India Stack: Major Potential, but Mind the Risks

Seema is a garment worker in India who has just migrated from a rural area in India to Bangalore, a hustling bustling city of 10 million. She has no fixed address yet, but she — along with 1 billion other Indians — does have a national biometric identifier, which on arrival facilitates her ability to open a bank account instantly and without any other documentation, get a loan, and receive government payments. Seema can also send money to her mother back in her village using a simplified payment interface. It is remarkable that technology can bring so many, like Seema, into the financial mainstream. But, for this inclusion to be sustainable, it is critical to address data protection and security risks.

The centerpiece of India’s financial system is Aadhaar, a national ID. Remarkably, in less than seven years, 1.1 billion Indians have been issued an ID number after having their fingerprints and retinas scanned and stored in what is now the world’s largest biometric database. Aadhaar pays for itself by saving the government from making duplicate benefits payments or payments to deceased individuals. ID theft can be reduced by use of this unique ID number, verified by fingerprints or a retina scan. While it is asserted by the Indian government that state-of-the-art security protects the Aadhaar database, centralizing vast quantities of identity information guarantees the database will be an attractive target for cybercriminals who would like nothing more than to commit ID theft on an unprecedented scale.

Aadhaar’s design and security has been criticized on privacy and security grounds, including the permanent and irrevocable consequences of having one’s fingerprints compromised in the event of a breach. Furthermore, fingerprints are not a 100 percent reliable indicator of identity. There is the risk of both false positives and negatives, the latter potentially denying someone like Seema access to much needed services and payments. There have also been reports that fingerprints can be stored and reused, opening yet another avenue for fraud. Seema, just starting her life in a new city, can ill afford unauthorized access to her account.

Massive databases also offer governments a tool for tracking and surveilling their citizens. In India, the government can access Aadhaar records for “national security” purposes – an undefined term under the law that is open to expansive interpretation and potential abuse.

In the private sector, national identifiers like Aadhaar can facilitate linking databases together, generating a profile of a person’s financial, travel, employment and social media activities. In addition to raising personal privacy concerns, such profiles can be used to make decisions about who gets credit or is hired, but without protections that would enable data subjects to access and correct their information.

In addition, collections of personal information by firms offering digital financial services can be of great value for providing customer service and marketing, permitting the delivery of individually tailored, timely offers to Seema, who might be in need some credit to get started with her new life in Bangalore. The downside is that the same information could be used to trap Seema into a high-cost loan.

How can Seema reap the benefits of these exciting financial inclusion tools while still having her privacy protected? The first step is for governments and the private sector to consider privacy and bake it into the development of these new financial products – something called “privacy by design.” This process forces questions for public and private developers, such as whether it is better to maintain massive databases or disperse information to protect individual security.  Even at this point, Aadhaar security measures could be reconsidered and enhanced.

In addition, governments could adopt comprehensive privacy legislation or regulations imposing data controls that strike a balance between encouraging innovation for financial inclusion and protecting consumers. For instance, individuals could be guaranteed access to their profiles that are created by linking information with Aadhaar numbers, including the opportunity to dispute incorrect information and opt out of marketing uses. Also, the government’s ability to obtain information for national security purposes could be limited to situations where there are legitimate safety concerns. Providers, either on their own or through trade associations, could consider voluntary data protection efforts, including acting as fiduciaries of their customers’ information.

It is very hard for poor, undereducated, less sophisticated consumers to fend for themselves. In such cases, the government needs to step in to protect them. Seema just doesn’t have the time to pour through legalistic privacy policies and terms of services, but she needs protection to allow her to take full advantage of the financial inclusion tools that are being made available to her.