Risk
8/17/2012
11:20 AM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Privacy Questions Accompany Automated License Plate Scanners

As more license plate data is collected by law enforcement, debate grows over how such data should be stored or shared.

11 Security Sights Seen Only At Black Hat
11 Security Sights Seen Only At Black Hat
(click image for larger view and for slideshow)
License plate scanners are being deployed by an increasing number of government and law enforcement agencies, but at what privacy cost?

That's the question posed by a recently published American Civil Liberties Union (ACLU) report on automated license plate readers (ALPRs). It found increasing use of such scanners--which combine cameras and optical character recognition (OCR) software with license-plate database lookups--thanks in part to "many millions of dollars" in grants having been provided for their purchase by the Department of Homeland Security, Department of Justice, and the Department of Transportation.

But what are the security and privacy implications of the growing use of such scanners? "It's not an exaggeration to say that in ten years there will be ALPRs just about everywhere, making detailed records of every driver's every movement, and storing it for who knows how long," said Kade Crockford, the ACLU of Massachusetts privacy rights coordinator, in a blog post. "In some cases, we know that the worst-case scenario--vast databases with records of movements of massive numbers of people--is already happening."

[ License-plate readers in action: NYC, Microsoft Team On Huge Surveillance System. ]

According to the ACLU, such systems can scan up to 3,000 plates per minute. Often referred to as automatic license plate recognition (ALPR) systems, the required cameras can be deployed in both fixed locations--typically, atop poles or in high, downward-facing locations--as well as on police cars. "Typically, the cameras are outfitted with software that searches for the presence of a license plate," according to the Electronic Privacy Information Center (EPIC), a privacy rights group. "Once one is detected, the image is captured and then OCR extracts the letters and numbers on the license plate. The extracted data can then be stored, linked to other applications, or compared to information in databases."

With increased adoption has also come decreased prices. Whereas an ALPR scanning unit cost $22,000 in 2010, by this year the cost had dropped to an average of $12,000 per unit.

According to EPIC, the practice of scanning license plates originated in the United Kingdom, where it's known as automatic number plate recognition (ANPR). Under British law, collected data may be stored for up to five years. The systems are in wide use--everywhere from gas stations for identifying people who don't pay for gas, to highway construction zones to identify speeders, to airport parking lots, so prepaid customers can exit without having to pay at the exit gate.

When it comes to scanning license plates in the United States, there's debate about whether collected data constitutes personally identifiable information. Earlier this year, a Drug Enforcement Agency official told legislators in Utah that it planned to install ALPR systems on the state's highways to scan "drug trafficking corridors"--as it's already doing in California and Texas.

Accordingly, the ACLU said that it examined the Federal Register for any disclosure by the DEA of how it plans to collect, store, and share license plate data, and found nothing, even though the Privacy Act of 1974 requires federal agencies to disclose such data-collection details.

But a DEA official told Utah legislators, "We're not trying to capture any personal information--all that this captures is the tag, regardless of who the driver is."

According to ACLU senior policy analyst Jay Stanley, however, "the idea that a license plate number is not personally identifiable information is laughable." In fact, multiple states prohibit the private collection of license plate data--and New Hampshire has banned the practice entirely, except for monitoring bridges and other major infrastructure--suggesting that from a privacy standpoint, such data is indeed personally identifiable.

In the absence of laws in most states that specify how such data can be collected and stored, so far it's largely been up to the law enforcement agencies that use ALPRs to police themselves.

Last month, however, the ACLU launched an effort to uncover which states are using LPR systems, as well as what privacy protections states have designated--or not--for license plate data. To help, it filed public record requests for ALPR practices in 38 states, as well as Freedom of Information Act (FOIA) requests with the Department of Justice, Department of Homeland Security, and Department of Transport, for details about their use of such technology.

Likewise, Ars Technica recently emailed state law enforcement agencies in all 50 states to ask about their ALPR practices. Although most didn't respond, the publication has been sharing what it knows, and also filing FOIA requests to help provide further details.

Vulnerability scanners can be used to help detect and fix systemic problems in an organization's security program and monitor the effectiveness of security controls. However, a vulnerability scanner can improve the organization?s security posture only when it is used as part of a vulnerability management program. In our Choosing The Right Vulnerability Scanner report, we give you tips on choosing and implementing vulnerability scanners in your enterprise. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Andrew Hornback
50%
50%
Andrew Hornback,
User Rank: Apprentice
8/21/2012 | 1:03:31 AM
re: Privacy Questions Accompany Automated License Plate Scanners
Something else to keep in mind here - if you are to take it into your own hands to either modify your license plate or cover it with something to obscure the sensors, you may be at risk of committing a crime, depending on the laws of your state and local jurisdiction.

A good number of states, in the paperwork that accompanies the plate or in the state laws surrounding the issuance of these plates, actually retain ownership of the plate itself - you are merely holding their property when you have plates attached to your vehicle.

I have seen incidents where people will strip the paint off of the letters and numbers on the plate and repaint them to match the vehicle (some custom car folks are pretty crazy about being matchy-matchy). These are the same folks that get in trouble with law enforcement who can rather easily see a modified plate.

If law enforcement was truly just using these automated plate lookups to determine if a vehicle is stolen, has outstanding tickets, etc. - that would be one thing. Taking the data that they are compiling and using it to determine the movements of people (without a warrant) is an entirely different kettle of fish - and not necessarily a tasty one.

Andrew Hornback
InformationWeek Contributor
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-3946
Published: 2014-04-24
Cisco IOS before 15.3(2)S allows remote attackers to bypass interface ACL restrictions in opportunistic circumstances by sending IPv6 packets in an unspecified scenario in which expected packet drops do not occur for "a small percentage" of the packets, aka Bug ID CSCty73682.

CVE-2012-5723
Published: 2014-04-24
Cisco ASR 1000 devices with software before 3.8S, when BDI routing is enabled, allow remote attackers to cause a denial of service (device reload) via crafted (1) broadcast or (2) multicast ICMP packets with fragmentation, aka Bug ID CSCub55948.

CVE-2013-6738
Published: 2014-04-24
Cross-site scripting (XSS) vulnerability in IBM SmartCloud Analytics Log Analysis 1.1 and 1.2 before 1.2.0.0-CSI-SCALA-IF0003 allows remote attackers to inject arbitrary web script or HTML via an invalid query parameter in a response from an OAuth authorization endpoint.

CVE-2014-2391
Published: 2014-04-24
The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potent...

CVE-2014-2392
Published: 2014-04-24
The E-Mail autoconfiguration feature in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 places a password in a GET request, which allows remote attackers to obtain sensitive information by reading (1) web-server access logs, (2) web-server Referer log...

Best of the Web