City Of Boston Left License Plate Data Unprotected And Unencrypted

from the the-city-invites-you-to-perform-vanity-searches-on-its-ALPR-servers dept

Wed, Sep 9th 2015 12:45pm — Tim Cushing

If you want a rough estimate on how much respect law enforcement agencies (and the contractors they hire) have for your personal information, all you have to do is take a look at how well they protect the vast amount of data they slurp up.

Investigative reporter Kenneth Lipp has been digging up documents and data left unguarded by government contractors for several months now. While researching the use of ALPRs (Automatic License Plate Readers) in Boston, Lipp came across a publicly-accessible database of plate scans and motor vehicle records. The problem is: it wasn't supposed to be publicly-accessible.

Prior to two weeks ago, when this reporter alerted authorities that they had exposed critical data, anyone online was able to freely access a City of Boston automated license plate reader (ALPR) system and to download dozens of sensitive files, including hundreds of thousands of motor vehicle records dating back to 2012. If someone saw your shiny car and wanted to rob your equally nice house, for example, they could use your parking permit number to obtain your address. All they had to do was find the server’s URL.

This data wasn't being housed by Boston law enforcement. Instead, it was in the hands of its contractor, Genetec, which owns the popular ALPR brand, AutoVu. As Lipp points out, the city of Boston's first ALPR deployments were no big secret. The camera system was mounted on the roofs of Transportation Department vans along with sodium lights. The surveillance was no secret, but the data collected certainly was -- which was why it was left in the hands of a private corporation.

ALPRs were eventually noticed by watchdogs, and in 2004 spurred a public records request, which was denied by the BTD [Boston Transportation Department] on the grounds that the database was privately owned and “on loan” from AutoVu.

Ten years later, the city is still putting its faith (and its un-FOIA-able records) in Genetec. Not that Genetec deserves it. When Lipp pointed out its unguarded portal, it denied any responsibility for its carelessness.

Reached by email for this story, the company’s Vice President of Marketing and Product Management Andrew Elvish wrote that the server in question was a “location used by a customer to transfer data to be used in a parking or law enforcement patrol car, equipped with a Genetec system.” The data, Elvish added, was “not gathered by a Genetec AutoVu ALPR system … [which is] automatically encrypted.”

Lipp investigated further and found that the server was actually run by a Xerox subsidiary. Two hours after being notified of the security hole, the company closed it.

This would normally be the end of the story. But it goes on from there. What was uncovered during Lipp's foray into a supposedly secured and encrypted server points to further dishonesty, going beyond Genetec's disowning of a database it has (or had) direct access to.

As the ACLU's Kade Crockford points out, autogenerated notifications found on the server point to Boston law enforcement continuing to utilize a program it had previously told the public it would be abandoning.

I was surprised to discover these records because in 2013, in the wake of local reporter Shawn Musgrave's expose on privacy and civil liberties problems with the department’s license plate reader program, the Boston Police told the public that it was scrapping the program altogether. The Xerox records suggest scrapping isn’t at all what occurred. Indeed, the automated emails from BTD’s license plate reader program to the Boston Police, left on the Xerox server for anyone to download at will, appear to have started at around the same time the cops told the public they’d stopped using license plate readers. That's to say, instead of scrapping the program as the police told the public they would, BPD appears to have bootstrapped their license plate reader program from BTD data.

The government may claim license plate data has no expectation of privacy (unless you ask for it…) but people hardly expect their records to be exposed to the public at large. And they certainly don't expect them to be accessible from the web and stored in plaintext. Even if the public is willing to accept the portrayal of plate/location data as nothing more than the digital equivalent of human eyeballs on public streets, it will be far less likely to forgive the government's apparent disinterest in ensuring these records received even a minimal level of protection.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: alpr, boston, license plate data, license plates, privacy, security
Companies: autovu, genetec

