The National Crime Records Bureau (NCRB) has justified the legality of the centralised Automated Facial Recognition System (AFRS) using a CCTNS Cabinet Note from 2009, where a system, akin to the AFRS, was envisaged. Based on this note alone, the Bureau said that the AFRS has cabinet approval, and is hence, legal. The AFRS is a centralised web application, and is expected to be the foundation for “a national level searchable platform of facial images”.
It is, however, worth noting that the AFRS solution that was approved in the CCTNS Cabinet Note of 2009 was diluted in 2015 to fund activities of the ICJS (Interoperable Criminal Justice System) project, according to a 2018 report by the NCRB. At the time, NCRB had asked the Home Ministry for Rs 20 crore to set up AFRS.
NCRB revealed all this in a response to a legal notice that the Internet Freedom Foundation had sent in July. After receiving the response, IFF, in its rejoinder, said that a cabinet note is not a statutory enactment and because it dates back to 2009, it can not justify AFRS’s legality as it was approved prior to the 2017 Puttaswamy judgement on privacy.
IFF told MediaNama:
“We’ve reiterated [in our rejoinder to NCRB’s response] the major lacking of legal basis and a failure to demonstrate sufficient safeguards against misidentification and discriminatory profiling in their response, as we have also previously highlighted. Our reply [to NCRB] indicates that largely all of our concerns continue to exist.”
NCRB also said that the AFRS will not be integrated with the Aadhaar database. There is no clarity if the NCRB would revise the 172-page Request for Proposal of the AFRS to reflect these positions, or if it has conveyed these stances to vendors who submitting their bids. An RTI response with the minutes of a pre-bid meeting held on July 25 doesn’t mention such communication.
No response on whether people’s consent will be taken: In its reply to IFF’s legal notice, NCRB did not answer if consent would be sought from the people whose faces would be fed into the system. According to the RFP, images from newspapers, raids, and sketches would be uploaded to the AFRS, but in its reply, NCRB just said that the system would be integrated with CCTNS, ICJS, IVFRT and other similar databases available with the police for identification of criminals.
No facial images’ collection from CCTV cameras in public places “unless the video footage is part of scene of crime”, NCRB said. However, it didn’t clarify if only footage of perpetrators would be picked up from CCTV recordings of crime scenes, or also of other people in the footage. If it is the former, how it would be implemented is also not clear. In case of latter, it is not clear how long such footage will be stored.
Lack of clarity about integration with biometric databases: IFF, in its legal notice, had raised concerns about AFRS’s integration with biometric solutions such as Iris and AFIS, and had pointed out that because the RFP doesn’t specify what these databases are, it could mean that police might rely on the Aadhaar database for collecting people’s biometrics. While NCRB’s response said that AFRS would not be integrated with Aadhaar database, it did not answer what what exactly the Iris and AFIS database is.
- According to NCRB’s 2018 report, AFIS is Automatic Fingerprint Identification system, and according to NCRB’s website, the Indian version of AFIS is called FACTS and is co-developed by NCRB and CMC Limited which is owned by Tata Consultancy Services. The current version of FACTS is 5.0, which was operationalised in 2007.
- Also, according to an NCRB flyer, NAFIS (National Automatic Fingerprint Identification system) went “under process” in 2018.
- There is not much publicly available information on what the Iris database is. (But remember that the Aadhaar database includes people’s iris scans.)
IFF, in its rejoinder, also pointed out that the NCRB has itself put forth a case to allow state police to access the Aadhaar database for catching first time offenders.
NCRB says there “will be not be proportionality/safeguards” in response to IFF’s concerns about unchecked surveillance, lack of legal framework to protect informational privacy, and the impact that AFRS might have on the rights of people identified by the system. We have reached out to NCRB for clarification. NCRB, however, highlighted the device safeguards AFRS would have:
- Proper Access Control Policy to prevent unauthorised access to database or application.
- Safeguards against accidental modifications or deletions.
- Confidentiality, integrity & availability of data during data transport & physical storage.
- Encryption/decryption while storing/loading the records to/from the database.
- Front end application will include features of MD 5/SHA encryption layer, SSL based (for web-enabled), prevention from BRUTE Force Attack, SQL injection, other vulnerability patches etc.
- Multi-layered security would be in place in order to access various features at Central Server, which must be exhibited by the vendor at the time of evaluation etc.
Purpose of AFRS is to “identify recovered children, unidentified persons and dead bodies expeditiously using technology”, NCRB’s response said. The RFP had not defined the exact purpose of such a database. In its rejoinder, IFF said that the use of such systems on dead bodies was redundant and unjustified public expenditure because bodies begin to decompose within 24 hours after death.
No threat of misidentification, says NCRB: IFF, in July, had cited a study conducted by researchers at the MIT to raise concerns about how facial recognition systems often misidentify people of colour. NCRB said that such a threat will not exist because AFRS will comply with standards of the US’ National Institute of Standards and Technology, and will be procured only after a satisfactory test run. Also, NCRB said that AFRS will be an investigative tool and the investigative agency will have to check other facts to correlate any findings. It also said that the AFRS will not discriminate on the bases of religion, geography, class, and caste etc., because “adequate precautions/ safeguards will also form part of SOP”. The Bureau hadn’t mentioned any such safeguard requirements in the RFP.
Read more about NCRB’s Automatic Facial Recognition System and its request for proposal here.