11 Security Sights Seen Only At Black Hat

License plate scanners are being deployed by an increasing number of government and law enforcement agencies, but at what privacy cost?

That's the question posed by a recently published American Civil Liberties Union (ACLU) report on automated license plate readers (ALPRs). It found increasing use of such scanners--which combine cameras and optical character recognition (OCR) software with license-plate database lookups--thanks in part to "many millions of dollars" in grants having been provided for their purchase by the Department of Homeland Security, Department of Justice, and the Department of Transportation.

But what are the security and privacy implications of the growing use of such scanners? "It's not an exaggeration to say that in ten years there will be ALPRs just about everywhere, making detailed records of every driver's every movement, and storing it for who knows how long," said Kade Crockford, the ACLU of Massachusetts privacy rights coordinator, in a blog post. "In some cases, we know that the worst-case scenario--vast databases with records of movements of massive numbers of people--is already happening."

[ License-plate readers in action: NYC, Microsoft Team On Huge Surveillance System. ]

According to the ACLU, such systems can scan up to 3,000 plates per minute. Often referred to as automatic license plate recognition (ALPR) systems, the required cameras can be deployed in both fixed locations--typically, atop poles or in high, downward-facing locations--as well as on police cars. "Typically, the cameras are outfitted with software that searches for the presence of a license plate," according to the Electronic Privacy Information Center (EPIC), a privacy rights group. "Once one is detected, the image is captured and then OCR extracts the letters and numbers on the license plate. The extracted data can then be stored, linked to other applications, or compared to information in databases."

With increased adoption has also come decreased prices. Whereas an ALPR scanning unit cost $22,000 in 2010, by this year the cost had dropped to an average of $12,000 per unit.

According to EPIC, the practice of scanning license plates originated in the United Kingdom, where it's known as automatic number plate recognition (ANPR). Under British law, collected data may be stored for up to five years. The systems are in wide use--everywhere from gas stations for identifying people who don't pay for gas, to highway construction zones to identify speeders, to airport parking lots, so prepaid customers can exit without having to pay at the exit gate.

When it comes to scanning license plates in the United States, there's debate about whether collected data constitutes personally identifiable information. Earlier this year, a Drug Enforcement Agency official told legislators in Utah that it planned to install ALPR systems on the state's highways to scan "drug trafficking corridors"--as it's already doing in California and Texas.

Accordingly, the ACLU said that it examined the Federal Register for any disclosure by the DEA of how it plans to collect, store, and share license plate data, and found nothing, even though the Privacy Act of 1974 requires federal agencies to disclose such data-collection details.

But a DEA official told Utah legislators, "We're not trying to capture any personal information--all that this captures is the tag, regardless of who the driver is."

According to ACLU senior policy analyst Jay Stanley, however, "the idea that a license plate number is not personally identifiable information is laughable." In fact, multiple states prohibit the private collection of license plate data--and New Hampshire has banned the practice entirely, except for monitoring bridges and other major infrastructure--suggesting that from a privacy standpoint, such data is indeed personally identifiable.

In the absence of laws in most states that specify how such data can be collected and stored, so far it's largely been up to the law enforcement agencies that use ALPRs to police themselves.

Last month, however, the ACLU launched an effort to uncover which states are using LPR systems, as well as what privacy protections states have designated--or not--for license plate data. To help, it filed public record requests for ALPR practices in 38 states, as well as Freedom of Information Act (FOIA) requests with the Department of Justice, Department of Homeland Security, and Department of Transport, for details about their use of such technology.

Likewise, Ars Technica recently emailed state law enforcement agencies in all 50 states to ask about their ALPR practices. Although most didn't respond, the publication has been sharing what it knows, and also filing FOIA requests to help provide further details.

Vulnerability scanners can be used to help detect and fix systemic problems in an organization's security program and monitor the effectiveness of security controls. However, a vulnerability scanner can improve the organization?s security posture only when it is used as part of a vulnerability management program. In our Choosing The Right Vulnerability Scanner report, we give you tips on choosing and implementing vulnerability scanners in your enterprise. (Free registration required.)