Dave Maass from the Electronic Frontier Foundation writes, "Earlier this year, security researcher John Matherly alerted us to potentially massive vulnerabilities in a certain vendor's automated license plate reader systems. We dug into the data and found that, sure enough, hundreds of LPR systems were potentially vulnerable, with many openly accessible online."
While EFF was able to affect ALPR system security in these jurisdictions, dozens of cameras may still be vulnerable in some form. However, in many cases, tracking these devices to their sources has been impossible. It is our hope that with publication of this report, all agencies responsible for PIPS cameras, wherever they are in the country, initiate comprehensive security audits of their devices.
ALPR systems are a form of mass surveillance, plain and simple. This technology captures information on every driver, regardless of whether they are under suspicion. In fact, when EFF and the ACLU sent a public records request for ALPR data to the Los Angeles Police Department and Los Angeles County Sheriff’s Office, the agencies refused to hand over the data, citing a provision in California law that allows them to withhold investigative records. Who are they investigating? The answer: all cars in California.
If law enforcement agencies are going to pursue this technology, then they should limit storage of this data to as short a time period as possible—days, not years or indefinitely, as is the current practice of many agencies. The safest policy would be to not store data unrelated to crimes at all, but only capture data on hot-listed vehicles suspected of involvement in crimes.
As these cases illustrate, when law enforcement agencies use surveillance systems, they need to be far more vigilant in ensuring that the technology is secure before they deploy it. They must also continue to modernize systems to protect against emerging threats and vulnerabilities. What was cutting edge in 2008 is unlikely to withstand the sophisticated threats of 2015.
Law enforcement should not collect information they can’t protect. Surveillance technology without adequate security measures puts everyone’s safety at risk.
License Plate Readers Exposed! How Public Safety Agencies Responded to Major Vulnerabilities in Vehicle Surveillance Tech
[Dave Maass and Cooper Quintin/EFF]