Aadhaar’s shortcomings, focusing on an almost Kafkaesque disparity between the “helplessness, frustration and vulnerability” of the individual and the omniscience and opacity of large bureaucracies. “The Aadhaar project is a perversion of the constructive purpose of technology to be subservient to the needs of society,” concluded Reetika Khera, the book’s lead author.5
Biometric systems are also prone to failure, warns the London-based charity Privacy International:
The consequences of this can be severe: for example, failing to get access to benefits to which an individual is entitled. This is not an abstract concern. There are already reports that this has led to starvation deaths in India.6
The systems are also notoriously inaccurate on women and those with darker skin, and they may also be inaccurate on children whose facial characteristics change rapidly. Wired magazine reported in 2019 that “US government tests find even top-performing facial recognition systems misidentify blacks at rates five to 10 times higher than they do whites.”7
There is also the risk that people’s biometric identifiers could end up in the wrong hands. A large-scale data breech in India, for example, could affect over a billion people. Privacy International reports that authorities in India, South Korea, and the Philippines have already suffered “extensive security and data breaches that led to the leaking of biometric ID information belonging to millions of individuals in those respective countries.”
If biometric data is hacked, there is no way of undoing the damage. You cannot change or cancel your iris, fingerprint, or DNA like you can change a password or cancel your credit card.
“The idea of a data breach is not a question of if, it’s a question of when,” says Professor Sandra Wachter, a data ethics expert at the Oxford Internet Institute. “Welcome to the internet: everything is hackable.”
Most databases are exceedingly porous, even in countries with advanced cybersecurity systems, as we saw in the recent hack of Microsoft’s exchange servers.8 Governmental databases are often targets because they have fewer resources and often less skilled IT teams.9 Central banks, such as the Reserve Bank of New Zealand and Banco de Mexico, have also been targeted by cybercriminals. These incidents raise concerns about any system that seeks to collect, integrate, and use the biometric identifiers of hundreds of millions or even billions of people. While most vaccine passport systems haven’t collected users’ biometric data yet, it is probably a matter of time before they do. That data is unlikely to be fully secure.
Peter Yapp, former deputy director of UK Government Communications Headquarters’s (GCHQ’s) National Cyber Security Centre (NCSC) recently warned that building another centralized database to store even more of our personal data would create more opportunities for hackers and cybercriminals:
Steve Baker, deputy leader of the COVID Recovery Group (CRG) of Conservative MPs, said a centralized vaccine passport system would become a magnet for hackers:
Bugs create security vulnerabilities. That’s why it’s a terrible idea to gather together so much data of such importance in one place. This is one more nail in the coffin in the idea of COVID certification.10
There is another reason why vaccine passport systems are a threat to our personal liberties, privacy, and digital rights: that the scale and scope of their application will grow over time.