> nobody came to any harm or suffered any detrimental effects as a result of this breach
Who gets to decide what "harm" is or whether anyone suffered "detrimental effects"? Surveillance is so common and normalized they don't consider the act of collecting so much information itself as a "detrimental harm".
What if that harm only presented itself years down the line? Maybe a creepy stalker who can synthesize multiple data sets to reconstruct a person's movements or possibly use it against them some way (scammers and fraudsters are increasingly using all these leaked datasets to create a more accurate profile of an individual for more sophisticated attacks/targeting. Your name/address/mobile number must not and can not be considered PII since it's already been leaked probably tens of times by now).
That's an incredibly shortsighted comment to try and justify developing a system with not even the most basic of security considerations.
I honestly just wish those same people were jailed for 50 years as a result, we'd see a LOT more consideration in the future if they were held personally liable.
Well of course there are parallels. But on the other hand, I have very high regard for UK government digital (having twice worked in that space) and would be much more inclined to trust them than a local authority, especially where the potential benefit might be enormous.
I hope somebody combs through the data and uses it to publish embarrassing trip sequences for public officials and their families because that's the only way politicians and local officials are gonna even consider not supporting these kinds of boondoggle dragnet projects.
When I read your comment, I realized I intuitively view open access to surveillance systems like this as more desirable than limited access, and I don't know how to articulate that feeling.
I'd consider myself privacy-conscious, however it is clear that this sort of open access further limits my "privacy." I wonder if privacy advocacy is more about aversion to certain power imbalances rather than privacy as an end itself for many folks.
While having everything be open would probably reduce double standards along the "government and people with influence" vs "non-government and people without influence" lines I am not sure it would be a net positive, or at least not enough to prefer an open approach to dragnet systems over not having them in the first place.
I would be very worried about a "tyranny of the majority" type situation where a (large and/or powerful enough) local majority uses the system to the detriment of some local (small enough or powerless enough) minority either under color of law or with a blind eye and/or tacit approval from the local powers that be. With a large enough majority vs a small enough minority, government's hands may effectively be tied when it comes to preventing abuse, and intervention from the next higher level of government is not always forthcoming. We've all seen the way online communities engage in witch hunts. If the past is any example I don't think we can trust municipalities in possession of dragnets to not do the same if the contents of those dragnets are open to the public.
I think we can all agree that gay bar patrons in rural Alabama and gun shop patrons in urban Massachusetts, to name a couple examples, might not do too well under an "all the location data the local government has out in the open" type of surveillance scheme.
Privacy as a constraint on government action, yes. Aren't all constraints on government action essentially concerned with addressing the power imbalance?
But privacy itself is also a claim against your neighbor: not only is it illegal for them to blackmail you, it is impermissible to obtain the grounds for that blackmail.
I'm perhaps more afraid of my neighbor than I am the government. Rapists are more often people you know, and all that.
I'd wager that there are vanishingly few people who don't have some thing they do, some demographic they belong to, some association with something, that some vocal minority would crucify them over while the apathetic majority stand idly by. The government can't always protect you from this kind of threat. Being a subject of controversy is not a protected class, your employer can fire you (in most states), people can refuse to do business with you, etc. etc. for no reason other than because they don't want to be involved. As we've seen with online witch hunts, people's lives can be ruined, or at least set back years or decades by controversy that stems from private information getting into the wrong hands.
Urban areas have privacy by blending into the crowd. Rural areas have privacy by density, there simply aren't enough people to observe everything. Technology is making both those obsolete.
> people's lives can be ruined, or at least set back years or decades by controversy that stems from private information getting into the wrong hands
Private information "getting into the wrong hands" often seems to be an issue of misplaced confidence in the confidentiality of that information. In an era where "surveillance is democratized," how we think about the existence of "private information" might radically change. In your example, the words, actions, and ideas that would have generated controversy might not have ever been spoken or acted upon in the first place, or there would be such an apparent abundance that the "controversy" wouldn't hold ground. More of a fringe position here, but maybe certain ideas and actions wouldn't even be conceived of in a post-privacy world, as the result of the loss of an expectation that those ideas or actions could be kept confidential.
It certainly feels like the cat's out of the bag when it comes to mass surveillance. Facial recognition, for example, isn't going away, and there doesn't seem to be enough political / institutional momentum to counter the value that is provided to organizations by the data that one might view as an invasion of privacy. There doesn't seem to be a meaningful debate about maintaining personal privacy, so maybe the discussion should be who has access to these tools, systems, and institutions moving forward.
Right now, it could be useful to see which Sheffield politicians have been travelling to their second homes (or elsewhere) during the lockdown, or going to the Peak District.
