📰 Delhi Police’s use of facial recognition technology
When was FRT first introduced in Delhi? What are the concerns with using the technology on a mass scale?
•RTI responses received by the Internet Freedom Foundation reveal that the Delhi Police treats matches of above 80% similarity generated by its facial recognition technology system as positive results. Facial recognition is an algorithm based technology which creates a digital map of the face by identifying and mapping an individual’s facial features, which it then matches against the database to which it has access.
•The Delhi Police first obtained FRT for the purpose of tracing and identifying missing children as per the direction of the Delhi High Court in Sadhan Haldar vs NCT of Delhi.
•Extensive research into FRT has revealed that its accuracy rates fall starkly based on race and gender. This can result in a false positive, where a person is misidentified as someone else, or a false negative where a person is not verified as themselves. The technology can also be used as a tool to facilitate state sponsored mass surveillance.
•The story so far: Right to Information (RTI) responses received by the Internet Freedom Foundation, a New-Delhi based digital rights organisation, reveal that the Delhi Police treats matches of above 80% similarity generated by its facial recognition technology (FRT) system as positive results.
Why is the Delhi Police using facial recognition technology?
•The Delhi Police first obtained FRT for the purpose of tracing and identifying missing children. According to RTI responses received from the Delhi Police, the procurement was authorised as per a 2018 direction of the Delhi High Court in Sadhan Haldar vs NCT of Delhi. However, in 2018 itself, the Delhi Police submitted in the Delhi High Court that the accuracy of the technology procured by them was only 2% and “not good”.
•Things took a turn after multiple reports came out that the Delhi Police was using FRT to surveil the anti-CAA protests in 2019. In 2020, the Delhi Police stated in an RTI response that, though they obtained FRT as per the Sadhan Haldar direction which related specifically to finding missing children, they were using FRT for police investigations. The widening of the purpose for FRT use clearly demonstrates an instance of ‘function creep’ wherein a technology or system gradually widens its scope from its original purpose to encompass and fulfil wider functions. As per available information, the Delhi Police has consequently used FRT for investigation purposes and also specifically during the 2020 northeast Delhi riots, the 2021 Red Fort violence, and the 2022 Jahangirpuri riots.
What is facial recognition?
•Facial recognition is an algorithm-based technology which creates a digital map of the face by identifying and mapping an individual’s facial features, which it then matches against the database to which it has access. It can be used for two purposes: firstly, 1:1 verification of identity wherein the facial map is obtained for the purpose of matching it against the person’s photograph on a database to authenticate their identity. For example, 1:1 verification is used to unlock phones. However, increasingly it is being used to provide access to any benefits or government schemes. Secondly, there is the 1:n identification of identity wherein the facial map is obtained from a photograph or video and then matched against the entire database to identify the person in the photograph or video. Law enforcement agencies such as the Delhi Police usually procure FRT for 1:n identification.
•For 1:n identification, FRT generates a probability or a match score between the suspect who is to be identified and the available database of identified criminals. A list of possible matches are generated on the basis of their likelihood to be the correct match with corresponding match scores. However, ultimately it is a human analyst who selects the final probable match from the list of matches generated by FRT. According to Internet Freedom Foundation’s Project Panoptic, which tracks the spread of FRT in India, there are at least 124 government authorised FRT projects in the country.
Why is the use of FRT harmful?
•India has seen the rapid deployment of FRT in recent years, both by the Union and State governments, without putting in place any law to regulate their use. The use of FRT presents two issues: issues related to misidentification due to inaccuracy of the technology and issues related to mass surveillance due to misuse of the technology. Extensive research into the technology has revealed that its accuracy rates fall starkly based on race and gender. This can result in a false positive, where a person is misidentified as someone else, or a false negative where a person is not verified as themselves. Cases of a false positive result can lead to bias against the individual who has been misidentified. In 2018, the American Civil Liberties Union revealed that Amazon’s facial recognition technology, Rekognition, incorrectly identified 28 Members of Congress as people who have been arrested for a crime. Of the 28, a disproportionate number were people of colour. Also in 2018, researchers Joy Buolamwini and Timnit Gebru found that facial recognition systems had higher error rates while identifying women and people of colour, with the error rate being the highest while identifying women of colour. The use of this technology by law enforcement authorities has already led to three people in the U.S. being wrongfully arrested. On the other hand, cases of false negative results can lead to exclusion of the individual from accessing essential schemes which may use FRT as means of providing access. One example of such exclusion is the failure of the biometric based authentication under Aadhaar which has led to many people being excluded from receiving essential government services which in turn has led to starvation deaths.
