The Four Law Enforcement Agencies We Reviewed Have Not Consistently Fulfilled Requirements Designed to Protect Individuals’ Privacy
California’s lawmakers drafted current ALPR law to institute reasonable privacy standards for the operation of ALPR systems. As we discuss in the Introduction, technology gives governments the ability to accumulate significant amounts of information about people, raising the question of how individuals’ privacy is to be preserved, and the federal and state governments and courts have issued laws and guidance—including, in the case of California, SB 34—related to the use of such information.
- Authorized purposes for using the ALPR system and collecting the data.
- A description of the job title or other designation of individuals who are authorized to use or access the ALPR system.
- Training requirements for the authorized individuals who will use or access the ALPR system.
- A description of how the agency will monitor the ALPR system to ensure the security of the data and compliance with privacy laws.
- The purpose of, process for, and restrictions on the sale, sharing, or transfer of ALPR data.
- The length of time the ALPR data will be retained and the process used to determine if and when to destroy retained ALPR data.
Agencies may expand on these required elements as needed to ensure that their collection, use, maintenance, sharing, and dissemination of ALPR data are consistent with respect for individuals’ privacy.
None of the four agencies we reviewed have an ALPR policy that contains all of the required information, thereby contributing to the agencies’ failure to implement programs that reflect the privacy principles in SB 34. Los Angeles has not developed an ALPR policy, and the policies of the other three agencies are deficient in various ways, as Figure 2 shows. For example, all have failed to fully address how they will monitor system use to ensure compliance with applicable privacy laws, which likely contributed to their failure to institute regular audits of user searches. The agencies could have avoided concerns such as those shown in Figure 2 , which we describe later in this report if they had developed more thorough policies. Clear policies that define the purposes and procedures for monitoring ALPR systems help agencies meet their goals.
The Agencies’ ALPR Policies Are Missing Required Key Elements for Respecting Individuals’ Privacy
Source: State law and the agencies’ ALPR policies as well as interviews with the agencies’ management.
As a result of our audit, each of the four agencies is making or considering changes to its policies. The ALPR administrators at Fresno, Marin, and Sacramento agreed that their policies did not contain one or more elements required by state law. They also explained that they did not include certain policy requirements they believed did not apply to their use of ALPR data. For example, Sacramento’s ALPR policy does not describe ALPR data‑selling restrictions because, according to the ALPR administrator, Sacramento does not currently sell ALPR data. However, because their policies are incomplete and do not specify what personnel cannot do when interacting with their ALPR systems, these three agencies left out critical guidance to staff and increased the risk that staff would use the ALPR system inappropriately. The program administrators at Fresno, Marin, and Sacramento told us that they will consider changes to their policies subsequent to our audit. Although the lieutenant who serves as Los Angeles’ program administrator initially believed that the agency’s many IT policies covered the ALPR program, when we brought the deficiencies in oversight to his attention, he acknowledged the need for Los Angeles to have an ALPR policy and began drafting one in October 2019.
The Law Enforcement Agencies Have Often Placed Their ALPR Data at Risk
Administering ALPR programs in ways that respect individuals’ privacy requires a thoughtful and considered approach to data management that the agencies we reviewed have not always taken. Specifically, three of the agencies have agreed to share their images widely with little knowledge of the receiving entities and their need for the images. Moreover, the agencies have not based their decisions regarding retention of images on their actual usefulness to investigators and may be retaining the images longer than necessary, increasing the risk to individuals’ privacy.
The Agencies May Not Be Adequately Protecting Their Sensitive ALPR Data
Law enforcement agency personnel can upload or enter sensitive information into their ALPR systems, which may require specific safeguards. As we discuss in the Introduction, this sensitive information could include personal information and criminal justice information. In addition, these data may originate from the California Law Enforcement Telecommunications System (CLETS)—a system that allows law enforcement agencies to obtain information from federal and state databases, such as arrests and fingerprint records from Justice. In reviewing multiple agencies’ ALPR policies, we found several that stated that their ALPR systems may contain information obtained through CLETS. Additionally, in a security and compliance memorandum, Vigilant acknowledged that law enforcement users can upload personal information and criminal justice information into the Vigilant system through hot lists and open text fields.
For example, in addition to license plate images, Sacramento and Los Angeles add data to their systems such as criminal charges and warrant information, in combination with personal information such as names, addresses, dates of birth, and physical descriptions. The added data can be in the form of hot lists that agencies use to search for license plates of interest, as shown in Figure 1 in the Introduction, or they can be data that are entered into open text fields. By running an automated function each day, Sacramento extracts information from several databases and uploads the information as hot lists to its ALPR system. Los Angeles does not create its own hot lists, but it regularly downloads hot lists from Justice and the Los Angeles County Sheriff’s Department, then uploads the hot lists to its ALPR system. Another way that information in addition to license plate images gets into an ALPR system is by users adding it to open text fields. Data entered into open text fields are generally associated with license plate searches. When conducting a search, staff are prompted to enter a case number and the purpose of the search, and they may do so by typing in text. The ALPR systems store this open text in their audit logs, which detail user activity and the reasons for the activity.
In contrast to Sacramento and Los Angeles, Marin and Fresno occasionally upload hot lists into their ALPR systems. With regard to open text fields, we reviewed the audit logs for Marin and Fresno and did not find personal information in combination with other sensitive information in the six months of search records we studied. However, the possibility exists that law enforcement personnel could enter sensitive information into open text fields during ALPR searches.
When an IT system lacks sufficient security, the system is at risk of misuse and data breaches. Systems containing personal information and criminal justice information must have adequate protections to assure individuals’ privacy. However, as discussed in the Introduction, ALPR data can originate from different sources, and the source of the information may drive some of the required IT security protocols. On one hand, CJIS developed a policy that dictates the minimum standards that law enforcement agencies must follow to protect criminal justice information they obtain from the FBI (CJIS policy). On the other hand, users of Justice’s CLETS system must follow the protections outlined in the CLETS Policies, Practices and Procedures document, which describes formal security measures law enforcement agencies must follow to access and protect CLETS information in addition to the CJIS policy requirements.
Further, it can be difficult to know what protections to apply to data from different sources. For example, an individual’s address obtained by searching the Department of Motor Vehicles database through CLETS would be subject to Justice’s data security requirements, but the same information obtained from a local law enforcement agency database would not. Moreover, the personal information Los Angeles and Sacramento have entered into their ALPR search records does not include its origin, making the required level of protection unclear.
