Facial recognition of students taking JEE, NEET soon? Experts flag risks
The National Testing Agency, which conducts several exams including the Joint Entrance Examination (Main) as well as Advanced, and the National Eligibility cum Entrance Test (NEET), has floated a tender for facial recognition and fingerprint verification to verify a candidate’s identity on a real-time basis. First reported by Medianama, the NTA has asked for a CCTV surveillance system as well in the tender, to “monitor various activities of the candidates and other persons deployed to conduct examinations at the sub-centres spread all over India”.
The requirements from the bidder include:
> Touchless IRIS capturing and facial recognition of candidate by verifying the candidate’s identity on a real-time basis or fingerprint capturing and facial recognition where the NTA will provide centre-wise data (roll numbers, photos, name, exam date/shift etc) of all registered candidates
> The bidder maintains the database and server, and should have provision of real-time attendance monitoring system
> A QR code or barcode on the admit card will be used to fetch the candidate’s information from the database. “Thereafter, Fingerprint/IRIS capturing of candidate’s and face recognition by the hand-held device shall be done at the security gate before the beginning of examination,” the tender says.
The tender also calls for CCTV surveillance at all centres, and for the footage to be relayed to the NTA’s office. The tender says the cameras will have to cover every candidate without blind spots and should also cover entry/exit points, staircases, registration areas, frisking areas, centre control room, server room and centre-incharge room and nearby areas like parking, driveway, center compound, etc.
This will cover a large number of students, as 15.97 lakh students had registered for NEET in 2020. For the JEE (Mains) this year, Education Minister Dharmendra Pradhan said in July that 7.32 lakh candidates had already registered for the exam, with registrations even open after this announcement. For all its students, the tender document states that the total number of candidates for all examinations in a year is likely to be approximately 50 lakh.
It is important to reiterate that India does not have a law for Personal Data Protection. In addition, many students taking the exam are under the age of 18, and below the age of consent. Anushka Jain, associate counsel for surveillance and transparency at the Internet Freedom Foundation, says that facial recognition technology is known to have many problems, and at the least, will only increase the anxiety of students in an already high-pressure situation.
“The main issue that will arise is that it is the only way of verification. If that day for some reason the verification doesn’t happen because the technology itself is problematic, then the student may lose out on giving the exam — and this is plausible because the tech is not accurate, especially on the faces of children,” she says. She adds that it needs to be noted that photos in the database may be older, and children’s faces are more prone to changing than an adult’s face.
She questions why the use of such technology is being promoted. ‘Why is the use of such technology being promoted, other than the fact that people in the government are fascinated by this technology? That is the only reason I understand the government is pushing on this extremely problematic technology which is proven not just in India but also across the world” she adds.
Both Anushka and Shweta Mohandas, policy officer at the Centre for Internet and Society, also say that this includes those below the age of 18, who cannot give consent to such a move. In addition, Shweta, says this system should not be the only way for a student’s verification.
Security of the data
Anushka says that it is unknown how the data that is collected will be stored, if it will be shared further, and how it’s going to be shared with the facial recognition system to ensure students are able to access the exam centres. She adds that the Internet Freedom Foundation recently found instances of children’s data being sold on Amazon.
“With the use of facial recognition, their photographs will also get added to such a database. And this type of invasion into the privacy of students is more problematic because they are underage, and can’t consent to sharing their data,” she says, calling it wrong, and saying it “should not happen”.
“It’s not being done in a phased manner and there’s no pilot project to check the problems. They are pushing out the tender and so many issues are definitely going to arise. There’s nothing about how these issues are going to be solved,” she adds, stating that there are other ways to achieve the same objectives.
Shweta questions what happens to the data during the time it is retained by the bidder. “Are there any restrictions on companies getting the tender from profiting from it and using it to train their own algorithms, or using the data themselves for the time they have?” she asks. The data that is collected qualifies as sensitive personal data. With no personal data protection law, there should be consideration about clear restrictions on the data, says Shweta.
The tender adds that the selected bidder will be responsible for providing secure systems. “The selected bidder is expected to adhere to Information Security Management procedures as per acceptable standards with best practices...The vendor shall have to maintain strict privacy and confidentiality of all the data it gets access to,” it read.
Anushka questions what the government’s duty in such a situation is, and says that for sensitive personal data, putting the burden on the private company is not okay. “Asking the private company to ensure the security of data of such a large number of children — what is the government’s duty in this situation? The government is asking for the data and the children are sharing the data with the government, not with the private company,” she says.
Shweta reiterates that there needs to be specific standards set for data such as this as in an event of a data breach, as there are no requirements currently. Anushka adds that it is difficult to hold a private company to account and additionally, even if there are measures, the harm to students will already be done.
“It is very difficult to hold a private company to account, especially a small one. It’s not like they are going to bow to public pressure and come out with privacy principles or do a human rights audit of their processes. If a private company further sells the data, what are you going to do? There can be further criminal processes but once the data is out there it is out there and the harm to students will not be mitigated in any situation,” she states.
Similar moves to introduce facial recognition have been done before. For example, last year, the Telangana State Council of Higher Education brought in facial recognition for admissions, where students upload a selfie onto an app and key in details for the system to pull details from the Board of Intermediate Education.