City Of Boston Left License Plate Data Unprotected And Unencrypted

from the the-city-invites-you-to-perform-vanity-searches-on-its-ALPR-servers dept

If you want a rough estimate on how much respect law enforcement agencies (and the contractors they hire) have for your personal information, all you have to do is take a look at how well they protect the vast amount of data they slurp up.

Investigative reporter Kenneth Lipp has been digging up documents and data left unguarded by government contractors for several months now. While researching the use of ALPRs (Automatic License Plate Readers) in Boston, Lipp came across a publicly-accessible database of plate scans and motor vehicle records. The problem is: it wasn’t supposed to be publicly-accessible.

Prior to two weeks ago, when this reporter alerted authorities that they had exposed critical data, anyone online was able to freely access a City of Boston automated license plate reader (ALPR) system and to download dozens of sensitive files, including hundreds of thousands of motor vehicle records dating back to 2012. If someone saw your shiny car and wanted to rob your equally nice house, for example, they could use your parking permit number to obtain your address. All they had to do was find the server’s URL.

This data wasn’t being housed by Boston law enforcement. Instead, it was in the hands of its contractor, Genetec, which owns the popular ALPR brand, AutoVu. As Lipp points out, the city of Boston’s first ALPR deployments were no big secret. The camera system was mounted on the roofs of Transportation Department vans along with sodium lights. The surveillance was no secret, but the data collected certainly was — which was why it was left in the hands of a private corporation.

ALPRs were eventually noticed by watchdogs, and in 2004 spurred a public records request, which was denied by the BTD [Boston Transportation Department] on the grounds that the database was privately owned and “on loan” from AutoVu.

Ten years later, the city is still putting its faith (and its un-FOIA-able records) in Genetec. Not that Genetec deserves it. When Lipp pointed out its unguarded portal, it denied any responsibility for its carelessness.

Reached by email for this story, the company’s Vice President of Marketing and Product Management Andrew Elvish wrote that the server in question was a “location used by a customer to transfer data to be used in a parking or law enforcement patrol car, equipped with a Genetec system.” The data, Elvish added, was “not gathered by a Genetec AutoVu ALPR system … [which is] automatically encrypted.”

Lipp investigated further and found that the server was actually run by a Xerox subsidiary. Two hours after being notified of the security hole, the company closed it.

This would normally be the end of the story. But it goes on from there. What was uncovered during Lipp’s foray into a supposedly secured and encrypted server points to further dishonesty, going beyond Genetec’s disowning of a database it has (or had) direct access to.

As the ACLU’s Kade Crockford points out, autogenerated notifications found on the server point to Boston law enforcement continuing to utilize a program it had previously told the public it would be abandoning.

I was surprised to discover these records because in 2013, in the wake of local reporter Shawn Musgrave’s expose on privacy and civil liberties problems with the department’s license plate reader program, the Boston Police told the public that it was scrapping the program altogether. The Xerox records suggest scrapping isn’t at all what occurred. Indeed, the automated emails from BTD’s license plate reader program to the Boston Police, left on the Xerox server for anyone to download at will, appear to have started at around the same time the cops told the public they’d stopped using license plate readers. That’s to say, instead of scrapping the program as the police told the public they would, BPD appears to have bootstrapped their license plate reader program from BTD data.

The government may claim license plate data has no expectation of privacy (unless you ask for it…) but people hardly expect their records to be exposed to the public at large. And they certainly don’t expect them to be accessible from the web and stored in plaintext. Even if the public is willing to accept the portrayal of plate/location data as nothing more than the digital equivalent of human eyeballs on public streets, it will be far less likely to forgive the government’s apparent disinterest in ensuring these records received even a minimal level of protection.

Filed Under: , , , , ,
Companies: autovu, genetec

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “City Of Boston Left License Plate Data Unprotected And Unencrypted”

Subscribe: RSS Leave a comment
jaack65 (profile) says:

Re: Re: incompetence of elected officials.

Snowden and Manning are suffering for exposing the LIES, DECEPTION, & stupidity of elected and appointed officials and govt employees of all levels. To get a drivers license we have to jump thru hoops & everything else in our lives is open to the world. There is no privacy and we are giving away our civil rights for safety against terrorism. Doesn’t work.
We need more TechDirt revelations

cubicleslave (profile) says:

This bit was interesting:
“1994 federal law, the Driver’s Privacy Protection Act, is supposed to prevent non-governmental third parties from accessing a person’s name, home address, or telephone number through a motor vehicle database. For safety reasons, plate numbers are not personal information, but federal safeguards have for some reason not extended to Xerox, which sells “comprehensive name and address acquisition services” that toll and parking providers use to locate and ticket violators. “

So leaving a LPR database open and unsecured for those of us “third parties” would potentially be in violation of federal law. Right? Smirk.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...