Page One
Berkeley's New Smart Boot System: The Potential for Abuse (News Analysis)
[Editor's Note: This is the second of two articles. Yesterday's article described in greater detail how Berkeley's new SmartBoot system, to be implemented on October 18, will work.]
Under the recently announced SmartBoot program, the Berkeley Police Department will drive a "boot van" around town. Equipped with cameras, computers, and a network connection, this van will automatically detect parked cars from the scofflaw list - those with too many overdue parking tickets. When the van spots a scofflaw it stops and a parking enforcement officer boots the car with a SmartBoot. Violators can remove the boot themselves once they have paid their fees and past-due fines over the phone with a credit card.
How does the system work?
The City and PayLock LLC
The SmartBoot system arises from a contract between the City of Berkeley and PayLock LLC, a New Jersey-based corporation. PayLock operates a 24-hour help line for people who have been booted. PayLock provides the city with the boot van equipment, SmartBoots, and various web-based IT services. PayLock also provides training, integration assistance, and, it would seem, PR help.
Propagating the Scofflaw List
Matt Silverman, Executive Vice President of PayLock Inc. walked us through the process:
Each night the BPD's information systems generate a "scofflaw list" of wanted vehicles for the next day. The list includes license plate numbers and the amount owed on each. The list is saved as a simple file.
BPD's systems then copy the scofflaw list to PayLock's servers. "It's just an FTP thing," quipped Silverman.
Once on PayLock's servers, the data is available to the 24-hour help line for people whose cars have been booted.
PayLock also remotely copies the data to the Berkeley boot van's computer, preparing it for the next day's rounds.
Scanning Cars
According to PayLock literature, the boot van should be able to cruise down most Berkeley streets at the speed limit, scanning license plates as it goes.
On the computer in the van, each plate read is compared to the previously downloaded scofflaw list. When a match is found, the enforcement officer is alerted.
The enforcement officer can then use the van's computer and network connection to contact PayLock's web servers and double-check that the scofflaw listing is current. The van's copy of the list is a snapshot from the night before, so this live check is what stands between a paid-up driver and a wrongful boot: if a scofflaw has paid and the payment has been processed by the time the vehicle is spotted, the vehicle will have been removed from PayLock's copy of the scofflaw list and the boot is avoided, even though the vehicle is still found on the boot van's copy.
If the scofflaw listing is current, the enforcing officer can boot the offending vehicle.
When a vehicle is booted, the computer in the boot van notifies the PayLock servers of the relevant details. These are recorded in PayLock's databases. The secret unlock code is recorded at PayLock for that vehicle.
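To make the data path concrete, here is a small model of the lookup described above: the nightly file, the van's stale local copy, the plate match, the live re-check against PayLock's copy, and the boot record with its unlock code. This is an added illustration written for this article, not PayLock's software; the file layout (plate, state, amount owed), the plate normalization, the six-digit unlock code, and all plate numbers and amounts are constructed assumptions.

```python
"""Model of the SmartBoot lookup path (added illustration, not PayLock's code).

Flow: nightly export -> van copy -> plate read matched locally -> live check
against the server copy -> boot recorded with a secret unlock code.
Assumptions: CSV export with columns plate,state,amount_owed; plates keyed as
STATE:PLATE; unlock code is six random decimal digits. All data is constructed.
"""
import csv
import io
import secrets
from dataclasses import dataclass, field

# Constructed stand-in for the city's nightly scofflaw export.
NIGHTLY_EXPORT = """plate,state,amount_owed
7ABC123,CA,640.00
5XYZ987,CA,215.50
2KLM456,CA,1280.00
"""


def normalize_plate(plate: str, state: str = "CA") -> str:
    """Upper-case and drop spaces/dashes so reader output and the list compare equal."""
    cleaned = "".join(ch for ch in plate.upper() if ch.isalnum())
    return f"{state.upper()}:{cleaned}"


def parse_scofflaw_list(text: str) -> dict[str, float]:
    """Parse the nightly file into {normalized plate: amount owed}."""
    rows = csv.DictReader(io.StringIO(text))
    return {normalize_plate(r["plate"], r["state"]): float(r["amount_owed"]) for r in rows}


@dataclass
class PayLockServer:
    """Stand-in for the authoritative copy: payments are removed here first."""
    current: dict[str, float]
    boots: dict[str, dict] = field(default_factory=dict)

    def record_payment(self, plate: str) -> None:
        self.current.pop(plate, None)

    def is_current(self, plate: str) -> bool:
        return plate in self.current

    def record_boot(self, plate: str, boot_serial: str) -> str:
        """Store the boot event and generate the secret unlock code (assumed 6 digits)."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.boots[plate] = {"boot": boot_serial, "unlock_code": code}
        return code


@dataclass
class BootVan:
    local_list: dict[str, float]   # the copy downloaded before the day's rounds
    server: PayLockServer

    def scan(self, plate_read: str, state: str = "CA") -> str:
        """Decide what the officer should do for one plate read by the cameras."""
        plate = normalize_plate(plate_read, state)
        if plate not in self.local_list:
            return "no match"
        # The local list is last night's snapshot; only the server knows about
        # payments processed since then, so re-check before booting.
        if not self.server.is_current(plate):
            return "paid since export; do not boot"
        return "boot"


if __name__ == "__main__":
    scofflaws = parse_scofflaw_list(NIGHTLY_EXPORT)
    server = PayLockServer(current=dict(scofflaws))     # separate copies: the
    van = BootVan(local_list=dict(scofflaws), server=server)  # van's goes stale
    server.record_payment("CA:5XYZ987")                 # paid during the day
    for read in ("7abc 123", "5XYZ987", "9QQQ000"):
        print(read, "->", van.scan(read))
    print("unlock code for CA:7ABC123:", server.record_boot("CA:7ABC123", "SB-0042"))
```

The two dict copies in the demo are deliberate: they reproduce the situation the article describes, where a plate still on the van's list has already been cleared on PayLock's servers, and `scan` only returns "boot" when both copies agree.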
Paying Up
Violators who choose to pay by phone call PayLock's customer service line which is available at all hours, every day. Upon payment of fines, a $140 booting fee, and a $500 deposit, PayLock will give the violator the secret code to unlock the boot.
PayLock's servers in turn notify the City's systems of the payment.
The Lifecycle of SmartBoots
PayLock maintains the pool of available boots. It issues boots to the city in anticipation of estimated demand (number of scofflaws likely to be caught). Boots are returned to a PayLock-affiliated return center.
Data Retention Policy
Scofflaw data on PayLock servers is preserved for a time. The exact length of time is, Silverman says, up to the City.
Other PayLock Services
Berkeley is not, at this time, adopting some of PayLock's other services that use much of the same equipment: digital chalking and permitting. These are what they sound like: using the cameras, computers, and license plate recognition (plus, optionally, RFID reading) so that vans can recognize cars permitted to park in certain areas and cars that are over-parked in time-limited zones. In addition to being used for booting, the boot van is capable (if the city begins using these services) of helping make ordinary ticketing more efficient.
"Off Label" Law Enforcement Uses
We asked Silverman if the system could be used for other aspects of law enforcement. For example, could it be used to spot stolen vehicles? Could it be used to search for the vehicle of a wanted criminal? Silverman suggested Amber Alerts as an example of a case where the boot van could be used in the urgent search for a wanted vehicle.
If the police department wants to, Silverman informed us, additional licenses can be added to the search list, by hand, on the boot van computer. The officer in the van need only type in the additional license numbers.
We asked BPD Chief Michael K. Meehan about such other uses. He reports that BPD "has no immediate plans" to use the system for anything other than parking scofflaws.
We asked Meehan if expanding the uses of the system was in the cards. He says that there are "no immediate plans" to do so.
We asked if the police department would require additional authorization from the city before using the system for anything other than scofflaw enforcement. Chief Meehan wasn't certain.
Some Risks
At first glance it may seem that there could be no new risks created by the use of this system. After all, ever since license plates were first introduced more than a century ago, police have had the legitimate right to search the streets for a sought-after car. Proponents say that the new system makes that traditional search more efficient.
Nevertheless, the boot van and SmartBoot program represent a sweeping change in how these searches are done. New risks result, which we consider below.
Risk Factors of the PayLock Corporate Form
PayLock LLC is a privately held, New Jersey-based corporation. This does not in and of itself create new risks, but it enhances risks that arise from other causes.
Because PayLock is a privately held corporation, its financial reporting requirements are significantly lighter than those of a publicly traded firm, and lighter than those of a government agency. PayLock's services assume some police and municipal functions, but with less financial accountability than if these functions remained with the city.
Because PayLock is a privately held corporation in an out-of-state jurisdiction, it is far less subject to operational oversight and review than any government agency. For example, the city's internal handling of scofflaw records can be scrutinized through a variety of governmental audit mechanisms, none of which apply to PayLock's handling of these same records. The city and PayLock agree upon rules for handling these records, but the opportunities to verify that the rules are being followed are diminished by PayLock's corporate form.
The Risk of Vendor Lock-in
The services provided by PayLock are not a commodity. If the city wished to continue to operate a boot van and use smart boots, but to switch from PayLock to another vendor or to internally provided services, it would have a hard time.
At the same time, the city accumulates a sunk investment cost in staff training time and entrenchment of new parking enforcement practices. Even to revert back to a tow-only system of parking enforcement would cost the city.
PayLock may therefore enjoy pricing power that works against the interests of Berkeley residents and the city government. For example, if they later demand that the booting fee be raised from $140 to some higher amount, the City may have little realistic choice but to assent.
The Risk of Diminishing Returns and the Pressure to Expand Uses
At the press conference where PayLock was introduced, we overheard City Council Member Capitelli ask Silverman whether diminishing returns on scofflaw enforcement ought to be expected. For example, in an initial sweep many long-standing scofflaws could be caught, bringing a lot of money to the city and to PayLock. Will that initially high level of revenue keep up? Or will it trail off as fewer people become scofflaws?
Silverman said that in other cities such as Oakland they've seen a high initial spike in scofflaw enforcement, which then settles down to a slightly smaller but roughly stable level of revenue.
We conclude that because PayLock is a for profit company, there is some risk that Berkeley will be encouraged or pressured to expand the uses of the PayLock technology in order to justify PayLock's continued presence. For example, as the police department becomes comfortable with the technology, perhaps there will be pressure to add more equipped enforcement vehicles and use the system for digital permitting and chalking.
Such expansion would multiply other risk factors. For example, it would expand PayLock's assumption of police and city functions. Adoption of uses like digital permitting and chalking would strengthen PayLock's pricing power over service fees.
The Risk of Data Escape
Can the City of Berkeley's scofflaw records and other data be stolen from PayLock by third party criminals?
Silverman pointed out that PayLock takes data security seriously, for example by storing data in an encrypted form. (A data thief would need not only the encrypted files, but also a stolen encryption key or some other means of decrypting them.) Unfortunately, there was not time for us to explore PayLock's data security measures in detail.
Data security systems are notoriously difficult to implement well. It is common for systems that superficially appear quite secure to in fact contain design gaffes that leave them wide open to data theft. Encryption of stored files, in particular, protects against theft of the storage media; it does not by itself protect against an intruder who compromises a running server that holds the key, or against an insider who already has legitimate access to the decrypted records. PayLock's data storage creates a data theft risk that is difficult, at best, to assess other than to make the general observation that truly secure systems are the exception, not the rule.
This in and of itself would be nothing new: Berkeley's own IT systems are also a potential target for data thieves.
Yet the use of PayLock does heighten the risk in this sense: PayLock's servers contain data not only for Berkeley, but for all municipalities with which PayLock does business. A data thief stealing scofflaw data from Berkeley's own systems gets only Berkeley data, but a thief stealing from PayLock gets a much larger prize. In general, the more valuable the data held in one place, the more effort thieves are willing to spend to get it.
The Risk of Weak Employee Accountability
When a violator calls PayLock's 24/7 help line, Silverman says, the operators have very limited information from the scofflaw list. Help line operators have the violator's license number and amount owed, but are not provided the car owner's name, address, and so forth.
Nevertheless, violators must provide operators with a name and credit card number.
Public record searches can usually, given a license plate number, identify the car's owner, address and so forth. In combination with credit card information, this is enough for acts of identity theft.
There is of course no reason to assume that PayLock's help line operators are more likely than anyone else to commit identity theft, nor that PayLock's internal operations would make this easy. Unfortunately, though, the stakes are high because of the large volume of calls PayLock processes for all the municipalities it serves.
PayLock's corporate form (see above) compounds the problem because it diminishes the potential for oversight and auditing of the formerly governmental function of payment collection.
The Risk of Internal Misuses
Because of PayLock's corporate form, the potential for unchecked or even unnoticed misuse of city data internally to PayLock is greater than if the city performed these functions internally.
It is our impression, in part from speaking with Silverman, that PayLock takes its responsibilities quite seriously. We doubt that they are likely anytime soon to do anything quite this nefarious, but here is an example of what could go wrong, and of how PayLock's corporate form would make it hard to detect. We emphasize again that we do not believe PayLock is currently inclined to come close to a misuse like this:
Suppose that in some of PayLock's client cities, politicians are running for office who oppose the use of PayLock's services. PayLock could perform wholesale searches to find discrediting information against those politicians ("that woman never pays her parking tickets", "that guy parks in front of a brothel a lot") more cheaply and easily than by conventional and sanctioned means of searching. Having easily found a target to discredit, an evil version of PayLock could then obtain the same information by overt means (for plausible deniability) and leak it to the press without exposing the underlying abuse of police data.
The Risk of Police Corruption
This risk is inherent to any boot van system, regardless of whether it is operated by PayLock or internally by the city.
The system is flexible enough to allow searches for vehicles other than scofflaw vehicles. As Silverman explained, additional licenses to search for can be entered into the computer on the van.
Without strict and proactive auditing, this creates a potential for abuse if enforcement officers search for particular licenses for purposes other than law enforcement.
We, of course, have great faith in our sworn officers, and yet even Berkeley has seen its share of police corruption, such as thefts from evidence rooms. How would corrupt license searches work?
As one example, a private detective might be seeking evidence of an adulterous affair for use in a divorce proceeding. By covertly partnering with enforcement officers, the detective could have help locating the target's vehicle. If it is found in a surprising location the information can be passed to the detective (in exchange for money) who can then "find" the car independently and use the evidence without exposing the misuse of the boot van.
Strict auditing of boot van use - assuming that PayLock's software enables it - can help prevent such problems, but it requires concentrated effort to implement and sustain. To be worth anything, such an audit trail has to record every plate entered by hand, who entered it and on what authority, and it has to be kept in a form that the people in the van cannot quietly edit after the fact. This problem is intrinsic to any mobile license plate recognition system that can be field-programmed to search for arbitrary vehicles.
The Risk of Population Tracking
The system being deployed in Berkeley does not, as configured, record and report back a list of all parked cars scanned, where, and when - it focuses only on the vehicles targeted in the Scofflaw list.
Silverman confirmed, however, that the system is capable of recording all parked vehicles - a record that can be used to track the movements of innocent drivers as well as guilty.
That "track everyone" capability is gaining popularity with law enforcement. Industry standards have arisen to collect that information into searchable databases, allowing police to search "backwards in time" for the whereabouts of anyone they like. Because the data is collected without the need for a warrant, as things stand, it can be retained and searched without a warrant and with few meaningful restrictions on the purpose of the search.
The Berkeley Police Department has no plans to perform this kind of surveillance and we suspect would be reluctant to rush into such a program. Nevertheless, times change. Little appears to stand in their way of eventually performing that kind of surveillance with no need for additional authorization from the city and no additional oversight.
Generalized population tracking, if it were to begin, would heighten the risks of corrupt abuse of the system. Additionally, it would greatly challenge the balance of police powers vs. civil liberties.
The Risk of "Wholesale" Surveillance
Police have always had the right to examine the license plate of a parked car and compare it to a list of wanted vehicles - or to look up information about any vehicle for legitimate police purposes. In that sense, the PayLock system is nothing new.
What has changed is that such searches are now quantitatively so much more efficient, that there is a qualitative change in the civic order.
The term "wholesale surveillance" to describe this kind of qualitative shift was coined by security expert Bruce Schneier who wrote in the San Francisco Chronicle and on his blog:
"On the face of it, this is nothing new. The police have always been able to run a license plate check. The difference is they would do it manually, and that limited its use. It simply wasn't feasible for the police to run the plates of every car in a parking garage, or every car that passed through an intersection. What is different isn't the police tactic, but the efficiency of the process.
"Technology is fundamentally changing the nature of surveillance. Years ago, surveillance meant trench-coated detectives following people down streets. It was laborious and expensive, and was only used when there was reasonable suspicion of a crime. Modern surveillance is the police officer with a license-plate scanner, or even a remote license-plate scanner mounted on a traffic light and a police officer sitting at a computer in the police station. It's the same, but it's completely different.
"It's wholesale surveillance.
"And it disrupts the balance between the powers of the police and the rights of the people."
Schneier later adds:
"Like the license-plate scanners, the electronic footprints we leave everywhere can be automatically correlated with databases. The data can be stored forever, allowing police to conduct surveillance backward in time.
"The effect of wholesale surveillance on privacy and civil liberties is profound; but unfortunately, the debate often gets mischaracterized as a question about how much privacy we need to give up in order to be secure. This is wrong.
"It's obvious that we are all safer when the police can use all techniques at their disposal. What we need are corresponding mechanisms to prevent abuse, and that don't place an unreasonable burden on the innocent."
This is awkward for a city like Berkeley. The adoption of PayLock by Berkeley is motivated by the goals of increasing city revenue by collecting on overdue tickets, while reducing enforcement costs and (purportedly) improving customer service. A resource-strapped city like Berkeley, pursuing such goals, is unlikely to invest adequately in new regulations and mechanisms to prevent abuse.
The wholesale surveillance aspect of the system makes it a bit like a very dangerous power tool. We hope that the people using the tool (the police and PayLock) will be careful and responsible, but for a tool of such unprecedented power there are precious few substantial protections from abuse.
The Risk of Federalizing Municipal Police
In the years that have followed the attack on the World Trade Center, federal law enforcement and intelligence agencies have been building intelligence information systems. These are used to share massive surveillance databases among agencies. These systems include information sharing partnerships with states and municipalities.
On the one hand, this is understandable and hopefully helpful. The nature of threats to public safety has changed dramatically. Centralized intelligence gathering has reportedly been helpful in detecting and thwarting terrorist efforts in their planning stages, before attacks can be carried out.
On the other hand, this new mode of federalized surveillance of the general population is rife with potential for abuse yet is being carried out far away from meaningful oversight and accountability to the general public.
As the ties and information sharing between municipalities like Berkeley and the Department of Homeland Security grow, there are few if any barriers to prevent license plate recognition technology from being used to conduct wholesale surveillance of the general population, forwarding the information to federal databases.
The Risk of Third Party Surveillance
Regardless of what actions are taken by PayLock, Berkeley, or the federal government, the risk of wholesale surveillance by third parties is also growing.
PayLock's system of license plate recognition is polished and conveniently packaged, but the underlying technology is widely available. A determined private party could covertly equip any vehicle with discreet cameras and computers, drive around, and track vehicles. Even if Berkeley had not decided to use PayLock's systems at all, this risk would be present.
Is the Sky Falling? What Can be Done?
The sky is not (yet) falling. We have no reason to believe that, beginning October 18th, the newly deployed PayLock system will be abused. It seems far from likely.
Nevertheless, in light of the risk factors considered above, it is hard to see how use of the technology in Berkeley will not expand, over time, putting us on a slippery slope to abuse and unchecked enhancement of policing powers at the cost of civil liberties. The risks should be taken quite seriously. Sadly, confronting these risks aggressively is likely to be expensive and politically difficult.
Some suggestions for Berkeley:
Berkeley's use of the PayLock system should be reviewed frequently, perhaps each six months. Reviews must not be limited to the system's impact on the city's bottom line nor to the purported customer service benefits. Reviews should look for positive proof that the system has not been abused in the field. Reviews should seek a definitive assessment of how data is being shared and used. Reviews should examine the data retention policies and their implications.
For fiduciary as well as civil rights reasons, Berkeley should begin to explore the alternative of operating its intelligence gathering systems purely internally, without the need for a third-party, out-of-state corporation. That is, priority should be given to restoring to the city those police and bureaucratic functions which PayLock assumes. As the underlying technology becomes less expensive and more mature, this option should become easier for the city.
The city should implement new systems of regulation and oversight for this and similar forms of surveillance. The police department should not be able to expand use of the system without prior approval from city council after public disclosure and hearings.
The city, the police (and others) should respect the intelligence of the residents and engage in a public education effort to inform Berkeley residents of the detailed operations of the system, its risks, its implications, and what steps are being taken to mitigate the risks. The people of Berkeley should be full partners in deciding whether and how to continue using this technology. Glossy sales pitches about improvements to "customer service" and the city's bottom line gloss over what is at stake in a condescending, unhelpful way.
Meanwhile: Happy motoring and watch where you park.