•However, even if accurate, this technology can result in irreversible harm as it can be used as a tool to facilitate state sponsored mass surveillance. At present, India does not have a data protection law or a FRT specific regulation to protect against misuse. In such a legal vacuum, there are no safeguards to ensure that authorities use FRT only for the purposes that they have been authorised to, as is the case with the Delhi Police. FRT can enable the constant surveillance of an individual resulting in the violation of their fundamental right to privacy.
What did the 2022 RTI responses by Delhi Police reveal?
•The RTI responses dated July 25, 2022 were shared by the Delhi Police after Internet Freedom Foundation filed an appeal before the Central Information Commission for obtaining the information after being denied multiple times by the Delhi Police. In their response, the Delhi Police has revealed that matches above 80% similarity are treated as positive results while matches below 80% similarity are treated as false positive results which require additional “corroborative evidence”. It is unclear why 80% has been chosen as the threshold between positive and false positive. There is no justification provided to support the Delhi Police’s assertion that an above 80% match is sufficient to assume the results are correct. Secondly, the categorisation of below 80% results as false positive instead of negative shows that the Delhi Police may still further investigate below 80% results. Thus, people who share familial facial features, such as in extended families or communities, could end up being targeted. This could result in targeting of communities who have been historically overpoliced and have faced discrimination at the hands of law enforcement authorities.
•The responses also mention that the Delhi Police is matching the photographs/videos against photographs collected under Section three and four of the Identification of Prisoners Act, 1920, which has now been replaced by the Criminal Procedure (Identification) Act, 2022. This Act allows for wider categories of data to be collected from a wider section of people, i.e., “convicts and other persons for the purposes of identification and investigation of criminal matters”. It is feared that the Act will lead to overbroad collection of personal data in violation of internationally recognised best practices for the collection and processing of data. This revelation raises multiple concerns as the use of facial recognition can lead to wrongful arrests and mass surveillance resulting in privacy violations. Delhi is not the only city where such surveillance is ongoing. Multiple cities, including Kolkata, Bengaluru, Hyderabad, Ahmedabad, and Lucknow are rolling out “Safe City” programmes which implement surveillance infrastructures to reduce gender-based violence, in the absence of any regulatory legal frameworks which would act as safeguards.
📰 Making bail impossible
In upholding the constitutionality of the PMLA, the court has resurrected the ghost of ADM Jabalpur
•While upholding the right to privacy in 2017, the Supreme Court overruled the decision in ADM Jabalpur v. Shivkant Shukla (1976). However, the recent decision in Vijay Madanlal Choudhary v. Union of India, upholding the constitutionality of the Prevention of Money Laundering Act (PMLA), is proof that the ghost of ADM Jabalpur has been resurrected. The old maxim of bail being the norm and jail the exception has been judicially cremated with this decision. Bail is now not even an exception; it is impossible.
Draconian preconditions for bail
•First, consider the draconian preconditions for the grant of bail in Section 45 of the PMLA. To be eligible for bail, the arrested person must persuade the court that there are reasonable grounds for believing that he is not guilty of the money laundering offences brought by the Enforcement Directorate (ED). The onus is on the accused to prove that an event did not transpire. If he cannot do this, he will continue to languish in jail.
•To justify this high bar, the court overturned its decision in Nikesh Tarachand Shah v. Union of India (2017) that had directed treating the offence of ‘money laundering’ as less heinous and therefore differently a crime from ‘terrorism’ under the Terrorist and Disruptive Activities (Prevention) Act (TADA). The court stated that the offence of money laundering was as heinous as a terrorist act and as great a danger to the sovereignty and integrity of our country. In doing so, it ignored the fact that under the PMLA, money laundering also covers monies associated with offences relating to infringement of copyrights and trademarks, arts and antiquities, securities, information technology, companies, and air and water pollution.
•The court also declared that the ED does not need to share the Enforcement Case Information Report (ECIR) with the accused. This is bizarre because the same notion of secrecy is not applicable to equivalent documents (FIRs) for agencies like the police and the Central Bureau of Investigation. The ECIR contains the rationale for the ED to register the offence. However, the court chose not to equate the ECIR with an FIR.
•According to the court, the fundamental fights of the accused are satisfied if he is informed of the grounds of arrest at the time of arrest. However, there is no definition of what qualifies as grounds for arrest and how detailed such grounds need to be. Typically, criminal arrest memos will only inform the accused of the Section(s) under which the alleged offence is committed. Now, with the ED informing the accused that the arrest is on account of an offence under one or more Sections of the PMLA, the court seems to have judged that the fundamental rights of the accused have been upheld.
