Two Major Developments Bring New Scrutiny to ALPR Cybersecurity
Automatic License Plate Reader (ALPR) systems continue to expand across the country, including throughout Indiana, but important legal and cybersecurity questions remain unresolved. In November 2025, two major developments raised new concerns about how ALPR data is protected and who can access it: a request for a federal investigation and the release of a new independent cybersecurity whitepaper.
These events are significant because ALPR systems collect sensitive location information that can reveal patterns about daily life, including home addresses, religious attendance, political involvement, medical visits, and personal associations. Without firm rules and cybersecurity standards, this information may be vulnerable to misuse, unauthorized sharing, or access by bad actors.
Federal Lawmakers Request FTC Investigation
On November 3, 2025, Senator Ron Wyden and Representative Raja Krishnamoorthi sent a formal letter to the Federal Trade Commission requesting an investigation into ALPR cybersecurity practices. The letter raises concerns about account security for law-enforcement users and the possibility that large amounts of vehicle-location data could be exposed through compromised credentials or insufficient authentication systems.
The full letter can be read here: Letter to FTC.
The lawmakers note that location information collected by ALPR systems can reveal highly personal and sensitive facts about Americans. They also highlight that unauthorized access is not a theoretical risk. Instances of compromised user accounts and credential sharing have already been documented, raising questions about how these large databases are secured and monitored.
Independent Cybersecurity Whitepaper Details Technical Risks
Alongside the request for an investigation, a new whitepaper published by GainSec outlines risks associated with hardware, software, and network configurations used by major ALPR platforms. The full report is available here: GainSec Whitepaper.
Key findings include:
- Device-level vulnerabilities that could allow unauthorized root-level access.
- Unencrypted data at rest or in transit, exposing license-plate and vehicle-location records to interception.
- Out-of-date operating systems and firmware, increasing exposure surface to known exploits.
- Evidence-integrity weaknesses that raise questions about whether ALPR data can be reliably used in investigations or court proceedings.
For a clear visual walkthrough of the findings, view this video explanation: The Cameras Tracking You = A Security Nightmare.
Why This Matters in Indiana
Indiana currently has no statewide law defining how ALPR data can be retained, what cybersecurity protections must be used, what oversight agencies must follow, or how information may be shared. Every agency sets its own rules or operates without any, which creates inconsistent protections across jurisdictions.
Without statutory retention limits, warrant requirements, independent audits, and transparency reporting, large databases of location information may remain subject to unauthorized access. These recent developments highlight that cybersecurity is not just a technical issue — it is also a policy and accountability issue.
Eyes Off Indiana’s Position
Eyes Off Indiana supports technology that protects communities while respecting constitutional rights. Balanced policy can protect both safety and privacy by requiring:
- Short and clearly defined data retention periods,
- Strong authentication and cybersecurity standards,
- Probable cause warrant requirements for historical data,
- Public reporting and independent audits,
- A ban on commercial sharing or resale of ALPR data,
Take Action
Hoosiers deserve modern privacy protections that match modern technology. You can help by signing our petition and sharing this article:
https://eyesoffindiana.org/petition
Learn more and explore related resources at https://eyesoffindiana.org