With the implementation of central criminal tracking databases going slow, the Telangana police is effectively building its own StateGRID without any major cyber security or privacy protections.
Update: Addressing the author and audience during a conference, Hyderabad’s police commissioner announced that the IPIH project has been transferred to the IT department after the initial tender was released. Both the commissioner and a senior IT department official assured that access to the data is highly restricted, but that it is being used for better service delivery and detecting fraud.
Hyderabad: The Centre’s delay in properly implementing the Crime and Criminal Tracking Network and Systems (CCTNS) scheme is forcing individual police departments to build their own surveillance networks under the pretext of smart policing.
The Hyderabad police force, for instance, has already built its own criminal tracking system and has started moving forward with the construction of a database that will help profile every resident and citizen, even those potentially without any criminal background.
The database, known as the ‘Integrated People Information Hub’ (IPIH), offers a “360-degree view” of citizens, according to police commissioner M. Mahender Reddy as reported in Telangana Today.
The IPIH is being promoted primarily as a smart policing mechanism in order to attract foreign direct investment (FDI), according to the tender. The technical architecture talks about linking CCTV footage, fingerprint data and call data records (CDR) using entity matching and other data mining algorithms. Other variables for the system include a citizen’s name, father’s name, mother’s name, spouse’s name, address, date of birth, mobile number, contact number, driving license, voter ID, Aadhaar number and a crime number.
These separate data points help identify and group the records or crime history of a citizen, as well as identify the relationships the person shares with others. All of this data has already been collected by the state government right after the formation of Telangana through a large-scale survey called ‘Samagra Kutumba Survey’ – a mini-Census if you will.
Designed to be used by every department in the state, IPIH defies the logic of the ‘Principle of Least Privilege’. A popular credo in the field of information and cybersecurity, this informal rule quite simply states that any software, program or user should be able to access only the information and resources that are necessary for a particular and legitimate purpose.
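What the principle described above would look like if applied to a record of the kind IPIH holds, as an added example (not code from the tender or the police): each department and purpose is granted only the fields it needs, everything else is denied by default, and every request is logged. The field names follow the variables the tender lists; the department names, purposes, case reference and sample record are assumptions made for illustration.

```python
# Added illustration: deny-by-default, purpose-bound access to a citizen record.
# Departments, purposes and the sample record are constructed for this example.
from datetime import datetime, timezone

# Each (department, purpose) pair maps to the minimum set of fields it needs.
POLICY = {
    ("transport", "licence_renewal"): {"name", "date_of_birth", "driving_license"},
    ("civil_supplies", "ration_eligibility"): {"name", "address"},
    ("police", "case_investigation"): {"name", "address", "mobile_number",
                                       "crime_number"},
}

AUDIT_LOG = []  # a real system would use append-only storage the caller cannot edit


class AccessDenied(Exception):
    """Raised when a request asks for any field outside its grant."""


def fetch(record, department, purpose, requested, case_ref=None):
    """Return the requested fields if the policy grants all of them; log every attempt."""
    allowed = POLICY.get((department, purpose), set())  # unknown pair gets nothing
    # Police access must be tied to a registered case reference.
    if department == "police" and not case_ref:
        allowed = set()
    denied = set(requested) - allowed
    AUDIT_LOG.append({
        "at": datetime.now(timezone.utc).isoformat(),
        "department": department, "purpose": purpose, "case_ref": case_ref,
        "requested": sorted(requested), "denied": sorted(denied),
    })
    if denied:
        raise AccessDenied(f"{department}/{purpose} may not read {sorted(denied)}")
    return {field: record[field] for field in requested}


SAMPLE = {  # constructed record, not real data
    "name": "A. Resident", "father_name": "B. Resident", "address": "Hyderabad",
    "date_of_birth": "1990-01-01", "mobile_number": "0000000000",
    "driving_license": "DL-PLACEHOLDER", "voter_id": "VOTER-PLACEHOLDER",
    "aadhaar_number": "XXXX-XXXX-XXXX", "crime_number": None,
}

if __name__ == "__main__":
    print(fetch(SAMPLE, "transport", "licence_renewal", ["name", "driving_license"]))
```

A request that names even one field outside its grant fails as a whole and is still written to the audit log, so over-broad queries are visible rather than silently trimmed.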
Disguised as a measure to control corruption and tax evaders, this massive database is very similar to what central intelligence agencies want access to through NatGRID. The implementation of the NatGRID system, like CCTNS, has been delayed over the years.
The IPIH tender document cites the example of the US Department of Homeland Security using similar measures for policing and profiling passengers, but fails to acknowledge India’s national efforts along similar lines. The Hyderabad police is creating yet another parallel mass surveillance database, with minimal security features, that will be shared with every other government employee in the state of Telangana.
The need for mass surveillance in India didn’t start with the Mumbai attack of 26/11; in South India it pre-dates that, going back to the Hyderabad twin bombings of 2007 – when a blast right opposite the state secretariat sent shivers through the bureaucrats, political class and police of the then-united Andhra Pradesh. What followed was a series of surveillance measures, including cameras all over the city. Hyderabad has a large number of surveillance cameras, around 30,000 – much higher than other major cities, which trail far behind at 5,000-6,000 cameras. When it comes to surveillance, Hyderabad may be the most surveilled city in India, with city police hoping to increase the number of cameras up to 1 lakh.
These are primarily legacy technologies from over a decade ago and have been prone to all kinds of data mismanagement issues. For example, the Hyderabad police has been using a third-party portal to geotag and record crime incidents. This portal has had almost no security measures or restrictions on access – its incident pages were even indexed on Google for almost 10 years. The portal, which came with a map-based visualisation, was even publishing the names of victims of rape, which are not to be stored by police officials in the first place according to the Indian Penal Code. A research associate from Hyderabad Urban Lab had written to the Committee on Effective Law Enforcement for Women’s Safety, Government of Telangana, about the matter in 2014, with no action taken for nearly 2 years until late 2016, when the portal was brought down along with the data.
Since the formation of Telangana, the new government has been taking several steps to improve policing and the state of IT infrastructure for policing. A new cyber security policy of Telangana, released in September 2016, is focused on fixing these legacy issues and training a number of so-called cyber warriors. Hyderabad’s traffic police are also the first police in the country to wear body cameras for transparency and accountability, an effort led by dynamic IT minister K.T. Rama Rao. At the highest levels of government there is an interest in improving systems and practices, but the same cannot be said about the man in the chair executing tasks at India’s so-called best cyber crime division.
If you walk into Cyberabad’s cyber crime branch and sit down with a few of the inspectors, it’s easy to see that most of them usually get transferred as punishment for mistakes they committed during their time in other divisions. It also needs to be noted that not every inspector who gets transferred, in order to do his minimum service requirement, is well informed about cyber-security. It’s usually private players providing IT services who are responsible for managing the IT systems of the police, and they themselves are only digitally aware to the extent that the job pays them. Building these sensitive data IT systems with low-skill employees is a potential disaster in the making.
The technical design of IPIH lists a number of sources of data: Enterprise E Cops Data (CCTNS), RTA for Telangana, voter data for Telangana, Samagra Kutumba Survey data, mobile phone records of Telangana, ration card data of Telangana, voter data of other states, mobile phone records of other states and a number of other data sources, with a total of 10,94,00,000 records at the current stage. It predicts access to several other databases, including the passport database, LPG connection database, travellers database, bank transactions data, educational certificates, e-Courts data, house rental database, marriage bureau database, foreigners database, tenants information, government employees database, hostels information, private employees information, cab drivers and an auto drivers’ database. Most of these datasets are possibly being stored unencrypted to begin with, and centralising all of them can become a serious issue in case of data breaches.
In short, the Telangana police is building its own StateGRID without any major cyber security or privacy protections, and other states are expected to emulate this practice, starting with Andhra Pradesh, which is doing its own citizens’ survey. The lack of cooperation on data sharing between the Centre and the states is fuelling the necessity for the states to build their own surveillance databases under the pretext of women’s safety, corruption and safety of citizens. While these are indeed serious issues for the police to take care of, smart and predictive policing can easily turn into total blanket surveillance in all forms.
The lack of good data practices is a serious issue with many state police departments. The Bangalore police released 13,000 call data records for a hackathon in 2015, and similarly Delhi police found that CDRs were being sold for Rs 6000-15000 each from neighbouring state police departments. Telangana will be no different. The home ministry and Centre need to act and stop this mad rush of individual police departments calling themselves “smart police” without proper safeguards.