Rendering bail impossible
•Put together, this means that once a person has been arrested under the PMLA, in order to get bail, he will have to show that he has not committed the offence that he stands accused of and he will also be unaware of the specifics of the offence he is alleged to have committed. He is oblivious of the transactions being investigated or the assets being labelled proceeds of crime. This renders bail impossible.
•No judge can ever take the view that an accused has prima facie shown that he has not done what the ECIR alleges because no accused will ever be able to prove this if he does not even know what the ECIR contains. The result is that no accused will ever be able to obtain bail under the PMLA once the ED decides that he has committed an offence. To add to it, the accused can be ‘persuaded’ to sign confessional statements while in custody. Since the judgment considers the confessional statement to be admissible evidence, such evidence can be presented to the judge at a bail hearing as well.
•The problem is compounded by the decision in NIA v. Zahoor Watali (2019), in which the court was considering the bail standard under the Unlawful Activities (Prevention) Act. It held that at the stage of bail, the court cannot enter into an appreciation of evidence, but only has to see whether a prima facie case against the accused is made out. But it also effectively held that in considering the prima facie case, the prosecution’s version is sufficient, and that if the case diary or the charge sheet makes out sufficient grounds to deny bail (which it will, being a document created by the prosecution), it is reasonable to deny bail. Notwithstanding this, the UAPA accused is provided with a copy of the FIR, unlike the PMLA accused.
•This means that when someone is arrested for an offence under the PMLA, he will be placed in prolonged incarceration without being told the specifics of why this is so. And no court will ever be able to reasonably conclude that the person is entitled to bail under the law as it now stands. ADM Jabalpur is dead. Long live ADM Jabalpur.
📰 What next on data protection?
There are two issues – the form that a new law will take, and the nature of protections it will offer
•The withdrawal of the Personal Data Protection Bill from Parliament came as a surprise, particularly after so much effort was put into it over the last five years. Between August 2017 and July 2018, a 10-member committee chaired by a former Supreme Court judge drafted the Bill. The committee included four senior government officials. The Bill was then revised by the government, approved by the Cabinet, and tabled in Parliament in December 2019. Subsequently, a joint parliamentary committee, or JPC, comprising a majority of BJP members, reviewed the bill and submitted its report in December 2021. The withdrawal does not reflect well on the government, the entire process having been played out under its regime. This also increases uncertainty about the future of privacy regulation in India.
•One way to understand this decision is to go back to the genesis of this law, which arose out of the Justice K.S. Puttaswamy v. Union of India case where the court held that the right to privacy had both a positive and negative aspect. The former implies the need for the state to actively take measures to protect an individual’s privacy. Thus, the government was more or less forced to initiate the drafting of a data protection law. This experience also tells us something about the limits of judicial inducement for regulation, for which active effort of the other two branches of the state is needed. The options of delay and dilution are always available.
The scope of the law
•The growing importance of the digital economy and the broad scope of the proposed law also contributed to contestations between stakeholders as the law was being deliberated. Shaped by different interests and incentives, the state, industry, and advocacy groups all have very different expectations of what a data protection law should look like. For instance, for domestic industry such a law represents a compliance hurdle which could put it at a disadvantage. However, a law can also promote regulatory certainty, thereby opening up the possibility of increased data flows and the growth of data processing business. For the state, a law could limit intrusive data processing by state agencies, but it could also promote geopolitical, strategic or regulatory interests. Similarly, individuals could benefit by the restrictions on harmful data processing, but on the other hand, a poorly drafted law could legitimise certain intrusive practices.
•Each version of the law — the 2018 Bill of the Srikrishna Committee, the 2019 Bill introduced in Parliament, and the version of the JPC in 2021 — faced different types of critique from different stakeholders. For instance, law enforcement interests were seen as being obstructed by the 2018 draft, leading to broad exemptions being provided in the 2019 Bill.
•However, what appears striking is the consistent dilution of the focus on data privacy from the 2018 version onwards. From being the centerpiece of the legislation, privacy protection was increasingly being seen as one of several objectives being pursued. This was seen most clearly in the JPC’s recommendations, which sought to significantly revise the scope of the law. The JPC recommended moving away from a personal data protection law towards a law to govern the entire data ecosystem. It further suggested putting in place a number of broader restrictions on social media and other entities. This attempt to solve multiple problems in the digital ecosystem saw an already broad law being turned into an omnibus Bill. This made one question the ability to properly implement it. In addition, the provisions relating to many issues were lacking in detail. For example, the provisions related to processing of data by the state, governance of non-personal data and the regulation of social media could all have been fleshed out with greater substantive and procedural detail, which is required to balance the complex competing interests at hand.
