LEGAL CHALLENGES IN REGULATING THE USE OF BIOMETRIC AUTHENTICATION IN MOBILE DEVICES

This article is written by Sangamithirai. V of Chettinad School of Law, an intern under Legal Vidhiya

ABSTRACT

The rise of mobile biometric authentication in India has significantly transformed how users identify and authenticate their identities when accessing mobile applications. This method leverages unique physical traits, such as fingerprints, facial features, and iris patterns, to enhance security while simplifying user experience. Key Features of Biometric Authentication involve utilizing the distinct ridges and valleys in fingerprints for recognition and capturing facial measurements to precisely verify individuals. Iris scanning analyses complex iris textures to distinguish one person from another. These biometric modalities are built into smartphones with high-tech fingerprint readers and optical sensors, streamlining the authentication workflow for a frictionless user experience.

Applications of Biometric Authentication impact the financial sector as it expedites digital ID verification, bolstering protection for online money transactions. It benefits healthcare by using biometrics for patient IDs to prohibit unauthorized access to medical histories. The Aadhaar initiative played a key role in strengthening India’s security infrastructure by linking citizens’ biometrics to a single ID number, improving access to services while decreasing fraud owing to the immutability of physical traits. This paper will explore the legal challenges and considerations in regulating the use of biometric authentication in mobile devices in India.

KEYWORDS

Biometric Authentication, Data Protection, RBI Guidelines, IT Act 2000, Digital Identity.

INTRODUCTION

The adoption of biometric authentication in mobile devices has drastically changed how we secure our digital lives. Although this technology provides increased security and convenience, it presents new specific legal issues that must be analyzed. This introduction will then delve into the core legal issues arising from biometric authentication in mobile devices in India

Mobile biometric authentication, which identifies and authenticates the user’s identity that trying to access a mobile app. This may be done in various ways, including fingerprint readers, facial recognition, or voice recognition, among others. Securing data using Biometric Authentication has come up large due to the advent of mobile devices in India. It uses individual characteristics such as fingerprint, face recognition and iris patterns to identify a user based on that strengthening the security of access while improving the experience.

Biometrics authentication is a way of using unique traits that an individual possesses to gain great safety in accessing devices and applications. Common modalities include:

Fingerprint Recognition: Utilizes specific designs in the fingerprint of an individual.

Face Recognition: Detects faces and looks for a match.

Iris Scanning – To recognize people based on the biometric patterns in their irises.

These methods are usually integrated into mobile devices that have state-of-the-art sensors such as fingerprint scanners or cameras, making the authentication process more secure and simple.

The Supreme Court of India has rendered judgement that the right to privacy is a fundamental one, however, current laws do not effectively protect biometric data from abuse. One of the most significant aspects that emerged from the Puttaswamy[1] Judgment was a clear pronouncement by Hon’ble SC that any collection of personal information affecting privacy should be backed by law, leading to which there must exist robust legal framework so far as biometric data is concerned. These privacy concerns are materializing in the ongoing debates around the Aadhaar system, with critics arguing that not enough is already done to protect individuals given possible abuses.

RESEARCH OBJECTIVES

• To discuss the Key Aspects of Biometric Authentication in India’s Mobile Ecosystem
• To discuss Key Biometric Authentication Methods in Indian Smartphones
• Safeguarding biometric data from breaches and unauthorized access

RESEARCH QUESTION

What are the implications of the Information Technology Act [2]and the Aadhaar Act [3] on the regulation of biometric authentication on mobile devices?

RESEARCH METHODOLOGY

The research methodology adopted in this paper is purely doctrinal. Doctrinal research, also known as library-based research, involves exploring existing legal provisions, precedents, and scholarly works. It provides insight into theoretical and conceptual aspects of law through a systematic exposition of legal doctrines and principles. Primary sources driving doctrinal research include statutes, court decisions, and authoritative texts. Secondary sources such as commentaries, articles and digests are also examined. The process involves identifying, compiling, and critically analysing these sources to derive logical conclusions and offer perspectives on issues under review. Through doctrinal research, this paper aims to deliver a thorough, coherent comprehension of the applicable legal framework. The methodology’s comprehensive study of sources and contextual analysis facilitates the development of a unified perspective on the research question. By synthesizing diverse materials and viewpoints, doctrinal research constructs a balanced interpretation of the subject matter.