Given these issues and the need to identify a standard that can be uniformly applied to ALPR data regardless of their source, we believe that CJIS policy provides reasonable security measures for law enforcement agencies to protect all of their ALPR data. State law requires these agencies to maintain reasonable security procedures and practices to protect ALPR information from unauthorized access, destruction, use, modification, or disclosure. CJIS policy specifies operational, administrative, technical, and physical safeguards for each of these areas. For example, CJIS policy requires agencies to ensure that their sensitive data are encrypted, and it limits physical access to specific personnel authorized to access the data. Nearly all of the 230 agencies that reported using ALPR systems in response to our statewide survey—including Fresno, Los Angeles, Marin, and Sacramento—reported that their ALPR data storage solution complies with CJIS policy.
Nevertheless, we are concerned that the agencies using Vigilant may not be protecting their ALPR data in conformity with CJIS policy standards. Fresno, Marin, and Sacramento store their ALPR data in Vigilant’s cloud database, and CJIS policy requires agencies to ensure that the cloud vendors that store and process their criminal justice information comply with its security requirements. Such requirements include controlling physical access to sensitive data, encrypting the data, and conducting background checks and training for employees with access to criminal justice information. In addition, before providing sensitive data to a vendor, CJIS requires law enforcement agencies to identify necessary authentication and monitoring controls, such as two‑factor authentication and activity logging. Because the Vigilant software is by default accessible via the Internet, an officer may be able to access it using his or her personal device. The ability to access ALPR data in this manner bypasses the agencies’ network security safeguards and violates CJIS policy requiring agencies to monitor and control access to the data.
One way to prevent users from signing in to the Vigilant system using personal devices would be to implement authentication controls, such as two‑factor authentication. Two‑factor authentication involves a second level of verification, such as a passcode sent to a specific device, and allows agencies to require that the passcode be sent only to department‑issued devices. Although Vigilant offers two‑factor authentication, Marin, Fresno, and Sacramento do not use it. CJIS policy requires two‑factor authentication only for systems that directly access federal systems. However, this requirement recognizes that two‑factor authentication is more secure than a basic username and password login for systems like Vigilant that are accessible over the Internet. Thus, two‑factor authentication could serve as a best practice for agencies to prevent inappropriate access to their ALPR systems.
In addition, monitoring the activity logs can alert program administrators to unauthorized access of their ALPR systems. CJIS policy requires agencies to monitor access to systems that contain criminal justice information. Vigilant provides its clients with logs of network addresses that have accessed their ALPR systems, and although Marin’s ALPR program administrator stated that he reviews these logs, administrators from Sacramento and Fresno confirmed that they do not. Reviewing the logs of system access could help the agencies monitor access to their ALPR systems and detect whether someone accesses the ALPR system from an unrecognized network address.
When law enforcement agencies provide sensitive information to ALPR vendors, their contracts should provide assurance that the vendor will adequately protect that information. CJIS policy recommends several provisions that law enforcement agencies should consider including in their contracts to ensure that cloud vendors adequately protect criminal justice information. For example, a contract that protects a law enforcement agency’s data would make clear that the agency owns the data it uploads into the ALPR system, that the agency’s data will not be stored outside of the United States or Canada, and that employees at the cloud vendor who have access to unencrypted criminal justice information will undergo training and background checks. Without these contract provisions, agencies lack guarantees that the cloud vendor will implement appropriate protections of their data.
We found that the three agencies storing ALPR data in Vigilant’s cloud—Fresno, Marin, and Sacramento—do not have sufficient data security safeguards in their contracts. As Figure 3 shows, none of the agencies’ contracts with Vigilant meet all of the CJIS data security requirements. For example, the agencies’ contracts do not state that Vigilant will store their data in the United States or Canada. Marin’s contract does not make clear that Marin owns the data it adds to the ALPR system. It is important to note that Vigilant claims to implement data security measures that comply with CJIS policy. In a security and compliance memorandum, Vigilant lists steps it takes to encrypt data that may contain criminal justice information, as well as physical and network security safeguards it has in place to prevent unauthorized access to its ALPR cloud. We have no basis to dispute Vigilant’s claims, but without strong contract provisions requiring CJIS safeguards, the three agencies have no guarantee that Vigilant will protect their data. As CJIS policy states, ambiguous contract terms can lead to controversy over data privacy and ownership rights, whereas a contract that clearly establishes data ownership acts as a foundation for trust that the cloud vendor will protect the privacy of the agency’s data.
The Agencies’ Existing Agreements With Vigilant Do Not Contain Adequate Data Security Measures
Source: Agencies’ agreements with Vigilant and CJIS policy requirements.
A lack of IT department involvement and outdated contracts likely contributed to the data security weaknesses we observed. Fresno, Marin, and Sacramento have IT units that administer their systems and ensure compliance with Justice’s data security requirements. However, at Fresno and Marin, the IT units are responsible for network security and have little oversight of the ALPR systems’ data security. According to Fresno’s IT manager, Fresno’s main IT unit does not manage user accounts or monitor access to the ALPR system. Fresno has an IT analyst separate from the main IT unit who currently helps administer user accounts and provides technical support for the ALPR system; however, his background is not in network security. A deputy in Marin’s auto theft unit manages Marin’s entire ALPR system—including user accounts and training. This arrangement is not ideal, since individuals outside of an agency’s IT department may lack the expertise necessary to implement adequate data security safeguards. According to Sacramento’s ALPR administrator, Sacramento’s IT unit recently assumed responsibility for the ALPR system, but before about April 2019, an officer outside of the IT unit administered the ALPR system.
In addition, with the exception of Sacramento, the agencies have not updated their contract terms with Vigilant for several years. The agencies’ contracts renew each year when the agencies pay a service fee to Vigilant. As a result, Fresno has not updated its contract for three years, and Marin for nine years. Sacramento updated its contract terms with Vigilant in September 2019, after using its previous agreement for seven years. Agreements that are not kept current may reflect outdated practices or omit needed assurances, increasing the risk that data are not protected.
