The facial-recognition systems of today use a camera to zoom in on an individual’s eyes, mouth and nose, and extract a “feature vector,” which is a set of numbers that describes key aspects of the image, such as the precise distance between the eyes. (Remember, in the end, digital images are just numbers.) Those numbers can be fed back into a large database of faces in search of a match. To many this sounds like science fiction, and it’s true that the accuracy of this software is limited today (by, among other things, pictures shot in profile), but the progress in this field in just the past few years is remarkable. A team at Carnegie Mellon demonstrated in a 2011 study that the combination of “off-the-shelf” facial-recognition software and publicly available online data can match a large number of faces very quickly, thanks to technical advancements like cloud computing. In one experiment, unidentified pictures from dating sites (where people often use pseudonyms) were compared with profile shots from social-networking sites, which can be publicly accessed on search engines (i.e., no log-in required), yielding a statistically significant result. It was noted in the study that it would be unfeasible for a human to do this search manually, but with cloud computing, it takes just seconds to compare millions of faces. The accuracy improves regarding people with many pictures of themselves available online—which, in the age of Facebook, is practically everyone.

Like so many technological advances, the promise of comprehensive biometric data offers innovative solutions to entrenched sociopolitical problems—and it makes dictators salivate. For each repressive regime that gathers biometric data to better oppress its population, however, a similar investment will be made by an open, stable and progressive country for very different reasons.

India’s unique identification (UID) program is the largest biometric identification undertaking in the world. Constituted in 2009, the campaign, collectively called Aadhaar (meaning “foundation” or “support”), aims to provide every Indian citizen—1.2 billion and counting—with a card that includes a unique twelve-digit identity and an embedded computer chip that contains a person’s biometric data, including fingerprints and iris scans. This vast program was conceived as a way to solve the problems of inefficiency, corruption and fraud endemic in the existing system, in which overlapping jurisdictions resulted in up to twenty different forms of identification issued by various local and national agencies.

Many in India believe that as the program progresses, Aadhaar will help citizens who have been excluded from government institutions and aid networks. For castes and tribes traditionally lowest on the socioeconomic scale, Aadhaar represents a chance to receive state aid like public housing and food rations—things that had been technically available but still out of reach, since many potential recipients lacked identification. Others who had trouble obtaining identification, like internal migrant workers, will be able to open a bank account, obtain a driver’s license, apply for government support, vote and pay taxes with Aadhaar. When enrolling in the scheme, an individual may open a bank account that is tied to his or her UID number. This enables the government to easily track subsidies and benefits.

In a political system racked by political corruption and crippled by its own sheer size—less than 3 percent of the Indian population is registered to pay income tax—this effort seems like a possible win-win for all honest parties. Poor and rural citizens gain an identity, government systems become more efficient and all aspects of civic life (including voting and paying taxes) become more transparent and inclusive. But Aadhaar has its detractors, people who consider the program Orwellian in scope and character and a ploy to enhance the surveillance capacities of the Indian state at the expense of individual freedoms and privacy. (Indeed, the government can use Aadhaar to track the movements, phones and monetary transactions of suspected terrorists.) These detractors also point out that Indians do not have to have an Aadhaar card, since public agencies aren’t allowed to require one before providing services. Concerns over whether the Indian government is intruding on civil liberties echo those of opponents of a similar project in the United Kingdom, the Identity Cards Act of 2006. (After a several-year struggle to implement the program, Britain’s newly elected coalition government scrapped the plan in 2010.)

In India, these concerns seem to be outweighed by the promise of the plan’s benefits, but their presence in the debate proves that even in a democracy, public apprehension over the impact of large biometric databases, and whether they’ll ultimately serve the citizens or the state, exists. So what happens when less democratic governments begin collecting biometric data in earnest? Many already have, beginning with passports.

States won’t be the only ones trying to acquire biometric data. Warlords, drug cartels and terrorist groups will seek to build or access biometric databases in order to track recruits, monitor potential victims and keep an eye on their own organizations. The same logic applies here as to dictators: If they have something to trade, they can get the technology.

Given the strategic value of these databases, states will need to prioritize protection of their citizens’ information just as they would safeguard weapons of mass destruction. Mexico is currently moving toward a biometric data system for its population in order to improve its law-enforcement functionality, better monitor its borders and identify criminals and drug-cartel leaders. But since the cartels have already infiltrated large swaths of the police and national institutions, there is a very real fear that somehow an unauthorized actor could gain access to the valuable biometric data of the Mexican population. Eventually, some illicit group will successfully steal or illegally acquire a biometric database from a government, and maybe only when that happens will states fully invest in high-level security measures to protect this data.

All societies will reach agreement on the need to keep biometric data out of the hands of certain groups, and most will try hard to keep individual citizens from gaining access as well. Regulation will, like regulation of other types of user data, vary by country. In the European Union, which already boasts a series of robust biometric databases, member states are required by law to ensure that no individual’s right to privacy is violated. States must get the full and informed consent of citizens before they can enter biometric information into the system, leaving citizens the option to revoke consent in the future without penalty. Member states are further required to hear complaints and see that victims are compensated. The United States will probably adopt similar laws due to shared privacy concerns, but in repressive countries, it’s likely that such databases will be controlled by the ministry of the interior, ensuring that they are primarily used as a tool for the police and security forces. Government officials in those regimes will also have access to facial-recognition software, databanks of citizens’ personal information and real-time surveillance methods through people’s technological devices. Secret police will often find a handset more valuable than a gun.

For all of the discussions about privacy and security, we rarely look at the two together and ask the question What makes people nervous about the Internet? From the world’s most repressive societies to those that are the most democratic, citizens are nervous about the unknowns, the dangers and crises that come with entangling their lives in a web of connected strangers. For those who are already connected, living in both the physical and the virtual worlds has become part of who we are and what we do. As we grow accustomed to this change, we also learn that the two worlds are not mutually exclusive, and what happens in one has consequences in the other.