Human Rights lawyer warns database can be hacked and abused by interested parties for personal or political gain
A fundamental rights petition has been filed with regards to the Regulations that give effect to the provisions of the Registration of Persons Act which was amended recently to facilitate the e-NIC Project. Skeptics point out that the e-NIC card is a ‘red herring’ and that the real concern is the database. The database will contain wide-ranging information that is requested from an individual to register through the application forms. Further, the database can be used to collect information about a person from any Government authority. The Petitioner claims that the database can be hacked and abused by interested parties for personal or political gain, and thus citizens are at a risk.
"You don’t have to be a suspect for your information to be disclosed to the police"
The Government has planned to re-register all citizens and create a database called the National Persons’ Registry (NPR). The ‘Smart ID’, which was launched on October 27, is merely an interim solution until the Department issues the e-National Identity Card (e-NIC) by 2018 or early 2019 once the data is collected. The ‘Smart ID’ will contain the name, place of birth, address and gender in all three languages. There will be a personalized barcode and a photograph of ICAO (International Civil Aviation Organization) standard. The‘smart ID’ will be issued to those who apply for new NICs or for renewals from October 27 onwards.
The e-NIC Project, initiated by the previous Government, is envisaged to identify persons for the purpose of facilitating the general public to obtain their day-to-day services, to facilitate national security and to accelerate the economic development of the country.
A human rights lawyer speaking on conditions of anonymity, pointed out that the project could lead to efficiency only if there was a completely incorruptible government of politicians and public officers who are averse to abuse. “If you start abusing it-and am fairly certain you will- then you lose all the efficiency gained. Then it can be used for all matters of corruption, for intimidation and can retard economic growth by driving fear into businessmen. The consequences can be quite dire,” he said.
Speaking to the Daily Mirror, Commissioner-General of the Department of Registration of Persons, P. Viyani Gunathilake, said that since 1972 there has been a database with basic details of those who have obtained the NIC. “But our purpose is to re-capture the data of the entire citizenry of the country who are more than 15 years old. This is still to be done. So far we have amended the law. We have the legal authority to obtain people’s bio data, biometrics (fingerprints), and a standard photograph,” he said.
The regulations, which were issued after the amendment to the Act, were approved by Parliament in August this year and they came into effect in September through a gazette notification. These Regulations have been challenged by M.R.Ratnasabapathy, (the petitioner) who is an accountant by profession. The case will be taken up before the Supreme Court on November 23. The Minister of Internal Affairs, S. B. Navinna, the Commissioner General, V. Gunathilake and the Atorney General have been cited as respondents.
Family details and privacy
The Daily Mirror learns that the anticipated database will be very expansive. The applications to register or re-register persons require basic details of the applicant, and information about his family (parents, siblings, spouse, children) including their NIC numbers and their civil status. The HR lawyer, Daily Mirror spoke to, said that this was an ‘intrusive search’.
Further this application contains a clause stating that applicants are required to submit another application in the event of a child birth, change of civil status such as marriage, divorce, separation or ordaining of any person in the family. In the event of a divorce the applicant is required to fill the case number, date of issuance of the decree and the court that issued the decree.
“Divorce is a serious problem because we have a fault-based system of divorce. Any Government authority will be able to go to court and pick up your divorce case where all sorts of nasty things would have been said about the individual. So if the person is a politician, dissenter or someone who is unpopular with the Government it will be a problem,” said the Attorney-at-Law.
Regulation 19 states that every District Registrar of Births, Marriages and Deaths should provide to the Commissioner General or an officer designated by him, a report of the births, marriages and deaths that occur in his area. The names, NIC numbers and certificate numbers relevant to the purpose of updating the National Register of Persons, should be furnished as well.
All this leads to the creation of an updated family tree.
The petitioner states in the FR petition that the collection of a full family tree of all citizens has little, or no benefit. He apprehends that this would enable to target family members of opponents for personal or political gain.
The petitioner further claims that the Commissioner General and the State would have access to the information concerning the total life history of every individual. He asserts that confidential and personal information required in terms of the Regulations aren’t adequately protected from being disclosed to a third party.
When asked about the necessity of establishing a family tree the Commissioner-General noted that there could be occasions where the family details of a particular person is needed for identification purposes.
Information not prescribed
The Amended Act allows the Commissioner General to establish and maintain a database called the National Register of Persons. There will be a record of the name, date of birth, place of birth, gender, the address, family details and any other information as may be prescribed. However the FR petition points out that the regulations do not prescribe the information that can be requested, leaving it open to the Commissioner General or an authorized officer to request any information he or she wishes to obtain.
Meanwhile the Human Rights Lawyer pointed out that the Regulations haven’t specified a public authority. “Without for instance saying that we can ask for the address from the Grama Niladhari, they have said we can ask for the information from any head of any public institution. There is an open ended ability to ask for information from any public authority,” the HR lawyer said.
Centralization of citizens’ information
Further the petition states that since the Regulations envisage the centralization of citizens’ information, separate databases can be linked together to obtain a complete profile of any citizen or their family. For example, the vehicle number can be entered and the owner can be discovered, and a complete profile of the owner and his family can be obtained. Similarly it is foreseen that if the phone number or the e-mail address of a person is entered his full profile and that of his family can be obtained.
Information could be leaked
In the absence of laws for data protection and privacy the database is vulnerable to be hacked. There is also a huge scope for abuse. “A lot of this information could be leaked or hacked. Someone can be bribed and the information can be handed over to your enemy; for instance, to your neighbour with whom you’re having a land dispute,” pointed out the Human Rights lawyer.
The Commissioner General of the Department of Registration of Persons assured that the database and the software will be secure. “We will include as much security features as possible, so that nobody can obtain data illegally,” he asserted.
According to the Registration of Persons Act the Commissioner General can disclose any information relating to a registered person, to a public officer or authority, in the interest of national security upon a direction issued by the secretary of the Defence Minister; for the purpose of prevention or detection of crimes; or under the direction of a competent court.
The Lawyer questioned the rationality of disclosing information ‘for the prevention of crime’. “What is a prevention of crime? The police can say they need a particular piece of information for the prevention of crime. The crime hasn’t been committed. All they have to say is that ‘we have information that there is concern regarding a person, in the commission, regarding a future crime. They don’t even need to say that there is a witness and a victim. You don’t have to be a suspect for your information to be disclosed,” he pointed out.
He added that there were no sanctions imposed if information was requested for in other instances.
"There could have been a requirement long ago for every citizen to be finger printed. We didn’t do that because we consider it to be an intrusion on people’s autonomy"
“The police can say we want to prevent people from making false declaration to the Inland Revenue Department (IRD) and request information concerning all vehicle holders and their tax numbers. Why not?”
“Tax information can be obtained from the IRD and vehicle details from the Department of Motor Vehicles. So the scope for abuse is huge,” he explained.
“The Department of Registration of Persons exists only to have a database and issue a card. Now they can collect all sorts of information for no sensible purpose, other than to share with other people,” he stressed.
“There could have been a requirement long ago for every citizen to be finger printed. We didn’t do that because we consider it to be an intrusion on people’s autonomy. The moment the police gets a fingerprint from a house, they know whose fingerprints those are. But the flip side is that if they’re trying to fix someone they know how that person’s fingerprints look like,” he pointed out.
Meanwhile, Commissioner General Viyani Gunathilake said that apart from the exceptions mentioned if the applicant consented the information can be released. He added that other than those instances he could only certify to the authenticity of the particulars of an NIC of a person. “If a public officer queries whether a particular NIC number corresponds with a person, I can only say ‘Yes’ or ‘No’,” he explained.