India working on standard for biometrics

Government looking at national standard to provide "level-playing field", as India readies e-government initiatives based on biometric technology.

NEW DELHI--The need for standards and concerns over security and privacy were highlighted this week, as the Indian government prepares to roll out various e-government projects based on biometrics.

"The industry, government and academia need to collaborate to evolve standards for biometrics," Nandita Jain Mahajan, IBM's India South chief privacy and information security officer, said during the India Preparatory Meeting: Biometrics and Data Protection, held here Thursday. The two-day event was organized by the Data Security Council of India, a self-regulatory organization led by Nasscom.

According to Mahajan, the Indian government should adopt open standards to avoid heavy dependence on one technology vendor.

The country is in the process of deploying biometric cards for various e-government schemes, including the national unique identity card and e-passport projects.

"No government wants to be locked into any one technology," S. K. Sinha, senior director of National Informatics Centre (NIC), said during a panel discussion, adding that India has put much emphasis on standardization for the technology.

"The Indian government is working on a national standard for biometrics [and] wants to have a technology standard that is open and provides a level-playing field so that many vendors can take part," Sinha said. However, he noted that standards should be established such that they can be widely adopted by the industry. "Standards should be implementable," he said.

Are biometric cards privacy-compatible?
Shree Parthasarthy, a director at Deloitte, said biometrics is "as old as forensics", taking into account several factors such as the iris scan, fingerprints, appearance, social behavior, skull measurement, voice, and so on. "It's impossible to replicate or mimic all of these characteristics," Parthasarthy noted.

And while biometric cards offer better security, he noted that there are several primary concerns over the use of such cards, including questions about privacy protection, misuse of biometric data and how biometrics will support privacy policies.

According to Mahajan, there are three technology components in biometrics: acquisition, extraction and matcher. Often, all attributes of biometric cards do not match and the acceptability error rates can be high, she said.

"If your password is compromised, you can change it, but if your biometrics is compromised, what can you do about it?" she questioned.

Y. D. Wadaskar, managing director of Pune-based IT security products company, WYSE Biometrics Systems, said: "Every individual is unique and therefore, biometrics and privacy go hand in hand. We need to trust these cards just as we trust our doctors and lawyers when we share personal information with them."

Sunil Dhaka, chief information security officer of ICICI Bank, said the bank has been successful in implementing biometric cards for agriculture-based banking in rural areas.

"Since rural India has no Internet or tele-banking facility, we realized the solution had to be online-offline ready," Dhaka said. "With such cards, we can do banking at the speed of thought."

One billion ID cards challenge
Zia Saquib, executive director of Centre for Development of Advanced Computing (C-DAC), who also attended the meet, noted that deploying biometric cards for citizens in New York is different from implementing similar schemes in rural India. C-DAC develops applications for e-government projects.

According to Saquib, data collection and enrolment in rural areas can prove a challenge as "identification is a sensitive issue."

"We need to have strong authentication processes in place at the time of enrolment," he explained, adding that biometric data must not be stored in the same place as personal data.

"Biometric data must be stored locally," he said. Saquib also highlighted the benefits of using digital rights management methodology for biometrics, giving users access to information only on a "need to know" basis.

Sinha said generating over 1 billion national unique ID cards cannot be done with a small number of stakeholders. "You need different stakeholders for enrolment, creation of database, generating algorithms, verifying and distributing these cards," he added.

"And when you have so many stakeholders, the need for standards becomes all the more critical," he noted. Asked how the government plans to address privacy and security concerns over biometric cards, he said it is still too early to provide comments.

Sinha said: "All we can say is that the data will be highly protected and we will put several cyber-controls and encryptions in place, in both online and offline mode."

Swati Prasad is a freelance IT writer based in India.