“Our faces are not data points”: IFF writes to govt against use of Aadhaar biometric, facial recognition enabled attendance systems

In light of various government departments enforcing Aadhaar biometric and facial recognition-enabled attendance systems across the country, digital rights group Internet Freedom Foundation wrote to authorities outlining glaring privacy harms.

“In recent years, there have been rising instances of facial recognition technologies and biometric scans being deployed by India’s union and state government agencies to record attendance. This technology is being deployed at public offices, hospitals, and schools without adequate checks or safeguards, endangering vulnerable data of citizens. We wrote to the Secretaries of Delhi Education Department, Delhi Transport Department, and Secretary of the National Medical Commission noting our concerns, urging them to take necessary steps to preserve the privacy of all implicated parties, and recall this action with immediate effect,” said IFF.

It went on to say: “There has been a rising trend in the use of attendance systems which use biometric data such as facial features, retina, iris, or fingerprints to log the attendance of individuals. At the Union government level, the Ministry of Personnel, Public Grievances & Pensions introduced AEBAS in 2014 and urged compliance with the same by all the Union government offices in 2023. This is also being done by various state governments, who have been deploying AEBAS or similar biometric systems and facial recognition tools for employees at government offices, hospitals, buses, and in schools. Some of these even extend to office visitors and students sitting for exams.”

The increased prevalence of the use of biometric technology to identify and monitor people raises some serious human rights concerns, it noted.

“A major concern is that the Digital Personal Data Protection Act, 2023 (“DPDPA”), has not been operationalised till now. In the absence of an implemented data protection law, any data collection exercise can result in harmful breaches of privacy. Additionally, even once the law comes into operation through notified Rules, the conditions for data collection and processing by private and government agencies remain unclear and broad, thereby exposing people’s personal data to privacy issues and threats of surveillance without a set remedial recourse. “

The IFF said: “The use of facial recognition systems could result in additional screening measures for those categories which have historically lower facial recognition accuracy rates such as women and people with darker skin, and false negatives could result in them not being identified as themselves correctly. This can have repercussions on wages as the person may be falsely marked as absent, and impact performance reviews overtime. The nature of biometric data itself increases the harms that may result from any data breach or misuse as well. Unlike passwords, biometric data cannot be changed and thus, once breached the harms may be irrevocable.”

The Biometric attendance systems will also fail the Puttaswamy standard, the IFF said.

“In addition to biometric data, such biometric attendance systems also collect other information, such as geo-location data, which may also lead to potential harm. In some instances, these systems are being used for students who are minors. Usage and propagation of such a technology violates the fundamental right to privacy of students, teachers/invigilators and employees which is accorded to them vide Article 21 of the Indian Constitution. This can be tested through an assessment against principles set forth by a nine-judge bench of the Supreme Court in K.S. Puttaswamy v. Union of India (2017) 10 SCC 1.”

The digital rights body said that the government‘s history with data breaches, specifically in the case of Aadhaar, throws into question the vulnerability of any potential biometric system.

It said: “Issues of individuals Aadhaar data being made publicly available and being accessible to government officials who lacked proper authorization, represent just some of the cybersecurity issues (here and here) that any future database will be required to overcome. In our letter to the Computer Emergency Response Team (CERT-In) regarding a breach of Aadhaar data, we recalled numerous instances of Aadhaar data being leaked or breached in the recent past and called to action the responsible Union and state level agencies to cure this dangerous trend. Furthermore, the existence of fraud and identity theft that have arisen in the case of biometrics data could compromise any future system that will rely on or integrate any pre-existing facial or biometric data that has been collected for Aadhaar.”

Internet Freedom Foundation said they believe that the proliferation of AEBAS and facial recognition attendance systems as well as the move to make biometric attendance compulsory in various organisations, patently violates the fundamental right to privacy of individuals and might lead to data maximisation.

“It not only fails to meet the purported objective of curbing unfair practices, but its compulsory use also exposes the vulnerability of state agencies not equipped to develop and maintain such sensitive information as has been observed in the past data breaches. We urged the administrating agencies to cease the use of such privacy invasive systems.”

Author