MAPIN is a database about individuals, which uses fingerprints to ensure that one individual cannot have multiple accounts. This makes possible interesting applications in the financial sector. For example, if a person is debarred from working in the securities industry for X years by the regulator, the database makes it possible to prevent him from resurfacing under a new identity. SEBI has begun by making MAPIN mandatory for a few people (board of directors), but the long-term goal is to have a large number of people in the system.
Many pillars of society have complained about being treated like common criminals, and having to supply fingerprints. There are also concerns about the safety and privacy of the data.
For a while, SEBI seemed to want to kill the MAPIN system, but they have changed their mind now and seem to be headed to restart MAPIN. Business Standard has an interesting editorial on the MAPIN database. They say that the system is required, in dealing with problems like insider trading and market manipulation. They show a host of questions that the citizen should worry about on questions of safety and privacy of data, and argue that while MAPIN is needed a concerted policy focus on privacy.
The questions they pose are:
- If a private investigator could tap Amar Singh's Reliance telephone, what is to ensure privacy of the information with MAPIN?
- Can computer-scanned thumbprints, obtained from MAPIN, be used to frame a person at a crime scene?
- The Amar Singh case involved attack by a private individual. But very often, in India, the worst perpetrators in terms of violation of privacy are employees of the government. Is all MAPIN data available to the IT department?
- Can the police query one record? Can the police run a search on the full database?
My understanding of the treatment of thumbprints is that scanned images of fingerprints are put through a feature-detection algorithm, and a compact vector of characteristics is stored in the system. Testing that two fingerprints are identical is then synonymous with testing whether the two vectors are close to each other. The actual scanned fingerprint is not stored. (And, it a person can be tricked to hold a glass of water, his fingerprints can be extracted from it).
The attacks on privacy can occur in two ways: based on policy and based on violations of policy.
Violation of policy would involve attacking NSDL computer systems, unethical employees at NSDL, etc. NSDL needs to comprehensively persuade the country that it is doing a good job of blocking attacks which are based on violations of policy.