CBP Updates Privacy Impact Assessment On License Plate Readers; Says Opting Out Involves Not Driving
from the just-five-years-of-surveillance-at-CBP-fingertips dept
The last time the CBP delivered a Privacy Impact Assessment of its automated license plate readers, it informed Americans as far as 100 miles inland that there’s really no privacy being impacted by the deployment of tech capable of capturing millions of plate images every year. If you don’t want to be on the CBP ALPR radar (which is shared with the DEA and other law enforcement agencies), don’t drive around in a properly licensed vehicle.
This impact assessment was not updated when the CBP’s ALPR vendor was hacked and thousands of plate photos — some of which contained photos of drivers and passengers — were taken from the vendor’s servers. The vendor was never supposed to be storing these locally, but it decided to do so and the end result was a lot of leakage the CBP assured everyone contained “no personal information” about the thousands of people and vehicles contained in the photos.
Privacy Risk: There is a risk that individuals who are not under suspicion or subjects of investigation may be unaware of or able to consent to CBP access to their license plate information through a commercial database.
Mitigation: This risk cannot be fully mitigated. CBP cannot provide timely notice of license plate reads obtained from various sources outside of its control. Many areas of both public and private property have signage that alerts individuals that the area is under surveillance; however, this signage does not consistently include a description of how and with whom such data may be shared. Moreover, the only way to opt out of such surveillance is to avoid the impacted area, which may pose significant hardships and be generally unrealistic.
Keep in mind that “impacted areas” aren’t just the places you expect Customs and Border Protection to be. You know… like at the border. It’s also up to 100 miles inland from every border. And “border” is also defined as any entry point, which includes international airports. So, that’s a lot of “impacted area.” There’s really no realistic way to dodge everywhere the CBP operates. And one would think actively dodging CBP-patrolled areas would be treated as suspicious behavior by CBP officers, which could result in far more than license plate records being abused.
The CBP says it will keep privacy violations to a minimum, though. It will only access its database if it has “circumstantial evidence.” So… feel good about that, I guess.
The CBP also says that it probably isn’t actually allowed to perform this collection but it will try its very best not to abuse its ALPR privileges.
There is a risk that CBP does not have the appropriate authority to collect commercially available LPR information from vehicles operating away from the border and outside of CBP’s area of responsibility.
No big deal, says the CBP. It will only retain information about vehicles crossing the border. Or connected to a “person of law enforcement interest.” Or connected to potentially illicit activity. Or for “identifying individuals of concern.” Just those things. And the data not connected to anything in particular will be held onto for a limited time.
Here’s the definition of “limited:”
CBP may access LPR data over an extended period of time in order to establish patterns related to criminal activity; however, CBP has limited its access to LPR data to a five-year period in an effort to minimize this risk.
Really the only thing limited about this is that it isn’t forever. The CBP’s vendor can hold onto this data forever, but CBP agents will only be able to search the last five years of records. Cached searches will be retained for up to 30 days if they’re of interest to the CBP or other law enforcement agencies with access to the database. Uninteresting searches will be dumped within 24 hours.
Five years is a lot of data. That’s not really a mitigation of privacy concerns. The CBP’s Impact Assessment pretty much says the agency plans to use this to reconstruct people’s lives. Its definition of “limited” — the one that means five years of searchable records — is its response to the privacy risk posed by the aggregate collection of travel records over a long period of time. Apparently, the CBP feels five years is long enough for it to do its job. But not long enough that the general public should be worried about it.