A police facial recognition database, which contains photos of not just criminals but anyone that the police have taken a picture of for matching purposes, was readily available on the Internet with no security, according to security researcher Oliver Hough. Screenshots reviewed by HuffPost India show how Hough was able to see people’s faces, phone numbers, and the nearest police station. The database, maintained by the Madurai police, also included information about the people authorised to use the system, including their phone numbers.
On Thursday night, Hough tweeted about CopsEye, which is used by the Madurai police, saying that he had found data leaked from the application. Alongside the suspect photos, the leak included the names of officers using the app, the OTP codes needed to access it, and admin passwords, all in plain text with no security.
This comes at a time when more and more cities and states in India are stealthily deploying facial recognition programs for the police without any public consultation on the need, efficacy or risks associated with such invasive technology.
The effectiveness of such programs is questionable — for example, in April last year, the Delhi Police claimed to have found 3000 missing children using a new facial recognition system.
This year, the Ministry of Women and Child Development told the Delhi High Court that the system was so glitchy that it mistook boys for girls.
Despite this, there is a growing wave of artificial intelligence startups across the country, and plans to take such systems across the nation, with the National Crime Records Bureau putting up a tender for a National Automated Facial Recognition System.
On Friday, HuffPost India sent emails to CopsEye and the Madurai Police seeking comment, and we will update this article once they respond.
“I found the database while collecting and testing different firebaseio.com database URLs. I didn’t attempt to bypass the authentication on the app — in fact I never even downloaded the app,” explained Hough.
Firebase is a highly popular app-development platform, which was acquired by Google in 2014. Since it’s used by a wide variety of app developers, security researchers will often search these databases to find weaknesses in applications. In this case, Hough struck a rich vein of data while prospecting.
The CopsEye app is free to download, but users have to verify themselves using an OTP, which is in theory enough to keep the data inside secure. However, when Hough found the database, he also found all the OTPs listed there, in plain text, allowing anyone to gain access.
“The OTP has to be stored somewhere so it can be checked when they log in; normally this would be stored as a hash so anyone with access to the database can’t steal all the OTPs,” he said.
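As an added illustration of the practice Hough describes (this is example code, not code from CopsEye or from anyone quoted in this article), the snippet below stores each OTP as a salted, keyed hash with an expiry and an attempt limit instead of in plain text. The `record_store` dict stands in for the database, and the server-side key held outside the database is an assumption; keeping that key out of the database means a leaked copy of the records alone does not yield usable codes.

```python
import hashlib
import hmac
import os
import secrets
import time

# Server-side key that must live outside the database (e.g. an environment
# variable on the API server). Assumed here; generated fresh if unset so the
# example runs stand-alone. Without it, a leaked database cannot be used to
# recover or brute-force the short numeric OTPs offline.
SERVER_KEY = os.environ.get("OTP_SERVER_KEY", "").encode() or secrets.token_bytes(32)

OTP_TTL_SECONDS = 300   # short-lived: a leaked record is useless after a few minutes
MAX_ATTEMPTS = 5        # stops online guessing of a 6-digit code early


def generate_otp(digits=6):
    """Cryptographically random numeric OTP, zero-padded to the requested width."""
    return f"{secrets.randbelow(10 ** digits):0{digits}d}"


def _keyed_hash(otp, salt):
    # HMAC over (salt || otp) with the server key: unlike plain-text storage,
    # the stored value reveals nothing about the OTP to whoever reads the database.
    return hmac.new(SERVER_KEY, salt + otp.encode(), hashlib.sha256).digest()


def store_otp(record_store, user_id, otp, now=None):
    """Persist only salt, keyed hash, expiry and an attempt counter; never the OTP."""
    now = time.time() if now is None else now
    salt = os.urandom(16)
    record_store[user_id] = {
        "salt": salt.hex(),
        "hash": _keyed_hash(otp, salt).hex(),
        "expires": now + OTP_TTL_SECONDS,
        "attempts": 0,
    }


def verify_otp(record_store, user_id, candidate, now=None):
    """Check a submitted code; the record is consumed on success, expiry or lockout."""
    now = time.time() if now is None else now
    rec = record_store.get(user_id)
    if rec is None:
        return False
    if now > rec["expires"] or rec["attempts"] >= MAX_ATTEMPTS:
        record_store.pop(user_id, None)      # expired or locked out: discard the record
        return False
    rec["attempts"] += 1
    ok = hmac.compare_digest(_keyed_hash(candidate, bytes.fromhex(rec["salt"])),
                             bytes.fromhex(rec["hash"]))
    if ok:
        record_store.pop(user_id, None)      # single use: a code cannot be replayed
    return ok
```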
The database also suggests that even someone who is not a criminal, but simply a suspect the police photographed, has their picture put on the Internet, where it stays. One of the files in the database holds photos that found no match but are still available online, together with the person’s name and phone number.
The information remained online and unsecured for an unknown amount of time — CopsEye was launched in Madurai in March 2018, and according to reports, was used to arrest 18 individuals. In June this year, the app was launched in Namakkal district in Tamil Nadu.
The database was only removed from online access earlier today, after Hough’s tweets, although the company had not responded to him either, at the time of writing.
“It was very easy to download the whole database (it was closed this morning). To prove this I sent a link to the app to a friend, and this friend found the database in 5-10 minutes,” said Hough. “This is an issue that should have been found while testing before they released the app. There is no excuse here really; it clearly was not tested to a high enough standard. When this is an app for police I would expect it to not have silly bugs like this, where you visit one URL and then you have the whole database.”
The use of facial recognition technology for policing has been under criticism in India and the rest of the world, for a number of different reasons. The first is that such technology is often much less effective than it claims to be, as the Delhi police example shows.
In the US, a similar app called Rekognition made by Amazon was shown the pictures of US members of Congress, and wrongly identified many of them as criminals. Perhaps not surprisingly, the system tended to misidentify people of colour more than white people.
“There is mounting evidence in other countries to show that facial recognition systems are less accurate in identifying ethnic minorities and women, leading to a higher possibility of misidentification—and therefore discrimination—against communities that are already more vulnerable,” said Kritika Bharadwaj, one of the lawyers in the landmark 2017 Right to Privacy case.
“I think it’s scary that this is being rolled out in different cities,” Hough added. “If this deployment is anything like the others then I would expect more data breaches in the future.”
“I’ve already been sent links to other similar apps that I plan to take a look at soon. It’s a worrying sight that a country that produces so much tech talent is resorting to the lowest bidder for government/police projects.”