Skip to main content
InternetFreedomIn u/InternetFreedomIn avatar

Internet Freedom Foundation

u/InternetFreedomIn

Feed options
Hot
New
Top
View
Card
Compact

Why was "Satluj" removed from Zee5 despite no law explicitly banning its online release?
Why was "Satluj" removed from Zee5 despite no law explicitly banning its online release?
media poster

IFF raises concerns over proposed plan to further integrate Facial Recognition Cameras in Major Indian Airports
IFF raises concerns over proposed plan to further integrate Facial Recognition Cameras in Major Indian Airports

Donate Now

tl;dr

Recent media reports disclosed that there are plans to introduce facial recognition cameras at six major airports in India, namely, Delhi, Mumbai, Bengaluru, Hyderabad, and Chennai. IFF has written representations to MHA, CISF, AAI, and DGCA highlighting concerns about the infringement of the right to privacy of citizens, and the inaccuracies, racial and gender biases that facial recognition technology has been riddled with.

Background

On June 23, 2026, media reports from The HinduThe New Indian Express, and The Economic Times, among others reported that a proposed plan to introduce facial recognition cameras at major Indian airports was being considered. As per The Hindu, The airports being considered are Delhi, Mumbai, Bengaluru, Hyderabad, and Chennai and are further proposed to be linked to a data fusion centre that is proposed to come up in Delhi. At a recent event, the CISF Director General Praveer Ranjan, stated that the proposal was to integrate about 1.5 lakh CCTVs installed in units under CISF security cover. Moreover, the facial recognition cameras at the airports are further proposed to be integrated with the National Intelligence Grid (NATGRID) to enhance real-time monitoring, suspect identification and support to law enforcement agencies.

Analysis

Concerns regarding the Right to Privacy

There are several concerns about the Proposed Plan to integrate facial recognition technology (FRT) in cameras at airports, the foremost among them being that the move significantly enhances mass surveillance. The Supreme Court in its landmark judgement, K.S. Puttaswamy v. Union of India (2017), recognized the right to privacy as a fundamental right emerging from the right to life and liberty under Article 21 of the Indian Constitution. In its judgement, the Supreme Court laid down the threefold requirements of i) legality; ii) necessity; and iii) proportionality which needed to be satisfied in order to justify an encroachment on an individual’s right to privacy. 

The Proposed Plan does not indicate the statutory basis or the specific legal provision being relied on to roll out facial recognition cameras at airports and fails to articulate any clearly defined, legitimate State aim and purpose of the Proposed Plan (even if legality is presumed).  Moreover, the Proposed Plan’s deployment is also a breach of the proportionality standard as laid down by the Supreme Court in Puttaswamy (supra). This principle requires demonstration of necessity for the collection, through concrete evidence. Crucially, data collection cannot be done in a blanket manner – that is, if the goal is to identify a specific instance of wrong-doing or prevent crime (in policing or security), the State cannot achieve that by broad, sweeping and indiscriminate data collection, as it fails to distinguish between those against whom there is probable cause of suspicion, and against whom there is not. In other words, any data collection must be undertaken in a specific and targeted way. Hence, given the Proposed Plan would effectively build an underlying database of people from public spaces and then further deploy them in crowds to detect them it runs foul of the proportionality standard.

Opacity and a Lack of Oversight

Another concerning aspect is that no details whatsoever about the proposed “data fusion centre” which is set to come up in Delhi have been provided. The data fusion centre also raises its own separate privacy concerns, such as what exactly the centre entails, how sensitive biometric data of facial scans will be stored and processed and for how long. 

Further, there exists a complete absence of any oversight or accountability system with respect to the Proposed Plan, with no information provided if any privacy and data protection audits have been carried out regarding the Proposed Plan by independent experts and researchers. There is also complete ambiguity about how such sensitive biometric data of people’s faces will be stored, for how long, and the providers of the FRT software that will be used for the implementation of the Proposed Plan, thereby leading to significant opacity. 

Racial and Gender Bias in FRT

Research has clearly indicated facial recognition technology (FRT) is racially biased, is highly error prone and lacks accuracy, and thereby significantly increases the likelihood of discrimination and exclusion in a country as diverse as India. There are also significant concerns that researchers have highlighted about the gender bias in FRT.