DRIVERS OF ADOPTION

Security issues – Traditional Password-based systems are an old tech method of implementing Security due to cyber threats on the rise. Using biometric authentication is a more secure option that eliminates problems of unauthorized access and identity theft.

That accessibility endears it to a nation with an increasingly smartphone-centric population.

Government initiatives: Programs such as Aadhaar, which assigns biometric identity to each Indian resident, played a significant role in advancing the concept of biometric authentication. It enables access to numerous services such as banking or government programs, thus becoming part of everyday life in terms that are associated with biometrics.

Financial Industries are Using Biometric Security in Mobile Banking

Digital Identity Verification-Biometric systems serve to smooth the process of verifying identities for online services, making sensitive transactions more secure.

Healthcare: Biometrics are used for patient identification and making zero fraudulent access to medical records by users. Biometrics Strengthen India’s Security Infrastructure

BOOSTING SAFEGUARDS

Biometric identification, which relies on immutable physical attributes like fingerprints and facial recognition, significantly enhances security across domains:

Aadhaar Initiative[4], Aadhaar assigned each resident a unique twelve-digit number linked to biometric data, reaching over a billion users essential to access government amenities and financial inclusion, curbing deception and ensuring transactions’ integrity.

Law Enforcement Applications: Security agencies increasingly employ biometric technologies for criminal identification and investigation. The Criminal Procedure (Identification) Act 2022[5] allows collecting arrestees’ and convicts’ biometrics, advancing crime-solving and prevention through precise recognition.

Streamlining Governance and Services Delivery

Integrating biometrics into governance has streamlined the delivery and oversight of amenities and programs:

Public Aid Programs: Biometric platforms track beneficiaries of welfare schemes, minimizing leakage and dishonesty to ensure aid recipients receive due benefits. For example, biometrics enhanced the efficiency and monitoring of the public distribution system.

Financial Access: Biometric authentication facilitated banking access, especially in rural regions where traditional ID is less effective. The Aadhaar-enabled Payment System considerably reduced fraud and improved transaction security.

KEY ASPECTS OF BIOMETRIC AUTHENTICATION IN INDIA’S MOBILE ECOSYSTEM

1. Government Initiatives and Aadhaar’s Pivotal Role:

The landmark Aadhaar project allocated unique identification numbers to citizens using biometric data, laying the foundation for authentication across India. Accessing public services now simplified via Aadhaar integration accelerated the adoption of these technologies in banking, healthcare, and benefits. Mobile apps link Aadhaar enabling real-time ID verification, and streamlining delivery while reducing deception.

2. Accelerating Proliferation of Mobile Biometrics:

Smartphone penetration bringing fingerprint scanners and facial recognition to the masses triggered a boom in associated mobile solutions. Major platforms like iOS and Android incorporating such sensors into devices allowed effortless, secure authentication removing passwords’ complexity burden. Convenience, not solely security, boosted user experiences.

3. Cross-Industry Applications:

Biometric authentication found diverse applications:

Financial services deploying biometric systems facilitated contactless payments and account access.

Healthcare utilizing verification ensured proper patient identification and protected medical records and care services’ access.

E-commerce and retail businesses implemented biometric solutions to smoothly identify customers and bolster online transaction security.

4. Augmenting Protection and Diminishing Fraud:

Biometric authentication considerably lowers identity theft and fraud risks. Unreplicable biometric traits surpass password protection’s importance heightened as digital transactions proliferated in India where security concerns are paramount.

KEY BIOMETRIC AUTHENTICATION METHODS IN INDIAN SMARTPHONES

Fingerprint sensors are standard for unlocking phones swiftly. This speedy method remains mainstream due to its convenience in mid- to high-tier devices. However, facial recognition has gained traction following its adoption by premium products like the iPhone X, revolutionizing user verification. Android manufacturers followed by incorporating face unlocking to better security seamlessly. This technologically advanced approach identifies individuals accurately under changing light through sensitive optics and algorithms.

Rarely seen in costlier phones alone, iris scanning provides supreme security owing to iris patterns’ singularity, an attractive privacy-focused selection.

