Jump to content


Sheffield Council's Anpr System Left Open To Internet

Recommended Posts

From this report in The Register

In a blunder described as "astonishing and worrying," Sheffield City Council's automatic number-plate recognition (ANPR) system exposed to the internet 8.6 million records of road journeys made by thousands of people, The Register can reveal.



The ANPR camera system's internal management dashboard could be accessed by simply entering its IP address into a web browser. No login details or authentication of any sort was needed to view and search the live system – which logs where and when vehicles, identified by their number plates, travel through Sheffield's road network.

 

An astonishing level of incompetence.

Share this post


Link to post
Share on other sites

Even leaving aside the data breach, why is that data being logged and stored indefinitely anyway? It's one thing for a traffic camera to log the VRM of a car detected as having jumped a red light or whatever - what reasonable cause do SCC have to indefinitely save the details of every vehicle passing any camera? Or to put it another way, anyone at SCC with suitable access (and until just now that meant anyone in the world with internet access) can do a search of my VRM and get a complete log of all the car journeys I've made in the last two years.

Share this post


Link to post
Share on other sites

From the link:

 

`Nowhere in the public-facing 32-page council document nor the 132-page appendix is the word "privacy" mentioned let alone "privacy impact assessment." The only impact assessment mentioned as being carried out was an equality one, allegedly to ensure "different communities" in Sheffield wouldn't object to the low-emission zone.`

 

Says it all really.

Share this post


Link to post
Share on other sites
1 hour ago, dave_the_m said:

Even leaving aside the data breach, why is that data being logged and stored indefinitely anyway? 

Where does it say the data is kept indefinitely?

 

SCC have had traffic ANPR cameras for many years. It was debated on here fairly extensively circa 2009 on this thread: 

 

Share this post


Link to post
Share on other sites
1 hour ago, dave_the_m said:

Even leaving aside the data breach, why is that data being logged and stored indefinitely anyway? It's one thing for a traffic camera to log the VRM of a car detected as having jumped a red light or whatever - what reasonable cause do SCC have to indefinitely save the details of every vehicle passing any camera? Or to put it another way, anyone at SCC with suitable access (and until just now that meant anyone in the world with internet access) can do a search of my VRM and get a complete log of all the car journeys I've made in the last two years.

But what harm has it done to you? I don't see the problem.

Share this post


Link to post
Share on other sites
14 minutes ago, Planner1 said:

Where does it say the data is kept indefinitely?

 

SCC have had traffic ANPR cameras for many years. It was debated on here fairly extensively circa 2009 on this thread: 

 

The Register article implied that the data was growing over time, which tended to imply that the data was certainly retained, if not indefinitely, then possibly back to Nov 2018. If you have more specific details, feel free to share.

 

If the data was being kept purely for traffic planning purposes, then it should at least have been anonymised - as a simple example, each new day at 3am, all records for the last 24H are automatically scanned, and each unique reg is replaced with a unique random token. This is trivial to achieve if the will is there. Note that the VRM is classified as personal data by the ICO, and under the GDPR, it mustn't be unnecessarily retained.

 

That was a very long thread you referred to - I only scanned the first 8 pages of it. If there's anything pertinent that I I haven't covered, you'll have to mention it again.

Share this post


Link to post
Share on other sites
14 minutes ago, WarPig said:

But what harm has it done to you? I don't see the problem.

For example, I was involved with the tree protests. Council officials could have tracked my car in order to obtain information about my activities and movements.

 

Or someone who works at the council could track the regular travel habits of their estranged (and possibly abused) partner.

 

You cannot assume that authorities will only ever use such information for good. Rather than relying on their goodwill, it is better that they don't have access to such data in the first place. History is replete with authorities abusing their power - such as the FBI's investigation of Martin Luther King.

Share this post


Link to post
Share on other sites
18 minutes ago, dave_the_m said:

The Register article implied that the data was growing over time, which tended to imply that the data was certainly retained, if not indefinitely, then possibly back to Nov 2018. If you have more specific details, feel free to share.

 

If the data was being kept purely for traffic planning purposes, then it should at least have been anonymised - as a simple example, each new day at 3am, all records for the last 24H are automatically scanned, and each unique reg is replaced with a unique random token. This is trivial to achieve if the will is there. Note that the VRM is classified as personal data by the ICO, and under the GDPR, it mustn't be unnecessarily retained.

 

That was a very long thread you referred to - I only scanned the first 8 pages of it. If there's anything pertinent that I I haven't covered, you'll have to mention it again.

Yes I’m well aware of GDPR requirements and so are SCC. Certainly when that thread was running, SCC said they were hashing / anonymising the data and only retaining it as long as necessary. 
 

The data would of course have been growing all the time as a large network of cameras records plates constantly. Looked to me that the authors of the article were trying to make it sound as sensational as possible.

 

Experience has taught me to favour cockup over conspiracy and I’d certainly think that is the case here. I’m sure the details will come out when the ICO have looked into it.
 

Major cities tend to have these systems as it is very useful to have up to date data on traffic movements across the area and how they change over time.

Edited by Planner1

Share this post


Link to post
Share on other sites
8 minutes ago, Planner1 said:

 Certainly when that thread was running, SCC said they were hashing / anonymising the data and only retaining it as long as necessary. 
 

 

And yet that Reg article shows the system displaying a log for a specific VRM. Perhaps SCC lied??

To quote the article (my bold):

Quote

A total of 8,616,198 records of vehicle movements, by time, location, and number plate, could be searched through the dashboard

 

Share this post


Link to post
Share on other sites
11 minutes ago, Planner1 said:

Yes I’m well aware of GDPR requirements and so are SCC. Certainly when that thread was running, SCC said they were hashing / anonymising the data and only retaining it as long as necessary. 
 

 

The report in The Register clearly indicates they are not hashing / anonymising the data. If they've lied about that they can't really expect us to trust them when they say they only keep it as long as necessary.

Share this post


Link to post
Share on other sites
8 minutes ago, dave_the_m said:

And yet that Reg article shows the system displaying a log for a specific VRM. Perhaps SCC lied??

To quote the article (my bold):

 

Well, it appears the system has been changed / upgraded since those days, so something may have gone wrong? We don’t know and probably won’t know till the ICO do their investigation.

 

Its also worth noting that at the time of the thread I pointed to, the ICO investigated SCC’s use of the ANPR data they were collecting and did not have any concerns.

Edited by Planner1

Share this post


Link to post
Share on other sites

Another thing of note..The ANPR cameras that SCC operate are Directly linked to the DVLA's own data base.

 

Thereby sharing information re...Taxed, uninsured motor vehicles etc.

 

 

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.