Longview Police Data Leak (Updated with Response from Longview!)

CitySend

In February 2012, the city of Longview, Texas launched the "CitySend" system, which lets people report non-emergency problems to the city via a mobile app, including photos:

By December 2012, it was declared a success:

Privacy Guarantees

It is possible to submit a report "anonymously", and there appear to be some limitations on publishing your location:

Server Logs

In fact, the complete server logs for the application, from its start to the present, are published publicly here:

http://police.longviewtexas.gov/node/2947/

This appears to be an intentional form of "advertisement":

The most recent reports are shown above, and the earliest ones are here:

The details of each report are available, including the username, time, User Agent, and IP address. Here's the first report, which appears to be the administrator testing the system on Feb. 15, 2012. (I redacted the last portion of the IP address.)

Here's another report from two weeks later, on another device (also redacted).

Most of the reports are anonymous in the sense that the user's name is not visible, but the other information such as IP, user agent, and time could be used to deduce the user's identity.

Interactive Map

Here's an interactive map of reports:

http://longviewtexas.gov/citysend-track-request

Click an item, and click "Details" to see far too much information about it, including the precise latitude, longitude, and device used to make the report:

I wonder if the people making these reports know that so much information is being published about them.

This may not be illegal, but it seems unwise. I can imagine stalkers, angry neighbors, and other people with ill intentions using this information for harm.
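One way to keep these details out of the public pages is to build each published record from an allow-list and audit the result before it goes out. The sketch below is an added example, not CitySend or Longview code; the field names and the sample record are assumptions, since the real schema is not shown here.

```python
import ipaddress
import re
from datetime import datetime

# Hypothetical field names; the real CitySend schema is not shown on the page.
PUBLIC_FIELDS = ("id", "category", "status", "address")
SENSITIVE_KEYS = {"time", "username", "ip", "user_agent", "device",
                  "latitude", "longitude"}
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_COORD = re.compile(r"-?\d{1,3}\.\d{4,}")  # 4+ decimals: about 11 m or finer

def public_view(report):
    """Build the published record from an allow-list instead of deleting keys."""
    out = {k: report[k] for k in PUBLIC_FIELDS if k in report}
    # Publish the day only, not the exact submission time.
    out["reported_on"] = datetime.fromisoformat(report["time"]).date().isoformat()
    return out

def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def find_leaks(record):
    """Return (field, reason) pairs for anything that should not be public."""
    leaks = []
    for key, value in record.items():
        text = str(value)
        if key in SENSITIVE_KEYS:
            leaks.append((key, "sensitive field"))
        elif any(_is_ip(t) for t in _IPV4.findall(text)):
            leaks.append((key, "IP address"))
        elif _COORD.search(text):
            leaks.append((key, "precise coordinate"))
    return leaks

# Constructed sample record (203.0.113.0/24 is a documentation range).
SAMPLE = {
    "id": 1001, "category": "Illegally parked car", "status": "Received",
    "address": "100 Example St", "time": "2012-02-15T09:41:07",
    "username": "anonymous", "ip": "203.0.113.7",
    "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 5_0_1 like Mac OS X)",
    "device": "iPhone", "latitude": 32.500712, "longitude": -94.740489,
    "note": "submitted from 203.0.113.7 at 32.500712,-94.740489",
}

if __name__ == "__main__":
    print(find_leaks(SAMPLE))               # raw record: many findings
    print(find_leaks(public_view(SAMPLE)))  # allow-listed record: none
```

The audit also catches an IP address or coordinate that ends up inside a free-text field, which a key-by-key deletion would miss.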

Notification to Police

I sent this message on Oct. 12 to inform the administrators of the system.
from: Sam Bowne <sam.bowne@gmail.com>
to: LPD@longviewtexas.gov, CityManager@longviewtexas.gov, support@citysourced.com, jcure@ci.longview.tx.us
date: Sun, Oct 12, 2014 at 12:17 PM
subject: Security Problem in CitySend System: Exposure of Private Data

Hello:

I am Sam Bowne, an instructor in Computer Networking and Information Technology at City College San Francisco.

I found this page today with Google, and I think you should block it from public access:

http://longviewtexas.gov/node/2947

That page shows every report into the "CitySend" system, reporting issues like illegally parked cars. The details of every report are visible, including the exact time and IP address, like this:

http://longviewtexas.gov/node/2947/details/32592

According to this page, the reports can be made anonymously:

http://www.longviewtexas.gov/citysend-frequently-asked-questions

However, exposing the IP address of the reporter could lead to identifying them, rendering the report non-anonymous.

The "Track a Request" page also leaks information unwisely. The map is here:

http://longviewtexas.gov/citysend-track-request

Clicking a dot leads to this:

http://www.citysourced.com/report/123257/other-not-listed-please-describe

The Address indicates the location accurately enough to resolve the problem. However, the Latitude, Longitude, and Device are also listed, which can be used to invade the privacy of the reporter. Suppose an angry neighbor wants to retaliate, or the person reporting the problem happened to be in an embarrassing location when reporting--why is the exact location of their device published for the world to see?

Also, your site uses Drupal 6.30, which is ten months out of date. The current version is 6.3.3:

https://www.drupal.org/drupal-6.33-release-notes

If you wish to contact me, I am:

Sam Bowne sbowne@ccsf.edu

Conclusion

I got no response from anyone in the Longview government, and I don't expect to. I think they are happy with this system as it is.

But I certainly cannot recommend taking such unnecessary risks with private data, and I imagine that they will be forced to improve this system sooner or later.

Response from Longview!

I was surprised to receive an email from Justin Cure, politely thanking me for my notice, and implementing some changes!

They protected one of the pages that expose IP addresses so that it requires a password for access:

http://police.longviewtexas.gov/node/2947/

I did find another problem, and warned them so they can fix it.

But the really big problem is now the Drupal update. The Drupal project published this exceedingly scary statement on Oct. 29, 2014:

Drupal warns unpatched users: Assume your site was hacked

So the Longview police would appear to have an incident response process to perform.

Hopefully they will continue to improve their security, and I'll update this article if I learn more.


Posted 11:48 am 10-19-14 by Sam Bowne
Updated with response by Longview 10:46 am 11-2-14