Giving out your fingerprint for Aadhaar payments is as bad as telling the seller your banking password
The blog post by Nimish Sawant was published by First Post Tech 2 on February 3, 2017. Pranesh Prakash was quoted.
Ever since the current government came into power, there has been a concerted effort to take India onto the information highway with technology-backed initiatives. From projects such as Digital India, the Smart City Project and Startup India to the latest policy announcements after the demonetisation on 8 November 2016, a lot has been said about technology.
But there are still areas for improvement: for instance, we are yet to have a privacy and data protection law, there is an alarming shortage of cybersecurity experts, and we have seen our fair share of government as well as personal data being put in jeopardy in the years gone by.
Pranesh Prakash, policy director of the Centre for Internet and Society, has reservations about the speed at which we are moving towards the dream of a digitised India without covering the core policies on security, legal frameworks and more. Here is what Prakash has to say.
“All in all, we in India are in a really precarious situation when it comes to Digital India, especially from a legal and regulatory perspective. While the push for digitisation is to be welcomed, it should make this more convenient for citizens and that can’t be accomplished by forcing digitisation on people without giving them options.
The Planning Commission put together a group of experts chaired by Justice AP Shah, which came out with a report on privacy principles which were to inform a privacy and data protection law that the government was to introduce in Parliament. That report came out in 2012. In 2017, we are no closer to a privacy and data protection law. The data security practices at the levels of the government and of the private sector are very worrying.
For instance, the Narendra Modi app, which is operated by the BJP, for many months was leaking the personal details of more than 7 million users.
Another example: the government, as per press reports, is going ahead with using fingerprints for authentication of Aadhaar Enabled Payment Systems (AEPS) transactions. While the security architecture of AEPS might in itself be good, the idea of providing your fingerprints to merchants for financial transactions is a terrible idea since that is like asking you to give your bank password to a merchant, and the merchant can reuse that password, and you can’t ever change the password.
Last year Symantec revealed that for more than two years a cyberespionage project (that Symantec called “SuckFly”) had penetrated deep into Indian systems, including Indian government and banking systems. Yet, the government didn’t conduct an enquiry about this and reassure the public on actions being taken to mitigate this.
So while digitisation initiatives are great, there also needs to be a concerted effort to have a secure framework, and there has to be an ease in onboarding the non-tech-savvy population as well.”