The law plays catch up with technology because new technology creates new possibilities. For example, the invention of the internal combustion engine led to the concept of speed limits and driving licences. Electricity, the telegraph, radio and telecommunications and of course, the internet, have all triggered webs of mutating legislation.
The laws regarding forensic science and the current gold standards of biometric ID proof could be headed for a breakdown. Biometrics has always had an India connection. William James Herschel, the grandson of astronomer Frederick William who discovered Uranus, was an ICS officer in Jangipur, Murshidabad District, in the 1850s. He figured out fingerprints were unique and used them in legal documents. The Bengal Presidency then pioneered the use of fingerprints to identify criminals.
Biometric technology now includes iris scans, and DNA profiling is also an ID tool. Biometric data is accepted as a means of ID as well as key evidence in criminal cases. It is also used as sign-ons for personal electronics and collected as part of the visa issuance process by governments.
The Aadhaar database famously depends on biometrics to issue a unique ID. Aadhaar is now said to have enrolled over a billion individuals. The government is attempting to make Aadhaar linkages mandatory for pretty much everything from filing IT returns, to buying railway tickets, to owning a mobile connection, to payment of pensions and subsidies. In addition, Aadhaar is used by the private sector for multiple KYCs and verifications.
Anything involving a billion IDs linked to hundreds of different databases will always be insecure. Aadhaar has seen data breaches on a daily basis. At least 130 million Aadhaar accounts — over a tenth of the total database — are known to have been exposed in public domain.
There are huge privacy concerns, given an opaque UIDAI Act, the lack of a privacy law and data-security laws. The government has repeatedly argued that individuals don’t have a right to privacy, in order to evade its responsibility in formulating and legislating a Privacy Act. The Supreme Court will have to put together at least a seven-member Bench to clarify contradictory previous judgments on privacy issues, including the key case of Kharak Singh vs The State of UP & Others (December 18, 1962). It has not done so.
This entire debate might soon become irrelevant. The utilisation of biometrics across multiple domains and the storage of biometrics in digital form has also created a major incentive to spoof biometric IDs and of course, this is possible. Faking biometric data — pretending to be somebody you are not — is a high-reward industry.
There are many ways of deriving biometric data, including Aadhaar leaks and hacks of visa databases, etc. Faking fingerprints can be as easy as using fevicol and playdoh, or as complicated as printing skin-thin latex gloves with required prints on a high-end 3-D printer. “Iris-faking” can involve the analysis of high-resolution pictures to derive iris pattern followed by wearing contact lens to spoof the iris. Israeli scientists have demonstrated that it is also possible to fake DNA.
Much of this information is publicly accessible, in academic papers and even on YouTube. German researchers have publicly demonstrated that they could fake the iris scans of Angela Merkel and the iris scans and fingerprints of the German defence minister, Ursula von der Leyen.
As faking technology scales up, it will become easier and soon it could involve nothing more complex than Googling. Courts around the world will then be flooded by cases alleging spoofing of biometrics and DNA. There will be accusations everywhere that law enforcement authorities are faking evidence to gain criminal convictions.
That will first, result in a race to build biometric ID systems that are harder to fake. But it will also destroy the credibility of biometrics as an infallible means of ID. I’d guess that biometrics will be junked as a reliable basis for proving ID sometime within the next decade. The folks who are spoofed and robbed of their identity in the interim will just have to be written off as collateral damage.
Twitter: @devangshudatta
One subscription. Two world-class reads.
Already subscribed? Log in
Subscribe to read the full story →*Subscribe to Business Standard digital and get complimentary access to The New York Times
Smart Quarterly
₹900
3 Months
₹300/Month
SAVE 25%
Smart Essential
₹2,700
1 Year
₹225/Month
SAVE 46%
*Complimentary New York Times access for the 2nd year will be given after 12 months
Super Saver
₹3,900
2 Years
₹162/Month
Subscribe
Renews automatically, cancel anytime
Here’s what’s included in our digital subscription plans
Exclusive premium stories online
Over 30 premium stories daily, handpicked by our editors
Complimentary Access to The New York Times
News, Games, Cooking, Audio, Wirecutter & The Athletic
Business Standard Epaper
Digital replica of our daily newspaper — with options to read, save, and share
Curated Newsletters
Insights on markets, finance, politics, tech, and more delivered to your inbox
Market Analysis & Investment Insights
In-depth market analysis & insights with access to The Smart Investor
Archives
Repository of articles and publications dating back to 1997
Ad-free Reading
Uninterrupted reading experience with no advertisements
Seamless Access Across All Devices
Access Business Standard across devices — mobile, tablet, or PC, via web or app
SAVE 25%