Researchers over the world have flagged concerns about the passive nature in which individuals participate in such usage of FRT as it takes place without their explicit consent, or often even awareness. This is particularly concerning given the lack of legislative oversight, as discussed above, which also falls afoul of the standards laid down in Puttaswamy, all the while enhancing the potential for expansion and misuse to conduct mass surveillance.

FRT has been found to be Inaccurate and Unreliable

To give a concrete example, if an FRT system is trained to identify an identity, some results will always be incorrect and the best guarantee the developer of the system will be able to provide will be metrics like percentages for precision (what proportion of positive identifications was actually correct?) and recall (what proportion of actual positives was identified correctly?). No FRT system is possible where these are 100%. Outside of laboratory conditions, accuracy rates

are extremely low to the point of being dangerous if deployed. The central issue 26 here is not inaccuracy as even humans are inaccurate, the central issue is the random nature of this inaccuracy and inability to get rid of it.

IFF has in its previous work highlighted the dangers of FRT regarding its reliability, given that machine learning technologies are essentially stochastic in nature. Machine learning systems involve a certain degree of probabilistic and statistical reasoning based on pseudo-random processes as opposed to a deterministic system, where for each set of inputs only one output is possible. The Proposed Plan fails to consider that FRT systems are stochastic and will always have errors because all their results are based on probability. Thus, it is important to take into consideration that machine learning systems will always have errors which can be reduced with training with more and more data, but never be fully eliminated, which leads us to conclude that an FRT system will always have errors.

Action

IFF has filed an RTI with the CISF asking the following questions:

  1. Is the proposed plan to install facial recognition separate from the pre-existing Digi Yatra Scheme?

  2. Which government agency/authority has been identified as the Data Fiduciary for the Project?

  3. How will biometric data collected at the six airports be stored? 

  4. How long will the data be stored at the proposed data fusion centre?

  5. How long will such collected biometric data be stored for?

  6. Which government agencies/departments/authorities will have access to the biometric data collected in such a manner?

  7. Please provide a copy of the tender and other bid documents for the Project.

IFF has sent representations to the MHA, CISF, AAI, and the DGCA urging that the roll out and operation of the Proposed Plan be ceased immediately at the six major airports of Delhi, Mumbai, Bengaluru, Hyderabad, Chennai. The representations highlight the legitimate privacy concerns that arise from the Proposed Plan, which have not been satisfactorily addressed. The Plan would directly infringe upon the privacy of Indian citizens were it to go ahead and as such IFF’s representations call upon the relevant government authorities/agencies to halt it with immediate effect.

References

  1. Report by The Hindu dated June 23, 2026 [Link]

  2. IFF’s Representation to the Ministry of Home Affairs (MHA) [Link]

  3. IFF’s Representation to the Central Industrial Security Force (CISF) [Link]

  4. IFF’s Representation to the Airports Authority of India (AAI) [Link]

  5. IFF’s Representation to the Directorate General of Civil Aviation (DGCA) [Link]

Donate Now


Statement on the Information and Broadcasting Ministry’s piracy notice to Telegram
Statement on the Information and Broadcasting Ministry’s piracy notice to Telegram

New Delhi, 4 July 2026

As per a press handout on 4 July the Ministry of Information and Broadcasting issued a notice to Telegram over pirated films and OTT content, directing the platform to build systems to detect, report, disable and remove infringing material, to act against repeat infringers including channels, administrators and “associated entities”, and to file an Action Taken Report within fifteen days. Piracy causes real harm. However, a Union Ministry ordering a platform, by undisclosed letter, to build a private content policing machine is not the answer.

The notice has no clear basis in law, and may not even lie with this ministry. Intermediary obligations under the IT Rules, 2021 are in Part II, administered by the Ministry of Electronics and Information Technology. The Information and Broadcasting Ministry’s remit is Part III, covering digital news publishers and OTT services. Even the constitutionality of Part III is pending determination and several stay orders have been passed. Telegram is neither a digitial news publisher nor a OTT service provider. Beyond the this, no provision of the IT Act lets the executive order an intermediary to build filtering systems. As we have stated the Union Government meddling into platform design when without any clear legislative authority is an arbitrary action of a digital license raj.

