India uses controversial Aadhaar facial biometrics to identify COVID vaccination recipients

Safer than eyeballs or fingerprints, apparently

India’s National Health Authority has commenced a pilot of facial recognition software as a means of identifying people as they queue in the nation's COVID-19 vaccine centres.

The reason for using facial biometrics is simple: fingerprints or eyeball scans require touching equipment and getting close to machinery, both risky activities during the pandemic. A touchless and more sanitary facial recognition system therefore makes sense.

The system uses facial scans captured under India's Aadhaar national ID scheme.

National Health Authority CEO R.S. Sharma told Indian online newspaper, ThePrint:

We have started a pilot in Jharkhand which is reporting more than 1,000 successful authentications via facial recognition on a daily basis at the vaccination sites.

The program will expand across the country once the pilot has between 50,000 and 60,000 facial authentications completed, according to Sharma, who praised Aadhaar because citizens whose faces were scanned in 2011 can now use facial recognition.

Indian payment app MobiKwik denies theft of customer data, has no idea how the info ended up on the dark web: Maybe it was your fault?


Aadhaar is the world's largest biometric ID system. Users opt in by providing biometric and demographic data in exchange for a 12-digit unique identity number. While presented as an optional system, critics say that India residents face more and more pressure to use the system, which collects a wealth of data, some of it accessible by non-government entities, without many privacy assurances.

For example, India made Aadhaar mandatory for e-gov services in 2017. A few months later, India's Supreme Court ruled that the nation's constitution gives its citizens a right to privacy, complicating matters for Aadhaar, which saw over 135 million financial records leaked at what appeared to be an inside job.

The breach was downplayed by the Unique Identification Authority of India (UIDAI), the government authority that collects the data. ®

Similar topics

Broader topics

Other stories you might like

  • Intuit pulls QuickBooks from India, uncomfortably quickly
    Walks away from enormous but parochial market, while leaving global development teams in place

    Accounting software colossus Intuit has decided to pull its QuickBooks product from India.

    The decision comes into effect on January 31 2023, after which QuickBooks products and service offerings for accountancy and small business customers will no longer be available in the world's second most populous country.

    "After careful consideration, the decision was made that we can no longer continue to deliver and support QuickBooks products that serve the needs of small businesses and accounting professionals across India," reads a notice posted yesterday.

    Continue reading
  • India extends deadline for compliance with infosec logging rules by 90 days
    Helpfully announced extension on deadline day

    Updated India's Ministry of Electronics and Information Technology (MeitY) and the local Computer Emergency Response Team (CERT-In) have extended the deadline for compliance with the Cyber Security Directions introduced on April 28, which were due to take effect yesterday.

    The Directions require verbose logging of users' activities on VPNs and clouds, reporting of infosec incidents within six hours of detection - even for trivial things like unusual port scanning - exclusive use of Indian network time protocol servers, and many other burdensome requirements. The Directions were purported to improve the security of local organisations, and to give CERT-In information it could use to assess threats to India. Yet the Directions allowed incident reports to be sent by fax – good ol' fax – to CERT-In, which offered no evidence it operates or would build infrastructure capable of ingesting or analyzing the millions of incident reports it would be sent by compliant organizations.

    The Directions were roundly criticized by tech lobby groups that pointed out requirements such as compelling clouds to store logs of customers' activities was futile, since clouds don't log what goes on inside resources rented by their customers. VPN providers quit India and moved their servers offshore, citing the impossibility of storing user logs when their entire business model rests on not logging user activities. VPN operators going offshore means India's government is therefore less able to influence such outfits.

    Continue reading
  • Indian government signals changes to infosec rules after industry consultation
    Reports suggest SMBs will get more time, but core elements including six-hour reporting requirement remain

    Indian media is reporting that the government has consulted with industry about its controversial infosec reporting rules, possibly resulting in concessions that slightly ease requirements for some businesses.

    The rules, introduced on April 29 with no warning and a sixty-day compliance deadline, require organizations operating in India to report 22 different types of information security incidents within six hours of detection, maintain extensive logs of their own and customers' activities and provide that info to authorities as required, and use only network time protocol (NTP) servers provided by Indian authorities or synced to those servers.

    The rules generated swift and widespread opposition on grounds that they were loosely worded, imposed enormous compliance burdens, made India less attractive to foreign tech companies, and would harm privacy. The requirement to report even trivial incidents within six hours was criticized as likely delivering a deluge of reports that would contribute little to the stated goal of securing intelligence with which to defend the nation. The Internet Society warned that insistence on using Indian NTP servers would create an unhelpful reliance on that infrastructure.

    Continue reading

Biting the hand that feeds IT © 1998–2022