Driven by Aadhaar mandating biometrics for authentication in numerous services, government initiatives set a precedent encouraging private sector use similarly in mobile applications. With intensifying digital threats, biometric login presents a safer alternative to memorized secrets by establishing identity theft difficulty through inherently exclusive biometrics. Biometrics also enhance experiences through faster, simpler authentication aligned with growing smartphone dependence.

Projections foresee India’s biometric authentication market nearly doubling by 2027 to approximately $3.81 billion from around $2.06 billion in 2020 based on mobile integration impetus from improvements and demand.

While advantageous overall, widespread biometric adoption faces hurdles including apprehensions around data collection and storage raising important privacy issues. Implementation expenses pose barriers for smaller firms desiring integration. Users may also hesitate due to a lack of comprehension or cleanliness/security worries regarding these emerging technologies.

INFORMATION TECHNOLOGY ACT OF 2000

The Information Technology Act of 2000 provides India’s legal framework governing biometric data use, particularly via the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data) Rules 2011[6]. Key aspects relating to biometric authentication under this law include:

Biometric data is defined within the Act to encompass human body measurements and analyses, like fingerprints, irises, faces, voices, and hands, as well as DNA- all categorized as sensitive personal information mandating stringent protection.

Organizations handling such data must establish reasonable security practices, such as encrypting biometric information during storage and transmission to prevent unauthorized access. Access is also limited only to approved staff, reducing breach risks. Explicit consent from individuals is legally required before any biometric collection or processing, ensuring transparency and respect for privacy rights.

The IT Act and the Aadhaar Act together establish how biometric data may be gathered, stored, and utilized. Biometric information is classified as sensitive personal data necessitating heightened safeguards due to its ability to impact personal privacy and security. Companies failing to comply with outlined security practices carry liability should a breach occur, reinforcing accountability. The government also oversees usage to mandate adherence to legal standards protecting citizen rights.

SAFEGUARDING BIOMETRIC DATA FROM BREACHES AND UNAUTHORIZED ACCESS

1. Legal Regulations Surrounding Biometrics in India:

The governance of collecting, storing, and managing biometric data in India is outlined within the Information Technology Act of 2000. This law contains protections for sensitive personal information, including biometrics. Additionally, the Information Technology (Reasonable Security Practices and Procedures for Sensitive Personal Data) Rules of 2011 specify conditions for handling sensitive data, such as explicit consent is mandatory before acquiring biometric identifiers; data can only be gathered for lawful, function-specific purposes; and stored data must be deleted and third-party sharing requires permission, excluding legal mandates. The Aadhaar Act 2016 also regulates biometric data usage for identity verification, allowing collection for registration and mandating strong security to shelter this sensitive information. The Supreme Court emphasized privacy and accountability when using biometrics, especially by private organizations.

2. Necessary Security Measures:

Reasonable security is indispensable for entities that process biometric information. This involves encrypting stored and transmitted biometric data to thwart unauthorized access, restricting personnel authorization, and conducting audits to ensure adherence to protocols and identify vulnerabilities. If security lapses enable a breach, affected persons can seek damages from accountable parties through the IT Act without proving wrongful loss, focusing instead on benefits gained through non-compliance.

3. Recommendations for Individuals:

Self-protecting personal data involves understanding consent and biometric value before engaging reputable partners that prioritize security standards. Regularly monitor accounts for irregular authentication or access without permission.

4. Future Considerations:

As India’s Personal Data Protection Bill advances legal protections, enhanced safeguards for biometrics could materialize, such as stricter cross-border transfer rules and penalties. Emerging legislation and policy aim to establish comprehensive personal data guidelines, specifically involving mobile biometric verification consent, lawful collection limitations, and security protocol adherence.

KEY REGULATIONS ABOUT BIOMETRIC INFORMATION

1. Classification of Personal and Sensitive Personal Data:

The bill designates biometric data as sensitive personal information. This group encompasses material that can divulge an individual’s identity and is subject to stricter rules. Sensitive personal data includes various kinds of records, such as medical records, financial particulars, and biometric signatures like fingerprints and facial recognition scans.

2. Requirement for Consent:

One of the fundamental principles of the bill asserts that the processing of personal data, including biometric identifiers, necessitates clear consent from the individual. Organizations must obtain well-informed agreement before collecting or handling biometric details. This ensures folks have control over their personal information and understand how it will be applied.