Los Angeles was not able to demonstrate that it has an agreement in place to protect its ALPR data from inappropriate access. Los Angeles stores its ALPR data in a city‑controlled data center rather than in a vendor cloud like the agencies that use Vigilant. Nevertheless, Los Angeles contracts with Palantir for IT support, and the FBI’s 2017 audit of Los Angeles’ data security practices identified Palantir as an entity with access to criminal justice information; thus we expected Los Angeles’ agreement with Palantir to meet CJIS policy requirements. CJIS policy requires agencies to enter into agreements with vendors that access their criminal justice information. The agreements are to include an FBI‑drafted security addendum that outlines specific safeguards a vendor agrees to put in place to comply with CJIS policy and an acknowledgment by the vendor of the great harm that may arise from misusing sensitive data. However, in response to our request for its agreement with Palantir, Los Angeles produced two expired contracts and a 2018 commodities agreement extending its licensing and support for Palantir software. None of these documents contained the FBI‑drafted security addendum. Thus Los Angeles was not able to demonstrate that its agreement with Palantir contains appropriate data protections to ensure that Palantir employees with access to Los Angeles’ ALPR data will not use the data for unauthorized purposes.
The Agencies Have Not Made Informed ALPR Image‑Sharing Decisions
A significant feature of ALPR systems is their ability to share information with users across other organizations. A variety of requirements and guidance exist regarding how law enforcement agencies should share ALPR data, including images. ALPR images contain the date, time, and location of the scanned license plate and largely relate to vehicles that are not linked to crimes. The risk that the images will be misused rises as the images are more widely distributed, and there are numerous examples of law enforcement officers misusing their access to various databases. For example, an Associated Press article from 2016 reported a case from the state of Georgia in which an officer accepted a bribe to search for a woman’s license plate number to see whether she was an undercover officer. Although such an example of misconduct is not representative of all law enforcement personnel, it illustrates the need for appropriate safeguards over law enforcement tools. Once a license plate is tied to an individual’s identity, which is easy for a law enforcement officer to do, ALPR images may make it possible to track that individual’s movements.
State law allows local law enforcement agencies to share ALPR images only with public agencies and requires sharing to be consistent with respect for individuals’ privacy. Further, guidance that Justice issued in October 2018 addresses the agencies’ governance of databases in relation to immigration enforcement, and this guidance provides a best practice for sharing in general. In the guidance, Justice encourages law enforcement agencies to inquire regarding the purpose for which an agency seeking access to their database intends to use the information and then, as a condition for accessing the database, to require agreements ensuring appropriate use of the data if its purpose includes immigration enforcement. The chiefs’ association also recommends that law enforcement agencies maintain ALPR image‑sharing records that include information on how the requester intends to use the images. The four agencies we reviewed asserted that they share ALPR images with others on the principle that these entities have a right and need to know the information. Because following state law necessitates establishing an agency’s identity, i.e., the right to know, and Justice’s guidance suggests establishing the purpose, i.e., the need to know, for which an agency intends to use the images, the agencies’ position seems consistent with state law and Justice’s guidance.
However, we had difficulty determining whether the reviewed agencies have actually made informed decisions about sharing their ALPR images. Fresno and Marin have each approved sharing their ALPR images with hundreds of entities, and Sacramento with over a thousand. Many of these entities are within California, but they also span most of the other 49 states. Figure 4 shows the entities’ locations, illustrating how widely distributed access to these ALPR images is. In addition, we could not always ascertain how the agencies determined whether an entity receiving access to images had a right and need to access them or even whether the entity was a public agency. We reviewed the lists of entities and found one that appeared to be a non‑public entity and others that were unidentifiable because they were listed only by initials. For example, Fresno, Marin, and Sacramento all approved an entity listed as the Missouri Police Chiefs Association (Missouri Association); however, this is not a public agency but rather a professional organization that provides training opportunities and advocates for pro‑law enforcement legislation. However, none of the agencies could demonstrate that they had evaluated the Missouri Association before sharing images, nor could they tell us why the Missouri Association had a right to those images. When we inquired with Vigilant, an official explained that despite the name, it is the Missouri State Highway Patrol—a law enforcement agency—that uses the account. The lists contain many other entities whose identities and law enforcement purposes are not immediately evident. Unless a law enforcement agency verifies each entity’s identity and its right to view the ALPR images, the agency cannot know who is actually using them. Although the three agencies reviewed their sharing arrangements to varying degrees during our audit, none could demonstrate that they perform this kind of verification before sharing their ALPR images.
Three Agencies Have Authorized Sharing With Entities Located in States
Across the Nation
Source: Analysis of data‑sharing reports from the Vigilant system.
Similarly, even when an entity is a verified public agency, it is not always evident that agencies are making informed decisions by establishing the entity’s need for the ALPR images. Fresno, Marin, and Sacramento all authorized sharing with the Honolulu Police Department, but given the distance between California and Hawaii and the limited instances of cars traveling between the two states, it is uncertain whether the Honolulu Police Department has a persuasive need for these ALPR images. Fresno’s ALPR administrator agreed that not a great deal of thought went into its decision to share with the Honolulu Police Department, and he believes that it probably authorized the share because the entity was a law enforcement agency. In contrast, Marin’s ALPR administrator believes that sharing ALPR images widely is important because the more information available to law enforcement, the more successful it can be in its mission. However, sharing decisions should also consider the importance of protecting individuals’ privacy. Each authorized share exposes the ALPR images to greater risk of misuse; therefore, the agencies should approach each sharing request individually based on the requester’s actual need for the images.
The three agencies have also relied on features in Vigilant’s software rather than establishing their own practices for sharing their ALPR images. A sound approach to sharing would include establishing each requesting entity’s need to know and right to know and keeping records of the assessment and resulting decision. However, none of these agencies maintain records outside of the Vigilant user interface of when or why they agreed to share with particular entities, and neither Marin nor Sacramento includes a process for approving sharing requests in their ALPR policies as state law requires. Fresno has outlined procedures that incorporate these elements, but it has not followed them. Fresno’s ALPR administrator explained that its procedures require more information than an entity requesting a share provides in the Vigilant user interface, and there has been frequent turnover in the position responsible for approving sharing requests.