As a reminder on first principles, copyright is a private right, enforced by rights holders before the civil courts, which already grant the film industry site blocking and John Doe injunctions. Dressing it up in the language of a, “creator economy” is disingenuous and likely to lead to censorship of those very online creators (for instance, reaction videos or parodies).

Beyond the law, the demand in feasible. The model that may be used as an example is YouTube’s Content ID, which cost Google over a hundred million dollars and nearly two decades, and still only detects a match. It cannot read a licence or recognise fair dealing under Section 52, so it flags lawful criticism and public-domain works.

Telegram’s architecture, where files are forwarded, re-encoded, renamed and rebuilt, is a poor fit for fingerprinting, and encrypted secret chats (enabled by the platform) cannot be scanned without breaking encryption. What can be built in fifteen days is a blunt filter that removes lawful speech to avoid risk.

Secrecy is an unfortunate hallmark of digital censorship and continues as the notice has not been published. What exists in public is a handout briefed via unnamed sources and helps contour reporting and narrative control by public authorities. This is the third such step in a fortnight, after the block of Telegram and the username notices to WhatsApp, Telegram and Signal.

IFF is sounding the alarm on the rapid acceleration of digital authoritarianism in India under the guise of moral panics and social issues. We demand regulatory governance than the control of platforms by the Union Government.

We call on the Union Government to publish the notice, state the provision of law under which it was issued, and explain by what authority it directs a messaging intermediary.


After WhatsApp, MeitY has reportedly sent notices to Telegram and Signal over their username features, raising serious questions about privacy, executive overreach, and constitutional safeguards.
After WhatsApp, MeitY has reportedly sent notices to Telegram and Signal over their username features, raising serious questions about privacy, executive overreach, and constitutional safeguards.
media poster

Statement on MeitY's notices widen an unconstitutional dragnet over privacy features
Statement on MeitY's notices widen an unconstitutional dragnet over privacy features

New Delhi, 2 July 2026

A day after its notice to WhatsApp on the usernames feature, as per press reports MeitY has today evening sent the same kind of notice to Telegram and Signal, asking each to explain a username feature and its safeguards against impersonation and misuse. In two days the Ministry has gone from one platform to three, and from acting on content to policing the design of products. This is a dragnet, it is widening, and it has no basis in law. As we warned in our first statement it is a digital license raj that is expanding arbitrary executive power.

We know of these notices only through press reports, and the notices themselves have not been published. Where that reporting is sourced from within the Government, MeitY is left free to shape the coverage by choosing what to hand out and to whom. Releasing a document selectively, is not the same as disclosing it to the public, and it is the opposite of transparency. The public is told that platforms are being made to answer for "misuse", while the notice that would show the demand has no basis in law stays out of sight.

We again highlight that the core defect is constitutional. The executive is restraining lawful features, and with them the private communication those features protect, without the authority of law. We agree there can be regulatory authority for such features however it requires a clear articulation of policy intent that is rooted in legislation. This simply does not exist at present. No provision of the IT Act permits it as we have explained in our statement yesterday. A restraint on how a platform may operate cuts into its freedom to carry on its work under Article 19(1)(g), and a restraint on private messaging cuts into the users' freedom of speech under Article 19(1)(a). A restriction on either must fall within Article 19(2) or 19(6) and must rest on a law, and here there is no law at all.

The sweep is also indiscriminate, which is a vice of its own. The three features are not the same. Here, the inclusion of Signal is the sharpest sign of what this is really about. Signal is a non-profit. It is encrypted by default, it collects almost no data, and its username feature exists for the single purpose of letting people communicate without handing over a phone number. Signal's is a private contact tokens with no public directory, which reduces what a user reveals rather than expose it. Signal in particular keeps almost nothing, has refused to build the searchable directory an identification order would need, and is the tool journalists, activists and many at risk people and their contacts rely on, so a notice aimed at it strikes straight at protected speech.

Beneath all three notices sits the demand for traceability under Rule 4(2) of the IT Rules, 2021, which cannot be met on an encrypted service without breaking the encryption that protects every user, and which is already under challenge before the Delhi High Court as exceeding the Act.

Each notice is a step here makes the next look ordinary and needs to clearly and unequivocally condemned for the widespread digital authoritarianism. First pieces of content are blocked in thousands, even entire accounts sometimes just for parody posts, then a whole platform is blocked for a week, and now companies are told to account for the features that keep their users safe. This is how executive power grows past the limits of our constitution.

