Data passed on in encrypted format
Hyderabad: The Telangana State Election Commission (SEC) has announced th-at it would be using facial recognition to authenticate voters in Kompally during the January 22 urban local body elections. Observers have criticised this move, calling attention to the lack of oversight when it comes to collection, deletion and possible misuse of citizen data.
As of now, there is no legal framework that governs the collection, storage and deletion of personal data. The Personal Data Protection Bill, 2019 was introduced in the Lok Sabha in December last and is being studied by a standing committee.
An SEC official told Deccan Chronicle that the pilot project would be conducted only in 10 polling booths across Kompally municipality.
A senior official expl-ained that voters would be authenticated using their photographs in the electoral database.
“The result in the recognition tool would not be taken as final. Physical verification will be done in tandem by field officials,” he said. He assu-red that no legitimate voter will lose his right to vote. The official said the pilot was expected to provide real-time experience and understanding to the SEC, which it would need to deploy facial recognition across the state in future elections. “We want to assess the practical applications of this tool and improve it using this experience. We are considering using it during the GHMC elections,” he said.
When asked about the absence of a legal framework to use facial recognition technology to identify voters, a State Election Commission (SEC) official said the voter’s authentication data would not be stored, or deleted soon afterwards. “The data is transmitted to servers for authentication in an encrypted format, for security reasons. It will be deleted by the end of the day or the next. It will not be stored at all,” he said.
Interestingly, this authentication does not happen on servers operated by the SEC, a Constitutional and independent authority. It is the Telangana State Technology Services (TSTS), a specialised agency established by the state government’s information technology department, that will provide this service. The official admitted that the SEC would have no control over the deletion of voter data, and TSTS has ultimately been entrusted with this important task.
“The data will be sent to data centres operated by the TSTS. I don’t know where they are,” he added.
Indeed, there doesn’t seem to be a standard procedure for data deletion. Mr G.T. Venkateswara Rao, managing director (in-charge) of TSTS, told Deccan Chronicle that the SEC gave the TSTS the job of running backend operations only after doing due diligence.
“Only limited fields of (voter) data are shared with the TSTS. The data will be deleted post the elections. The SEC has decided (to give this work) only after it was satisfied,” he explained.
Asked whether an external audit would be conducted to confirm the deletion of data, Mr Rao said, “As mentioned earlier, since only two or three pieces of data will be shared, the certification of deletion will be self-declared,” he said, adding that it “is not a major issue.”
In a statement, the SEC said the entire transmission process and IDs are anonymised through encryption and removal of personally identifiable information. “The input filed (encrypted live photo data) is deleted immediately after the purpose is fulfilled,” it said. On the TSTS’ role in the process, it said, “The photographs will not be stored or used for any other purpose. They will be erased from the mobile used in the polling station and also the server of TSTS. Further, TSTS has to give an undertaking to this effect before implentation of the pilot project.”