Biometric IDs and privacy safeguards

Wednesday, 15 November 2017 00:04

By Ravi Ratnasabapathy

News reports have announced the issue of new electronic identity cards (E-NICs). 

This is not just a card; it is an identity management system with multiple layers: the NRP (National Registry of Persons), which checks and numbers every individual in the population and requires many personal and family details, including fingerprints, to be disclosed and kept updated; the card itself; possibly a widespread scanner network (needed for verification) together with secure (one hopes) infrastructure connecting it to the central database; provision for use across the public (and possibly private) sectors; and data-sharing between organisations on an unprecedented scale.

Some Western countries do have ID cards but these are not comparable – most ID cards are limited in use, with strong legal privacy protections to minimise data sharing and secured by modern encryption methods.

In the absence of data protection laws what concerns does this pose for citizens? 

Fair Information Practices (FIP) offer guidance on how the privacy of people should be managed. FIPs are a set of principles/practices that describe how an information-based society may approach information handling with a view to maintaining privacy and security. Drafted by the OECD, they are the foundation for most national laws governing data protection. 

Sri Lanka has no privacy/data protection laws, but hitherto privacy has been protected by the fact that most data is held either in manual form or on isolated computer systems. Information was never shared and, if needed for investigative or other purposes, would have been provided only with a court order. No longer; wide powers have been granted to the Commissioner-General, his officials and other authorities to collect and record any personal details from all public, and potentially private, databases. 

Further, the use of biometrics brings about certain unique challenges which must be understood.

Implications of biometrics

First, biometrics such as fingerprints establish a verifiable link between a person and a credential such as an ID card or a database. This provides a feature not available in other identification systems: comparison of the biometric of an unknown individual against the database to uncover an identity. Hitherto a name, a number or other details would be necessary to search the database. Now it may potentially be searched with a fingerprint accidentally left on an object.

A biometric identifier may work today only under ideal conditions with bright lights, close proximity, and a cooperative data subject. In future, advances in technology may enable the collection of a biometric without the data subject’s consent, while that data subject is walking down a public street at some distance from the sensor; for example, using facial recognition technology.

Second, biometrics are difficult to change in the event that an ID card or a database record is compromised. A Personal Identification Number (PIN) or password can be easily cancelled and reissued; changing fingerprints is impossible.

These create new threats to privacy and security which can only be addressed through a strong legal framework. 

The principles of Fair Information Practice are:

1. Collection Limitation Principle

There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

The less information is collected the better. A biometric identification system might be able to function with only a name and one or more biometrics. Gender and date of birth might be important depending on the intended uses for the identifier. Each data element collected should be evaluated and debated. The casual inclusion of information that “might be useful someday” should be resisted.

The Sri Lankan E-NIC blatantly violates this principle. Instead of limiting the data to the individual, the system collects detailed information on an individual’s family, enabling the construction of complete family trees along with emails and phone numbers. If the system is about establishing ID, family details are unnecessary. An individual’s identity is independent of the family. Our current IDs and passports carry no family details. Why is this necessary in the E-NIC?

2. Data Quality Principle

Personal data should be relevant to the purposes for which they are to be used and, to the extent necessary for those purposes, should be accurate, complete, and kept up-to-date.

The relevance standard of the data quality principle is consistent with the collection limitation principle. Data that is neither necessary for nor relevant to the ID system should not be collected or maintained. 

3. Purpose Specification Principle

The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes. 

4. Use Limitation Principle

Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with [the Purpose Specification Principle] except:

a) with the consent of the data subject; or 

b) by the authority of law.

The purpose specification principle works together with the use limitation principle. The specification of the purposes for any personal data processing implements the general policy that data collected for one purpose should not be used for another purpose.

This is how the present manual systems work – we provide information to the Land Registry, RMV or EPF for a particular purpose. The departments use it for internal purposes only and do not share the data with other agencies except when ordered by court. The proposed central database will share information with other agencies for a variety of purposes including prevention or detection of crimes without a court order. 

A biometric identification system can be used, consistently with the data quality principle, for a wide variety of identification activities. However, using an identification system for other purposes would violate the purpose and use principles.

A more questionable activity is the use of an identification system for general purpose surveillance. An identification system that maintains location or transactions may allow police or other government agencies to track individuals. Any identification system runs the risk of becoming a general purpose surveillance system in the absence of clearly defined limits.

This is clearly the greatest concern with Sri Lanka’s proposed system. The Act seems to specify that this is for the purpose of establishing identity but clear limitations on use are not in place. Newspaper reports inform us that this seems to be an all-purpose solution including for tax, property, banking as well as national security. 

One way to control abuse is to ensure that notification or consent is obtained when information is accessed. The simplest way to achieve this is for the database to be encrypted and accessible only with a unique PIN or password known only to the user. Whenever the user needs to access a service, the PIN/password is used to verify the record. Except when the user provides the PIN/password, the database, being encrypted, is unintelligible, and the user is in control of how the data is accessed.

The available information on the E-NIC points to a surveillance system similar to Pakistan’s, on which it is modelled: a wide basic dataset, access to all Government (and possibly private) databases, wide powers to share, and no restrictions on tracking. 

5. Security Safeguards Principle

Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data.

6. Openness Principle

There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.

The openness principle requires that any data subject be able to learn of the existence of a processing operation, who is the data controller for that processing, and what personal data is being processed.

Sri Lanka’s system is shrouded in secrecy, and even attempts to obtain basic information through RTI requests have not yielded results. Data may be shared amongst different agencies without the knowledge or consent of citizens.

7. Individual Participation Principle

An individual should have the right: 

a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him;

b) to have communicated to him, data relating to him within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner; and in a form that is readily intelligible to him; 

c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and

d) to challenge data relating to him and, if the challenge is successful to have the data erased, rectified, completed or amended.

8. Accountability Principle

A data controller should be accountable for complying with measures which give effect to the principles stated above.

The position of Data Controller is usually created under privacy/data protection legislation, and its holder is then held accountable for complying with measures which give effect to the principles.

Accountability measures include civil/criminal penalties, administrative enforcement, internal or external audits, complaint processing, a privacy office and more.

The project is going ahead with no public consultation. Individuals do not have the right to know what data is held or to challenge incorrect data. There is no central authority to hold accountable for loss or misuse of data.

The legal system has not kept pace with advances in technology; the extent of the gap becomes self-evident when we examine the project through the FIP principles. 

If we are to embrace technology we must do so only with the soundest of legal safeguards in place. Without proper data protection laws in place the E-NIC project should not go ahead.