Watching

I happened across a tweet from CPMG last week, and retweeted it (and, indeed, responded to it with both a reply and by completing the survey, which I’d encourage you to do). The conversation that resulted can be viewed on Twitter by clicking the first link, but is also screenshotted below:

Screenshot 1 of 2.

Screenshot 2 of 2.

An interesting conversation, rapidly joined by Livestream Data Systems, who, in their own words, provide backend systems for ANPR. Almost as if they were ready, watching for replies, huh?

They made the very valid point that a number plate (VRM) is public data, publicly visible all the time. This is true, of course, but it’s trivial for people to associate my number plate with me- especially should the “they” be law enforcement, who can look it up in seconds.

Continuing that, it’s pretty trivial to track me by combining ANPR with a few other things. A thought occurred to me as an example: I completed the survey from the holiday flat we rented. I checked the public-side IP of the broadband connection, and it geolocated to within a few miles of my location (I was in Torquay, it said Dawlish). So, taking only public or non-personal data along with potential ANPR data (the camera locations are not public): I follow CPMG on Twitter. I completed the survey from a location near Torquay having clicked through from Twitter (this data could be obtained from server logs).

CPMG probably don’t have many followers on the English Riviera, as they’re a Midlands unit.

Now search the ANPR data for cars travelling between the Midlands and the South West. Add in from the server logs that I used Linux, Google a bit, and you have me, most likely. You know where I am, what car I drive, and you have my opinions on ANPR, without having to apply for a court order or similar. Analyse my tweets, dig over this blog and there’s plenty to learn (of course, what I tweet or post here I’m voluntarily supplying, thank fuck I don’t use Facebook).

That might sound a little paranoid, but it’s an example, and it’s why we should all remain vigilant and wary. I don’t have anything to hide, and you could therefore take the view of “who cares”, but are you comfortable with being tracked?

There’s going to be a lot of pressure in coming times for greater surveillance, especially given recent terror events: but one thing to consider here is that if a terrorist is willing to kill or injure many people with explosives, I don’t think using false plates and/or changing vehicles is going to bother them, whereas the majority of us use one or two vehicles regularly, so it’s far easier to track ordinary citizens than the criminals. Most of us voluntarily carry a tracking device (smartphone), use bank cards: do the bad guys do that?

I’d like to make it clear I fully support CPMG’s work, keeping the road safe for us all, but I’m a bit concerned about data use (and misuse) here, and this isn’t the first time. It’s the work of seconds to reveal misuse of anti-terror legislation for things as trivial as school catchment areas, and there are prior cases of ANPR misuse. That’s even before we consider that companies like Livestream- a private company- may be providing the back end and processing for the national network (I don’t know exactly who does), and therefore we could be trusting their systems and employees with this data.

A quick Google search revealed a supplier of services to councils who apparently encrypt ANPR data with SQL.

Errrm?

Oooh- what’s that black helicopter overhead?

4 Responses to “Watching”

  1. Willenhall_Lad Says:

    We’ve all got reasons to be concerned about how we are tracked but given what you have written above, that pretty much has defined “the box”.

    Thinking “outside the box”, which we have been pretty good at (Operation Mincemeat), would mean that you could adopt a false identity with false plates, simpler phone etc. Indeed, you could just do away with electronic communication altogether and rely on simpler methods if you had nefarious intentions on your mind.

    This is what bothers me more – the people who have this capacity.

    We must be careful not to get drawn into overcomplicating the security issues. ANPR is another tool in the box even if it has its downside. But if you pay your tax and insurance, get the MoT up to date, then we’ll have to accept this.

    As to private companies providing the services, until there is a mindshift by the bean-counters and we insist through the politicians that we need the Civil Service to run this, it will carry on being delivered as such. I suspect, though, that with contracts in place, any breach or misuse of data will have criminal penalties applied.

  2. species5618 Says:

    In general it is not the collection of some of that individual data that worries me,
    it’s more the two-year retention for ALL records in the case of ANPR, which in my view should be no more than 180 days + 2 years for persons of interest; anything outside of that should be anonymised so it can be used for general analytics.

    EU GDPR legislation is not far away

    I will throw these into the mix
    SKY and Virgin collect recording and viewing data from the set top boxes
    Telco companies keep extensive call data records
    Mobile Phone Providers know what cell you’re connected to, so can track you to within a cell
    Most ISPs probably keep DNS query records
    Public wi-fi providers have your device MAC addresses, mapped to phone number or email address

    have a look at this for an enlightening view on data analytics,
    https://www.theguardian.com/world/2015/jun/23/italy-denies-role-cia-extraordinary-rendition-egyptian-imam

  3. species5618 Says:

    Re “SQL for encrypted data”, which I suspect they mean encryption at rest, which is great for back end access, but any access from a compromised front end will have access via the required user id to decrypt the data

  4. stymaster Says:

    Right. I wasn’t aware that was a built-in thing. So that would protect a compromised SQL server, but as you say, a compromised front-end (or misuse) is still possible.

    As you say, there’s an incredible amount of data stored, and if you glue it all together properly you can learn a lot.
