Project PanopticFRTpolice

Why a massive leak in Tamil Nadu Police’s FRT database must herald the end of police use of surveillance technologies

On May 4, 2024, a massive leak of 8 lakh data points in Tamil Nadu Police’s FRT portal exposed the facial and personal data of about 50,000 accused or suspected persons, linked with details of their FIRs and alleged crimes. It’s time to #BanTheScan.

Disha Verma
Disha Verma

17 May, 2024
11 min read

Donate Now

tl;dr

A massive leak in the Tamil Nadu police’s Facial Recognition Portal has revealed many scary truths. Not only is centrally stored facial biometric data of suspects and criminals an ipso facto violation of their privacy and human rights, but it is also not securely stored or adequately regulated under Indian law. The blatant lack of checks and balances on how law enforcement uses surveillance tools like FRT also makes such criminal identification systems breeding grounds for discrimination, targeted policing, and disenfranchisement of historically marginalised groups. This post explores the recent data leak, how FRT systems work in criminal investigations, and the law (or lack thereof) to regulate it; and also calls attention to a significant global campaign #BanTheScan, which in context of how Indian police forces use FRT, is the need of the hour.

Background

On May 4, 2024, threat intelligence platform FalconFeeds.io reported a massive breach in Tamil Nadu (“TN”) Police’s Facial Recognition Portal, which exposed over 8,00,000 lines of data, including match reports from their Facial Recognition System (“FRS”). Other categories of leaked data include:

  • Police officer Data: 54,828 users’ personally identifiable information, including user ID, user name, first name, last name, police station, district, contact, last login, date joined, active status, staff status, superuser status, login type(s), verified person type(s);
  • Police Station Data: 2,738 police stations’ data, including the police station ID, police station name, code, district, district code, pin code, contact details;
  • Police ID data: 54,934 users’ data, including user ID, image, user name, first name, last name, police station name, district, email address;
  • FIR Data: 8,98,352 FIRs with FIR ID, NIC FIR number, FIR number, person category, police station, district, investigating officer, launch date, occurrence date, stage of the case, name in FIR, age, gender, parentage, address;
  • Alert Data: 235,753 Searches/Alerts made by police officers, along with the following data: Alert ID, alert against the query, query fir, alert against fir, source police station, source district, target police station, target district, alert result, not matched reason, alert made by, launch date, back date, initial comment, alert state.

The TN police promptly responded through a press release the same day, claiming that the password of an admin account was compromised and has since been deactivated. They stated that the last security audit of the portal was carried out by Tamil Nadu e-Governance Agency (“TNeGA”) on March 13, 2024. As a preventive measure, the TN police have deactivated the admin account. They claimed that unauthorised users can view only the front end data (like creation of ID for users, queries search) and hence could not have accessed the backend data or main server data. They added that a complaint has been filed at the Cyber Crime Police Station, Chennai and key departments have been notified of the leak for further action.

How does the FRS work?

The FRS portal and software used by the TN Police was developed by the Centre for Development of Advanced Computing (“CDAC”), Kolkata division, and hosted on the server at Tamil Nadu State Data Centre, Electronics Corporation of Tamil Nadu (“TNSDC-ELCOT”). It generated Facial Recognition Reports each time a police officer ran a query image (i.e. picture of the person to be identified). The software helps the TN Police to capture the images of wanted persons, missing persons, and unidentified corpses from the central Crime and Criminal Tracking Network and Systems (“CCTNS”) database. The portal, comprising all the facial biometric data and reports, is used by 46,112 users across Tamil Nadu. This is the interface that suffered a leak through a compromised password.

In 2021, we analysed how Indian police forces use facial recognition technology (“FRT”). Police forces use it for two primary purposes—verification and identification. Verification, or authentication, is done by matching the live photograph of a person to the pre-existing photograph that has been uploaded on any government FRT database. This is to ensure that the person presented is who they are claiming to be, and is also called 1:1 matching. This is more ubiquitous among government administrative departments, which use FRT to authenticate the identity of an individual seeking to gain access to any benefits or government schemes. 

