aadhaarCovidCOWINCoronavirusData ProtectionDigitalJusticefacial recognitionPrivacySurveillancevaccinesProject Panoptic

Government endorses the use of facial recognition for “touchless” vaccination process

We filed an RTI application with the Ministry of Health and Family Welfare to verify reports about the government using facial recognition technology (FRT) for the verification of beneficiaries of the COVID-19 vaccines. In their response the Ministry confirmed the use of FRT.

Yashaswini
Yashaswini

04 July, 2021
4 min read

Tl;dr

Among several other controversies that have surrounded the Government’s COVID-19 vaccine management policies, recent news about the Government deploying facial recognition facilities at vaccination centres for the purposes of authentication has emerged as a cause of worry. We filed an RTI application with the Ministry of Health and Family Welfare (MoHFW) on May 18, 2021 to understand more about the process and to verify the authenticity of such reports. In their reply to our RTI application dated June 24, 2021 the Ministry confirmed the use of facial recognition for verification of beneficiaries of the COVID-19 vaccines but failed to provide any guidelines or SOP that clearly delineates the technical and implementation details of facial recognition technology (FRT) for COVID-19 vaccine verification.

Background

Government had implied its plans to roll out Aadhaar based facial recognition technology (FRT) as the mode of verification of the personal data of the beneficiaries of  the COVID-19 vaccines purportedly to make the vaccination process “touchless”, thus replacing the existing practice of biometric verification at vaccination centres through fingerprints and iris scans. This indicates that using Aadhaar cards for the purposes of registration for COVID-19 vaccines can potentially become mandatory, thereby posing grave threats to the privacy and other constitutional rights of the citizens.

Despite official statements of government authorities affirming that biometric authentication for vaccination was not currently in practice as well as the clarification of the MoHFW in the Lok Sabha that Aadhaar was not mandatory for vaccine registration and several other IDs were accepted for the registration process, this unchecked roll-out of FRT based registration system has caused anxiety and apprehension among many.

We filed an RTI application asking the MoHFW to furnish details about the use of FRT

In our RTI application with the MoHFW dated May 18, 2021, we had sought information about but not limited to:

  1. the legislation or rule which authorised the use of FRT for COVID-19 vaccine registration;
  2. the specific technology procured for the use of FRT based authentication;
  3. the details about the storage and use of the data thus collected;
  4. whether any privacy impact assessment was conducted before deploying FRT for vaccine registrations;
  5. copies of any guidelines or SOPs which outlined the use of FRT for the registration process and other relevant information.

You can peruse all  of the questions that we asked by taking a look at a copy of the RTI application here.

MoHFW confirmed that FRT is being used as a part of the vaccination process

In response to our RTI application on June 24, 2021, MoHFW acknowledged the use of FRT as one of the methods for online verification of the beneficiaries. They further stated that the images captured through FRT would be sent to UIDAI for verification and not stored in any distinct database. According to their reply, no additional procurement was made for the implementation of FRT based verification. They also informed us that a pilot project for facial recognition authentication is still under continuation. According to reports, this pilot project is being conducted in Jharkhand.

However, MoHFW failed to specify any legislative or legal order that authorised the use of FRT nor could they provide copies of any relevant privacy impact assessment. Furthermore, the reply stated that use of FRT for verification of the beneficiaries’ data would be according to the terms furnished in the ‘Verifier & Vaccinator Module User Manual’ included in the COWIN portal which was not available on COWIN portal or any open source webpage. Lastly, they were unable to provide us with any information related to the accuracy of the FRT used, any third party assessments which may have been conducted and the exhaustive list of databases with which the facial recognition technology will be linked in order to identify individuals.

While we appreciate MoHFW conferring this response, we are afraid that they have failed to supply accurate information and have been evasive in their response. This is highly disconcerting since it violates the tenet of transparency under the RTI Act, creates further ambiguity regarding the registration process and offsets the promise of a universal and inclusive vaccination policy which indeed is the crying need of the hour.

FRT based verification for vaccination should be stopped

The COVID-19 vaccines are essential, life saving commodities in the current pandemic and ensuring equitable & indiscriminate access to the vaccines for all is of paramount importance. However, deploying Aadhaar based FRT for the verification process, deprives the citizens who do not possess or have not linked their Aadhaar cards to the COWIN portal or the on-site register, of the vital vaccines. Further, there is evidence that FRT is highly error prone and as may be gleaned from MoHFW’s response, no clearly defined testing or legal vetting was done prior to the deployment. Consequently, the risk of FRT failing to correctly identify the beneficiaries and thereby potentially excluding a significant portion of the population from the benefits of the COVID-19 vaccines, looms large.

MoHFW informed us that no privacy impact assessment of the use of FRT was conducted prior to its deployment. We have already enunciated the privacy concerns related to the data collected by UIDAI through Aadhar.

Use of FRT in vaccine registration process borders on function creep

In the past, there have been numerous incidents wherein FRTs deployed for a specific reason have been utilised for purposes beyond its original mandate. Thus fears of using the data procured through the FRT in vaccination for larger surveillance would not be unfounded. This is further aggravated by the fact that the User Manual mentioned by MoHFW in their reply to our RTI is not publicly available. This creates further confusion and anxiety regarding how the data would be collected, stored and used by the government authorities.

Imposing arbitrary requirements of enrolment with inaccurate and exclusionary digital identification schemes without any privacy safeguards is highly problematic and can adversely impact India’s fight against COVID-19.

Important Documents

  1. RTI application filed with MoHFW on May 18, 2021 (link)
  2. Response received from MoHFW on June 24, 2021 (link)
  3. Joint Statement: Say no to Aadhaar based Facial Recognition for Vaccination! dated April 14, 2021 (link)

Subscribe to our newsletter, and don't miss out on our latest updates.

Similar Posts

1
Your personal data, their political campaign? Beneficiary politics and the lack of law

As the 2024 elections inch closer, we look into how political parties can access personal data of welfare scheme beneficiaries and other potential voters through indirect and often illicit means, to create voter profiles for targeted campaigning, and what the law has to say about it.

6 min read

2
Press Release: Civil society organisations express urgent concerns over the integrity of the 2024 general elections to the Lok Sabha

11 civil society organisations wrote to the ECI, highlighting the role of technology in affecting electoral outcomes. The letter includes an urgent appeal to the ECI to uphold the integrity of the upcoming elections and hold political actors and digital platforms accountable to the voters. 

2 min read

3
IFF Explains: How a vulnerability in a government cloud service could have exposed the sensitive personal data of 2,50,000 Indian citizens

In January 2022, we informed CERT-In about a vulnerability in S3WaaS, a platform developed for hosting government websites, which could expose sensitive personal data of 2,50,000 Indians. The security researcher who identified the vulnerability confirmed its resolution in March 2024.

5 min read

Donate to IFF

Help IFF scale up by making a donation for digital rights. Really, when it comes to free speech online, digital privacy, net neutrality and innovation — we got your back!