you WHAT TV you have to WHAT CAR you own..
YOU CAN..call many up and ASK to be removed from the lists..OR NOT to use your name on your SALES MAGS.. You can ask them to do many things, BUT ITS ABIT LATE..
The FUNNY part of this, is that MOST of the police forces dont know/understand this..
The Average sale of a full name and address and other info, is AROUND $200+ per name, depends on the amount of info..
Mozilla added DRM support to Firefox.