Central Board of Secondary Education (CBSE) students will now be able to use a facial recognition system to download their academic documents for the tenth and twelfth grades. Essentially, students will be able to download their academic documents just by verifying their identity using a facial recognition tool, without requiring any other identifier. The academic documents repository itself is hosted on DigiLocker — an Aadhaar-based cloud locker. However, students who go through the facial recognition system won’t have to submit their Aadhaar details or mobile number — a move CBSE said was geared towards helping students based in foreign countries. Alarmingly, the website on which it is hosted doesn’t seem to have a privacy policy.

Students’ photographs, collected by the CBSE for issuing board admit cards, form the basis of the facial dataset that underpins this facial recognition system, Rama Sharma, public relations officer at CBSE, told MediaNama. Not much else is known about this facial recognition system, including who built it, and what sort of accuracy rates this system has. The website’s technology partner is the National e-Governance Division, an independent business division of the IT Ministry. We have reached out to NeGD for more details.

When asked about the absence of a privacy policy, a person working at CBSE told MediaNama, on the condition of anonymity, that “the system has just been launched, and the department will rectify any errors along the way”. This essentially suggests that CBSE has potentially not thought through the process of implementing a facial recognition system which will primarily deal with processing biometric data of children. “Everyone’s using facial recognition technology these days, right?” this person said.

Issues with the facial recognition system

At the outset, there seem to be several issues with this facial recognition system: (i) the lack of clarity on how CBSE will safeguard children’s data, (ii) whether guardians’ or students’ consent was taken before their photographs were used as part of a facial dataset, and (iii) the absence of a privacy policy. DigiLocker has a privacy policy of its own, but it does not explicitly deal with processing, sharing, or storing facial data.

Divij Joshi, an independent lawyer and researcher and a tech policy fellow at Mozilla, told MediaNama: “The CBSE should not have created this system without explicit notice and consent of children or guardians, and without a clear rationale for the same, or safeguards. Systems around the world rely on strong security practices like passwords and 2FA [two factor authentication]. Instead of encouraging this, experimental and dangerous tech like facial recognition is being pushed out for no obvious reason.”

When asked whether the central education board should seek additional consent from students or their guardians before using their photographs in a facial dataset, Joshi said that he seriously doubts if the specific notices provided on the forms for submitting board admit cards had a privacy or data use policy.

“In fact, notice and consent itself is not sufficient for this kind of data collection — if you opt not to give your photo to the CBSE, the alternative is that you can’t write central exams. This system should never have been built, and there is no clear justification for doing so. If there was a clear justification, there should have been appropriate safeguards such as providing clear notice to children and guardians, limiting the ways in which data will be used, oversight mechanisms,” Joshi added.

Joshi also said that this system shouldn’t have been rolled out without an adequate privacy policy. “Newer forms of digital and algorithmic technologies pose new challenges to privacy and data protection, given the ways in which data can be produced and shared. Government departments need to contend with the implications of digitisation and digital technologies for privacy, in ways which earlier paper-based record keeping and databasing practices did not,” he added.

Facial recognition everywhere

From the Indian government itself to several state governments and police departments, the use of facial recognition technology is proliferating across the country. The National Crime Records Bureau is currently working towards building a national level facial recognition system, and only very recently revealed that it wants to test the system on mask-wearing faces, and for it to generate “comprehensive biometric reports”.

In Telangana, police have been known to randomly demand that people undergo a facial recognition verification exercise, claiming that they do so to nab criminals. The state is also planning to introduce facial recognition for people seeking rations under the public distribution system (PDS). It is already using the tech for renewing driving licenses and pensions. Telangana is also the first state in the country to have piloted facial verification of voters, during civic polls earlier this year.

The Vadodara City Police in Gujarat had earlier told MediaNama that it was planning to use Clearview AI’s controversial facial recognition software. The Indian Railways said that it was in the process of installing Video Surveillance Systems equipped with a facial recognition system. A number of airports in the country have introduced facial recognition-based boarding solutions.

It is worth noting that Indian agencies are installing facial recognition surveillance tools when India doesn’t have a data protection law. Moreover, the Personal Data Protection Bill, 2019, which is currently being deliberated upon by a Joint Parliamentary Committee, has carved out exemptions for government agencies from adhering to provisions of the Bill. This suggests that government institutions like the NCRB or the Railways could potentially be able to collect, store and process biometric data of Indians without necessarily adhering to provisions of the Bill.
