By Dave Maas and Hayley Tsukayama, Electronic Frontier Foundation
California police and sheriffs are failing to protect the privacy of drivers on city streets, the California State Auditor’s office determined after a seven-month investigation into the use of automated license plate readers (ALPRs) by the Los Angeles Police Department and three other local law enforcement agencies. California State Senator Scott Wiener sponsored the State Auditor’s report.
The auditor raised a long list of concerns, including fundamental problems with police ALPR policies, failure to conduct audits, and the risk of ALPR data being abused to surveil political rallies or target immigrant populations. In addition to Los Angeles, the auditor investigated the Fresno Police Department, Sacramento County Sheriff’s Office, and Marin County Sheriff’s Office. The auditor indicated that the problems are likely prevalent across 230 California law enforcement agencies using ALPRs.
The report is a damning assessment of how California law enforcement agencies use this mass-surveillance technology, which employs computer-controlled, high-speed cameras mounted on street lights, on top of police cars, or speed-monitoring trailers that automatically capture images of every vehicle that drives by, without drivers’ knowledge or permission. The cameras capture the exact time and place a license plate was seen, and often compares that data point to hot lists of “people of interest” to police. The cameras are capable of capturing millions of data points, which, taken in the aggregate, can paint an intimate portrait of a driver’s life and even chill First Amendment-protected activity.
Read the State Auditor’s Report.
Among the auditor’s key findings:
- The four agencies’ “[p]oorly developed and incomplete policies contributed to the agencies’ failure to implement ALPR programs that reflect the privacy principles” required by state law.
- “Instead of ensuring that only authorized users access their ALPR data for appropriate purposes, the agencies we reviewed have made abuse possible by neglecting to institute sufficient monitoring.”
- “A member of law enforcement could misuse ALPR images to stalk an individual or observe vehicles at particular locations and events, such as doctors’ offices or clinics and political rallies. Despite these risks, the agencies we reviewed conduct little to no auditing of users’ searches.”
“[A]gencies have not based their decisions regarding how long to retain their ALPR images on the documented usefulness of those images to investigators, and they may be retaining the images longer than necessary, increasing the risk to individuals’ privacy.”
- “We found that the three agencies storing ALPR data in Vigilant’s cloud—Fresno, Marin, and Sacramento—do not have sufficient data security safeguards in their contracts.”
- While the California Department of Justice has guidelines on protecting police data from federal immigration enforcement activities, “agencies were either unaware of these guidelines or had not implemented them for their ALPR systems.”
ALPRs allow police to upload our movements to massive databases.That enables them and others to analyze our travel patterns, identify visitors to specific locations, and receive real-time alerts on specific cars through “hot lists.” For more than eight years, EFF has raised concerns about the technology because it can reveal sensitive information about all drivers, regardless of whether they are suspected of connection to criminal activity. In 2015, EFF supported legislation—S.B. 34—to require agencies to implement policies that protect civil liberties and privacy, and to maintain a detailed log of every time someone accesses ALPR data.
Last summer, EFF worked with Sen. Wiener to request the California State Auditor to conduct an audit of ALPRs used by law enforcement agencies throughout the state and to assess whether agencies are complying with S.B. 34. Based on our own research, we demonstrated to legislators how police, sheriffs, and other agencies were routinely flouting a state law requiring transparency and accountability designed to protect the public’s privacy and civil liberties. This included failure to keep track of system searches and publish their usage policies online. We also drew attention to the fact that agencies are collecting far more information than they need and are sharing the data indiscriminately with hundreds other agencies across the country.
Over the last seven months, the state auditor’s staff spent 2,800 hours surveying every police and sheriff’s department in the state and conducting deep-dives of four agencies.
The auditor made many recommendations. The California legislature should amend state law to require the California Justice Department to draft and publish a template for ALPR policies that local law enforcement agencies can use as a model. The Justice Department should also issue guidelines about security requirements agencies should follow to protect ALPR data. The amended law must establish rules about how long ALPR data can be retained, including data that is used to link persons of interest with license plate images. Periodic evaluations of data retention policies should be conducted to ensure that police are keeping data for the shortest time as practical, the auditor said. The four law enforcement agencies investigated should review and revise their ALPR policies and do an assessment of their data security practices by August.
The auditor found that 230 agencies in California were deploying ALPRs, with the majority using Vigilant Solutions to collect, store, and analyze the data. An additional 36 agencies planned to deploy ALPRs in the near future. This is the first time that a comprehensive list of ALPR users in California has been compiled.
Learn about which agencies are using automated license plate readers here.
Of the agencies that use ALPR systems, 96 percent said that they had ALPR policies. But, as the audit reveals, many of the policies that agencies have in place are insufficient. The agencies audited in Fresno, Marin, and Sacramento did not cover who has access to the system, or how the agency monitors use of the system to comply with privacy laws. The Los Angeles Police Department, which has an ALPR database of 320 million images, had no policy specifically dealing with its ALPR systems at all. The department said that its existing information technology policies adequately covered the system—a belief that the auditor’s office did not share.
The audit also reveals that the four departments it examined closely are sharing data from ALPR systems broadly—between those agencies, ALPR data are shared with entities in 44 out of 50 states. The Sacramento County’s Sheriff’s Office alone shares with more than 1,000 entities.
