For over a decade, Boston has been keeping track of motor vehicles in the city by implementing automated license plate readers, a form of mass surveillance that uses cameras to scan plates at a 60-per-second pace. Privacy advocates have long been uneasy with this, and it didn’t help when the Boston Globe revealed that the Boston police accidentally let slip 68,000 plate numbers. The police promised to can the program.

Except they didn’t stop using the data. Instead, they’d been borrowing it from the Boston Transportation Department — which, in turn, uses Genetec’s AutoVu system. And, thanks to an investigation by journalist Kenneth Lipp, it turns out the only thing between an interested party and 780,000 motor vehicle records collected from Boston by Genetec was nothing but an internet connection.

A bit of Google search engine sleuthing, and you could find yourself at Genetec’s open file server. It included not just personal data but “hotlists” comprising persons of interest. Here’s Lipp, via Medium:

In Boston, a city of approximately 600,000 people, parking enforcement has one hotlist with 720,000 hits, each of which notes a plate number, location info, and available make and model data. Among the targets listed in August: 19 license numbers classified as “immediate threats,” nearly 4,000 affiliated with “wanted persons,” 25 plates linked to bad checks, 75 tied to payment defaults, and 468,617 flagged for cancelled insurance.

As Lipp points out, there is potential danger in having this information publicly available. It’s an extreme example, but using the parking permit numbers of fancy cars, he writes, would-be thieves could look up your equally fancy address simply knowing the server’s URL.

Boston is not the only town with privacy problems. In 2006, the Chicago Board of Elections left 1.3 million exposed in a security breach.