Aadhaar face authentication: Are we going to be a total surveillance state like China?
“UIDAI introduces yet another landmark technology for authentication – Face Authentication. Aadhaar Face Authentication will help all elderly or others facing issues with fingerprint authentication. Service to be launched by 1 July 2018,” tweeted Dr Ajay Bhushan Pandey, the CEO of Unique Identification Authority of India (UIDAI), adding to the fears of anti-Aadhaar activists, who have long maintained that it is a surveillance tool masquerading organised welfare.
MediaNama reported that according to UIDAI circulars, “face identification” will be only used in “Fusion Mode” and will need an additional form of authentication with a fingerprint scan, iris scan or one-time password. The agency also added that “face identification” will be provided to only certain Authentication User Agencies (AUAs). Furthermore, the circular claims that, at present, the face photo is not enabled on the Aadhaar authentication API within the Central Identities Data Repository (CIDR) but it can be enabled, adding that “since the photo is already present in the UIDAI database there is no need to capture any new reference data”.
The problem
Several internet freedom and anti-surveillance state activists, lawyers and journalists have pointed out that adding facial recognition to biometrics, a term whose definition has most certainly been left ambiguous in the Aadhaar Act, would do no good.
Shave. Trim eyebrows. Apply lots of talcum powder. Erase the sindoor. After all algorithms designed by caucasians to recognise typical caucasian faces? https://t.co/fQ7yhV4Z9I
— Prasanna S (@prasanna_s) January 15, 2018
Ha Ha Ha. As per UIDAI's #AadhaarBreach denials photographs were not biometric so far. https://t.co/Ny0pTssAP8
— Anivar Aravind (@anivar) January 15, 2018
Yep! Ur photograph IS A BIOMETRIC AND NOT.. THESE GUYS ARE INCORRIGIBLE https://t.co/T2ecneFGZJ
— James Wilson (@jamewils) January 15, 2018
All your face are belong to us https://t.co/gtBBYGDYdK
— ¯_(ツ)_/¯ (@PranavDixit) January 15, 2018
Criticism from many also came in the form of a comparison between India's UIDAI and Chinese government — notorious for its totalitarian measures and a tightly run surveillance ship.
In 2012 a Delhi High Court judge innocently asked why we could not block websites, "like China"? While networked censorship is far away, India is catching up in mass surveillance. Facial recognition will now be as a system of government authentication. Like China. https://t.co/GxdVRyeMGE
— Apar (@aparatbar) January 15, 2018
And a full fledged surveillance state emerges. Now CCTVs and cameras can spot you on the go. Perfect. China is experimenting with this right now. We wanted the China development process right? Here we have it. https://t.co/KTJzqMIxMU
— The Startup Guy ® (@vijayanands) January 15, 2018
Of course! Face identification is an essential tool for any total #SurveillanceSocietyThose who think these are elitist #WineAndCheese gang concerns: read how China is using IDs/Biometrics/Facial recognition for #CitizenControlhttps://t.co/lgGY9oREAjhttps://t.co/vAqcIppJP3 https://t.co/YcDDLfM5lD
— Rakesh Sharma (@rakeshfilm) January 15, 2018
Union minister for IT and electronics, and law and justice RS Prasad may hail this move as “yet another innovative solution to facilitate digital inclusion”, but it does not change the fact that the Aadhaar facial authentication announcement comes awfully close to a Washington Post report on China and its use of facial recognition for surveillance.
According to the report, an ambitious plan known as “Xue Liang (Sharp Eyes)” intends to connect the security cameras that already scan roads, shopping malls and transport hubs with private cameras on compounds and buildings, and integrate them into one nationwide surveillance and data-sharing platform.
The following part of the report, incidentally, sounds premonitory of what may soon be a reality in India:
[Xue Liang] will use facial recognition and artificial intelligence to analyze and understand the mountain of incoming video evidence; to track suspects, spot suspicious behaviours and even predict crime; to coordinate the work of emergency services; and to monitor the comings and goings of the country’s 1.4 billion people, official documents and security industry reports show.
At the back end, these efforts merge with a vast database of information on every citizen, a “Police Cloud” that aims to scoop up such data as criminal and medical records, travel bookings, online purchase and even social media comments — and link it to everyone’s identity card and face.
But even if one tries not to imagine a Black Mirror meets Minority Report-like dystopian future where the state recognises and tracks every move made by its citizens, there are other issues that one can feel anxious about at present. Aadhaar has become notorious for its security leaks, and how UIDAI reacts when such leaks are pointed out.
Recently, UIDAI, acting in a manner that is both bizarre and imprudent, lodged an FIR against a reporter of Chandigarh-based English daily The Tribune for exposing the massive security threat posed by the UID project. The Tribune's Rachna Khaira had shown in her comprehensive report that admin access to the entire UIDAI database can be arranged for as little as Rs 500. Basically, for the cost of a cab trip from Delhi to Noida, with some online rigging, nearly anyone can have access to the Aadhaar-related information of one-billion-plus Indian citizens.
But if one's Aadhaar data can be breached in minutes, facial authentication is, if not more, an equally risky proposal.
As was pointed out in an Ars Technica report last year, security researchers used a $150 mask to break the Face ID facial recognition system that locks Apple's new iPhone X. Yet, scarier still is the fact that in a two short months developers have found a digital alternative to this.
According to a report in Wired, facial recognition can be circumvented with simple “3-D rendering and some light Internet stalking.”
Researchers (security and computer vision specialists) from the University of North Carolina presented new groundbreaking technology at the Usenix security conference. Their system — using digital 3D facial models based on publicly available photos, displayed with mobile virtual reality technology — managed to defeat facial recognition systems four out of five times.
“Their attack is a reminder of the downside to authenticating your identity with biometrics,” wrote Lily Hay Newman of Wired, further highlighting how risky their new venture could turn out to be.
And finally, for more than a week now, a white hat hacker who goes by Elliot Alderson on Twitter (it’s the name of Rami Malek’s character on the critically acclaimed series Mr Robot in which Malek incidentally plays the role of a hacker moonlighting as a cyber security expert), demonstrated in multiple examples the callous level of security on the Aadhaar database.
Hi #Aadhaar ????! Can we talk about the #BenefitsOfAadhaar for the #India population?I quickly check your #android app on the #playstore and you have some security issues...It's super easy to get the password of the local database for example...????♂️https://t.co/acjp6tUjqs
— Elliot Alderson (@fs0c131y) January 10, 2018
Former CIA employee and whistleblower of the US government's surveillance programmes, Edward Snowden, while talking about Aadhaar, tweeted on January 5: “It is the natural tendency of government to desire perfect records of private lives. History shows that no matter the laws, the result is abuse.”
It should only serve as a warning for citizens that pro-government names, members of the ruling party and the UIDAI choose the overlook this ominous pronouncement from someone who has helped create global surveillance technology.