3. Limitation on Purpose:

The legislation mandates that biometric data may only be processed for specific, legitimate reasons. Organizations must notify individuals about the objective of amassing their biometric information, and they cannot use it for any other purposes without obtaining additional consent. This provision helps prevent misuse of biometric details.

4. Data Protection Measures:

The bill emphasizes the need for organizations to execute reasonable security practices to safeguard sensitive personal data, particularly biometric information. This incorporates measures like encrypting data, access controls, and routine audits to ensure adherence to security protocols.

5. Rights of Data Principals:

The bill grants several entitlements to individuals concerning their data, like the right to access, correct, and erase their biometric information. Additionally, people have the right to data portability, allowing them to transfer their biometric data between service providers easily.

6. Data Localization:

The bill incorporates provisions regarding data localization, which require that sensitive personal data, like biometric identifiers, be stored within India. This aims to boost data security and ensure that Indian citizens’ biometric information is protected under Indian law.

7. Data Protection Authority:

The bill proposes establishing a Data Protection Authority of India (DPA), which will oversee applying data protection laws, like those relating to biometric data. The DPA will have the power to enforce compliance, investigate breaches, and impose penalties for violations of the provisions concerning biometric data handling.

RESERVE BANK OF INDIA (RBI) GUIDELINES ON BIOMETRIC AUTHENTICATION[7]

The latest developments in the Reserve Bank of India’s guidelines for biometric verification centre around strengthening protections for digital payments. Here are the key changes:

Dynamically produced authentication must currently be used for all digital transactions as of August 2024, as mandated by the RBI. This implies the authentication factors should be made after payment initiation and must not be reused or tied to a single transaction. This requirement aims to bolster security for digital dealings and decrease fraud risk.

Exemptions for small transactions are detailed in the RBI’s guidelines. The requirement for dynamically generated authentication does not apply to small contactless card payments under ₹5,000, recurring digital payments through e-mandates, and small offline digital payments. This exception allows for simpler transactions while maintaining protections for higher-value dealings.

Issuers of biometric authentication methods may use a risk-based method in deciding the proper additional authentication factor. Factors like the transaction amount and risk profile of the customer can be considered, permitting a tailored security mechanism for various transaction types.

In July 2024 the RBI published a draft framework for alternative authentication mechanisms in digital payment dealings. This framework encourages adopting new authentication technologies, like biometric methods, as options to traditional SMS-based OTPs. The RBI emphasizes the need for secure, innovative authentication solutions to stay ahead of evolving cyber threats.

Exclusivity agreements where issuers exclusively use one payment or technology service provider are now prohibited by the RBI. This ensures competitive development and the use of diverse authentication solutions, including biometrics.

The RBI also highlighted the importance of securing digital payments through additional authentication and has worked on extra fraud risk management steps for Aadhaar-enabled Payment System transactions, especially those vulnerable to duplicated fingerprints. This involves revising the onboarding process for Aadhaar service providers to strengthen security against fraud.

In summary, the latest RBI[8] developments for biometric verification focus on boosting protections through dynamically generated authentication factors, encouraging innovative options, and ensuring a competitive landscape for authentication technologies. These measures aim to reinforce integrity in India’s digital payment systems while addressing emerging security challenges.

CASE LAWS

1. The case of Patel v. Facebook [9]from 2019 alleged that the social media giant’s application of facial recognition technology to tag users in photos violated an Illinois privacy law protecting biometric data. The 9th Circuit Court ruled that the collection of facial geometry constituted sensitive personal information requiring explicit opt-in, even absent direct commercial motives. This established biometric identifiers like facial scans as deserving of heightened legal safeguards.
2. The ACLU vs Clearview AI[10] , ACLU sued facial recognition startup Clearview AI in 2020 for scraping billions of online images without consent in potential violation of BIPA and other laws. This case underscored concerns involving algorithmic unfairness and accuracy issues surrounding these technologies alongside demands for robust rules safeguarding individual privacy rights. The litigation continues but has driven scrutiny and calls to regulate biometric data collection and usage.
3. An earlier 2014 Virginia state case, Commonwealth v. Baust[11], ruled that compelling a suspect to provide a fingerprint did not breach 5th Amendment rights since it was deemed a physical rather than testimonial form of evidence. However, the court noted that compelled access to passcodes or other mental state information would likely overstep boundaries. This helped differentiate biometric data like fingerprints from memorized passcodes in the context of self-incrimination privileges.

