Located on the southeast coast of North Carolina, Wilmington is far from a booming metropolis, with just under 100,000 residents estimated in 2007.  Along with the nearby Wrightsville Beach, the cities want to record license plate numbers for every vehicle that crosses the bridge between the two communities as well as a couple other locations within the area.  The tag details would be compared against the FBI’s National Crime Information Center database.

“A lot of people might say it’s Big Brother at work,” said John Carey, Chief of Police in Wrightsville Beach.  ”There is no expectation of privacy to a license plate number,” as it is essentially a vehicular public record.

Chief Carey suggests the information in the NCIC is there for a reason, and this type of check won’t matter to most citizens.  What Carey doesn’t keep up with surrounds the NCIC database and accuracy reviews.  The NC Police expect to take the database contents as gospel.  Originally, the NCIC was only intended for major criminal offender information.  That was expanded in the late 90′s to include civil cases such as stalking or domestic abuse.  After 9/11, immigration and terrorist data began infiltrating the NCIC.  As the database’s scope expands, so to has the outcry.  Peace Activists found their way into the NCIC.  The New York Immigration Coalition appealed to the local city government to change their arrest policies. the Electronic Privacy Information Center has an online petition drive to allow NCIC citizen redress.  As databases age, they must be deconflicted and purged lest they lose their efficiency.

The most interesting point from a privacy rights standpoint is the persistence of the effort.  The cities expect to maintain the license tag information collected for about a year.  They do not say how frequently they will review the data or how often it will be compared against the NCIC.  From a general privacy policy standpoint, the Wrightsville and Willmington Police Departments are collecting information without specific knowledge of how they plan on using it, how often it will be accessed, or how long they will maintain the records.  It is unknown if they will have access policies or regulations/audits of how the information will actually be used.  These are all points a bank would have to address with their customers prior to embarking on a program with a third party marketing company.

“It’s not a legitimate use of this technology to be storing information on innocent citizens on the off chance that someday law enforcement might want to track this person down for some reason,” said Jennifer Rudinger, executive director of the American Civil Liberties Union of North Carolina.  “This is another example of how technology is getting ahead of our laws.”

Above all else, this is a very slippery slope.  What starts as an automated plate check for criminals could easily become detectives checking a suspects alibi on an open case, Private Investigator access for a divorce proceeding, or even noticing the mayor’s car has an extra passenger and blackmail or other corruption.  The New York City Police Department had problems with their NCIC access – what’s to stop local NC police officers from poking around?

Sergeant Haytham Khalil obtained records for an acquaintance embroiled in a custody dispute. He was charged with a misdemeanor of “accessing a computer and as a result exceeding his authority by obtaining information belonging to a department and agency of the United States.” Sentencing, scheduled for April 14th, could result in a $100,000 fine and one year of supervised probation.

Sergeant Khalil used another officer’s account credentials who did have appropriate access privileges. The fellow officer left the credentials available for any of his co-workers to access the National Crime Information Center database when he wasn’t around. Obviously, there was a violation of the researched individual’s privacy.

The biggest problem with this scenario isn’t the Sergeant,although his actions were well outside of the code of conduct by reviewing the records. No, the biggest problem is the fellow officer’s equivalent of taping his password to the monitor, and the expectation of the co-workers within the department that the sharing of credentials should be normal operating procedure.  This type of user name/password sharing essentially amounts to a Role Based Access Control (RBAC):  every user that needs access to the system uses the same information.  Any time a system utilizes RBAC, administrators lose a great deal of accountability. Was it officer A or B, or the guy who we promoted six months ago, or fired a year ago? Hopefully you see the problem.

By assigning specific rights to individual users, and limiting the overlap and assignment of those rights (resulting in essentially two person controls), the system may not be gamed. Individual users are then responsible for their actions. There is no finger pointing, reviewing the video tapes, etc. Policy should then dictate disciplinary action or even dismissal for sharing credentials. One step further is some sort of biometric access control, which should be easier for the end user’s compliance. Further still RFID badges, where you may either log in or leave the building. These measures don’t completely eliminate a user’s logging in, then letting someone else sit at the controls, but it certainly increases the complexity.