Hacker News new | past | comments | ask | show | jobs | submit login
EFF Wins Access to License Plate Reader Data to Study Law Enforcement Use (eff.org)
518 points by slowhand09 on Oct 3, 2019 | hide | past | favorite | 66 comments



"The California Supreme Court ruling has significance beyond the ALPR case. It set a groundbreaking precedent that mass, indiscriminate data collection by the police can’t be withheld just because the information may contain some data related to criminal investigations."

Good. What other systems would be targeted next by the EFF? Facial recognition systems?


Legally it doesn't make much sense to gather a ton of data and say "well something might be in there" and now nobody ever sees it.

Pretty easy to just make big buckets of data nobody ever sees...


When you use the Constitution as a base line as to what it's logical for the government to do, then it's absolutely ridiculous to allow it. The only one who can argue otherwise are lawyers who represent cops/FBI/NSA whose sole purpose is to do the best job they can do, which obviously means no limits on their power. It's up to citizens to vote in law makers who actually represent our interests, the CIA/FBI/cops will only ever stick up for what is in their best interests. That swearing to protect the Constitution is really just a formality and not really applied to their daily activities.


They all take the oath to to "preserve, protect, and defend the Constitution of the United States". It would be great if those agents of the government were held accountable to that oath, and if found guilty of otherwise face appropriate repercussions


Orwell wrote:

>when I see an actual flesh-and-blood worker in conflict with his natural enemy, the policeman, I do not have to ask myself which side I am on


Orwell was a communist, though. It sort of confuses me what he meant by all that. Did he not understand that the kind of mistreatment of humanity was what he supported? I have read his memoirs and articles, I know he was a smart guy who took big chances in Spain and places. I just don't understand why such intelligent people support big, top-down, collectivist structures.


>It's up to citizens to vote in law makers who actually represent our interests...

That just doesn't happen. And that is because the majority of voters do not know who they are voting for or what they really stand for. Voting in the US is more of a popularity contest between two teams, and the team with the most money and the most pleasing rhetoric (lies) will win.


You should read up on the 17th amendment. Our constitution has been hobbled a number of ways not originally intended.


Easier is to let a third party make and manage the buckets of data and just use a warrant to get whatever you want.


Even easier to just not worry about getting a warrant.


Yeah, no need for a warrant when you can use a National Security Letter. They even come with built-in gag orders!


I'm in Taiwan right now, and they use license plate readers to associate plates in parking lots with the parking ticket you receive to track the time you're in the mall. Sure you could use it as metadata for human analytics, but in this case I'm pretty certain its current use is for reducing queues and making checkin and checkout of parking lots more efficient.

I feel like there is a fine line between pure technology advanced convenience and actually big brother style monitoring. In Taiwan if you drop trash where you shouldn't there's a chance that a camera will capture your movement, and they will try to find out who that person is.

In China, I assume it's the same, but because of the way it's set up it gives you more of a prison feeling. At least that's what I felt like to me in Pudong, Shanghai.

What I'm saying is how can we make sure that we get the convenience part without the pervasive big brother aspect. I'm sure there is a way and I believe that's what we should focus on as technically moves on.

Similarly, the same applies to things such as medical records.


> In Taiwan if you drop trash where you shouldn't there's a chance that a camera will capture your movement, and they will try to find out who that person is.

Wouldn't a permanent surveillance reveal that humans are biologically unfit to follow "laws" and keep up with their changes? Humans do mistakes all the time, especially when they are tired or under pressure, or maybe they don't have the time to read the hundred of pages of law and they simply would like to live without fear of being prosecuted for every single small mistakes they may make.

For example, in Taiwan, if someone drops trash somewhere where they shouldn't have, and police finds you, what's are the results ? A full fine ? A warning ? An investigation to understand if the person was intentionally breaking the law ?

Wouldn't a mass surveillance system force people to never go outside, by fear of unintentionally breaking the law and get caught ?


> Wouldn't a mass surveillance system force people to never go outside, by fear of unintentionally breaking the law and get caught ?

I find it more likely that enforcement would be relatively rare, and selective. Rare so that people still go outside. Selective in a way that marginalizes anyone who gets in the way of the people in charge. After all, they'll be able to find a record of criminal activity for anyone.


