City Of Boston Left License Plate Data Unprotected And Unencrypted
from the the-city-invites-you-to-perform-vanity-searches-on-its-ALPR-servers dept
If you want a rough estimate on how much respect law enforcement agencies (and the contractors they hire) have for your personal information, all you have to do is take a look at how well they protect the vast amount of data they slurp up.
Investigative reporter Kenneth Lipp has been digging up documents and data left unguarded by government contractors for several months now. While researching the use of ALPRs (Automatic License Plate Readers) in Boston, Lipp came across a publicly-accessible database of plate scans and motor vehicle records. The problem is: it wasn’t supposed to be publicly-accessible.
Prior to two weeks ago, when this reporter alerted authorities that they had exposed critical data, anyone online was able to freely access a City of Boston automated license plate reader (ALPR) system and to download dozens of sensitive files, including hundreds of thousands of motor vehicle records dating back to 2012. If someone saw your shiny car and wanted to rob your equally nice house, for example, they could use your parking permit number to obtain your address. All they had to do was find the server’s URL.
This data wasn’t being housed by Boston law enforcement. Instead, it was in the hands of its contractor, Genetec, which owns the popular ALPR brand, AutoVu. As Lipp points out, the city of Boston’s first ALPR deployments were no big secret. The camera system was mounted on the roofs of Transportation Department vans along with sodium lights. The surveillance was no secret, but the data collected certainly was — which was why it was left in the hands of a private corporation.
ALPRs were eventually noticed by watchdogs, and in 2004 spurred a public records request, which was denied by the BTD [Boston Transportation Department] on the grounds that the database was privately owned and “on loan” from AutoVu.
Ten years later, the city is still putting its faith (and its un-FOIA-able records) in Genetec. Not that Genetec deserves it. When Lipp pointed out its unguarded portal, it denied any responsibility for its carelessness.
Reached by email for this story, the company’s Vice President of Marketing and Product Management Andrew Elvish wrote that the server in question was a “location used by a customer to transfer data to be used in a parking or law enforcement patrol car, equipped with a Genetec system.” The data, Elvish added, was “not gathered by a Genetec AutoVu ALPR system … [which is] automatically encrypted.”
Lipp investigated further and found that the server was actually run by a Xerox subsidiary. Two hours after being notified of the security hole, the company closed it.
This would normally be the end of the story. But it goes on from there. What was uncovered during Lipp’s foray into a supposedly secured and encrypted server points to further dishonesty, going beyond Genetec’s disowning of a database it has (or had) direct access to.
As the ACLU’s Kade Crockford points out, autogenerated notifications found on the server point to Boston law enforcement continuing to utilize a program it had previously told the public it would be abandoning.
I was surprised to discover these records because in 2013, in the wake of local reporter Shawn Musgrave’s expose on privacy and civil liberties problems with the department’s license plate reader program, the Boston Police told the public that it was scrapping the program altogether. The Xerox records suggest scrapping isn’t at all what occurred. Indeed, the automated emails from BTD’s license plate reader program to the Boston Police, left on the Xerox server for anyone to download at will, appear to have started at around the same time the cops told the public they’d stopped using license plate readers. That’s to say, instead of scrapping the program as the police told the public they would, BPD appears to have bootstrapped their license plate reader program from BTD data.
The government may claim license plate data has no expectation of privacy (unless you ask for it…) but people hardly expect their records to be exposed to the public at large. And they certainly don’t expect them to be accessible from the web and stored in plaintext. Even if the public is willing to accept the portrayal of plate/location data as nothing more than the digital equivalent of human eyeballs on public streets, it will be far less likely to forgive the government’s apparent disinterest in ensuring these records received even a minimal level of protection.