Current administrators at the three agencies have difficulty understanding when and how sharing occurred because the information the Vigilant user interface displays has changed over time. The status of a sharing relationship in the Vigilant system depends on whether the involved entities’ accounts are active or inactive. Active entities have a current account with Vigilant while inactive entities do not. An agency may agree to share with an active entity that later becomes inactive. Images cannot be shared between active and inactive entities. However, unless an agency deliberately removes a sharing relationship with an inactive entity, that sharing relationship remains and would become operational if an inactive entity decided to renew its account with Vigilant and become active once more. Previously, Vigilant had structured its user interface so that inactive entities did not appear in the sharing report that shows a list of entities with whom an agency had agreed to share. Recently, Vigilant changed its interface to make inactive entities visible. Whether an entity is active is not apparent from the sharing report alone.
This change in the user interface and the fact that agencies kept no records of the shares they have authorized made it difficult for ALPR administrators at the agencies to know the status of current sharing relationships. For example, in 2014 a prior ALPR administrator for Marin had agreed to share images with three U.S. Immigration and Customs Enforcement (ICE) agencies. In December 2018, Marin’s current ALPR administrator used the Vigilant user interface to review the sharing report and noted that the report included no ICE agencies. However, when he reviewed the report again in August 2019—at our request—three ICE agencies appeared on the list. We discussed this discrepancy with Vigilant, which explained that the three ICE agencies were currently inactive. When Marin’s ALPR administrator reviewed the sharing report in December 2018, inactive agencies did not appear on the report, but Vigilant subsequently changed its user interface so that inactive agencies did appear. Although the ICE agencies could not access Marin’s ALPR images because they were inactive, to effectively end the share, Marin needed to remove the authorization for sharing with the ICE agencies, which Marin has since done.
According to Marin’s ALPR administrator, it is now the department’s position that it will not share images with ICE, but if it had remained unaware that the sharing relationships existed and the ICE agencies had become active again, it would have been sharing its ALPR images with them without knowing it was doing so. Had Marin kept its own records of the sharing to which it had agreed, it would have been aware that it had agreed to share with ICE in the past, and it would have been able to remove those shares promptly. Sacramento had also authorized sharing to ICE agencies in the past. When the current ALPR administrator reviewed the list of entities with which it shared images with in response to our audit, he removed those shares as well. In contrast, Fresno had never authorized any sharing relationship with an ICE agency.
Although none of the agencies using Vigilant currently share with ICE agencies, all three had authorized shares with entities with border patrol duties. Despite not having implemented any agreements related to this sharing since Justice issued its guidance in October 2018, the three agencies were all sharing with the San Diego Sector Border Patrol of U.S. Customs and Border Protection at the start of our audit. During our audit, Sacramento removed the share to this agency. Marin and Sacramento had also authorized sharing with an agency listed as “California Border Patrol,” and although Sacramento removed this share at the same time it removed the shares to ICE, Marin continues to share with this entity. Fresno continues to share with the Customs and Border Protection National Targeting Center. Although Sacramento had also authorized a share to this entity, it removed this share during our audit. All of these entities’ duties could potentially intersect with immigration enforcement. Justice’s guidelines for sharing data are particularly relevant in these cases, yet the agencies were either unaware of these guidelines or had not implemented them for their ALPR systems.
Of the four agencies we reviewed, only Fresno and Sacramento share hot lists they create, and they do so through a more controlled process than for sharing ALPR images. Vigilant’s user interface enables hot‑list sharing in addition to sharing ALPR images. In contrast to its wide sharing of ALPR images, Fresno shares the hot lists it occasionally uploads with only three law enforcement agencies in the nearby region. Sacramento has agreed to share six hot lists with eight law enforcement agencies in California. With each agency, Sacramento took the additional step of developing a memorandum of understanding providing guidelines for sharing the hot lists and the signature of the chief official at each agency. Although the memorandum does not specify which hot lists Sacramento will share, it does provide a record of the entities with which hot‑list sharing occurred, unlike its sharing of ALPR images for which no independent records exist outside the Vigilant user interface.
In contrast with the other reviewed agencies, Los Angeles has limited its sharing of ALPR images to entities within a regional structure established for its ALPR program through a federal grant that helped fund its ALPR program. As Figure 5 shows, Los Angeles shares ALPR images with 58 other law enforcement agencies in the region. It does not have agreements to share its ALPR images with any federal agencies, including ICE. According to the lieutenant who administers the ALPR program, Los Angeles decided to share images only with entities using the same software so that it could maintain greater control over its ALPR images. It has a formal agreement with each agency, which provides a record of its sharing decisions.
Los Angeles Shares Images With 58 Law Enforcement Agencies
Source: Analysis of data‑sharing memorandums of agreement.
The Agencies’ Image Retention Decisions Are Unrelated to How They Use the Images
None of the agencies considered the images’ utility over time when establishing their retention periods. Fresno based its ALPR image retention period on state law, which allows some cities to destroy certain video monitoring records after one year. Marin did not cite state law in its policy; its former ALPR administrator stated that when setting a two‑year retention period, he considered other agencies’ retention periods and the retention requirements for litigation related to investigations. Both Marin’s and Fresno’s ALPR administrators stated that they were not aware of any studies of how useful older images in their ALPR systems were to their personnel. In its ALPR policy, Sacramento cited a general state law that prohibits some cities from destroying records less than two years old. The lieutenant who oversees Sacramento’s ALPR program acknowledged that the agency has not conducted any statistical analysis to determine how long it needs to retain ALPR images. However, he stated that, although he was not involved in drafting the original policy, two years made sense considering federal regulations, which permit retention of criminal intelligence information for no longer than five years. The lieutenant cited those federal regulations as a best practice for retaining sensitive data, connecting the ALPR images to a tenet of federal regulations that law enforcement agencies should keep criminal intelligence information as long as it is useful, even though ALPR data are not criminal intelligence.
To develop a retention policy that better protects individuals’ privacy, an agency might begin by considering the time period during which ALPR data are most useful to law enforcement. To assess the usefulness of these images over time, we reviewed the four agencies’ ALPR searches over a six‑month period—between late January and September 2019, depending on when we visited the agencies—and found that personnel at three of the four agencies typically searched for ALPR images zero to six months old. When searching ALPR systems, investigators can enter search dates to target specific periods of interest. For example, on March 29, 2019, a Sacramento investigator searched for ALPR images from six days earlier—March 23—indicating that images less than one week old were relevant to that search. As Table 2 shows, we found that the searches agency personnel at the three agencies performed infrequently included older images. In fact, when investigators at Fresno, Marin, and Sacramento specified date ranges, most searches were of ALPR images that were less than six months old. In contrast, Los Angeles had a relatively even distribution of searches between those less than one year and those more than one year old. The Vigilant system defaults to showing the 50 most recent records when investigators do not specify a search date range. We analyzed 46,000 records for searches that did not specify a date range and found that investigators for Marin, Fresno, and Sacramento frequently did not seek further than the 50 default records, indicating that they generally were not interested in older ALPR images.
