And what about the issue of car number plates being cloned from a breach like this? It seems very convenient for criminals to have a database of a million cars to choose a vehicle model/plate from.
Tesco parking app hauled offline after exposing 10s of millions of Automatic Number Plate Recognition images
Tesco has shuttered its parking validation web app after The Register uncovered tens of millions of unsecured ANPR images sitting in a Microsoft Azure blob. The images consisted of photos of cars taken as they entered and left 19 Tesco car parks spread across Britain. Visible and highlighted were the cars' numberplates, though …
COMMENTS
-
Sunday 22nd September 2019 10:58 GMT Ogi
> There are plenty of sites where you enter the registration number and it produces a list of those characteristics,
Yeah, including the DVLA website itself. I sometimes go there and put in the registration plates of cars I see on old TV shows to see what model they were, which are still on the road and which have been scrapped.
It will tell you quite a bit. I would say approx the first 14 lines on the V5 vehicle details column, including the make, model and colour of the car.
More than enough to get fake plates made up for a vehicle that you want to clone. You do however need to have a legitimate number plate before you get the data, which is where these ANPR photos would come in useful.
-
Friday 20th September 2019 14:35 GMT Lee D
I can collect thousands of number plates, makes, models and colours.
I just sit in a park for a few hours with a phone to make notes on.
Number plates are public information displayed prominently on every legal vehicle. As such they are eminently cloneable. It's time we had something that wasn't cloneable. Like an encrypted RFID tag.
Would also stop all of the "We'll knock up a legal-looking plate, no questions asked" people pretty much overnight. Especially if you asserted a system where only each plate has a unique key - so your "lost" plates are useless to everyone as soon as they're reported and are actually just advertising "I'm stolen!" everywhere they go.
RFID you can target from a distance too... just use a directed powerful magnetic field (e.g. in a cable under a bridge) to induce a current so they transmit, then pluck the encrypted ID out of the air with any directional antenna and a cheap radio.
So long as you don't allow replay attacks (e.g. time-based OTP-like IDs based on an original seed - doesn't need to be accurate to-the-second, just to-the-day will do), you can easily design such a system securely.
Hell, while you're there, mandate OBD integration so the mileage is integrated into the seed... now they know if you're fiddling your odometer too...
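
A sketch of the day-granular rolling ID with one unique key per plate and lost-plate revocation that the comment above describes. It is an added illustration, not part of the original comment; HMAC-SHA256, the 16-byte token length, the `PlateRegistry` class and the sample registration are all assumptions.

```python
import hashlib
import hmac
import secrets
from datetime import date, timedelta

TOKEN_BYTES = 16  # assumed length of the truncated HMAC sent over the air


def day_counter(day: date) -> bytes:
    """Encode a calendar day as an 8-byte counter (days since 1970-01-01)."""
    return (day - date(1970, 1, 1)).days.to_bytes(8, "big")


def rolling_id(tag_key: bytes, day: date) -> bytes:
    """Token a tag would transmit on `day`: HMAC of the day under its own key."""
    digest = hmac.new(tag_key, day_counter(day), hashlib.sha256).digest()
    return digest[:TOKEN_BYTES]


class PlateRegistry:
    """Hypothetical back end holding one secret key per issued plate."""

    def __init__(self):
        self._keys = {}        # registration -> per-plate secret key
        self._revoked = set()  # registrations reported lost or stolen

    def issue(self, registration: str) -> bytes:
        """Create a fresh random key for a plate; the tag stores the same key."""
        key = secrets.token_bytes(32)
        self._keys[registration] = key
        return key

    def report_lost(self, registration: str) -> None:
        self._revoked.add(registration)

    def verify(self, token: bytes, today: date, window_days: int = 1):
        """Return (status, registration) for a token read at the roadside.

        Tokens for `today` and up to `window_days` earlier are accepted, so a
        tag clock only has to be right to the day. Anything older is rejected,
        which is what stops a captured token being replayed later. Note that a
        token captured today still verifies until the window rolls over.
        """
        # Linear scan for clarity; a deployment would index each day's tokens.
        for registration, key in self._keys.items():
            for back in range(window_days + 1):
                expected = rolling_id(key, today - timedelta(days=back))
                if hmac.compare_digest(expected, token):
                    if registration in self._revoked:
                        return ("reported-lost", registration)
                    return ("valid", registration)
        return ("unknown-or-stale", None)


def demo():
    """Run the scheme on constructed sample data and return the statuses."""
    registry = PlateRegistry()
    key = registry.issue("AB12 CDE")  # constructed sample registration
    read_day = date(2019, 9, 20)
    token = rolling_id(key, read_day)  # what a reader would capture that day

    results = [
        registry.verify(token, read_day)[0],                      # same day
        registry.verify(token, read_day + timedelta(days=1))[0],  # inside window
        registry.verify(token, read_day + timedelta(days=2))[0],  # replayed later
    ]
    registry.report_lost("AB12 CDE")
    results.append(registry.verify(token, read_day)[0])           # plate reported lost
    return results


if __name__ == "__main__":
    print(demo())
```
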
-
Saturday 21st September 2019 12:01 GMT Marco van Beek
Pretty sure most cars already have a unique RFID tag
I remember reading an article years ago (early 90’s maybe) about the new Nissan Primera about how they had to decide which part was the “first” part of a car, so that they could stick the RFID tag on it. Just In Time suppliers stuck their own sensors along the assembly line so that they got the correct amount of warning for each car and linked it to the Nissan database to determine which option that car needed, be it seat fabric, paint colour or whatever.
If I remember correctly it was on the main member of the front subframe, chosen because it was the biggest bit of the first assembly.
-
Sunday 22nd September 2019 09:47 GMT Tomato Krill
They're already public, albeit without a public API to retrieve them (eg autotrader, ebay, any insurance quotation tool) - you have to apply and pay but there's nothing to stop anyone using any of these sites to iterate through registrations...
Well, non public API up until these clowns created one at least
-
Friday 20th September 2019 13:11 GMT steviebuk
Re: Incompetence
From what I can tell from their website, they look like they might also be using a virtual office address based in London. Someone on Amazon was doing the same. His mail would go to the London address and they then forward it on to his real address. He was illegally using the NHS logo so looked him up. He gave it away by leaving a review of their service on their Google Reviews page. Found his real address via Companies House.
Most of the car park management companies end up being as bent as fuck. Most of them have no idea about GDPR and most of them have little to no IT security in place.
Argued with the one in the local Waitrose. I wasn't getting a ticket but requested my number plate be removed from their system under a Right To Be Forgotten. They claimed "I have no need to worry, I'm not getting a ticket and that they keep the plates for 6 months for security and crime prevention". I pointed out that under GDPR they no longer need to keep the plate so it needs to be deleted and that ANPR cameras are not to be used for CCTV purposes as they claimed they were doing.
They removed it. Well so they claimed. I asked for it to be removed from their backups also, they ignored all further e-mails.
-
Friday 20th September 2019 16:04 GMT Electronics'R'Us
Re: Incompetence
The 'security and crime prevention' trick won't work under GDPR.
They can retain the data for a long time (indefinitely under some circumstances), but there are limited options.
They also need to have an actual policy in place of what the data are, the purpose for which it is used and the justification for retention.
I would put money that this outfit (and the one you had an unfortunate experience with) has no such written policy in place. Without a policy, no data retention beyond the original purpose of collecting the data from what I am reading.
-
Saturday 21st September 2019 21:09 GMT TeeCee
Re: Incompetence
> Most of the car park management companies end up being as bent as fuck.
s/Most/All/ s/end up being/are/
Unless there's been a seismic event recently, the number of privately issued parking tickets that have actually survived the appeals process and subsequently stood up in court when challenged using advice from the likes of pepipoo remains resolutely at zero.
Issuing fines backed by threats on very dodgy legal grounds? Sounds bent as fuck to me. Where do you think the baseball bat wielding crooks who used to operate clamping services went when that was made illegal?
-
Friday 20th September 2019 11:44 GMT Luiz Abdala
RFID tags instead of pictures.
Brazil, of all the places, already developed a solution to avoid that kind of leak.
It all began with road tolls.
Some bright chap had the idea of using RFID tags glued to the windshield, and automated toll booths. If you decide to buy into the system, you don't need to pull over on every toll booth, you just pick a lane with the RFID reader, and slow down to 25MPH. The system does the rest, charging you by the end of the month.
But the system isn't fit just for toll booths. It works on parking lots too.
Large parking lots - including Walmart here - bought into the idea. Hassle-free paid parking, regardless if you are buying anything or not (people parked for free at the supermarket all day long and would go to work next block - dick move. Parking on Walmart is pretty cheap, though, cents). They extended the service to gas stations and - of all places - McDonald's drive-through. You can literally stop by for a snack, and fill the car, without money or credit card on your person. You park under the tag reader while it fills, and gets charged when done.
Private office buildings can also be included on the system, excluding people that work there from charge, as long as they bring a tagged vehicle that was included on the system, while opening a revenue stream. They just need to split their parking spots into reserved and unreserved sections.
The benefits don't stop there. It is marked as evidence when the car gets stolen. You can ask the company to track its whereabouts on any reader of the system and report to the police. Yes, some dumb burglar can be seen driving a car deep into the State by the tag reader, and can be easily intercepted.
Since you are buying into the system, it isn't invasion of privacy per se (contracts, EULAS). The system can't read other RFID tags, or make any sense of them, even if they match the system.
Instead of collecting data of the general public, it collects data from agreeing parties. Much harder to go wrong.
-
Friday 20th September 2019 19:58 GMT Luiz Abdala
Re: RFID tags instead of pictures.
No, I'm not a RFID shill. But try to lose the printed ticket to you by the machine at the gate (a barcode) as you entered the parking lot, and see how much hassle you got.
Did you pay for parking, by handing it over to PL cashier? Did you hand it over to the Walmart cashier so it is not charged for 20 minutes, as the allotted time to leave even the most complex parking lot? Tough tits if you lost it.
Yes, the privacy of the thing can be abused to hell and back, as just a portable RFID reader cranked up to 1000 Watts and 20dB can tell you. But it beats the nagging of getting barcodes printed on thermal paper handed to you. Practical it is. Specially when it rains/heatwaves.
-
Friday 20th September 2019 12:25 GMT Ben Tasker
Re: RFID tags instead of pictures.
> Since you are buying into the system, it isn't invasion of privacy per se (contracts, EULAS).
That's not really an accurate statement.
It isn't a *forced* invasion of privacy, but the data collected/generated by it could still be used *for* an invasion of privacy.
With that system the analogue to this story would be the RFID-s db being left open to the world, so I could then tell that registration ABCD123 is linked to RFID with serial 1234. From that I can see that RFID 1234 drives into the Walmart car-park at 14:00 every Tuesday and stays there for 2 hours.
Depending on what they're storing, I may not be able to tell make/model so easily (I'd need to look it up from the reg), but if they *are* storing it then it'd be easier to look up lucrative makes (query for lexus) than with the images.
The RFID version does sound convenient, and does entail more choice than with a film-all approach, but a privacy panacea it is not.
-
Friday 20th September 2019 20:02 GMT Luiz Abdala
Re: RFID tags instead of pictures.
Yep, totally agree. But it beats an open server filled with pictures of license plates any day of the week.
You'd have to tap into a reader, or the network of the place. Somebody fiddling with an automated gate would attract some looks, while reading a server off the web, won't.
-
Saturday 21st September 2019 09:57 GMT Ben Tasker
Re: RFID tags instead of pictures.
> You'd have to tap into a reader, or the network of the place.
Really depends on their setup. They will almost certainly maintain a transaction log somewhere (in case charges are challenged - mistakes happen in any system). That log may not necessarily be on site, particularly if operation of the system has been outsourced.
Even if not outsourced, it was likely bought in, so may exist on the vendor's systems (whether routinely stored there, or periodically captured for monitoring/debugging). There's absolutely nothing to stop "vendor's systems" from being an open-to-the-world hadoop server.
So, it may well still be an open server, it just won't be full of pictures. At that point you may be better off, or worse off, depending on what data they're storing.
-
Monday 23rd September 2019 10:26 GMT streaky
Re: RFID tags instead of pictures.
"it beats an open server filled with pictures of license plates any day of the week"
If we're assuming incompetence now they don't have pics of numberplates (I can think of reasons why that can't possibly be true, but -) now they have name, if it's a corp account, where you live, payment info and again, times when you used a car park, road (in the case of tolls) etc and when. Can't imagine why Brazil has a systemic problem with armed car jackings of rich people.
Okay sure presumably you could anonymise such a system and have people only top-up so to speak via shops or whatever, but most people won't want the inconvenience. Not saying there should be a problem with such a system but we're assuming incompetence remember - there shouldn't be a problem with a db of licence plate images either..
-
Friday 20th September 2019 20:07 GMT Luiz Abdala
Re: RFID tags instead of pictures.
You get handed a thermal paper with a barcode like everybody else. And must present that piece of paper to a pay booth.
All shopping centers have them on the parking exits. Upon payment the system lets the code free of charge for the time required to leave the premises.
The same kind of thermal paper used on receipts for credit cards, in case of supermarkets.
-
Saturday 21st September 2019 17:06 GMT John Brown (no body)
Re: RFID tags instead of pictures.
"All shopping centers have them on the parking exits. "
Not around here they don't. I don't think I've ever paid to use a shopping centre car park. Maybe it's just a problem in city centre shopping centres. ISTR a nearby ASDA tried it about 10 years ago but their footfall dropped so much they gave up on it.
-
Friday 20th September 2019 11:54 GMT Joe Harrison
Bastards
My local Tesco fined me 20 quid for overstaying the 2-hour parking after I spent too long in their coffee shop one Sunday while doing my shopping. This Tesco is in the middle of nowhere-ish I mean not next to the station or anything at all where people might want to leech off their parking. They were within their rights as there were hitherto-unnoticed signs all over saying 2 hours, so I paid it, but really it's not a good thing to do to your customers. Or ex-customers, to which merry band I now belong.
-
Friday 20th September 2019 12:24 GMT Anonymous Coward
Re: Bastards
I was surprised before last Christmas to see my car reg flash up on a display when I drove into the car park at a local retail centre. I've never driven into that car park again. I'm not saying I won't ever, but having heard about the various "errors" that lead to a fine, I prefer to take my business elsewhere.
-
Friday 20th September 2019 12:29 GMT Ben Tasker
Re: Bastards
When Tesco first started doing their ANPR monitoring there were a lot of people round my area getting fines despite not having overstayed.
The problem was, they'd swing in in the morning to grab a coffee from the attached coffee-shop, drive from there to work, and then come back later in the day (either for another coffee, or to do some shopping on the way home).
ANPR would catch their entry into the car-park in the morning, but miss them leaving (bad weather, lorry turning into the petrol station, all sorts of reasons). Then either didn't see them enter later or failed to handle you being there "twice" (my guess is the latter), and would record you leaving that second time, ultimately deciding you'd been there for 8 hrs.
From what I gather, the lot running the parking system were a complete shower and insisted the system couldn't be wrong, do you have proof etc.
So I stopped using the local Tesco for quite a while, as there's Sainsbury's just down the road, with (at the time) none of that hassle.
-
Friday 20th September 2019 13:05 GMT aje21
Re: Bastards
Won't be a fine as it's not from the council, etc. - will be an "invoice" which is dressed up to look like something official. Just saying... annoying to get one, but if they can ever get the parking rules sorted out it should become clearer what is going on.
Oh, and I "love" the way that your car can form a contract with a parking company on your behalf. The registered keeper is considered to have been driving unless they say someone else was. But all they have is the car number plate. DVLA make a lot of money selling registered keeper details for this purpose.
-
Friday 20th September 2019 14:27 GMT Lee D
Re: Bastards
Fining your own customers, specifically the ones who are slow, enjoying your shop, or just buying a lot of stuff, is the stupidest thing I've ever heard.
The first time a shop ever tries to send me anything like that, not only will it be challenged by every ounce of my being in every way conceivable (hey, it's a hobby of mine) but I will avoid the chain in perpetuity.
Either provide enough spaces, or get out. If people are misusing spaces without making any purchases at all (e.g. if you're near Wembley etc.) then I kind of understand having some system. So you, say, make it free if you spend "over £X" in-store, where X is how much it would cost to park in the car parks in town anyway. But time limits are stupid. I'm not going to rush my (now monthly, because weekly is a pain in the butt and monthly suits me fine) shop just to fit inside your window when the car park is *MOSTLY* empty all the time anyway. Obviously, tow away anything still there when you lock up the car park, that's fair enough.
I'd be more in support of a supermarket that policed their disabled spots (e.g. you can use them, if you have a blue badge, and if you have someone checking the ID of the driver/passenger against the badge holder... invite a local PCSO if you get a lot of mis-use!), parent-and-child spots, etc.
But try and "fine" me, or even threaten to do so officially, for utilising your services in a reasonable manner? Well done, you just lost a customer.
-
Friday 20th September 2019 20:42 GMT John_Smith
Re: Bastards
"The first time a shop ever tries to send me anything like that, not only will it be challenged by every ounce of my being in every way conceivable (hey, it's a hobby of mine) but I will avoid the chain in perpetuity."
Be more imaginative.
Pop in and fill a trolley with chilled and frozen food, then change your mind about wanting it so just abandon it, so when they find it has to be thrown away.
Rinse and repeat until bored.
-
Tuesday 24th September 2019 13:22 GMT Roland6
Re: Bastards
+1 for a supermarket that policed their disabled spots
>It's a special kind of twat who abuses those spaces.
It amuses me visiting my local superstore at 11pm or some other unsocial hour and tossing a coin as to whether to bother with the 'rules' and avoid the vast area of empty disabled and parent & infant parking spaces, or just go "what the f*ck"...
Mind you I suspect some idiot parking company would choose to implement the rules, as at that time of night they would get clear cctv footage of the driver walking normally away from the car, which they would be unable to get during normal hours; which is when misuse of the bays is a problem...
-
Friday 20th September 2019 14:41 GMT Doctor Syntax
Re: Bastards
Their parking vultures sent me a snotty letter saying if I did it again I'd be fined. I decided the best way to avoid the risk of that was to never go into a Tesco car park again. The best way to avoid that was never to go into a Tesco again.
The really annoying thing was that when they looked after things themselves they sent someone out to control the exit gate when they were busy; that day they weren't, it appeared to be a day when half the population was spending a really hot summer day watching other people kick a bag of wind up and down a field.
Also annoying was the fact that I'd driven into town to pick up SWMBO, do some shopping in Tesco & go home for lunch. We decided to eat in town and were about to pass on the shopping but I decided that as we'd parked there it would only be fair to use the shop, otherwise we'd have been out, having bought nothing, in under the time limit.
It seems that Tesco don't actually want you to shop in their stores. It's amused me since to note how their market share has shrunk over the years and realise that my absence has contributed a good few £k to that by now. And the real irony is that as they'd outsourced the car park they probably had no idea about the letter and that that's why my card suddenly stopped being used; so much for their alleged expertise in number-crunching.
-
Saturday 21st September 2019 15:11 GMT Doctor Syntax
Re: Bastards
You do realise, don't you, that Tesco's shrinking turnover is the cumulative result of lots of people like me not buying from them? If you think it's some mega-millionaire not shopping there any longer then you need to grow up.
Big companies spend fortunes on marketing and advertising to bring people in or get them to pay more when they're in. They fail to realise that not pissing off customers and potential customers would be far cheaper.
They also seem not to realise that parking is an aspect of customer service. Put like that it should be simply obvious that it is. Yet they're prepared to turn over their car parks to companies for whom the store is simply bait to lure prey or to take up premises in trading estates where their landlords do that.
"And that you think that documenting the fact here will get you some sympathy."
I'm not looking for sympathy. I have less need of Tesco than they have of customers. However it does appear that more folk here agree with me than you. I trust you're not looking for sympathy either.
-
Saturday 21st September 2019 19:28 GMT Anonymous Coward
Re: Bastards
Tesco's shrinking turnover is not due to "pissing off customers". It's because its competitors have better prices. It's called a business model. When they offer significantly lower prices on the products you buy, even you'll be back, unless you're just bloody minded, which is a distinct possibility ;)
The number of "pissed off customers" due to parking problems or other reasons is a tiny fraction of their real customer base.
You have more sympathisers than me? Seriously? LOL. It's not a competition! Just grow up.
-
Sunday 22nd September 2019 10:25 GMT Doctor Syntax
Re: Bastards
"unless you're just bloody minded, which is a distinct possibility "
Life is too short to carry a grudge but we all have to do the best we can.
Note that one of my points was that part of Tesco's shtick was that they were really good at understanding their customers because of all their analytics. Well, that was something they couldn't analyse unless their outsourcer passed over the data, which I suspect they didn't. They weren't as good as they thought they were.
-
Monday 23rd September 2019 11:06 GMT Doctor Syntax
Re: Bastards
Quite right. Tesco (and every other retailer) need customers more than I (and every other customer or potential customer) needs them. Not being good at understanding their customers is a problem for any retailer. Thinking they are good whilst not being is an even bigger problem.
-
Monday 23rd September 2019 10:00 GMT paulf
Re: Bastards
In my experience, Tesco have failed extensively at the whole "Don't piss off your customers" thing. They only got away with it by being the 800lb Gorilla in the supermarket world. Issuing "fines" to people who stay too long in one of their shops is just the tip of the iceberg.
I came to the conclusion about 20 years ago that Tesco aren't just indifferent to their customers, they outright hate them. That's when I resolved to never shop there, other than perhaps twice a year for the things I can't get anywhere else. Any other supermarkets deal with CS questions cheerfully (mostly!) but in Tesco they always pick the most outwardly hostile people to staff the CS desk.
It's interesting to note how Tesco whine about people not using the in store cafes and deli counters (hence closing some former and most latter) without thinking perhaps people aren't stopping for coffee/breakfast/lunch or to wait for someone to serve their slice of cheese because they have to hurry out the door before they're charged £20 to park for 2 hours and 10 minutes.
Worth noting all the Aldis around here (Just outside the northern half of the M25) only give you 90 minutes to shop - but that's more than long enough considering how you get your shopping thrown at you by the checkout operator.
-
Saturday 21st September 2019 11:54 GMT Law
Re: Bastards
I once got told I'd been in a McDonalds carpark for 24 hours once... turned out they'd seen me on day 1 going in for my drive through morning coffee... not clocked me leaving on day 1... then missed me on day 2 going in for my coffee, but seen me leaving... hence 24 hours.
I worked for a CCTV company at the time, and offered court-grade proof I was in the work carpark 5 minutes after the coffee stop on day 1, but they refused to listen to reason and upped the fine. I tried again, this time including McDonalds on the conversation. Again - they upped the fine and threatened legal action.
In the end, I told them to take me to court then just ignored them. As (at the time at least) fines on private land aren't enforceable, I heard nothing from them again.
Pretty sure you could just ignore the fine... private fines not enforceable... only fines issued by companies on behalf of the council are enforceable I think. But, INAL... so might be talking out my arse.
-
Saturday 21st September 2019 21:02 GMT matjaggard
Re: Bastards
"Pretty sure you could just ignore the fine... private fines not enforceable... only fines issued by companies on behalf of the council are enforceable I think. But, INAL... so might be talking out my arse."
You are indeed talking out of your posterior. There was a case recently where someone kept ignoring invoices for parking without a ticket in a private car park and in the end the court made them pay the whole lot. As someone who is responsible for a 6 car car park, I'm actually very pleased that these invoices can't just be ignored forever.
-
Friday 20th September 2019 13:19 GMT Immenseness
Wtf
Is it only me that is wondering why they need to keep 10 million images in the first place? Surely after you subtract time out and time in, if less than the permitted time you delete the images.
Or are they storing it long term for another purpose? If so, when did drivers consent to that? Just because they parked there and it was on a small notice in yellow text on a white background would seem to me to fly in the face of GDPR.
-
Saturday 21st September 2019 10:06 GMT Martin M
Idiots
Only as long as you don't process photos either automatically (e.g. by running ANPR) or manually by filing them as part of a structured filing system. Otherwise you fall within scope of the GDPR and would be in breach. This all applies as much to individuals as companies.
Registration numbers are PII and you must have a lawful basis for processing. Legitimate interest is used to cover parking enforcement but would not cover your example, which would require consent - which of course would not be practical to obtain. Whatever the lawful basis, you must not over-retain.
In practice you might not be *prosecuted* for doing it, but that's a whole different question.
-
Monday 23rd September 2019 08:43 GMT Jimmy2Cows
Re: Idiots
Reg numbers are a related factor. You can't categorically identify someone from a number plate, but you could link it with other details to do so.
Unsurprisingly the definition of related factor is somewhat wooly and subjective. From the ICO:
- If you cannot directly identify an individual from that information, then you need to consider whether the individual is still identifiable. You should take into account the information you are processing together with all the means reasonably likely to be used by either you or any other person to identify that individual.
- Even if an individual is identified or identifiable, directly or indirectly, from the data you are processing, it is not personal data unless it ‘relates to’ the individual.
- When considering whether information ‘relates to’ an individual, you need to take into account a range of factors, including the content of the information, the purpose or purposes for which you are processing it and the likely impact or effect of that processing on the individual.
-
Saturday 21st September 2019 18:09 GMT Roland6
Re: Idiots
>Otherwise you fall within scope of the GDPR and would be in breach.
Interesting example of the limits of GDPR as the vehicle owners would have no way of filing a deletion request. Obviously stopping on the hard shoulder and asking, isn't a valid use of the hard shoulder...
>Registration numbers are PII
Yes and No!
I see many articles say yes and justify this by saying the registration number can be linked to information held by DVLA. However, it is clear the writer hasn't fully thought through the access to such linked data.
Taking Tessier-Ashpool's example, if the filming was being done by a private citizen who does not have access to DVLA, I suggest registration numbers aren't PII.
However, attention needs to be given to the way the numbers are processed and handled, to ensure a third-party isn't able to link data. If we take what Reg reader Ross did with the Tesco parking data, we can assume they handled and processed the information out of personal interest - does that satisfy the "lawful basis" test? However, from the frequency graph published in the article we can see that there is no way anyone could derive any PII from his work.
Happy to be corrected by those with a better grasp of GDPR, please ensure your response is directly linked to the two examples (Ross's and Tessier-Ashpool's) to assist understanding.
-
Saturday 21st September 2019 12:12 GMT Anonymous Coward
Re: Wtf
Exactly. Other than the understandable discontent at the fact that these chumps had unsecured data publicly viewable, the 'data' (which was recorded in public, or private land with free access to the public) in itself does not constitute a leak of PII without cross-referencing to other data, which is (supposedly) controlled within the law. I'd say that more PII is captured every day by individuals' 'dashcams' - not just of vehicles, but drivers, pedestrians etc. this can be shared with no controls with all & sundry with no regulation at all - even 'You've Been Framed' have to gain consent or pixellate, broadcasting your favourite dashcam recording on Youtube? - free rein to show what and who you want!
-
Saturday 21st September 2019 15:32 GMT Tessier-Ashpool
Re: Wtf
No, you are wrong. A vehicle registration is not personally identifiable information in itself. You would need to apply to (and be authorised by) the DVLA to find the registered keeper. If you were to do that and process said data henceforth you would be subject to data processing rules. Until then, not.
-
Saturday 21st September 2019 16:12 GMT Martin M
Re: Wtf
Not really. The BPA themselves actually advise that the ICO definitely considers VRM to be personal data in the hands of a parking operator (original context of discussion), because it can be used to identify, even if this has not yet taken place. The I is for Identifiable, not identified. Hence processing is under the scope of the GDPR - https://www.britishparking.co.uk/write/GDPR%20Events/BPA-A4-How-Does-GDPR-Affect-Me-v2.pdf .
If you’re not a parking operator with a KADOE contract it’s probably more nuanced.
However, I should correct a definite mistake I made above: GDPR does not affect information collected by individuals for household/personal purposes. Mea culpa.
-
Saturday 21st September 2019 16:54 GMT Martin M
Re: Wtf
Note under GDPR you don’t necessarily have to have someone’s name for them to be identifiable or identified, it’s sufficient that you can distinguish them from other individuals. As many people drive only one car it’s at least arguable that this is the case even for companies without a KADOE contract.
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/what-is-personal-data/ says it depends on the context. Sounds like lucrative fun for the lawyers.
-
Friday 20th September 2019 14:07 GMT Lee D
"Tesco said that because it bought the car park monitoring services in from a third party, the third party was responsible for protecting the data in law."
Not since GDPR, mate.
Or are you suggesting that there's no link between the Tesco's systems and those of this app despite you having to validate your parking?
-
Saturday 21st September 2019 18:17 GMT Roland6
Suspect Tesco effectively outsourced the car park monitoring to a third-party. The third-party uses a particular ANPR system at their discretion to collect data and supplies Tesco with a branded parking validation app. So there probably is room to debate whether the ANPR data security was ultimately the responsibility of Tesco or remained with the third-party.
-
Friday 20th September 2019 14:54 GMT Starace
Data retention
Leaking the data is sloppy.
But the other question would be why they have retained so much for so long? Surely after the parking is validated and after a suitable delay for any challenges (like fines) they should be binning it? If they want long term statistics they can process and anonymise it and not need any of the source data.
Certainly no need to store all those images and related data permanently and risk them leaking.
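One way to implement the retention approach suggested in the comment above, as an added example that is not part of the thread or any parking operator's code. The 28-day challenge window, the small-count threshold, the record fields and the sample plates are all assumptions constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

CHALLENGE_WINDOW = timedelta(days=28)  # assumed appeal period, not from the page
MIN_BUCKET = 2                         # assumed: suppress counts that could single out a visit

def stay_bucket(entered, left):
    """Coarsen a stay into a band so exact times do not survive in the statistics."""
    minutes = (left - entered).total_seconds() / 60
    if minutes < 30:
        return "<30m"
    return "30m-2h" if minutes < 120 else ">2h"

def apply_retention(records, now):
    """Return (kept, blobs_to_delete, stats) for one retention pass.

    Records past the challenge window with no open dispute are reduced to
    (site, date, stay band) counts; their plate and image are queued for deletion.
    """
    kept, blobs_to_delete, counts = [], [], Counter()
    for r in records:
        expired = now - r["left"] > CHALLENGE_WINDOW
        if expired and not r["disputed"]:
            key = (r["site"], r["entered"].date().isoformat(),
                   stay_bucket(r["entered"], r["left"]))
            counts[key] += 1
            blobs_to_delete.append(r["image_blob"])
        else:
            kept.append(r)  # still inside the window, or held for a dispute
    stats = {k: n for k, n in counts.items() if n >= MIN_BUCKET}
    return kept, blobs_to_delete, stats

def _rec(site, plate, entered, minutes, disputed=False):
    t = datetime.fromisoformat(entered)
    return {"site": site, "plate": plate, "image_blob": f"{site}/{plate}-{entered}.jpg",
            "entered": t, "left": t + timedelta(minutes=minutes), "disputed": disputed}

# Constructed sample records; plates and sites are made up.
NOW = datetime(2019, 9, 20, 12, 0)
SAMPLE = [
    _rec("site-a", "AA00AAA", "2019-08-01T10:00", 20),
    _rec("site-a", "BB00BBB", "2019-08-01T11:00", 25),
    _rec("site-a", "CC00CCC", "2019-08-01T09:00", 210, disputed=True),
    _rec("site-b", "DD00DDD", "2019-08-02T14:00", 60),
    _rec("site-a", "EE00EEE", "2019-09-19T10:00", 40),
]

if __name__ == "__main__":
    kept, purge, stats = apply_retention(SAMPLE, NOW)
    print(len(kept), "kept;", len(purge), "images to delete;", stats)
```

Counting before deleting means the long-term figures never depend on the source images, and dropping small buckets avoids a count of one standing in for a single identifiable visit.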
-
Friday 20th September 2019 17:22 GMT Andy Taylor
Parking Companies = Cowboys
Well, according to MPs anyway. They described the parking industry as an "outrageous scam perpetrated on the motorist".
What to do if you get a charge notice (NB IT'S NOT A FINE):
Do not ignore it. The law changed in 2012 and keepers can be held liable.
Speak to the landowner/store manager first. Escalate to CEO if appropriate.
Wait for a Notice to Keeper through the post (unless car is hired or leased and you receive a charge notice on the windscreen)
Send a generic "appeal" to the parking company without identifying the driver. They can only chase the keeper in certain circumstances and often fail to comply with the law that allows them to transfer liability from keeper to driver. This applies even if keeper = driver because unless the keeper tells the operator who the driver was, they don't know and cannot assume.
The keeper is under no obligation to tell anyone who the driver was.
Use the POPLA appeal service if available to you (used by British Parking Association)
Do not use the "Independent Appeals Service" offered by members of the International Parking Community trade body as it's not Independent.
Ignore powerless debt collectors
Defend in court if necessary - not all companies do court, and those that do often lose a properly defended claim.
Eagerly await the new statutory parking code of practice that is on the way.
There's lots of help and assistance to be found online, but beware the idiots who tell you to ignore/bin.
-
Sunday 22nd September 2019 02:53 GMT Anonymous Coward
Re: Parking Companies = Cowboys
In Oz.
Ask for all the evidence they have, logs, names, dates, photos, etc in writing.
Ask how they obtained your details.
Ask who the driver was (but don't tell).
Ask for evidence that driver = owner.
Wait
Wait
Ignore
END
However, if it's police or council, pay.
-
Saturday 21st September 2019 07:43 GMT Anonymous Coward
"...nor any sensitive data were available..."
And Tesco misses the point entirely. "We've heard of security" !!!
Yes, of course an individual ne'er do well can follow someone and track their movements manually, but for Tesco not to recognise that having it available in a single database so the bad guys (ie not just one) can choose who to burgle at their leisure, beggars belief.
How are the daily driving habits of thousands of car owners in one database not sensitive data?!?
-
Saturday 21st September 2019 11:34 GMT adnim
Once upon a time
many medium to large businesses and corporations processed data in house.
Off the shelf commercial software would be joined together with custom code to do what was needed.
A van with a heavy looking dude might turn up to take some tapes off site every day.
The data could come in from many places in many formats and would go out hopefully exactly as expected, exactly where it was wanted.
The processing and data control was often in the hands of a small, loyal team. Hardware would be supported in house too.
It sounds clunky, not exactly agile, but it worked well for many years. Data breaches were rare, faults were found and resolved quickly.
We now have businesses that contract out almost all of the data processing part of their business, not only car park management. But, payroll, human resource management, data management and data storage, coding, gateways, security controls etc.
And those contracted to do these tasks will sub contract those tricky parts they don't or can't do themselves. And as we move down the sub contractor pecking order, the understanding of and vested interest in the task diminishes. How long can a chain of sub contractors be?
The data will pass through a lot of control boundaries on its journey from a to b, all managed by different sub-contractors few of which will understand or even care about the process end to end.
As we rush toward a pushed, filed, stamped, indexed, briefed, debriefed, numbered, globally connected, data sharing future. A future in which multinational corporations will exist in name only, all the actual business function being outsourced. Expect more of your privacy to become public. Expect your corporate puppetmasters to care less when they respond to your pain with AI.
As the distinction between corporation and government becomes undefined, we welcome you to the machine.
-
Saturday 21st September 2019 16:29 GMT Claverhouse
Not Compulsory Yet
Tesco customers across the nation were instructed to use parkshopreg.co.uk to validate their parking with a code printed on their receipts along with their vehicle’s registration number, thus avoiding parking charges.
Suppose one didn't have a receipt? Having exited without buying anything?
-
Saturday 21st September 2019 20:05 GMT Tempest
Parking Control Systems - Real Privacy Collection Systems - Ideal For Extortionists
Late last month the condominium in which I reside decided to waste money installing a parking control system running VinaParking software.
Apart from the significant physical installation fails (a Harley wouldn't fit between the lane guides for motorcycles - my scooter has panniers that measure 1 metre across from one side to the other), the HD cameras fitted are very susceptible to IR and UV radiation. The cameras record rear number plate and a facial image of the driver.
The system collects a multitude of data points apart from the essentials including height of rider (against a visual scale), number of riders, etc. The collected information can be used by unscrupulous people as often car images on newer systems include number plates AND images of front seat passengers who should not be seen together such as in extra marital affairs.
I have long fitted IR & UV radiators to my motorcycle (as SaiGon has over 20,000 traffic cameras as well as a national highway plate reading system) to blind them since the traffic cops aren't able to identify the lamps. The cops are wise to reflective paint (Google 'reflective paint for license plates').
The cameras are 'blinded' on the parking system. EMP generators (search YouTube) are extremely effective for producing false readings, even 'killing' cheap card scanners, and simply dropping a helmet faceplate neutralises the facial capture system.
Most parking systems are set not to impede when a camera 'misread' occurs.
-
Monday 23rd September 2019 08:02 GMT Securitymoose
Puts me in mind of the Fourteenth Adjustment by Robert Wingfield
A sci-fi satire where a parking junta has taken over the entire world - a quick quote from where the parking executives are discussing how to get more cash in. Some people are refusing to pay...
“Everyone else is paying their parking charges without complaint.”
“Of course they would.” Poordraw rubbed his hands together. “Nobody ever questions parking charges, well, nobody of any consequence, that is.” He looked sideways at his co-director. “An excellent idea of yours, Pietro, identifying everyone over a certain income level, and giving free parking to those people. That way, folks with the money to challenge us will never complain, and they don’t care what happens to the commoners in any case.”
“I take all the credit for that,” said Fairway. “I bought these ‘reality’ glasses from Dearheat Enterprises. They have filters which blank out anyone below a certain income level. I believe they were developed for visitors to the theatres in the Arty District to help them ignore beggars, but they work adequately when worn by our car-park attendants.
-
Monday 23rd September 2019 08:21 GMT steviebuk
What an idiot
Last week I read that as
"10 seconds of a million automatic number plate recognition images"
:)
What annoys me is in the so-called "cloud" age, everything is being run by hipster knobs who want stuff "rushed to market" and stuck "in the cloud". But it needs to be secure "Fuck security, just get it done and to market as soon as we can. I want to then sell it and become a millionaire so I can buy more hipster clothes and just sit in coffee shops all day discussing how we can use AI to put loads of people out of work and call anyone that doesn't agree with me 'Granddad/Grandma'"
-
Monday 23rd September 2019 08:57 GMT 2Fat2Bald
I once got stopped by the police for having no numberplate on my motorcycle. The officer examined where the plate should have been and noticed the clean plastic where it had broken off, laughed and gave me directions to a motorcycle dealers who could make me a new plate. I went there, got a new plate and found the sneaky bugger parked up outside to make sure I did it. He even wandered over to lend me a screwdriver from his car's toolkit to help fit it.
I think that's how policing should be done. It was obvious the plate had just dropped off a short while ago (probably due to the big thumper engine in the bike) because the broken part was still clean; no other offences were present, so the officer used his discretion. And this is the point of getting actual humans to enforce rules rather than buggy computer code...
-
Monday 23rd September 2019 12:02 GMT ICPurvis47
Not just Tesco
Sainsbury's in Oswestry recently introduced just such an ANPR parking system, it has a large illuminated annunciator at the entrance that gives the number plate and time of arrival, but I have yet to detect any similar information gathering equipment when you leave. When you check out your purchases, you are given a barcoded slip to present to the payment machine outside the store entrance, but if you have a Blue Badge, you can register your Registration Mark(s) with them and not need the barcode slip. I asked one of the car park attendants what would happen if someone did not pay and just drove out, but he either could not or would not say. The nearest Tesco, in Welshpool, 15 miles away, does not charge for parking, but as it would cost me £10 for the round trip to get there and back, I don't go very often unless there's something I want that is not stocked at Sainsbury's.
-
Monday 23rd September 2019 15:52 GMT RLWatkins
Still investigating...?
What's to investigate? They didn't secure a DB hosted on a service bureau. They need to do that. End of story.
We need two new words in our vocabulary: for handwaving-in-order-to-stall-for-time, and for stalling-for-time-in-hopes-that-everyone-will-forget.
Granted, folks have been doing this since the dawn of recorded history, but lately it's become something one encounters daily. [sigh]
-
Monday 23rd September 2019 21:36 GMT Anonymous Coward
Data Leakage Overlooked
When filling stations started using ANPR to identify bilkers and thereby prevent fuel theft, the Plod wet themselves in their eagerness to catch hold of all that lovely surveillance data. What makes you think that supermarkets and other "ANPR controlled" car parking schemes are not also sending copies of their records to the Police National Computer? In fact I seem to remember someone on this very site moaning about the strictness of formatting demanded by Plod for the ANPR data that they were required to send in daily.
I suggest that many of the ANPR parking companies were set up specifically to gather ANPR data for police use. Can anyone disprove my suggestion?