Two’s company, three’s a data risk

March 2018 brought a series of data-ethics blitzkriegs across the globe that compel us studying ‘smartness’ to discuss issues of data vulnerability and manipulation. The modalities of these data breaches and/or their exploitation were varied, and we’ll focus on the prospects of state surveillance through the biometric identity cards in India and China and the recent Cambridge Analytica’s (mis)use of millions of Facebook profiles in the US and UK.

Before we get into the nitty-gritty of these events, it is important for me to state that I, personally, am opposed to the forced recruitment of citizens onto biometric databases (as India and China are pushing for) and the use of digital profiles to assess and influence democratic processes. Furthermore, in the context of this project it is important to note that the Indian Smart City Mission is primarily focused on old-school physical infrastructure and the more global definitions of ‘smartness’ as internet-based technological solutions to urban management problems is not the mainstay of the Smart Cities Mission in India. Over the next few blog posts we will discuss this aspect of smart cities in India along with the increased push for private capital to create these modalities of development. However, in the wake of the various debates on digital identities across the globe it is imperative we simultaneously engage with the ethical and empirical fallouts of digital identities.

Being Good in India and China

India is in the midst of a long-delayed court battle over the digital database of biometric identity cards, also known as the ‘Aadhaar card’. This identity document is the first digital identity card that India has seen, where a citizen’s biometric data is stored on a digital database and thus the citizen need not carry the physical card to utilise it. The card is currently required to accessing all government welfare programmes (i.e. subsidised food, energy, health…) and the national government is attempting to link the card to bank records, taxation documentation, mobile phones and voter IDs. The card was introduced as a voluntary programme but has since metastasised into a system of browbeating citizens into ‘voluntarily’ joining the database. The primary concerns of this digital database are two-fold – 1) security and 2) surveillance.

In terms of security, the Unique Identification Authority of India (UIDAI) is a statutory authority created by the Government of India (GoI) to assign the 12-digit Aadhaar cards to the citizens of India and this body has repeatedly said that the database is secure and poo-pooed arguments against this. A few weeks back a hacker, who goes by the alias Elliot Alderson, created the source code to scrape through the internet and access the Aadhaar database and made the vulnerabilities of the Indian database threadbare. The reportage of this is still restricted and one could postulate that the negative reaction by the national government on editors who take a stand against the present government is part of the story (see here and here). The UIDAI claims that there has been no breach of information from the database and this is interesting because Alderson’s data breaches are accessed through third party organisations that have access to Aadhaar cards. Technically speaking, the UIDAI does not house the vulnerable databases however it has created a structure with third party that have less than optimum security measures for the database.

Very briefly, the fears of surveillance and Aadhaar are similar to the current situation in China which has been experimenting with biometric databases, digital face recognition and dovetailed it with surveillance of religious groups. The citizen report card flattens a citizen into a digital scorecard that determines the value of the citizen to access public goods. A simple reward system for a Samaritan and a punishment for the opposite. While this simplistic system of justice raises several questions (How do we judge good character? Who judges good character? Can the concept of ‘goodness’ change?), the primary concern again is of surveillance and restriction of mobility and access. At this point, someone with low ‘social credit’ will have limited access to public goods and it is a means of controlling the liberty and freedom of individuals.

Aadhaar currently does not speak of social credit, but it would be possible to move in that direction if it becomes a uniform database that accounts for the entire Indian population. There are several other forms of identification in India –passports, voter ID cards, driving licenses and many more – the Aadhaar card is the only one that has a person’s biometric data. The database is controlled by the UIDAI and there is currently no means of exiting the structure once enrolled. However as Nikhil Dey discusses, there is the danger of the ‘Kill Switch’ where the UIDAI can shut down an Aadhaar card and essential render the owner of the card a ‘ghost’ in the system. The UIDAI need not inform the person before doing so and given that the accountability structure of the UIDAI is quite fuzzy, this could pose a great danger to the citizenship rights of individuals. The Aadhaar card if made mandatory and is linked to your mobile phone, bank account, tax, pension, welfare schemes and other aspects of public and private life. The threat of shutting down your ‘identity card’ which is an embodiment of the citizen could be a powerful tool to quell resistance. If people are dependent on the card for their daily existence, the state could deactivate the card and reduce the mobility of the individual.

Smoke, Mirrors and Social Media in the US and UK

While we studied vulnerability and access in the east, for manipulation we shall turn to the other side of the globe and to zoom in on the US and the UK in particular. 2016 was a tremendous year for these two countries as Donald Trump was elected into office and the UK chose to leave the European Union (EU). One company who assisted these two campaigns was ‘Cambridge Analytica’ (CA) headed by Alexander Nix which sought to use predictive data analytics to inform the communication campaigns of their clients. As of last month, it has come to light that CA accessed data of millions of Facebook profiles to not only create a psychological map of these individuals but also to create targeted advertisements that could influence the ideas of voters. Thus, while Trump spoke of ‘crooked Hillary’, Facebook users who were identified as people who could be influenced were shown more videos and links that bolstered Trump’s opinions. These were ‘news’ items created social unrest and potentially affected the choice of voters.

CA harvested the Facebook data through a third party. Aleksandr Kogan, a lecturer at Cambridge University and the owner of Global Science Research, accessed the profiles through an app called ‘thisisyourdigitallife’. The app offered people a personality prediction and people could log in with their existing Facebook details. While 270,000 people did this, the app also accessed the information of their friends in the network and subsequently communicated to CA. While Kogan states that he had permission to access these profiles, Facebook argues that this was only for research purposes and not for commercial engagements. Like UIDAI disowning the responsibility for keeping data safe from third party bodies, Facebook states that this breach of information was not a result of direct action by the company itself. Technically speaking Alderson’s Aadhaar database search is not based directly on UIDAI’s database and Kogan’s alleged misappropriation and communication of data to CA was not conducted by Facebook. However, both these institutions created the content and the structures that allowed for the data to be accessed. Their lack of accountability and responsibility in the light of data leakages, and in the case of Facebook of potential manipulation for national-level elections is striking and begs the question, is this ‘smart’ behaviour? What are the normative and judicial components to the smartness of our world?

CA has worked across the globe and this article has not delved into Brexit, the Kenyan and Indian elections, however it is clear that issues of data vulnerability and manipulation are global issues. Facebook, Instagram and Twitter aren’t the only means of accessing data, WhatsApp is a universe in itself for transmission of (mis)information and the careful sculpting of public opinion. The cases in China of surveillance and disenfranchisement seem almost like reading through a Huxley novel, however this is all very real. This is part of our present and as we continue on this journey determining how stories of smartness are locally adopted and adapted, it is important to comprehend the global trends.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Blog at

Up ↑

%d bloggers like this: