back to article Tesco parking app hauled offline after exposing 10s of millions of Automatic Number Plate Recognition images

Tesco has shuttered its parking validation web app after The Register uncovered tens of millions of unsecured ANPR images sitting in a Microsoft Azure blob. The images consisted of photos of cars taken as they entered and left 19 Tesco car parks spread across Britain. Visible and highlighted were the cars' numberplates, though …

  1. elaar

    And what about the issue of car number plates being cloned from a breach like this? It seems very convenient for criminals to have a database of a million cars to choose a vehicle model/plate from.

    1. dnicholas

      They'll have to use image recondition to derive the make, model and colour of any car in the images to make useful clones though. If they can do that, one has to wonder what they are wasting their time stealing cars/plates...

      1. Anonymous Coward Silver badge
        Holmes

        There are plenty of sites where you enter the registration number and it produces a list of those characteristics, along with tyre sizes, engine model, etc etc etc

        1. Ogi

          > There are plenty of sites where you enter the registration number and it produces a list of those characteristics,

          Yeah, including the DVLA website itself. I sometimes go there and put in the registration plates of cars I see on old TV shows to see what model they were, which are still on the road and which have been scrapped.

          It will tell you quite a bit. I would say approx the first 14 lines on the V5 vehicle details column, including the make, model and colour of the car.

          More than enough to get fake plates made up for a vehicle that you want to clone. You do however need to have a legitimate number plate before you get the data, which is where these ANPR photos would come in useful.

      2. mj.jam

        Can't they just scroll through to find the one that matches. Although maybe far easier to go into the real world and just wait until you see a car like the one you want to clone.

        1. aks

          That assumes you live in the UK. Unless this uses AI, it's easier to get others to do this from the safety of another country. It's also quicker to flick through them and you don't get seen loitering in the car park with your car added to the database.

      3. steviebuk Silver badge

        Numberplate check on the DVLA website will give you the make, model and colour of the car.

        1. katrinab Silver badge

          Also various retailers where you can enter your reg no and it will tell you the correct things, tyres, oil, etc, to buy for your car.

          1. dnicholas

            If you have the plate already. That wasn't the premise of the op. But anyway, whatever :)

    2. Lee D Silver badge

      I can collect thousands of number plates, makes, models and colours.

      I just sit in a park for a few hours with a phone to make notes on.

      Number plates are public information displayed prominently on every legal vehicle. As such they are eminently cloneable. It's time we had something that wasn't cloneable. Like an encrypted RFID tag.

      Would also stop all of the "We'll knock up a legal-looking plate, no questions asked" people pretty much overnight. Especially if you asserted a system where only each plate has a unique key - so your "lost" plates are useless to everyone as soon as they're reported and are actually just advertising "I'm stolen!" everywhere they go.

      RFID you can target from a distance too... just use a directed powerful magnetic field (e.g. in a cable under a bridge) to induce a current so they transmit, then pluck the encrypted ID out of the air with any directional antenna and a cheap radio.

      So long as you don't allow replay attacks (e.g. time-based OTP-like IDs based on an original seed - doesn't need to be accurate to-the-second, just to-the-day will do), you can easily design such a system securely.

      Hell, while you're there, mandate OBD integration so the mileage is integrated into the seed... now they know if you're fiddling your odometer too...

      1. fridaynightsmoke

        Considering how many people drive around here with obviously illegal or no numberplates, with absolutely FA done about it, I don't feel like this is enforceable at all unfortunately

      2. macjules
        Terminator

        Nah. Just RFID chip tag the owners, run facial recognition on them and then anyone who is not that person in the car gets nicked. Or if you live in South Wales you still get nicked since the AFR does not work too well.

        Line up for your branded barcode here please ...

        1. Anonymous Coward
          Anonymous Coward

          @macjules

          One RFID chip to rule them all.

          Yeah, great idea. /s.

          Unfortunately, the powers that be think it really is a great idea.

          They're just figuring when to roll out a voluntary scheme. Where "voluntary" doesn't mean what you think it means :(

      3. Marco van Beek

        Pretty sure most cars already have a unique RFID tag

        I remember reading an article years ago (early 90’s maybe) about the new Nissan Primera about how they had to decide which part was the “first” part of a car, so that they could stick the RFID tag on it. Just In Time suppliers stuck their own sensors along the assembly line so that they got the correct amount of warning for each car and linked it to the Nissan database to determine which option that car needed, be it seat fabric, paint colour or whatever.

        If I remember correctly it was on the main member of the front subframe, chose because it was the biggest bit of the first assembly.

        1. Anonymous Coward
          Anonymous Coward

          Re: Pretty sure most cars already have a unique RFID tag

          I had assumed that those tags were removed at the end of the production line, but who knows.

    3. Tomato Krill

      They're already public, albeit without a public API to retrieve them (eg autotrader, ebay, any insurance quotation tool) - you have to apply and pay but theres nothing to stop anyone using any of these sites to iterate though registrations...

      Well, non public API up until these clowns created one at least

  2. The Pi Man

    Incompetence

    So the best way they can come with to migrate data is to expose it publicly? Ranger Services / GroupNexus shouldn't be allowed to operate a computer.

    1. Richard Jones 1
      WTF?

      Re: Incompetence

      They are not yet ready for a pen and paper, or even a slate board on which to draw up a decent, legal migration plan. However, they should get ready for a suitable punishment, hopefully.

    2. steviebuk Silver badge

      Re: Incompetence

      From what I can tell from their website, they look like they might also be using a virtual office address based in London. Someone on Amazon was doing the same. His mail would go to the London address and they then forward it on too his real address. He was illegally using the NHS logo so looked him up. He gave it away by leaving a review of their service on their Google Reviews page. Found his real address via Companies House.

      Most of the car park management companies end up being as bent as fuck. Most of them have no idea about GDPR and most of them have little to no IT security in place.