PERCENTAGE OF SEARCHES FOR IMAGES OF A SPECIFIED AGE
|RETENTION PERIOD||TOTAL SEARCHES OVER 6‑MONTH PERIOD ANALYZED||0 TO 6 MONTHS||6+ MONTHS TO
|1+ TO 2 YEARS||MORE THAN 2 YEARS|
|Los Angeles||5 years||28,874||42||8||29||21|
Source: Analysis of search records from the agencies’ ALPR systems between late January and September 2019, depending on when we visited the agency.
* The percentage of searches listed in this table beyond an agency’s retention period are likely from their personnel searching data belonging to other agencies with longer retention periods.
ALPR Image Retention Periods for 13 States
|New Hampshire||3 minutes|
|North Carolina||90 days|
|---------- LONGER THAN SIX MONTHS ----------|
Source: National Conference of State Legislatures, Automated License Plate Readers: State Statutes, March 15, 2019, and review of the listed states’ ALPR laws and guidelines.
Note: These states allow retention for longer periods for specific reasons, such as data used in investigations.
Other states have established retention periods that are generally shorter than the lengths of time California’s local law enforcement agencies are retaining ALPR images. The National Conference of State Legislatures identified at least 13 states that mandate maximum ALPR image retention periods. As the text box shows, these vary widely, from three minutes in New Hampshire to three years in Florida. Nevertheless, the majority of these states have retention periods that do not exceed six months. In contrast, 230 California agencies responding to our survey reported that they use ALPR systems, and nearly 80 percent of these—180 agencies—stated that they retain their ALPR images for more than six months. About 20 of those agencies indicated that they retain ALPR images for more than five years. Figure A.2 in Appendix A summarizes these responses.
The length of time law enforcement agencies need to retain ALPR images will vary depending on how they use the images. Narrow use—for one purpose only, such as locating stolen cars—could dictate a short retention window. Personnel we interviewed at each of the four agencies stated that investigators rely primarily on recent images to investigate some types of crimes, such as auto theft. In contrast, using ALPR images to solve complex crimes could necessitate a longer retention window. For example, first‑degree murder can be prosecuted at any time; therefore, a homicide investigator may be able to use ALPR images of any age to help solve a case. The four agencies we reviewed have access to information they can use to evaluate whether their ALPR retention periods are reasonable. Their systems record each time personnel search ALPR images, and these search records show the date of the search and the parameters used to narrow the search, such as location, date, and time. Agency administrators can analyze these activity logs to understand the images personnel are searching for and their relative ages.
Marin and Sacramento have allowed expired hot lists to remain in their ALPR systems for far longer than their specified retention periods. Unlike ALPR images, hot lists cannot be automatically deleted by the Vigilant system. Instead, the agencies define a period after which the hot list becomes inactive—meaning the ALPR system no longer generates alerts from the list—but the list remains stored in Vigilant’s servers until the agency deletes it. We found that Marin and Sacramento are retaining hot lists longer than necessary because their administrators were unaware of the need to manually delete them. They assumed that their Vigilant system would automatically delete inactive hot lists according to the designated purge schedule, as it does ALPR images. For example, Marin retained an inactive hot list of sex offenders for five years—three years longer than its two‑year retention period for ALPR images. Sacramento has retained multiple hot lists for as long as six years—four years longer than its retention period for ALPR images. The types of lists ranged from a hot list of Sacramento County sex offenders to a warrants hot list. When we brought the inactive hot lists to the agencies’ attention, the administrators at Marin and Sacramento acknowledged that the age of the hot lists exceeded the agency’s retention period, and they were willing to delete the hot lists.
Law enforcement agencies should consider both the usefulness of the ALPR images and individuals’ privacy when deciding how long to retain the images. Cost, however, is not a factor. According to the lieutenant who oversees Los Angeles’ ALPR program, the images are useful to investigators and the cost of storing ALPR images is not a significant factor in determining how long to store them. Nevertheless, two studies by a consultant to the National Institute of Justice and the chiefs’ association concluded that law enforcement agencies must consider the trade‑offs between privacy concerns and the utility of retaining the ALPR images they capture and store.
The Law Enforcement Agencies Have Failed to Monitor Use of Their ALPR Systems and Have Few Safeguards for Creating ALPR User Accounts
Instead of ensuring that only authorized users access their ALPR data for appropriate purposes, the agencies we reviewed have made abuse possible by neglecting to institute sufficient monitoring. ALPR systems should be accessible only to employees who need the data and who have been trained in using the system. However, the agencies often neglected to limit ALPR system access, to provide appropriate training to individuals with access, or to monitor accounts. Similarly, to ensure that individuals with access do not misuse the system, the agencies should audit the license plate searches users perform. Instead, the agencies conduct little to no auditing and thus have no assurance that misuse has not occurred.
Best Practice Safeguards for Establishing and Managing User Accounts
- Supervisor approval is a prerequisite for account access.
- ALPR training is a prerequisite for account access.
- Accounts defined as inactive are suspended.
- ALPR training is required for users linked to inactive accounts to regain active status.
- Accounts are deleted when employees separate from the agency.
Source: CJIS policy and the State Administrative Manual.
The Agencies Need Stronger User‑Access Safeguards
The four agencies we reviewed all failed to follow one or more best practices related to user access. State law requires agencies to maintain reasonable security procedures and practices to protect ALPR data from unauthorized access, and the text box lists five best practices for user access, from initiating an account to disabling it when an employee separates from the agency. Figure 6 shows the four agencies’ status in implementing these best practices. Each ALPR administrator stressed the concept of “need to know, right to know” as a key for data security; however, no agency followed all of the best practices that would help establish the need to know and right to know. For example, no agency had a requirement that supervisors approve staff requests for creating ALPR user accounts. Such a step would provide assurance that the staff member receiving the account had both a need and a right to access the information in the ALPR system. Los Angeles is particularly lax in this area because the protocol of its IT division is to include its ALPR software on each computer it assigns to staff, regardless of their position. Thus, staff who do not perform functions related to the ALPR system nevertheless have access to the system. In contrast, Sacramento follows all but one of the best practices listed in the text box. In doing so, it requires staff to prove their initial and continued need for ALPR data, among other access requirements.
