I'd like to set up several of these LPRs along the highway that I travel regularly, compile a listing of license plate numbers of law enforcement vehicles (such as the unmarked police cruisers that like to travel it, pull drivers over, and ticket them), have those automatically mapped in a mobile application that's free for everyone to use, and see just how much law enforcement would like it then.
I had this running on Android a while back - turns out that back then (~3 years ago) it was _very_ hard to detect and recognise plates far enough away to be of any use. I could make it work for a plate in my target set that was directly in front or behind me, but any further than a few tens of meters away the performance dropped so badly that it was unusable.
I suspect a much better job could be done now, with a combination of better cameras in phones, more cpu available to do the processing on newer phones, and I suspect a multicopter brushless camera gimbal to stabilise/aim the camera.
(I was very space-limited, since I was testing this on a motorcycle, a car with a better-than-phone-grade machine in it would make the job simpler.)
"After all, drivers do not have a reasonable expectation of privacy over their publicly-visible plate number while driving down public roads."
Random people can see my license plate but they don't know who I am. Today only people who know my license plate AND happen to see it randomly know I'm there at this moment, which is a reasonable expectation of privacy for me.
Now, a website where you can query a partially complete trip history of any license plate would completely void that privacy. Think about such a tool in the hands of a paparazzi for instance...
You know the towtruck/repo industry currently compiles exactly this kind of dataset, and trades/sells it to each other? I have no doubt that well funded paparazzi already have access to exactly the tool you describe.
well, your dichotomy is fundamentally flawed imo. it's not "having information but keeping it private" vs. "having information and publishing it to the public".
the real issue is "a person who knows me well enough to know my license plate number can know my location at one point in time if they happen to be in the immediate area" vs. "all people who can find my license plate number can know my location at all points in time".
the dichotomy is "everyone in the checkout line can see what i'm buying" vs. "all people who know my first and last name can view my entire credit card transaction history".
I guess I don't see the distinction. If I see your license plate at the supermarket and post online that "license plate AAAAAA was seen at Whole Foods on December 6th", how is that qualitatively different from a license plate reader scanning your plate and storing that "license plate AAAAAA was at coordinates XX.XXXX, XX.XXXX at 2015-12-06?"
Unless you want to draw a line between information which is directly observed by people and information which is collected by machine, this seems like a difference of degree, not of kind.
Quantitative differences eventually become qualitative ones.
Nobody cares about any one particular data point being published; it's the collection of all of them that's revealing. See the "metadata" debate that's been going on for a year or two now.
I suspect that most folks would be willing to self-publish their checking account balance on one random day. But every day for a year, or their whole lives? Probably not. You have to marry me if you want to have that kind of information.
Do you see a distinction between me taking a photo of you by being out in public being my right and me using a special camera to pick up photons emitted by your body and not blocked by your clothing and creating an image from these?
Do you see a distinction between me being able to look into your window from the public sidewalk and me using infrared technology to map out everything you do in the house?
What if I invent a camera that can take a photo of a letter and reveal all the contents inside in easily readable detail, without needing to touch the letter. By you grabbing a letter out of your mailbox, you are letting me see the outside of it, so if this camera can capture the content is there any significant difference?
As with most pieces of surveillance, it's that there's a cost difference.
To find out where I am, you'd currently need to have me tailed. The cost involved gives me a reasonable degree of privacy in my estimation. You'd need to have some kind of reasonable cause, and assets, and need to think there was something in monitoring my movements worth spending for.
If it costs you $5 to pull up a complete driving history, you can surveil 1,000 people for the same cost, and go for a fishing trip. See if anyone moderately wealthy has been in a bad part of town, etc
Sorry for the long reply, no worries, I don't take it as criticism.
It's actually more like what amagumori said:
the dichotomy is "everyone in the checkout line can see what i'm buying" vs. "all people who know my first and last name can view my entire credit card transaction history".
If you see my license plate in the street today, I wouldn't care at all. I wouldn't be fine if you published that information in a "where is everybody right now" wiki.
From that wiki a stalker would have it really easy to ruin my life; a burglar could break in at the good moment; an employer could know I visited their concurrent, probably for an interview; I go to this church/mosque/synagogue/... : now you know my religion; the neighborhood association could see I have 'too many' (for their standard) friends (or AirBnB customers?) visiting; marketers could see I go often to store X,Y, on vacation to Z, that I'm more of a Fast food Mc lover than a BK, ...
Also:
So taking a photo of (or making a memory of having seen) doesn't violate your privacy. For many European countries it does violate the privacy, if that photo has no public information purpose. For instance: http://uk.practicallaw.com/7-573-6346
A photo of you in public does not violate your privacy. It has been ruled, time and time again, that the image you present is public and anyone can take a picture of it.
BUT, technology allows me to capture far more than the visible spectrum. Given your clothes probably don't consist of lead plates, part of the photons I can detect are from your body and not your clothes. So using this information, and some recoloring algorithms, I can likely create a decent image of your underlying body.
Applying technology allows for more information to be withdrawn from situations where previously that information wasn't available. But due to the need for advanced technology to pick up on the information, most people do not even realize they are leaking it. (Take private conversation being recorded at a distance by viewing vibrations in objects near where the conversation is happening.)
Our technology has outpaced our moral/philosophical reasoning and the gap keeps growing.
or any one with an ax to grind with a political figure. You manage to jeopardize a senator or two's privacy (and more importantly, security of them and their family) and you'll see legislation protecting everyone from this kind of technology tomorrow.
I believe in some jurisdictions you can if you have a verifiable justification like death threats or stalkers. Other than that I don't think you'd be able to.
Just FYI, you can pull an address from a license plate for about 40 dollars. We're all driving around with our addresses on our cars, there's no way to avoid that.
You can actually look up random people's numbers, because all the plates are two letters for the Canton, plus a number starting at 1. So for instance "ZG 888" is a valid plate, as is "ZH 12345"
Sweden too. Well, you fill in the reg number and a fax number online, and they fax the owner's information to you. Of course there are online services that will give you a fax number and receive ten or so free faxes for you.
Err, how? That's (afaik) a very privileged ability for law enforcement. I should not be able to get your home location or name from just your number plate
I've used a service called docusearch. I believe it's a network of private investigators across the US. You have to select from a few "permissible purposes". I've used it two or three times to pull plates of people dealing drugs on my street. I used the "Motor Vehicle Safety" category for these. I live right on a county line, so it helps me direct my calls to the appropriate police department, also, I like to know who these people are in case something worse ever happens.
I wonder if an extremely range-limited RFID plate with a challenge-response system that only local LEAs can read (modulo leaks, of course) would be better. We'd lose the ability for people reporting a crime to say "plate XYZ on green car at location A just did Q illegal thing", but maybe "green car at location A just did Q illegal thing" would be good enough.
It's hard to have an extremely range-limited RFID plate when only half the range is determined by the RFID chip itself -- a sufficiently large antenna on the receiver can increase the range. Granted a passport that's supposed to be readable from centimeters away will probably never be read a couple hundred meters away, but a license plate that can be read from a few meters away could be made readable from a hundred meters away.
Though I guess a smarter RFID plate could use latency to decide if a reader was "close enough", but that would make reliable reads harder since it would require several round trips.
I'm not quite sure how generating more data about people's locations and putting it in the hands of more people is considered a victory for privacy advocates.
On one level I agree - ensuring that it's easier for, say, a criminal gang to track unmarked police cars or abusive exes to find their victims seems a backward step.
The flip side of that, though, is that this power exists and is being used by rich, powerful entities anyway. If I was a law-abiding member of a mosque or political group, I'd love to know that undercover law enforcement officers are trying to stir up trouble, for example. If they can track me, why shouldn't I be able to track them? Or, less melodramatically, the highest rate of road fatalities in my country involve logging trucks. There are persistent claims that companies keep them on the road for more hours than their drivers are legally allowed to work, but they're politically shielded from official investigations. It would be nice for citizen groups to have the tools to investigate those claims.
If we should be able to go about free of day-to-day surveillance (absent good, court-approved cause), which I certainly agree with, then we should be modifying laws and institutions to reflect that. Since what we've got is a situation where the powerful (government agencies, large companies) use the absence of regulation and powerful tools to watch us the second-best option is for us to have the tools to watch them.
Sorry, but this is just a "movie plot terrorism" entry for Schneier's annual competition, not reality as we live in it.
In what way is acquiring the skills required to download/compile/configure this software, then integrate it with an electrically detonated bomb - more likely to be undertaken by "the bad guys" than hooking the detonator up to the backlight of a burner phone and standing a block away and texting it? (Just like every reported IED from the latest war-torn country being bombed into democracy and freedom.)
It makes me mad when intelligent people think up "bad things" that might be done with extremely high barriers to entry, when way simpler and easier to achieve methods for the same "bad stuff" are obvious.
Case in point - one of my local councils has just blanket banned "drones" (without even bothering to define what a "drone" is) on the pretext that "there is a concern about people taking unauthorised photos of children in public areas" - See more at: http://www.ausleisure.com.au/news/safety-fears-see-leichhard....
Watch this video of a $600 point-n-shoot camera (at least past the 37 sec mark) and tell me you're more at risk from someone with a drone invading your privacy: https://www.youtube.com/watch?v=Csp6asxf00o
If people want to take your (or your family's) picture, they will. Probably with their cell phone without anyone noticing, or with a $600 camera on a tripod so far away you can't even see them. They _won't_ buy a $1,200+ drone and learn to pilot it, then fly it up close where you can see it. (And they _certainly_ won't be learning to assemble and tune their own quadcopter for a few hundred dollars of Chinese sourced parts. Not just to be a creep with.)
Same if they want to blow something up - they're not going to clone some open source code from github, learn how to use its python bindings, and build a RaspberryPi powered auto-detonator to trigger off your numberplate. There are _way_ lower barrier-to-entry methods to achieve that goal (which are also way more reliable).
And hence we get groped or porno-scanned at every airport check in, and secret no fly lists which are good enough to stop people with names vaguely similar to possible terrorists from flying but which are not accurate enough for use as lists of people who shouldn't be permitted to buy guns.
Do you think that's an appropriate response? Especially since it seems to be almost universally true that every time the TSA is tested, weapons still get through the checkpoints with startling regularity.
Sorry, but I still see this as kneejerk reactions to spectacularly unlikely scenarios of "bad things happening" being proposed and regulated by people who don't care about reducing other people's freedom because it won't affect them personally.
I'm still unsure what you're suggesting "shouldn't be allowed" here? Open sourcing computer vision projects? Publishing on github? Should all hobbyists leave face detection algorithms to Facebook and Apple and Google, because someone else might misuse the results (worse than Zuckerberg already does)? It's all extremely reminiscent of the "crypto wars" and Homeland Security's new "House Un-American Mathematics Committee": https://twitter.com/puellavulnerata/status/67290345222221824...
Me? I'm 100% for publishing this (and similar) projects - because the tech is already out there and being used. Pretty much every towtruck and repo man has had this tech running for 5+ years, and almost nobody knows. Why is it a problem now that sufficiently motivated geeks can roll their own for ~$100 and a weekend's futzing around? Same with using promiscuous wifi adapters or TV-tuner SDRs to sniff MAC addresses or TMSIs - shopping malls and law enforcement are routinely using that tech to track you, I reckon more art projects showing how simple and creepy it is would be a good thing.
There's another movie-plot bomb detonator for you - an UberTooth One (or $5 Chinese counterfeit wifi adaptor in promiscuous mode) listening for the MAC address of your phone/smartwatch/tablet. What're we going to have to ban in response to that idea?
(I know, let's ban _ideas!_... (Sorry, that's way snarkier than intended...))
No because it is not going to make much difference.
> Sorry, but I still see this as kneejerk reactions to spectacularly unlikely scenarios of "bad things happening" being proposed and regulated by people who don't care about reducing other people's freedom because it won't affect them personally.
Fully agreed on that one.
> I'm still unsure what you're suggesting "shouldn't be allowed" here?
This software has a ton of bad use possibilities, I just threw out the first one that I could think of, there are a whole raft of others.
> Open sourcing computer vision projects? Publishing on github?
No, it's inevitable. But there is currently no framework on how to deal with these things. Just because you can doesn't always mean that you should. There are a ton of things I could do that are legal but that does not mean that all those things have a net-positive effect on the society we live in and I think that the ability to build these systems comes with some responsibility.
> Me? I'm 100% for publishing this (and similar) projects - because the tech is already out there and being used. Pretty much every towtruck and repo man has had this tech running for 5+ years, and almost nobody knows.
Yes, but they are limited in quantity and enough of a quantitative change is a qualitative change.
> (I know, let's ban _ideas!_... (Sorry, that's way snarkier than intended...))
Trivial might be a stretch. Try talking to some random people who aren't hackers/diy techies. I suspect this sort of task requires at least half a decade of somewhat specialized learning to execute with minimal physical risk, let alone without leaving ample evidence leading to your immediate detention. Most people who put this much time into building a marketable skillset find better things to do than committing senseless acts of terrorism.
Bombs are tremendously easy, making them go off at the right moment is the hard part and with a handy open source license plate reader, a camera and a raspberry-pi with one gpio line that just got a lot easier.
Right, but it takes years of immersion in specific fields just to be made aware of the existence of git, let alone grasping the only somewhat related concepts necessary to interface your raspberry pi with your homemade bomb (a whole nother set of skills!) Do you remember your first foray into microelectronics? Let's just say you might not want to use live explosives for your first attempt...
I have a friend who likes to make and print his own 3d models. He built his own 3d printer. I connected the camera he got to his raspberry pi and installed and configured octopi for him because he wasn't confident he could figure it out in a timely manner.
Ok, well let's rephrase that: it would be trivial for me and I hate to underestimate the opposition, they're not all dumb. And the proliferation of IEDs in Iraq suggests that those skills are readily transferable.
If you need more than around 200 feet of range, a coathanger as an antenna at each end could probably triple that range, a couple of coathangers fashioned into a pair of 310MHz yagis could likely get you several miles range.
All for less than a Raspberry Pi camera.
Even if you, as a "smart guy" were also a bad guy, would you _really_ consider doing things "the hard way"?
> And the proliferation of IEDs in Iraq suggests that those skills are readily transferable.
Nope, there were a small number of bomb makers who provided the bombs to a distribution network - this network then assigned the bombs to emplacement teams. There was also state level assistance coming from Iran. A few bomb makers and a lot of emplacement teams blew themselves up - so it isn't as easy as Hollywood has portrayed.
ADB-B receiver + cheap drones with simple homing software = total shutdown of US air traffic. I think $20,000 is probably an overestimation of what it would take. There's a lot of asymmetric situations starting to "mature" and defense side is way behind since they're using them to exploit the populace. It's not just a "cyber" problem.
All of the pieces are readily available online, all it takes is someone to put them together. And it's something that pretty much any high school kid with a credit card and interest in electronics could do.
> Curious the downvotes on that comment, it's totally feasible.
I'm guessing that you got downvoted because the logic is ridiculous: LPRs are to be feared because bombs can be attached to them. That is true of every technology. Also, if somebody has your plate number and knows your driving patterns well enough to leave a VBIED there - they could find a much more certain and easily executed method of assassination.
A stationary car bomb has a lot of advantages over other assassination methods. For one it allows you to get away, you only need to plant the thing and it could go off hours, days or weeks later. The assassin could be in a different country when the bomb goes off. You could put more of them at strategic points into a city not knowing anything about the daily routine of your target, just their license plate would be enough. You could drop a bunch of them ahead of time in random places and program all of them by remote to scan for new plates and so on. Not much you could do about it either, every parked car would be a risk.
I'm guessing that you're concerned about a place that has no parking authority, highway patrol, corporate security, nosey neighbors - because an abandoned vehicle won't last more than two days otherwise. There is a reason why assassins have historically chosen guns over bombs, and it isn't due to a lack of technology that places distance between themselves and the target. Like most important things, when assassinating somebody, you want to eliminate as much uncertainty as possible. That is pretty much the opposite of just leaving a bomb somewhere and crossing your fingers. Also, leaving a lot of bombs all over the place increases the odds of detection.
I think it'd be more effective against a class of vehicles... like if you have an agenda against Company XYZ, scope out their parking lot and build a database of their employees, then you can target those employees. Likewise, if you want to shut down the entire EMS system, build a database of police, fire, etc vehicles and target them and you can ground the entire EMS fleet.
It would, and a ball-peen hammer is better at mashing potatoes than a baseball hat. Just attack the company parking lot or the city motorpool. This whole thing sounds like the darkest Rube Goldberg machine ever.
They're legally required on current-production cars, so your car "works pretty good without them" in the sense that it also works pretty good without a license plate.
(I suppose technically the TPMS requirement applies to the manufacturer as opposed to the owner, though.)
This is a good point...when discussing the controversies behind surveillance and privacy, a frequent issue is that most people have no idea what's possible, even though it should be as clear as day. An obvious example is back when Facebook's API was more publicly accessible, youropenbook [1]
But there are other things to be mindful of...when publicizing how easy it is to be surveilled/attacked, how easy is it for a mischievous person to make use of that information versus how long would it take to fix? I'd have mixed feelings about anyone publishing a user-friendly one-button-SWATter, even if it would most certainly spur some kind of movement to strengthen our emergency response systems (eventually).
But something that is basically an object detector plus OCR? No doubt that if many people run this software, and then feed into a system that makes it as easy (and ubiquitous) as Google to look up any license plate and see instantly all locations where it has been photographed, we would have a situation that would make most people a bit unhappy...but without those network effects, the personal use of this software would seem to be relatively benign, while at the same time educating people how easy it is to be tracked.
On remote locations collected data could be transmitted into this public LPR system over free LoRaWAN networks like The Things Network https://news.ycombinator.com/item?id=10438352
That's a pretty dystopic view. I'd rather the government not collect the data at all. The massive perpetual databases that are amassing around the world are really ticking time bombs.
The cameras are there. They are not going away. Cameras are incredibly cheap, tiny and readily available, and legislating them out of private hands just isn't going to happen.
So we'll have to deal with them somehow, and I'd prefer that the government not have a monopoly on the data -- frankly, I think that the data that the government collects in public should be made public, rather immediately, so that we can see what is being collected.
I don't have a huge problem with individuals running license plate readers, since that is necessarily limited in scope. I meant that it's a bit of a dystopic view to assume that the government should be allowed to have their license plate readers and use them to accumulate massive databases that track the position of every car on every road.
Given that a lot of the license plate capture right now is private companies (that insist that everybody can do so) such restrictions would achieve at least some of the goal. Now if that's worth it is a different question...
I'd like to see the license plates of stolen vehicles published. I don't see that as a violation of privacy, especially if the owners agree to publish them.
Then anybody could see stolen vehicles and report them. That would discourage theft.
Frankly, I'd like to see all ALPR data published in real time. If my local government wants to collect data based on what's in plain public view, I see no reason why that data should not also be public.
I don't think anyone serious about stealing cars would drive them around with their original license plate.
Most likely the first thing thieves do is switch their plate with the plate of a similar car (same make, same color), then drive to another country where they'll be resold.
I think you presume too much about the motives and planning behind the majority of car thefts.
A professional car thief who steals cars in order to resell them may very well work that way. But I suspect those people are a small minority in comparison to the opportunists who probably don't have appropriate spare plates on hand, or the desperate criminals trying to pick up a getaway car, or the joyriders, etc.
That's a lot of work, plus you don't know if the owner of the stolen plate has warrants, suspended license, lack of insurance, or anything else that might cause an ALPRS alert. Better to just remove the plate and go. I commuted in one car for a year with no plate. Drove by cop cars with ALPRS regularly. I don't think these things alert when an object passes by but it failed to recognize a license plate.
In another car that I'd just purchased a cop pulled up next to me at a light and asked about my lack of plate. Said I bought it a couple days ago, he said I have X days in this state to get tagged and drove off.
As someone else pointed out, this could be a good way to crowd source watching the watchers.
You may be able to get a list of law enforcement license plates through a FOIA request and then use this plus a network of many highway cameras to show a map of where law enforcement was last seen.
the same way that Wireshark benefits security professionals by making it easier to monitor the network for bad people and audit applications to make sure they aren't doing bad things even though it also makes it easier for bad people to see what good people are doing.
* note: the definition of "good people" and "bad people" is not the point here
At least there is a more trustworthy method of validation. Is it illegal for me to spend my time on a lawn chair on the side of the highway logging the plates I see if that's the kind of thing that blows my skirt up?
Essentially - if you have modified openalpr then you are probably violating, if you haven't you probably aren't.
Unless you are a small company with a business model tied tightly around using a modified openalpr to generate revenue then there is plenty of scope for complying with the license without damaging the business. If you are then the company is stealing and I would advise leaving.
Either way you are under a moral, and potentially legal, obligation to bring the company towards compliance. Advice for you is not to massively rock the boat - do not use it as a means to hurt your employer (even after leaving) do not focus too much on it.
IANAL; The way I would approach this:
- forward this news article (not the hacker news post) and the openalpr license page http://www.openalpr.com/license.html to your legal contact (and manager?). Attach a simple and professional message along the lines of "Saw an article about some software we use and I am concerned we may be accidentally violating the license"
- Do not act like you really care. You were just exercising due diligence in your job and forwarding on to people that deal with it. Don't rock the boat, don't defend yourself, don't threaten.
- Do care. If your company does not respond to you within a few weeks, threatens you in any way (interrogation), or says they are deliberately ignoring the license then you need to work on getting a new job. This is because your employers act exploitatively and without respect to the work of others (such as yourself). When you come into legal dispute (which happens more often with these kinds) they are not the ones you want to be fighting. So find another job (take your time) and leave, do not cite the license as a reason. Once you are safe notify the developers.
If you are careful, not disruptive, and don't use it to create gossip or push other agendas most employers will engage legal advice and work towards resolution thanking you in the process (it's way better than being sued!) and you need not suddenly leave your job over an honest mistake.
Find another job. Then consult with a lawyer to see what risk you have if you report them to the developer of that software whose copyright is being abused.
Don't post about it with an account that is linked to your "real" identity is a good first step. Details depend on your local laws, but generally there isn't much you can do outside of bringing it up with someone responsible at your company without risking legal trouble with them.
This kind of surveillance by government isn't going away, so I'm happy to see this kind of technology ending up in the hands of the public to help level the playing field.
I was thinking about creating this with OpenCV in response to law enforcement's use and abuse of similar systems. It would be great to provide instructions on building a cheap, pseudo-anonymous, dash mounted system to track police vehicles that could be faux-subpoenaed for testimony in real cases. "If you've got nothing to hide" should go in both directions.
Last time I drove south for vacation we ran into people whom we ran into the previous year at a roadside restaurant.
That got me thinking about LPRs. Lease some land or the roof of a few buildings, and you'll build a dossier of regular I-95 travelers. People often go on vacation at the same time.
Figure out how to buy license plate data from the DMV, and you can market all sorts of stuff.
I knew that DOTs buy that data for traffic analysis. Never realized that folks can figure out the comparative average incomes for an average hotel guest based on that data. (you could see it in one of the screenshots.)
Gov buys these devices from companies. If the company already sells to gov, why wouldn't they use opensource solution, use fewer developers and pocket the difference? I'm assuming gov already covers silly markup on big purchases because of the bureaucracy around it.
Imagine if you were storing the license plate in a mysql db and someone attached a sql command at the back of the car that drops the sql db. I would find that hilarious.
What's good for the goose ...
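
An added example, not part of the thread: the comment above about a plate reader storing reads in a MySQL database is about OCR output reaching the database as SQL text. The sketch below uses Python's built-in sqlite3 as a stand-in for MySQL; the table names, the plate pattern and the sample reads are constructed assumptions, not taken from OpenALPR.

```python
import re
import sqlite3

# Constructed OCR results: two ordinary reads and one "plate" that carries SQL text.
SAMPLE_READS = [
    ("ZH 12345", "cam-01"),
    ("ZG 888", "cam-02"),
    ("X', 'cam-01'); DROP TABLE sightings; --", "cam-01"),
]

# Hypothetical, deliberately permissive plate format: letters, digits, one separator.
PLATE_RE = re.compile(r"[A-Z0-9]{1,3}[ -]?[A-Z0-9]{1,6}")


def open_db():
    """Create an in-memory database with a sightings table and a reject log."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sightings (plate TEXT NOT NULL, camera TEXT NOT NULL)")
    db.execute("CREATE TABLE rejected (raw TEXT NOT NULL, camera TEXT NOT NULL)")
    return db


def table_exists(db, name):
    row = db.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def store_unsafe(db, plate, camera):
    """Weak form, kept for comparison: OCR text is spliced into the statement."""
    db.executescript(
        f"INSERT INTO sightings (plate, camera) VALUES ('{plate}', '{camera}');"
    )


def store_safe(db, plate, camera):
    """Hardened form: validate the read, and bind every value as a parameter."""
    normalized = plate.strip().upper()
    if not PLATE_RE.fullmatch(normalized):
        # The raw text is still only ever bound as data, never parsed as SQL.
        db.execute("INSERT INTO rejected (raw, camera) VALUES (?, ?)", (plate, camera))
        return False
    db.execute(
        "INSERT INTO sightings (plate, camera) VALUES (?, ?)", (normalized, camera)
    )
    return True


def demo_unsafe():
    """Return whether the sightings table survives the sample reads."""
    db = open_db()
    for plate, camera in SAMPLE_READS:
        try:
            store_unsafe(db, plate, camera)
        except sqlite3.Error:
            pass  # a malformed read may simply fail to parse
    return table_exists(db, "sightings")


def demo_safe():
    """Return (table survives, stored plates, rejected raw reads)."""
    db = open_db()
    for plate, camera in SAMPLE_READS:
        store_safe(db, plate, camera)
    plates = [r[0] for r in db.execute("SELECT plate FROM sightings ORDER BY rowid")]
    rejected = [r[0] for r in db.execute("SELECT raw FROM rejected ORDER BY rowid")]
    return table_exists(db, "sightings"), plates, rejected


if __name__ == "__main__":
    print("unsafe: sightings table still present ->", demo_unsafe())
    print("safe:   (table present, plates, rejected) ->", demo_safe())
```

Binding parameters is what removes the injection; the format check is a second layer that keeps misreads and non-plate text out of the sightings table.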