Identification, on the other hand, is heavily relied on by police forces for rounding up criminals and suspects. This is done by trying to get a match between the face of an individual (usually a suspect) which has been extracted from a photograph/video or taken at the police station, with the entire criminal database maintained by the state police, in order to ascertain the identity of the individual. This is also called 1:many matching. Usually, the FRS used by the police will produce reports with a list of close matches (also called a probability match score or a confidence score) between the suspect who is to be identified and the pre-existing FRT database. For the TN police, as for many other state police systems, the CCTNS serves as a central storage of all such facial data that the suspect can be matched against. Read our critical analysis of the CCTNS storage and tracking system and its surveillance and privacy concerns here

In every such FRS match report, multiple possible matches are generated and listed on the basis of their likelihood to be the correct match with corresponding confidence scores. The final identification, however, is done by the police officer, who selects one match from the list of matches generated by the technology. This identification procedure has been globally critiqued to be ripe for misidentification because, while the software releases several possible matches, the police officer or ‘human analyst’ conducting the search makes the final identification.

Such a methodology also opens the door for the police officers’ own biases to creep into the final result wherein they may be prejudiced against a certain race, religion, or community, based on which their decision making may be affected. Indian police forces have a deep history of institutionalised biases and targeted policing against certain minorities, and many existing police databases reflect these biases. Relying on these cryptic technologies (that are impossible for most common men to understand) to make significant law enforcement decisions such as identifying criminals and making arrests, can legitimise the existing biassed data and absolve police forces and officers of any accountability.

But does it even work?

The accuracy rates generated by the FRT depend on a number of factors—camera quality, light, distance, database size, algorithm, and the suspect’s race and gender, to name a few. Advanced systems around the globe can achieve accuracy rates of 90%, but that still means that chances of misidentification are 10%, which is high enough. Misidentification, or false positives, occur when a person is identified as someone they are not. This is especially concerning as it can lead to the police pursuing and charging innocent persons for a crime they did not commit. And as existing police databases are flawed and biassed, the chances of implicating persons belonging to certain minorities or marginalisations also become high. 

This is markedly different from identification through other kinds of biometric prints like fingerprints or DNA samples. As research done at National Association of Criminal Defense Lawyers shows, “(i)f the sample is contaminated or does not have enough of the biometric data, either insufficient DNA or a partial latent fingerprint, the result is inconclusive. Facial recognition is different; even if the matches include the correct suspect, the analyst conducting the search and selecting the match to forward to investigators may choose the wrong individual. The correct match may not even be in the list of results identified by the software, but the analyst reviewing the results may find a match anyway, thereby implicating an innocent person (a false positive).” 

Further, we have found through Right to Information (“RTI”) requests that police forces in India have low accuracy rates while deploying FRT. The accuracy of their FRT depends on light conditions, distance, and angle of face. For the Delhi police, all matches above 80% similarity are treated as positive results while matches below 80% similarity are treated as false positive results which require additional “corroborative evidence”. It is unclear (and astounding) why 80% is chosen as the threshold above which a match will be “positive” and that an above 80% match score is sufficient to assume the results are correct and no justification has been provided for this classification. Moreover, the distinction between categorisation of below 80% results as false positive instead of negative shows that the Delhi police may still try to use below 80% results for further investigation by trying other methods of “corroborative evidence”. 

This means that, even if the technology does not give a sufficient enough result, the police may continue to investigate anyone who may have gotten a very low match score. By this logic, any person who looks even slightly similar could end up being targeted, raising concerns for people from historically marginalised communities. Further, according to a submission made before the High Court of Delhi, the accuracy rate of the FRT being used by the Delhi Police is 2%. TWO PERCENT!!!