It's not difficult to imagine such data being used for both benign and malevolent purposes.


Yeah, but that's not the point.

We know that this is the direction we're going. So the focus shouldn't be prohibition, but rather different ownership models to data and more sensible access to the data only to parts and the parties necessary.

Germany for example while being "sort of" privacy aware is a prime example on how not to do it. They've been deadlocked in this for decades now and can't seem to find a way out. All the while expanding infringement of data access where it shouldn't be happening.

They've been writing an own HIPAA for almost a decade now with no end in sight. They, did the same for the medical card spending a decade on discussions on privacy without actually addressing any of them.

I give you another example. The access to medical laws in Germany while good in theory make everyone sign a verbatim access to your medical history in writing which you then have to retract in writing IF you can even remember all the places you've signed this form. It looks good on paper but if you ask me it's an absolute privacy disaster.


I think you are touching a fundamental problem with humans.

One aspect is that we do make mistakes, cannot follow rigid laws to the letter and that's why we have judges. Judges are supposed to consider "all circumstances" of a particular event and have the power to decide for no punishment even if technically a law was broken. This system has been evolving for centuries, don't expect it to be solved any time soon. It's still imperfect.

The other aspect is that different parties have different motivation and no matter which system you implement, it can be "hacked". Just like any computer can be hacked. A system is a construct and if you follow the construct, you can find ways around it. So it depends on the motivation of the parties - if it's strong enough, they will find a way through. If motivations align, they will cooperate. Again, behavioral psychologists have been trying to understand how cooperation happens, and it's not a solved problem, maybe even not solvable. There will always be power plays.

It might seem like it should have a solution, that it's just about the ownership models, but this is more fundamental. I would personally be ok with cameras monitoring people who throw thrash on the streets if the punishments were somehow "reasonable", but it's just not possible. Not to mention it costs something to issue the punishment, so it doesn't make sense to issue very small punishments, and somebody needs to clean it anyway, and our technology is not 100% accurate and, and, and... So realistically there are just many easier treatments, that are "good enough", not perfect, that unfortunately leave some trash on the streets because the alternative is dystopia.


I get what you're saying but that problem already exists. Your medical data is already stored in a bunch of crappy insecure systems with inadequate protection.

So your ideal world that you're describing there already doesn't exist. Whereas working on expiring data and temporary access permissions on data you own and is stored on your own devices is a million times more secure than the cluster fuck we're trying to protect.


I was mostly referring to this thing you wrote earlier: "how can we make sure that we get the convenience part without the pervasive big brother aspect. I'm sure there is a way" - I think that simply cannot exist due to all the practical limitations with rigid systems and costs to issue punishment. And that clusterfuck is mostly the result of the power plays between multiple parties who are trying to hack each other's proposals, trying to win something over others. And that will also exist for as long as we are human. So I'm not really describing any ideal world, it is in fact quite sad. We will probably never have all our data truly in our own hands, even though it might seem easier and more secure. There are practical limitations of being human and there are competing human interests.


Four years ago in this case, the LA police said that all cars in Los Angeles are under investigation. [1]

[1] https://news.ycombinator.com/item?id=7434448


That is not really inconsistent with the principle of implied consent for drivers. Driving is dangerous and destructive and not a natural right. Cars _should_ be under suspicion at all times, moving or parked.


Implied consent for drivers is from a bygone era when cars were not the dominant mode of transportation. Mass transit in LA (and most of the rest of the United States) is a woefully inadequate alternative. You can't consent to something when there is reasonably no other choice.

Your argument would only hold water in the future if self-driving cars become widespread and it isn't necessary to display a number plate on a car without a human driver, thereby giving people a reasonable transportation alternative that allows for anonymous freedom of movement. Until then, the government should not be able to simultaneously mandate number plates and use them for mass surveillance.


Implied consent passed in California in 1998.


The 1998 California legislature was full of people who were adults before the interstate highway system was built. And the Patriot Act was passed in 2001; doesn't mean the sentiment doesn't date to the McCarthy era.


