A Failure to Do No Harm: India’s Aadhaar biometric ID program

For Immediate Release

India’s Digital Biometric ID System Fails to Protect Citizen’s Privacy and is a Warning for Europe and the United States

World Privacy Forum Executive Director Pam Dixon publishes extensive research and analysis on India’s Aadhaar National Biometric ID system, calls for policymakers to take lessons from fundamental failings in India and ensure a ‘Do no Harm’ ethos is the foundation for regulations to protect privacy


  • Article: A Failure to Do No Harm: India’s Aadhaar biometric ID program and its inability to protect privacy in relation to measures in Europe and the U.S. (Pam Dixon, Springer Nature, Health TechnologyDOI 10.1007/s12553017-0202-6.  http://rdcu.be/tsWv. Open Access, via Harvard-Based Technology Sciencehttps://techscience.org/a/2017082901/
  • India’s ‘Aadhaar’ digital biometric system mandatory for vital government and public services has currently virtually no data and privacy protection legislation
  • The Indian Supreme Court has ruled privacy is a fundamental right, but has not yet tackled the question of the legality of the Aadhaar project
  • Risk of ‘mission-creep’ in Europe through the use of biometric systems to identify patients and UK discussions to create a biometric ID card for EU nationals post-Brexit, spark concerns around human rights
  • United States (US) legislation is inconsistent across states and particularly around understanding of consent to use data heightening concerns about proposed facial recognition technology currently being deployed in airports across the US


Thursday 24 August 2017, Oregon, USA – Legislation is struggling to keep pace with the deployment of biometric identity systems resulting in a high risk to fundamental civil liberties and privacy particularly in India, but also with serious ramifications in the US. Europe, who has the most robust data protection and human rights laws is also vulnerable to ‘mission-creep’ and risk failing the ‘Do no Harm’ principle according to Pam Dixon, founder of World Privacy Forum in an extensively-researched article for Nature-Springer, available as an Open Access article (no paywall) in Technology Science, a Harvard-based journal on Tuesday 31 August 2017. (1)

Dixon who has spent extensive time over four years in India researching the Aadhaar warns; “According to the World Bank, 50% of countries with a national identity card system do have not had any data protection legislation in place. The speed of technology advancement has made digital biometric systems much more accessible and enabled wide-scale use for policy-makers. India’s Aadhaar program put technical deployment before policy development and continues to do so. These actions by the Indian government have led to a marked lack of protective regulatory controls, which has in turn resulted in detrimental ‘mission-creep’ and ensuring that there are adequate safeguards in place to protect citizens.”

India’s Aadhaar system

Aadhaar, the Indian digital biometric system started as a voluntary identity card in 2010; fast-forward to 2016 and over one billion people were enrolled in the scheme and today accounts for 97% of the population. (1) Despite its initial voluntary directive, no legislation has been implemented to support its roll-out and it has become impossible to access any government or public service, such as getting married or even buying train tickets without an Aadhaar number. (1) Furthermore, with a failure rate of 49% to match individuals in some regions such as Jharkhand, there are significant failings that could leave citizens unable to access key benefits or get to work. (1)

Recently, a nine-judge Constitution Bench of the Indian Supreme Court, decreed that citizens have a fundamental right to privacy, a protection it read into Article 21 of the Constitution, which guarantees a right to life and personal liberty.

Dixon welcomes the ruling “It is a step in the right direction, but there is still a lot of work to be done. This ruling does not evaluate the moralities of the system and how it has been deployed, and there are many learnings for the US and Europe.”

Biometrics are fast becoming the cornerstone of technology in establishing identity and assisting in reducing crime and fraudulent activity in the US and Europe and new systems are rapidly being deployed. Whilst, the US, and Europe do have regulations in place to support data protection, privacy and consent to use information, India is a case in point that by the time a deliberative legislature can move to a bill of passage, a fledgling biometric programme may have attained pervasiveness and thus be very difficult to regulate or remove. (1)

According to Dixon “The ‘Do no Harm’ principle means that biometrics and digital identity should not be used by the issuing authority, typically a government to serve purposes that could harm the individuals holding the identification. Nor should it be used by adjacent parties to the system to create harm.”

An example of such a ‘harm’ is the inclusion of highly sensitive information such as ethnicity, religion or place of origin. This was evidenced in the Republic of Rwanda, where personal identity documents that included ethnicity, were used to aid and to expedite genocidal activities. (1)

‘Mission-Creep’ in Europe and the United States

In the UK, there has been a proposal to implement a biometric identity card for EU nationals (2) creating controversy around the creation of a ‘second-class’ citizen. (3) There are calls for these cards to be voluntary, but without adequate legislation, there is a danger of ‘mission-creep’ as witnessed in the Indian Aadhaar system.

