A number of justifications have been cited in favour of the recently approved Criminal Procedure (Identification) Bill 2022 – among them that the move will modernise identification processes and reduce crime rates, and that other countries, particularly in the West, have successfully implemented similar laws. However, when subjected to scrutiny, these claims prove misleading at best, if not outright inaccurate. In setting its own policy, it will be important for India to take into account the broader picture that has emerged from other countries’ experiences.
A great deal is at stake in this discussion. Data is power in digitised societies, and while the CPI Bill purports to facilitate identification, in reality, it sweeps in a far greater scope of personal biometrics than required for that purpose (or even what is required for Aadhaar). These include “physical, biological samples and their analysis, behavioural attributes” and more.
This language on its face includes DNA samples, from which can be derived a virtual treasure trove of an individual’s most private information – including their susceptibility to disease, character traits, parentage, kinship, perhaps even predisposition to a particular sexual orientation – not to mention that of their relatives who were never involved in any criminal activity to begin with. AI-based analysis of other included biometrics, such as gait, face and voice, combined with other data, can yield increasingly detailed inferences about an individual – often on the basis of private-sector AI technology not subject to public scrutiny, and whose fairness and accuracy have yet to be demonstrated.
And biometric data is immutable – an individual cannot change it, and once it is disseminated or leaked within the government or beyond, the individual may suffer long-term consequences not just from the government, but from other actors who have obtained this sensitive and valuable data.
No previous proof it works
Given this sweeping scope, it is worth asking whether data demonstrates the purported reduction in crime this kind of Bill is supposed to engender. The answer elsewhere has been largely negative. Take the example of “DNA on arrest” – state-based US statutes that allow the taking of DNA upon arrest for crimes of a certain severity, as the CPI Bill would. There, the reduced-crime claims failed to stand up to statistical scrutiny. Proponents’ crime reduction claims were based entirely on a very small number of high-profile cases, and even in those instances, the critical role of DNA in the identification process was not established.
Comparisons of crime rates within states over time, and across states with and without such statutes, made clear that these kinds of statutes have no impact on crime rates, and that in nearly all cases identification would have been possible even without DNA evidence. Similar instances abound – for example, the increased use of facial recognition biometrics in public spaces in places like Orlando and Washington County, Oregon, failed to produce the touted crime reductions.
But lack of efficacy is far from the only lesson; another challenge is the potential for abuse engendered by the government’s broadly increased data collection powers. Because the CPI Bill’s structure relies on the severity of an underlying charge to determine the permissible scope of biometric collection, it incentivises police to over-charge in a given case. This can be analogised to the plea bargaining system in the US, which vests tremendous power in charging decisions by prosecutors. This power has resulted in a well-documented and widespread practice of over-charging – both increasing the severity of charges and adding additional ones, even when prosecutors are aware they cannot prove them beyond a reasonable doubt. The CPI Bill is likely to have a similar impact, with police incentivised to overstate underlying crimes in order to collect mandatory biometrics.
In the context of other biometric technologies, abuse has already been documented – for example, twin reports by Georgetown Law documented widespread misuse of facial recognition systems, with likely accuracy in some cases near zero, yet the systems were still relied on to seek out and detain suspects. Even the use of DNA in the US criminal justice system has been far from an exact science – there has been a litany of contaminated samples, mishandling by labs, and litigation around AI-based forensic analysis with contested methodology. Further back, the Edward Snowden revelations showed the temptation to bypass even skeletal accountability measures when invasive data collection power is vested in government.
Lack of data protection in India
This shift in power is particularly concerning in the Indian context, where there is a lack of robust data protection and privacy structures. While the European Union has the General Data Protection Regulation (GDPR) and additional statutes, and the US has some state-based and constitutional protections, India’s structure is still in development, with new regulations promising to rationalise data protection. However, those forward-looking protections will be cold comfort to those whose biometrics may have already been shared broadly between government agencies, as the CPI Bill allows. Nor does the Bill include other checks and balances such as judicial or regulatory approval or digital data trails.
These concerns arise even before we get to the question of data breaches – an area where, by the government’s own admission, there has been a fivefold increase in cybercrime over the past three years, putting large government databases at increasing risk. And the Bill removes the expungement provisions found in previous versions – meaning that individuals may have their biometrics kept by the government for life even after successful rehabilitation, creating an underclass of individuals more susceptible to surveillance. Individuals from disempowered sectors of society will likely be unable to correct the record even where biometrics are collected in error – similar to the impact of felony disenfranchisement in the US, which has resulted in the permanent and unjust loss of voting rights even for eligible individuals, many of them non-white.
It is also far from the case that other countries have been on a steady march towards greater and greater collection of biometrics. If anything, the trend has been increasingly to demand strong and clear justification for any collection with data to back it up, as well as strong safeguards and accountability where statutes are approved. The aforementioned DNA on arrest statutes, for example, have been met with strong pushback in US states, with at least some state constitutions interpreted to outlaw the practice in whole or in part.
The latest EU regulation on AI under discussion rightly prioritises biometric AI – which overlaps with the collection allowed under the CPI Bill – as being of the highest category of concern. Numerous US cities have banned the public use of facial recognition, and even private sector vendors of such technologies have been forced to refrain from selling it to law enforcement in the face of fairness and accountability concerns. Biometric databases in both the US and EU have been rightly recognised as being of the highest sensitivity, with additional protections and digital trails required for access, and with sharing only with compelling justification. Canada, spurred on by broad biometrics collection by a private sector mall operator, tabled a bill to update its personal privacy protections around such biometrics.
The GDPR itself attempts to tie the scope of data collection to a clearly stated and defined purpose – a best practice that should apply in the current context – and includes redress provisions, including deletion, and a regulator with substantial power to enforce these rules. In many of these debates, the criminal context is seen as the canary in the coal mine – the first use case that eventually may normalise broader collection of biometrics for the broader population. For that reason, it is important to consider whether the collection is justified, and to adopt data collection best practices at the outset.
While there may be positive intentions behind the CPI Bill, and the reassurances of its proponents are welcome, the content of the Bill itself strikes a discordant note in the context of the larger trends. Where the potential to infringe on the personal rights of citizens is so great, verbal reassurances cannot substitute for clear and enforceable systems of accountability and transparency. These should include, first and foremost, matching the scope of the collection to its purported purpose (identification), and producing data to justify that scope. If that data cannot be produced, the Bill should be dropped.
If it does move forward, it must limit collection via clear definitions matched to purpose. It must also include clear third-party approval processes for sharing between agencies (rather than the blanket sharing the bill authorises), a digital trail documenting access and use, and deletion and expungement processes, as well as a third party regulator with the power to enforce the rules and penalise infractions. These best practices must go hand in hand with expanded biometrics collection rather than following as an afterthought. Only then can the government’s stated intent of modernising its criminal identification processes turn into a beneficial reality, rather than a citizen’s nightmare.
Shankar Narayan is an attorney working at the intersection of technology and civil rights. He worked for over a decade with the American Civil Liberties Union, and served as a technology lawyer for Microsoft and Amazon, among others.