An iPhone app released a few days ago called “Find My Car” has just turned into a PR disaster for shopping centre operator Westfield. The idea seemed neat enough: download the app, and if you lose your car, just enter the number plate, which Westfield’s cameras had captured and indexed. Someone forgetting where they’d parked …
Dude! Where's my headlline?
Can't believe you passed up a headline opportunity like this.
An alien because they smoke too.
Dare I ask...
This was originally funded by a government agency, right? Soon to be spun into "just think of how easy it will be to catch the people who stole your car".
doesn't look like it
Doesn't look like it, no. They seem to be an Australian private company. http://www.parkassist.com/
Someone who knows a bit about programming and is a gadget geek wrote the code. Just enough knowledge to be dangerous, hmm like me really.
We need more people willing to just try stuff, especially with the potential of the cloud to shut out 'home grown' in favor of 'this is what you get' g??gle 'we own you' styles.
However whenever there is lots of personal private data involved, this is definitely not a place for the copy and paste hacker.
although i do copy paste code a bit *shameface* seeing some of the code people come up with i know that i should NEVER EVER EVER try and sell my services as a coder especially when it comes to private information.
Can we get alerts from this?
I hate having to refresh that app while I'm busy loading a shoppers older stuff into the back of the ute. I want it to tell me if I have time to look through the DVD collection for the good ones or if I should just grab them all and let the pawn shop sort them out. I hear technology is supposed to make my life easier but I'm not seeing a lot of apps for my profession.
/Mines the one with other peoples stuff in the pockets but it appears TheReg staff stole it off me.
Does it track the security vehicles?
Stop wining are start winning
So that's where you are...
All on CCTV
Continously recorded so that when you make a claim against them for damage done to your car while it was in their carpark, they can bring up the film of you driving it in, or smashing the windscreen.
I bet you didn't even know you could make claims like that? They pay, it's cheaper and avoids bad publicity.
They also record to keep a lid on car theft, but I understand that car theft is actually less of a problem than false claims.
You never had any privacy. Now you know.
In Central Scotland there are often "park here at your own risk" signs.
Theft or vehicle damage = not the store"s fault - they claim. In some cases you may be able to argue otherwise.
Where's my privacy?
So it's no longer safe to drive when visiting a Westfield shopping centre. I mean I'm *sure* they automatically delete all this information after a couple of days ... right?
Westfield probably *do* delete it after a few days.
But ACPO Ltd will probably have been granted a back door into the database "for the detection and prevention of crime". In that event, you can be *sure* that (1) they slurp up everything on the database every few hours, and (2) they *never ever* delete their copy.
Missed opportunity for making this a lot more secure
There are all the ingredients for setting up a two-factor authentication policy on this service:
1. They know your license plate, from when you stopped to take the parking ticket.
2. They could print a unique ID (in QR code or OCR code, and also in human readable) on the parking ticket, selected from a large enough space that it has reasonable unguessability.
They would have to keep the ID sequence secret, which is easy enough to do; keep an air gapped machine for spewing out IDs using a cryptographic random number generator, then take these key streams and print/prepare the cards in advance. The ID would also be on the magstripe (if it's printed on the card, might as well be encoded for easy machine reading), so that when you take the card, the ID can be associated with your license plate. There is no requirement for the cards to be sequential in the key sequence, just for the IDs to act like one-time passwords and not leak information about the IDs on other cards being issued to parkers.
3. The service could then require the ID from your parking ticket (point your iPhone at the QR code, not a big deal), *as well as* your license plate number, before it would tell you anything about where your car was.
With this change, the service becomes a two-factor system: authentication requires something you have (a one-time password), and something you know (your car's license plate number). It doesn't allow stalking (because the IDs are sufficiently unguessable that they act like OTPs), and doesn't facilitate theft: if you find a parking ticket you don't get directed towards a car that you could steal (because you don't know the car's license plate number).
A possible weak link: the people loading the cards into the parking gates could find out the sequences in advance by inspecting the decks of cards. If the printers in the parking gates are flexible enough to print the codes on the fly then that problem is removed.
I've seen several different sorts of ticket used. Some are meant to be displayed on the car's windscreen while it's parked, which would rather put the kybosh in this idea. It depends on the ticket being provided at an entry barrier. But there's no reason why the ticket can't have a clearly visible number. We seem happy enough to use a 4-digit PIN for payment cards, though this would clearly need a longer number.
I don't think ticket printing is the fundamental problem. It's whether the overall system can link a ticket to a vehicle. Most of the car parks I know would struggle to do that, because the driver has to park, and walk to a ticket machine to collect the ticket.
Those pay and display lots aren't really appropriate for this sort of scheme anyway. Most such lots I know are small enough that you shouldn't be misplacing your car in the first place. There are no barriers so all a would-be thief needs to do is pick a nice looking car, gain entry, get it to start, and drive it on out of there unimpeded. They don't need an app for that.
