License Plate Data Isn't 'Personally Identifiable' Until The Public Asks Police For Access To It

from the this-rule-is-for-us-and-this-rule-is-for-the-everyone-else dept

Law enforcement agencies display a deliberate cognitive dissonance when it comes to data they claim has no “expectation of privacy.” As was recently detailed here, license plate scanners are in operation across the United States, most with little to no oversight over the use of the location information obtained. Even worse, disposal of “non-hit” data seems to be an afterthought — in some cases, the information is held onto indefinitely. One law enforcement agency was even quoted as saying the use of the data was “limited only by the officers’ imagination.”

These agencies excuse these efforts by claiming the information they obtain is public. After all, the vehicles are driving on public roads where anybody, even a license plate scanner, can see and record the license plate. They also argue this is no different than an officer writing down a plate number and calling it in. (Although I’d like to see an officer write down 786 plates in one hour, as one plate scanner did in the Motherboard article.)

As Shawn Musgrave points out, this information travels almost exclusively one way.

A report released this week by the ACLU explores the widespread deployment of automatic license plate recognition (ALPR) scanners by law enforcement across the country. As police tout the advantages of ALPR and seek millions in federal funds to the equipment, many departments insist that license plate and vehicle location information don’t require special protection or oversight.

When pressed to put special protections on their massive license plate databases, the law enforcement community writ large argues that license plate numbers are not personally identifiable information (PII), and thus not subject to restricted access or probable cause requirements for detectives to paw through it.

One would think that, for the most part, license plate data is personally identifiable. After all, most of us use the same vehicles for day-to-day travel. If it’s not you, then it’s a close family member. A plate can easily be tied to a small group of individuals, generally located at the same address. But law enforcement members argue that it isn’t — that a license plate is a license plate and nothing more.

In its 2012 guidelines on ALPR, the International Association of Chiefs of Police remind us that a license plate “identifies a particular vehicle, not a particular person.” When the Drug Enforcement Agency wanted to install ALPR along Utah highways in 2012, an official told local legislators, “We’re not trying to capture any personal information–all that this captures is the tag, regardless of who the driver is.”

It’s a terrible argument, especially considering phone numbers and addresses are considered personal information (according to federal guidelines), even if neither specifically identifies a person. Not only that, but plate numbers seem to be “personally identifiable” enough to allow traffic cam tickets to be sent to the person (and address) linked to the plate number. (It should be noted that a few drivers have turned this weak argument against law enforcement — most notably, the driver who wore a monkey mask while racking up traffic cam tickets and then argued the city couldn’t prove who was driving the vehicle.)

So, if license plates aren’t “personally identifiable information,” anyone should be able to access these public records, right?

When one citizen requested anonymized ALPR data from the LA County Sheriff earlier this month via a public records request, his request was denied primarily on confidentiality grounds. Again, he wanted anonymous data, but was denied based on confidentiality.

When I asked for data from the Boston police, the department indicated it was only willing to produce redacted records “without images of license plates and license plate numbers.” (I’m still waiting for this data after three months.)

There’s the one-way street. It’s not “personal” but only authorized law enforcement members are allowed to view the data. It’s not “personal” enough to be subject to the same restrictions addresses and phone numbers are but agencies aren’t interesting in sharing their databases of “vehicles” with the public. (Of course, they will sell it to private corporations…) It’s a shifting definition that serves law enforcement’s desire for massive data and little oversight.

And what happens if a member of the public manages to get ahold of the “private” database full of “public” information?

After a Minneapolis open data advocate paid $5.91 last December for a USB drive packed with 2.1 million ALPR scans complete with license plate numbers and photos, including the mayor’s, the city’s police chief successfully petitioned for a change in the public records law. In the same breath, Chief Harteau asserted that an ALPR scanner “does not record personally identifiable information,” but that its scans “should be private data, available to only the subject and not the general public.” The mayor quickly obliged.

There’s your doublethink. Non-private information given privacy protection by a change in law that only benefits certain (supposedly) public servants. Seems rather possessive for data that anybody with pen and paper could acquire.

Maybe the time has come for the technology to be opened to the public, which can then drive around capturing plate and location data on law enforcement vehicles. Technology has been turned against those deploying it before. After all, if it’s perfectly acceptable to grab location data on the public, law enforcement should be willing to submit to the same sort of data collection.

