New comments:

• ChadB (To provide more cont...)

About SDS

Secure Digital Solutions mission is to be the regional information security management leader for strategic and tactical security services.

Privacy Parking Tickets & Technology

Parking Tickets, Technology and the Driver Privacy Protection Act, 18 U.S.C. §2721 et seq. (“DPPA”)

If you have recently received a parking ticket, the kind where a peace officer, or other public safety official, electronically looks up your vehicle registration, pulls your driver’s license information, combines the two and then prints out all of the results neatly on a piece of paper, places it, unprotected on your windshield and then leaves. From a privacy and security perspective this seems problematic, but may be a good example of technology outpacing standards, the "what can we do?," outpacing the "how should we do it right?" It may also likely be a violation of DPPA, and, as least the goals promulgated when Congress passed it.

Not only does the parking ticket writing official query protected personal information (presumably wirelessly), information which is typically not releasable without explicit consent, but, then, they take the information, print it on a piece of thermal paper, and then place it on the windshield of your car for anyone in the public realm to see. Think of it as a calling card with all your personal information available for anyone with a curious mind.

Ask yourself if you would mind if the below information was queried, printed out and left at a coffee shop unprotected and open for anyone to see:

Complete drivers license number, full name (first name, middle name, last name), home address, date of birth, height, weight, eye color, gender, and your vehicle type, vehicle make, model, color and license plate information.

This type of thing is happening every day, and is likely the result of the fast pace of technology offerings and its adoptions not being properly used and/or configured for the best and most reasonable information. From a security perspective we would ask, inter alia, if the request is made securely, what type of encryption is being used, are the users of the machines tracked by their individual ID or is it a generic ID used by many, is each query tracked. Also, how are we to know if our information was reviewed or not when it is left on a public street? Finally, we would ask, is there a way to print off less information and still meet the need of the parking ticket intent?

The Driver Privacy Protection Act, 18 U.S.C. §2721 et seq. (“DPPA”) of 1993, upheld by the U.S. Supreme Court, and which appears to be even more relevant today given the rise of identity theft etc.., is supposed to protect the information identified above from being publicly available.

The lesson for companies is this, the next time you or your company is presented with great new uses of technology and information mining, database access etc..., a key first question must be, okay great, "how can we do this to help our business, and not cause our business undue problems with handling the data, and privacy or security or other compliance laws as they relate."


Joshua W. Carlson, Esq.

Mr. Carlson is a data security and data privacy attorney and advises companies on security, privacy and compliance in areas such as SOX, GLBA, FISMA, HIPAA, HITECH, PCI-DSS and other areas.

Added by jcarlson January 24, 2012 (2:40PM)

• RSS Articles
• RSS Comments
• RSS Comments for this article

Login