Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Privacy Questions Accompany Automated License Plate Scanners

As more license plate data is collected by law enforcement, debate grows over how such data should be stored or shared.

11 Security Sights Seen Only At Black Hat
11 Security Sights Seen Only At Black Hat
(click image for larger view and for slideshow)
License plate scanners are being deployed by an increasing number of government and law enforcement agencies, but at what privacy cost?

That's the question posed by a recently published American Civil Liberties Union (ACLU) report on automated license plate readers (ALPRs). It found increasing use of such scanners--which combine cameras and optical character recognition (OCR) software with license-plate database lookups--thanks in part to "many millions of dollars" in grants having been provided for their purchase by the Department of Homeland Security, Department of Justice, and the Department of Transportation.

But what are the security and privacy implications of the growing use of such scanners? "It's not an exaggeration to say that in ten years there will be ALPRs just about everywhere, making detailed records of every driver's every movement, and storing it for who knows how long," said Kade Crockford, the ACLU of Massachusetts privacy rights coordinator, in a blog post. "In some cases, we know that the worst-case scenario--vast databases with records of movements of massive numbers of people--is already happening."

[ License-plate readers in action: NYC, Microsoft Team On Huge Surveillance System. ]

According to the ACLU, such systems can scan up to 3,000 plates per minute. Often referred to as automatic license plate recognition (ALPR) systems, the required cameras can be deployed in both fixed locations--typically, atop poles or in high, downward-facing locations--as well as on police cars. "Typically, the cameras are outfitted with software that searches for the presence of a license plate," according to the Electronic Privacy Information Center (EPIC), a privacy rights group. "Once one is detected, the image is captured and then OCR extracts the letters and numbers on the license plate. The extracted data can then be stored, linked to other applications, or compared to information in databases."

With increased adoption has also come decreased prices. Whereas an ALPR scanning unit cost $22,000 in 2010, by this year the cost had dropped to an average of $12,000 per unit.

According to EPIC, the practice of scanning license plates originated in the United Kingdom, where it's known as automatic number plate recognition (ANPR). Under British law, collected data may be stored for up to five years. The systems are in wide use--everywhere from gas stations for identifying people who don't pay for gas, to highway construction zones to identify speeders, to airport parking lots, so prepaid customers can exit without having to pay at the exit gate.

When it comes to scanning license plates in the United States, there's debate about whether collected data constitutes personally identifiable information. Earlier this year, a Drug Enforcement Agency official told legislators in Utah that it planned to install ALPR systems on the state's highways to scan "drug trafficking corridors"--as it's already doing in California and Texas.

Accordingly, the ACLU said that it examined the Federal Register for any disclosure by the DEA of how it plans to collect, store, and share license plate data, and found nothing, even though the Privacy Act of 1974 requires federal agencies to disclose such data-collection details.

But a DEA official told Utah legislators, "We're not trying to capture any personal information--all that this captures is the tag, regardless of who the driver is."

According to ACLU senior policy analyst Jay Stanley, however, "the idea that a license plate number is not personally identifiable information is laughable." In fact, multiple states prohibit the private collection of license plate data--and New Hampshire has banned the practice entirely, except for monitoring bridges and other major infrastructure--suggesting that from a privacy standpoint, such data is indeed personally identifiable.

In the absence of laws in most states that specify how such data can be collected and stored, so far it's largely been up to the law enforcement agencies that use ALPRs to police themselves.

Last month, however, the ACLU launched an effort to uncover which states are using LPR systems, as well as what privacy protections states have designated--or not--for license plate data. To help, it filed public record requests for ALPR practices in 38 states, as well as Freedom of Information Act (FOIA) requests with the Department of Justice, Department of Homeland Security, and Department of Transport, for details about their use of such technology.

Likewise, Ars Technica recently emailed state law enforcement agencies in all 50 states to ask about their ALPR practices. Although most didn't respond, the publication has been sharing what it knows, and also filing FOIA requests to help provide further details.

Vulnerability scanners can be used to help detect and fix systemic problems in an organization's security program and monitor the effectiveness of security controls. However, a vulnerability scanner can improve the organization?s security posture only when it is used as part of a vulnerability management program. In our Choosing The Right Vulnerability Scanner report, we give you tips on choosing and implementing vulnerability scanners in your enterprise. (Free registration required.)


Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Andrew Hornback
Andrew Hornback,
User Rank: Apprentice
8/21/2012 | 1:03:31 AM
re: Privacy Questions Accompany Automated License Plate Scanners
Something else to keep in mind here - if you are to take it into your own hands to either modify your license plate or cover it with something to obscure the sensors, you may be at risk of committing a crime, depending on the laws of your state and local jurisdiction.

A good number of states, in the paperwork that accompanies the plate or in the state laws surrounding the issuance of these plates, actually retain ownership of the plate itself - you are merely holding their property when you have plates attached to your vehicle.

I have seen incidents where people will strip the paint off of the letters and numbers on the plate and repaint them to match the vehicle (some custom car folks are pretty crazy about being matchy-matchy). These are the same folks that get in trouble with law enforcement who can rather easily see a modified plate.

If law enforcement was truly just using these automated plate lookups to determine if a vehicle is stolen, has outstanding tickets, etc. - that would be one thing. Taking the data that they are compiling and using it to determine the movements of people (without a warrant) is an entirely different kettle of fish - and not necessarily a tasty one.

Andrew Hornback
InformationWeek Contributor
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.