While there is no right to driving automobiles there is a right to travel and interstate commerce. Notably there is no right to travel at a specific speed or in a specific way so it follows that there is some right to travel by car, and the various tracking mechanisms of vehicles violate the 4th.

Saying there is no right to travel via automobile is like saying certain methods of disseminating speech are not protected.


There's a lot of digital advocacy and letter writing out there that sometimes has me all "Man does anyone do anything that produces a result?". I'm pretty proud to support the EFF who seriously puts in a lot of work to actually do things that seem like they matter as far as the digital age goes (not sure we're calling it that anymore).


I’m super-curious how Mars will be governed.


There's a Playstation 2 FPS that focuses on a miner uprising on Mars (with destroyable walls) that gamed this out:

https://en.wikipedia.org/wiki/Red_Faction_(video_game)

>Red Faction takes place on Mars around the year 2075. Earth's minerals are being depleted and humans need more of them to survive. The vast Ultor Corporation runs the mining operation on Mars. The living conditions are deplorable, human rights for the miners are few, and a disease called "The Plague" is running rampant throughout the colony with no known antidote available—predominantly within the confines of the mine complex. Parker, a downtrodden miner, came to Mars to make a new start in his life—taken in by the promises and advantages Ultor has to offer in the mines of Mars. After a routine day in the mine with the typical aggression toward miners and cramped living conditions and poor nutrition, he witnesses the spark that starts a rebellion when a security guard abuses a miner at the end of his shift and heartlessly kills him.[5] Parker takes up arms, with the help of Hendrix, a rebellious Ultor security technician who guides Parker through the complex.


Yeah, but that's just a common story (repeated throughout history), that happens to take place on Mars, just like it happened on Earth. There's nothing in it that explores the fact that they are on a different planet.


>The data, which has been deidentified to protect drivers’ privacy, will allow EFF and ACLU SoCal to learn how the agencies are using automated license plate reader (ALPR) systems throughout the city and county of Los Angeles and educate the public on the privacy risks posed by this intrusive technology.

If the data tells you that much, which it sounds like it does, how hard is it to figure out identities from the patterns?


De-anonymising data is not especially difficult. [0][1] Combine it with another database or two and you'll have a high degree of confidence you know who did what, where and when.

[0] http://digital.law.washington.edu/dspace-law/bitstream/handl...

[1] https://news.mit.edu/2013/how-hard-it-de-anonymize-cellphone...


With a large enough data set I'm guessing it'd be pretty trivial. It seems like it'd depend on how many places data was collected from. Car #308933938 drove past main street each morning mon-fri between the hours of 7:30am and 7:50am heading north doesn't tell you much, but if you catch the same car at more intersections every morning and don't record it at several other intersections along his projected route you could get a pretty clear picture of where they are going and where they stopped.


Is this really a good thing?

1. Indiscriminate collection by law enforcement is bad to start with.

2. Since we agree it was bad to collect such data, we’re going to set a precedent that law enforcement can’t have exclusive rights to that data. Instead, now some legal process allows bureaucrats or justices to give data improperly collected about me to third party private agencies that I’m not familiar with.

This is supposed to be a win for me? If data was improperly collected, it should be deleted. I don’t care how much value Org X thinks it can derive from that data and how many government employees Org X can persuade to share it with them.

I gather from comments here that EFF has a laudable mission and track record, but the reputation or purpose of the organization in question is orthogonal to the reasonableness of the data sharing precedent.

Perhaps I’m missing some crucial facts?


FOIA is "some legal process". If we don't want that data getting out, we shouldn't allow its collection.


FOIA doesn’t usually involve my personal data as a typical private citizen. Personal data that can potentially be traced back to me and affect my life in negative ways. It usually involves data about the work that the government itself is doing... work that is funded with my tax dollars and involving data that ostensibly can’t be used to harm me personally. Data sharing increases the attack surface for that data... considering I never consented to that data being collected in the first place, the supposed government of the people should be working very hard to make sure my data isn’t abused or hacked.

Agreed on the latter statement though.


Loading a database of plate numbers that are stolen, or reported for criminal activity/suspicion of criminal activity seem like a good compromise. Read a plate, compare it to the list. If not found, delete the record. Retention is the problem IMHO.