      Argued with the one in the local Waitrose. I wasn't getting a ticket but requested my number plate be removed from their system under a Right To Be Forgotten. They claimed "I have no need to worry, I'm not getting a ticket and that they keep the plates for 6 months for security and crime prevention". I pointed out that under GDPR they no longer need to keep the plate so it needs to be deleted and that ANPR cameras are not to be used for CCTV purposed as they claimed they were doing.

      They removed it. Well so they claimed. I asked for it to be removed from their backups also, they ignored all further e-mails.

      1. Electronics'R'Us
        Holmes

        Re: Incompetence

        The 'security and crime prevention' trick won't work under GDPR.

        They can retain the data for a long time (indefinitely under some circumstances), but there are limited options.

        They also need to have an actual policy in place of what the data are, the purpose for which it is used and the justification for retention.

        I would put money that this outfit (and the one you had an unfortunate experience with) has no such written policy in place. Without a policy, no data retention beyond the original purpose of collecting the data from what I am reading.

        1. RedCardinal

          Re: Incompetence

          >>The 'security and crime prevention' trick won't work under GDPR.

          Unless you're the King's Cross Central developer apparently....

        2. Anonymous Coward
          Anonymous Coward

          Re: Incompetence

          Found their PP:

          http://portal.rangerservices.co.uk/RangerPrivacyPolicyv0_3.html

      2. TeeCee Gold badge
        Devil

        Re: Incompetence

        Most of the car park management companies end up being as bent as fuck.

        s/Most/All/ s/end up being/are/

        Unless there's been a seismic event recently, the number of privately issued parking tickets that have actually survived the appeals process and subsequently stood up in court when challenged using advice from the likes of pepipoo remains resolutely at zero.

        Issuing fines backed by threats on very dodgy legal grounds? Sounds bent as fuck to me. Where do you think the baseball bat wielding crooks who used to operate clamping services went when that was made illegal?

        1. Handlebars

          Re: Incompetence

          You typed 'fines' but you meant 'invoices'

  3. Blockchain commentard
    Facepalm

    Breaking news...

    They're renaming themselves to 'Group Numty'

    1. TimMaher Silver badge
      Trollface

      Re: Breaking news...

      And they can’t spell.

      Otherwise it would be “Group Numpty”.

  4. Steve Davies 3 Silver badge

    Shuttered?

    Hey, El Reg, repeat after me,

    WE ARE NOT IN TRUMPLAND

    What is so wrong with 'Closed Down'?

    1. Anonymous Coward
      Anonymous Coward

      Re: Shuttered?

      WE ARE NOT IN TRUMPLAND YET.

      TFTFY

      1. Law

        Re: Shuttered?

        Trump is no doubt waiting to make his offer after the 31st October.

        1. Anonymous Coward
          Anonymous Coward

          Re: Shuttered?

          They'll be no offer - he'll just buy the UK.

          Well, the bits they haven't bought already that is :(

          Greenland was just a dry run.

    2. Anonymous Coward
      Anonymous Coward

      Re: Shuttered?

      And 'click to embiggen'? surely even murcans understand what 'enlarge' means?

      1. Cheshire Cat
        Facepalm

        Re: Shuttered?

        "click to embiggen" is a Simpsons reference.

        1. Anonymous Coward
          Anonymous Coward

          Re: Shuttered?

          And that justifies it how?

          Not everyone subscribes to the US dumbed down version of 'entertainment'

  5. Luiz Abdala
    Stop

    RFID tags instead of pictures.

    Brazil, of all the places, already developed a solution to avoid that kind of leak.

    It all began with road tolls.

    Some bright chap had the idea of using RFID tags glued to the windshield, and automated tool booths. If you decide to buy into the system, you don't need to pull over on every tool booth, you just pick a lane with the RFID reader, and slow down to 25MPH. The system does the rest, charging you by the end of the month.

    But the system isn't fit just for toll booths. It works on parking lots too.

    Large parking lots - including Walmart here - bought into the idea. Hassle-free paid parking, regardless if you are buying anything or not (people parked for free at the supermarket all day long and would go to work next block - dick move. Parking on Walmart is pretty cheap, though, cents). They extended the service to gas stations and - of all places - MacDonald's drive-through. You can literally stop by for a snack, and fill the car, without money or credit card on your person. You park under the tag reader while it fills, and gets charged when done.

    Private office buildings can also include on the system, excluding people that work there from charge, as long they bring a tagged vehicle that was included on the system, while opening a revenue stream. They just need to split their parking spots into reserved and unreserved sections.

    The benefits don't stop there. It is marked as evidence when the car gets stolen. You can ask the company to track its whereabouts on any reader of the system and report to the police. Yes, some dumb burglar can be seen driving a car deep into the State by the tag reader, and can be easily intercepted.

    Since you are buying into the system, it isn't invasion of privacy per se (contracts, EULAS). The system can't read other RFID tags, or make any sense of them, even if they match the system.

    Instead of collecting data of the general public, it collects data from agreeing parties. Much harder to go wrong.

    1. simonlb Silver badge
      Trollface

      Re: RFID tags instead of pictures.

      You sound like an RFID company shill. Please tell me I'm wrong.

      1. Luiz Abdala

        Re: RFID tags instead of pictures.

        No, I'm not a RFID shill. But try to lose the printed ticket to you by the machine at the gate (a barcode) as you entered the parking lot, and see how much hassle you got.

        Did you pay for parking, by handing it over to PL cashier? Did you hand it over to the Walmart cashier so it is not charged for 20 minutes, as the alloted time to leave even the most complex parking lot? Tough tits if you lost it.

        Yes, the privacy of the thing can be abused to hell and back, as just a portable RFID reader cranked up to 1000 Watts and 20dB can tell you. But it beats the nagging of getting barcodes printed on thermal paper handed to you. Practical it is. Specially when it rains/heatwaves.

    2. Ben Tasker

      Re: RFID tags instead of pictures.

      > Since you are buying into the system, it isn't invasion of privacy per se (contracts, EULAS).

