Law enforcement agencies around the country have been all too eager to adopt mass surveillance technologies, but sometimes they have put little effort into ensuring the systems are secure and the sensitive data they collect on everyday people is protected.
Case in point: automated license plate recognition (ALPR) systems.
Earlier this year, EFF learned that more than a hundred ALPR cameras were exposed online, often with totally open Web pages accessible by anyone with a browser. In five cases, we were able to track the cameras to their sources: St. Tammany Parish Sheriff’s Office, Jefferson Parish Sheriff’s Office, and the Kenner Police in Louisiana; Hialeah Police Department in Florida; and the University of Southern California’s public safety department. These cases are very similar to, but unrelated to, the major vulnerabilities in Boston’s ALPR network uncovered in September by DigBoston and the Boston Institute for Nonprofit Journalism.
After five months of engagement with these entities, we are releasing the results of our research and the actions these offices undertook in response to our warnings.
What is ALPR?
ALPRs are networks of cameras that take pictures of every passing car and capture data on each car’s license plate number, including the time, date, and location where the vehicle was photographed. ALPR cameras are often mounted on patrol cars or affixed to stationary roadside structures, such as light poles and traffic signals.
The systems will alert police when a camera recognizes a car on a “hot list,” an index of cars that are stolen or believed to be tied to criminal activities. However, most ALPR systems collect and store data on every car (i.e. they don’t distinguish between suspects and innocent civilians). Even if a vehicle isn’t involved in a crime, data on where it was and when may be stored for many years, just in case the vehicle later comes under suspicion. Consequently, a breach of an ALPR system is a breach of potentially every driver’s travel history. Depending on how much data has been collected, this information in aggregate can reveal all sorts of personal information, including what doctors you visit, what protests you attend, and where you work, shop, worship, and sleep at night.
The ALPR systems at the center of our investigation were sold by a company called PIPS Technology, which has since been bought by 3M. In 2011, prior to the acquisition, the company bragged of installing more than 20,000 cameras around the globe. After independent security researchers alerted us to the vulnerabilities, we discovered that many stationary ALPR cameras from PIPS were individually connected to the Internet and freely accessible online to anyone who knew where to look.