We wrote to the Govt. of Meghalaya against the use of FRT for verification of pensioner's identities

tl;dr

According to a press release by the Government of Meghalaya, facial recognition technology will be used to verify the identity of pensioners to issue a digital Life Certificate. We provided support to Mr. Jade Jeremiah Lyngdoh, a law student, in drafting a letter to the relevant authorities in which we highlighted the possible privacy concerns.

Background

Through an Office Memorandum dated July 15, 2021, the Finance (Pension Cell) Department of the Government of Meghalaya clarified that generating a Digital Life Certificate on using “Pensioner’s Life Certification Verification” mobile application would also be considered as a valid means of submission of Life Certificate to the Pension Distributing Authority. According to a press release issued by the Government of Meghalaya, also dated July 15, 2021, the pensioner’s identity will be verified by the mobile application using “Face Verification Technology” or facial recognition technology (FRT).

The intent of the notice, according to the press release, is purportedly to offer pensioners “a secure, easy and hassle-free interface for verifying their liveness to the Pension Disbursing Authorities from the comfort of their homes using smartphones”. Concerned about the possible privacy violations, Mr. Lyngdoh approached us to help him to draft a letter to the relevant authorities in order to caution them against such use of FRT.

Problems with use of FRT for issuing digital Life Certificates

FRT is innately invasive. It involves processing digital images of individuals faces for verification or identification, by extracting data points from a face and then comparing data points to a pre-existing image. Thus, the use of FRT involves collecting, processing and storing biometric information. Biometric information constitutes “sensitive personal information” given the expectation of confidentiality associated with biometric data; the immutability of the data as part of an individual’s identity; and the risk of significant harm that may be caused by its use and misuse.

In this regard, it is important to note that the Hon’ble Supreme Court in K.S. Puttaswamy v. Union of India 2017 SCC 1, held the right to privacy includes the right to informational autonomy, and any processing of sensitive personal data must follow the principles of lawfulness, fairness, and transparency; data minimisation and collection limitation; purpose limitation; storage and retention limitation; accuracy; integrity and confidentiality of data; and principles of accountability. These principles must be complied by any authority collecting data, even if such collection is on a voluntary basis.

The “Pensioner’s Life Certification Verification” mobile application does not comply with any of these principles. The application has been rolled out without any anchoring legislation which governs the processing of personal data and thus, lacks lawfulness and the Government is not empowered to process data. Moreover because of a lack of an anchoring legislation, the residents of Meghalaya, amongst other things, do not have any statutory recourse in case their biometric information is misused. An anchoring legislation would have provided a grievance redressal mechanism as well as the time-period for which personal data may be retained, the purposes for which the data would be used and an option to the residents of Meghalaya to opt out. In absence of such statutory safeguards, according to settled law, personal data should not be processed.

Further, facial recognition systems are also not accurate. A report published by The New York Times, dated February 9, 2018, and a report titled “Facial Recognition Technologies: A Primer” both reveal the potential threats and drawbacks of utilising Face Recognition Technology. A study in the primer highlighted that when FRT was tested on individuals from several countries and age groups, the error rate was negligible. Shockingly, when the technology was used on a homogenous population consisting of individuals belonging to the same age group and geographical area, the error rate was 20 times higher. Considering the pension benefits will be derived by individuals in Meghalaya from the same age group, the error rate is likely to be considerably high.

Our recommendations

In light of the above considerations, we requested the Finance Department of the Government of Meghalaya to reconsider the validity of the directions held in the aforementioned memorandum and press release.

Use of FRT for access to government schemes will not only lead to a violation of privacy but also lead to exclusion from them due to its inaccuracy. Under IFF’s Project Panoptic, we will continue to fight against the proliferation of this harmful technology throughout the country.