by Dave Maas, Electronic Frontier Foundation
California law is crystal clear: any entity—including government agencies—that accesses data collected by automated license plate readers (ALPRS) must implement a privacy and usage policy. This policy must ensure all use of this sensitive information “is consistent with respect for individuals’ privacy and civil liberties.” The policy must include a process for periodic audits and every time the data is looked up, a purpose for the search must be recorded.
From June 2016 until July 2018, the Sacramento County Department of Human Assistance (DHA) failed to abide by these basic legal requirements, according to documents obtained by EFF through the California Public Records Act.
The county allowed 22 employees working in the welfare fraud department to search ALPR data collected by other agencies and private companies more than 1,000 times without any of these mandated accountability measures. No policies were written or posted online, as required by law. No audits were conducted. The purposes for the ALPR data searches were not recorded according to logs.
ALPRs are high-speed camera systems that capture images of license plates of vehicles that pass into view. The systems convert the plates into machine-readable numbers and letters, attach the time, date, and GPS coordinates, and upload the information to a searchable database that can be used to establish travel patterns of drivers and visitors to certain locations. ALPR technology collects data on all vehicles, regardless of whether they are connected to criminal activity.
Because DHA handles welfare fraud investigations, it is most likely that the data was used to spy on the travel patterns of food stamps and other benefits recipients—i.e. mostly people below the poverty line and disproportionately African-American. However, certain DHA employees used the “stakeout” feature in the ALPR database, which allows the user to view license plates and other information about every single vehicle that visited a particular location, regardless of whether they were recipients of benefits.
DHA does not operate its own ALPR cameras, and instead accesses data collected by other entities that is shared through a system called LEARN operated by the private company Vigilant Solutions. Since the spring EFF and Muckrock have been filing public records requests around the country with Vigilant Solutions customers—public agencies—to reveal who is sharing data with whom. So far, we have identified 19 agencies sharing data with DHA—mostly in California, but also agencies in other states such as the Cedar Rapids Police Department in Iowa and the Austin Police Department in Texas.
To give a sense of the scale of this data: DHA had access to data collected by the Sacramento County Sheriff’s Office and Sacramento Police Department, a combined 196-million license plate scans in 2016-2017. Vigilant Solutions also offers billions of license plate scans collected by commercial operators, such as tow truck drivers.
Records show that the 22 employees—all criminal investigators or investigative assistants—in the DHA Program Integrity Division accessed ALPR data through Vigilant Solutions’ LEARN system on 1,110 occasions between June 2016 and July 2018. Some employees only ran a single search, while others ran more than 100. One employee ran 214 searches over the course of 20 months.
In emails and phone calls with EFF, DHA officials acknowledged that the agency did not know that as an “end-user” it had any legal obligations regarding the use of ALPR data. After receiving our request, the agency spent a week creating a policy and then uploaded it to its website. The policy now includes a process for monthly audits.
EFF obtained contracts and invoices between DHA and Vigilant Solutions that show the county paid a little more than $10,000 for access to the data, while bypassing the competitive bidding process. DHA also signed an agreement forbidding the agency from talking to the media about the ALPR program without Vigilant Solutions’ written permission. The agency also agreed not to use information about Vigilant Solutions in “any manner that is disparaging.”
The use of powerful ALPR data is disproportionate to the need. As Sacramento DHA officials acknowledged in 2013: “the percentage of fraud cases is statistically low.” In 2012, DHA found fraud found in only .02% of all welfare cases or 500 of the about 8,000 fraud referrals (out of nearly 200,000 people receiving assistance in Sacramento).
EFF calls on Sacramento County to cancel this program immediately and launch an internal investigation to determine the extent that privacy and civil liberties were violated and what disciplinary measures are appropriate for failing to comply with state law.
The Sacramento County Board of Supervisors should further pass an ordinance requiring all surveillance technology acquisitions and associated use policies to come for a full, public vote before being approved. Other local governments in the region have already passed such ordinances, including Santa Clara County and the cities of Oakland, Berkeley, and Davis.
The county may believe it’s a priority to investigate individuals for breaking welfare rules, but it must hold its own department accountable when it breaks the law too.
© 2018 Electronic Frontier Foundation, CC BY 3.0 US