India's Gargantuan Biometric Database Raises Big Questions

The government of India has amassed a database of 200 million Indian residents' digital fingerprints, iris scans, facial photographs, names, addresses and birthdates. Yet this vast collection of private information is only a drop in the bucket compared to the volume of data it ultimately intends to gather. The Unique Identity Authority of India (UIDAI), the agency that administers Aadhaar -- India's Unique Identity (UID) program -- has a goal of capturing and storing this personal and biometric information for each and every one of India's 1.2 billion residents. Everyone who enrolls is issued a 12-digit unique ID number and an ID card linked to the data.

Once it’s complete, the Aadhaar system will require so much data storage capacity that it is projected to be 10 times the size of Facebook. And while it's optional to enroll, the program is envisioned as the basis for new mobile apps that would facilitate everything from banking transactions to the purchase of goods and services, which could make it hard for individuals to opt out without getting left behind.

India’s is the largest biometric ID scheme in the world, and the masssive undertaking raises serious questions about widespread data sharing, a lack of legal protections for users’ data, and concerns about whether adequate technical safeguards are in place to keep individuals’ information safe and secure.

Recently, EFF attended a talk by Srikanth Nadhamuni, a technologist and one of the program’s chief architects, at UC Berkeley’s Center for Southeast Asian Studies. While he characterized Aadhaar as a cutting-edge tool for fighting corruption and assisting the rural poor, EFF has concerns about the privacy implications of this sweeping effort.

Is Biometric Collection Necessary to Achieve the Program's Goals?

Nadhamuni framed Aadhaar as a program that could alleviate the plight of India’s rural poor, a large subset of the population that lacks reliable access to government services. “The city governments … were still being run by leather-bound books and pen,” he explained. “Not using technology to improve service delivery was something that we wanted to change. … The thought that I had was, if we could embed a unique number for each baby that was born, and that number got used in all the different applications, then that service delivery could improve. Once you have enrolled yourself, then you can go and buy your rations, or banking transactions, and so on, using authentication.”

Nadhamuni said UID would serve to eliminate fraud in circumstances where it is now impossible to verify individuals' identities. He described the tedious and costly weekly journey of a laborer to cash a paycheck to illustrate how UID could be used to make peoples' lives more convenient. He described a system in which UID numbers would spur the development of mobile phone apps, which would allow vendors to scan fingerprints on a handheld device to use UID authentication for all kinds of purposes and transactions.

When evaluating biometric systems, it's important to determine whether the collection and processing of personal information fit with the program's stated objectives. The goal of assisting the rural poor is well-intentioned, but the means Nadhamuni is proposing to achieve this end should be carefully examined. It's also worth asking why, if the stated objective is to aid the rural poor, the UIDAI intends to extend Aadhaar's reach to each and every one of India's 1.2 billion residents. EFF remains concerned about the problems inherent in centralized biometric ID databases, systems that have been met with resistance elsewhere and, in the case of Britain, even dismantled in the face of public outcry stemming from privacy concerns.

The creation of such a system raises concerns about the security of users' highly sensitive personal information. Nadhamuni said very little about whether there is a contingency plan in the case of a data breach, like the one that transmitted Israel's entire population database onto the Internet in a freely available format. What happens if people start to spoof fingerprint scanners, which German hackers have already proven is a relatively easy feat? What if identity thieves take it a step farther, by spoofing iris scanners (which Javier Galbally showed was possible at the Black Hat Security Conference this past summer)? Unlike a PIN code, a fingerprint or an iris is impossible to cancel and re-issue.

A Centralized Unique ID System is Risky

Nadhamuni seemed to accept without question that implementing a universal ID card would benefit India. “There is no standard identity document in India,” he said. He justified the collection of biometric data by saying that insurmountable overlap between existing governmental databases makes it impossible to create a unique database by merging all existing data sets.

Yet the assumption that there is an inherent need for a governmental framework that would aggregate all individuals’ personal information in one place should not go unchallenged. There are fundamental flaws in a system with a centralized database at its core, which grants a disproportionate amount of control to a single governmental entity that collects and stores the information. Regardless of the security precautions Nadhamuni assured would be in place, the creation of such a database inevitably creates a honeypot of sensitive information that becomes a natural target for would-be criminals.

