this post was submitted on 04 Mar 2025
32 points (100.0% liked)


TL;DR: I'm writing a program that could be used by a malicious user to track people. Do I license it under GPLv3 to guarantee user freedom, or do I use a more restrictive license to prevent abuse?

Introduction

Hello! I'm a software developer with quite a bit of experience in automotive electronics, and I've run into a bit of an ethical dilemma, and I'd like to get some input from people who care about the same issues I do.

ALPR

If you already know what ALPR is, you can skip to the next section.

As a brief background for those who aren't familiar, automated license plate recognition (ALPR) is a rapidly growing technology that detects, records, and logs license plates, typically on public roads. This technology is almost always pushed as a safety measure to protect the populations under surveillance. The argument generally goes that people should be willing to give up some privacy if it means helping police identify stolen vehicles, AMBER alerts, and more. If you're a member of this Lemmy community, I don't think I need to explain why I think this is a terrible idea.

V0LT Predator

Predator is my attempt to take on this industry with a highly private alternative to traditional ALPR. In short, Predator is completely open source, runs entirely locally (with no telemetry/data mining), and uses independent hot-lists to decide what plates to alert to. The idea is that instead of a government agency setting up thousands of cameras to track hundreds of thousands of vehicles, individual users can set up cameras in their own vehicles, and help track down relevant vehicles (like AMBER alerts with associated license plates) independently. I figure this bottom-up approach can reduce the severity of mass surveillance and data centralization without entirely giving up the advantages of ALPR.

The danger with ALPR is when someone has access to so much centralized data that they can form a map of everywhere a specific vehicle has been. This is not something that's realistically possible on the scale of an individual user operating independently.

I realize many people will probably be entirely opposed to the idea of building an ALPR platform in the first place, but I hope you can understand my motivation.

Growth

Predator started as a brief personal challenge, but rapidly turned into one of my most advanced products. As far as I can tell, it is currently the only active open source ALPR ecosystem, and is the most popular alternative to SaaS ALPR platforms like Rekor and Flock Safety.

The issue is that this growth came with surging demand for many of the features supported by traditional ALPR services. I've had to walk a very fine line with making Predator valuable enough as a product to replace traditional mass-surveillance without turning it into a mass-surveillance product in itself. My decision making when considering new features has primarily been based on these two features:

  1. Is this feature useful to individual private users? (people with Predator dash-cams, home security systems, etc)
  2. Would this feature make it easier for a state agency or company to conduct mass surveillance?

As I'm sure you can imagine, this is an extremely gray area, but I think I've managed to walk the line pretty effectively so far.

The Problem

That leads us to the latest problem. There's been a lot of interest in some kind of product to organize and centralize license plate data collected by individual Predator instances. For example, a university police department running parking enforcement might want to identify plates that haven't purchased a parking pass. I think this use-case is fair, since all vehicles being monitored implicitly consent by purchasing a pass, and vehicles are not followed off-campus. That being said, this is one of those products I've been hesitant to add, since it would absolutely make it possible to use Predator as a mass surveillance tool.

The other day, I started developing a system like this internally, and it was a bit terrifying how effectively it worked. With an $80 off-the-shelf camera system, I was able to track dozens of vehicles after driving around for ~15 minutes.

The Dilemma

Here's the dilemma. If I hosted this service as an online-only product (which is the current plan), I could pretty effectively prevent it from being used for mass surveillance. For example, I plan to limit accounts to a few hundred unique vehicles unless they apply for an override. Customers with legitimate use cases can be granted overrides with geofenced areas to fill their use-case (i.e. the university campus from the previous example). However, this significantly compromises user control, since they would have to go through my services to use the product.

Typically, I would prefer to make the software entirely open source and self-hostable under the AGPLv3. However, this would make it trivially easy for a government agency or business to set up a mass scale surveillance system.

I'm struggling to decide how to approach this issue. Have I backed myself into a corner with this one? I'd love to hear everyone's thoughts on this dilemma, and the Predator ecosystem as a whole.

top 28 comments
[–] CedarA64@lemm.ee 2 points 16 hours ago* (last edited 16 hours ago)

I think it is naïve to assume that your product and vision would replace the existing commercial products and law enforcement strategies. IMHO, it is more likely this will simply end up existing alongside the stuff that exists today and what that means is that less powerful people and organizations now will also have access to this technology and will now be able to abuse it for a variety of motivations and agendas alongside the powerful organizations that are already abusing it (to some degree) today. In other words, IMO proliferation of this technology is not going to end up being anywhere close to a net positive.

[–] acockworkorange@mander.xyz 2 points 1 day ago

Take a look at trusted computing. The issue is someone modifying your software to collect more data than you intend, right? Make it so stock versions can’t talk to modified versions. This involves a fair bit of cryptography that goes way above my head. But for a technical solution, that’s where I’d start to look at.

For the time being, offer it exclusively as SaaS, while you figure out a game plan to solve this conundrum.

[–] IDKWhatUsernametoPutHereLolol@lemmy.dbzer0.com 17 points 1 day ago (1 children)

> Do I license it under GPLv3 to guarantee user freedom, or do I use a more restrictive license to prevent abuse?

Doesn't matter. Dictators don't obey laws, they won't respect your licensing either.

[–] cvieira@lemmy.ml 1 points 1 day ago

I suppose so, but it certainly couldn't hurt, especially if users have to be approved, and have geofenced restrictions.

I get what you're saying, but I figure someone who's prepared to do that probably wasn't someone who I was going to be able to stop from using Flock ALPR to begin with.

[–] ludrol@bookwormstory.social 11 points 1 day ago (1 children)

Consider this:

  • someone forks the project and doesn't respect the license
  • extends functionality to make the data gathering decentralized/centralized
  • they make a product and rake serious cash
  • you are penniless
  • privacy is violated even more

I see only two options:

  1. walk away, as this is a lost battle
  2. make the data open source so anyone can access it.

There is no moral high ground in this project.

[–] cvieira@lemmy.ml 2 points 1 day ago

Surely someone who wants to centralize ALPR information will simply use a service that already supports that feature. It seems unlikely someone trying to conduct mass surveillance would choose to modify a product specifically designed to make that difficult when there are already dozens of services that support that natively.

[–] ertai@programming.dev 6 points 1 day ago* (last edited 1 day ago) (1 children)

I don't see how using a proprietary license will help your dilemma. If I install proprietary software in my car, I have 0 idea what it is doing, I can have no assurance that it is not doing telemetry and sending all the collected license plates to a centralized system. You want a way for users to control their own copy of the software whilst you retain the ability to control others' copies of the software. That's impossible. Either the users control the software or the software controls the users, there's no other way.

You are afraid that if you license your software under a libre license, a government will fork the project and add centralized telemetry to their version, which they will install on their own fleet of vehicles. As you said, "The argument generally goes that people should be willing to give up some privacy if it means helping police identify stolen vehicles, AMBER alerts". The fact is, ALPR monitoring systems are already existent and in use, so people have decided to trade some of their privacy for security, trusting that their government will stick to a balance of privacy/security that is worth the trade.

THE ROOT ISSUE is that, since the software is absolutely proprietary, people have no idea which amount of their privacy is being traded for security so they have no way of holding their governments accountable, they cannot revolt if their governments overstep boundaries because they cannot know/prove if the government did step over the boundaries.

Because the system is a black box, the government can lie and say "we need this and that authorization, we need to use this dangerous tool, we need backdoors, we need to break encryption, etc. to guarantee your security". Once people have been coerced into giving up their power, the government uses that power however it wants because the system is secret.

If you license your project under the AGPL, the code is required to be available so people can ensure that their government is not abusing the power they have lent, and that the balance struck between privacy/security is worth it.

[–] cvieira@lemmy.ml 1 points 1 day ago* (last edited 1 day ago)

> I don’t see how using a proprietary license will help your dilemma

I guess I should clarify: Predator itself is already entirely open source, offline, and self-contained. The issue here is regarding an external service that allows you to import and manage data collected by Predator. By making this external service proprietary, I would be able to host the service and regulate how it is used. By making it open-source and self-hostable, I'm giving up control over how people use it.

> If you license your project under the AGPL, the code is required to be available so people can ensure that their government is not abusing the power they have lent

I'm not sure this is how that would work. The AGPL specifically guarantees users of the software the right to use it for whatever purpose they want. Assuming the government doesn't host a public instance of the software for third-party users, they are under no obligation to share the source code. As such, they could continue doing whatever they want with it with zero oversight.

The argument for a proprietary license would be that V0LT maintains control over the only public instance, meaning it could enforce the rules each agency agreed to. For example, a university wanting to do parking enforcement could be given a 7-day license plate retention limit, and have their ALPR geofenced to the perimeter of the campus. This oversight would not be possible with a free license, hence the dilemma.
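
The limits discussed in this thread (a per-account cap on unique vehicles, overrides confined to a geofence, and a retention window such as the 7-day example) can be enforced when data is imported. The following is an added example, not part of the thread and not code from Predator or V0LT; the names `Policy`, `Account`, `ingest` and `purge`, the campus polygon, the plates and the demo cap of 2 are all hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical names throughout; plates, coordinates and limits are constructed.
Point = tuple[float, float]  # (latitude, longitude)

@dataclass
class Policy:
    retention: timedelta                      # e.g. the 7-day limit from the thread
    max_unique_plates: Optional[int] = None   # None only for an approved override
    geofence: Optional[list[Point]] = None    # polygon an override is confined to

@dataclass
class Account:
    policy: Policy
    reads: list = field(default_factory=list)  # (plate, point, seen_at)

def inside(poly: list[Point], p: Point) -> bool:
    """Ray-casting point-in-polygon test on (lat, lon) pairs."""
    lat, lon = p
    hit = False
    for (lat1, lon1), (lat2, lon2) in zip(poly, poly[1:] + poly[:1]):
        if (lon1 > lon) != (lon2 > lon):
            cross = lat1 + (lon - lon1) * (lat2 - lat1) / (lon2 - lon1)
            if lat < cross:
                hit = not hit
    return hit

def purge(acct: Account, now: datetime) -> int:
    """Drop reads older than the retention window; return how many were removed."""
    cutoff = now - acct.policy.retention
    kept = [r for r in acct.reads if r[2] >= cutoff]
    removed = len(acct.reads) - len(kept)
    acct.reads = kept
    return removed

def ingest(acct: Account, plate: str, point: Point, seen_at: datetime, now: datetime) -> str:
    """Apply retention, geofence and unique-vehicle cap before storing a read."""
    pol = acct.policy
    plate = plate.strip().upper()   # normalise so case/spacing cannot dodge the cap
    purge(acct, now)
    if seen_at < now - pol.retention:
        return "rejected:expired"
    if pol.geofence is not None and not inside(pol.geofence, point):
        return "rejected:outside_geofence"
    known = {r[0] for r in acct.reads}
    if (pol.max_unique_plates is not None and plate not in known
            and len(known) >= pol.max_unique_plates):
        return "rejected:unique_plate_cap"
    acct.reads.append((plate, point, seen_at))
    return "accepted"

def demo() -> dict:
    now = datetime(2025, 3, 4, 12, 0, tzinfo=timezone.utc)
    hour_ago, week = now - timedelta(hours=1), timedelta(days=7)
    campus = [(40.000, -83.010), (40.010, -83.010), (40.010, -83.000), (40.000, -83.000)]
    on, off = (40.005, -83.005), (40.020, -83.005)
    override = Account(Policy(retention=week, geofence=campus))
    default = Account(Policy(retention=week, max_unique_plates=2))  # tiny cap for the demo
    return {
        "override": [ingest(override, "ABC1234", on, hour_ago, now),
                     ingest(override, "XYZ9876", off, hour_ago, now),
                     ingest(override, "OLD0001", on, now - timedelta(days=8), now)],
        "default": [ingest(default, p, off, hour_ago, now)
                    for p in ("AAA111", "BBB222", " aaa111", "CCC333")],
        "purged_later": purge(default, now + timedelta(days=8)),
    }

if __name__ == "__main__":
    print(demo())
```

The cap counts distinct plates inside the retention window, so it only bounds long-term accumulation if `purge` also runs on a schedule rather than just at import time.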

[–] mox@lemmy.sdf.org 16 points 1 day ago (1 children)

I don't have a specific suggestion, but here is what comes to mind:

  • Violation of human rights and civil liberties in order to gain power over others is always justified with noble-sounding excuses like protecting people and property. The reality does not match the claim.
  • Once violated, privacy of information is almost impossible to restore.
  • Anything that can be abused to someone's gain will be abused eventually, if not immediately.
  • Relying on a benevolent gatekeeper (even yourself) to prevent abuse of your tech will eventually fail.
  • The name V0LT Predator evokes the feeling that it's something the world needs less of, not more.

Whenever I find myself on a fine line like the one you're trying to walk, I consider whether I'll look back on my life and be proud of what projects/causes/changes to the world that I advanced with the time and talents that I have.

[–] cvieira@lemmy.ml 2 points 1 day ago* (last edited 1 day ago) (1 children)

You're bringing up many of the points I regularly consider working on this project. It boils down to the fact that this technology is widespread, and will continue to be widespread regardless of my actions. The catalyst for starting this project was when I learned what Flock ALPR cameras looked like, and noticed how widespread they were. I wanted to build something that could replace them without compromising privacy.

It's difficult, since there's an argument to be made for both sides. I'd argue that the existence of Predator gives an alternative to invasive products like Flock ALPR. But at the same time, I think it'd be great to live in a world where this technology required warrants, transparency, and other oversight from the start.

Regarding the name, Predator seems to be a bit of a point of contention. As a point of clarification, Predator does way more than just ALPR. It's a fully featured dash-cam with object recognition, deep vehicle integration, and more. In nature, predators often have sharp vision and quick reflexes, which was the main motivation. It also opens up some clever branding options. For example "Predator Apex" is the commercial side of Predator, and each preassembled product is named after a predator (Scorpion, Owl, Falcon, etc.) Additionally, other brands in the automotive/law enforcement space tend to have rather sharp sounding names as well ("Cobra", "Dragon Eye", "Stalker", etc.)

[–] mox@lemmy.sdf.org 5 points 1 day ago

> I think it’d be great to live in a world where this technology required warrants, transparency, and other oversight from the start.

Me too.

> It boils down to the fact that this technology is widespread, and will continue to be widespread regardless of my actions

That same reasoning has been used innumerable times throughout history. I suppose each of us must decide whether we think it holds water. It reminds me of an old adage: No single drop believes it is responsible for the flood.

> Predator does way more than just ALPR.

I know. I looked it up. I mentioned the name not because I think it represents what it does, but rather to point out that it will affect how people feel about you and your work, even if in subtle, imperceptible ways. It's up to you to decide whether you're comfortable with that.

[–] umami_wasbi@lemmy.ml 5 points 1 day ago* (last edited 10 hours ago)

ALPR already exists. The situation won't get better or worse, no matter what license you release under.

[–] reksas@sopuli.xyz 4 points 1 day ago (1 children)

Make it so that every user owns their data collected by this and it's all encrypted with some key private to that user. Then have only the user be able to share the data with others. Or rather don't collect it all to some central database but have everyone make their own for private use.

But I don't think this is a very good idea in the first place. What use is it to regular people to track others' licence plates? Who do you share the information with, the government? In the USA they would just gleefully abuse it; in the EU using it would just be horribly difficult for everyone involved due to legal issues, and having a private database about other people's information isn't allowed or it requires some kind of registration I think, or was that only in Finland? In fact this might be an outright illegal system in the EU. Other places likely have a superior database already.

And in the end, the whole thing will likely just be taken from you by force if nothing else works. Maybe some corporation will buy you out or maybe government will just seize it. No way they would just ignore something like this if it has any use to them.

So please be really careful how you do this so you don't end up making things worse for everyone by mistake. At least have some safeguards so you can destroy the whole thing if you need to, so it can't be abused if anyone tries to take it from you.

It's a nice idea, being able to track stuff independently, but I think it might belong to some different, more friendly world, that is not this awful place we have to live in.

[–] cvieira@lemmy.ml 2 points 1 day ago* (last edited 1 day ago) (1 children)

> don't collect it all to some central database but have everyone make their own for private use.

This is how it currently works, and it's why I think Predator is a better alternative (as far as privacy goes) to traditional ALPR services. Everything Predator records is stored locally unless explicitly configured by the user to do something differently.

> What use is it to regular people to track others' licence plates?

To be clear using the word "track" is a bit generous here. An individual user won't have nearly enough data to have anything close to a comprehensive location history on any given vehicle. A Predator user might be able to say "I've passed this car 3 times in the past month" but not "This person leaves for work every day at 9am".

Predator is designed primarily to make use of 'hot-lists' where only license plates in a specific list trigger alerts. For example, the US has a program called AMBER alerts, in which emergency alerts can be issued for missing children/kidnappings. These alerts often have license plates associated with them. A Predator user can add a plate from an AMBER alert to their hot-list, and then forget about it. Predator will silently scan license plates as they drive, and alert the driver if they find the vehicle. I think this is a way better alternative to government agencies covering an entire neighborhood in license plate cameras that feed everything to a centralized database.

> the whole thing will likely just be taken from you by force if nothing else works

This seems unlikely to me. There are already established companies in the space who have zero issue with violating privacy (i.e. Flock ALPR and Axon). A malicious company or government entity is unlikely to willingly go after Predator, given that it goes out of its way to make mass surveillance difficult.

[–] reksas@sopuli.xyz 1 points 1 day ago

I hope it works out as you want

[–] poVoq@slrpnk.net 11 points 1 day ago (1 children)

> I could pretty effectively prevent it from being used for mass surveillance.

And a future you might decide differently.

[–] cvieira@lemmy.ml 2 points 1 day ago

Surely if I've made it this many years into the project without having a change of heart, that won't change any time soon.

That being said, I get what you're saying. Relying on human filtering seems prone to error.

[–] catloaf@lemm.ee 6 points 1 day ago (1 children)

Have you considered just not making the product at all?

[–] cvieira@lemmy.ml 2 points 1 day ago (1 children)

The cat is a bit out of the bag on that one.

Predator has been several years in the making at this point, but I've been trying to balance limiting mass surveillance while still having a product that's compelling enough for people to be willing to give up the traditional mass surveillance methods.

As far as the data import utility goes, that component is still private while I figure out how to handle it.

[–] catloaf@lemm.ee 6 points 1 day ago (1 children)

If it's really morally questionable, no amount of sunk cost justifies it. If it hasn't been released, the cat remains in the bag.

[–] cvieira@lemmy.ml 3 points 1 day ago (1 children)

I guess I'll reframe the question a bit: Flock ALPR is the dominant brand in this field, and they have shown zero desire to protect individual liberty and privacy. This latest utility I've been experimenting with tries to replace the functionality of Flock ALPR with decentralized private data sources, rather than massive centralized databases (which I think is vastly better for privacy and reducing government overreach). The question is: would such a product improve privacy/freedom by eliminating the need for Flock (and competitors), or just further contribute to the problem?

[–] catloaf@lemm.ee 5 points 1 day ago

It will absolutely not eliminate Flock. Businesses and governments are barely even going to consider your product.

You can democratize a surveillance tool all you want, but it's still surveillance.

[–] Ebby@lemmy.ssba.com 6 points 1 day ago (1 children)

I'm split on this. On one hand, I don't want to be tracked, but know I am anyways. On the other hand, bringing awareness to these problems is important.

One reason companies get away with horrible invasions of privacy is they limit those privileged to access it. Opening up a system to show how invasive it is could be a good thing. Big tech has become the juggernaut it is by operating in the shadows as much as possible.

[–] cvieira@lemmy.ml 2 points 1 day ago

That's actually something I've noticed working on this project. Some people have never heard of dash-cams, let alone ones with ALPR capabilities. People who are uncomfortable with that idea are usually pretty shocked when I explain to them what the little cameras all over their neighborhoods are for.

It feels like a bit of an uphill battle trying to eliminate state-sponsored ALPR, so my hope is that providing a less invasive alternative might be beneficial. It's certainly a tough balance.

[–] mspencer712@programming.dev 5 points 1 day ago (1 children)

Yes you will make it easier for kiwifarms to create an ALPR network if you GPL it. Also social change activists, news stations, “news” stations, nosy neighbors, overseas companies interested in obtaining intelligence on US citizens, people who hate racing on public roads, neighborhood watch, people who want to make ALPR bans functionally impossible by making them indistinguishable from dashcams, people who want to make rich people sweat by tracking their movements.

If you don’t GPL it, you’ll demonstrate that a small team can create an ALPR system, so, they might think, why not give it a try?

[–] cvieira@lemmy.ml 2 points 1 day ago (1 children)

I think you might be over-estimating the power of Predator a bit. There are already companies dedicated entirely to high-end vehicle-based ALPR, as well as fixed road-side ALPR networks. Most of the scenarios you've listed are significantly more difficult to accomplish using Predator, since it's inherently self contained. An individual might be able to tell that they've passed a specific vehicle a few times over the past few months, but they won't be able to collect nearly enough data to "track" them.

Here's a scenario: A driver has a Predator dash-cam installed in their vehicle. One day, the local police put out a notice asking if anyone has seen a specific stolen vehicle. The driver goes home, imports the Predator data, and finds that they have records of passing that vehicle twice over the past month. They report that information to police to help with the investigation.

The concern with this is that the ability to import data makes it possible for a coordinated organization (like a police force) to install cameras in a fleet of vehicles, and manually import that data at the end of each shift. With a larger set of information, you could realistically use Predator to track the habits of individual vehicles.

[–] mspencer712@programming.dev 1 points 1 day ago

I was assuming a long delay between event capture and event logging, when brainstorming use cases.

[–] kekmacska@lemmy.zip 1 points 1 day ago

I think making it source-available and distributing it for a request after a verification would be the best for very powerful and dangerous software. GPL is also a good license, but if you upload it to a git site, every script kiddie will install it and use it for their funny business