tl;dr
After coming across reports that the Central Board of Secondary Education (CBSE) was using facial recognition technology to provide access to digital documents, we pursued multiple paths of transparency and accountability. Firstly, we filed RTIs and then we wrote to them highlighting our concerns.
What is the CBSE doing?
As per a news report published in the Indian Express, the CBSE is now using facial recognition technology to provide access to digital documents to students. The application will enable students to download their digital academic documents of classes 10 & 12 after a live image of the student is matched with the photograph on the CBSE admit card already stored in the repository.
First step: Right to Information
Pursuant to this, we filed a Right to Information request with CBSE bearing reference no. CBSED/R/E/20/03761 on October 28, 2020 asking them to provide information about the scope and nature of the project. In their reply dated November 24, 2020 bearing reference no. CBSED/R/E/20/03761/3176, CBSE stated that they were not using facial recognition technology instead they were using face matching technology thereby trying to create a measure of difference between the two.
On 28.10.2020, we filed an RTI with the CBSE @cbseindia29 asking them about their use of facial recognition technology to access digital documents. In a reply dated 24.11.2020, they have denied use of FRT but state that they use a “facial matching” system instead.
— Internet Freedom Foundation (IFF) (@internetfreedom) November 25, 2020
1/n pic.twitter.com/uLGufBiXU4
As a result, we filed another RTI request on December 10, 2020 bearing reference no. CBSED/R/E/20/04158 asking CBSE to explain how the face matching technology operates. However, even after the prescribed time limit of 30 days within which a reply has to be provided expired, the CBSE has failed to provide any response to our second request. As a result, we have filed a first appeal highlighting the CBSE's failure to respond. We still await further information on this for which we reserve our rights to remedies as per law.
Next step: A recommendation to halt use by highlighting concerns
Since we have received no response on our last RTI request, we decided to write to the CBSE highlighting the various concerns that use of facial recognition brings with it.
A. Concerns related to privacy
Use of this technology, in a legal vacuum, especially with regard to children, is extremely concerning as pertaining to the fundamental right to privacy. Here, we take the liberty to draw your attention to the Hon’ble Supreme Court's decision in Justice K.S. Puttaswamy vs Union of India (2017) 10 SCC 1 which says that certain standards have to be met in order to justify intrusion by the State into the right to privacy. These standards are :
a. Legality (existence of a law) : Where the intrusion must take place a defined regime of law i.e. there must be an anchoring legislation, with a clear set of provisions.
b. Legitimate goal/state aim : Which justifies that the restriction to people’s privacy (in this case data collection and sharing) is needed in a democratic society to fulfill a legitimate state aim.
c. Proportionality : Where the Government must show among other things that the measure being undertaken has a rational nexus with the objective. The state must also demonstrate that there are no other alternatives both analog and digital which can fulfil said mandate which are less intrusive but equally effective; and that the extent of the interference is proportionate to its need.
d. Procedural guarantees to check against the abuse of State interference : Where there is an appropriate independent institutional mechanism, with in-built procedural safeguards aligned with standards of procedure established by law which are just, fair and reasonable to prevent abuse.
Laws with regard to facial recognition which may act as anchoring legislations, unfortunately do not exist in India thereby failing to satisfy the first Puttuswamy standard. Additionally, the use of FRT by CBSE fails to satisfy the proportionality requirement since, according to the reply sent to us by CBSE, it is just one of the authentication mechanisms being used under the multi-factor authentication process in place. Finally, there are no procedural guarantees, such as a data protection law, in place to ensure that misuse of the technology does not take place thereby increasing the risks related to its use.
B. Concerns related to exclusion
In addition to concerns related to privacy, concerns relating to exclusion due to inaccurate technology become a factor here. This is also important to consider since students accessing these documents may be under stressful conditions like application processes for colleges and universities abroad. In such a situation, this technology could act as an unnecessary hindrance. Another factor to consider here is since the technology is being used on children whose appearance is bound to undergo changes over the course of the time since when the picture in the CBSE repository was taken and when the student is trying to access it, this technology could fail to identify students thereby adding to the stress that children may already be undergoing.
Our recommendation
In lights of these concerns, we recommended that CBSE cease use of facial recognition irrespective of the nomenclature being used for it as face matching for any of its deployments.
Project Panoptic
Under our Project Panoptic, we try to bring transparency and accountability to all facial recognition deployments by the government, both State and Central across the country. You can read more about the CBSE deployment here and sign the petition calling for a ban on facial recognition use here.