The Agencies Lack Many Best Practice Safeguards for Establishing and Managing User Accounts
Source: Agencies’ policies, applicable procedures and protocols, and interviews with the agencies’ management.
Agencies could reduce instances of unnecessary access by ensuring that only those staff whose current work assignments require access to ALPR data have that access. The ALPR administrators at Marin and Los Angeles believe that supervisory approval is unnecessary because ALPR users are already privy to data they consider more confidential than ALPR data, such as criminal justice information. However, these views do not consider that ALPR systems capture images indiscriminately, irrespective of the criminal history of the individual who is driving the vehicle, and the images allow law enforcement to track individuals. Given that agencies retain these images for several months or years, a user could combine them with personal information from separate data sources to produce a great number of details about someone’s life, such as his or her political or religious affiliation. Without proper safeguards, staff could conduct this form of surveillance on any driver. In fact, the chiefs’ association acknowledged this possibility and warned that increasing ALPR use and data sharing would enhance the potential for surveillance. Thus, as the chiefs’ association concluded, limiting ALPR access to employees with the needs and the rights to access these data is a good step toward protecting the individuals whose privacy would be violated if the data were misused.
Ensuring that ALPR users are properly trained is another weakness among the agencies we reviewed. Three of the agencies do not ensure that all of their ALPR users are properly trained. The chiefs’ association called the training of authorized ALPR users “a critical accountability measure.” However, as Figure 6 shows, neither Fresno nor Los Angeles requires all ALPR users to complete ALPR training before initially obtaining system access. Although Los Angeles offers ALPR training, the detective who conducts this training confirmed that it is not required before users can access the ALPR system. Fresno’s policy encourages such training; however, its ALPR administrator confirmed that the agency does not provide training to all of its users. Further, Marin’s ALPR administrator stated that although Marin provides training when staff first receive access to the ALPR system, it does not require staff to renew their training in order to reactivate their accounts following long periods of not using the system. Without sufficient training, there is little assurance that ALPR users know and understand agency ALPR policies, including recent changes, or are aware of the limits on how they may use ALPR data.
Although the Fresno ALPR administrator agrees that the agency’s safeguards surrounding user access are currently inadequate and plans to improve them, the ALPR administrators at Los Angeles, Marin, and Sacramento believe their current practices are acceptable. The administrators at Marin and Los Angeles are reluctant to alter their agencies’ existing practices because they believe ALPR data are not as sensitive as other law enforcement data. We disagree with these views because, as we mention previously, ALPR data are sensitive and state laws require reasonable security procedures and practices to protect them. A basic protection for data that must be treated as sensitive is to limit who can access them.
In addition, as we mention earlier, the ALPR images law enforcement agencies collect largely involve vehicles that are not associated with crimes, and if the images were analyzed, the data could reveal behavior patterns and preferences that law enforcement could use to conduct surveillance on individuals. For example, according to a 2012 newspaper article, the New York Police Department collected license plate numbers of vehicles parked near a mosque. The department was purportedly trying to identify terrorist activities. Although the department justified this data collection as part of its strategy to identify potential criminal activities, it targeted mosques and collected license plate numbers at times without any leads or proof of terrorist connections. Given the sensitivity of the information collected in this example, access safeguards would ensure that only those staff who have a need and right to access an ALPR system would possess that privilege.
Law enforcement agencies could further improve safeguards by disabling employees’ accounts once they separate or after long periods of nonuse. We reviewed Marin’s and Sacramento’s processes for disabling accounts of separated employees. Both agencies follow a similar approach, relying on one part of the organization providing information to another. Sacramento produces a personnel transfer and separation list every two weeks, and the IT security group uses it to identify accounts to close. Although the IT security group generally disabled accounts promptly after receiving the list, we found that the contents of the list were not always current. For example, in one instance, a separated employee did not appear on the list until 46 days after his separation date in June 2019. According to a human resources specialist, employees submit their resignation paperwork late at times, which causes human resources to not process this paperwork until after an employee has left the department. Marin’s ALPR administrator said that he removes ALPR accounts once he receives a department‑wide email notifying him of an employee’s resignation or termination. He also stated that he checks ALPR accounts every few months to verify that active accounts match active employees. However, for one employee, the administrator did not disable his ALPR access until two months after he resigned in October 2019. In fact, the administrator did not disable this employee’s access until our office pointed out that the account was still active. The fact that Marin and Sacramento did not disable some accounts as necessary is problematic because the former employees could log into their accounts and access ALPR data from the web‑based version of the ALPR systems on any Internet‑capable device, not just office devices.
With regard to Los Angeles and Fresno, Los Angeles’ network manager described an automated process for deleting accounts linked to overall network access, which reasonably aligned with best practices. Conversely, Fresno’s ALPR administrator said that he periodically reviews the names of employees with user accounts but started doing so only in September 2019 when he learned of our audit. We did not test deleted accounts at either agency. Deleting accounts prevents separated employees from continuing to access ALPR data and is thus critical to protecting ALPR data and individuals’ privacy.
The Agencies Have Failed to Audit ALPR Users’ Searches to Ensure That Individuals’ Privacy Is Protected
State law requires law enforcement agencies that operate, access, or use ALPR systems to protect their ALPR data—including ALPR images—from unauthorized access, destruction, use, modification, or disclosure. The law specifically requires them to describe and implement a policy detailing how they will monitor their ALPR systems. According to state law, agencies that access or use ALPR systems must also conduct periodic system audits. In its reports on managing ALPR systems, the chiefs’ association stated that conducting audits aids in discouraging unnecessary or inappropriate use of the data; in addition, when agency policies include a strong auditing requirement, this reassures the public that their privacy interests are recognized and respected.
