Information Security, Top News

California to make it harder for your license plate to be tracked

On 9 January, a California committee passed senate bill SB-712: a piece of legislation that would make, what might seem like, a tiny tweak to a law that says you can’t cover your car’s license plate.

In California, it’s currently legal to cover your entire vehicle, including the license plate, to protect the car from the weather, as long as the cover is easy enough to pull up to get a look at the license plate.

However, it’s illegal to cover just the license plate, which you may very well want to do to protect your privacy from automated license plate readers (ALPRs).

The proposed tweak to the bill, introduced by Sen. Joel Anderson in 2017 and endorsed by the Electronic Frontier Foundation (EFF), would change the bill to read like so:

A covering shall not be used on license plates except as follows:
(1) The installation of a cover over a lawfully parked vehicle to protect it from the weather and the elements, or the installation of a cover over the license plate of a lawfully parked vehicle, does not constitute a violation of this subdivision. A peace officer or other regularly salaried employee of a public agency designated to enforce laws, including local ordinances, relating to the parking of vehicles may temporarily remove so much of the cover as is necessary to inspect any license plate, tab, or indicia of registration on a vehicle.

In other words, keep your spying, data-collecting, privacy-invading cameras away from our cars. There are businesses that send ALPRs, mounted on vehicles, driving up and down streets to document the travel patterns of drivers, to take photos of every license plate they see, to time-stamp and location-stamp those photos, to upload them to a central database, and to sell the data to lenders, insurance companies, and debt collectors.

The data-aggregators-on-wheels companies also sell information to law enforcement, including to the US Department of Homeland Security (DHS), the EFF says. The DHS, in fact, last month released its updated policy for using this commercial ALPR data for immigration enforcement.

DHS’s notice mentions “privacy and civil liberties protections that have been implemented by the agency and the vendor,” but we’ve seen time and again how casually vendors treat sensitive ALPR data and how nonresponsive they’ve been to police when they’ve tried to protect investigation details from unauthorized eyes.

In August, Wired detailed one such instance, wherein a sensitive case became an open book to police departments that had no business looking at it, all because they were able to enter a license plate number involved in the case.

These things suck up so much data, with so little protection for privacy, that legislators and police seem to have gone a little kid-in-a-candy-store. In 2015, for example, the Los Angeles City Council thought it was a good idea to have the city attorney’s office analyze a proposal to use license plate readers to determine who owns vehicles spotted parking in, or driving slowly through, neighborhoods known for prostitution. The idea was to then send “Dear John” letters, warning of sexually transmitted diseases (STDs), to the car owners’ home addresses, in the hopes that wives or girlfriends would intercept them.

The Atlantic has called the amassing of this huge database of driver information an “unprecedented threat to privacy.” From its coverage:

[Vigilant Solutions, an ALPR surveillance company] has taken roughly 2.2 billion license-plate photos to date. Each month, it captures and permanently stores about 80 million additional geotagged images. They may well have photographed your license plate. As a result, your whereabouts at given moments in the past are permanently stored. Vigilant Solutions profits by selling access to this data (and tries to safeguard it against hackers). Your diminished privacy is their product. And the police are their customers.

We have seen the security of ALPR live feeds compromised, streaming out the license plates of mostly innocent drivers caught in vast police dragnets. We have also seen police in Oakland, California, hand over an entire license plate reader data set to a journalist.

Should we care? After all, the ALPRs are just automating the collection of what can be seen by anybody driving down the street and jotting down license plate numbers, the argument goes. That’s how a Vigilant company official framed it when talking to the Washington Post:

[The technology] basically replaces an old analog function – your eyeballs… It’s the same thing as a guy holding his head out the window, looking down the block, and writing license-plate numbers down and comparing them against a list. The technology just makes things better and more productive.

The response to that from The Atlantic’s Conor Friedersdorf:

By this logic, Big Brother’s network of cameras and listening devices in 1984 was merely replacing the old analog technologies of eyes and ears in a more efficient manner, and was really no different from sending around a team of alert humans.

As we’ve noted in the past when reporting about Big Data, we have to stop thinking about data sets in terms of individual records and start thinking about them in terms of huge networks of possible relationships that exist between those records.

As Naked Security’s Paul Ducklin has pointed out, license plate readers are a good example of how seemingly innocuous pieces of discrete data – i.e., where your license plate was and when – manifest into something entirely different when amassed in huge data sets and cross-correlated, given that your plate number stays constant while your location changes.

There are properties and capabilities that emerge from large collections of data that don’t exist in the same data at smaller scales (it’s why we had to invent a term – Big Data – to describe it).

While one data point about a license plate could – and has – been used to do things such as track fugitives or solve a gang-related homicide, there’s no saying what the government can do with massive amounts of correlated data spanning years – the vast majority of which has been collected from innocent people who aren’t breaking any laws.

To put some numbers around the scope of how (in)effective ALPR data has been in fighting crime, the EFF has filed dozens of public records requests. It’s found that “less than 0.1% of license plate data collected by police are connected to a crime at the point of collection, but the remaining 99.9% of the data is stored and shared anyway.”

On 10 January, the bill that would make it legal to cover up cars’ license plates was ordered to a third reading, so as of 22 January, it wasn’t yet a done deal.


Source : Naked Security

Previous ArticleNext Article
Founder and Editor-in-Chief of 'Professional Hackers India'. Technology Evangelist, Security Analyst, Cyber Security Expert, PHP Developer and Part time hacker.

Send this to a friend