We call on MeitY to withdraw the notices to WhatsApp, Telegram and Signal, to publish them, and to state the provision of law under which it claims to act. Privacy protective design is not a wrong to be explained away, and the Constitution does not permit a widening dragnet over the means by which people speak.


WhatsApp's usernames feature promise more privacy, but the reality is more complicated
WhatsApp's usernames feature promise more privacy, but the reality is more complicated
media poster

Statement on MeitY's notice to WhatsApp over the "usernames" feature
Statement on MeitY's notice to WhatsApp over the "usernames" feature

The Ministry of Electronics and Information Technology (MeitY) has sent WhatsApp a notice about the usernames feature it announced on 29 June 2026. The notice asks the company to explain, within three days, why regulatory action should not be taken against it "for launching a feature that may increase cybercrimes", and it directs the company "not to roll out this feature until the consultation on this point is achieved to the satisfaction of the Government". The Internet Freedom Foundation is concerned that the notice has no clear basis in law. It is an attempt by the executive to decide what a company may build and ship, which no statute permits.

The notice treats the launch of a lawful feature as a wrong the company must justify. That reverses the ordinary position especially given the absence of any clear legal power that exists. MeitY does not name any provision that lets it approve a product feature before release or order one withdrawn, because there is none, and the provisions it does cite do not supply that power.

Section 79 of the IT Act, 2000 is a safe harbour that protects an intermediary from liability for what its users post, so long as it observes due diligence. It decides when a platform can be held liable. It is not a power for MeitY to decide what features the platform may offer. Sections 66C and 66D punish identity theft and cheating by personation. They are criminal offences, tried by courts, aimed at the person who steals an identity, not at the maker of a tool that a third party misuses. Also, on MeitY's logic, a telecom operator could be told not to sell SIM cards because SIM cards are used in almost every online fraud.

Rule 3(1)(b), Rule 3(2) and Rule 4 of the IT Rules, 2021 are due diligence and grievance obligations and cannot be converted into a licensing scheme. Section 69A, the one provision that lets MeitY control what appears online, permits the blocking of specific information through a set procedure. It says nothing about which features a company may build. Further the IT Rules, 2021 are subordinate legislation made under Sections 79 and 87 of the IT Act, and subordinate rules cannot travel beyond the parent statute (Ajoy Kumar Banerjee v. Union of India). If a rule cannot exceed the Act, a letter certainly cannot. The power to require prior permission for a feature is not in the Act, not in the Rules, and cannot be created by a notice.

MeitY has tried this before. In March 2024 it told the same large intermediaries, among them AI Companies, to obtain its explicit permission before deploying under-tested AI models. That was criticised as an overreach that sought to build a licensing mechanism with no empowering provision in the IT Act, and within a fortnight MeitY withdrew it and dropped the permission requirement. This notice repeats the move for a single feature and goes further, because it names one company, sets a three-day clock, and bars the launch until MeitY is satisfied.

This matters beyond WhatsApp. A power asserted against one company by letter can be turned on any company and any feature. On this reasoning MeitY could tell a browser not to switch on a privacy setting by default, or a payments app not to add a login method, each time until it was content. The notice also invokes traceability, through Rule 4(2) of the IT Rules, 2021 and the identification of the "first originator" of a message. Rule 4(2) has been challenged as exceeding its parent provision and resting on no law made by Parliament, and that challenge is pending before the Delhi High Court. Raising it against a feature meant to share fewer identifiers fits a pattern.

We ask MeitY to state the exact provision of law under which this notice, and the direction to halt the roll-out, has been issued, and to withdraw that direction. It should stop using Section 79 and the contested traceability rule as leverage to control product design and to reverse features that improve privacy. Impersonation and fraud are real risks, but they are met by enforcing the criminal law against those who commit them, and by open processes that rest on identified legal powers. They are not met by MeitY deciding, in private and by letter, what features Indians may use. That is a licence raj for software features.

Internet Freedom Foundation
New Delhi, 1 July 2026


Since a year most of our posts have not been getting any traffic on Reddit. It’s actually better now because earlier they were for some wierd reason triggering the automated filter and being marked as spam 🤷🏽