India has no personal data protection law. The Centre promised the Supreme Court that it would pass exactly this sort of legislation years ago, during proceedings that saw the court affirm that privacy is a fundamental right. Yet the law doesn’t seem likely any time soon.
India also lacks an electronic surveillance framework. A draft of the personal data protection bill put together by the Justice Srikrishna Committee last year deliberately left out the question of placing fetters on government surveillance. The presumption was that another legislative effort would take care of it. Of course, this didn’t happen either.
Yet, with little in the way of safeguards, India is barreling forward with all sorts of efforts to pry into citizens’ lives – and even allowing private companies to do so. The latest threat to privacy comes in the form of facial recognition. The government has already permitted airports to begin deploying technology that lets passengers use their faces as “boarding pass”. The initiative allows the data to be used by private companies with the consent of passengers.
In addition, the National Crime Records Bureau has called for bids to allow it to implement an Automated Facial Recognition System. The tender envisions the system as a grand database that acts as a “searchable platform of facial images”. It wants this to be integrated into numerous other existing systems, such as the Crime and Criminal Tracking Networks and Systems used by police stations everywhere, the Khoya Paya system for finding missing children and more.
The government envisions using the system to match faces of suspected criminals, prisoners, missing persons and others in the database with those picked up on CCTVs around the country.
There are many problems with this, and they have been discussed at length by a number of analysts, including the Internet Freedom Foundation, which has sent a legal notice to the crime records bureau and the home ministry demanding an immediate halt to the tender process.
For one, this is a purely executive effort, with no backing legislation. Without a data protection law or a surveillance framework, and no legislation governing facial recognition, it should not be allowed – particularly considering that the Supreme Court so recently affirmed the right to privacy.
Besides, facial recognition technology has proven to be extremely flawed. A University of Essex study found that the facial recognition system of the United Kingdom’s Metropolitan Police had targeted innocent people as suspects four out of five times.
Other research has shown how the current systems, which depend on machine learning and algorithms, come with biases in-built. They often disproportionately target those with darker skin tone and women. The danger here should be obvious: individuals and courts tend to presume technology is somehow more accurate than human judgment, even though it often simply reflects the prejudices of society. Relying on this technology at this stage is deeply troubling.
Many places around the world, including San Francisco and Oakland in California, have banned facial recognition altogether, saying that the technology is incompatible with privacy. Elsewhere, the tools are being carefully scrutinised before being implemented by governments.
Indians deserve as much care and deliberation before being subjected to an extremely flawed technology that currently has nothing in the way of safeguards. Until there has been public consultation, laws that put in place safety checks and a proper demonstration that facial recognition actually works, the government should withdraw its bids and focus first on passing the privacy law that it promised Indians in the first place.
As airports in India start using facial recognition, how will it be regulated?
Where is the personal data protection law that Indians were promised?