RECOMMENDATIONS

Recommendations for Policymakers:

Establishing comprehensive data governance frameworks must be a top priority for policymakers’ guidelines on biometric data collection, storage, processing, consent practices, usage, and sharing will help ensure transparency and accountability in these systems. Legal protections also require strengthening, starting with evaluating provisions in the Information Technology Act 2000 and the Aadhaar Act [12]2016 to address privacy concerns and penalize data breaches or misuse. Mandatory socio-economic risk assessments should also precede biometric system deployments to appraise impacts on vulnerable populations and ensure inclusive access to critical services. Regulators should expand transparency mechanisms tied to biometric and digital identity systems by making public information about handling such sensitive personal data. Public-private partnerships can foster biometric innovation between government and industry while safeguarding public interests, so policymakers need frameworks facilitating accountable collaboration.

Recommendations for Industry Stakeholders:

Industry stakeholders must adopt sophisticated security practices like encryption, access controls, and regular audits to vigorously protect biometric information according to data protection standards. A major focus must be educating users about authentication systems and consent for data usage clear communication can boost trust and accountability in technology. Ethical considerations for respecting individuals’ privacy rights [13]and using data solely as intended should drive biometric system development and deployment. Companies need continuous compliance checks against legal/regulatory guidelines to maintain oversight and transparency in handling biometric profiles. As innovation progresses, this sector should create solutions attentive to privacy/ethics while fostering an inclusive society.

CONCLUSION

The rise of biometric authentication in mobile devices has significantly altered identity verification and access across India. Leveraging intrinsic physical traits such as fingerprints, facial attributes, and iris patterns, this technology provides a more secure and convenient authentication experience compared to traditional approaches.

Biometric authentication presents a more robust alternative to password-based systems, meaningfully decreasing unauthorized access and identity theft[14]. Government programs like Aadhaar have enabled widespread adoption of biometric IDs, allowing access to banking, government services, and beyond.

Applications of biometric authentication span sectors for instance finance, healthcare, and security. It expedites digital identity verification, protects online transactions, and aids in preventing fraud by connecting citizens to a unique biometric ID.

However, amplified usage of biometric data also raises important legal challenges and considerations regarding data privacy, security, and regulation. As biometric authentication continues to remodel the mobile landscape in India, policymakers will necessitate prudently navigating these issues to unlock the full benefits while safeguarding individual rights and freedoms.

REFERENCES

• Biometric Authentication Systems 2012 written by Vinayak Bharadi, Hemchandra Kekre
• Biometric Authentication A Clear and Concise Reference written by Blokdyk Gerardus
• https://www.claysys.com/blog/types-of-biometrics/
• http://www.freelaw.in/legalarticles/Legal-Challenges-in-Biometric-Data-Usage-in-India

---

[1] Right to Privacy verdict- K.S. Puttaswamy (Retired). vs Union of India And Ors., 2017

[2] Information Technology Act 2000

[3] Aadhaar Act 2016

[4] Aadhaar Initiative 2009

[5] It replaces the Identification of Prisoners Act, of 1920, a colonial-era law,

[6] Rules made by the Central Government in the exercise of its powers under the Information Technology Act 2000,

[7] Framework on Alternative Authentication Mechanisms for Digital Payment Transactions

[8] Reserve Bank of India was established on April 1, 1935 in accordance with the provisions of the Reserve Bank of India Act, 1934. 

[9] Patel vs Facebook,932 F. 3d 1264 (9th Cir. 2019),

[10] ACLU vs Clearview AI , Ill. Cir. Ct. 2021

[11] Commonwealth v. Baust,89 Va. Cir. 267 (2014)

[12] Supreme Court upheld the Aadhaar Act as constitutional by a 4:1 majority

[13] Art 21 of the Indian Constitution enshrined the right to privacy

[14] Section 66C in The Information Technology Act, 2000

Disclaimer: The materials provided herein are intended solely for informational purposes. Accessing or using the site or the materials does not establish an attorney-client relationship. The information presented on this site is not to be construed as legal or professional advice, and it should not be relied upon for such purposes or used as a substitute for advice from a licensed attorney in your state. Additionally, the viewpoint presented by the author is personal.