NCRB finally responds to legal notice on facial recognition, we promptly send a rejoinder...

Tl;dr

We sent a legal notice to the National Crime Records Bureau (NCRB) on August 18, 2019 to halt and recall the invitation for bids for the implementation of a centralised Automated Facial Recognition System (AFRS) put out on June 28, 2019 with extremely worrying features of the system. With no response, we sent a follow up on October 31, 2019, to which we received a very detailed reply by the NCRB on November 5, 2019. Excitedly, we readied ourselves to send across a rejoinder to their response but much to our dismay, we largely had to restate our original asks.

Position unchanged

The follow up to our legal notice was graced by peculiar circumstances. The NCRB responded on November 5, 2019 with a  detailed parawise reply to our notice dated August 18, 2019. However, not long after, we received emails from NCRB officials stating that they wished to recall the email response sent to us. Naturally, we wrote back enquiring if an updated or finalised version of the document needed to be sent, to which there has been no clarification.

Given the tender closes today, we promptly sent across our rejoinder two days back, in the same format of their response. It involved us indulging in a lot of rebutting and here's what we had to say briefly.

  1. Main submission dealt with legality
    Our legal notice informed the NCRB that there was no legislative framework that gave AFRS any legality and we reiterated that once again. Why? Because the NCRB informed us that AFRS will be hosted on the CCTNS database which finds its supposed legality in the CCTNS Cabinet Note of 2009. We made sure to explain that a cabinet note is not a statutory enactment but a record of proceedings, and hence, AFRS continues to lack legality. We very clearly observed that the use of such systems on dead bodies appears slightly redundant on account of bodies beginning to decompose within 24 hours after death, which does not justify public expenditure on this.
  2. Flawed understanding of consent
    The response was firm in stating that the principle of consent would not be violated but did not have much to substantiate this point. It also says that Aadhaar would not be integrated with AFRS. We sure had a lot to say to this; our rejoinder pointed out the inadvertent access that the integration of various databases will provide. Further, the Aadhaar database, through the already existing access State police have, quite clearly violates consent considering that an individual may have only given consent to one database and its use.
  3. Systems are apparently too cutting edge
    Our concerns of misidentification and discriminatory profiling were met with blanket responses that AFRS would simply not face these problems as it would meet NIST standards (National Institute of Standards and Technology) and also have sufficient safeguards in its Standard Operating Procedure. Our response makes sure to highlight how without any legal framework, there would be nothing to provide for strict safeguards and also cases from San Francisco and Massachusetts that have found that their cutting edge technology too faces concerns of misidentification and discriminatory profiling.
  4. No need for proportionality/safeguards but oversight and accountability will still exist
    The response by the NCRB claims that there would be no need for proportionality or any safeguards and they substantiate this with requirements provided for device security and unauthorised access. We point out their misunderstanding of proportionality and safeguards by explaining our worries of mass surveillance that could ensue because of such unregulated technology.

Stop! In the name of law

It is important to note that a lot of what the NCRB has stated, marks a large departure from what the Request for Proposal (the tender document) states. Although we appreciate the NCRB's efforts in responding to our legal notice, at the end of this, we had to restate most of our initial submissions. While we do not want to take any credit for this outcome, the date for the tender has once again been extended to January 3,  2020.

As a result, our rejoinder continues to ask for a withdrawl of this tender and a moratorium on all privacy invading projects until a data protection law and authority is in existence. We intend to examine all legal options to challenge it after conferring with counsel if it proceeds further.

Important Documents:

  1. IFF rejoinder dated November 6, 2019 to NCRB response dated November 5, 2019 [link]
  2. NCRB Response dated November 5, 2019 to IFF legal notice dated August 18, 2019 [link]
  3. Follow up Representation to the National Crime Records Bureau dated August 31, 2019 [link]
  4. Previous post on Facial Recognition Systems [link]
  5. Legal notice to the National Crime Records Bureau dated August 18, 2019 [link]

Do you see eye-to-eye with us on how problematic facial recognition systems can be? Become an IFF member today!