      That's not really an accurate statement.

      It isn't a *forced* invasion of privacy, but the data collected/generated by it could still be used *for* an invasion of privacy

      With that system the analogue to this story would be the RFID-s db being left open to the world, so I could then tell that registration ABCD123 is linked to RFID with serial 1234. From that I can see that RFID 1234 drives into the walmart car-park at 14:00 every tuesday and stays there for 2 hours.

      Depending on what they're storing, I may not be able to tell make/model so easily (I'd need to look it up from the reg), but if they *are* storing it then it'd be easier to look up lucrative makes (query for lexus) than with the images.

      The RFID version does sound convenient, and does entail more choice than with a film-all approach, but a privacy panacea it is not.

      1. Luiz Abdala

        Re: RFID tags instead of pictures.

        Yep, totally agree. But it beats an open server filled with pictures of license plates any day of the week.

        You'd have to tap into a reader, or the network of the place. Somebody fiddling with an automated gate would attract some looks, while reading a server off the web, won't.

        1. Ben Tasker

          Re: RFID tags instead of pictures.

          > You'd have to tap into a reader, or the network of the place.

          Really depends on their setup. They will almost certainly maintain a transaction log somewhere (in case charges are challenged - mistakes happen in any system). That log may not necessarily be on site, particularly if operation of the system has been outsourced.

          Even if not outsourced, it was likely bought it, so may exist on the vendors systems (whether routinely stored there, or periodically captured for monitoring/debugging). There's absolutely nothing to stop "vendors systems" from being an open-to-the-world hadoop server.

          So, it may well still be an open server, it just won't be full of pictures. At that point you may be better off, or worse off, depending on what data they're storing

        2. Tomato Krill

          Re: RFID tags instead of pictures.

          Well no more than they had to 'tap into'the network of the place in the article surely?

        3. streaky

          Re: RFID tags instead of pictures.

          "it beats an open server filled with pictures of license plates any day of the week"

          If we're assuming incompetence now they don't have pics of numberplates (I can think of reasons why that can't possibly be true, but -) now they have name, if it's a corp account, where you live, payment info and again, times when you used a car park, road (in the case of tolls) etc and when. Can't imagine why Brazil has a systemic problem with armed car jackings of rich people.

          Okay sure presumably you could anonymise such a system and have people only top-up so to speak via shops or whatever, but most people won't want the inconvenience. Not saying there should be a problem with such a system but we're assuming incompetence remember - there shouldn't be a problem with a db of licence plate images either..

    3. Sgt_Oddball

      Re: RFID tags instead of pictures.

      Malaysia has a similar system. However, its perfectly fine with you using a card without having it linked to a car. Makes it easier if you've got more than vehicle.

    4. Chris Hills

      Re: RFID tags instead of pictures.

      What happens when every car park uses its own system, am I supposed to glue 5 different tags to my windscreen?

      1. Luiz Abdala

        Re: RFID tags instead of pictures.

        You get handed a thermal paper with a barcode like everybody else. And must present that piece of paper to a pay booth.

        All shopping centers have them on the parking exits. Upon payment the system lets the code free of charge for the time required to leave the premises.

        The same kind of thermal paper used on receipts for credit cards, in case of supermarkets.

        1. John Brown (no body) Silver badge

          Re: RFID tags instead of pictures.

          "All shopping centers have them on the parking exits. "

          Not around here they don't. I don't think I've ever paid to use a shopping centre car park. Maybe it's just a problem in city centre shopping centres. ISTR a nearby ASDA tried it about 10 years ago but their footfall dropped so much they gave up on it.

        2. Tomato Krill

          Re: RFID tags instead of pictures.

          100% of shopping centres with charges and requiring bits of paper can go to help anyway, up until they're the only place you can buy stuff

    5. heyrick Silver badge

      Re: RFID tags instead of pictures.

      And since this lovely RFID system seems to do just about everything but make coffee (wait... McDo...), do you get printed receipts? Do you compare all of them with what you're actually being charged?

    6. Anonymous Coward
      Anonymous Coward

      Re: RFID tags instead of pictures.

      I just use free carparks...

  6. Joe Harrison

    Bastards

    My local Tesco fined me 20 quid for overstaying the 2-hour parking after I spent too long in their coffee shop one Sunday while doing my shopping. This Tesco is in the middle of nowhere-ish I mean not next to the station or anything at all where people might want to leech off their parking. They were within their rights as there were hitherto-unnoticed signs all over saying 2 hours, so I paid it, but really it's not a good thing to do to your customers. Or ex-customers, to which merry band I now belong.

    1. karlkarl Silver badge

      Re: Bastards

      If you knew you were going to be fined, I bet you wished you parked across the entrance instead don't you? ;)

    2. Anonymous Coward
      Anonymous Coward

      Re: Bastards

      I was surprised before last Christmas to see my car reg flash up on a display when I drove into the car park at a local retail centre. I've never driven into that car park again. I'm not saying I won't ever, but having heard about the various "errors" that lead to a fine, I prefer to take my business elsewhere.

    3. Ben Tasker

      Re: Bastards

      When Tesco first started doing their ANPR monitoring there were a lot of people round my area getting fines despite not having overstayed.

      The problem was, they'd swing in in the morning to grab a coffee from the attached coffee-shop, drive from there to work, and then come back later in the day (either for another coffee, or to do some shopping on the way home).

      ANPR would catch their entry into the car-park in the morning, but miss them leaving (bad weather, lorry turning into the petrol station, all sorts of reasons). Then either didn't see them enter later or failed to handle you being there "twice" (my guess is the latter), and would record you leaving that second time, ultimately deciding you'd been there for 8 hrs.

      From what I gather, the lot running the parking system were a complete shower and insisted the system couldn't be wrong, do you have proof etc.

      So I stopped using the local Tesco for quite a while, as there's Sainsbury's just down the road, with (at the time) none of that hassle.