Filed Under: , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “License Plate Data Isn't 'Personally Identifiable' Until The Public Asks Police For Access To It”

Subscribe: RSS Leave a comment
Anonymous Coward says:

Citizens need to fight back with the same

Start setting up a realtime license plate scanning network in as many locations as possible, and begin publishing our own location details for every plate scanned.

If this isn’t private data, and these people are driving around on public roads, let’s see how they feel about publicly accessible data collected by average citizens doing nothing more than law enforcement has done.

So, are there yet any websites and open source software to do this with an average webcam?

aldestrawk says:

Re: Citizens need to fight back with the same

This is already being done and law enforcement is purchasing the data from the private companies that collect it. The ACLU report has a section dealing with private databases containing ALPR scans. The main companies that do this are MVTrac and DRN (Digital Recognition Network) and its’ partner NVLS (National Vehicle Location Service). The NVLS actually gets some of its’ data from law enforcement databases as well as providing aggregated data back to law enforcement agencies.
As of September 2012 they had 800 million records. That number is probably over a billion today.
There are no laws restricting the sale of this information from private databases.

Anonymous Coward says:

Why are the cops collecting all this license plate data in the first place if they aren’t giving out tickets?

What use is it for cops to list all the license plates that drove down a certain road each day? Sounds like looking for a needle in a haystack when you actually have a use for finding one specific license plate.

Anonymous Coward says:

Re: Re:

I’m not sure I read anywhere that they weren’t giving out tickets.

I imagine they’re perfectly happy to send someone a citation, fine, and fixit ticket if their currently unregistered vehicle is spotted driving around town.

As the article suggests, they are clearly looking for certain “hits” from their system – probably for wanted individuals whose location is currently unknown, or vehicles that were reported stolen or facilitated hit-and-run.

It’s the “non-hit” data that is questionable here. I think law enforcement likes to have lots and lots of data so they can go “back in time” and figure out what someone did or was doing up to the point of committing a crime. If they store the data indefinitely, they can use it to predict someone’s activities and actions, and I’m sure while the data is not “personally identifiable”, it’s still circumstantial, and a jury would probably believe a prosecutor that used it as such to prove someone was at a given location at a given time.

Anonymous Coward says:

Re: Re:

I heard one haughty cop in a news report about this issue say something like, “If there isn’t any criminal activity going on, you have nothing to worry about”. So, Mr. Policeman, if there isn’t any criminal activity going on, why are you scanning my license plate and keeping it in a database for 5 years? What business do you have doing that? I mean, after all, since there’s no criminal activity going on, you have nothing to worry about, eh, Mr. Policeman?

John Fenderson (profile) says:

Ahh, for the goood old days

Remember when “personally identifiable information” actually meant information that could be used to identify a specific person? Now, it apparently means much less than that.

This isn’t a new trend — the last big move in redefining PII to mean something less was when Apple was arguing that the iPhone’s unique ID number was not PII.

Larry says:

What is good for the goose, is legislated away by the gander

There are far too many double standards at play even in this one specific area!

It’s bad enough that the police will say that citizens don’t have an expectation of privacy but it appears that the police do. And they use this expectation to break the law to boot!

aldestrawk says:

Re: Re:

Good article. In case you miss my comment on Ars.

You mentioned that the response from the Santa Clara County Sheriffs office was that they did not have any ALPRs. The following is a response letter from the Milpitas Police Department to the ACLU. (Milpitas, for those not living here, is part of Santa Clara County) This letter is contained in a PDF file that comprises the response from Milpitas that were in answer to queries used to create the ACLU report. It is dated August 8, 2012

Over the past two months, the Milpitas Police Department has been working with the Santa Clara
County Sheriffs Office on delivering LPR data to the Sheriffs Office (SO) database. These
efforts have been to attempt to establish a connection with the SO with the intent to share data.
These efforts were a result of a verbal agreement and no Memorandum of Understanding exists.
This data has been shared with the SO information technology staff only for test purposes and is
not being delivered to their sworn field deputies.

So, while they claim not to have any ALPRs they do have a database.

Anonymous Coward says:

Re: public information

The devil is in the details, neighbor. If I’m reading you right, you feel the scanning is equally intrusive as filming your local police.

Two issues with that.
1. The public doesn’t have a system to automatically scan and capture badge numbers and tie them to specifical locations.
2. The public’s use of recording devices serves to attempt to equalize the power between “John Q. Public” and “Officer Copper”

So maybe it’s a double standard, but if the effect is to balance the power between The Public and officers of The State, I’m all for such a standard.