Inaccuracy, however, is not an Indian problem which can be solved with “better” technology. According to a report by Georgetown Law’s Center on Privacy and Technology, the FBI’s own statistics suggest that one out of every seven searches of its facial recognition database fails to turn up a correct match, meaning the software occasionally produces 50 “potential” matches who are all “innocent”. While we do not have any complete information about all FRT systems in India and their respective accuracy rates due to a lack of transparency on the part of the government authorities, it is safe to assume that their accuracy rates will be significantly lower than the FBI’s 86% accuracy rate… which, unlike Delhi or TN police, has access to the most advanced technology in the world. 

But all this can be prevented by the law right? Right???

As it stands today, use of FRT or any surveillance systems is not regulated by any law in force in India. There are no standards, guidelines, circulars, policy documents, or even internal office memorandum (at least in the public domain) in place to regulate the technology or certify its quality or accuracy. Yet, police forces are increasingly becoming the largest deployers of various surveillance tools. It is not far-fetched to think that the FRS being deployed by them is sub-par in quality and may easily lead to misidentification, and ultimately, false convictions.

Even when the Digital Personal Data Protection Act, 2023 (“DPDPA”) comes into play with its procedural Rules notified, it still may not be able to adequately protect the sensitive facial biometric data of suspects or criminals in the system, or regulate its use by police forces. This is for two reasons. 

  1. Section 17 of the Act holds the power to exempt government instrumentalities and law enforcement agencies from its very application at any given time. It is highly likely that such an exemption will be afforded to police forces, as law enforcement is often given far and wide regulatory exemptions for purposes of maintaining public order, safety, or security. The valuable provisions of seeking informed and verifiable consent before data sharing, among others, will not apply to police use of FRT.
  2. The DPDPA does not classify ‘sensitive personal data’ as a distinct category needing additional safeguards and caution, like its earlier versions or even the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. Global instruments recognise the sensitive nature of biometric information such as facial data and the vulnerable position the processing of such data may leave the data principles in. As the European Council’s ‘Guidelines on facial recognition’ recognise, 
Considering the potential intrusiveness of these [facial recognition] technologies, legislators and decision makers have to ensure that an explicit and precise legal basis provides the necessary safeguards for the processing of biometric data. Such a legal basis will include the strict necessity and proportionality of their use and will take into consideration the vulnerability of the data subjects and the nature of the environment in which these technologies are used for verification purposes.

Therefore, until specific Rules under the DPDPA prescribe higher standards for processing sensitive information such as facial biometric data, criminal FRS across India will continue to operate without appropriate privacy safeguards.

It is pertinent to note that the TN police attempts to legitimise their use of FRS by drawing powers to identify criminals under the Tamil Nadu District Police Act, 1859 and the Code of Criminal Procedure, 1973. They have been using this wide interpretation of policing powers to actively progress towards installing and deploying FRT systems across the state. For instance, by April 2022, the government had equipped over 40,000 personnel in the field and police stations with FRTs, and since 2018, the government has installed facial recognition-enabled CCTV cameras in 100 “crime-sensitive” locations and had commenced operating the technology in Kancheepuram and Madurai as of March 2022.

However, the constitutional validity of TN police’s legal interpretation and use of FRT ubiquitous is under legal challenge, where the petitioner is assisted by IFF. We have challenged the deployment on the grounds that a) the Supreme Court in K.S. Puttaswamy v. Union of India & Ors (2017) 10 SCC 1 has held that the government cannot curtail the right to privacy unless such restriction is grounded in law, and is necessary and proportionate; and the manner of implementation of the FRT infringes the right to privacy, as it fails the five-pronged proportionality test laid by the Supreme Court; b) it lacks legislative authorisation and thus, fails the test of legality, as the reliance placed on Tamil Nadu District Police Act of 1859 and Code of Criminal Procedure of 1973 is inherently flawed; c) even if it is held that the FRT is sufficiently grounded within existing legislation, it still fails the other prongs of proportionality requirement, specifically, rationality, necessity, balancing and safeguards against abuse; and d) the deployment of FRT is demonstrably discriminatory in nature, and hence, without prior impact assessment, it violates Article 14 of the Constitution. We await the next date of hearing in the matter.

