Madurai Police left data of individuals unsecured after using facial recognition app
In a thrilling turn of events, names and photographs of thousands of ‘suspected criminals’ were leaked to the public over the internet in a major privacy breach of a facial recognition app used by the Tamil Nadu police at its Madurai city branch. Cyber security researchers detected and flagged the leak.
The app, Copseye, was designed by Madurai-based startup Geomeo Informatics. The app allowed the police to take photos of people suspected to be involved in criminal activity. The photos were then automatically sent to the police's centralized criminal database to scan for prior criminal records. When a match was found, it allowed police to investigate the ‘suspects’.
However, security researchers Robert Baptiste, better known as Elliot Alderson, and Oliver Hough on Thursday took to Twitter to report the openly available information database, which contained names, photos, One Time Passwords, an administrator password and details of police officers using the app.
Emailed queries and phone calls to the commissioner and deputy commissioners of Madurai police seeking comment elicited no response till press time on Friday. A spokesperson for Geomeo Informatics said the app was "only a demo version with a dummy database" which the developers had been using to launch the app in another district of Tamil Nadu.
“The photos and names are from a test set, they may not necessarily be exact matches. They could be indicative names assigned to the photos to be checked later. This demo app is used to show how the product works,” the spokesperson said, adding the company would “secure the database” and create an internal policy to “use local servers, rather than cloud servers for product testing.”
According to UK-based Hough, there were photos of “roughly 4,900 ‘wanted’ people and roughly 7,500 images uploaded to be checked. Every image that is checked is stored, no matter if it’s a match or not.” Firebase, the Google-owned database company, kept giving warnings, with no luck on hiding the database, which was allegedly left unsecured, according to the researchers.
“The main issue here is the database was not secured and left in public view, this should have been easily spotted in testing… (I) wanted to highlight how apps made for government/police usage are not being tested to good standards,” Hough said. The app was not available on the Google Play Store on Friday, following the flagging of the data leak. It was available for download until Thursday.