    4. Anonymous Coward Silver badge
      Stop

      Re: Bastards

      I would've contested that fine on the basis that I was using the store and that they could check the store CCTV for evidence if they wished.

      I bet 99%(ish) of such fines disappear when challenged on any basis.

    5. aje21
      Headmaster

      Re: Bastards

      Won't be a fine as it's not from the council, etc. - will be an "invoice" which is dressed up to look like something official. Just saying... annoying to get one, but if they can ever get the parking rules sorted out it should become clearer what is going on.

      Oh, and I "love" the way that your car can form a contract with a parking company on your behalf. The registered keeper is considered to have been driving unless they say someone else was. But all they have is the car number plate. DVLA make a lot of money selling registered keeper details for this purpose.

      1. tin 2

        Re: Bastards

        I'm pondering putting a "contract" on the back of my car for £300 appearance fee.

      2. aks

        Re: Bastards

        The solution is to forbid DVLA from selling this information. Should only be available to the Police.

    6. Lee D Silver badge

      Re: Bastards

      Fining your own customers, specifically the ones who are slow, enjoying your shop, or just buying a lot of stuff, is the stupidest thing I've ever heard.

      The first time a shop ever tries to send me anything like that, not only will it be challenged by every ounce of my being in every way conceivable (hey, it's a hobby of mine) but I will avoid the chain in perpetuity.

      Either provide enough spaces, or get out. If people are misusing spaces without making any purchases at all (e.g. if you're near Wembley etc.) then I kind of understand having some system. So you, say, make it free if you spend "over £X" in-store, where X is how much it would cost to park in the car parks in town anyway. But time limits are stupid. I'm not going to rush my (now monthly, because weekly is a pain in the butt and monthly suits me fine) shop just to fit inside your window when the car park is *MOSTLY* empty all the time anyway. Obviously, tow away anything still there when you lock up the car park, that's fair enough.

      I'd be more in support of a supermarket that policed their disabled spots (e.g. you can use them, if you have a blue badge, and if you have someone checking the ID of the driver/passenger against the badge holder... invite a local PCSO if you get a lot of mis-use!), parent-and-child spots, etc.

      But try and "fine" me, or even threaten to do so officially, for utilising your services in a reasonable manner? Well done, you just lost a customer.

      1. John_Smith

        Re: Bastards

        "The first time a shop ever tries to send me anything like that, not only will it be challenged by every ounce of my being in every way conceivable (hey, it's a hobby of mine) but I will avoid the chain in perpetuity."

        Be more imaginative.

        Pop in and fill a trolley with chilled and frozen food, then change your mind about wanting it so just abandon it, so when they find it has to be thrown away.

        Rinse and repeat until bored.

        1. Anonymous Coward
          Anonymous Coward

          Re: Bastards

          That's just wasting food. Try to find out which car belongs to the store manager and handcuff a trolley to the door handle

      2. Anonymous Coward
        Anonymous Coward

        Re: Bastards

        @Lee D

        I guess you think it's all about you. And you're not even from the snowflake generation ;)

        Tesco doesn't.

        They have no problem with never seeing troublesome customers again. Ever.

        1. Jimmy2Cows Silver badge

          Re: Bastards

          Did you miss your pills this morning?

      3. Anonymous Coward
        Anonymous Coward

        Re: Bastards

        @Lee D

        You don't want to play by Tesco's rules that do affect you, but insists they enforce their other rules that don't affect you.

        Mmm...that sounds like you think the world revolves around you. Who'd have thought?

      4. Jimmy2Cows Silver badge
        Thumb Up

        Re: Bastards

        +1 for a supermarket that policed their disabled spots

        It's a special kind of twat who abuses those spaces.

        1. Roland6 Silver badge

          Re: Bastards

          +1 for a supermarket that policed their disabled spots

          >It's a special kind of twat who abuses those spaces.

          It amuses me visiting my my local superstore at 11pm or some other unsocial hour and tossing a coin as to whether to bother with the 'rules' and avoid the vast area of empty disabled and parent & infant parking spaces, or just go "what the f*ck"...

          Mind you I suspect some idiot parking company would chose to implement the rules, as at that time of night they would get clear cctv footage of the driver walking normally way from the car, which they would be unable to get during normal hours; which is when misuse of the bays is a problem...

    7. Doctor Syntax Silver badge

      Re: Bastards

      There parking vultures sent me a snotty letter saying if I did it again I'd be fined. I decided the best way to avoid the risk of that was to never go into a Tesco car park again. The best way to avoid that was never to go into a Tesco again.

      The really annoying thing was that when they looked after things themselves they sent someone out to control the exit gate when they were busy; that day they weren't, it appeared to be a day when half the population was spending a really hot summer day watching other people kick a ag of wind up and down a field.

      Also annoying was the fact that I'd driven into town to pick up SWMBO, do some shopping in Tesco & go home for lunch. We decided to eat in town and were about to pass on the shopping but I decided that as we'd parked there it would only be fair to use the shop, otherwise we'd have been out, having bought nothing, in under the time limit.

      It seems that Tesco don't actually want you to shop in their stores. It's amused me since to note how their market share has shrunk over the years and realise that my absence has contributed a good few £k to that by now. And the real irony is that as they'd outsourced the car park they probably had no idea about the letter and that that's why my card suddenly stopped being used; so much for their alleged expertise in number-crunching.

      1. Anonymous Coward
        Anonymous Coward

        Re: Bastards

        @Doctor Syntax

        The arrogance of thinking your shopping bill influences Tesco's behaviour.

        And that you think that documenting the fact here will get you some sympathy.

        LOL

        Grow up.

        1. Doctor Syntax Silver badge

          Re: Bastards

          You do realise, don't you, that Tesco's shrinking turnover is the cumulative result of lots of people like me not buying from them? If you think it's some mega-millionaire not shopping there any longer then you need to grow up.

          Big companies spend fortunes on marketing and advertising to bring people in or get them to pay more when they're in. They fail to realise that not pissing off customers and potential customers would be far cheaper.