A primary form of auditing to prevent misuse is reviewing the searches users conduct in the ALPR systems. Users conduct searches for specific license plates. Even though law enforcement agencies that use or access ALPR systems can monitor searches simply by reviewing search records for red flags, such as an unknown user account, they should also conduct audits as required by state law. An audit entails a more rigorous approach, including evaluating risk and randomly selecting test items for review. Developing an audit of license plate searches, for example, would involve determining how many searches to review, how to select test items, and how frequently to conduct the audit. Law enforcement agencies have often found evidence of misuse of their databases, showing the need for auditing. For example, a news article reported that CHP investigated 11 cases of database misuse in 2018, including three involving officers improperly looking up information on license plates through CLETS without a need to know the information. The large datasets of ALPR images, dating back at least one year, that the four reviewed agencies maintain can be analyzed to reveal the daily patterns of vehicles that can be linked to individuals and their activities—most of whom have not engaged in criminal activity. A member of law enforcement could misuse ALPR images to stalk an individual or observe vehicles at particular locations and events, such as doctors’ offices or clinics and political rallies. Despite these risks, the agencies we reviewed conduct little to no auditing of users’ searches.
We asked key officials at the three agencies using the Vigilant system why they had not audited the searches users performed and found that either they were unaware of the auditing requirement in state law or the auditing they did conduct did not include user searches. Fresno’s policy states that it should conduct audits on a regular basis, but the ALPR administrator told us he believed audits are the responsibility of the Audits and Inspections Division within the department. However, the sergeant responsible for audits and inspections—who took charge in January 2018—responded that he was not aware of the requirement until our audit. Similarly, the Marin ALPR administrator was unaware of the state law requiring audits of ALPR systems until our audit and thus had not been conducting them. At Sacramento, the policy states that the ALPR administrator will conduct periodic audits of user searches. Even though Sacramento administrators had been monitoring some system functions, they had not audited searches of the older ALPR images. The officer administering the ALPR program until April 2019 said that she did not conduct these audits because her predecessor had not informed her that it was necessary. The ALPR program transferred to a new division in April, and according to the current ALPR administrator, limited staff resources have prevented him from instituting these audits.
Although the agencies have not been conducting audits, we considered the possibility that an agency employee or member of the public may have reported instances of ALPR misuse. We searched each agency’s records of internal affairs investigations from January 1, 2016, to the present for cases involving ALPR misuse and did not find any such cases. However, we do not consider this proof that no instances of ALPR misuse occurred. Given that the agencies were not regularly auditing their systems, ALPR misuse may have occurred and gone unnoticed and unreported.
To engage in meaningful auditing of their system users, all four agencies need to address the quality of the information users enter into the system as part of their searches. Before allowing users to conduct searches, Fresno, Los Angeles, and Marin require users to enter case numbers and reasons for the search; however, this is not happening consistently. We reviewed six months of user queries at the three agencies and found that users entered a wide variety of information in the case number field. For example, users at Los Angeles simply entered “investigation” into this field as well as descriptions of vehicles and actual case numbers. In contrast, Sacramento does not require users to enter either case numbers or reasons. Our review showed that in 66 percent of searches, Sacramento’s users left both fields blank. When users fail to enter any information or fail to include appropriate detail, identifying misuse through audits becomes nearly impossible.
Los Angeles faces additional hurdles in performing meaningful auditing because its ALPR administrators do not have immediate access to data on user searches. Instead, according to the chief data officer, administrators need to request that a software engineer from Los Angeles’ ALPR software contractor build and run a query in the system to obtain these data. In 2015 Los Angeles recognized a need to fix this software limitation to enable administrators to audit user searches. The chief data officer for Los Angeles stated that, although an initial upgrade provided an audit dashboard tool for administrators, subsequent software upgrades made this tool unusable, and the company that provides the software is developing a new one. He said that it is Los Angeles’ goal to have a new audit dashboard tool by the end of the first quarter of 2020, at which point he will work with the appropriate division within the department to develop an audit plan. Although we agree that an audit tool will facilitate audits, we believe it was entirely possible for Los Angeles to obtain the data on user searches, and thus it could have implemented a process for periodic system audits as state law requires, despite the difficulties.
The other three agencies also do not have an adequate policy or process in place for conducting meaningful audits. For example, Fresno’s ALPR policy states that it should conduct periodic audits, but its policy does not specify how frequently it will audit its ALPR system, who will perform those audits, who will review and approve the audit results, and how long it will retain the audit documents. Specifics such as these provide a clear road map for planning, conducting, documenting, and resolving audits. When followed, the agencies will have records demonstrating their necessary oversight. Marin’s latest policy—dated July 2019—also fails to cover these necessary details. Fresno and Marin began reviewing user queries subsequent to the beginning of our audit, but in the absence of an adequate policy or formal plan, their methodologies are lacking. For example, although Fresno began conducting audits that included a random sample of user searches, staff have not developed a formal plan and provided us only with handwritten notes on their methodology. Marin’s ALPR administrator has not instituted audits and is simply monitoring license plate searches by looking for instances in which the user did not enter a reason for the search or entered a reason that does not make sense, such as an investigation that does not exist. In addition, at both Fresno and Marin, the individual conducting the audits or monitoring is also a system user, creating a conflict when acting as a system monitor or auditor. Without sound methodologies, the agencies cannot be confident that they have sufficient protocols in place to detect misuse.
Other Areas We Reviewed
To address all the audit objectives approved by the Joint Legislative Audit Committee (Audit Committee), we reviewed two additional subject areas: whether the agencies offered opportunities for the public to comment on their ALPR programs and whether the Sacramento County Department of Human Assistance (Human Assistance) continues to operate an ALPR program.
Three Agencies Provided Information to the Public on Their ALPR Programs
State law requires that public agencies implementing ALPR programs after January 1, 2016, offer an opportunity for the public to comment about those programs. These opportunities increase public awareness that law enforcement agencies are using electronic means to collect information about vehicles in the community and offer a way for the public to provide feedback about the programs. The four agencies we reviewed began using ALPR before 2016 and consequently were not required to offer an opportunity for public comments. Nonetheless, three of the agencies took some steps to communicate with the public about their ALPR programs. Los Angeles and Sacramento published documents describing their ALPR programs, and at a Fresno City Council meeting, the public had an opportunity to comment on the selected ALPR vendor before the council voted on a new contract. The minutes from that meeting reflect that the public made no comments. This transparency helps foster public trust in law enforcement and government as a whole.
