This article is written by Anushruti Shah who is pursuing a Diploma in Cyber Law, FinTech Regulations, and Technology Contracts from LawSikho.
Table of Contents
Introduction
Evolving technologies and increasing internet penetration have led to an increase in a world of anywhere, anytime convenience in the palm of one’s hand. Many apps now use biometric authentication, such as fingerprint scanning or facial recognition, to add an extra layer of security to their apps or devices. For example, a user of such applications may be required to provide a fingerprint scan before the application will allow him to access personal and sensitive data in order to authenticate the transaction when purchasing something, accessing a mobile application, or performing various other tasks on the mobile phone.
These technologies are often regarded as necessary to help in safeguarding the personal data of individuals and serve as useful objects in identifying fraudulent transactions. As the benefits and popularity of biometrics in cyberspace increase, so have the concerns of privacy advocates and regulators who are apprehensive that these technologies possess the potential for grave abuse if such data is compromised. In the current situation, lawmakers have addressed the problem of data security primarily through legislation aimed at preventing or properly notifying consumers and regulatory agencies of the unauthorized disclosure and potential misuse of numerical or factual data associated with the user. This article intends to delve deep into the topic of biometric data and identify the cybersecurity issues that come along with it while also identifying the current legal landscape for biometric data protection.
Background
What is biometrics?
The term biometrics is derived from the Greek words bio, meaning life, and metric, meaning to measure. The definition of biometric data can vary depending on the context. However, biometrics usually refers to unique and “measurable human biological and behavioral characteristics that can be used for identification, or the automated methods of recognizing an individual based on those characteristics.” While statutory definitions vary according to different cases and jurisdictions, some common examples of these “biometric identifiers” include “retina or iris scans, fingerprints, voiceprints, and scans of hand or face geometry.” As such, biometric data is the “information derived from biometric identifiers.”
The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (Privacy Rules) lays out the specific conditions under which such personal information and sensitive personal data or information, including biometric data, are governed.
Rule 2 (b) of the 2011 rules defines biometrics as “Biometrics means the technologies that measure and analyze human body characteristics, such as ‘fingerprints’, ‘eye retinas and irises, ‘voice patterns’, ‘facial patterns’, ‘hand measurements’ and ‘DNA’ for authentication purposes”
Besides this, Clause 3(7) of the Personal Data Protection Bill also defines biometric data as;
“biometric data means facial images, fingerprints, iris scans, or any other similar personal data resulting from measurements or technical processing operations carried out on physical, physiological, or behavioral characteristics of a data principal, which allow or confirm the unique identification of that natural person;”.
Kinds of biometrics
Biometrics can mostly be labeled into three groups:
- Biological biometrics
Biological biometrics use characters at a ‘genetic’ and ‘molecular level’. These may include features like DNA or blood, which might be assessed through a sample of your parts or body’s fluids.
- Morphological biometrics
Morphological biometrics are concerned with the shape of the body. More physical characteristics, such as the eye, fingerprint, or face shape, can be mapped for use with security scanners.
- Behavioral biometrics
Behavioral biometrics are focused on patterns that are specific to each person. If these habits are tracked, how you move, talk or even type on a keyboard may form a part of your identity.
Why should biometric data be protected?
- Characteristics of biometric data necessitate protection
The inherent characteristics of biometric data necessitate protection because they are derived from biometrics, and biometrics by their very nature are “unlike other unique identifiers.” Biometrics are “biologically unique to the individual” and, unlike other forms of sensitive information, these unique identifiers cannot be changed. As a result, once compromised, the user has no recourse and is at an increased risk of identity theft, and is likely to avoid biometric-enabled transactions.
- Biometric data protection is critical for the enjoyment of the Right to Privacy
The Supreme Court’s decision in Puttaswamy v. Union of India (Puttaswamy I) on August 24, 2017, provided some clarification on the question of privacy as a fundamental right. Prior to the judgment, India had a wide interpretation of an implied right to privacy, but its boundaries were unclear.
However, on September 26, 2018, the Supreme Court upheld the Aadhaar scheme’s constitutional validity, ruling that the “Aadhaar Act” does not violate your right to privacy when you consent to share biometric data. Though private entities are no longer allowed to use Aadhaar cards for KYC authentication, they can continue to be used for a number of other purposes, such as PAN cards and ITR filing.
With the advancement of technology, which has created new avenues for the state to violate privacy, such as surveillance, profiling, and data collection, there is an urgent need for enacting laws for privacy rights. Countries are increasing their use of technology in response to global terrorism threats and heightened public safety concerns.
Big data and digital footprints can be analyzed to reveal patterns, trends, and associations, especially those related to human behavior and interactions. With technological advancements come new concerns about how such sensitive information can be disseminated and processed by the government, especially as engineers develop more efficient algorithms and more computational power.
Even though the Aadhar Act has been declared constitutional, there should be safeguards to the system. The part of the Puttaswamy I judgment that discusses data protection and privacy states that “any collection of personal information that would impact privacy must have a law to back it.” Accordingly, in order to ensure the success of Aadhaar, India must pass comprehensive privacy legislation that provides “judicial remedies and other enforcement mechanisms for preventing privacy violations.” Considering that the right to privacy has been declared a protected right under the Indian Constitution, this task should be made easier.
- Biometric data brings along with itself cybersecurity issues
Biometric authentication is quickly becoming the preferred method of protecting businesses and individuals from hackers. Such information is used by hackers to commit fraud and identity theft. Fingerprint scanners, iris scans, and facial recognition are now prevalent. This technology provides major benefits in the battle against cybercrime, but it is not without risks. Individuals and organizations must be mindful of two major problems in order to protect themselves and their digital information:
- Individuals should be alert that fingerprint or facial recognition can be ‘hacked,’ by cybercriminals attempting to steal or forge biometric data.
