City Of Boston Left License Plate Data Unprotected And Unencrypted

from the the-city-invites-you-to-perform-vanity-searches-on-its-ALPR-servers dept

If you want a rough estimate on how much respect law enforcement agencies (and the contractors they hire) have for your personal information, all you have to do is take a look at how well they protect the vast amount of data they slurp up.

Investigative reporter Kenneth Lipp has been digging up documents and data left unguarded by government contractors for several months now. While researching the use of ALPRs (Automatic License Plate Readers) in Boston, Lipp came across a publicly-accessible database of plate scans and motor vehicle records. The problem is: it wasn't supposed to be publicly-accessible.

Prior to two weeks ago, when this reporter alerted authorities that they had exposed critical data, anyone online was able to freely access a City of Boston automated license plate reader (ALPR) system and to download dozens of sensitive files, including hundreds of thousands of motor vehicle records dating back to 2012. If someone saw your shiny car and wanted to rob your equally nice house, for example, they could use your parking permit number to obtain your address. All they had to do was find the server’s URL.

This data wasn't being housed by Boston law enforcement. Instead, it was in the hands of its contractor, Genetec, which owns the popular ALPR brand, AutoVu. As Lipp points out, the city of Boston's first ALPR deployments were no big secret. The camera system was mounted on the roofs of Transportation Department vans along with sodium lights. The surveillance was no secret, but the data collected certainly was -- which was why it was left in the hands of a private corporation.

ALPRs were eventually noticed by watchdogs, and in 2004 spurred a public records request, which was denied by the BTD [Boston Transportation Department] on the grounds that the database was privately owned and “on loan” from AutoVu.

Ten years later, the city is still putting its faith (and its un-FOIA-able records) in Genetec. Not that Genetec deserves it. When Lipp pointed out its unguarded portal, it denied any responsibility for its carelessness.

Reached by email for this story, the company’s Vice President of Marketing and Product Management Andrew Elvish wrote that the server in question was a “location used by a customer to transfer data to be used in a parking or law enforcement patrol car, equipped with a Genetec system.” The data, Elvish added, was “not gathered by a Genetec AutoVu ALPR system … [which is] automatically encrypted.”

Lipp investigated further and found that the server was actually run by a Xerox subsidiary. Two hours after being notified of the security hole, the company closed it.

This would normally be the end of the story. But it goes on from there. What was uncovered during Lipp's foray into a supposedly secured and encrypted server points to further dishonesty, going beyond Genetec's disowning of a database it has (or had) direct access to.

As the ACLU's Kade Crockford points out, autogenerated notifications found on the server point to Boston law enforcement continuing to utilize a program it had previously told the public it would be abandoning.

I was surprised to discover these records because in 2013, in the wake of local reporter Shawn Musgrave's expose on privacy and civil liberties problems with the department’s license plate reader program, the Boston Police told the public that it was scrapping the program altogether. The Xerox records suggest scrapping isn’t at all what occurred. Indeed, the automated emails from BTD’s license plate reader program to the Boston Police, left on the Xerox server for anyone to download at will, appear to have started at around the same time the cops told the public they’d stopped using license plate readers. That's to say, instead of scrapping the program as the police told the public they would, BPD appears to have bootstrapped their license plate reader program from BTD data.

The government may claim license plate data has no expectation of privacy (unless you ask for it…) but people hardly expect their records to be exposed to the public at large. And they certainly don't expect them to be accessible from the web and stored in plaintext. Even if the public is willing to accept the portrayal of plate/location data as nothing more than the digital equivalent of human eyeballs on public streets, it will be far less likely to forgive the government's apparent disinterest in ensuring these records received even a minimal level of protection.


Reader Comments

    Anonymous Coward, 9 Sep 2015 @ 1:44pm

    used locally here

    A quick google search shows an old job posting in a town near me for a Sys Admin to administer (among other things) Genetec LPR suites.
    I'd be curious to know how it's being used.

    Glenn, 9 Sep 2015 @ 2:17pm

    Are you suggesting that information that can be gained by anyone simply looking at a vehicle should be considered "personal information"?

      Anonymous Coward, 9 Sep 2015 @ 2:35pm

      Re:

      You can figure out a person's name & home address just by looking at his/her license plate?

      Anonymous Coward, 9 Sep 2015 @ 3:15pm

      Re:

      I might not mind the LPRs as much if the LPR was an actual person writing down license plates in a notebook.

      That would apparently be a more secure option as well.

      Anonymous Coward, 9 Sep 2015 @ 5:05pm

      Re:

      No, he's suggesting that information that can be gained by simply looking at all vehicles in the city and storing them with time and geolocation stamp for unimpeded future access by anyone who knows where the data is stored should be considered "unwise" and possibly unlawful.

      Anonymous Coward, 10 Sep 2015 @ 8:00am

      Re:

      It is when that same license plate is recorded at several points of your route. I would not want someone to know my daily whereabouts.

    Anonymous Coward, 9 Sep 2015 @ 2:38pm

    I assume Andrew Elvish is a Drow.

    Uriel-238 (profile), 9 Sep 2015 @ 3:12pm

    Aaaand we have yet another reason to distrust the whole DoJ and police system.

    Because when they lie to us, track data that is private and then leave it for any hackwit to download and utilize that shows that they're worse than malicious, they're incompetent.

    Padpaw (profile), 9 Sep 2015 @ 3:26pm

    I would not be surprised if this investigative reporter is charged with aiding and abetting terrorism for exposing incompetence among those in charge of this aspect of the city.

      Groaker (profile), 10 Sep 2015 @ 6:48am

      Re:

      There is no worse terrorism than exposing the incompetence of elected officials.

        jaack65 (profile), 15 Nov 2015 @ 2:37am

        Re: incompetence of elected officials.

        Snowden and Manning are suffering for exposing the LIES, DECEPTION, & stupidity of elected and appointed officials and govt employees of all levels. To get a driver's license we have to jump thru hoops & everything else in our lives is open to the world. There is no privacy and we are giving away our civil rights for safety against terrorism. Doesn't work.
        We need more TechDirt revelations.

    Mr Big Content, 9 Sep 2015 @ 9:21pm

    We Should Have A Constitutional Right To Leave Data Unprotected

    Because when data is protected against hackers, only hackers will hack data.

    Anonymous Coward, 10 Sep 2015 @ 5:11am

    The last line of the original digboston article by Kenneth Lipp really sums it up perfectly:

    "If not for incompetence, we’d have no transparency at all."

    cubicleslave (profile), 10 Sep 2015 @ 6:05am

    This bit was interesting:
    "1994 federal law, the Driver’s Privacy Protection Act, is supposed to prevent non-governmental third parties from accessing a person’s name, home address, or telephone number through a motor vehicle database. For safety reasons, plate numbers are not personal information, but federal safeguards have for some reason not extended to Xerox, which sells “comprehensive name and address acquisition services” that toll and parking providers use to locate and ticket violators. "

    So leaving a LPR database open and unsecured for those of us "third parties" would potentially be in violation of federal law. Right? Smirk.

    limbodog (profile), 10 Sep 2015 @ 9:29am

    As someone who lives and drives in Boston, I'm rather curious what they have on me. Anyone know how to find out?