Human Assistance No Longer Operates an ALPR Program
Our audit scope included reviewing the ALPR program of Human Assistance, which provides Sacramento County residents with employment assistance and supportive services. Human Assistance contracted with Vigilant for three years to access ALPR images. Human Assistance did not operate its own cameras, and it used the ALPR images to investigate welfare fraud. According to the administrator of its ALPR program, Human Assistance ended its program in 2018 after determining that investigative staff rarely searched the images, so the program could not justify the cost. On November 1, 2018, Human Assistance deleted its ALPR user accounts, leaving the administrator’s account active for internal review. On May 31, 2019, Human Assistance’s ALPR agreement with Vigilant expired, and the administrator no longer has access to the account. Therefore, we did not perform any additional audit work pertaining to Human Assistance.
- To better protect individual’s privacy and to help ensure that local law enforcement agencies structure their ALPR programs in a manner that supports accountability for proper database use, the Legislature should amend state law to do the following:
- Require Justice to draft and make available on its website a policy template that local law enforcement agencies can use as a model for their ALPR policies.
- Require Justice to develop and issue guidance to help local law enforcement agencies identify and evaluate the types of data they are currently storing in their ALPR systems. The guidance should include the necessary security requirements agencies should follow to protect the data in their ALPR systems.
- Establish a maximum data retention period for ALPR images. The Legislature should also establish a maximum data retention period for data or lists, such as hot lists, that are used to link persons of interest with license plate images.
- Require periodic evaluation of a retention period for ALPR images to ensure that the period is as short as practicable.
- Specify how frequently ALPR system use must be audited and that the audits must include assessing user searches.
- Specify that those with access to ALPR systems must receive data privacy and data security training. The Legislature should require law enforcement agencies to include training on the appropriateness of including certain data in an ALPR system, such as data from CLETS.
- Require Justice to draft and make available on its website a policy template that local law enforcement agencies can use as a model for their ALPR policies.
Law Enforcement Agencies
- To ensure that their ALPR policies contain all of the required elements as specified in state law, by August 2020, Fresno, Los Angeles, Marin, and Sacramento should review their policies and draft or revise them as necessary. Also by August 2020 these agencies should post their revised policies on their websites in accordance with state law.
- To protect ALPR data to the appropriate standard, Fresno, Los Angeles, Marin, and Sacramento should do the following:
- By August 2020, identify the types of data in their ALPR systems and, as they review or draft their ALPR policies, ensure that they clarify the types of information their officers may upload into their ALPR systems, such as, but not limited to, information obtained through CLETS.
- By August 2020, perform an assessment of their ALPR systems’ data security features, and make adjustments to their system configurations where necessary to comply with CJIS policy best practices based on that assessment.
- By August 2020, identify the types of data in their ALPR systems and, as they review or draft their ALPR policies, ensure that they clarify the types of information their officers may upload into their ALPR systems, such as, but not limited to, information obtained through CLETS.
- To ensure that the agreements with their cloud vendor offers the strongest possible data protections, by August 2020, Fresno, Marin, and Sacramento should enter into new contracts with Vigilant that contain the contract provisions recommended in CJIS policy.
- To ensure that ALPR images are being shared appropriately, the specific agencies noted should do the following:
- By April 2020, Fresno, Marin, and Sacramento should review the entities with which they currently share images, determine the appropriateness of this sharing, and take all necessary steps to suspend those sharing relationships deemed inappropriate or unnecessary.
- As Los Angeles develops its ALPR policy, it should be certain to list the entities with which it will share ALPR images and the process for handling image‑sharing requests.
- By August 2020, Marin and Sacramento should each develop a process for handling ALPR image‑sharing requests that includes maintaining records separate from the Vigilant system of when and with whom they share images. The process should verify a requesting agency’s law enforcement purpose for obtaining the images and consider the requesting agency’s need for the images. The process should be documented in the agency’s ALPR policy and/or procedures.
- By August 2020, Fresno should revise its written procedures for ALPR image‑sharing, as necessary, to ensure that it follows those procedures.
- To minimize the privacy risk of retaining ALPR images for long periods of time, Fresno, Los Angeles, Marin, and Sacramento should do the following:
- By August 2020, review the age of the ALPR images their personnel are searching for and ensure that their retention periods for ALPR images are based on department needs. Each agency should reflect in its ALPR policy the updated retention period and state in its policy that it will reevaluate its retention period at least every two years.
- Include in their ALPR policies a retention period for data or lists, such as hot lists, used to link persons of interest with license plate images, and create necessary processes to ensure that those data unrelated to ongoing investigations are periodically removed from their ALPR systems.
- To ensure that ALPR system access is limited to agency staff who have a need and a right to use ALPR data, Fresno, Los Angeles, Marin, and Sacramento should do the following:
- By April 2020, review all user accounts and deactivate accounts for separated employees, inactive users, and others as necessary.
- Ensure that their ALPR policies specify the staff classifications, ranks, or other designations that may hold ALPR system user accounts and that accounts are granted based on need to know and right to know.
- By August 2020, develop and implement procedures for granting and managing user accounts that include, but are not limited to, requiring that supervisors must approve accounts for users, providing training to users before granting accounts, suspending users after defined periods of inactivity, and requiring regular refresher training for active users and training for users before reactivating previously inactive accounts. Each agency should also ensure that it has procedures in place to deactivate an account immediately for an account holder who separates from the agency or who no longer needs a user account.
- To enable auditing of user access and user queries of ALPR images, Fresno, Los Angeles, Marin, and Sacramento should do the following:
- By April 2020, assess the information their ALPR systems capture when users access them to ensure that the systems’ logs are complete and accurate and that they form a reasonable basis for conducting necessary, periodic audits.
- Ensure that their ALPR policies make clear how frequently they will audit their ALPR systems, who will perform those audits, who will review and approve the audit results, and how long they will retain the audit documents. Each agency should have in place by February 2021 an audit plan that describes its audit methodology, including, but not limited to, risk areas that will be audited, sampling, documentation, and resolution of findings.
- By June 2021, implement their audit plans and complete their first audits.
We conducted this performance audit under the authority vested in the California State Auditor by Government Code 8543 et seq. and in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.
ELAINE M. HOWLE, CPA
California State Auditor
February 13, 2020