The way forward
•Looking forward, there are two critical issues – the form that a new law will take, and the nature of protections it will offer.
•On the first issue, the government has suggested that it will introduce multiple legislation comprising a new comprehensive legal framework. This is the right approach, as trying to fit all objectives related to the digital ecosystem or even data governance into one Bill would be a mistake. It is healthy to maintain some polycentricity in the governance of a complex digital economy, and different laws and agencies should co-exist. It would be ideal if each bill addressed a single coherent set of objectives: For instance, one personal data protection bill should not be burdened with other objectives. Similarly, separate laws could deal with issues concerning state surveillance, or issues in the data economy such as dealing with competition-related concerns arising out of the monopolisation of data by certain entities. Over time, such a system may lead to more balanced and beneficial results. In the short term, however, the government would do well to put in place a specific personal data protection law – given the effort already dedicated to this (and the significant areas of agreement amongst stakeholders).
•The second issue is the nature of privacy protection any new law will provide to individuals. The 2018 law, on which future drafts were based, borrowed heavily from the rights-based European General Data Protection Regulation. This framework was however criticised by some due to its perceived unviability in the Indian context. For instance, creating a cross-sectoral data protection entity with the power to take significant coercive action is seen as problematic given the rule of law, capacity and regulatory constraints in India. Some of these issues could be addressed in creating a new data privacy law.
•First, it should build in a risk-based approach to data protection, so that the regulatory focus is directed towards addressing sources of potential harm. Second, based on risk assessments, the law could enable co-regulation and self-regulation (with the regulator acting as a backstop). These could reduce compliance burdens on entities without significantly affecting rights protection. Third, the current version of the law was weak on accountability measures for the data protection regulator. The new Bill should include more provisions to ensure that the regulator uses its powers well. These include provisions relating to appointments, consultations, reporting, and so on. Fourth, even while the law is being drafted, the government should invest in building some administrative capacity to implement it, so that when the law is eventually passed, implementation can begin soon after. This has been previously done with SEBI and PFRDA. Finally, it is vital that any new law is framed based on transparent and meaningful consultations with all stakeholders.
📰 ‘Forcible’ Aadhaar-voter ID linking
While the govt. says the process is voluntary, reports of coercion emerge
•Despite clarifications from various government authorities that the linking of Aadhaar with the voter identity card is “voluntary”, there have been instances of people being warned by booth-level officers that their voter ID would be cancelled if the linking is not done.
•In a tweet about one such case, the Internet Freedom Foundation (IFF), which advocates digital rights and privacy, alleged that a booth-level officer called one of its staff members seeking the Aadhaar number, threatening that “or else they’ll be deleted from the electoral roll”.
•The contentious Election Laws (Amendment) Bill, 2021, which allows for the linking of electoral data with the Aadhaar number, was passed by Parliament in December 2021, amid strong protests by the Opposition.
•At the time, Union Law Minister Kiren Rijiju informed Parliament that linking would be voluntary.
•Responding to the tweet thread by the IFF, the Chief Electoral Officer of Haryana reiterated the same.
•“Submission of Aadhaar number in Form 6B is voluntary. No entry in electoral roll shall be deleted on the ground of non-submission of Aadhaar number. Purpose of obtaining Aadhaar number is for authentication of electors’ entries in electoral roll & extending better electoral services,” the CEO said in a tweet.
•Replying to a similar tweet on the issue by a different account, the Chief Electoral Officer of Delhi said that the matter had been “noted to seek more details”.
•“Linking of Voter id with AADHAAR is voluntary…” the tweet added.
New form
•However, the IFF pointed out that the Union Law and Justice Ministry recently amended Form 6, and introduced Form 6B to the Registration of Electors Rules, 1960. “These forms make it compulsory for those who have Aadhaar to provide their Aadhaar numbers in order to vote,” it noted.
•The Election Commission of India started a campaign on August 1 for the “voluntary” linking of Aadhaar details with the voter ID. As part of the campaign, the commission has set up camps and begun door-to-door collection of data. It has collected over 2.5 crore Aadhaar details till August 11.
•Mr Rijiju told Parliament in August that the reasons for linking voter IDs with Aadhaar numbers were to streamline electoral rolls and the process of registration of migrated voters without duplication in the rolls and to curb the menace of multiple enrolment of the same person in different places.
•The move, however, has drawn flak from sections of society citing violations to an individual’s right to privacy. Many have also flagged concerns that the linkage would help in creating voter profiles which may be used to influence the voting process.