Surprise! Audit finds automated license plate reader programs are a privacy nightmare
Automated license plate readers, ALPRs, would be controversial even if they were responsibly employed by the governments that run them. Unfortunately, and to no one’s surprise, the way they actually operate is “deeply disturbing and confirm[s] our worst fears about the misuse of this data,” according to an audit of the programs instigated by a Californian legislator.
“What we’ve learned today is that many law enforcement agencies are violating state law, are retaining personal data for lengthy periods of time, and are disseminating this personal data broadly. This state of affairs is totally unacceptable,” said California State Senator Scott Weiner (D-SF), who called for the audit of these programs. The four agencies audited were the LAPD, Fresno PD, and the Marin and Sacramento County Sheriffs Departments.
The inquiry revealed that the programs can barely justify their existence and not seem to have, let alone follow, best practices for security and privacy:
- Los Angeles alone stores 320 million license plate images, 99.9 percent of which were not being sought by law enforcement at the time of collection.
- Those images were shared with “hundreds” of other agencies but there was no record of how this was justified legally or accomplished properly.
- None of the agencies has a privacy policy in line with requirements established in 2016. Three could not adequately explain access and oversight permissions, or how and when data would or could be destroyed, “and the remaining agency has not developed a policy at all.”
- There were almost no policies or protections regarding account creation and use and have never audited their own systems.
- Three of the agencies store their images and data with a cloud vendor, the contract for which had inadequate if any protections for that data.
In other words, “there is significant cause for alarm,” the press release stated. As the programs appear to violate state law they may be prosecuted, and as existing law appears to be inadequate to the task of regulating them, new ones must be proposed, Wiener said, and he is working on it.
The full report can be read here.
Source: TechCrunch