- Organizations that store patient medical histories, blood samples, or DNA profiles, such as hospitals, must consider the security ramifications of a data breach, as well as their possible liability.
Biometric spoofing: the emerging threat
Spoofing is the act of deceiving a biometric security system by using forged or copied biometric data. A fingerprint, for example, can be stolen, replicated, and molded into an artificial silicon finger. (Just like the Bareilly Case which can be read here.) This can be used to gain access to a user’s bank account by unlocking a mobile device or payment system. Facial recognition systems, which are often used to protect smartphones and tablets, have been known to be vulnerable to simply being shown a photograph of the user, unlocking the device.
Companies are constantly improving technology to keep one step ahead of hackers, but people leave fingerprints and DNA, such as saliva on a coffee cup, everywhere they go, opening up a plethora of opportunities for fraud. If your credit card is stolen then, you simply get a new one and cancel the old one. However, replacing a stolen and replicated fingerprint or DNA sample is practically impossible. To remain one step ahead of cybercriminals, technology companies must address key security questions raised by biometric security systems, such as how to securely store this information, prevent spoofing, and, most importantly, verify the user’s authenticity.
Biometric data: the current regime in India
Currently, the collection, storage, and handling of biometric data are regulated by information technology law, specifically the “Information Technology Act, 2000 (IT Act)” and the laws framed within it. This is “The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (Privacy Rules),” which outlines the basic requirements that regulate personal information and sensitive personal data, including biometric data. Aside from that, some other laws address particular uses of biometric data, such as authenticating an individual’s identity through the Aadhaar card.
Regulation of biometric data in India
At the moment, Indian law demands that the same rules that must be followed when dealing with sensitive personal data or information be applied when possessing, dealing with, or handling biometric data. However, it is important to remember that the IT Act governs biometric data since such data can be obtained and processed using a computer resource and is considered a type of personal data.
The Privacy Rules define ‘personal information as information that relates to a natural person and can be used to identify that person, either alone or in combination with other available information (Personal Data). Furthermore, “sensitive personal data or information” for an individual is a type of Personal Data relating to the person’s sensitive details that require a higher degree of confidentiality, such as a password, some financial information relating to a bank account or cards, or biometric information, among other things (Sensitive Data). In general, Privacy Laws have a higher degree of security and tighter rules for processing, dealing with, or handling any data or information classified as Sensitive Data. Since biometric data has been categorized as Sensitive Data, the protections that apply to Sensitive Data must be followed when dealing with biometric data. It establishes guidelines for data collection, retention, disclosure, and transfer, among other things.
Furthermore, an entity handling biometric data must follow and implement “reasonable security practices and procedures, the failure of which results in wrongful loss or gain to the entity or any individual, in which case the entity is liable to pay damages as compensation to the person affected. The IT Act is an exception to the general rule for damages in India, and it states that if the wrongful gain is proven, the violator entity must compensate the data subject without the data subject has to prove that he or she suffered a wrongful loss as a result of the entity’s negligence in implementing reasonable security practices and procedures in handling biometric data.
Biometric data and Personal Data Protection Bill
The Indian government appointed an expert committee, chaired by Justice B. N. Srikrishna, submitted to the government a draft bill titled “Personal Data Protection Bill.” The Bill establishes India’s data security regime and is expected to replace the current framework. The Bill is currently in draft form. A change from the current Privacy Rules is suggested in the form of a cross-border transfer of biometric data, with the transfer proposed to be in accordance with model contract clauses agreed by the Data Protection Authority (envisioned under the Bill). Furthermore, the Bill proposes that a copy of such data be maintained in an Indian data center. Penalties have been proposed for violating laws regulating biometric data processing or collecting, disclosing, transmitting, or selling biometric data deliberately, knowingly, or recklessly.
Conclusion
To summarise, the existing Indian legal regime considers biometric data as sensitive data under the Privacy Rules, and the Aadhaar Act specifies a particular use-case for biometric data, which is authentication. Furthermore, the potential uses and misuses of biometric data are unknown, which is why it is important to secure this type of critical data.
References
- https://www.mondaq.com/india/privacy-protection/857992/biometric-data-regime-in-india#:~:text=To%20summarize%2C%20the%20current%20Indian,which%20is%20for%20authentication%20purposes.
- https://www.kaspersky.com/resource-center/definitions/biometrics
- https://lifars.com/2020/05/biometrics-and-cybersecurity/
- https://www.cnahardy.com/news-and-insight/insights/english/cyber-securit-the-future-risk-of-biometric-data-theft
- https://www.thalesgroup.com/en/markets/digital-identity-and-security/government/inspired/biometrics
- https://us.norton.com/internetsecurity-iot-biometrics-how-do-they-work-are-they-safe.html
- https://www.sans.org/reading-room/whitepapers/authentication/paper/850
- https://securityintelligence.com/posts/biometrics-for-enterprise-security/
- https://www.securitymagazine.com/articles/92319-biometric-data-increased-security-and-risks
- https://www.identitymanagementinstitute.org/security-and-privacy-risks-of-biometric-authentication/
- https://www.darkreading.com/endpoint/biometrics-are-coming-and-so-are-security-concerns/a/d-id/1331536
- https://repository.law.miami.edu/cgi/viewcontent.cgi?article=4570&context=umlr
- https://privacyinternational.org/state-privacy/1002/state-privacy-india
Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.
LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join:
