License plate reader (LPR) technology is a hot topic and its usage is rapidly increasing. OpenAPLR, which offers free LPR software that lets any web-connected camera read license plates, has gone from utilization in around 300 cameras two years ago to 9,200 cameras around the world, an increase of nearly 3,000 percent. Interestingly, only about half of these users are police officers, a fact that carries all sorts of implications in a largely unregulated industry.
With little existing legislation and 5G knocking at the door with promises of significantly faster data transmission and an explosion in the number of IoT devices, it appears that we’re all groping our way through a messy intersection of creative ways to use LPR technology for multiple applications and potential privacy, ethical and legal issues that will likely spawn future litigation.
So how can security leaders who use LPR or are considering adding it to their existing programs stay above the fray while also mitigating risk, implementing best practices and adding value? Here are some points to consider.
Be Aware of Your State’s LPR Laws
As of this writing, just 16 states have official statutes regarding LPR use and/or data retention, a number that’s sure to eventually increase, says the National Conference of State Legislators. If you’re using the technology, you need to be informed about your state’s laws (or lack thereof) and your responsibilities, whether you’re using it as a private citizen or as law enforcement.
Privacy Concerns Will Continue to Create Challenges
With so little legislation governing LPR, groups like the American Civil Liberties Union (ACLU) have been calling for legislation and law enforcement policies regarding both the usage of LPR and the storage of collected data and filing (and winning) lawsuits that challenge data collection, storage and transparency. And with the increasingly rampant use of LPR by everyday citizens and private companies, questions are arising as to where all this data is going, with whom it is being shared and how it is being used. All these factors create an environment that is ripe for brand and agency distrust, if not outright lawsuits.
Cybersecurity Should Be Front-of-Mind
It goes without saying that a growing number of collection nodes, whether it is LPR cameras or other IoT devices, results in more areas of potential vulnerability. It seems too basic to even mention, but if your LPR camera is connected to the internet, it is imperative that you change the default password that comes with it.
Case in point: Over a week’s time in 2019, the website TechCrunch found more than 150 LPR cameras that were connected to the internet and either easily or completely accessible, thanks to the use of default passwords. No one wants the fallout of a hack, so do your due diligence and plug these obvious security holes.
And if you are not a cybersecurity guru, find someone who is to help you keep your devices secure. “Physical security people like me don’t necessarily understand all the ins and outs of cybersecurity, and vice versa,” says James DeMeo, a corporate security professional at Sunstates Security and instructor of event security and risk assessment at Tulane University. “But if we sit down at the table together and we share examples and best practices, we can effectively integrate these technologies to better protect patrons, assets and organizational brand.”
If you want to get a good handle on where you may have cybersecurity vulnerabilities, check out the search engine Shodan, which indexes everything that is connected to the internet.
LPR Continues to Create Success Stories
The Brookhaven Police Department, located just outside Atlanta, partnered with Georgia Power to place nearly 50 LPR cameras around the city. As the center of a multi-agency sting called “Operation Interception,” which targeted people who intended to travel to have sex with minors, 21 people were arrested in five days beginning January 30, 2019, thanks to the LPR technology the Brookhaven PD already had in place.
“We were able to get tags for vehicles that were registered to these people,” says Detective Sergeant David Snively of the Brookhaven PD. “We put them in and set it so that only our command post got the alerts. As soon as (predators) passed a tag reader, we knew where they were. It was one more piece of evidence, but much, much more importantly, it gave our arrest teams a heads up that made it safer for the officers and the community.”
Snively sees the publicization of the operation as a deterrent. “Our message is very simple: If you’re coming to Brookhaven to have sex with a kid, there’s a good chance you’re going to meet me instead,” he says.
Beyond that, he finds the LPR historical data to be relevant to virtually all the department’s ongoing criminal investigations. “I think we’re probably averaging a stolen car every week at least, maybe two or three,” he says.
Snively points out that officers don’t just randomly look up license plates. “It’s not a fishing expedition, we’re not going through every tag. We get specific tags and query them,” he says. There’s also a checks and balances system. “If I want to see historical data for a particular tag, before I can ever see it, I have to enter my user name and password so it identifies me specifically and I have to enter a case number and a brief description of why I’m searching that tag. It has a built-in audit trail.” Images can only be viewed — they can’t be deleted or manipulated in any way.
It’s a Good Strategy for Safeguarding Exterior Perimeters
In the event security arena, LPR technology is used extensively as law enforcement patrol the exterior perimeter parking lots. “LPR is a proactive risk mitigation strategy. Whether it’s a school or a stadium, these exterior perimeters are soft targets,” says DeMeo. “They’re extremely vulnerable, so if they’re in close proximity to mass transportation hubs, the ability to have officers patrolling the lots and looking for these suspicious vehicles utilizing LPR technology bodes well for ownership groups in terms of duty of care.”
It Can Add Value to Your Security Program
One of the great things about LPR is the multitude of ways the data it collects can be used to solve problems, whether financial, criminal, safety, customer service or security, notes Matt Powell, transportation market manager at Convergint. If there are vehicles involved and you need data, LPR is a good way to get it, he adds. Thinking creatively about how you can use LPR to drive revenue for your enterprise or client adds significant value to your security program.
For example, let’s say your enterprise or client needs to update an old, crowded parking deck. LPR data can help you analyze peak hours, create a charting system based on activity and provide heat mapping, yielding cold, hard data that justifies the upgrade. Not only does this give security more value, it keeps you in the conversation rather than pushing you out of the way in favor of third-party vendors, such as parking companies with their own LPR systems.
Aside from increasingly common applications like parking lot gate arms and access control, LPR is being utilized in other interesting ways. Enterprises like automotive dealerships, casinos and airports are using it as a concierge service to enable staff to provide a better, smoother customer service experience, as well as to send alerts when VIP customers arrive.
Cody Mulla, senior information security manager of crisis, continuity and incident response at Informatica, sees a possible future application of LPR in workplace violence prevention programs as well. “If you have an employee that has a person of interest that may have a protective order and they collected that vehicle information, you could set up alerts to go to your internal security staff to let them know that the vehicle is around and possibly that person is operating the vehicle,” he says.
Transparency is Vital
Educating both clients or appropriate enterprise personnel and the public about how you’re using LPR technology and how it’s benefiting them helps to build public trust and can help minimize misuse of the technology, says Powell. Posting obvious signs wherever you have cameras is one way to maintain transparency.
Clear Policies Can Pave the Way to Success
“I’m not an attorney, but I always remind people that you’re probably going to get sued. However, if your actions are reasonable and necessary and you do everything within your power to take steps like proactive security staff training, utilizing metrics to measure learning and understanding, this places you in a very good position to protect yourself from those liabilities,” DeMeo says.
You should also know where your data is stored, for how long and if and with whom it’s shared. Even if there aren’t any hard and fast rules in your state yet, developing a clear internal policy on data storage, usage and sharing is a good practice and could help you down the road in the event of a lawsuit, as well as create transparency and build trust in your brand.