Mitchell Baker, chairman of the Mozilla Foundation, published an open letter as a full-page ad in the Hindustan Times, one of India’s most popular daily newspapers, addressed to the Indian Electronic Information Technology Expert Committee. The letter sets out her view of Justice Srikrishna’s “Establishing a National Data Protection Framework,” urging the commission “to defend the privacy and security of all Indians.” A few weeks ago the committee published a white paper on the complexity of data protection, and it is unclear whether Mozilla has formally submitted its recommendations to it.
In addition, the letter also talked about India’s “Aadhaar” system. People can voluntarily register biometric information, while the government is responsible for distributing the 12-digit unique identification code and has designated UIDAI as the identity certification authority.
Although it operates under the banner of “voluntary”, the Indian government has been pushing the system strongly into the lives of its residents. After registration, the public can do a lot of things through the Aadhaar system, such as opening a bank or mobile phone account or receiving government assistance, but the system has also caused some controversy.
Mitchell Baker’s focus is on whether Indian authentication authorities are capable of safeguarding the security and integrity of their large biometric databases and whether UIDAI can maintain the privacy of those registered Aadhaar users.
In the past few months, there have been many cases of counterfeit cards, identity theft, and fraud in India, and the government has instituted legal proceedings against those who exposed these issues. Against this backdrop, the High Court of India ruled in August last year that privacy is a basic right of every Indian.
Baker said many people, including Mozilla, are paying more attention to system efficiency. She therefore made a few suggestions to the committee, hoping it will iterate on the current version of the white paper:
- The current proposal exempts biometric info from the definition of sensitive personal information that must be especially protected. This is backwards: biometric info is some of the most personal info, and can’t be “reset” like a password.
- The design of Aadhaar fails to provide meaningful consent to users. This is seen, for example, by the ever increasing number of public and private services that are linked to Aadhaar without users being given a meaningful choice in the matter. This can and should be remedied by stronger consent, data minimization, collection limitation, and purpose limitation obligations.
- Instead of crafting narrow exemptions for the legitimate needs of law enforcement, you propose to exempt entire agencies from accountability and legal restrictions on how user data may be accessed and processed.
- Your report also casts doubt on whether individuals should be allowed a right to object over how their data is processed; this is a core pillar of data protection, without a right to object, consent is not meaningful and individual liberty is curtailed.
At present, the High Court of India is considering a case concerning objections to Aadhaar. The prosecution considered the system unconstitutional. However, the court did not support this view. It plans to hold a hearing on February 13.