          They also seem not to realise that parking is an aspect of customer service. Put like that it should be simply obvious that it is. Yet they're prepared to turn over their car parks to companies for whom the store is simply bait to lure prey or to take up premises in trading estates where their landlords do that.

          "And that you think that documenting the fact here will get you some sympathy."

          I'm not looking for sympathy. I have less need of Tesco than they have of customers. However it does appear that more folk here agree with me than you. I trust you're not looking for sympathy either.

          1. Anonymous Coward
            Anonymous Coward

            Re: Bastards

            Tesco's shrinking turnover is not due to "pissing off customers". It's because it's competitors have better prices. It's called a business model. When they offer significantly lower prices on the products you buy, even you'll be back, unless you're just bloody minded, which is a distinct possibility ;)

            The number of "pissed off customers" due to parking problems or other reasons is a tiny fraction of their real customer base.

            You have more sympathisers than me? Seriously? LOL. It's not a competition! Just grow up.

            1. Doctor Syntax Silver badge

              Re: Bastards

              "unless you're just bloody minded, which is a distinct possibility "

              Life is too short to carry a grudge but we all have to do the best we can.

              Note that one of my points was that part of Tesco's shtick was that they were really good at understanding their customers because of all their analytics. Well, that was something they couldn't analyse unless their outsourcer passed over the data, which I suspect they didn't. They weren't as good as they thought they were.

              1. Anonymous Coward
                Anonymous Coward

                Re: Bastards

                "They weren't as good as they thought they were."

                Fortunately, that's not your problem...

                1. Doctor Syntax Silver badge

                  Re: Bastards

                  Quite right. Tesco (and every other retailer) need customers more than I (and every other customer or potential customer) needs them. Not being good at understanding their customers is a problem for any retailer. Thinking they are good whilst not being is an even bigger problem.

              2. RegGuy1 Silver badge

                Life is too short to carry a grudge but we all have to do the best we can.

                This whole thread is about people carrying grudges!

          2. paulf
            Meh

            Re: Bastards

            In my experience, Tesco have failed extensively at the whole "Don't piss off your customers" thing. They only got away with it by being the 800lb Gorilla in the supermarket world. Issuing "fines" to people who stay too long in one of their shops is just the tip of the ice berg.

            I came to the conclusion about 20 years ago that Tesco aren't just indifferent to their customers, they outright hate them. That's when I resolved to never shop there, other than perhaps twice a year for the things I can't get anywhere else. Any other supermarkets deal with CS questions cheerfully (mostly!) but in Tesco they always pick the most outwardly hostile people to staff the CS desk.

            It's interesting to note how Tesco whine about people not using the in store cafes and deli counters (hence closing some former and most latter) without thinking perhaps people aren't stopping for coffee/breakfast/lunch or to wait for someone to serve their slice of cheese because they have to hurry out the door before they're charged £20 to park for 2 hours and 10 minutes.

            Worth noting all the Aldis around here (Just outside the northern half of the M25) only give you 90 minutes to shop - but that's more than long enough considering how you get your shopping thrown at you by the checkout operator.

            1. Anonymous Coward
              Anonymous Coward

              Re: Bastards

              You must be lucky - at Aldis everywhere else it take 90 minutes to get through the 3 checkouts they have open at any one time!

    8. Andy Taylor

      Re: Bastards

      Not.A.Fine. It's an invoice.

    9. Law

      Re: Bastards

      I once got told I'd been in a McDonalds carpark for 24 hours once... turned out they'd seen me on day 1 going in for my drive through morning coffee... not clocked me leaving on day 1... then missed me on day 2 going in for my coffee, but seen me leaving... hence 24 hours.

      I worked for a CCTV company at the time, and offered court-grade proof I was in the work carpark 5 minutes after the coffee stop on day 1, but they refused to listen to reason and upped the fine. I tried again, this time including McDonalds on the conversation. Again - they upped the fine and threatened legal action.

      In the end, I told them to take me to court then just ignored them. As (at the time at least) fines on private land aren't enforceable, I heard nothing from them again.

      Pretty sure you could just ignore the fine... private fines not enforceable... only fines issued by companies on behalf of the council are enforceable I think. But, INAL... so might be talking out my arse.

      1. Andy Taylor

        Re: Bastards

        I'm now suggesting victims of this "double dip" issue operators a Letter Before Claim for misuse of personal data under the DPA 2018. £250 is the minimum amount to ask for.

        So far it's resulted in immediate cancellations from every firm I've tried this with.

      2. matjaggard

        Re: Bastards

        "Pretty sure you could just ignore the fine... private fines not enforceable... only fines issued by companies on behalf of the council are enforceable I think. But, INAL... so might be talking out my arse."

        You are indeed talking out of your posterior. There was a case recently where someone kept ignoring invoices for parking without a ticket in a private car park and in the end the court made them pay the whole lot. As someone who is responsible for a 6 car car park, I'm actually very pleased that these invoices can't just be ignored forever.

  7. tony
    Happy

    Hopefully the regulators etc. will give the parking company the same level of compassion that parking companies give when somebody either make a simple mistake or are incorrectly charged...

  8. Locky
    Coat

    When it comes to data slurping

    Every little helps

  9. Jason Bloomberg Silver badge
    FAIL

    "A technical issue with a parking app"

    Actually; a complete fuck-up.

    It makes a delightful change when someone actually admits they have fucked-up.

    1. matjaggard

      Re: "A technical issue with a parking app"

      Yes, and they took the complaint seriously enough that they're potentially losing money. Very refreshing.

  10. Immenseness
    WTF?

    Wtf

    Is it only me that is wondering why they need to keep 10 million images in the first place? Surely after you subtract time out and time in, if less than the permitted time you delete the images.

    Or are they are they storing it long term for another purpose? If so, when did drivers consent to that? Just because they parked there and it was on a small notice in yellow text on a white background would seem to me to fly in the face of GDPR.

