altus 540 #1 Posted April 28, 2020

From this report in The Register:

> In a blunder described as "astonishing and worrying," Sheffield City Council's automatic number-plate recognition (ANPR) system exposed to the internet 8.6 million records of road journeys made by thousands of people, The Register can reveal. The ANPR camera system's internal management dashboard could be accessed by simply entering its IP address into a web browser. No login details or authentication of any sort was needed to view and search the live system – which logs where and when vehicles, identified by their number plates, travel through Sheffield's road network.

An astonishing level of incompetence.
dave_the_m 61 #2 Posted April 28, 2020

Even leaving aside the data breach, why is that data being logged and stored indefinitely anyway? It's one thing for a traffic camera to log the VRM of a car detected as having jumped a red light or whatever - what reasonable cause do SCC have to indefinitely save the details of every vehicle passing any camera? Or to put it another way, anyone at SCC with suitable access (and until just now that meant anyone in the world with internet access) can do a search of my VRM and get a complete log of all the car journeys I've made in the last two years.
the_bloke 17 #3 Posted April 28, 2020

From the link:

`Nowhere in the public-facing 32-page council document nor the 132-page appendix is the word "privacy" mentioned let alone "privacy impact assessment." The only impact assessment mentioned as being carried out was an equality one, allegedly to ensure "different communities" in Sheffield wouldn't object to the low-emission zone.`

Says it all really.
Planner1 438 #4 Posted April 28, 2020

1 hour ago, dave_the_m said:

> Even leaving aside the data breach, why is that data being logged and stored indefinitely anyway?

Where does it say the data is kept indefinitely?

SCC have had traffic ANPR cameras for many years. It was debated on here fairly extensively circa 2009 on this thread:
WarPig 78 #5 Posted April 28, 2020

1 hour ago, dave_the_m said:

> Even leaving aside the data breach, why is that data being logged and stored indefinitely anyway? It's one thing for a traffic camera to log the VRM of a car detected as having jumped a red light or whatever - what reasonable cause do SCC have to indefinitely save the details of every vehicle passing any camera? Or to put it another way, anyone at SCC with suitable access (and until just now that meant anyone in the world with internet access) can do a search of my VRM and get a complete log of all the car journeys I've made in the last two years.

But what harm has it done to you? I don't see the problem.
dave_the_m 61 #6 Posted April 28, 2020

14 minutes ago, Planner1 said:

> Where does it say the data is kept indefinitely?
>
> SCC have had traffic ANPR cameras for many years. It was debated on here fairly extensively circa 2009 on this thread:

The Register article implied that the data was growing over time, which tended to imply that the data was certainly retained, if not indefinitely, then possibly back to Nov 2018. If you have more specific details, feel free to share.

If the data was being kept purely for traffic planning purposes, then it should at least have been anonymised - as a simple example, each new day at 3am, all records for the last 24H are automatically scanned, and each unique reg is replaced with a unique random token. This is trivial to achieve if the will is there. Note that the VRM is classified as personal data by the ICO, and under the GDPR, it mustn't be unnecessarily retained.

That was a very long thread you referred to - I only scanned the first 8 pages of it. If there's anything pertinent that I haven't covered, you'll have to mention it again.
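The nightly tokenisation described in post #6, sketched as an added example (not part of the original thread and not SCC's code). The record layout, function names, token format and sample plates are assumptions made for illustration.

```python
import secrets
from datetime import datetime, timedelta

def normalise(vrm):
    # "ab12 cde" and "AB12CDE" are the same plate.
    return "".join(vrm.split()).upper()

def tokenise_window(records, window_end, hours=24):
    """Return a copy of records in which every VRM read in the `hours`
    before window_end is replaced by a random token.
    Each record is a (timestamp, camera, vrm) tuple (assumed layout)."""
    window_start = window_end - timedelta(hours=hours)
    mapping = {}  # VRM -> token; local, so it is discarded on return
    out = []
    for ts, camera, vrm in records:
        if window_start <= ts < window_end:
            key = normalise(vrm)
            if key not in mapping:
                # Random, not a hash: the VRM space is small enough that an
                # unsalted hash could be reversed by enumerating every plate.
                mapping[key] = "tok_" + secrets.token_hex(8)
            vrm = mapping[key]
        out.append((ts, camera, vrm))
    return out

# Constructed sample data: camera names and plates are made up.
SAMPLE = [
    (datetime(2020, 4, 26, 8, 5), "cam-A", "AB12 CDE"),
    (datetime(2020, 4, 26, 8, 19), "cam-B", "ab12cde"),
    (datetime(2020, 4, 26, 9, 0), "cam-A", "XY68 ZZZ"),
    (datetime(2020, 4, 27, 8, 4), "cam-A", "AB12 CDE"),
]

def nightly_runs():
    # Two consecutive 3am jobs, each covering the previous 24 hours.
    after_first = tokenise_window(SAMPLE, datetime(2020, 4, 27, 3, 0))
    return tokenise_window(after_first, datetime(2020, 4, 28, 3, 0))

if __name__ == "__main__":
    for row in nightly_runs():
        print(row)
```

Within one day the same vehicle keeps one token, so journeys between cameras can still be counted; the next night's run issues a fresh token, so a plate cannot be followed from day to day.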
dave_the_m 61 #7 Posted April 28, 2020

14 minutes ago, WarPig said:

> But what harm has it done to you? I don't see the problem.

For example, I was involved with the tree protests. Council officials could have tracked my car in order to obtain information about my activities and movements.

Or someone who works at the council could track the regular travel habits of their estranged (and possibly abused) partner.

You cannot assume that authorities will only ever use such information for good. Rather than relying on their goodwill, it is better that they don't have access to such data in the first place. History is replete with authorities abusing their power - such as the FBI's investigation of Martin Luther King.
Planner1 438 #8 Posted April 28, 2020 (edited)

18 minutes ago, dave_the_m said:

> The Register article implied that the data was growing over time, which tended to imply that the data was certainly retained, if not indefinitely, then possibly back to Nov 2018. If you have more specific details, feel free to share.
>
> If the data was being kept purely for traffic planning purposes, then it should at least have been anonymised - as a simple example, each new day at 3am, all records for the last 24H are automatically scanned, and each unique reg is replaced with a unique random token. This is trivial to achieve if the will is there. Note that the VRM is classified as personal data by the ICO, and under the GDPR, it mustn't be unnecessarily retained.
>
> That was a very long thread you referred to - I only scanned the first 8 pages of it. If there's anything pertinent that I haven't covered, you'll have to mention it again.

Yes I’m well aware of GDPR requirements and so are SCC. Certainly when that thread was running, SCC said they were hashing / anonymising the data and only retaining it as long as necessary.

The data would of course have been growing all the time as a large network of cameras records plates constantly. Looked to me that the authors of the article were trying to make it sound as sensational as possible.

Experience has taught me to favour cockup over conspiracy and I’d certainly think that is the case here. I’m sure the details will come out when the ICO have looked into it.

Major cities tend to have these systems as it is very useful to have up to date data on traffic movements across the area and how they change over time.

Edited April 28, 2020 by Planner1
dave_the_m 61 #9 Posted April 28, 2020

8 minutes ago, Planner1 said:

> Certainly when that thread was running, SCC said they were hashing / anonymising the data and only retaining it as long as necessary.

And yet that Reg article shows the system displaying a log for a specific VRM. Perhaps SCC lied?? To quote the article (my bold):

> A total of 8,616,198 records of vehicle movements, by time, location, and number plate, could be searched through the dashboard
altus 540 #10 Posted April 28, 2020

11 minutes ago, Planner1 said:

> Yes I’m well aware of GDPR requirements and so are SCC. Certainly when that thread was running, SCC said they were hashing / anonymising the data and only retaining it as long as necessary.

The report in The Register clearly indicates they are not hashing / anonymising the data. If they've lied about that they can't really expect us to trust them when they say they only keep it as long as necessary.
Planner1 438 #11 Posted April 28, 2020 (edited)

8 minutes ago, dave_the_m said:

> And yet that Reg article shows the system displaying a log for a specific VRM. Perhaps SCC lied?? To quote the article (my bold):

Well, it appears the system has been changed / upgraded since those days, so something may have gone wrong? We don’t know and probably won’t know till the ICO do their investigation.

It's also worth noting that at the time of the thread I pointed to, the ICO investigated SCC’s use of the ANPR data they were collecting and did not have any concerns.

Edited April 28, 2020 by Planner1
FinBak 12 #12 Posted April 28, 2020

Another thing of note... The ANPR cameras that SCC operate are directly linked to the DVLA's own database, thereby sharing information re taxed, uninsured motor vehicles etc.