India to build world's biggest facial recognition system

In a photo taken on Oct 16, pedestrians walk past stores in the Zaveri Bazaar, in Mumbai, India.
In a photo taken on Oct 16, pedestrians walk past stores in the Zaveri Bazaar, in Mumbai, India.PHOTO: BLOOMBERG

BANGALORE - On Nov 8, the Indian government will name the companies that will help it build what could be the world's largest facial recognition system.

Once it is set up, India's National Automated Facial Recognition System will provide a centralised database for police forces across its 28 states.

According to a government document published in July inviting companies to bid for the project, authorities will be able to identify people - including criminals, missing children and dead bodies - by matching their images against a database of images.

That database will draw on images from existing records of images of prisoners, photos in passports, and "any other image database" with any entity.

Facial recognition identifies distinct points on an individual's face and creates a unique map of it.

It is thus like a fingerprint, rather than a photograph.

The system is expected to enable searches based on images from closed-circuit television (CCTV) camera feeds, handheld mobile devices operated by security forces, and even photographs from "newspapers, raids, sent by people, sketches etc".

The sheer scope of the enterprise, especially in a country that is yet to enact a data protection law, has alarmed privacy advocates. Oddly, for a project of this scale, there has been no discussion in Parliament on how the system would work, what oversight and safeguards it will be subject to, and whether it will even be accurate.

In July, India's National Crime Records Bureau (NCRB) organised a conference for nearly 80 potential bidders. Businesses raised questions about how facial recognition data would be integrated with existing databases, and whether it should be able to identify people with plastic surgeries.


But most of the questions raised, were about the qualification criteria for companies to place their bids.

The NCRB has said that bids will only be accepted from companies that, among other conditions, have an annual turnover of at least INR 1 billion ($1.9 million) for the last three years; have installed at least three facial recognition systems with a million-strong database for law enforcement agencies across the world; and meet technical standards set by the United States National Institute of Science and Technology.

The criteria effectively exclude home-grown businesses, say Indian companies like Staqu Technologies that has helped digitise records and created searchable databases for eight police forces in India already.

Mr Atul Rai, the co-founder and chief executive of Staqu told Indian media outlets that foreign software might not be built for low resolution CCTV images, or the diversity of Indian faces.

At least a dozen foreign surveillance companies already operate in India, like CP Plus, Honeywell International, Bosch Security Systems, and Dahua.

The Delhi government contracted an Indian subsidiary of China's Hikvision to set up 150,000 CCTVs in the city last year.

The United States has banned Hikvision for supplying surveillance equipment to detention centres where the Chinese government keeps Uighurs captive.

Mr Apar Gupta, executive director of the Delhi-based Internet Freedom Foundation, said that having a foreign company collect and hold sensitive biometric data of India is "a threat to national security".

The Ministry of Home Affairs did not respond to e-mails about its plans to build this facial recognition database.

The push for this technology comes in the name of better law enforcement. India's police are one of the most understaffed in the world, with just 144 police officers for every 100,000 citizens, compared to 318 per 100,000 citizens in the European Union.

Authorities are hoping facial recognition technology will make up for the shortfall.

But they may be disappointed; the technology is limited.

"It can't even tell the difference between boys and girls, so thinking about using it for crime prevention is a huge mistake," Ms Vidushi Marda, a lawyer who works on Artificial Intelligence at Carnegie India and British human rights organisation Article 19.

"Law enforcement agencies assume that the link between using facial recognition technology and fixing crime is a direct one, but that's not true at all. These systems are completely broken. They are really unreliable," Ms Marda added.

The Delhi police, for instance, told a court that the accuracy rate of the existing facial recognition software it used to trace missing persons was only 2 per cent. Studies have declared even the most state-of-the-art technology used in the US, Britain and Germany to be inefficient.

Researchers from the Massachusetts Institute of Technology found that the software did not recognise dark-skinned people as well as it recognised those who were lighter skinned, because African Americans were underrepresented in the modelling data set.

The American Civil Liberties Union is now pushing for a ban on biometric surveillance altogether.

Even if the technology is accurate, said Mr Apar Gupta, executive director of the Delhi-based Internet Freedom Foundation, "it is unconstitutional, and gravely injurious to privacy".

"Facial recognition systems are by design an act of mass surveillance. Such identification, even if done for purposes like law enforcement, is essentially collating and using data without any underlying basis of suspicion.

"This is termed as a general warrant, which is not permitted in law," said Mr Gupta.

In a ruling that has far-reaching implications on state surveillance, the Bombay High Court on Oct 22 said that authorities could not simply justify the infringement of a citizen's privacy by citing national security.

Government agencies had to test if phone tapping or any other privacy violating technology was necessary and proportionate in a democratic society, request permission, and only then carry it out.

"Facial recognition does not meet these standards at all. In fact, it is just collecting data for the sake of it and finding a use for it later," said Ms Marda.

It has proven to be neither leak-proof nor secure. Last year, there were reports of CCTV footage from Delhi's metro stations being uploaded on to pornographic websites.

Recent revelations about unknown entities using Israeli spyware to snoop on the WhatsApp conversations of several Indian activists and journalists, have deepened worries about the absence of privacy protections for Indian citizens.

At the core of the issue is the absence of a data protection law in India.

"In this situation, a nationwide biometric record is essentially putting people at a very high degree of risk. The reality is that today we urgently need regulatory intervention, given that there is market failure in self regulation," said Mr Gupta.

He likens the oversight needed to safety standards in the food industry, with labelling requirements, safety inspectors, and regular checks, to address the large scale of risk.

With the government set to announce the winner of the bid on Nov 8, the world's biggest database of faces seems inevitable.

"How do you mitigate this risk? You can't walk around with a mask all the time, right?" said Ms Marda.

"A system of public accountability around emerging technologies is the need of the hour. Because once you put these systems into a democracy, it breaks down immediately."