On June 28, the National Crime Record Bureau (NCRB) called for applicants to bid for the implementation of a centralised Automated Facial Recognition System (AFRS). The ad defined the broad scope of work in fairly innocuous terms — “supply, installation and commissioning of hardware and software at NCRB” — but the detailed request for proposal (RFP) is anything but innocuous. The RFP states that this “is an effort in the direction of modernising the police force, information gathering, criminal identification, verification and its dissemination among various police organisations and units across the country”.

NCRB is responsible for collecting and analysing criminal data which is subsequently used by Indian police. It is supposed to annually release statistics on crimes committed in India. The Bureau released its last report in 2017, for the year 2016. For years 2017 and 2018, NCRB hasn’t released its report.

What is this system?

According to the RFP, this new AFRS will be “a centralised web application hosted at the NCRB Data Centre in Delhi with DR in non-seismic zone which will be made available for access to all the police stations of the country”. It will be the foundation for “a national level searchable platform of facial images”.

The RFP envisions it as an app that will be available on Android/Windows/iOS and be used on the field as well. On the field, the police officer would snap picture of the suspect, the AFRS would send it to the local AFRS set-up where it will scan for a match in the ever-growing database. How this system can be abused is fairly apparent. If it finds a blacklist match with face images captured from the CCTV feed, it will generate alerts. The proposed AFRS will have the capacity to process 1 crore images with upgradation capacity to 5 crores. In addition, the database should be able to handle 2,500 concurrent users. The NCRB has already proposed provision of mobile data terminals to each police station at an estimated cost per lakh per device in the total budget of ₹308 crore in CCTNS Phase-II.

The contract is for 5 years and the AFRS implemented for NCRB will be audited by NCRB or an NCRB-appointed external agency every year. The selected vendor will also be responsible for the security of the systems, and for the training of the officials which will be approved by NCRB.

Source of photographs — every database?

From the RFP, it is apparent that the aim is to create a repository of photographs that can be used to identify and track criminals. The database will be created using “Passport, CCTNS [Crime and Criminal Tracking Network and Systems], ICJS [Interoperable Criminal Justice System] and Prisons, Ministry of women and child development (KhoyaPaya) State or National Automated Fingerprint Identification System or any other image database available with police/other entity”. It is unclear if the database will only focus on suspects/criminals, or create a photographic dossier on every citizen and non-citizen in India. The RFP doesn’t specify if it will make use of Aadhaar databases for access to images.

Integration with other surveillance systems

The new centralised AFRS will be integrated with “existing AFRS system (and any other AFRS system established before signing of contract) of some advanced states”. Through an RTI application that MediaNama had filed, we learnt that the Delhi Police owns two “facial recognition softwares [sic]” for use in Crime Branch, and has installed 6,372 CCTV cameras across the city. It is not clear if the NCRB will have access to these two “softwares” and CCTV footage from Delhi Police. It is also unclear if the NCRB will have access to footage from the 1.4 lakh CCTV cameras with which the Delhi government is currently blanketing the city.

The news AFRS will also be integrated with “ICJS, CCTNS, Immigration Visa Foreigner Registration Tracking (IVFRT), advanced State police Integration (Police IT Karnatak, Enterprise e-Cops Telangana, G-Cops Goa, Cyprus Tamil Naidu, e- Guj Gujarat)”. During the operations and maintenance phase of the project, requests for “addition open integrations of systems & databases” will be taken. It is not clear if this database will be made available to private security firms/investigators, and if it will be shared with other countries.

In light of the fact that India does not have any legal framework to safeguard the personal data of its citizens, nor any sort of judicial oversight over public surveillance programmes, this bid alone should make you sit up and pay attention.

MediaNama has reached out to the NCRB for clarifications.