    1. Tessier-Ashpool

      Re: Wtf

      You do not need the consent of a driver to photograph his car and retain the photo indefinitely. Nor is there anything stopping you setting up a camera on a motorway bridge and taking as many snaps as you like.

      1. Martin M

        Idiots

        Only as long as you don't process photos either automatically (e.g. by running ANPR) or manually by filing them as part of a structured filing system. Otherwise you fall within scope of the GDPR and would be in breach. This all applies as much to individuals as companies.

        Registration numbers are PII and you must have a lawful basis for processing. Legitimate interest is used to cover parking enforcement but would not cover your example, which would require consent - which of course would not be practical to obtain. Whatever the lawful basis, you must not over-retain.

        In practice you might not be *prosecuted* for doing it, but that's a whole different question.

        1. Doctor Syntax Silver badge

          Re: Idiots

          "Registration numbers are PII"

          If it's just the number then maybe not. However as soon as you marry it up with the name of the registered keeper and the name the person, if different, who was driving it at a certain time and place certainly is.

          1. Jimmy2Cows Silver badge

            Re: Idiots

            Reg numbers are a related factor. You can't categorically identify someone from a number plate, but you could link it with other details to do so.

            Unsurprisingly the definition of related factor is somewhat wooly and subjective. From the ICO:

            • If you cannot directly identify an individual from that information, then you need to consider whether the individual is still identifiable. You should take into account the information you are processing together with all the means reasonably likely to be used by either you or any other person to identify that individual.
            • Even if an individual is identified or identifiable, directly or indirectly, from the data you are processing, it is not personal data unless it ‘relates to’ the individual.
            • When considering whether information ‘relates to’ an individual, you need to take into account a range of factors, including the content of the information, the purpose or purposes for which you are processing it and the likely impact or effect of that processing on the individual.

        2. Roland6 Silver badge

          Re: Idiots

          >Otherwise you fall within scope of the GDPR and would be in breach.

          Interesting example of the limits of GDPR as the vehicle owners would have no way of filing a deletion request. Obviously stopping on the hard shoulder and asking, isn't a valid use of the hard shoulder...

          >Registration numbers are PII

          Yes and No!

          I see many articles say yes and justify this by saying the registration number can be linked to information held by DLVA. However, it is clear the writer hasn't fully thought through the access to such linked data.

          Taking Tessier-Ashpool's example, if the filming was being done by a private citizen who does not have access to DLVA, I suggest registration numbers aren't PII.

          However, attention needs to be given to the way the numbers are processed and handled, to ensure a third-party isn't able to link data. If we take what Reg reader Ross did with the Tesco parking data, we can assume they handled and processed the information out of personal interest - does that satisfy the "lawful basis" test? However, from the frequency graph published in the article we can see that there is no way any one could derive any PII from the his work.

          Happy to be corrected by those with a better grasp of GDPR, please ensure your response is directly linked to the two examples (Ross's and Tessier-Ashpool's) to assist understanding.

      2. Anonymous Coward
        Anonymous Coward

        Re: Wtf

        Exactly. Other than the understandable discontent at the fact that these chumps had unsecured data publicly viewable, the 'data' (which was recorded in public, or private land with free access to the public) in itself does not constitute a leak of PII without cross-referencing to other data, which is (supposedly) controlled within the law. I'd say that more PII is captured every day by individuals 'dashcams' - not just of vehicles, but drivers, pedestrians etc. this can be shared with no controls with all & sundry with no regulation at all - even 'You've Been Framed' have to gain consent or pixellate, broadcasting your favourite dashcam recording on Youtube? - free reign to show what and who you want!

      3. Tessier-Ashpool

        Re: Wtf

        No, you are wrong. A vehicle registration is not personally identifiable information in itself. You would need to apply to (and be authorised by) the DVLA to find the registered keeper. If you were to do that and process said data henceforth you would be subject to data processing rules. Until then, not.

        1. Martin M

          Re: Wtf

          Not really. The BPA themselves actually advise that the ICO definitely considers VRM to be personal data in the hands of a parking operator (original context of discussion), because it can be used to identify, even if this has not yet taken place. The I is for Identifiable, not identified. Hence processing is under the scope of the GDPR - https://www.britishparking.co.uk/write/GDPR%20Events/BPA-A4-How-Does-GDPR-Affect-Me-v2.pdf .

          If you’re not a parking operator with a KADOE contract it’s probably more nuanced.

          However, I should correct an definite mistake I made above: GDPR does not affect information collected by individuals for household/personal purposes. Mea culpa.

        2. Martin M

          Re: Wtf

          Note under GDPR you don’t necessarily have to have someone’s name for them to be identifiable or identified, it’s sufficient that you can distinguish them from other individuals. As many people drive only one car it’s at least arguable that this is the case even for companies without a KADOE contracts.

          https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/what-is-personal-data/ says it depends on the context. Sounds like lucrative fun for the lawyers.

        3. Phil Endecott

          Re: Wtf

          > A vehicle registration is not personally identifiable information in itself.

          Would would also claim that a picture of my face is not PII ? Because I don’t actually have my name tattooed across my forehead?

  11. Anonymous Coward
    Anonymous Coward

    So I live in Hailsham. Is there any recompense for this or is the only bonus to hear about how utterly rubbish these companies are?

  12. Lee D Silver badge

    "Tesco said that because it bought the car park monitoring services in from a third party, the third party was responsible for protecting the data in law."

    Not since GDPR, mate.

    Or are you suggesting that there's no link between the Tesco's systems and those of this app despite you having to validate your parking?

    1. Roland6 Silver badge

      Suspect Tesco effectively outsourced the car park monitoring to a third-party. The third-party uses a particular ANPR system at their discretion to collect data and supplies Tesco with a branded parking validation app. So there probably is room to debate whether the ANPR data security was ultimately the responsibility of Tesco or remained with the third-party.

      1. FrogsAndChips Silver badge

        The third party operated on instructions of Tesco, Tesco is the data controller and holds as much responsibility as the data processor.

