The Union home ministry has said, in response to a legal notice, that its proposed National Automated Facial Recognition System (NAFRS) does not violate privacy of citizens because it only “automates the existing Police procedure of matching suspects’ photos with images stored” in law enforcement agencies databases.

It also defended “legality” of the NAFRS, saying the project had the Union cabinet’s approval, even though India did not yet have a law to regulate the use of facial recognition technology.

The NAFRS is a proposed national-level platform of digital facial images that will help police identify persons by automatically matching facial features from digital images, sketches and videos with an already existing database of images.

The National Crime Records Bureau (NCRB), under the home ministry, issued a tender in July this year to procure software and services for the project from private firms. On November 7, it extended the deadline for submission of bids for the third time to make it January 3, 2020. Once rolled out nationally, NAFRS will potentially be the world’s biggest facial recognition system with a capacity of processing 10 million facial images and upgradable to up to 50 million images.

Also read: India Is Falling Down the Facial Recognition Rabbit Hole

Internet Freedom Foundation (IFF), a Delhi-based non-profit that works on digital liberties, sent a legal notice to the NCRB in July this year asking it to withdraw the tender. The foundation said the project did not have a legal basis and violated the right to privacy of citizens which has been upheld as a “fundamental right” by the Supreme Court in 2017. The NCRB, through the home ministry, responded to the notice on November 5, denying all “allegations”.

“According to the Supreme Court’s decision in the right to privacy case, the three core elements to gauge the legality of a privacy violation are, (a) legality; (b) legitimate state aim; and (c) proportionality,” the IFF said in the notice. “There exists a complete lack of legality” in undertaking this “massive government program” and it is “likely to result in the creation of powerful surveillance architecture that will inevitably be prone to misuse and hence is disproportionate to any public purpose,” it added.

In response, the NCRB told the foundation: “The AFRS will be a tool to aid investigating officer.” It will be “made available for access to only police in the country in a secure environment. Police station will use the software only for the intended purpose as per a well laid down standard operating procedure (SOP)”.

On November 6, the IFF has again sent a rejoinder to the NCRB with “specific denials” to its responses and “restating the demand for the recall” of the tender.

The home ministry and the NCRB did not respond to Business Standard queries, sent through email on November 7, regarding legal provisions regulating the use of facial recognition technology in the country and other issues raised in the legal notice. The ministry officials did not respond to phone calls.

Uploading bulk images from multiple sources

According to the tender document of the NAFRS, the proposed facial recognition system aims to access facial images of persons across databases like passport, criminal tracking system, courts, prisons, lost and found persons, fingerprints or “any other image database available with police/other entity”.

The system will also “add photographs obtained from newspapers, raids, sent by people, sketches etc. to the criminal’s repository tagged for sex, age, scars, tattoos, etc. for future searches.” It will have options to upload “bulk subject images” and “CCTV feeds” to “generate alerts if a blacklist match is found”. The video feeds will be sourced from “CCTVs deployed in various critical identified locations” or “from private or other public organisation’s video feeds,” the tender document says.

Also read: What Can a Hacker Do With Your Stolen Fingerprints?

“This process appears to be carried out without the knowledge of the subject of these images” and “violates the principle of consent,” the IFF said in the legal notice.

The Home Ministry, in its response has asserted that the project “does not violate the principle of consent” because its “primary use would be to identify recovered children, unidentified persons and dead bodies.” It also clarified the images will not be sourced from CCTV cameras in public places, “unless the video footage is part of the scene of crime”. The ministry also said the facial recognition system will not be integrated with the Aadhaar database.

The ministry did not respond to the Business Standard query if it would be amending the tender document to reflect these clarifications. India has yet not enacted a personal data protection law that defines the process of consent for collecting and processing personal data of citizens to protect their privacy. A draft law has been pending with the government for finalisation since July 2018.

According to the tender document, the NAFRS will also “enable the handheld mobiles with app to capture a face on the field and get the matching result from the backend server.” The Hyderabad police has recently come under criticism in the media and on social media for rounding off citizens and clicking their pictures in the mobile phones to test a state-level facial recognition system in Telangana.

Concerns over technology

The IFF said in the legal notice that the “lack of safeguards and clarity” on procedure for the use of facial recognition technology “draws up large concerns of misidentification and profiling”. It cited studies and trials conducted at the MIT and by the Metropolitan Police in London, to say the technology had limited accuracy in identifying individuals and “perpetuating biases that are largely prevalent with the current law enforcement”. This could lead to misidentification of persons and discrimination against individuals on the basis of religion, geography, class or caste, it said.

Also read: Humans Can’t Watch All the Surveillance Cameras Out There, so Computers Are

Claiming that there is no threat of misidentification, the home ministry said, “AFRS will comply NIST standards (American National Standards Institute/NIST- ITL 1-2011) with latest update 2015. Procurement of AFRS will be done only after satisfactory test run and proposed solution meeting all stringent evaluation criteria for a highly accurate and reliable system. Since AFRS solution will be an Investigation assisting tool, investigation authority will have to check other facts also to correlate the findings.”

It also said safeguards will be included in the standard operating procedure to ensure the facial recognition algorithm does not lead to discrimination against citizens on the basis of religion, geography, class and caste.

By arrangement with Business Standard.