I think one can consider this like publishing an exploit. If the EFF can get that data, so can any shady organization, probably without you even knowing. They're casting light on the issue.


This is for LA “law enforcement” not sure if that’s LAPD only... though would appear broader.

Wonder if they’ll go after private ALPR systems like in Tiburon/Belvedere.


How does having the data tell the EFF how they are using the data? If you give me a spreadsheet with a bunch of data in it, I don't know how you use it.

Are they using it legally? How can we know just by looking at the data they have?


It doesn't matter how they are using the data, what matters is how they can use the data. We shouldn't trust that they will always do the right thing for citizens' privacy.


How about what parts of town they are collecting this data in and where APLR readers are located. Are all readers based on police vehicles? Are there fixed links location readers? I would assume every entry comes with lat\long and time of day.


In addition to data Creation and Reading, we also have to address Update and Delete.

Do they change the data or delete "special" cars or "special" events. If there are any exceptions to collecting and storing the data, we can't trust it for much of anything: maybe the license plate entry was changed to a different license, maybe seeing a license at a location was added to the data, maybe other suspects are ruled out because data was deleted. And there will absolutly be exceptions: undercover officers, the presidents motorcade, people with stalkers, etc...


> where APLR readers are located

On police cruisers, which indiscriminately scan as they drive through any neighborhood.


They can cross reference with the cases that actually get prosecuted.


"The data, which has been deidentified to protect drivers’ privacy, will allow EFF..."

Cross references won't be easy.


I'm guessing they might be able to find out how and where they're collecting the data.


I suppose you could register a company in Arizona (supports quasi-anonymous llc), then register the car in the company's name. They could obviously correlate if needed, but would somewhat force probable cause first.


Good luck insuring a car registered to an out of state LLC without lying to your insurance company.


Wouldn't that be a common thing? Don't LLCs have operations in locales other than where they are registered?


Nice!

I wonder if they have other tech on premises with the LPR cams doing BLE sniffing for "loose your keys" BLE tags and other UUID fingerprints like 802.11.


Does this mean we can download the data set?


"Download the ALPR Dataset"

https://www.eff.org/pages/download-alpr-dataset

does not appear to be updated with this data. but other data already available.


hope so... it would (maybe) make people realize how bad of a privacy invasion it is... cars should not have a visible tag... they should also not have all these wireless transmitters (like TPMS with unique IDs)


Why do you think you should be able to drive, in public, but anonymously?


There's a difference between being readily identifiable and actively surveilled.


No, the two are isomorphic.


In what's-possible-land, not what's-proper.


So when someone sees the car sideswipe yours in the parking lot, they describe it how...?


I suppose I could keep an RTLSDR in my car running rtl_433 at all times, and just filter out my own TPMS IDs...


I am humbled by your pi.


FINALLY! The best case here is that by scanning plates, you are casting a wide net and investigating without reasonable suspicion - which itself is a violation of your Fourth Amendment rights. The security and usage of that data is a whole other can of worms that also needs to be addressed.

Also, fwiw, if you drive a car made in the last 5 years, in all likelihood the manufacturer is tracking you as well.


Most people are completely oblivious to just how far surveillance capitalism is observing their every move inside public and private spaces.

Sad truth is that even if they would be aware, they'd just shrug their shoulders and let it be as they would have been framed to see it as either an inevitable state of things, or, being done in the name of their 'security' or some other vague benefit (personalized service).

Frameworks like the GDPR are steps in the right direction, but unless enforcement is staffed and funded at a scale to match the threat (It is not, not even close on a galactic scale), its impacts will mostly be cosmetic.

Don't get me wrong, I do applaud the work of privacy advocates, but unless we have a systemic change to reign in surveillance capitalism and captured regulation, things will only get worse.


When the city i live in announced they were deploying these readers i got a response from our police chief, he advised me that refusal to install them would result in their department losing some certification that allowed them to remain as independent as possible.


This opens some interesting questions. What certificates and independence requirements the police have?

How would these scanners and help?

Without the scanners who would they be dependent on?


I’ve always been curious how much data fixed cameras in Australia is used by LE, how can I find out?


Go EFF!




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: