The Telangana Police has denied allegations that its TSCOP app stores data about citizens' hotel visits, and added that neither does it share any such data with a US-based third-party application.
However, a video from 2021 has Telangana cops saying on-record that the police had introduced a `new feature' on TSCOP, whereby the records of hotel guests can be checked ``against a list of suspects using a facial recognition (FR) system, and by matching mobile numbers.''
"All those who have visited a lodge or hotel will enter their details (at the hotel), so we will get a notification along with the photo, mobile number, address, etc. This will automatically be checked against a database which has the details of criminals. And if there is anything suspicious, we will alert the concerned police station," says a policeman in the video.
Moneycontrol has reached out to the Telangana Police seeking clarifications regarding the issue, and the article will be updated when we hear from them.
The recent response from the Telangana Police stems from security researcher Srinivas Kodali's post on X, where he claimed to have found evidence in the TSCOP app's code which suggests that the police collected such data and shared it with Zebi, a blockchain platform based in the US.
Dear @TelanganaCOPs why are you collecting details of everyone who checks-in into a hotel in Hyderabad and why are you sending them to a blockchain company - zebichain? pic.twitter.com/AHqbgFTfigRelated stories
— Srinivas Kodali (@digitaldutta) June 7, 2024
The post went viral, triggering accusations of violation of privacy.
"TSCOP does not collect any hotel visitor data. Hence, it is absolutely incorrect to say that TSCOP gave such data to any third party," the Telangana Police said on June 9.
TSCOP is an internal application used by Telangana Police. It is connected with central security infra such as the Crime and Criminal Tracking Network & Systems (CCTNS) database.
TSCOP has been under the scanner ever since a related app of the police,TS Hawk Eye, was hacked, exposing the data of TSCOP and the police's SMS services in the process. Hawk Eye is a free-to-use application developed by Telangana police for citizens to report crimes and violations.
The cops arrested a hacker from Delhi on June 8, who, they say, has a history of committing cyber crimes and was allegedly involved in a similar case of hacking. "Last year, the accused had leaked data regarding Aadhaar cards, and critical information related to other agencies," the Telangana police has said.
Cracking the code
On June 7, 2024, Kodali posted screenshots on X of what he claimed to be an analysis of the TSCOP app's code, suggesting that the Telangana cops were collecting and sharing data about citizens' hotel visits.
The screenshots suggested that among the data the cops were collecting was the guest's mobile number, name, room number, check-in and check-out date, i.d. proof, i.d. number, vehicle number, address, etc..
"Dear @TelanganaCops why are you collecting details of everyone who checks-in into a hotel in Hyderabad and why are you sending them to a blockchain company - Zebichain?" the post read.
Founded in 2015, and now defunct, Zebi had been developing blockchain-enabled platforms for creating "tamper proof and hacker-proof systems with an audit trail." The company has also worked with the Andhra Pradesh government in building a blockchain-enabled ledger system for land records.
However, it is important to remember that the TSCOP app is not available on public platforms, raising questions as to how Kodali secured access to its source code.
Kodali told Moneycontrol that he got access to the app's APK (android application package) from a third-party website, where it was presumably uploaded by threat actors after the Hawk Eye app was hacked and related data leaked. Asked how reliable the APK was, Kodali said he was "confident to a certain extent."
Data laws
Under the Sarai Act of 1867, cops across the country have access to a hotel's guest register. The objective of the Act was to regulate such establishments and ensure the safety of travellers.
Per the Act, the data collected by the hotel must include information such as the guest's name, address, etc., and the cops and other local authorities have the right to inspect these records to ensure compliance.
"The police has statutory blessing, they are authorised to collect this kind of data. The processing of such information for verification of visitors is legitimate under the DPDP (Digital Personal Data Protection) Act," said Supratim Chakraborty, Partner at Khaitan and Company, a law firm.
However, Chakraborty pointed to the 'purpose limitation' clause of the DPDP Act and said that sharing such data with a third party can be a violation of the law.
Purpose limitation refers to the idea that personal data collected by an entity (referred to as the "data fiduciary") should only be used for specific, clear, and lawful purposes that were explicitly stated to the data subject (the individual whose data is being collected) at the time of collection.
However, it is important to note that the DPDP Act has provisions to exempt government and law enforcement agencies from the provisions of the Act in the interest of "national security, public order, sovereignty and integrity of the nation,'' said Chakraborty.
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
Find the best of Al News in one place, specially curated for you every weekend.
Stay on top of the latest tech trends and biggest startup news.
