Facial recognition app used by Madurai Police left data of individuals unsecured

0
Share If You Like The Article
          

Copseye, designed by Madurai-based startup Geomeo Informatics, allows the police to take photos of people suspected to be involved in criminal activity.

MUMBAI: Names and photographs of thousands of ‘suspected criminals’ were exposed to the public over the internet in a major privacy breach of a facial recognition app used by the Tamil Nadu police at its Madurai city branch. The leak was detected and flagged by cyber security researchers.

Copseye, designed by Madurai-based startup Geomeo Informatics, allows the police to take photos of people suspected to be involved in criminal activity.

The photos are then automatically sent to the police’s centralized criminal database to scan for prior criminal records. A match allows police to investigate the ‘suspects’.

Security researchers Robert Baptiste, better known as Elliot Alderson, and Oliver Hough on Thursday took to Twitter to report the openly available information database, which contained names, photos, One Time Passwords, an administrator password and details of police officers using the app.

ET has independently verified that the photos and names were, in fact, openly available.

Emailed queries and phone calls to the commissioner and deputy commissioners of Madurai police seeking their response elicited no response till press time on Friday.

A spokesperson for Geomeo Informatics said the app was “only a demo version with a dummy database” which the developers had been using to launch the app in another district of Tamil Nadu.

“The photos and names are from a test set, they may not necessarily be exact matches. They could be indicative names assigned to the photos to be checked later. This demo app is used to show how the product works” the spokesperson said, adding the company would “secure the database” and create an internal policy to “use local servers, rather than cloud servers for product testing.”

UK-based Hough said there were photos of “roughly 4,900 ‘wanted’ people and roughly 7,500 images uploaded to be checked. Every image that is checked is stored, no matter if it’s a match or not.”

The data was allegedly left unsecured despite the company receiving warnings from the Google-owned database company, Firebase, according to the researchers.

“The main issue here is the database was not secured and left in public view, this should have been easily spotted in testing… (I) wanted to highlight how apps made for government/police usage are not being tested to good standards,” Hough said.

The app was not available on the Google Play Store on Friday, following the flagging of the data leak. It was available for downloads until Thursday.

Leave a Reply

Your email address will not be published. Required fields are marked *