Indian police adopt facial recognition despite risk of massive data breaches
“Real-time facial recognition” typically refers to continuous biometric monitoring. But it applies equally well to the experience of watching in real time as warnings about facial recognition give way to real-life examples of the risk to data security. As rights groups in the UK and U.S. push back against the use of facial recognition tools by law enforcement, a breach in India underscores the reality of their concerns.
‘Valerie’ breaches Tamil Nadu police facial recognition database
A breach of the Tamil Nadu Police Facial Recognition Portal exposed 800,000 lines of data, including information of over 50,000 persons, according to reports in The New Indian Express and Medianama. Exposed by threat intelligence platform FalconFeeds.io, the breach was the work of a group calling itself “Valerie,” which has claimed responsibility. Data stolen from five types of data sets has been found for sale on the dark web, and includes names of police officers, phone numbers, info on police stations, and first information report (FIR) details.
According to Nandakishore Harikumar, the owner of FalconFeeds.io, “since details from FIRs including personal identification details (of accused and suspects) have been stolen, there is a possibility of scamming family members into making payments. For instance, calls claiming to be from a particular police station, along with personal identification details, may make family members believe in the genuineness of the call and may lead to transfer of payments to scamsters.” An admin account that was compromised has been deactivated.
Tamil Nadu police’s facial recognition system was first deployed in 2021. It uses biometrics software developed by the CDAC (Centre for Development of Advanced Computing) Kolkata. Intended to be used by police officers on patrol who might need to verify information about a potential suspect, the system has been criticized for giving too much allowance to police in determining who warrants a face scan, since there are no formal criteria for identifying someone as a suspect.
Face biometrics adoption continues across Indian government, law enforcement
The potential risk in hoarding massive honeypots of biometric data that is vulnerable to breaches and attacks is not deterring authorities across India, which continue to roll out facial recognition systems with enthusiasm.
India Today reports that the government of Meghalaya in Northeast India will deploy 300 facial recognition cameras and algorithmic software throughout the city of Shillong to deter criminal activity. According to Chief Minister Conrad Sangma, “work is already underway, with high-level cameras being installed at various junctions.”
An article in News Intervention says police in Jammu and Kashmir have deployed an AI-based facial recognition system to monitor vehicles passing through a tunnel on the Jammu-Srinagar National Highway. The system’s high-focus CCTV cameras capture and analyze the faces of drivers and passengers against a database of images of militants, overground workers, and criminals.
Medianama says the Telangana State Police Department is seeking a service provider for the implementation of its Automated Multimodal Biometric Identification System (AMBIS), an upgrade to the existing Automated Fingerprint Identification System (AFIS). The move is spurred by the new Criminal Procedure (Identification) Act, 2022, which gives law enforcement more power to collect biometric data such as iris scans, facial images, fingerprints, footprints and so on.
Biometrics for police come from Japan, but subject to domestic ethics
While India continues on its path to digital transformation, touting big projects such as Aadhaar and Digi Yatra, much of the underlying tech comes from Japan – which, according to a report from The Wire, is also supplying many of India’s police forces. “Biometrics in India are now ubiquitous in day to day life from unlocking phones to using them everywhere Aadhaar has been forcefully made mandatory,” writes Srinivas Kodali. “But the real danger of these technologies is in policing and surveillance of India’s population.”
Kodali says Japanese firm NEC has been supporting India’s technology infrastructure since the 1950s, and now supplies Indian law enforcement agencies with biometric tools. “NEC’s vast experience in this space gives it an edge compared to other domestic and international organizations operating in India,” he writes.
That NEC supplied police with facial recognition should not come as a surprise, he says, given that they also supply technology used to build Aadhaar and Digi Yatra. The reliance on Japanese technology is partly a way to avoid outsourcing critical infrastructure projects to China, but Kodali says it does not address the issue of potential misuse by domestic clients, asserting that “while NEC Corporation itself has a human rights policy, Indian organizations, including the private sector, are known for their abuse of such systems.”