Citing the example of fraud reported after biometric verification during the Bihar panchayat elections in 2022, Kodali said, "Using biometrics as passwords is as it is very problematic, and now we are focusing on building everything around it." During the elections, a fraudster took out money from the accounts of voters by taking their "fingerprints on his phone before they had put their fingerprints in the biometric machine to cast their votes", The Hindustan Times reported.
This isn't the only case where biometrics have been misused. In January 2019, a former Aadhaar operator's biometrics were misused to withdraw money from two of his accounts, in Jind, Haryana. Similarly, in 2020, the biometric data of a 58-year-old woman, based in Kolkata, was misused to obtain a sim card and commit other crimes in Rajasthan.
In another case of identity theft, a private company in Chennai had been gathering private biometric information on thousands of individuals in order to verify who was eligible for a welfare programme on behalf of the Greater Chennai Corporation. This counterfeit programme had been running since 2015, until it got busted in 2022.
According to Prateek Waghre, policy director at Internet Freedom Foundation, "The press release does not give away much about the technique of the new AI mechanism. We could only guess that it would be used to tell apart a real fingerprint from, maybe, a prosthetic or a dummy one. However, the security mechanism will not change the underlying issues with the use of biometrics, that is, we cannot do anything to protect the data once it is compromised."
What is the need of the hour?
Speaking to BOOM, Mishi Choudhary, a technology lawyer with Software Freedom Law Centre, said, "For robust security against data breaches, The Government of India needs law, policy and private sector tools. Like the Biden Administration, there needs to be a comprehensive review and strategy against breaches, hacking and ransomware."
Talking about India's Data Protection Bill, Waghre said, "There were multiple versions of the 2017 Bill, which were ultimately withdrawn in 2021. The latest version was drafted in November, last year but has not been tabled in the Parliament yet."
According to Waghre, the biggest problem, even with the recent version, remains that the state can still collect our data and can choose to exempt themselves from any obligations under this. "This defeats the purpose of the law itself," he added. Delving into the basis of the problem, Waghre said, "In the face of a data breach, the first step by our government authority is denial, which speaks much about their stance on the matter of security."