Raising questions over surveillance powers and privacy rights, the CBI has asked social media platforms to run Microsoft-owned PhotoDNA for investigation into regular criminal cases, in violation of international norms stipulating that this specialised software is “exclusively used to identify child exploitation images”.
PhotoDNA is currently at the centre of a debate in Europe, where the EU’s European Privacy Regulation is moving to effectively ban social media companies from using this software to proactively scan billions of images for child abuse. Companies such as Twitter, Microsoft, YouTube and Facebook do not allow use of this software, even exclusively for blocking extremist content or terrorist messaging.
However, a notice issued this month to social media platforms by the CBI under Section 91 of CrPC, accompanied by some photographs, states: “For the purpose of investigation, you are requested to conduct PhotoDNA in respect of photographs CBI asks social media firms to use intrusive photo tech to track suspects enclosed herewith. The said information is required very urgently for the purpose of investigation.”
This means that social media companies would have to run a surveillance search on all photographs on their servers — and not data of any suspect’s account — using PhotoDNA software.
According to Microsoft, PhotoDNA “is exclusively used to identify child exploitation images” and is free to use. Its usage for other purposes has been restricted as it would mean imposing restrictions on a free and open Internet and legitimise broader regimes of censorship.
Such an act would also violate the right of privacy, upheld by the Supreme Court as a Fundamental Right earlier this year, by placing all users on any social media platform — including those who are neither charged nor suspect — effectively under surveillance. A CBI spokesperson did not respond to queries from The Indian Express on the use of this software.
Sources told The Indian Express that they are not aware of any legal bar in India for the use of PhotoDNA for cases other than child exploitation. Moreover, it was only a request to social media companies and it is up to them to comply with the notice or not, sources said.
“If any police or investigative agency is using PhotoDNA for a general crime investigation, it is a massive breach of the intended purpose of this technology, which is only for checking child sex abuse cases. This is the slippery slope of surveillance and censorship,” said Apar Gupta, executive director, Internet Freedom Foundation.
PhotoDNA creates a unique digital signature or “hash” of an image, which is then compared against that of other photos to find copies of the same image. When matched with a database containing “hashes” of previously identified illegal images, this software is used to help detect, disrupt and report the distribution of child exploitation material.
These databases of hashes are not maintained by Microsoft but independent organisations such as US-based National Center for Missing and Exploited Children (NCMEC), the Internet Watch Foundation and Project Vic, which are used internationally by law enforcement agencies.
In 2009, Microsoft partnered with Dartmouth College to develop PhotoDNA, a technology that aids in finding and removing known images of child exploitation, the tech giant says on its website. Today, PhotoDNA is used by organisations around the world and has assisted in the detection, disruption, and reporting of millions of child exploitation images, it says.