Indian police adopt facial recognition despite risk of massive data breaches

A breach of the Tamil Nadu Police Facial Recognition Portal exposed 800,000 lines of data, including information of over 50,000 persons, according to reports in The New Indian Express’ and Medianama. Exposed by threat intelligence platform FalconFeeds.io, the breach was the work of a group calling itself “Valerie,” which has claimed responsibility. Data stolen from five types of data sets has been found for sale on the dark web, and includes names of police officers, phone numbers, info on police stations, and first information report (FIR) details.

According to Nandakishore Harikumar, the owner of FalconFeeds.io, “since details from FIRs including personal identification details (of accused and suspects) have been stolen, there is a possibility of scamming family members into making payments. For instance, calls claiming to be from a particular police station, along with personal identification details, may make family members believe in the genuineness of the call and may lead to transfer of payments to scamsters.” An admin account that was compromised has been deactivated.

Tamil Nadu police’s facial recognition system was first deployed in 2021. It uses biometrics software developed by the CDAC (Centre for Development of Advanced Computing) Kolkata. Intended to be used by police officers on patrol who might need to verify information about a potential suspect, the system has been criticized for giving too much allowance to police in determining who warrants a face scan, since there are no formal criteria for identifying someone as a suspect.