India has no data privacy protection law to speak of, and the fact that this program is moving ahead in the absence of such a safeguard is problematic, particularly given the widespread data-sharing that is contemplated under this endeavor. Similar proposals have run into legal trouble. In March 2012, the Conseil Constitutionnel, the highest authority on the French Constitution, declared the provisions of a law permitting judicial and police use of a centralized national ID database to be unconstitutional.

In other countries, we've seen how biometric data can ultimately be used for purposes other than stated intentions. In Argentina, for instance, a new centralized, nationwide biometric ID will allow law enforcement to “cross-reference” information with biometric and other data initially collected for the purpose of operating a general national ID registry. This reverses the traditional practice of limiting police fingerprint databases to those suspected or convicted of criminal offences.

Once it is built, an enormous system based on the personal information of 1.2 billion people can begin to serve all manner of previously unimagined purposes. What's more, Nadhamuni suggested biometric identification with Aadhaar could become a convenient part of everyday life: the UIDAI lets private parties accept the IDs and verify their content online, for outsourced financial transactions or authenticating users for third-party applications. For example, people could have their fingerprints scanned on a shopkeeper's mobile device as a way of paying for items at a shop. It's astonishing to think that the enormous flows of data that would result from these applications – and the associated potential for monitoring Indians' physical whereabouts and day-to-day lives – would come with few legal safeguards.

Beware of Function Creep

A telling moment in Nadhamhuni’s lecture came when an audience member asked whether Aadhaar would be used for national security purposes. “I don't know about the linkage between UID and security,” Nadhamuni responded. “I was head of technology, and the specification that I was given was to build a system for social inclusion and the poor. So if there's a linkage, I don't know of it, and so I can't comment on what that linkage is.”

It's disappointing that he didn't say more, particularly given this New York Times op-ed by Indian journalist Aman Sethi suggesting that national security was at the root of a government initiative to collect biometric ID that predates Aadhaar and is now moving ahead in sync with the UID program. Function creep – when a program is introduced for one purpose and ultimately used for another – is a serious consideration when assessing biometric ID systems. What will happen when data collected by the UIDAI is used in conjunction with a governmental surveillance program or national security initiative? So far, this question remains unanswered, but there are good reasons to be concerned.

This colossal, IT-driven effort is moving forward without adequate transparency or public dialogue, and it’s no wonder that activists have pushed back against the idea in India. Internet policy researcher Sunil Abraham, of the Bangalore-based Center for Internet and Society, has voiced concerns over Aadhaar’s identification system and proposed alternatives that would be far less privacy-invasive.

"Privacy protections should be inversely proportional to power," Abraham wrote in a Business Standard op-ed. "The transparency demanded of politicians, bureaucrats and large corporations cannot be made mandatory for ordinary citizens. Surveillance must be directed at big-ticket corruption, at the top of the pyramid and not retail fraud at the bottom. Even for retail fraud, the power asymmetry will result in corruption innovating to circumvent technical safeguards. Government officials should be required by law to digitally sign the movement of resources each step of the way till it reaches a citizen. Open data initiatives should make such records available for public scrutiny. With support from civil society and the media, citizens will themselves address retail fraud. To solve corruption, the state should become more transparent to the citizen and not vice versa."

A biometric data collection program of this scale, particularly in the absence of an existing data protection law, presents serious risks to individuals’ privacy. Rather than improving people’s lives, Aadhaar could place their highly sensitive personal information at risk.

Source: EFF

SpeechPro: Russian biometric software capable of storing, identifying millions of voice samples

How SpeechPro’s VoiceGrid works (Image credit: SpeechPro)

The use of biometrics and government-run centralized biometric databases is on rise and it seems like every day brings a new identification method including pedo-biometrics (using feet to identify targets), remote biometrics (using surveillance cameras), soft biometrics (which can be deployed on drone platforms), iris scans (which people are being illegally pressured into submitting to), high-speed facial recognition software (the use of which is being expanded to police departments across the United States by the FBI) and even so-called behavioral recognition software.

