Automated License Plate Tracking: A Serial-Killer Goldmine

File under “unintended consequences”—unintended serial killer-enabling consequences, that is.

License plate info collected by law enforcement agencies can reveal much about you—and offer prospective stalkers a wealth of information about your movements should that information be accessible to the outside world.

And guess what? It turns out that the automated license plate recognition (ALPR) systems of three parishes in Louisiana plus the University of Southern California’s public safety department use totally open web pages accessible by anyone with a browser, according to the Electronic Frontier Foundation.

ALPRs are networks of cameras that take pictures of every passing car and capture data on each car’s license plate number, including the time, date, and location where the vehicle was photographed. The idea is to match the info up with a “hot list,” or an index of cars that are stolen or believed to be tied to criminal activities.

But the problem comes in the mass surveillance aspect of the system—it records all movements of every car across its regional network.

“Depending on how much data has been collected, this information in aggregate can reveal all sorts of personal information, including what doctors you visit, what protests you attend, and where you work, shop, worship and sleep at night,” EFF noted in a blog.

That’s pretty terrifying. The EFF is more concerned about Big Brother type activities—and fair enough, we don’t need local law enforcement to be all up in our business any more than the NSA needs to be—but in my mind it’s the potential for physical consequences that seems scarier.

Disgruntled spouses, ex-coworkers and employees, unhinged baristas at the local Starbucks—who knows who you might piss off in a day. The ability to track your movements via a completely unprotected website offers a prime opportunity for anyone (literally, anyone: think about THAT for a second) to watch you for a couple of days, learn your movements and intercept you, for any number of purposes. None of which are very pleasant to think about.

Sure, Halloween is over, and I may have watched one too many frightfest flicks this season, but to take this a step further: Are you aware that at any given moment, there are 35 to 50 active serial killers in the United States, according to an FBI source? I hate to say it, but it’s burning an imprint on my brain: This type of thing is a gold mine for victim hunting.

So let’s recap: “Even if a vehicle isn’t involved in a crime, data on where it was and when may be stored for many years, just in case the vehicle later comes under suspicion,” EFF said. “Consequently, a breach of an ALPR system is a breach of potentially every driver’s travel history.”


“The ALPR systems at the center of our investigation were sold by a company called PIPS Technology, which has since been bought by 3M. In 2011, prior to the acquisition, the company bragged of installing more than 20,000 cameras around the globe. After independent security researchers alerted us to the vulnerabilities, we discovered that many stationary ALPR cameras from PIPS were individually connected to the Internet and freely accessible online to anyone who knew where to look.”

It would be worth finding out what your local po-po is doing in this regard—and lodging a citizen’s demand that encryption, password protection and other security mechanisms are employed on such systems. If not, watch those baristas—they look just like everybody else.