FM Hilton (profile) says:

This isn't all they collect, either

License plate scanners, only?

Hell, try this out for size: an entire database system dedicated to getting every single piece of information about anyone in it

Of course, it’s cloud based, but I bet you can’t access it-only for those in the “law enforcement profession.”

aldestrawk says:

National ALPR Database

Law enforcement agencies often share their ALPR databases with regional fusion centers. This practice is growing and is enabled by the adoption of a standardized format or back end by the handful of vendors involved. Even if a particular agency has a policy of deleting this information from their own database, the fusion centers will have their own policy which may well be: keep the data indefinitely. It is tempting for any agency to keep the data as it could help in solving some crime later wherein a suspect’s vehicle may be already be tracked within the database.

From an EFF article:
In 2008, LAPD Police Chief Charlie Beck (then the agency?s chief of detectives) told GovTech Magazine that ALPRs have ?unlimited potential? as an investigative tool. ?It?s always going to be great for the black-and-white to be driving down the street and find stolen cars rolling around . . . . But the real value comes from the long-term investigative uses of being able to track vehicles?where they?ve been and what they’ve been doing?and tie that to crimes that have occurred or that will occur.?

One of the reasons for using ALPR is to track vehicles surrounding critical infrastructure. In fact, one of the grants types used to fund purchases comes out of the National Infrastructure Protection Plan as put forth by the Department of Homeland Security. Law enforcement agencies get some of their hot lists of license plates to watch for from the federal government. You can imagine that this is a reciprocal arrangement and those agencies share their databases with either the Department of Homeland Security or agencies under the Department of Justice (e.g. FBI, DEA) or both.
The use of ALPRs has grown rapidly in the last 6 years. In their stationary form they are used for red-light cameras, crime prevention, bridges and toll roads, and traffic condition notifications. Mounted on a vehicle, they can scan parked cars and all the lanes of a highway,including traffic going in the opposite direction. The direction we are heading as a nation is yet another way for government and private companies to track everyone’s movements.

RD says:

“International Association of Chiefs of Police remind us that a license plate ?identifies a particular vehicle, not a particular person.? When the Drug Enforcement Agency wanted to install ALPR along Utah highways in 2012, an official told local legislators, ?We’re not trying to capture any personal information–all that this captures is the tag, regardless of who the driver is.?

And yet, when we point this EXACT same argument out about IP addresses, suddenly the narrative changes to “oh YES it identifies an individual!” Same exact priciple, but of course only if it serves thier ends. The hypocrisy would be astounding if it wasnt so expected and prevalent in every single instance.

FM Hilton (profile) says:

No, you can't access it

That site is for law enforcement only-you see, the program is tied into the hardware in a cop’s car. That’s the computer databank they’re always looking at.

No, you can’t access it unless you’re a cop and you have the computer, the access and the key to the program. That’s why it’s a real challenge.

If you’re a civilian, your privacy is nil with this program when they’re looking up your records, because they’re all accessible with it.

The NSA doesn’t have anything on these people.

Anonymous Coward says:

I’m always paranoid of getting a speed camera ticket for doing 5mph over the limit.

Like that one town in Ohio that fined all the church going people.

Now they want to track us, fine us, tax us and spy on us. We fund state and gov. with tax money so they can spy on us.

It’s just like the George Orwell novel. Only worse…

sheppo says:

this is the problem with privacy rules

The problem with privacy laws is that they try to differentiate between personally identifiable data (PID)and non-personally identifiable data (nPID) and base restrictions or freedoms around those.

This is fine on paper, but in practice it’s not for one very simple reason.

When you hold PID and nPID it’s easy to correlate the two to match. For example with a date of birth (nPid), and a postal (nPID) code you can quite easily match that data to people (PID). With an internet cookie cookie (nPID), and an IP address (nPID) you can easily match against an email address (PID).

The same goes for License Plate (nPID) to People (PID). But the law says it’s okay to do this.

bob (profile) says:

how do you expect

How do you expect the people who have promised to uphold and protect the constitution to do their job, when schools never really taught anything INSIDE the constitution, only when it was created and who signed it. These people have no idea what the 4’th amendment is or why it’s important, same is true for the 1’st amendment. The only thing they know about the amendments is how they interfere with the rest of their job of collecting revenue for their municipality.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...