19 July 2013

ANPR

The ACLU has released You Are Being Tracked: How License Plate Readers Are Being Used To Record Americans’ Movements  [PDF], a 37 page report on what in Australia is characterised as automated number plate recognition (ANPR).

It comments that
implementation of automatic license plate readers poses serious privacy and other civil liberties threats. More and more cameras, longer retention periods, and widespread sharing allow law enforcement agents to assemble the individual puzzle pieces of where we have been over time into a single, high-resolution image of our lives. The knowledge that one is subject to constant monitoring can chill the exercise of our cherished rights to free speech and association. Databases of license plate reader information create opportunities for institutional abuse, such as using them to identify protest attendees merely because these individuals have exercised their First Amendment-protected right to free speech. If not properly secured, license plate reader databases open the door to abusive tracking, enabling anyone with access to pry into the lives of his boss, his exwife, or his romantic, political, or workplace rivals.
In July 2012, American Civil Liberties Union affiliates in 38 states and Washington, D.C., sent 587 public records act requests to local police departments and state agencies to obtain information on how these agencies use license plate readers. We also filed requests with the U.S. Departments of Justice, Homeland Security, and Transportation to learn how the federal government has used grants to encourage the widespread adoption of license plate readers, as well as how it is using the technology itself.
We received over 26,000 pages of documents from the law enforcement agencies that responded to our requests, about their policies, procedures, and practices for using license plate readers.
This report provides an overview of what we have learned about license plate readers: what their capabilities are, how they are being used, and why they raise privacy issues of critical importance. We close by offering specific recommendations designed to allow law enforcement agencies to use license plate readers for legitimate purposes without subjecting Americans to the permanent recording of their every movement.
The potential privacy harms discussed in this report are not merely theoretical. In August 2012, the Minneapolis Star Tribune published a map displaying the location, obtained via a public records request, of the 41 times that Mayor R.T. Rybak’s car had been recorded by a license plate reader in the preceding year. The Star Tribune also reported that of the 805,000 plate scans made in June, less than one percent were hits. Yet for as long as the information was retained, the other 99 percent of scans were also vulnerable to the risk that they might be released, used by the police to track innocent people, or otherwise abused. The alarming fact that a law-abiding citizen’s sensitive location history could be revealed so easily was not lost on this exposed mayor.
The report notes that
License plate readers are used not only by law enforcement agencies but also by private companies. This has led to the emergence of numerous privately owned databases containing the location information of vast numbers of Americans.
License plate readers are used in a variety of non-law enforcement roles. Private companies use license plate readers to monitor airports, control access to gated communities, enforce payment in parking garages, and even help customers find their cars in shopping mall parking lots. While these uses in and of themselves are not objectionable, private companies can scan thousands of plates each day and store information indefinitely, creating huge databases of Americans’ movements.
Perhaps the largest private users of license plate readers are repossession agents who have recognized the value of license plate location information and built enormous private databases with data from all over the country. MVTrac, one of the biggest companies in this industry, claims to have photographs and location data on “a large majority” of registered vehicles in the United States, while the Digital Recognition Network (DRN) boasts of “a national network of more than 550 affiliates.” These affiliates, most of whom are repossession agents, are located in every major metropolitan area of the United States. DRN fuels rapid growth of its database by offering to fully finance up to five automatic license plate readers for affiliates located in major metropolitan areas, such as New York, Los Angeles, Orlando, Boston, and Washington, D.C., which guarantee they will provide DRN with a minimum of 50,000 aggregate plate scans per month. DRN affiliates feed location data on up to 50 million vehicles each month (nearly all of which are not wanted for repossession) into DRN’s national database. This database now contains over 700 million data points on where American drivers have been.
Private companies have partnerships with law enforcement. Police departments can purchase license plate reader data from private corporations. For example, law enforcement agencies can access MVTrac’s database and search through data collected by private repossession agencies. DRN contributes its affiliate-generated data to the National Vehicle Location Service (NVLS), which is run by Vigilant Solutions, a partner of DRN. NVLS aggregates DRN’s data with data received from other private sources, such as access control and parking systems, and from law enforcement agencies.  According to Vigilant, NVLS “is the largest [license plate] data sharing initiative in the United States.” The database holds over 800 million license plate reader records, and is used by over 2,200 law enforcement agencies and 25,000 United States law enforcement investigators. Each month, the system adds roughly 1,000 new users   and grows by 35 to 50 million license plate reader records. Law enforcement agencies that use or have used NVLS include the Milpitas Police Department in California, police in Port Arthur, Texas, and Immigration and Customs Enforcement.
These private databases raise serious privacy concerns. Their massive size suggests that they contain a great deal of information about our movements. These huge databases of plate information are not subject to any data security or privacy regulations governing license plate reader data. These companies decide who can access license plate data and for what purposes.
Last year, California considered a bill that would have required private companies to delete license plate records after 60 days and regulated the sale and sharing of privately held plate data. Due in part to the companies’ vigorous opposition, as well as that of law enforcement agencies, the bill died on the Senate floor. Today, these companies continue to operate with no regulation of how they use the data they are rapidly collecting. 
The report concludes with several recommendations
To ensure that license plate readers can be used by law enforcement agents for legitimate purposes without infringing on Americans’ privacy and other civil liberties, the ACLU calls for the adoption of legislation and law enforcement agency policies adhering to the following principles:
  • License plate readers may be used by law enforcement agencies only to investigate hits and in other circumstances in which law enforcement agents reasonably believe that the plate data are relevant to an ongoing criminal investigation. The police must have reasonable suspicion that a crime has occurred before examining collected license plate reader data; they must not examine license plate reader data in order to generate reasonable suspicion. 
  • Law enforcement agencies must not store data about innocent people for any lengthy period. Unless plate data has been flagged, retention periods should be measured in days or weeks, not months, and certainly not years. 
  • It is legitimate to flag plate data (1) whenever a plate generates a hit that is confirmed by an agent and is being investigated, (2) in other circumstances in which law enforcement agents reasonably believe that the plate data are relevant to a specific criminal investigation or adjudication, (3) when preservation is requested by the registered vehicle owner, or (4) when preservation is requested for criminal defense purposes. 
  • Once plate data has been flagged, a longer retention period commensurate with the reason for flagging is appropriate. 
  • Law enforcement agencies must place access controls on license plate reader databases. Only agents who have been trained in the departments’ policies governing such databases should be permitted access, and departments should log access records pertaining to the databases. 
  • People should be able to find out if plate data of vehicles registered to them are contained in a law enforcement agency’s database. They should also be able to access the data. This policy should also apply to disclosure to a third party if the registered vehicle owner consents, or for criminal defendants seeking relevant evidence. 
  • Law enforcement agencies should not share license plate reader data with third parties that do not conform to the above retention and access principles, and should be transparent regarding with whom license plate reader data are shared. 
  • Hot lists should be updated as often as practicable and, at a minimum, at the beginning of each shift. Whenever a license plate reader alerts on a plate, law enforcement, before taking any action, should be required to confirm visually that a plate matches the number and state identified in the alert, confirm that the alert is still active by calling dispatch and, if the alert pertains to the registrant of the car and not the car itself, for example in a warrant situation, develop a reasonable belief that the vehicle’s occupant(s) match any individual(s) identified in the alert. 
  • Any entity that uses license plate readers should be required to report its usage publicly on at least an annual basis.