15 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 9 Sep 2015 @ 1:44pm

used locally here
A quick google search shows an old job posting in a town near me for a Sys Admin to administer (among other things) Genetec LPR suites.
I'd be curious to know how it's being used.
[ link to this | view in chronology ]
Glenn, 9 Sep 2015 @ 2:17pm

Are you suggesting that information that can be gained by anyone simply looking at a vehicle should be considered "personal information"?
[ link to this | view in chronology ]
- Anonymous Coward, 9 Sep 2015 @ 2:35pm
  
  Re:
  You can figure out a person's name & home address just by looking at his/her license plate?
  [ link to this | view in chronology ]
- Anonymous Coward, 9 Sep 2015 @ 3:15pm
  
  Re:
  i might not mind the lprs as much if the lpr was an actual person writing down license plates in a notebook
  
  that would apparently be a more secure option as well
  [ link to this | view in chronology ]
- Anonymous Coward, 9 Sep 2015 @ 5:05pm
  
  Re:
  No, he's suggesting that information that can be gained by simply looking at all vehicles in the city and storing them with time and geolocation stamp for unimpeded future access by anyone who knows where the data is stored should be considered "unwise" and possibly unlawful.
  [ link to this | view in chronology ]
- Anonymous Coward, 10 Sep 2015 @ 8:00am
  
  Re:
  It is when that same license plate is recorded at several points of your route. I would not want someone to know my daily whereabouts.
  [ link to this | view in chronology ]
Anonymous Coward, 9 Sep 2015 @ 2:38pm

I assume Andrew Elvish is a Drow.
[ link to this | view in chronology ]
Uriel-238 (profile), 9 Sep 2015 @ 3:12pm

Aaaand we have yet another reason to distrust the whole DoJ and police system.
Because when they lie to us, track data that is private and then leave it for any hackwit to download and utilize that shows that they're worse than malicious, they're incompetent.
[ link to this | view in chronology ]
Padpaw (profile), 9 Sep 2015 @ 3:26pm

I would not be surprised if this investigative reporter is charged with aiding and abetting terrorism for exposing incompetence among those in charge of this aspect of the city.
[ link to this | view in chronology ]
- Groaker (profile), 10 Sep 2015 @ 6:48am
  
  Re:
  There is no worse terrorism than exposing the incompetence of elected officials.
  [ link to this | view in chronology ]
  - jaack65 (profile), 15 Nov 2015 @ 2:37am
    
    Re: incompetence of elected officials.
    Snowden and Manning are suffering for exposing the LIES, DECEPTION, & stupidity of elected and appointed officials and govt employees of all levels. To get a drivers license we have to jump thru hoops & everything else in our lives is open to the world. There is no privacy and we are giving away our civil rights for safety against terrorism. Doesn't work.
    We need more TechDirt revelations
    [ link to this | view in chronology ]
Mr Big Content, 9 Sep 2015 @ 9:21pm

We Should Have A Constitutional Right To Leave Data Unprotected
Because when data is protected against hackers, only hackers will hack data.
[ link to this | view in chronology ]
Anonymous Coward, 10 Sep 2015 @ 5:11am

The last line of the original digboston article by Kenneth Lipp really sums it up perfectly:

"If not for incompetence, we’d have no transparency at all."
[ link to this | view in chronology ]
cubicleslave (profile), 10 Sep 2015 @ 6:05am

This bit was interesting:
"1994 federal law, the Driver’s Privacy Protection Act, is supposed to prevent non-governmental third parties from accessing a person’s name, home address, or telephone number through a motor vehicle database. For safety reasons, plate numbers are not personal information, but federal safeguards have for some reason not extended to Xerox, which sells “comprehensive name and address acquisition services” that toll and parking providers use to locate and ticket violators. "

So leaving a LPR database open and unsecured for those of us "third parties" would potentially be in violation of federal law. Right? Smirk.
[ link to this | view in chronology ]
limbodog (profile), 10 Sep 2015 @ 9:29am

As someone who lives and drives in Boston, I'm rather curious what they have on me. Anyone know how to find out?
[ link to this | view in chronology ]