Over the past three months, the clamour for scrapping the proposed DNA Profiling Bill has grown significantly louder and the Bill’s progress stands halted. This vocal opposition owes itself in large part to the manner in which the proponents of the Unique Identification Authority of India (UIDAI)/Aadhaar project conducted themselves. The UIDAI lobby got its way and discounted voices that raised legitimate doubts. The opponents of the DNA Bill have, thus, raised their concerns before it gets too late.
Since the DNA database will rely on drawing blood or taking tissue from citizens as opposed to scanning a finger or an iris, it may appear as being more invasive than the UIDAI. But a closer look shows that from the privacy, civil liberties and national security perspective, the DNA database has notable differences with the UIDAI database. As for the conduct of those proposing the DNA Bill, it has so far been a whole lot better than the UIDAI lobby.
Better than biometrics
For one, the draft DNA Profiling Bill is direct and certain about its goal — forensics, identification of dead bodies and settlement of paternity and maternity claims.
This is in stark contrast to the UIDAI that has been projected as the miracle cure for every national ailment, real and imagined, ranging from a bad ration system to bogus voting on to catching terrorists and bringing back black money.
Second, unlike former UIDAI chairman Nandan Nilekani and the UIDAI lot, proponents of the DNA Bill aren’t rushing to bypass due process and devising ways to coerce the population into giving up their biological data. Even at the draft stage, the DNA Bill makes good mention of civil liberty and privacy concerns, has opened itself up to suggestions and has in all civility paused in the face of widespread doubt.
Third, technically the DNA fingerprint database is far superior to the biometric database as a repository of identification.
DNA prints are already widely, routinely and reliably used across the globe and in India for the purpose of identification, while biometrics is relatively untested technology. The possibility of error in DNA fingerprinting is 1 in 100 billion. Given that the population of India is 1.23 billion, theoretically, there is no possibility of duplicate records. The UIDAI, on the other hand, is built on untested, immature biometric technology and is likely to throw up a large quantum of error in uniquely identifying people.
Fourth, DNA database can’t be used to track people in near real-time. At least not without much commotion.
Say, for example, one goes to a ration shop to buy kerosene or to the bank to transfer money and the shopkeeper or the banker asks for a swipe of the fingers or a scan of the iris to establish identity. Given that most people (outside of the UIDAI) have nothing to hide, they won’t mind doing either. But asking a customer to submit herself to getting pricked or having the inside of her cheek scraped for buccal tissue is high order even for the worst of police states.
Notwithstanding the aforementioned, the DNA database will offer itself to some serious exploitation scenarios.
Though not at the level of African countries, the huge population of hopelessly poor Indians who have no access to an affordable public healthcare system, has been a favourite hunting ground for pharma companies to get human lab rats.
Innumerable poor Indians regularly die of unethical human trials done by big names and having a handy database with Indians’ DNA on it will make it much worse than it is.
The DNA database will contain not only DNA information but also demographic information including name, age, gender and address. The availability of such combined data and the rapidly plummeting cost of gene assay could take human experimentation to a whole new level.
Assume X pharma company’s agents have authorised access to the DNA database and they run a query that says “SHOW ADDRESS OF PEOPLE WITH SLC34A2 GENE MUTATION”. The addresses are plotted on a map. And voila! He has with him clusters of people susceptible to pulmonary alveolar microlithiasis — a condition that makes people susceptible to breathing trouble. He ships some potent chemical/biological allergen to those places and soon we’ll find villages or localities of breathless people willing to take any medicine offered at any price just so they can live another day.
This isn’t science fiction.
The Congress Grass (Parthenium hysterophorus) sent to India by the United States by way of contaminated PL 480 wheat in 1951 as part of United States Agency for International Development’s “Food for Peace” programme is not only a weed that is killing India’s own food production, but is also an allergen that causes harsh skin problems, breathing trouble and can prove lethal. One shudders to imagine what can be achieved with targeted contamination.
Second, attaching demographic information with DNA information will give a big fillip to socio-political prejudices.
Studies like this one that say caste can be identified in Indians’ genes can easily be hijacked to reaffirm fetid beliefs like members of Scheduled Castes/Scheduled Tribes are inherently of low birth as opposed to “intelligent” Brahmins and “strong” Kshatriyas. It doesn’t take much effort to see how this can become pseudo-scientific proof to back violence, Khaps, Ranvir Senas, anti-reservationists and the like.
In a riotous country like India, this can become extremely potent guides for ethnic cleansing.
No decentralisation, no security
The proponents of the DNA Bill must question the wisdom of keeping so much vital data in one single place.
Like the UIDAI, they may say the data will be kept safe and secure and unauthorised access will be prevented. But there is no reason to take someone’s word for it.
World over, all systems are hack-proof until the first hack.
And India’s situation is even worse thanks to the widespread and systemic apathy towards information security among users, activists and politicians alike. Recall how former Indian foreign minister Salman Khurshid publicly defended the US’ spying operations by saying “it’s not snooping its just metadata”.
Hackers from foreign governments and private companies have walked in and out of India’s servers regularly. Let alone stopping such attacks, most sysadmins don’t even notice the hack or bother patching up even after learning of the hack through public media.
Second, despite being led by stars from the private sector and despite the claims of security, the UIDAI has till date shied away from submitting itself to public security audits. That said, the greater danger lies not from nameless hackers but from authorised users who have access to multiple databases at the same time.
Note here how UIDAI kept the biometric data on private American servers that are beyond scrutiny of the Indian government and so there is no real way of knowing who has accessed and replicated the data.
Location data and habits from social media apps, biometric and DNA data from government databases, eating habits from restaurant rating and food ordering apps, sexual-social habits from dating apps — the permutations and combinations are virtually limitless. And so are the options to commercialise and weaponise them.
The obvious question that gets raised here is why such an open invitation to misuse? Why is there no effort to mitigate risks by distributing the data between competing and autonomous government bodies? Why not detach the DNA data from the demographic data and store them separately, allowing mapping only with a court order?
Most important of all, why this rush to collect citizens’ private data before enacting laws that guide collection, storage and usage, and punish misuse?