It is time to #BanTheScan

We know that FRT used by police forces is not accurate. We know that it can lead to rights violations and disenfranchisement of historically marginalised groups. We know that it is deployed without legal safeguards or checks and balances. After the massive leak in the TN FRS portal, we now know that this facial data collected in vast numbers, is also not secure. Given that the privacy and human rights violations and surveillance concerns associated with criminal FRS far outweigh its benefits, it is time that police forces stop using it altogether. 

A similar demand is echoed in Amnesty International’s Ban The Scan campaign, which is a call to completely withdraw all private and public use of FRS owing to the high risks associated with FRT. Amnesty claims, with evidence from around the world, that criminal FRS greatly threatens the rights of minority communities and people with darker skin, who are at risk of false identification and false arrests. As we have tracked in our surveillance and transparency endeavour, Project Panoptic, the Indian government has spent a whopping 9.6 billion rupees on FRT despite several human rights concerns. 

FRT is an extremely invasive and dangerous surveillance tool which poses a direct threat to individual privacy, especially at the hands of law enforcement. Police forces are able to amass and process large volumes of sensitive facial data without any checks, consent, transparency, or procedural safeguards. If too accurate, the deployment of such tech perpetuates the creation of a surveillance regime, where citizens are constantly placed under a watchful eye, and their fundamental rights to free speech, dignity, privacy, and even life, can be infringed upon without checks and balances. If inaccurate, it can lead to the incrimination of innocent persons, as police forces liberally use FRT for criminal identification—often with high error margins. 

We, at IFF, have consistently opposed and condemned the use of FRT by Indian law enforcement agencies. Such flawed and invasive tools infringes upon privacy and civil liberties of not only convicted criminals, but also a large volume of unsuspecting innocent persons, all in the absence of legal safeguards. Facial biometric data is a highly sensitive kind of personal data that can be weaponised to profile, police, and silence citizens. This massive data leak in TN police’s FRT database is proof that the manner in which such sensitive data is being stored is completely unsecured too—we have written to CERT-In urging them to investigate the leak promptly. Given the scale of privacy violation due to this leak, it time to #BanTheScan, especially when it comes to police use of FRT.

Important documents

  1. IFF’s letter to CERT-In on the Tamil Nadu FRT portal data leak dated May 15, 2024 (link)
  2. IFF’s post titled ‘Madras HC issues notice on petition challenging use of FRT in Tamil Nadu’ (link)
  3. IFF’s post titled ‘From investigation to conviction: How does the Police use FRT?’ (link)
  4. IFF’s Project Panoptic (link)
  5. Amnesty International’s Ban The Scan campaign (link)
Donate Now

Subscribe to our newsletter, and don't miss out on our latest updates.

Similar Posts

1
Supreme Court issues notice in Sushant Singh's transfer petition challenging website blocking

Sushant Singh has sought transfer of his writ petition from the Bombay High Court to the Supreme Court, challenging Rules 8 and 16 of the IT Blocking Rules, 2009. On 02.05.2025, the Supreme Court issued notice and tagged it with SFLC’s pending petition raising similar issues.

6 min read

2
Section 44(3) and the Systematic Dismantling of the RTI Act: A Fact Check to Ashwini Vaishnaw

Section 3 has no relevance to the RTI amendment, and Mr. Ashwini Vaishnaw's response fails to address the core concern: Section 44(3) weakens citizens’ right to information and transparency in governance. IFF does a fact check. 

6 min read

3
Budget Session 2025: A Digital Rights Review

The Budget Session of Parliament, held from January 21 to April 4, 2025, included a recess from February 13 to March 10 for Standing Committee reviews. Key discussions covered various national issues, including digital rights and freedoms.

12 min read

Donate to IFF

Help IFF scale up by making a donation for digital rights. Really, when it comes to free speech online, digital privacy, net neutrality and innovation — we got your back!