Agencies also retain data for varying periods of time, some very long. The Los Angeles Police Department, for example, keeps information from ALPR systems for five years. Information contained in these systems, the audit found, include not only license plate information but also personal information such as name, address, date of birth, and even some criminal justice data such as arrest record.
All four agencies, the report found, lacked sufficient safeguards for managing which employees can see the data from their systems, such as a policy that requires supervisory approval for establishing an account to access an ALPR system.
Problems likely extend far beyond the four agencies profiled. “We are concerned that the policy deficiencies we found are not limited to the agencies we reviewed, and thus law enforcement agencies of all types may benefit from guidance to improve their policies,” the report said.
Based on the outcome of the audit, EFF asks the state legislature to enact new safeguards to limit how police use this technology.
- Agencies must create and define a clear process for adding and removing vehicles from hot lists, and limit hot lists to only the most serious of crimes.
- Agencies must not retain any data about vehicles that do match a vehicle included on such a hotlist.
- Agencies should not use ALPR data collected or stored by a private company.
- Agencies should follow the state of Maryland’s lead and disclose on an annual basis how many fixed and mobile license plate readers they have, how many license plates they scanned, how many of those scans matched a hot list, how many times agencies outside the state requested and received data, the results of all audits, and any breaches of the system that occurred.
- Forbid the use of predictive algorithms based on ALPR data.
- Place a statewide moratorium on government use of ALPRs, similar to the moratorium on mobile face recognition passed last session.
ALPR technology can be used to target drivers who visit sensitive places such as health centers, immigration clinics, gun shops, union halls, protests, or centers of religious worship—all without drivers’ permission or knowledge. This report clearly demonstrates the ways that these agencies are failing California drivers—and raises serious questions about how entities across the country use and access ALPR data.
This story was originally published by the nonprofit Electronic Frontier Foundation.
Where is the outrage over the California DMV selling our personal information to private companies??
I say as long as Bad Guys are getting caught I don’t care.
What does Metro Fastrack do with my plate(s) information, they keep track of my travel’s.
I read the report. It wasn’t damning at all. ALPRs are a great tool. If you really belive the technology is that good to track everyone’s movements you are dumb. Most ALPRs are mounted on patrol vehicles. There are only so many rolling around cities at one time. Also there are very few fixed cameras. Many cars are parked in private structures where patrol vehicles never go. Therefore the amount of vehicle data captured compared with the amount of vehicles in a city at one time is insanely miniscule. There is no systemic evidence demonstarted of police misuing ALPR data. Further, ALPR data may show you where a vehicle is at during a specific moment in time, but doesnt tell you who is driving or where they were headed. I could park in front of a building with a 100 offices, but the ALPR wont tell you which one I went in. This whole anti-privacy argument is non-sense. The ACLU should just admit they are trying to tie the hands of police at the benefit of criminals.
Very true. There are also tons of private companies collecting ALPR data with their own cameras snd selling it to law enforcement, private investigators, and law firms.
All the whining about ALPR by people who constantly take selfies and tag their location for the world to see. Amazing.
These so-called justice warriors and civil rights activists only care when career criminals are being watched, and worry about their constitutional rights being violated. However, if it is a political rival, or some good working police officers doing their job, and these justice warriors don’t agree with their politics or optics, they throw the book at them, and violate any and all civil rights to get to them. When the dirty cops, employing dirty tactics go after the justice warriors’ enemies, suddenly they become heroes…..Hypocrites…
“To ensure the safety of our roads, a police officer may run a license plate number through a government database to check for any outstanding violations or suspensions on the registration of the vehicle. We hold that such a check, even without any suspicion of wrongdoing, is permissible, and does not constitute a search. We further hold that information [*2]obtained indicating the registration of the vehicle is in violation of the law as a result of this check may provide probable cause for the officer to stop the driver of the vehicle.“
Supreme Court decision on running plates, they feel differently. Don’t see the difference!
Appears to be a whole lot of inductive reasoning and or a lot of SWAGGING (some wild ass guessing)with the aforementioned article.
I didn’t see any real firm, empirical data to substantiate some of the outlandish (i.e., surveil political rallies or target immigrant populations) claims made by some of these”concerned” individuals.
I am sure that some police agencies may not have a pretty, well defined set of procedures as it is stated in this article. However, I do believe that there are general guidelines on the programs usage and or abuse. Further, the company sponsoring / maintaining this program also has disclaimers about its usage and misuse.
ALPRS is one of many tools that assist law enforcement agencies in locating criminals. Further, these programs were created for a specific reason, to apprehend the bad guys. As societies progress, so does the mentality of the criminal and to keep up with these criminals, programs are developed to monitor and or apprehend these criminals.
As “LOL stated, people are complaining about the ALPRS program, yet these same people that are complaining are taking selfies and posting them on social media platforms for the world to see. Irony!
Bottom line, the ACLU and some of these bleeding heart LibTurds will continue to try and deteriorate anything that has to do with law enforcement.
You people that think alpr’s are a good thing are idiots. [WLA edit.] Nobody has a right to record our movements. Furthermore, you people act like 100% of police officers are good, honest, law abiding people. THEY ARE NOT! Not even close to 100%. So when you date some cops ex girlfriend or one gets a wild hair up their ass for no reason or you are a good-looking woman and some cop uses it and stalks you, you will be thinking differently. The police are to be used to uphold the constitution and governing laws, not abuse them and break them, which the more that is looked into , the more it’s proven there are more bad cops that previously thought. This ain’t the land of the free no more. [WLA edit.]