‘Giving It Out Like Candy’

Calif. Bill Seeks to Stop Police From Unbridled License-Plate Data Collection

An image from the user guide for the Law Enforcement Archival Reporting Network (LEARN) system, Vigilant Solutions’ platform for law enforcement officers who access license-plate data.

By Fiona Tang

California legislators are considering a bill that would limit law enforcement’s retention of data obtained through automated license plate readers (ALPRs), hoping to quell alarms from privacy advocates after a state agency found widespread abuse among police.

Democratic State Sen. Scott Wiener introduced the License Plate Privacy Act in January after the California State Auditor released a report earlier last year revealing negligent misuse of ALPR data by authorities.

The activities, the report said, marked severe violations of an existing privacy law, S.B. 34, which had been on the books since January 2016.

“What we are seeing is agencies will maintain massive amounts of data in perpetuity — data that has nothing to do with any kind of investigation or suspected crime — and they are giving it out like candy, to basically any agency, even sometimes non-governmental agencies, anywhere in the country,” Wiener said last month in presenting the bill to the Senate Judiciary Committee.

It passed the panel on a 9-1 vote — and its fiscal impact is being analyzed by the Senate Appropriations Committee.

Outrage also grew regarding ALPRs in December, after reports that police in Chula Vista, the second largest city in San Diego County, was sharing license-plate data with hundreds of law enforcement agencies nationwide.

They included U.S. Immigration and Customs Enforcement (ICE) and Customs and Border Patrol (CBP).

The disclosures, occurring as early as 2017, apparently were unbeknownst to Chula Vista Police Chief Roxana Kennedy, according to reports.

“It’s really surprising that it takes a civilian member of the public that files public-records requests to catch something that the law enforcement agency should have found,” Dave Maass, director of investigations for the Electronic Frontier Foundation (EFF), told Digital Privacy News.

“Police agencies aren’t monitoring their own systems well enough to know that they were sharing with all of these agencies.”

“This is basically mass surveillance.” 

California Democratic Sen. Scott Wiener.

ALPR technology captures license-plate images and extracts the number and the date, time and location of the scan — and stores the information in a searchable database.

The software automatically compares plate numbers to a stored “hot list” of “vehicles of interest,” such as those linked to criminal investigations.

If a plate image matches a hot-list entry, the software alerts police officers.

Auditor’s Findings

The auditor’s report, released in February 2020, examined four agencies — the Fresno Police Department, Los Angeles Police Department, Marin County Sheriff’s Office and Sacramento County Sheriff’s Office.

According to the report, “99.9 percent of the 320 million images Los Angeles stores are for vehicles that were not on a hot list when the image was made.”

Further, Los Angeles police had not developed an ALPR policy at all, the auditor found.

Other revelations included that three agencies shared “images with hundreds of entities across the U.S. but could not provide evidence that they had determined whether those entities have a right or a need to access the images.”

None of the four police agencies had audited their ALPR systems, as required by S.B. 34.

That law, passed in October 2015, requires police departments to develop and implement policies guiding ALPR data-retention, authorized purposes for accessing and using the data, for periodic system audits and training requirements for employees.

The police agencies blatantly ran afoul of the law, the auditor found.

Officials from the California State Auditor’s Office did not return calls seeking comment from Digital Privacy News.

“Immediately after the law passed,” EFF’s Maass told Digital Privacy News, “I started filing public-records requests to see how law enforcement was implementing the law.

“Time and time again, they weren’t doing what they were supposed to.

“Most agencies, instead of developing a policy on their own, simply went to a company called Lexipol that makes boilerplate policies — took their policy and put it online,” Maass noted.

Chula Vista Outrage

In December, The San Diego Union-Tribune disclosed that Chula Vista police had been collecting, storing and sharing license-plate data with ICE and CBP as early as 2017.

Local rights advocates said they feared the data would be used for immigration enforcement by the federal agencies. A third of Chula Vista’s population is foreign-born, according to U.S. Census data, and 59% are Hispanic or Latino.

Pedro Rios, a 17-year city resident and director of the American Friends Service Committee’s U.S.-Mexico Border Program, said the Chula Vista Police Department, for years, had not been truly listening to constituent concerns.

“Police agencies aren’t monitoring their own systems well enough to know that they were sharing with all of these agencies.”

Dave Maass, Electronic Frontier Foundation.

“When we talk about the fear that that creates in migrant communities, it’s based on real cases we’ve documented — where people are victims of immigration raids, deported and detained,” Rios told Digital Privacy News.

“There are serious ramifications for families,” he added. “Especially if they are the breadwinner of the family, they have to deal with how to make rent payments and how to put food on the table.

“That also has a real impact on the children that might be involved: their grades plummet.

“It creates a lot of trauma.”

Senator’s Proposal

According to Wiener’s proposal, law enforcement agencies would be required to delete license-plate data 24 hours after it is collected, unless the data is connected to a public-safety interest. 

It also would bar agencies from accessing databases with ALPR information that is more than 24 hours old and not on a hot list — and would require authorities to perform annual audits to ensure that data was deleted in accordance with the 24-hour rule.

“This is basically mass surveillance,” Wiener, 50, who is in his second term and represents San Francisco and parts of San Mateo County, told the Judiciary Committee last month.

“This information can be used to track a person, determine their daily patterns, extrapolate their social circles,” he said.

“Data is capable of turning many facets of a person’s life, shipped off to many different public and private entities — even ICE — which we think is in violation of existing law.”

This law — S.B. 54, the California Values Act — prohibits state and local authorities from using money or personnel to investigate, detain or arrest people for federal immigration enforcement.

Maass, the EFF’s director of investigations, noted that ALPR data was collected in many ways.

“Law enforcement agencies access license-plate data in different ways,” he explained. “One way is by purchasing license-plate readers and collecting the data themselves.

“Another thing they do — there’s a private company called Vigilant Solutions, which collects its own data and sells it as a subscription service to law enforcement.”

Vigilant Solutions, a subsidiary of Motorola Solutions, did not return requests for comment.

Maass said: “We wanted to avoid having a cap on 24-hour license-plate reader data — and then seeing law enforcement going to a private contractor and buying data that is much older.

“It should be under the same time restriction as the data they collect themselves.”

‘Much More Transparency’

In Chula Vista, AFSC’s Rios called on city officials to be more forthcoming about the use of ALPR and similar technology.

“I’d like to see much more transparency in how and when the city is using surveillance technology,” he told Digital Privacy News.

“When we talk about the fear that that creates in migrant communities, it’s based on real cases we’ve documented.”

Pedro Rios, American Friends Service Committee.

“For years, there has been a lack of consultation with the public about the potential long-term implications of having this type of surveillance technology in use around the city.”

The Chula Vista City Council will discuss ALPR technology at a meeting Tuesday.

Fiona Tang is a California writer.