UK City Leaves Nearly Nine Million License Plate/Location Data Records Exposed On The Open Web

from the city-hopes-to-one-day-achieve-minimum-competence dept

Government officials always remind us that the price of order and lawfulness requires us, as a society, to give up some of our privacy and liberty. It shouldn't be that way, but it almost always is.

For UK motorists, the exchange rate for orderly motorway traffic is millions of their travel records left exposed on the open internet.

In a blunder described as "astonishing and worrying," Sheffield City Council's automatic number-plate recognition (ANPR) system exposed to the internet 8.6 million records of road journeys made by thousands of people, The Register can reveal.

The ANPR camera system's internal management dashboard could be accessed by simply entering its IP address into a web browser. No login details or authentication of any sort was needed to view and search the live system – which logs where and when vehicles, identified by their number plates, travel through Sheffield's road network.

Oh my no. This isn't acceptable. Sure, the Surveillance Camera Commissioner (yes, that's a thing in the UK) called it "astonishing and worrying," but even those terms fail to capture the horrendousness of this blunder. If it seems like a lot of records to leave unsecured on the open web, it is. It could allow anyone to retrace the travels of thousands of drivers with minimal effort.

It takes a while to amass nearly nine million license plate photos, but not nearly as long as one might expect. As The Register points out, the system's 100 cameras collect thousands of photos every day. On February 24, the cameras collected 21,000 photos. The only thing slowing the system down is the coronavirus. Stay-at-home orders dropped the record collection down to a more manageable 13,000 records on April 13.

The massive system went live in 2018, accompanied by documents that do not contain the word "privacy" anywhere in their 164 pages of bureaucratese. Apparently, no one bothered to perform any sort of penetration test that might have discovered this wide-open door before security researchers did. The best summation of this clusterfuck comes from the person who discovered the unsecured license plate portal.

The Register learned of the unprotected dashboard from infosec expert and author Chris Kubecka, working with freelance writer Gerard Janssen, who stumbled across it using search engine She said: "Was the public ever told the system would be in place and that the risks were reasonable? Was there an opportunity for public discourse – or, like in Hitchhiker's Guide to the Galaxy, were the plans in a planning office at an impossible or undisclosed location?"

The Sheffield City Council's response to the news is less than comforting. While properly calling the breach unacceptable, the city (and the local assistant chief constable) claims (without offering any evidence) that no one was "harmed" or "suffered any detrimental effects" from the exposed database. I beg to differ. It quite clearly harmed the trust drivers may have had in their local government and didn't do any favors for the traffic camera system provider either. Overseeing a system whose pervasiveness is only surpassed by its insecurity seems pretty detrimental to the "there's always a tradeoff" posturing governments use when subjecting constituents to even more omnipresent surveillance.

Filed Under: leak, license plate, location data, privacy, sheffield, uk

Reader Comments

  • Anonymous Coward, 6 May 2020 @ 4:20am

    Your story completely contradicts itself.

  • Anonymous Anonymous Coward, 6 May 2020 @ 6:51am

    Lazy or incompetent?

    I don't see the need to put this kind of data on an Internet accessible device. If other government agencies need access, couldn't they be given access to a private network that isn't Internet connected? Sure, over the Internet is easier, but only if one does not bother with properly securing the data, which would mean encrypting it among other things.

    • PaulT, 6 May 2020 @ 7:29am

      Re: Lazy or incompetent?

      Why not both? The possible scenarios I can imagine:

      1. Nobody considered security when designing the system, they were pressured to get something functional available rather than design the best option
      2. Security was considered but it was intended to be on a private network, not on the public internet and someone cocked up the rollout, or made changes after the original deployment that weren't properly tested
      3. It was intended to be on the public internet, but testing was defunded, or some manager overrode the tests to get it operational before the tests were complete.

      There's other possibilities but my experience tells me it's likely to be one of the above.

  • Scary Devil Monastery, 6 May 2020 @ 7:20am

    The more things change...

    "Was there an opportunity for public discourse – or, like in Hitchhiker's Guide to the Galaxy, were the plans in a planning office at an impossible or undisclosed location?"

    People keep forgetting that the reason so much of Douglas Adams works as fine sarcasm is because it is eminently recognizable from real life.

    Authorities have always been big on the "you've got nothing to hide" rhetoric while being similarly big on making sure their own maneuvers around the security theatre performance they're about to pull is, if not hidden then placed in a location which is inconvenient to access.

    The irony is that in the UK as in everywhere else it might not be that the authorities DO have anything to hide, specifically. They just have this inexplicable urge to do their business in private, if you don't mind...

  • Anonymous Coward, 6 May 2020 @ 10:26am

    Shouldn't worry about it. Once all this corona virus recognition crap has been forced on to us, every government everywhere will have exactly what they want, every one of us bent over a barrel without a single morsel of freedom or privacy ever again!

  • ECA, 6 May 2020 @ 11:23am

    really have to ask...

    Is this real?
    Is this part of a conspiracy?
    HOW bad is it to set up a computer and protect it.
    Haven't we been through this a lot in recent years and the understanding of 'What not to do' should be clear.
    But, there are new occurrences every day, and it seems not to be slowing down.
    There must be some powerful systems and protection for google, amazon, and a few others..
    MAYBE they have real sysops and admins watching things.
    Maybe they installed a Better front end, and not direct access to the system.
    Maybe the big corps install honeypots and other protections that have bells and whistles to warn them of mistakes.

    And I would still love to know what server OS they are running. Or did they just Slap it together and let it work.

  • Coyne Tibbets, 6 May 2020 @ 5:02pm

    Something don't seem right

    I am wondering where these "100 cameras" are located. Timbuktu, maybe? According to them, the cameras recorded 21,000 cars per day. But that boils down to 210 cars per camera. One station on Colonial Blvd in Orange County Florida tracked 65,000 cars/day (well, it's a busy street).

    Okay, Sheffield is smaller than Orlando, but still...these roads must be pretty darn remote. Either that or someone has fudged a number somewhere.

    • PaulT, 6 May 2020 @ 11:25pm

      Re: Something don't seem right

      Well, for one thing cities outside the US can tend to be a lot less car obsessive, with decent public transportation and other forms of transport being more common. My experience is that US cities are often designed so it's impossible to make most journeys without a car, while elsewhere other forms of transport can be preferable. British cities actually have taken a direction of building car-free areas, closing off city centre streets to cars, and I know that Sheffield has buses, trams and trains as well as cycle networks.

      You also seem to be assuming that the point of these cameras is to monitor major roads, but that doesn't seem to be evident from the article. It's likely that their purpose is to monitor streets where cars have already been restricted to traffic, rather than just trying to gobble up data on anyone exiting the M1 toward it.

  • BG, 7 May 2020 @ 2:02am

    Lack of evidence?

    What are the odds that the lack of evidence of any unauthorised access is due to the fact it has no proper monitoring or logging function? There should have been evidence of access from either/both the search engine or the security researcher at a minimum.
