The DHS Sends Out The Call For A National License Plate Database
from the more-'harmless'-metadata dept
In what reads like bad news all over, the DHS has just requested quotes for national automatic license plate reader (ALPR) database. There are currently several ALPRs in use and law enforcement agencies have been working hard to link systems up in order to better track vehicles as they move around the country. This has been hampered somewhat by multiple vendors, most of which aren’t particularly interested in working with competitors. But even with multiple vendors, there’s still a whole lot of data being stored — a majority of which is entirely unrelated to criminal activity — in easily-accessible databases.
License plate readers are used not only by police but also by private companies, which themselves make their data available to police with little or no oversight or privacy protections. One of these private databases, run by a company called Vigilant Solutions, holds over 800 million license plate location records and is used by over 2,200 law enforcement agencies, including the U.S. Department of Homeland Security.
A nationwide database, with records accessible by law enforcement and investigative agencies with few restrictions is obviously a concern. Tracking vehicles as they move around the country generates a ton of location data that can reveal a great deal about a person. It’s always argued that what you do in public carries no expectation of privacy, but that statement is somewhat meaningless when you consider the number of plates ALPRs scan and store. Most states with ALPRs have gathered millions of records, which are held for as long as 5 years, with little in the way of minimization procedures. ELSAG, another ALPR vendor, brags in its own promotional Powerpoint presentation that it has collected 50 million records in New York City alone, without a single mention of minimization processes or the disposal of non-hit data.
For the government to actively call for a nationwide database is troubling. Since this is a solicitation for bids, there’s no discussion on what, if anything, will be required from the winning contractor in terms of storage, minimization or disposal. Given the track records of the largest vendors, it’s likely these issues will be of lesser concern than other aspects, like scanning speed and database accessibility.
The call for bids may have something to do with Vigilant’s recent efforts, both on the PR front and in the courtroom.
First off, Vigilant (along with Digital Recognition Network) is suing the state of Utah for, believe it or not, violating its First Amendment rights.
It posits that a new Utah law which bans license plate collection by private companies, effectively put it out of business in the state. The law was intended to keep data from falling into police hands without oversight, and is among the first by surveillance technology firms to argue against privacy laws invoking the First Amendment.
The Texas company fired back, arguing that collecting license plate numbers is free speech. The lawsuit draws upon a recent major Supreme Court ruling, Citizens United v. FEC, which overturned a law curbing corporate and union donations to political campaigns. In effect, the Court ruled that money is speech.
“The Texas company says it’s not a police agency – law enforcement already is exempt from the ban under Utah’s new law — nor can it access in bulk federally protected driver data that personally identifies the letters and numbers it collects from license plates in public,” the Associated Press reported Thursday. “The company said it only wants to find cars that have been stolen or repossessed, not to cull large swaths of data and incriminate people from their travel habits.”
DRN’s press release goes into a little more detail on this rationale.
“Taking and distributing a photograph is an act that is fully protected by the first Amendment,” said DRN / Vigilant Outside Counsel Michael Carvin. “The state of Utah cannot claim that photographing a license plate violates privacy. License plates are public by nature and contain no sensitive or private information. Any citizen of Utah can walk outside and photograph anything they please, including a license plate.”
This is an interesting approach. It’s a bit disingenuous to compare scanning license plates at a rate of hundreds per hour to someone walking around taking pictures of license plates (not the least of which is the fact that a private photographer most likely wouldn’t have a searchable database), but underneath it all, the point remains: these are photographs of publicly-available items. It will be tough for a court to find a “bright line” that separates these two without weakening First Amendment protection. Then again, as the ACLU has noted, it’s not really the photography that’s a problem, it’s the handling of the non-hit data, something that won’t be addressed in this suit. That’s Utah’s problem and if it loses this case, then it needs to push for heavy restrictions on how the data is accessed and used, as well as rules on data disposal.
Using an unpopular decision (Citizens United) to argue that losing income equals losing free speech rights is a bit more troublesome. Of course, those opposed to that decision may welcome a court battle on the issue, as it may cast further doubt on the validity of that ruling. But does a company deserve to make money, much in the way it might deserve First Amendment protections? That’s another grey area with no bright line and this two-pronged approach may allow Vigilant and DRN to set up their ALPR systems despite the state of Utah’s opposition. (Of course, Utah would be free to use another vendor, but any decision in the ALPR companies’ favor will help them attack similar laws elsewhere.)
It would appear that Vigilant is trying to knock down state laws that might curtail its national aspirations. Appearing on the same day as this lawsuit announcement was a Vigilant press release touting its ALPR’s crime fighting abilities.
Vigilant Solutions announces today that the Loganville Police Department in Georgia attributes recent and significant arrests to their use of license plate recognition (LPR) technology from Vigilant Solutions.
Assistant Chief M.D. Lowry comments, “On January 7, one of our officers received an alert from his license plate reader (LPR) system on a vehicle which was associated with an active arrest warrant out of Texas. Our officer initiated a traffic stop per policy and identified the driver. Following protocol, the officer used other systems to validate the hit and was able to confirm the driver was wanted out of Del Rio, Texas for Indecent Acts with a Child, 2nd Degree. The suspect was taken into custody without incident and transported to the Walton County Jail to await extradition…”
We have only had our single unit for only a few months, but it is already proving its value by helping us to remove these threats from our community. I can tell you that the capture of a child molester from nearly 1,200 miles away was more than worth the cost of the LPR unit. If we never make another case with it, it was worth the cost.”
Two immediate questions arise. The first is: if you never make another case with it, what’s the point of gathering all that data? Does the arrest of one child molester make the routine harvesting of thousands of plates of non-child molesters “worth it?”
Second: pointing out the ends as justification for the means is a rhetorical dodge. There are any number of things law enforcement could do to bump arrest numbers — like house-to-house searches and eliminating the probable cause requirement for warrants — but neither takes into consideration the constitutional rights of those on the receiving end of these actions. Law enforcement is supposed to work within these limitations, rather than see how hard they can push back against them.
The call for bids on a national ALPR database takes a localized problem and makes it worse. The government (both on local and national levels) has shown repeatedly that it prefers to implement technology before considering the privacy implications. Post facto “repairs” generally only come into play once widespread misuse has already been reported. This is a chilling, but not unexpected, development. If it can be construed as “public,” then it’s the government’s for the taking, apparently.