For parking garages with ticket dispensers and entry/exit barriers it would be a piece of cake for a *competent* development team to come up with something that works as intended AND is secure, as described by the post you replied to. Every large multi-level parking garage I've ever been in, both in the US and UK, works like this and those are the places where someone of sound mind could misplace an entire vehicle and spend a lot of time trying to find it on multiple levels.
It could even be extended to ensure that the vehicle exiting on a ticket is the same vehicle that entered on that ticket, so the tealeaf finding a dropped ticket can't just choose the nicest car in the garage and drive it out for the cost of a few hours' parking. The barrier won't open for them unless the car and ticket match. If the ticket doesn't obviously link to a specific car, good luck finding the right one on the first try.
With a properly designed system the only way a ticket could be linked to a vehicle by any outside observer would be if the driver dropped the ticket as they left their car, or left the ticket in the car where it could be found. That's not the parking lot operator's fault.
Note I stated "competent". Westfield's mistake was hiring incompetent developers.
Liverpool airport already prints an entry ticket based on your APNR. Im sure other airports do the same so the tech is already running. Downside is the slower entry and exit times whilst APNR catches up.
I have a foreign registered car and the system at Liverpool airport tried to make the characters fit a UK format plate. I wondered if they all did the same and whether the average speed ones actually take photos or only keep the plate on file. If it's the latter then there's a loophole for getting out of a fine.
>Those pay and display lots aren't really appropriate for this sort of scheme anyway.
Yup, for these you just need the ticket to say where it was brought from to guide you back close enough with no data on the car needed at all
Apple and Westfield. You have none.
Shouldn't somebody create an act of parliament to protect peoples' data? I could think of maybe eight principles which might apply. Keeping it secure for example.
Good idea - you could call it something like the 'Data Protection Act'
Fail, because that's what those responsible for enforcing the act do.
The location of your car is not personal data. Westfield hold no information that identifies a living person, which is the sine qua non of data protected by the Data Protection Act 1998.
Is this an issue?
Is this really an issue?
What am I missing?
The (UK) governments creeping national ANPR network worries me, as it gives the government the power to track us in a way that seems to have occurred without any parliamentary oversight. This is a serious and worrying issue, and systematic of the slow creeping erosion of the importance of privacy we had built up over many years of not having it so good.
However this just allows someone to see that I was in a public place at a particular time/date, something they could do by sitting outside the damn shopping centre.
So whilst embarrassing, and a bit of a PR nightmare is it really a serious issue?
This is the title
ANPR cameras catch people who are driving without insurance - the same people who are pushing up your car insurance premiums. They also catch those wanted by the police and those connected to illegal drugs.
Hell, if I had the programming skills I could write my own ANPR system - it's basically a system programmed to recognise number plates and then use optical characer recognition on anything it recognises as a number plate. I wouldn't be doing anything illegal either: you have no right to privacy in public places, and this includes photos of you and your number plate. Of course if I did write such a system you could potentially sue me, but I wouldn't have committed a criminal offence.
So someone driving a similar car to yours on cloned plates doesnt get you visited by the plod? Really? Care to explain that to my work colleague who has had congestion charge crap through the door AND a couple of visits from plod? A database is only as good as the information contained within and the data inputted.
And you would have an obligation as a number plate directly reflects back on the registered keeper. There is already case law compelling registered keepers to know who they have let use their car at certain times.
ANPR cameras don't catch anyone. They may provide evidence that could be used to catch crims, but in order to do that they have to track everyone, everywhere, just in case. Your argument that we have no right to privacy is spurious, for we do have such a right *regardless* of whatever legislation may or may ot exist. Such rights are innate, and are not removed by legislation, nor by the lack of legislation proclaiming them; they are merely held in abeyance by threat of force.
In this country we have a right to move freely and not be molested by agents of the king whilst acting lawfully, as *described* in Magna Carta and the parliamentary bill of rights. These documents describe a pre-existing condition of human existence, they do not create that condition, and this condition is that we have the right to move freely and go about our lawful business without the government watching our every move.
You are assuming that the government has the *right* to track our movements and that we have no "privacy". IT HAS NO SUCH RIGHT. It has no right to do anything to anyone acting in a lawful manner; it has no right to watch people who are actig in a lawful manner "just in case". It may not do so; it cannot do so, and to do so is unlawful.
The goverment exists at our leisure and only to serve our needs, not to watch our every move just in case we do something it has decided it doesn't like. It has no authority to grant or remove rights, nor any authority to declare it can begin tracking our movements just in case one of us turns out to be breaking the law.
When you accept the idea that the government is the sole source of "rights", you implicitely accept slavery. And when you accept the idea that the government can determine that you no longer may travel freely without constant monitoring, you're already too far gone to be considered free in any meaningful sense of the word.
What was that song with the line "You don't know what you've got 'till it's gone"?
Looks like ParkAssist have done the right thing..
The blogger has updated his post, looks like the company involved have dealt with this is in a laudibly frank and efficient way to try and sort it out.
So, if you are prone to losing your car and have an iPhone or whatever... why don't you just take a damned picture of where you parked the car to begin with?
Re: Is this an issue?
Not at all. No issue here. Run along.
