Even if you're not a die-hard privacy advocate, the prospect of widespread license plate scanning is rather unsettling. Local police departments often operate such programs under the assumption that all cars in their jurisdiction are "under investigation," even if the vast majority of cars scanned have never been implicated in any kind of misdeed. 

That's why a recent discovery in Boston is so unsettling: It turns out, the data collected by the city's Transportation Department was being stored on a webpage that was wide-open and accessible to anybody with decent Googling skills—no password required.

It wasn't until investigative journalist Kenneth Lipp alerted the city to this massive security flaw that the web page was made private. And that's not all: According to The Boston Globe, the Boston Police Department had vowed in December of 2013 to "indefinitely suspend" its license plate scanning activities in the wake of growing public outcry over a perceived invasion of privacy. Lipp reports that the Boston Transportation Department exchanged "several hundred daily emails" with the Boston Police Department containing data from the Transportation Department's ongoing license plate scanning. In other words, instead of "scrapping" the plate scanning project as the police department had promised, it merely began sourcing its data from the Boston Transportation Department.

Lipp reports that the unsecure webpage in question was a file-sharing server operated by a Xerox subsidiary, "primarily used for municipal parking enforcement to transfer and store vehicular permit information and nearly one million license plate numbers." The data, generated from the city's fleet of vehicles equipped with AutoVu license plate readers, was "waiting to be discovered by anyone spelunking Google for terms including 'Genetec,' the name of a Canadian surveillance company" that manufactures the plate readers, Lipp writes.

What kind of information could be gleaned once an unauthorized individual found his or her way to that page? Lipp says motor vehicle records dating back to 2012 were freely available on the site to be viewed or downloaded. A bad actor could use your license plate number or city parking permit number to find your home address. Lipp says that the "hotlists" of license plates to be monitored were massive—one parking enforcement list included 720,000 hits, each of which carried a plate number, location data, and the vehicle make and model.

For reference, Boston's population is around 650,000. 

Perhaps even more troubling is the fact that the data on the page in question included 2,500 hits grouped on a "Gang/Terrorist Watch" list. It's unclear if that list was maintained by Boston Police or the FBI.

Thankfully, this particular data security oversight has been rectified: In late August, Lipp contacted Xerox (a subsidiary of which operated the data server in question), informing the company of the public nature of the data. "Within two hours, the portal was removed from public view," he reports.

It's worth pointing out that Lipp is maybe not the most unbiased journalist in this regard. His report concludes, "fortunately for the people of Massachusetts, Big Brother let its guard down this time, and was exposed. If not for incompetence, we'd have no transparency at all." But his reporting is finely researched and thorough, and what he found was alarming enough to pique the interest of the American Civil Liberties Union.

Mass surveillance of law-abiding citizens isn't going away, and the license plate you're legally required to affix to your car provides an incredibly easy means of conducting such widespread digital dragnets. The fact that some of our nation's largest city police departments can't figure out how to secure that massive trove of data is rightfully terrifying. 

via PrivacySOS

From: Road & Track
Bob Sorokanich
Former DEPUTY EDITOR, ROAD & TRACK MAGAZINE

Bob Sorokanich previously served as deputy editor of Road & Track Magazine. He is based in New York City.