According to the FBI’s Biometric Center of Excellence, voice recognition is a “popular choice for remote authentication due to the availability of devices for collecting speech samples (e.g., telephone network and computer microphones) and its ease of integration, speaker recognition is different from some other biometric methods in that speech samples are captured dynamically or over a period of time, such as a few seconds.”

We’ve also seen strange implementations of voice recognition technology as evidenced by the deployment of voice recognition avatars at border crossings and even voice recognition technology in police cars.

Now the Russian Speech Technology Center, which, according to Slate, operates as SpeechPro in the United States, has created a program called VoiceGrid Nation capable of storing and identifying massive numbers of voice samples for governments around the world.

The software, at least according to the company behind it, is incredibly fast. It can deal with a database containing millions of voice samples of regular people, criminals, persons of interest or people on a watch list.

Computerworld reports that VoiceGrid uses three methods for voice matching along with an algorithm that automatically compares “voice models against voice recording obtained from different sources such as cell phones, land lines, covert recordings and recorded investigative interviews.”

When combined, VoiceGrid is capable of 90% accuracy within just 15 seconds.

According to Homeland Security News Wire, “Officials at VoiceGrid say that to get a sample, it only takes three seconds of a speech pattern to use for analysis. In five seconds it can search through and match 10,000 voice samples, executes up to 100 simultaneous searches, and stores up to 2,000,000 samples.”

According to SpeechPro, the accuracy is at least 90 percent and has already been deployed to Mexico and, according to SpeechPro’s president Alexey Khitrov, they are also working with multiple U.S. state and federal agencies.

“He declined to reveal any names because of nondisclosure and confidentiality agreements,” writes Ryan Gallagher for Slate. “But Khitrov did divulge that various versions of the company’s biometric technology are used in more than 70 countries and that the Americas, Europe, and Asia are its key markets.”

SpeechPro doesn’t just design voice recognition software for law enforcement and governments. They also have created technology for call centers which can verify the identity of customers automatically.

According to Agentura, a Russian secret services watchdog, the Speech Technology Center’s products have been sold off to several questionable governments including Belarus, Kazakhstan, Thailand and Uzbekistan.

Gallagher points out that this is hardly comforting given the incredible power this technology could give to an authoritarian regime.

“It has the technical capacity, for example, to store a voice-print of every single citizen in a country the size of Bahrain—with a population of 1.3 million—which would allow state security agencies to very effectively monitor and identify phone calls made by targeted political dissidents (or anyone else for that matter),” Gallagher rightly states.

Khitrov attempted to brush away these legitimate and major concerns by saying, “We just make sure that we work with trusted law enforcement agencies and try to make sure that they use it properly.”

Khitrov laughably claims that SpeechPro’s technology is solely used for “very noble causes,” although he was only able to cite a single example in Mexico where it was used to identify and find kidnappers who made ransom calls soon before they were going to murder someone.

To prove just how absurd Khitrov’s claim is, when Gallagher pressed for more examples of how VoiceGrid is being used in Mexico, Khitrov was forced to admit, “We don’t know the specifics because that’s their information.”

In other words, they actually have no clue about how it is being used, they just have a few nice anecdotes which make it seem like it’s only being used for noble ends.

Source: End the Lie

OxyContin: How America Got Hooked On Legal Heroin

Monsanto’s Tricky Plan to Defeat GMO Labeling?

Who is behind the recent study of organic food and why?

Okay—let’s not miss the point about the Stanford “study” on organic food, the one released in early September that concludes that the scientific literature “lacks strong evidence that organic foods are significantly more nutritious than conventional foods.”

Every reaction I’ve seen in the press grants that maybe organic food isn’t more nutritious, but it’s healthier in many other ways, like much lower amounts of toxic agricultural chemicals, and so on. But there are many studies that show that organic food is indeed more nutritious. To really understand those studies, you have to know who paid for them. If Monsanto or Cargill is paying a researcher at a land-grant university to look into the nutritional value of foods, there’s a temptation there to work the data in favor of the company paying the bills, especially if they like your work and order more studies.

