Sensitivity of Data
Biometrics have become a very popular authentication and authorization mechanism. A lot of financial authorization happens with fingerprints, and in India they are also used for PDS and subsidies. One of the major factors in their use is that they are considered foolproof and using them requires no effort. The one thing to realize about biometrics is that you cannot reset them: you cannot replace your finger. If a password is compromised, you can change it. You can use something that’s longer, more complex, and difficult to guess. If a biometric such as your fingerprint or retina scan is compromised, how would you change or update it? That would be scary, impossible, and frustrating.
Considering the seriousness of biometric data, in India the collection, storage and handling of biometric data are governed by the information technology law contained in the Information Technology Act, 2000 (IT Act), primarily through the rules framed under it. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (Privacy Rules) lay out the specific conditions that regulate personal information and sensitive personal data or information, including biometric data. Some of the key applicable conditions are as follows:
1. Collection: To collect biometric data from a person, a body corporate (Entity) is required to obtain the data subject’s written consent regarding the collection and usage of such data. This consent would mean giving the data subject the option not to provide the biometric data sought. Given its sensitive nature, biometric data can be collected only for a lawful purpose which is connected with and essential to the Entity’s function.
2. Retention: Once the purpose is fulfilled, the Entity can no longer retain the biometric data collected by it.
3. Disclosure: To disclose any biometric data to a third party, the Entity must obtain the data subject’s permission. This permission may be obtained under the contract between the Entity and the data subject. Disclosure may also be made for compliance with law, or to government agencies mandated to obtain information, which may be for identity verification, or for prevention, investigation, prosecution and punishment of offences.
4. Transfer: Biometric data can be transferred to any other person, in India or outside, only with the concerned data subject’s consent to the transfer, or if the transfer is necessary for the performance of a lawful contract between the Entity and the data subject. An important condition attached to such a transfer is that the recipient needs to ensure the same level of data protection as the transferring Entity.
Additionally, an Entity handling biometric data needs to implement and maintain ‘reasonable security practices and procedures’. If an Entity’s failure to implement ‘reasonable security practices and procedures’ results in wrongful loss to the data subject or wrongful gain to the Entity or any person, such Entity is liable to pay damages as compensation to the affected.
Ease of Cloning & Spoofing
Fingerprints are very easy to clone. Just a single search on Google will show you how people have used impressions on paper, gum, gummy candy and whatnot to easily spoof fingerprints. When fingerprints are used primarily for attendance, it has been observed that people game the system by using 2 of their fingers to register themselves and their other fingers to register others. This way they are able to fill in attendance for their colleagues without any issues.
Blue-collar staff sometimes have the lines on their fingers damaged, leading to a poor capture and match. The problem is more pronounced with continuous usage in outdoor conditions. When a user enrolls in a biometric system, his or her information is likely recorded in a well-lit, stable, predictable environment. But in the recurring use of the sensor, the conditions will not be ideal, and will probably have degraded. Scanners get soiled as they pick up dust and grease from fingers. This opens up some issues, ranging from the simple inability to access a system to the misidentification of an individual. In practice, these problems can have significant implications.
Fingerprints should be kept in the scanner device. Even on the device they should be encrypted and stored in device memory. They should not be transmitted over the network, even in encrypted form, or stored anywhere else. Even Google doesn’t store any fingerprints in the cloud or otherwise; it saves them locally on the mobile device, in physical memory which cannot be accessed by normal CPU processes.
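One way to apply the keep-it-on-the-scanner rule above, as an added example that is not from the original article: the scanner matches locally and returns only a keyed yes/no assertion bound to a server nonce, so neither the template nor the sample crosses the network. The Scanner and Server classes, the shared device key and the bit-comparison matcher are assumptions for illustration; a real device would also keep the template encrypted in protected memory.

```python
import hashlib
import hmac
import secrets

MATCH_THRESHOLD = 0.90  # assumed similarity cut-off for this toy matcher

def similarity(a: bytes, b: bytes) -> float:
    """Toy matcher: fraction of equal bits (stand-in for a real minutiae matcher)."""
    if len(a) != len(b):
        return 0.0
    diff = sum(bin(x ^ y).count("1") for x, y in zip(a, b))
    return 1.0 - diff / (8 * len(a))

class Scanner:
    """Hypothetical scanner: the enrolled template never leaves this object."""
    def __init__(self, device_key: bytes):
        self._key = device_key      # assumed: provisioned once, shared with the server
        self._templates = {}        # user_id -> template, held on the device only

    def enroll(self, user_id: str, template: bytes) -> None:
        self._templates[user_id] = template

    def verify(self, user_id: str, sample: bytes, nonce: bytes) -> dict:
        """Match locally; send back only a keyed assertion over the outcome."""
        stored = self._templates.get(user_id)
        matched = stored is not None and similarity(stored, sample) >= MATCH_THRESHOLD
        msg = nonce + user_id.encode() + (b"\x01" if matched else b"\x00")
        tag = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        return {"user_id": user_id, "matched": matched, "tag": tag}

class Server:
    """Hypothetical back end: holds a device key and nonces, no biometric data."""
    def __init__(self, device_key: bytes):
        self._key = device_key
        self._pending = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def accept(self, nonce: bytes, assertion: dict) -> bool:
        if nonce not in self._pending:      # unknown or replayed challenge
            return False
        self._pending.discard(nonce)        # each nonce is single use
        flag = b"\x01" if assertion["matched"] else b"\x00"
        msg = nonce + assertion["user_id"].encode() + flag
        expected = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, assertion["tag"]) and assertion["matched"]
```

The only fields in the assertion are the user ID, the match result and the tag, so a capture of the network traffic yields nothing that could be replayed as a fingerprint.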