Criminal identification bill follows similar, unsuccessful and discriminatory laws elsewhere
A number of justifications have been cited for the recently approved Criminal Procedure (Identification) Bill 2022 – among them that the move will modernize identification processes and reduce crime rates, and that others countries, especially in the West, have successfully implemented laws. However, when subjected to close scrutiny, these claims are found to be misleading at best, if not downright inaccurate. In defining its own policy, it will be important for India to take into account the broader picture that has emerged from the experiences of other countries.
Much is at stake in this discussion. Data is power in digitalized societies, and although the CPI bill claims to make identification easier, in reality it sweeps away a far greater scope of personal biometrics than is necessary for this purpose (or even what is required for Aadhaar). These include “physical, biological samples and their analysis, behavioral attributes” and more.
This prima facie language includes DNA samples, from which a virtual treasure trove of an individual’s most private information can be derived – including susceptibility to disease, character traits, parentage, kinship, perhaps even his predisposition to a particular sexual orientation – not to mention that of their relatives who were never involved in any criminal activity to begin with. AI-based analysis of other included biometrics such as gait, face and voice analysis, combined with other data, can make increasingly detailed inferences about an individual – often based on private sector AI technology not subject to public scrutiny, and whose fairness and accuracy have yet to be demonstrated.
And biometric data is immutable – an individual cannot change it, and once it is released or leaked within government or beyond, the individual may suffer long-term consequences not only from the government, but other actors who have obtained this sensitive and valuable information. The data.
No previous evidence that it works
Given this broad scope, one has to ask whether the data demonstrates the purported reduction in crime that this type of bill is supposed to bring about. The response elsewhere has been largely negative. Consider the example of “DNA on arrest” – US state-based laws that allow the taking of DNA on arrest for crimes of a certain gravity, as the draft would ICC law. There, claims of reduced crime did not stand up to statistical scrutiny. The proponents’ crime reduction claims were based entirely on a very small number of high-profile cases, and even in these cases the critical role of DNA in the identification process has not been established.
When comparing crime rates within states over time, or between states with and without such statuses, it became clear that these types of statuses had no impact on crime rates and that in almost in any case, identification would have been possible even without DNA evidence. Similar cases abound – for example, the increased use of facial recognition biometrics in public spaces in places like Orlando and Washington County, Oregon, has failed to produce the announced reductions in crime.
But the lack of efficiency is far from being the only lesson; another challenge is the potential for abuse created by the government’s vastly increased data collection powers. Since the structure of the ICC bill relies on the seriousness of an underlying charge to determine the permissible scope of biometric collection, it incentivizes police to overcharge in a given case. This can be compared to the plea bargaining system in the United States, which confers enormous power in charging decisions by prosecutors. This power has resulted in a well-documented and widespread practice of overcharging – both increasing the seriousness of charges and adding new ones, even when prosecutors are aware they cannot prove them beyond any reasonable doubt. The ICC bill is likely to have a similar impact, with police being incentivized to exaggerate underlying crimes in order to collect mandatory biometrics.
In the context of other biometric technologies, abuses have already been documented – for example, twin reports from Georgetown Law documented a misuse of facial recognition systems, bringing probable accuracy in some cases close to zero, but still used to search and detain suspects. Even the use of DNA in the US criminal justice system is far from an exact science – there has been a litany of contaminated samples, mishandling by labs and disputes over forensic analysis. AI-based forensics with contested methodology. Further back, Edward Snowden’s revelations reveal the temptation to circumvent even skeletal accountability measures when invasive data-gathering power is vested in government.
Absence of data protection in India
This shift in power is particularly concerning in the Indian context, where there is a lack of strong data and privacy protection structures. While the European Union has the General Data Privacy Regulation (GDPR) and additional laws, and the United States has some state and constitutional protections, India’s structure is still developing, with new new regulations promising to streamline data protection. However, these forward-looking protections will be cold comfort to those whose biometric data may have already been widely shared among government agencies, as the proposed IPC bill allows. The bill also does not include other checks and balances such as judicial or regulatory approval or digital data trails.
These concerns are even before we address the issue of data breaches – an area where, by the government’s own admission, cybercrime has quintupled over the past three years, putting large government databases at risk. And the bill removes expungement provisions found in previous versions – meaning individuals can have their biometric data retained by the government for life even after a successful pardon, creating an underclass of individuals more likely to to be monitored. People from disadvantaged sectors of society are unlikely to be able to correct the record even when biometrics are collected in error – similar to the impact of disenfranchisement in the United States, which resulted in the permanent and unjust loss of the right to vote, even for those eligible, many of them non-white.
It is also far from the case that other countries have followed a steady march towards increasingly important collection of biometric data. On the contrary, the trend has been increasingly to require strong and clear justification for any collection with supporting data, as well as strong safeguards and accountability when laws are passed. The aforementioned DNA on arrest statutes, for example, has met with strong backlash in US states, with at least some state constitutions interpreted to ban the practice in whole or in part.
The latest EU AI regulation being discussed rightly prioritizes biometric AI – which overlaps with the collection authorized by the IPC Bill – as being of most concern. Many U.S. cities have banned public use of facial recognition, and even private-sector providers of such technology have been forced to refrain from selling it to law enforcement in the face of fairness and security concerns. responsibility. Biometric databases in the US and EU have been rightly recognized as being of the highest sensitivity, with additional safeguards and digital trails required for access, and with sharing only with justification convincing. Canada, spurred by widespread collection of biometric data by a private sector shopping mall operator, has introduced legislation to update its privacy protections around such biometric data.
The GDPR itself attempts to tie the scope of data collection to a clearly stated and defined purpose – a best practice that should apply in today’s environment – and includes recourse provisions, including deletion, and a regulator with substantial power to enforce these rules. In many of these debates, the criminal context is viewed as the canary in the coal mine – the first use case that could eventually normalize broader biometric data collection for the entire population. For this reason, it is important to determine whether collection is warranted and to adopt data collection best practices from the outset.
While there may be positive intentions behind the CPI Bill, and the reassurances of its proponents are welcome, the content of the Bill itself strikes a discordant note in the context of larger trends. wide. Where the potential for violation of citizens’ personal rights is so great, verbal assurances are no substitute for clear and enforceable systems of accountability and transparency. These should include, in the first place, the adequacy of the scope of the collection for its presumed purpose (identification) and the production of data to substantiate this scope. If these data cannot be produced, the bill should be dropped.
If it goes ahead, it must limit collection through clear definitions that are fit for purpose. It should also include clear third-party approval processes for sharing between agencies (rather than general sharing allowed by the invoice), a digital trail documenting access and use, and processes for deletion and erasure, as well as a third-party regulator with the power to enforce the rules and sanction breaches. These best practices should go hand in hand with expanded biometric collection rather than an afterthought. Only then will the government’s stated intention to modernize its criminal identification processes turn into a beneficial reality, rather than a nightmare for citizens.
Shankar Narayan is a lawyer working at the intersection of technology and civil rights. He worked for over a decade with the American Civil Liberties Union and served as a technology attorney for Microsoft and Amazon, among others.