    2. FrogsAndChips Silver badge

      Actually, even before GDPR, the data controller was responsible for breaches. GDPR added responsibility to the data processor, who can no longer give the excuse that they were simply acting under instructions of the data controller.

  13. Starace
    Alert

    Data retention

    Leaking the data is sloppy.

    But the other question would be why they have retained so much for so long? Surely after the parking is validated and after a suitable delay for any challenges (like fines) they should be binning it? If they want long term statistics they can process and anonymise it and not need any of the source data.

    Certainly no need to store all those images and related data permanently and risk them leaking.

  14. Cederic Silver badge

    El Reg Hackers

    This article suggests that El Reg now does its own unauthorised accesses of third party computing resources.

    I'm not sure whether to be appalled or applaud.

  15. AGeezer

    GDPR

    Are they now due a large fine from the ICO with 14 days to pay?

  16. Shez

    Free Parking

    Tesco have made the parking free in Gateshead so there is some good which has come out of it.

  17. Andy Taylor
    Boffin

    Parking Companies = Cowboys

    Well, according to MPs anyway. They described the parking industry as an "outrageous scam perpetrated on the motorist".

    What to do if you get a charge notice (NB IT"S NOT A FINE):

    Do not ignore it. The law changed in 2012 and keepers can be held liable.

    Speak to the landowner/store manager first. Escalate to CEO if appropriate.

    Wait for a Notice to Keeper through the post (unless car is hired or leased and you receive a charge notice on the windscreen)

    Send a generic "appeal" to the parking company without identifying the driver. They can only chase the keeper in certain circumstances and often fail to comply with the law that allows them to transfer liability from keeper to driver. This applies even if keeper = driver because unless the keeper tells the operator who the driver was, they don't know and cannot assume.

    The keeper is under no obligation to tell anyone who the driver was.

    Use the POPLA appeal service if available to you (used by British Parking Association)

    Do not use the "Independent Appeals Service" offered by members of the International Parking Community trade body as it's not Independent.

    Ignore powerless debt collectors

    Defend in court if necessary - not all companies do court, and those that do often lose a properly defended claim.

    Eagerly await the new statutory parking code of practice that is on the way.

    There's lots of help and assistance to be found online, but beware the idiots who tell you to ignore/bin.

    1. jospanner

      Re: Parking Companies = Cowboys

      Can confirm. This is the way to do it.

      I got two dodgy notices in the space of twelve months. Both decided to leave me alone after putting up a fight, because they want quick payments from people who don't know better.

      ANPR is ridiculous nonsense.

    2. Anonymous Coward
      Anonymous Coward

      Re: Parking Companies = Cowboys

      In Oz.

      Ask for all the evidence they have, logs, names, dates, photos, etc in writing.

      Ask how they obtained your details.

      Ask who the driver was (but don't tell).

      Ask for evidence that driver = owner.

      Wait

      Wait

      Ignore

      END

      However, if it's police or council, pay.

  18. Anonymous Coward
    Anonymous Coward

    Stupid is as stupid does, amazing how many companies are so past does and into doing again.

    1. Anonymous Coward
      Anonymous Coward

      Say that again, but in English.

  19. Anonymous Coward
    Anonymous Coward

    "...nor any sensitive data were available..."

    And Tesco misses the point entirely. "We've heard of security" !!!

    Yes, of course an individual ne'er do well can follow someone and track their movements manually, but for Tesco not to recognise that having it available in a single database so the bad guys (ie not just one) can choose who to burgle at their leisure, beggars belief.

    How are the daily driving habits of thousands of car owners in one database not sensitive data?!?

  20. volsano

    Security Assurance

    Tesco said there were no security risks at all - but advised all UK shoppers, for their convenience, to change their vehicle registration license plate as a precaution.

    Oops - sorry cut'n'pasted the wrong marketing bland response to a security breech.

    1. Tomato Krill

      Re: Security Assurance

      You.missed the year of credit monitoring from Experian...

  21. adnim

    Once upon a time

    many medium to large businesses and corporations processed data in house.

    Off the shelf commercial software would be joined together with custom code to do what was needed.

    A van with a heavy looking dude might turn up to take some tapes off site every day.

    The data could come in from many places in many formats and would go out hopefully exactly as expected, exactly where it was wanted.

    The processing and data control was often in the hands of a small, loyal team. Hardware would be supported in house too.

    It sounds clunky, not exactly agile, but it worked well for many years. Data breaches were rare, faults were found and resolved quickly.

    We now have businesses that contract out almost all of the data processing part of their business, not only car park management. But, payroll, human resource management, data management and data storage, coding, gateways, security controls etc.

    And those contracted to do these tasks will sub contract those tricky parts they don't or can't do themselves. And as we move down the sub contractor pecking order, the understanding of and vested interest in the task diminishes. How long can a chain of sub contractors be?

    The data will pass through a lot of control boundaries on its journey from a to b, all managed by different sub-contractors few of which will understand or even care about the process end to end.

    As we rush toward a pushed, filed, stamped, indexed, briefed, debriefed, numbered, globally connected, data sharing future. A future in which multinational corporations will exist name only, all the actual business function being outsourced. Expect more of your privacy to become public. Expect your corporate puppetmasters to care less when they respond to your pain with AI.

    As the distinction between corporation and government becomes undefined, we welcome you to the machine.

  22. Claverhouse
    Unhappy

    Not Compulsory Yet

    Tesco customers across the nation were instructed to use parkshopreg.co.uk to validate their parking with a code printed on their receipts along with their vehicle’s registration number, thus avoiding parking charges.

    Suppose one didn't have a receipt ? Having exited without buying anything ?

    1. John Brown (no body) Silver badge
      Joke

      Re: Not Compulsory Yet

      What if a have a receipt with a code but no car?

