Why India must resist facial recognition tech
Without a data protection law, the unregulated use of such technologies can corrode and destroy freedoms
Facial recognition has become a cause for concern in western democracies. The European Commission is considering imposing a five-year moratorium on the use of facial recognition technologies in the European Union (EU). In the United States (US), municipalities have passed, or are considering passing prohibitions, and California is considering a similar legislation. This alarm is justified. India, however, is rushing to adopt public facial recognition without any legal restraint, and discussion.
Recently, former minister of state for civil aviation, Jayant Sinha, celebrated the launch of Digiyatra, endorsing the omnipresent use of facial recognition in airports where someone’s face would suffice as the boarding pass. Not to be left behind, the Telangana State Election Commission announced the use of facial recognition in Medchal Malkajgiri district to counter impersonation by voters in a forthcoming municipal election. Sinha asserted that Digiyatra was General Data Protection Regulation (Gdpr)-compliant, which would be enough to protect the privacy of Indian citizens. The GDPR 2016/679 is a regulation in the EU law on data protection and privacy to protect European citizens. It doesn’t talk about rights of Indian citizens and its applicability in this context is unclear.
In the 21st century, an Aadhaar number, a mobile handset’s IMEI number, and the unique network address of a wifi adapter in smartphones, for example, can locate users in the digital world. From financial transactions to interpersonal communications, from web searches to everything that a person reads, watches, or listens can be used to identify almost everything we touch, do and think. Once cameras are connected to a facial recognition software, citizens have no privacy anywhere. To those with power — governments or businesses — people are seen, recognised, analysed, predicted and controlled all the time. This technology can be used to perfect despotism. Thanks to the technical sophistication and political audacity of the Chinese Communist Party, which has made a demonstration prototype to warn residents of Xinjiang, we don’t have to treat that possibility as science fiction.
The Indian government may go down the same road. By beginning to apply it in elections in Telangana, the State is claiming that this technology is somehow integral to democracy.
Tech enthusiasts tend to dismiss anyone asking basic questions as Luddites, especially if billions of dollars are at stake. But once such a society without privacy is built, it cannot be dismantled. Once people allow their government to permit its construction, they are entrusting all future governments, and all future dominant data-mining companies, with powers that can be used to destroy freedom. This is why the other advanced democracies are hesitating. In civil society, within government, and even in the tech companies themselves, there is a sudden awareness that a tipping point has been reached.
Facial recognition is just one form of identification. Even if it is controlled or forbidden to use on the public, all the other forms of digital identification, when accompanied by comprehensive behaviour collection and secretive data analysis, are a threat to the autonomy of each individual. There is a need to regulate the industry on behaviour collection, and subject government surveillance to the rule of law. But once we have also enabled comprehensive facial recognition, we have made all those problems exponentially worse, and probably irreversible.
Yet in India, the government and private industry are forging ahead. What they are asking is not only that we should trust the government and these private market parties with power sufficient to destroy democracy. We are being asked also to trust all their successors with such power. This, even before we have forgotten the Whatsapp/nso spying scandal. Unless the Puttaswamy judgment (the right to privacy is protected as a fundamental constitutional right) of the Supreme Court has already become meaningless, for the government to take such a step violates basic constitutional rights.
For the government to allow the private market to create the infrastructure, placing the impetus in constitutionally unaccountable hands while reserving to itself the right to have continuous access to the data, should also be held a violation of constitutional human rights.
What should happen now? First, as in Europe, we should declare a five-year moratorium on all public-space facial recognition, governmental and private, to allow time for society and the law to catch up. Parliament should make by statute a strong personal privacy charter protecting the rights of everyone to be free from forms of behaviour collection and mass data analysis that are demonstrably harmful. Such an Act should not have any exceptions. It should subject all government surveillance — and government use of private surveillance technologies — to the rule of law.
Parliament should also make a “data protection” statute that regulates the sale and transfer in commerce of behavioural information about individuals that does not meet technical standards of safety and appropriateness of acquisition. It is only then that a democracy can safely begin to adopt technologies that, unregulated as they presently are, can corrode and destroy the very fabric of human freedom.