Four police departments in California, including the Los Angeles Police Department, have insufficient security and privacy safeguards in place to protect data collected by automated license plate readers, according to an audit released Thursday by California State Auditor Elaine Howle.
The audit examined how the Fresno Police Department, LAPD, the Marin County Sheriff’s Office and Sacramento County Sheriff’s Office regulate and operate ALPR systems, which automatically read and store the license plate numbers of passing vehicles to crosscheck them against “hot lists” of vehicles involved in active investigations.
A 2015 law, Senate Bill 34, was supposed to require local law enforcement agencies that use ALPR systems — 70 percent of all police and sheriffs departments, according to the audit — to adopt privacy policies that would punish and deter misusing the systems or any license-plate data. But the audit found that none of the four agencies had fully complied with all of the usage and privacy requirements. It also found the LAPD lacked any policy directing how its system should be used.
“The statewide survey of law enforcement agencies we conducted found that 70 percent operate or plan to operate an ALPR system, and this raises concerns that these agencies may share the deficiencies we identified at the four agencies we reviewed,” Howle wrote in a letter to California Gov. Gavin Newsom and state lawmakers.
Of the four law enforcement agencies surveyed, three failed to clearly specify who has access or oversight to the ALPR systems and how ALPR data can be destroyed.
Three agencies were also shown to use a cloud storage vendor to hold millions ALPR images and data, but lacked contractual guarantees that the data is sufficiently protected by those vendors.
The top concerns that Howle’s office addressed, however, were how much data the ALPR systems collected and stored on vehicles not involved in any police investigations and how long that data was kept. Just 400,000 of the 320 million images that LAPD’s ALPR system has accumulated, for example, matched vehicles on the agency’s “hot list” — which is only 0.1 percent.
The audit also found that officers tend to search for images that are less than six months old, despite the fact that all four departments retain their images for at least a year.
The audit was commissioned last June with a push from the Electronic Frontier Foundation, a privacy-rights group that used Freedom of Information Act requests to determine that the San Diego Police Department was not complying with SB 34 in 2018. State Sen. Scott Weiner, who formally requested the audit, told the LA Times on Thursday that he was “horrified” by the results.
A larger concern, however, according to Dave Maass, a senior investigative researcher with EFF, is that problems identified with ALPR systems in California over the last several years are likely happening nationwide.
“All of these issues they’re talking about aren’t limited to California,” Maass said. “Every state should take a look at this audit and decide whether they should start reforming [ALPR policies] themselves or whether they need to order their own audit.”
Although 96 percent of California law enforcement agencies using ALPR systems have a usage policy, according to the audit, Maass said its possible that many of those agencies — and agencies nationwide — share the same privacy weaknesses and oversights. That’s because many of the privacy policies law enforcement agencies use are identical, purchased from companies like LexiPol that charge police departments for their use.
“They just write these boilerplate policies that agencies around the country adopt,” Maass said.
LAPD Chief Michel Moore said in a letter that his agency would have a full ALPR policy posted on their website by April, and will complete an audit of the information that the agency’s system captures by June 2021.