Los Angeles Police Department Kept User ID and Password to “Big Data Policing” Software on Office Whiteboard, Incidentally Broadcast to CNN Viewers During Interview
It is no secret that the Los Angeles Police Department (“LAPD”) equips its patrol cars with automatic license plate readers (ALPRs) that use GPS to record the locations of people as they drive through the city. It is also no secret that the LAPD conducts this surveillance regardless of whether a given driver is suspected of a crime. “Anybody who is a vehicle owner in a public place and has passed a license plate reader will be in our dataset,” said LAPD Captain II John Romero during an April 21, 2014, interview later televised on CNN. What is yet to be revealed, however, is the LAPD’s careless security practices when it comes to protecting the data it collects on the public. This data includes the GPS coordinates of vehicles photographed by the LAPD’s automatic license plate readers.
Captain Romero gave his televised CNN interview from within the LAPD’s Real Time Analysis and Critical Response Division (“RACR”), the office responsible for conducting LA’s “big data policing.” The backdrop for the interview was an LAPD whiteboard scrawled across with information that could be useful to a hacker seeking to hijack license plate reader data and other data from the LAPD. A cropped screenshot of the whiteboard is depicted above. A full-size screenshot is available here. The original video can be viewed on CNN’s website. A fair use video clip of the whiteboard can be viewed here. Most significant, the whiteboard shows the user ID “training” and the password “camsstudent” which correspond to a “lans computer login” (LAN is an acronym for Local Area Network). The whiteboard also shows an LAPD folder path for “camsdesktop” data. More about CAMS Desktop below.
Among other datamining, statistical analyses, and mapping software, the LAPD’s RACR division uses Palantir, “[a] powerful application that can claim the CIA as an early investor.” The CNN video shows LAPD Sergeant Jason O’Brien using Palantir to search for data on a burglary suspect. “After searching over a hundred million datapoints, Palantir displayed an impressive web of information,” said CNN reporter Rachel Crane. Palantir’s interface resembles a web search engine with datasets labeled People, Vehicles, Locations, Crime, Arrests, FIs (Field Interview Reports), Citations, Bulletins, Tips, and Everything (view screenshot). The video also shows Sergeant O’Brien accessing the LAPD’s automatic license plate reader database to map the past locations of the burglary suspect, which go back as far as March 2011. Because it collects location data on all LA drivers, the LAPD also has the ability to use its software to map out the locations of people who are not suspected of committing crimes.
The text of the leaked user ID and password (i.e., “training” and “camsstudent”) suggests that they allow access to a training program for the LAPD’s Computer Analysis Mapping System (“CAMS”). The “.../esri/camsdesktop/data” folder likely relates to the LAPD’s CAMS Desktop applications developed by ESRI, a “supplier of Geographic Information System software, web GIS and geodatabase management applications.” According to an ESRI press release dated October 2, 2006, “[t]he [CAMS] intranet application is accessible from any of more than 6,300 department-wide computers. Users can view maps, query information, conduct easy-to-use analysis, and generate reports. Information including crime incidents, crime and arrest locations, recovered vehicles, citations, traffic accidents, calls for service, and more will be made available.”
It is unknown whether the LAPD configures its network to permit access to the training login over the internet. The local area network where the training environment resides would need to be linked to the internet in some way. Failing a deliberate link, any LAPD workstation computer having both internet access and LAN access could potentially establish a link. Using email, a website, or some other internet based avenue of attack, a hacker could gain remote access to an LAPD workstation computer and use it as a proxy to access the LAN hosting the CAMS training environment. Because the hacker would have access to the LAPD workstation computer over the internet, he/she would also have access to the LAN over the internet.
Even if additional steps are needed to complete an internet based attack, information on the whiteboard certainly peals back one layer of security blocking the way to private data. Above all else, the LAPD keeping a password—any password—on an office whiteboard in plain sight is deeply troubling. Haphazardly allowing CNN to film the password for a national news broadcast is more troubling still. Captain Romero told CNN that the LAPD “cannot just go searching for you or anyone else without a reason because we have a lot of data for people who have done nothing.” But the whiteboard depicted in the CNN video casts doubt upon the LAPD’s ability to keep its data private. This data includes the ever growing database of GPS coordinates corresponding to the tens of thousands of innocent LA drivers who pass by LAPD license plate readers each day.
Freedom Du Jour worked with the American Civil Liberties Union (“ACLU”) of Southern California to have the LAPD notified of its password leak. In response, the LAPD changed the login and assured the ACLU that it will be educating all LAPD employees with regard to cybersecurity.
This is not the first time the LAPD has exhibited lax password security. In response to California Public Records Act requests sent by the Electronic Frontier Foundation (“EFF”) and the ACLU of Southern California, the LAPD provided two documents containing login instructions for its automatic license plate reader terminals installed in patrol cars. The first document instructs officers to enter a user ID of “LAPD” and a blank password. The second document, dated two years later, instructs officers to enter “LAPD” in both the user ID and password fields. By means of this document disclosure, not only did the LAPD disclose login information, it also revealed a pattern of choosing weak passwords.