Government endorses the use of facial recognition for “touchless” vaccination process

tl;dr

Among several other controversies that have surrounded the Government’s COVID-19 vaccine management policies, recent news about the Government deploying facial recognition facilities at vaccination centres for the purposes of authentication has emerged as a cause of worry. We filed an RTI application with the Ministry of Health and Family Welfare (MoHFW) on May 18, 2021 to understand more about the process and to verify the authenticity of such reports. In their reply to our RTI application dated June 24, 2021 the Ministry confirmed the use of facial recognition for verification of beneficiaries of the COVID-19 vaccines but failed to provide any guidelines or SOP that clearly delineates the technical and implementation details of facial recognition technology (FRT) for COVID-19 vaccine verification.

Background

The Government had implied its plans to roll out Aadhaar-based facial recognition technology (FRT) as the mode of verification of the personal data of the beneficiaries of the COVID-19 vaccines, purportedly to make the vaccination process “touchless”, thus replacing the existing practice of biometric verification at vaccination centres through fingerprints and iris scans. This indicates that using Aadhaar cards for the purposes of registration for COVID-19 vaccines can potentially become mandatory, thereby posing grave threats to the privacy and other constitutional rights of the citizens.

Despite official statements of government authorities affirming that biometric authentication for vaccination was not currently in practice, as well as the clarification of the MoHFW in the Lok Sabha that Aadhaar was not mandatory for vaccine registration and several other IDs were accepted for the registration process, this unchecked roll-out of an FRT-based registration system has caused anxiety and apprehension among many.

We filed an RTI application asking the MoHFW to furnish details about the use of FRT

In our RTI application with the MoHFW dated May 18, 2021, we had sought information about but not limited to:

  1. the legislation or rule which authorised the use of FRT for COVID-19 vaccine registration;

  2. the specific technology procured for the use of FRT based authentication;

  3. the details about the storage and use of the data thus collected;

  4. whether any privacy impact assessment was conducted before deploying FRT for vaccine registrations;

  5. copies of any guidelines or SOPs which outlined the use of FRT for the registration process and other relevant information.

You can peruse all of the questions that we asked by taking a look at a copy of the RTI application here.

MoHFW confirmed that FRT is being used as a part of the vaccination process

In response to our RTI application on June 24, 2021, MoHFW acknowledged the use of FRT as one of the methods for online verification of the beneficiaries. They further stated that the images captured through FRT would be sent to UIDAI for verification and not stored in any distinct database. According to their reply, no additional procurement was made for the implementation of FRT-based verification. They also informed us that a pilot project for facial recognition authentication is still under way. According to reports, this pilot project is being conducted in Jharkhand.

However, MoHFW failed to specify any legislative or legal order that authorised the use of FRT, nor could they provide copies of any relevant privacy impact assessment. Furthermore, the reply stated that use of FRT for verification of the beneficiaries’ data would be according to the terms furnished in the ‘Verifier & Vaccinator Module User Manual’ included in the COWIN portal, which was not available on the COWIN portal or any open source webpage. Lastly, they were unable to provide us with any information related to the accuracy of the FRT used, any third party assessments which may have been conducted and the exhaustive list of databases with which the facial recognition technology will be linked in order to identify individuals.

While we appreciate MoHFW providing this response, we are afraid that they have failed to supply accurate information and have been evasive in their response. This is highly disconcerting since it violates the tenet of transparency under the RTI Act, creates further ambiguity regarding the registration process and offsets the promise of a universal and inclusive vaccination policy which indeed is the crying need of the hour.

FRT based verification for vaccination should be stopped

The COVID-19 vaccines are essential, life-saving commodities in the current pandemic, and ensuring equitable & indiscriminate access to the vaccines for all is of paramount importance. However, deploying Aadhaar-based FRT for the verification process deprives the citizens who do not possess or have not linked their Aadhaar cards to the COWIN portal or the on-site register of the vital vaccines. Further, there is evidence that FRT is highly error prone and, as may be gleaned from MoHFW’s response, no clearly defined testing or legal vetting was done prior to the deployment. Consequently, the risk of FRT failing to correctly identify the beneficiaries, and thereby potentially excluding a significant portion of the population from the benefits of the COVID-19 vaccines, looms large.

MoHFW informed us that no privacy impact assessment of the use of FRT was conducted prior to its deployment. We have already enunciated the privacy concerns related to the data collected by UIDAI through Aadhaar.

Use of FRT in vaccine registration process borders on function creep

In the past, there have been numerous incidents wherein FRTs deployed for a specific reason have been utilised for purposes beyond their original mandate. Thus fears of using the data procured through the FRT in vaccination for larger surveillance would not be unfounded. This is further aggravated by the fact that the User Manual mentioned by MoHFW in their reply to our RTI is not publicly available. This creates further confusion and anxiety regarding how the data would be collected, stored and used by the government authorities.

Imposing arbitrary requirements of enrolment with inaccurate and exclusionary digital identification schemes without any privacy safeguards is highly problematic and can adversely impact India’s fight against COVID-19.

Published By
Yashaswini Basu

Privacy & RTI Fellow, IFF
