In a truly remarkable online security lapse, Sheffield City Council's automatic number-plate recognition (ANPR) system has been found to have exposed the details of an enormous 8.6 million road journeys made by hundreds of thousands of people across the district.
ANPR is the system of cameras and sensors that are placed all over the UK’s road network. Most people assume they are there to catch people who are speeding or driving without tax or insurance.
But the truth is that they record far more than that, as this leak has now exposed, in a story that not only lays bare the truth about ANPR but also reveals the casual way in which so many public bodies treat our sensitive private data.
Sheffield’s ANPR disaster
The story of Sheffield’s ANPR problems was first unearthed by Chris Kubecka, an author and information security expert, and freelance writer Gerard Jannsen, who subsequently shared it with The Register website.
They found that Sheffield City Council’s ANPR internal management dashboard could be accessed by anyone simply by typing its IP address into a web browser. It had no login requirements and no password protection enabled, something that seems staggering in this day and age.
With this unprotected access, Kubecka and Jannsen were able to view and search the ANPR system in real time. Even more troubling, they could also access the system’s log, which revealed the details of millions of vehicles and recorded when and where they travelled around the Sheffield road network.
This is a staggering security lapse and could have proved hugely dangerous. Anyone could use the data on this system to reconstruct an individual vehicle’s journey or even a series of journeys. Such information could be combined with other details or used to plot the movements of the vehicle’s occupants with a view to attacking them or robbing their home.
Sheffield City Council and South Yorkshire Police have now reported themselves to the Information Commissioner’s Office and can expect a severe dressing down on top of a sizable punishment.
The UK’s Surveillance Camera Commissioner, Tony Porter, has described the lapse as “both astonishing and worrying.” He has demanded a full inquiry.
What this leak tells us about ANPR and privacy
So too have Privacy International. Their representative, Edin Omanovic said the revelation raised serious questions about what exactly ANPR cameras were actually being used for in the UK.
Sheffield’s ANPR network was installed in 2014 when the city set up a clean air zone in the city centre and began charging some vehicles for driving into the area.
As the Register article notes, the word privacy is not included in any of the 164 pages of the council document explaining this scheme, and the data the council’s dashboard was recording appears to go far beyond what is needed for this system’s rather narrow remit.
A subsequent investigation has also found no signs up in Sheffield warning about the use of ANPR, which is almost certainly illegal.
As Edin Omanovic told the Register, ANPR “is not supposed to be a tool of mass surveillance… Time and again we've seen the introduction of surveillance tech for very specific purposes, only to creep into other areas of enforcement.”
“[The Council and the Police] must both now explain how exactly they are using this system, how their use is consistent with data protection rules, how it came to be that this data was exposed, and what changes they've made to ensure it never happens again,” he continued.
He is absolutely right. Why are these ANPR cameras, which are supposed to bill certain cars entering a specific area, actually logging millions of journeys and details about hundreds of thousands of vehicles? How is this data being used and how long is it being kept for?
A major online security blunder
If easy access to the ANPR dashboard and its log of millions of journeys was not bad enough, The Register also asked an anonymous information security researcher to take a closer look at the server that hosts the dashboard.
He found that this included the address of a storage drive that featured millions of raw images taken from these cameras. These images will include a car number plate but could also include the faces of drivers and passengers as well as nearby pedestrians and people entering and exiting shops.
Any hacker worth his salt would have been able to access all of this private information with ease and sell it on. Perhaps they did, although there is no evidence presented in the report to suggest this is the case.
It is timely for this revelation to come to light as only two days ago, we reported on the UK government’s plans to allow five more public bodies to be added to the already extensive list of organisations that can routinely access the internet data of every UK citizen.
This story shows how public bodies have a proven track record of being lax with our private information and highlights the potential risks they can place all of us under. It reaffirms why we should always resist the government’s efforts to carry out surveillance and share the data with anyone they choose.
This case may be an extreme example, but unless the highest standards of security and privacy are used to protect our private information, it can easily fall into the hands of hackers and the consequences of that could be dire.