The NTA’s tender has made facial recognition mandatory at exam centers and has invited bids to provide handheld facial recognition scanners for every 100 candidates.
A few days ago, MediaNama reported on how the National Testing Agency, an Indian government agency tasked with conducting entrance examinations for higher education, was planning to introduce facial recognition technology for verification of those sitting for the online versions of these exams. But that might not be all. The NTA is now proposing a more expansive biometric verification module that will cover candidates giving the exams offline as well.
In its tender (a copy of which MediaNama has seen), the NTA proposes the installation of CCTV cameras in 4,000 examination centres coupled with compulsory biometric verification such as iris and fingerprint scans as well as facial scans. Whereas, in a separate proposal by the NTA, CCTV surveillance measures for online or computer-based tests (CBT) were restricted to just 600 centres. These proposals translate to a 566% increase in the number of examination centers that are going to be under CCTV surveillance and biometric verification.
Ancillary security services are to be provided for approximately 4000 examination centers spread all over India. The main aim for having the service in each of the exam rooms of these examination centers is to curb malpractices, unfair means in the examinations so as to ensure smooth conduct of examinations — National Testing Agency tender
Why it matters? Effectively, what it means is that now, more candidates will be subjected to facial recognition and other biometric verification procedures sans any robust legal backing. The country’s Personal Data Protection Bill is still with the Joint Parliamentary Committee and it may be brought up in the Parliament’s Winter Session. It is also important to point out that by implementing facial recognition scans of candidates appearing for these examinations, the NTA will be dealing with the data of many who are minors.
An estimate on how many candidates might be surveilled
A look at the illustrated figures shows that the five major entrance tests of the country amassed 33.16 lakh registrations in 2020-2021. Going by the number of centers allotted for NTA's computer-based test (CBT) (600 centers), one could still argue that the scope of facial recognition is not very high. But now, with 4,000 centers being included in the project, the figure may well touch above 33.16 lakh. That is also because, the NTA also conducts the Delhi University Entrance Test, IGNOU PhD and OpenMAT (MBA) Entrance Test, Graduate Pharmacy Aptitude Test, Hotel Management Joint Entrance Examination Test, and so on.
No skipping facial recognition: NTA
The tender shows that the NTA has made facial recognition mandatory. According to the tender, there are two types of surveillance combinations available for the bidder to implement:
- 5.B.1 Touchless IRIS capturing and facial recognition of candidate by verifying candidate’s identity on a real-time basis
- 5.B.2 Digital finger-print capturing and facial recognition of candidate by verifying candidate’s identity on a real-time basis
The other requirements for the tender are similar to what the NTA had earlier proposed for the online version of these entrance tests. However, here’s a rundown of a few of the key demands by the NTA from bidders:
- Must use data such as roll numbers, photos, name, exam data/shift provided by NTA for facial recognition, and iris/fingerprint scans
- Entrance admit card must have a bar code which will be scanned at the time of entry. This scanning will retrieve the candidate’s data from NTA, which will then be used for live verification.
- Facial recognition should be performed in “a completely stateless transaction of two images”.
- Deploy “de-duplication algorithm across the database to avoid duplicity of enrollment records."
- Maintain entire database and application server at two different seismic zones within India, making one site as data centre and other site as disaster recovery.
- Biometric verification should not be stopped at any point of time and “data capturing/identification work must be completed during stipulated time period of examination”.
- There should be one handheld facial recognition and other biometric scanners for every 100 candidates
- These are the formats required for facial recognition: GIF, PNG, JPEG, TIFF, RGB24 bpp. Face size should be at least 60 pixels.