So who’s paying for the Stanford study? The Stanford doctor who was the principal author, Crystal Smith-Spangler, M.D., writes that there was no funding for the study, which appeared in the Annals of Internal Medicine (vol. 157, no. 5 [4 September 2012]: 348–366)—this despite the listing of 11 coauthors including physicians and health specialists along with Dr. Smith-Spangler. Since no funding is listed, we can’t know whether Dr. Smith-Spangler and cohorts did the rather exhaustive study out of the goodness of their hearts or if someone took them to lunch, so to speak. But even that isn’t the point.

The real question is, why do you think this Stanford study came out now? The title of the study raises a red flag as it asks, “Are Organic Foods Safer or Healthier than Conventional Alternatives?” Its conclusion states, “The published literature lacks strong evidence that organic foods are significantly more nutritious than conventional foods. Consumption of organic foods may reduce exposure to pesticide residues and antibiotic-resistant bacteria.” So it casts doubt on the value of organic food, even as it admits organic food has fewer toxic residues and pathogenic microbes. Yet I’m aware of several strong studies supporting the nutritional superiority of organic food,* and I looked through all 298 studies cited in the Stanford overview of the scientific literature, but they were nowhere to be found. But even that’s not the point.

Remember: This November, Californians will be asked to vote on Proposition 37, which will require foods containing genetically modified ingredients to be so labeled. Remember too that organic food is not allowed by law to contain any genetically modified ingredients.

Now think about Monsanto, Dow, DuPont, Syngenta, and other corporations turning out genetically modified farm seed. Why do you think they’re doing that? They say it’s to improve agriculture, to feed the world, to solve farming’s problems—but there’s another reason they seldom mention. When they make a genetically modified (GMO) seed, they patent it. And those who hold the patents reap the financial rewards.

Source: Organic Gardening

Scientists Move to Create Genetically Modified Camels for Pharmaceutical GM Milk

As if genetically altered salmon, genetically modified babies, and GMO crops aren’t science fiction enough for you—soon drug makers will be using genetically modified camels in their pharmaceuticals. Yes, you read that right—camels. According to the Science and Development Network, the camels will be used to make genetically modified milk, which will then be processed into cheaper drugs.
Genetically Modified Camels for Pharmaceutical GM Milk – What?

The drugs from these laboratory-created camels will include insulin and clotting factors for hemophilia. They will be used, at least initially, in the arid regions of the Middle East and North Africa, from which the camels originally came. Apparently, that’s why camels are being used instead of cattle, because of their adjustment to the extreme climates.

Cows would be better producers of transgenic protein as they produce more milk, said Serge Muyldermans of the Laboratory of Cellular and Molecular Immunology at Vrje University Brussel in Belgium. But as camels can be kept in arid areas and are used to living under harsh conditions, they might be better suited to the Middle East.

Evidently, other scientists prefer genetically modified cows as well. In another recent creation unleashed by scientists, human genes have successfully been inserted into genetically modified cows that now allow them to produce ‘human’ milk — milk that has the very same properties as human breast milk. What is the world coming to?

But the researchers prefer genetically modified camels since the animals are highly resistant to local disease and easier to maintain in the area. They are more efficient in converting food into body mass when compared with cattle as well.

So, how are the camels being modified? Initial reports aren't clear. The scientists do say, however, that the camel cells will be modified with “foreign DNA” and then implanted into full-grown camels as embryos. The group plans on transplanting the embryos into the surrogate mothers later this year, though they aren't sure when the first GM babies will be born.

The calving rate for cloned embryos is only 5%. This means that for every 100 cloned embryos implanted, only five are carried to term and delivered. “The rate gets even smaller when transgenic cells are used,” said Nisar Wani, head of the Reproductive Biology Laboratory at Dubai’s Camel Reproduction Center.

The gestation period for a camel is about 13 to 14 months. So in the “best” case scenario, the first genetically modified camels won’t be born until early 2014. Then the world would have to wait for their milk production and the medications to be developed, pushing the actual GM camel-derived pharmaceuticals back another year or so. Even still, the thought of these sort of “advances” in the works is frightening.

At what point does science cross an ethical line? Haven’t we established that genetically modifying foods are dangerous? How could genetically modifying animals and then turning those animals into drugs be any better?

Source: Activist Post