The former Chief Medical Officer of Scotland lost her job by visiting her second home during the lockdown.
Or just a public database where you can enter a license plate and get all trips. I don't think many people would be happy with this. That's illegal though, so nothing for white hats.
Is it a criminal offense to access an open website? If you had to use even a default password you could imagine it being improperly accessed, but if it's just open to the internet how is a criminal offence committed?
People have been tried and committed for crimes in court for this type of thing. It probably varies from country to country but there is definitely legal precedent that if you come across data that you know shouldn't be publicly accessible, you can't just pretend that it's okay to use it as if it was. Intent and common sense probably play into it.
I would link some sources because you shouldn't trust just my vague memory, but it's incredibly difficult to find the right Google search terms.
Note in the UK the CPS guidance which talks about "unauthorised access".
There has to be knowledge on the part of the offender that the access is unauthorised
So I guess it depends what the "offender" googled and what the link description said before they clicked it wrt open websites. And no doubt their explanation and demeanour when questioned etc.
> ... manipulating the URL, that presumably counts as a crime.
"Manipulating the URL" -- "?id=1", "?id=2", "?id=3", in effect -- was enough to get Andrew Auernheimer (a.k.a. "weev") convicted and sentenced to ~3.5 years in prison [0].
Yes, his conviction was later vacated -- albeit due to a "technicality" ("improper venue"). Regardless, he still spent more than two years locked up for what really does seem like some completely exaggerated bullshit!
> "... [the Third Circuit judges] were skeptical of the original conviction, noting that no circumvention of passwords had occurred and that only publicly accessible information was obtained."
---
(Note: I've never met the guy, nor would I ever want to. Everything I've heard and read indicates that he's a pretty shitty human being -- and I suspect that didn't help him very much at trial. He almost certainly was deserving of some "bad karma" but that's not for the "justice system" to dish out.)
TL;DR: If you're in the U.S., you might want to think long and hard before taking that chance!
I'm somewhat puzzled when this defense comes up, but I think it's worthwhile debating it. Does the condition of how you came upon the contents have any real bearing on the matter? I mean, nobody is really saying that accessing an open website itself is illegal. But it's not as if this circumstance will alleviate all future repercussions of your subsequent actions. I suspect I don't have to give analogies of what might be an inappropriate action - there are a number of things you could find on an open website that could be illegal to distribute.
I suspect a much more interesting argument exactly is the issue with having this particular data - what laws are being broken by redistributing it (I don't have the answer). But that was not the point that you raised, hence my reply.
I assume GDPR (and/or equivalent) is still law in the UK? If so, dealing with personal data (travel data + car registration should qualify) - without explicit consent is illegal, yes. Just storing the data would be illegal. (Getting consent, and then not storing it securely would also be an offense.)
As I understand it, under GDPR data controllers have a responsibility to take reasonable measures to secure the data. I believe failure to do so is a criminal offense.
License plates should be done away with. Replace them with RFID tags that log, and can alert the driver each time they're activated. Drivers could switch them off when they're at home or parked.
Anyone, not just the government, can operate an ALPR system and record this data for whatever purpose they wish.
It's still ultimately government fining itself. No point if it really is council run infrastructure. To punish them you need to vote out whoever commissioned this project (I realise that's unlikely to happen).
I'd be surprised though if it is really run by the council or just contracted out to some outsourcer. In which case they should be fined.
True, you can't directly identify the driver, but I would imagine the correlation between number plate and one or a very small number of individuals who have use of the vehicle is strong enough (in most cases) that it could be regarded as personal information.
You can once the inevitable database leak of driver information details leaks from the DVLA/insurance companies.
It might take a few years, but you can use this dataset in the future to understand who owned the vehicle at this time and reconstruct their movements.
Using collected information it's possible a computer can remember every journey you've ever taken; this car with this reg plate was here at this time at this place, and they did not have a valid tax/insurance at this time, or it could be useful during investigations.
There seems to be an assumption that this would come under GDPR, but that's not obvious to me (excluding the potential images of people).
Putting aside ethical concerns, would there be any legal ramifications for capturing the presence of a car at a certain location and sharing it? The licence plate identifies the car, not the driver. (Similar schemes are in place for boats and airplanes of course.)
The driver of a private motor vehicle is almost invariably the registered keeper. In most of the cases where it is not, it is a family member.
Are you implying that the slightest doubt about the identity of the driver means that it is perfectly alright to collect the data? Because if so that surely also applies to many other GDPR situations, where families share a single computer for instance.
I'm actually saying I don't know; where is the line? Licence plates seem like an interesting test case, given many registered keepers are companies (either company cars, work vehicles or hire cars).