Big Brother watching you is bad enough. But Big Brother allowing hackers to watch you as well is worse.
And that is increasingly the case, thanks to the indiscriminate, and insecure, collection of vehicle license plate data, according to recent reports from the Electronic Frontier Foundation (EFF) and the alt-weekly DigBoston.
The technology at issue is Automated License Plate Readers (ALPR) – cameras mounted on patrol cars or stationary roadside structures like utility poles that record not just the plate number, but metadata including the date, time and location of the vehicle.
EFF reported late last year that it had found, “more than a hundred ALPR cameras were exposed online, often with totally open Web pages accessible by anyone with a browser.” Those cameras were in several Louisiana communities; in Hialeah, Florida; and at the University of Southern California.
DigBoston reported in September that until alerted by a reporter, “anyone online was able to freely access a City of Boston ALPR system and to download dozens of sensitive files, including hundreds of thousands of motor vehicle records dating back to 2012.”
In both cases, public safety or transportation officials and the APLR vendors tightened security after being notified of the vulnerabilities, although EFF said it took, “five months of engagement with these entities.”
The systems studied by EFF were made by a company called PIPS Technology, which was acquired by 3M in 2012. 3M, in a statement to EFF, said the cameras had good security features, but that they had to be enabled by customers.
Jennifer Lynch, senior staff attorney at EFF, said the organization does not know how many ALPR systems are in use throughout the U.S. and what percentage of them might have security problems.
But with the exploding popularity and use of such cameras, it is virtually guaranteed that there are both security and privacy issues that are not being addressed. A team of computer scientists at the University of Arizona issued a recent report saying they had found vulnerable cameras in Washington, California, Texas, Oklahoma, Louisiana, Mississippi, Alabama, Florida, Virginia, Ohio, and Pennsylvania.
DigBoston reported that the open online server it found, used for municipal parking enforcement, was owned by Affiliated Computer Services (ACS), a Xerox subsidiary. When notified about it, “within two hours, the portal was removed from public view,” wrote reporter Kenneth Lipp.
Jody Westby, CEO of Global Cyber Risk and a privacy consultant, said that digital surveillance many times exceeds the expertise of “guards, guns, and gates” security teams.
Those teams, she said, “are often very reluctant to turn the maintenance of these systems over to the IT staff,” which is a prime cause of security flaws. Those problems are almost inevitable, she said, with the, “deployment of sophisticated surveillance technologies by departments without the expertise or resources to manage privacy and security risks.”
Even if security concerns are addressed, however, EFF argues that the current use of ALPRs amounts to “a form of mass surveillance.”
The stated purpose of the camera systems is to aid law enforcement in investigations: If the plate matches a number on a so-called “hot list” – where the owner is wanted for anything from an unpaid parking ticket to a probation violation to a felony, or is connected to an AMBER alert or any kind of a gang or terrorist watch list – then the system notifies police or other agencies.
But most ALPR systems collect and store data on every vehicle they scan – they do not discard information on plates that don’t match the hot list. And in many cases, the data is held for years.
“Depending on how much data has been collected, this information in aggregate can reveal all sorts of personal information, including what doctors you visit, what protests you attend, and where you work, shop, worship, and sleep at night,” EFF said.
And when EFF and the American Civil Liberties Union (ACLU) filed a public records request for ALPR data to the Los Angeles Police Department and Los Angeles County Sheriff’s Office, “the agencies refused to hand over the data, citing a provision in California law that allows them to withhold investigative records. Who are they investigating? The answer: all cars in California,” the EFF said.
The ACLU and EFF then sued to compel the release of the data, but lost at both the Superior Court and Appeals Court level, where the courts ruled that even though the large majority of the data collected by the camera systems was on innocent motorists, it still qualified as investigatory material, and therefore not subject to public disclosure.
The case went before the California Supreme Court on Oct. 26. Lynch said the briefs from the city and county are due Jan. 25.
But even if the privacy advocates win, the reality remains that there is little oversight or regulation of ALPR data collection.
According to the National Conference of State Legislatures, only 10 states have laws putting limits on the collection, storage and use of ALPR data – Arkansas, California, Colorado, Florida, Maine, Maryland, New Hampshire, Tennessee, Utah and Vermont.
Most of those laws say the data may only be used for law enforcement purposes and limit the time it is stored to anywhere from 21 days to several years.
But most also contain exceptions, such as the recording of plate information at automated tollbooths or for the security of specific bridges and approach structures.
That leaves 40 states without regulation, and nothing pending at the federal level.
Lynch did say that, “there are many Congress members who are concerned about Americans’ privacy.”
But for now, the surveillance is both pervasive and vulnerable to hacks.
Nancy Libin, a partner at Jenner & Block and former chief privacy officer at the Department of Justice, said there hasn’t been enough study of the data being collected about not only its current, but possible future, use.
“Law enforcement is often tempted to use data it has collected for one purpose or another purpose,” she said. “So it’s a big surveillance tool, to collect information that may one day become useful to them.”
And she said it could become, “even more pernicious, considering the way technology is evolving. It might be possible to mine the data and conduct predictive searches about what somebody might do,” – which sounds like the dystopian future imagined in the movie “Minority Report”.
Drew Mitnik, policy counsel at Access Now, expressed similar concerns. “License plate information is sensitive on its own,” he said, “but it could also be combined with other information taken from cell phones and other smart devices, to provide the government a disturbingly detailed illustration of our lives.
And given that there is no such thing as 100 percent security, Mitnik and other privacy advocates say the unfettered use of ALPRs and other digital surveillance continue to increase the risks that the daily routines of millions of Americans could be exposed, “to anyone with an Internet connection.”
“We haven't had a true, open conversation about what information the government is capturing, what they are doing with it, and whether the privacy risks are acceptable,” Mitnik said.
Lynch said she believes public awareness is the most effective way to regain a measure of control over government surveillance.
“There have been public protests about this at various city council meetings and activism at the state legislative level,” she said. “That’s how we’ve seen privacy-protective laws pass in several states.”
Westby said she thinks public awareness is growing that the collection of multiple data points leads to them “being integrated and analyzed and used in a manner that violates privacy – and potentially constitutional rights. Eventually, big data will become the biggest privacy issue in the U.S.”