The Author, Charvi Devprakash is a 2nd year student of BBA LLB (Hons.) at Faculty of Law, PES University, Bangalore.
What is an E-passport?
In 2019, the External Affairs Minister of India, Dr. S Jaishankar announced the issuance of E-passports to all citizens. This year, the government completed its trial of issuing 20,000 E-passports and has recently declared to issue it nation-wide in 2021. This advancement means that the physical or booklet form of passports shall be replaced by Radio-Frequency Identification (RFID) and biometrics. An embedded microchip with an internationally recognised logo meant for e-passports will hold all the vital information of the passport holder. The chip will be able to store data on up to 30 international visits[1]. E-passports are embedded with such chips, that help in improving the credibility, reducing crimes and in attaining a more efficient immigration and security-check mechanism.
Security and Privacy Concerns:
The issue of security and a citizen’s right to privacy, has been much debated in the Indian as well as the global context. One such recent debates in the Indian context was in the instance of Aadhaar, where the biometrics of every lawful citizen of the country was stored online. This move by the government led to a lot of outrage, with people questioning the government with respect to their right to privacy protected under Article 21 of the Indian Constitution, 1950[2]. There were also security issues raised when the citizens were expected to link their mobile and other personal details with their Aadhaar. There were some privacy issues, when the Government of India, launched the Aarogya Setu App for the monitoring the spread of the coronavirus, where the users were asked to give out their personal information. Therefore, it is no news that this initiative by the Central Government might also have some repercussions and major criticisms. This article aims at analysing one such issue with respect to E-passports, that is a legal analysis of the citizen’s privacy rights.
Global Perspective:
To standardize the regulations across the world, all E-passports issued across the world must be in compliance with the International Civil Aviation Organisation’s (ICAO) standards, with India as no exception. The ICAO defines the RFID micro-chips ISO 14443 stored inside the passports as ‘integrated contactless circuits’[3]. It is assumed that this will make the passports tougher and harder to destroy[4].
Today, many nations have either opted for or have at least considered E-passports as a viable option. However, is it truly viable in terms of data privacy and security of the passport holders is still debatable. There are over 100 countries today that are issuing E-passports and more than 420 million E-passports in circulation[5]. Almost all countries in the European Union and the United State of America have E-passports. Many developing nations also have been issuing E-passports since a long time, and now it is India’s turn to issue the same.
Plausible threats to E-passports:
Even though many countries across the world have implemented E-passports, the efficiency of the same is still questionable. This section deals with some of the major threats to E-passport implementation. Firstly, the ICAO guidelines do not mandate an authenticated and encrypted communication between passports and readers. Such unprotected chips are subjected to Clandestine Scanning, which lead to the leakage of personal information of the passport holders, like their name, permanent address, et cetera. However, what is popularly called as “Faraday Cages” acts as a countermeasure to clandestine scanning. Unfortunately, this does not prove effective with respect to eavesdropping on passport to reader communications, like those that take place in airports[6]. Secondly, the standard for RFID chips in the e-passports stipulates the emission of a chip ID on protocol initiation. If this ID is different for every passport, it could enable tracking the movements of the passport holder by unauthorized parties. Tracking is possible even if the data on the chip cannot be read.[7]. Thirdly, there is also a possible threat of passport cloning as the ICAO guidelines do not mandate the digital signatures of the passport holder to be directly linked to his/her passport. Therefore, it does not protect these digital signatures against cloning. Identity theft, biometric data leakage and cryptographic weakness are some of the very commonly existing issues with online data, and it persists with e-passports as well.
The Indian Context:
The Constitution of India, 1950 reads right to privacy as “Protection of life and personal liberty: No person shall be deprived of his life or personal liberty except according to procedure established by law” under Article 21. Right to Privacy was recognized as a fundamental right in the case of Justice K.S. Puttaswamy (Retd) vs Union of India[8]. This right expects people to respect each other’s privacy and lets them be in full control of their privacy. However, initiatives like E-passports may hamper this right as it puts all of the personal data of the citizens on a domain that can be highly exploited through ways as mentioned above. Though there are no specific legislations on data protection and privacy existing in the country, there are provisions and amendments made to the Information Technology Act, 2000, that ensures every citizen’s right to data privacy. Section 43A and 72A of the IT Act, 2000 ensures compensation for improper disclosure of personal information.
Conclusion:
Since India is an emerging economy and is rapidly growing into becoming a digital society, the country is expecting a new set of laws with respect to data privacy. A specific legislation that addresses this new path of privacy has to be brought about very soon. Digitalisation has permeated India. Having recognised this, the central government has taken up a lot of initiatives such as ‘Digital India’, which aims at having a more stringent judicial system and an effective legislature when it comes to data protection and privacy.
Having said that, it is of paramount importance for the ICAO guidelines to undergo an evaluation and a revision to suit the needs of a digitally transforming society. India also needs to tighten its protection of E-passports before implementing it on a large scale. The government has to go an extra mile in order to ensure data protection to all its citizens while opting for e-passports. It is assumed that e-passports are harder to destroy. However, at the same time, it should also be ensured that the security of the country is not protected at the stake of the privacy of 1.32 billion Indians. Therefore, thorough processing and foolproof methods of implementation has to be adopted in order to make this initiative as efficient as it is assumed to be.
References:
[1] A successful trial run saw around 20,000 official and diplomatic e-passports issued, all embedded with microchips storing vital information,(August 21 , 2020) https://www.outlookindia.com/outlooktraveller/travelnews/story/70525/e-passports-for-indians
[2] Constitution of India, 1950, § 21
[3]Vincenzo Auletta, Increasing Privacy Threats in the Cyberspace: The Case of Italian E-Passports, https://link.springer.com/chapter/10.1007/978-3-642-14992-4_9
[4] Supra note 1
[5] ePassports to drive seamless and secure mobility across borders, (April 27, 2020, 12:22 PM), https://government.economictimes.indiatimes.com/news/digital-india/epassports-to-drive-seamless-and-secure-mobility-across-borders/75401270
[6] Ari Juels, David Molnar, and David Wagner, Security and Privacy Issues in E-passports, https://eprint.iacr.org/2005/095.pdf
[7] Ibid
[8] (2017) 10 SCC 1