1 lakh CCTV cameras to be installed
A mammoth 1 lakh CCTV cameras of 2 MP each will have to be installed by the bidders. To put this number into perspective, Delhi government spent Rs 264 crore on installing 1.32 lakh CCTV cameras across the national capital in a span of five years. Here are the other important deliverables for the selected bidders:
- To ensure that the data is secure, the CCTV feed should be passed through a secure virtual private network (VPN) and a copy should be maintained at a cloud-based storage
- CCTV recording of the examination will be retained for 3 months
- A center-in-charge would be overseeing the CCTV feeds at each exam center
- A live demo of the CCTV network will have to be demonstrated to the NTA a day before the examination
- An integrated command and control center has to be setup by the selected bidder at NTA, Okhla
These are other services that the NTA requires bidders to provide at exam centers such as:
- Frisking of candidates through handheld metal detector
- Thermal screening of candidates
- Entry/crowd management during examination
- Supply of Covid-19 safety material
What is NTA’s stance regarding privacy for this project?
According to the tender, the NTA has designated that the selected bidder will be responsible for data security. “The selected bidder shall be responsible for guarding the systems against virus, malware, spyware and spam infections using the latest antivirus corporate/enterprise edition suites which includes anti-malware, anti-spyware and anti-spam solution for the entire system. The vendor shall have to maintain strict privacy and confidentiality of all the data and it gets access to,” the tender said.
What does the draft PDP Bill say about facial recognition?
The Personal Data Protection Bill which may be introduced in the Parliament during its Winter Session, has few provisions pertaining to ‘sensitive personal data’, an overhead under which facial recognition technology falls:
- Clause 3(7): Defines 'biometric data' and includes 'facial images' as part of biometric data.
- Clause 3(36): Categorises 'biometric data' as 'sensitive personal data'.
- Clause 33: Sensitive personal data may be transferred outside India, but such sensitive personal data should be stored in India.
- Clause 34: Transfer of 'sensitive personal data' can only be done provided explicit consent has been given by the user; has been approved by data protection authority; Central government has given consent after consultation with data protection authority, and so on.
- Clause 40: A data fiduciary (like NTA), which intends to take up new technologies which involve large scale data processing of sensitive personal data, has to “undertake a data protection impact assessment” before that.
- Clause 92: Seeks to ban processing of certain form of biometric data.
Multiple privacy and security concerns: Experts
More transparency required: Prasanth Sugathan, Legal Director of Software Freedom Law Center said, “Foremost, the concern arises of informed consent. They should provide detailed information about data collection, third-party sharing, processing, and should have the consent of parents in case of minors."
“Another concern could be recourse available in case of a data breach. The NTA and its partner agencies will be dealing with sensitive biometric data of students and test-takers across the country. India has seen over 5 massive data breaches in the last few months. Deployment of such technologies often do not come with any safeguard in case of a data breach,” Sugathan said adding that biometric exclusion can also be another possible challenging arising from this.
Added responsibility since dealing with minors’ data: Shweta Mohandas, policy officer, Center for Internet and Society said, "In the specific case of the use of facial recognition on minors, there is an added responsibility on the person storing and processing the data to ensure that the data does not get leaked, as well as that the data is not being used for purposes other than what it was collected for. Ideally, the NTA must share responsibility of the data to ensure that there is more accountability towards the data practices.”
NTA should implement provisions of PDP Bill: “Given the importance of the sensitive personal data involved in the present case, it would be advisable to put additional guardrails, such as those proposed under the upcoming Personal Data Protection Bill. The Bill imposes additional obligations and accountability on entities handling sensitive personal data.” said Supratim Chakraborty, Partner, Khaitan & Co.
Data Processors will not be statutorily liable under PDP Bill, like GDPR: “While NTA will in its capacity as fiduciary be responsible under the law for its violation, the liability of third-party agency collecting and processing the data in its capacity as a data processor will have to be reviewed pursuant to the recommendations of JPC on the PDP Bill. The data processors are only contractually liable under the current regime. This is unlike under GDPR where data processors are also statutory liable,” Nakul Batra, Associate Partner, DSK Legal.
- Defence Ministry looking to install facial recognition-based attendance at its PSUs
- The COVID-19 Pandemic requires us to reconsider the Internet as infrastructure
- Facial authentication for vaccination not the same as facial recognition: Nandan Nilekani
Have something to add? Subscribe to MediaNama and post your comment