The National Identity Card debate rages on, with the Government arguing that fingerprints have been deleted from the central database, thus removing the dangers of hacking. Objectors protest against keeping biometrics on the card and photographs still stored in the database, citing infringement of civil liberties and continued risks and dangers to citizens’ security.
On 15th September, Minister Bhadain wondered on Radio Plus why, since fingerprints are no longer stored in the database, anybody would want to steal biometric data from a person’s card. He termed the risk speculative.
The National ID card enables us to conduct transactions at a bank, get our pension, bus pass, passport, vote and generally function as citizens. Valuable to you? What about to an identity thief?
The biometric fingerprints are in your possession only, says Minister Bhadain. He calls this one-to-one. The fact is that they are stored on the card. The Government assures the public that fingerprints have been deleted from the database. Our photos, also biometric data, still remain stored in the database. This is what Minister Bhadain terms one-to-many. This infringes two Supreme Court judgements, Madhewoo and Jugnauth against the State, May 2015, which say:
“the provisions in the National Identity Card Act and the Data Protection Act for the storage and retention of fingerprints and other personal biometric data collected for the purposes of the biometric identity card of a citizen of Mauritius are unconstitutional.”
Only when there is transparency in the deletion process for all biometric data stored, with independent organisations as observers and following standards, will there be a guarantee that the judgements have been respected. Fingerprint images, minutiae and photos are all biometric data.
Press articles publicized the ease of falsifying biometric data when the British ID card was abandoned. From creating fingerprint moulds from fingers to touching glass and leaving your identity verification on it, finger pads can be made to fool card readers. The British Home Office said that the system will return some matching errors. Damian Green, the shadow Home Office minister, explained that poorer people are more vulnerable to these mistakes, as they don’t have lots of credit cards “and will, therefore, have their lives made a misery by being unable to prove their own identity.” Sound familiar to our context?
The previous government’s aggressive campaign played a population numbers’ game to the deadline dates. Government has not taken legal action against citizens as Clavis Primary School did, illegally dismissing an employee, the late Amanda Jones, for refusing to give her fingerprints for attendance purposes. Her complaint was justified by the Data Protection Commissioner in May 2014 and again at the ICT Appeal Tribunal in August 2015. The Board backtracked in November 2014 after a struggle within the school. Employees were given consent forms, according to the Data Protection Act, making it no longer compulsory.
The Madhewoo judgement went further than the Data Protection Act. It saw the “risks and dangers” not only in the database but also in the card: “The minutiae of the four fingers are recorded in the electronic chip contained in the card.” “Witness Sookun gave expert evidence on behalf of the plaintiff … the new identity card can be read at a distance with available technological devices.” (my emphasis)
The many fingerprint image and minutiae databanks that exist in the workplace also contravene the judgements. What is illegal for Government to store and retain cannot be legal for employers to do.
The judgement termed the many exceptions in law ‘alarming’: “it is inconceivable that there can be such uncontrolled access to personal data in the absence of the vital safeguards afforded by judicial control. The potential for misuse or abuse of the exercise of the powers granted under the law would be significantly disproportionate to the legitimate aim which the defendants have claimed in order to justify the retention and storage of personal data under the Data Protection Act.”
In July, Reuters reported 22.1 million Americans’ sensitive data hacked, almost 7% of the US population. Pro-biometric lobbies’ argument that biometrics is the surest method of verifying identity is at the expense of people’s security. BBC reported Ken Munro from security firm Test Partners saying: “The biggest concern about biometrics since day one has been revocation… It is easy to get a new password, pin or credit card after a breach, but it’s rather harder to get new fingers.”
Government argues in favour of retaining biometrics: money already spent, waiting for further judgements, and population numbers with new cards. But the Supreme Court injunctions, the risks and dangers to security and the experience of other countries demonstrate that the trade-off, the loss of security and civil liberties, does not justify keeping biometrics. One item of biometric data stored, for any amount of time, is still one too many.