      1. Tomato Krill

        Re: Not Compulsory Yet

        Go see Claverhouse

    2. jamesckelsall

      Re: Not Compulsory Yet

      Not forgetting about those who don't have internet access, or who can't use it, or those who were using Tesco's Click and Collect service.

  23. Tempest
    Stop

    Parking Control Systems - Real Privacy Collection Systems - Ideal For Extortionists

    Late last month the condominium in which I reside decided to waste money installing a parking control system running VinaParking software.

    Apart from the significant physical installations fails (a Harley wouldn't fit between the lane guides for motorcycles - my scooter has paniers than measure 1 metre across from one side to the other), the HD cameras fitted are very susceptible to IR and UV radiation. The cameras record rear number plate and a facial image of the driver.

    The system collects a multitude of data points apart from the essentials including height of rider (against a visual scale), number of riders, etc. The collected information can be used by unscrupulous people as often car images on newer systems include number plates AND images of front seat passengers who should not be seen together such as in extra marital affairs.

    I have long fitted IR & UV radiators to my motorcycle (as SaiGon has over 20,000 traffic cameras as well as a national highway plate reading system) to blind them since the traffic cops aren't able to identify the lamps. The cops are wise to reflective paint (Google 'reflective paint for license plates').

    The cameras are 'blinded' on the parking system. EMP generators (search YouTube) are extremely effective for producing false readings, even 'killing' cheap card scanners, and simply dropping a helmet faceplate neutralises the facial capture system.

    Most parking systems are set not to impede when a camera 'misread' occurs.

  24. JohnMurray

    Perhaps they should also check the system at Tesco Goldington, Bedford......which send you parking tickets saying you've overstayed your time......when you just go in, buy an item/s, then go out....in less than an hour !!!! WARNING: do not go into that store twice in a day.....

  25. Dave559

    There is no data. There is only Zuul.

    There is no data. There is only viZuul?

  26. Securitymoose

    Puts me in mind of the Fourteenth Adjustment by Robert Wingfield

    A sci-fi satire where a parking junta has taken over the entire world - a quick quote from where the parking executives are discussing how to get more cash in. Some people are refusing to pay...

    “Everyone else is paying their parking charges without complaint.”

    “Of course they would.” Poordraw rubbed his hands together. “Nobody ever questions parking charges, well, nobody of any consequence, that is.” He looked sideways at his co-director. “An excellent idea of yours, Pietro, identifying everyone over a certain income level, and giving free parking to those people. That way, folks with the money to challenge us will never complain, and they don’t care what happens to the commoners in any case.”

    “I take all the credit for that,” said Fairway. “I bought these ‘reality’ glasses from Dearheat Enterprises. They have filters which blank out anyone below a certain income level. I believe they were developed for visitors to the theatres in the Arty District to help them ignore beggars, but they work adequately when worn by our car-park attendants.

  27. steviebuk Silver badge

    What an idiot

    Last week I read that as

    "10 seconds of a million automatic number plate recognition images"

    :)

    What annoys me is in the so call "cloud" age, everything is being run by hipster knobs who what stuff "rushed to market" and stuck "in the cloud". But it needs to be secure "Fuck security, just get it done and too market as soon as we can. I want to then sell it and become a millionaire so I can buy more hipster clothes and just sit in coffee shops all day disguising how we can use AI to put loads of people out of work and call anyone that doesn't agree with me 'Granddad/Grandma'"

  28. 2Fat2Bald

    I once got stopped by the police for having no numberplate on my motorcycle. The officer examined where the plate should have been and noticed the clean plastic where it had broken off, laughed and gave me directions to a motorcycle dealers who could make me a new plate. I went there, got a new plate and found the sneaky bugger parked up outside to make sure I did it. He even wondered over to lend me a screwdriver from his car's toolkit to help fit it.

    I think that's how policing should be done. It was obvious the plate had just dropped off a short while ago (probably due to the big thumper engine in the bike) because the broken part was still clean no other offences were present, so the officer used his discretion. And this is the point of getting actual humans to enforce rules rather than buggy computer code...

  29. Anonymous Coward
    Anonymous Coward

    CPP rival?

    More like opposite of 'rivals' ;-)

  30. Doogie Howser MD

    Missed Headline Opportunity?

    "There is no data, there is only Vizuul"

  31. ICPurvis47
    Boffin

    Not just Tesco

    Sainsbury's in Oswestry recently introduced just such an ANPR parking system, it has a large illuminated annunciator at the entrance that gives the number plate and time of arrival, but I have yet to detect any similar information gathering equipment when you leave. When you check out your purchases, you are given a barcoded slip to present to the payment machine outside the store entrance, but if you have a Blue Badge, you can register your Registration Mark(s) with them and not need the barcode slip. I asked one of the car park attendants what would happen if someone did not pay and just drove out, but he either could not or would not say. The nearest Tesco, in Welshpool, 15 miles away, does not charge for parking, but as it would cost me £10 for the round trip to get there and back, I don't go very often unless there's something I want that is not stocked at Sainsbury's.

  32. RLWatkins

    Still investigating...?

    What's to investigate? They didn't secure a DB hosted on a service bureau. They need to do that. End of story.

    We need two new words in our vocabulary: for handwaving-in-order-to-stall-for-time, and for stalling-for-time-in-hopes-that-everyone-will-forget.

    Granted, folks have been doing this since the dawn of recorded history, but lately it's become something one encounters daily. [sigh]

  33. Anonymous Coward
    Anonymous Coward

    Data Leakage Overlooked

    When filling stations started using ANPR to identify bilkers and thereby prevent fuel theft, the Plod wet themselves in their eagerness to catch hold of all that lovely surveillance data. What makes you think that supermarkets and other "ANPR controlled" car parking schemes are not also sending copies of their records to the Police National Computer. In fact I seem to remember someone on this very site moaning about the strictness of formatting demanded by Plod for the ANPR data that they were required to send in daily.

    I suggest that many of the ANPR parking companies were set up specifically to gather ANPR data for police use. Can anyone disprove my suggestion?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like