Additionally, in Europe, whilst there are very strict regulations around sensitive data and the use of consent, governed by the EU General Data Protection Regulation (GDPR), (4) there are already exceptions over information that is necessary to provide a medical diagnosis and treatment providing opportunity for access and use without patient knowledge. (1)

In the US, legislation is inconsistent across states and there is inadequate protection at the federal level. (1) For example, some healthcare providers have urged patients to provide biometric-based authentication without making it clear that such enrolment is voluntary. (1) Concerns about the use of biometric data have soared recently as the US has announced plans to apply facial recognition of all passengers including US citizens entering and exiting US airports. (5) The technology has already been installed at six airports[*] across the US, with more to follow.

Dixon flags that; “Current policy proposals state that live photographs will be deleted within 14 days, but customs officials have already discussed dropping such a restriction, thus providing ‘mission-creep’ opportunity for the information to be used by other federal agencies.”

Call to policymakers

Dixon extols the great work being put forward by the World Bank and its partners, but highlights that “the most important step the World Bank can take to improve Global privacy and protect citizens is to ensure future principals and guidelines enshrine the ’Do no Harm’ as a top priority”

The Principles on Identification is a joint policy document of the World Bank Group, the United Nations Development Programme (UNDP), and other key stakeholders such as the Bill and Melinda Gates Foundation outlining ten principles of privacy and non-discrimination.

‘Digital identity systems and systems that use biometrics need to be designed in such a way that they cannot fail, even when political regimes and the will of legislators do’ is a concept derived from the Privacy by Design school of thought. (6)

Dixon adds that “While all jurisdictions would benefit from an approach that considers privacy by design in biometric identity systems, it should not be seen as a substitute for legalisation. Policy development needs to focus on the concept of ‘Do no Harm’ to create a bedrock guiding principle of all digital biometric identity systems.”


– Ends –


Notes to Editors


Contact details:

Hayley Jayawardene


07813 346395


About Pam Dixon

Pam Dixon is the founder and executive director of the World Privacy Forum, a public interest research group well-known and respected for its consumer and data privacy research. An author and a researcher, Dixon has written ground-breaking and influential studies in the area of privacy, including The Scoring of America, a substantive report on predictive analytics and privacy written with Bob Gellman. She has also written well-known reports on Medical Identity Theft, the One-Way Mirror Society report on digital signage networks and retail privacy, and a series of reports on data brokers, among others. Dixon has conducted substantive biometrics research in India, which formed the basis of a forthcoming scholarly article on India’s Aadhaar, biometrics, and EU-US policy in Technology Science, a Harvard-based journal.

Dixon is one of several leading experts invited as an advisor to contribute to a major review of the development of artificial intelligence in the UK.

Dixon has testified before the US Congress, including the Senate Judiciary Committee, as well as the US Federal Trade Commission and other agencies on prominent consumer privacy issues, including issues related to data brokers, identity, health privacy, genetic privacy, the Common Rule, facial recognition, and online and offline privacy. Dixon is an expert advisor to the OECD regarding health data uses, and she serves on the editorial board of Harvard’s Journal of Technology Science. She is a member of the Biometric Institute, where she serves on the privacy committee. Dixon was formerly a research fellow at the Privacy Foundation at Denver University’s Sturm School of Law. She has written 8 books, including titles for Random House / Times Books, among other major publishers. Her most recent book, Surveillance in America, was published in 2016 by ABC-CLIO books.

About the World Privacy Forum

The World Privacy Forum is a non-profit public interest research and consumer education group focused on the research and analysis of privacy-related issues. The Forum was founded in 2003 and has published significant research and policy studies in the area of privacy, specifically relating to the key areas of health, predictive analytics, and AI, regulation, biometrics, identity, financial privacy, and data brokers among additional areas of inquiry. www.worldprivacyforum.org.



  1. Dixon, Pam.
  2. Secretary of State for the Home Department. The United Kingdom’s exit from the European Union: Safeguarding the position of EU citizens living in the UK and UK nationals living in the EU. London : HM Government, 2017.
  3. Verhofstadt, Guy. Improve the Brexit offer to EU citizens, or we’ll veto the deal. London : s.n., July 09, 2017. The Guardian.
  4. The EU General Data Protection Regulation (GDPR). EUGDPR.org. [Online] http://www.eugdpr.org/eugdpr.org.html.
  5. U.S. Customs and Border Protection. CBP Deploys Biometric Exit Technology to Chicago O’Hare International Airport. Chicago : s.n., 2017.
  6. Cavoukian, Ann. Privacy by design, the 7 Foundational Principles, Implementation and mapping of the Fair Information Practices. Ontario : s.n., 2011.



[*] Boston Logan, New York JFK, Dulles in D.C., Hartsfield-Jackson in Atlanta, Chicago O’Hare, and Bush in Houston