<goes back to sitting in a cafe near Westfield noting the registrations of nice cars... ooops, there's an alert, one of those nice cars has just parked up... back in a min>
Thinking I'll have some fun...
... by swapping number plates around. Might be even more fun doing this between separate store locations.
Where is it?
I know where I put the car, just where did I put my iPhone? (crunching sounds in background)
I would have thought that an app for my in-car computer to find my i-phone would be of more use.
Is it legal for a private company to capture and store such data without the car owner's consent?
In the UK, yes it is. In a public place, there is no automatic right to "privacy". Anyone is entitled to take photos of you and indeed your registration number.
they still have obligations under data protection though.
Yes they can take a photo, I'm not looking at a privacy angle, can they store what is essentially personally identifiable data it in a database and use it commercially without consent?
Not as much as you think
Provided that they're not collecting information about you as an identifiable person, they're free and clear of the Data Protection Act
As long as they don't collect the registered keeper's info or anything like that, merely collecting number plates is legal.
They just need the website
We find any car,
we find any car, - Any, any, any, any....
any make, any model, any age, any price, from fifty quid to a hundred grand...
go nick your motor now at we find any car (dot com)
I've lost more iPhones than cars - Doesn't really help me
Pay per view
A much more low tech solution would be this: charge people a pound (as per text message charging) to see the result of the search. You'll then stop all the casual use of the service and would also make a bit of extra money for the car park - if you're daft enough to lose your car, spending a quid to find it isn't so bad.
Alternatively, for a free version, don't use the phone method at all. If it's a pay-to-exit system, modify the payment machine so that as soon as you've paid you can type in your reg number and the location (floor, bay number) is printed out. Again, no casual use - you have to have the ticket the barrier system gave to you as you came in.
If it's pay-and-display, type in your reg number as you're paying, and a second ticket is printed out which you keep in your wallet, with the location on it. Or the money-making method again: lost your car? Insert coin and we'll tell you where it is.
Basically, tying the system to the handing over of cash will probably drastically reduce abuse of the system.
ok , hit me with the Thumbs down
Once again , i cant see how this matters at the end of the day.
I mean, that data is also available to anyone who was standing outside the shopping centre all day.
So come on , someone give me clear cut example of how this is a disaster,
Paris , cos i'm obviously too stupid or niave
scrape the website for data on a car owner of your choice. You know that they go shopping and usually leave the house empty. Wait till car goes out to the shopping center then go on a burglary spree. Beats hanging around a posh pad and getting eyeballed.
Ex-violent partner gets call from a friend saying they've seen their ex-victim in shopping centre with new partner. Ex-violent partner goes round to shopping centre and lays in wait.
Not quite sure...
...how either of the above amounts to any special threat from the app.
If you're waiting for someone to leave home so you can ransack their place, watching the house is a better option because you'll know if there's anyone still there, and have more time to go about your nefarious deeds, since you won't have to wait for them to get to the shopping mall to head off.
If you're a violent ex, and a mate calls to say they've seen your ex at the shopping centre, then you can still go and lie in wait for them in the car park.
Really, the "private" information this contains is that a particular car was parked in a particular space in a particular carpark. It does not include information on the owner of the vehicle, the assumption seems to be that anyone wanting to use this for evil purposes already knows everything they need to know about the target, except where their car is.
So, yes, I see it as embarassing, but I don't really see how it's a actually a violation of privacy, anymore than letting people wander about the carpark is.
>this for evil purposes already knows everything they need to know about the target, except where their car is
Your ignorance is astounding.
Victims of abuse who come forward are often put in sheltered accomodation, the abuser will lose all contact with the abused. On the off chance of being seen in a shopping centre knowing the number plate of the abused party's car is enough in this case.
still not buying it
sorry Chris, not buyin it, agree with faceless man
my ex's abusive ex had no problem working out where i lived , by recognising her car, without the help of a shopping centre ANPR cam.
Also your your theory depends on the villian getting a call from the henchman informing him target is shopping - so what difference does it make where the car is?
Or if it does make a difference he could use the time honoured tradition of wondering round the car park looking for it, like the rest of us .
I suppose the need for this app is that the car park is huge. The abuser could use the time honoured method of using their eyes but it sure as hell makes things a lot simpler to just tap in a number plate from the comfort of wherever you happen to be and instantly know that the car is still in the car park saving a wasted journey and time looking for it.
As for depending on the villain getting a call from a chance encounter, yes it does, that's the way things usually work, by chance. If it was the abuser who by chance crossed the path of the victim then the app would help them locate the car so they could do whatever they may want to do more privately.
My new numberplate "RV56 A' ;-- drop table numberplates"
- Hi-torque tank engines: EXTREME car hacking with The Register
- Review What's MISSING on Amazon Fire Phone... and why it WON'T set the world alight
- Product round-up Trousers down for six of the best affordable Androids
- Antique Code Show World of Warcraft then and now: From Orcs and Humans to Warlords of Draenor
- Why did it take antivirus giants YEARS to drill into super-scary Regin? Symantec responds...