14 DAY TRIAL // Data acquired via automatic license plate readers (ALPR) deployed by the Boston Transportation Department (BTD) has been accidentally spewed online, according to a report on DigBoston.
Automatic license plate readers have been deployed in numerous US cities, and while highly controversial due to their privacy intrusion, have been actively used by local authorities to issue parking tickets and catch suspects wanted by the police.
In most cities, ALPRs are deployed and managed by transportation departments, which is also the case with the city of Boston.
While government recommendations prohibit the storage of private and sensitive user information on third-party servers, the city of Boston used a server belonging to Affiliated Computer Services (ACS), a Xerox subsidiary, to store data recorded by its ALPR system.
As DigBoston's reporter Kenneth Lipp has disclosed, this Web-facing server was improperly secured and exposed metadata acquired from ALPRs going back to 2012.
The ALPR data collection portal was left on a public-facing server
The data included details like the license plate number, the location at which the number was detected, along with car make and model.
Responding to Lipp's inquiries on the matter, Affiliated Computer Services removed the particular server from public view within two hours.
But the scandal did not end here. The problem is that this data was actively being used by the Boston Police Department, which back in 2013, announced they would stop, at the pressure of various user privacy groups.
Hundreds of emails containing license plate numbers were sent on daily basis to the Boston Police Department, as this PDF report shows.
Even if the data was being used to find stolen vehicles across the city, the problem still remains, and that's the general lack of transparency when it comes to public disclosures from law enforcement agencies, and their addiction to huge data collection practices.