Can the MNIC really combat identity fraud?

March 25, 2017
mauritius security privacy

If one reads the judgment of the Supreme Court in the case Madhewoo M vs State of Mauritius, one would find that a major argument that held the ruling in favor of the State is that of being able to prevent multiple enrollments; that is prevent a person from having multiple identity cards under different names.

Below is a extract of the judgment where the former Project Director of MNIC, Mr Rao Ramah explained how they leverage the use of fingerprints to detect and prevent re-registration attempts.

We have identified more than 700 people who have tried to register more than once. In fact they went to one centre, possibly went to a different centre … when the system analyses the fingerprints, the system flags these people as being those who tried to register twice on the same identity card for example and then there is an investigation that happens afterwards.

Following the Supreme Court judgment which said that the provisions in NIC Act and the Data Protection Act for the storage and retention of fingerprints & other biometric details are unconstitutional, the Government of Mauritius ordered the destruction of the “database” that held biometric information of the citizens of Mauritius. Subsequent enrollments requires the citizen to provide his fingerprint images for the production of fingerprint minutiae that are stored in the citizen’s identity card only. In doing so the MNIC unit changed the verification mechanism. Instead of a one-to-many comparison of fingerprint, a one-to-one comparison is effected, where a citizen’s fingerprint is matched against his own fingerprint minutia to ascertain that he is the rightful owner of the identity card.

TCI Minister, « there is no database of fingerprints »

In a press conference, the Minister of Technology, Communication and Innovation, (Hon) Yogida Sawmynaden, said that the citizen’s fingerprints are not stored anywhere except his identity card.

Can the MNIC prevent multiple enrollments?

Since MNIC does not have a database of fingerprints, I believe it would be correct to assume that if a person who already obtained the biometric identity card attempts to enroll again under a different name, there won’t be any fingerprint in the database to compare his with and therefore the system won’t flag anything. This way Mr Rao Ramah’s statement about preventing multiple enrollments using the citizen’s fingerprints completely loses value.

Thus, the answer to the above question is no.

In a conversation with S. Moonesamy I attempted to better understand the above. I recommend reading the notes on the National Identity Card of Mauritius by S. Moonesamy, especially the paragraphs on security, assurance, and privacy considerations.

UK Information Office steps into Cambridge Analytica investigation

March 20, 2018
facebook data protection data breach privacy

MNIC officer accuses Police of forced confession in fake biometric ID Card case

February 16, 2018
mauritius mnic biometric id card website compromised?

December 7, 2017
linux wordpress security