The Oakland Police Department released a data trove with nearly 5 million license plate scans earlier this week to the media, honoring Ars Technica’s public records request. Ars Technica analyzed data from more than 1 million individual license plates that were scanned 4.6 million times over the course of three and a half years.
But the disclosure — one that Ars said is likely one of the largest publicly released datasets in the world — has been received by privacy experts with mixed emotions: they praise and encourage government transparency but fret over the risks not only of police storing the data but also of it being available to anyone who fills out a Freedom of Information Act request.
Police departments across the country have been using license plate readers (LPRs) — cameras usually attached to the grill of a police cruiser — to locate stolen vehicles and cars involved in past crimes. The biggest issue is that police departments like Oakland are holding onto this data for an extended period of time, which makes it more revealing about people’s everyday lives.
“If you have one plate scan of one car, all you have is this car was at this place at this time — not what the driver was doing,” said Jennifer Lynch, senior staff attorney with Electronic Frontier Foundation in San Francisco. “But over multiple days, you can get a picture of what someone is doing, where they’re going and why. You can start to make pretty broad assumptions of someone’s life with the more data you have.”
LPRs are indiscriminate. They scan the plates that are around them, alerting police officers whether a plate belongs to a stolen car or one linked to a crime. Those plate hits, which account for less than 1 percent of all scanned plates, are stored along with those belonging to passersby.
To best protect privacy, “you don’t want to create unnecessary conglomerations of personal information,” said Jay Stanley, American Civil Liberties Union senior policy analyst, privacy and technology in Washington, D.C. “No good can come of that. Whether it’s abuse from the people who hold the information, hacking, leaks or access by public info requests.”
Location information is particularly sensitive because the accumulation of data points over time shows where someone lives (or spends most of their time), where their friends live, or whether someone has a substance abuse problem.
The dataset didn’t include addresses or other personal information found in Department of Motor Vehicles (DMV) records, Ars reported. Only the police have the ability to link DMV records with scanned plate numbers. However, if a person’s plate number is known, their whereabouts can be tracked.
And because the data is publicly available through a records request, there is a potential for stalking or physical harm.
“There might be people involved in abusive relationships where they told their spouse they were somewhere and this data shows they were somewhere else. Of course we haven’t gotten to that point, but as the tech becomes cheaper we could see three of these on every block,” Stanley said.
Stanley believes the data should be stored in the first place but there’s an upside — even if it’s a conflicted one. “The positive of it is at least you’re seeing what the police are storing, but the other side is the sensitivity of the information heightens the security risk.”
One takeaway from Ars Technica’s data analysis is that if over a million plate scans are being collected every year in a small city of about 406,000, the impact in larger municipalities is even greater and needs to be exposed.
“We don’t know how license plate readers are being used by large agencies like LAPD and LA Sheriffs, where they’re collecting 3 million license plate scans a week. It’s important for this information to be released to the public so the public can see how much data is being collected, where the neighborhoods are that cops are focusing on, are there certain communities that are being burdened by this kind of surveillance technology more than others,” Lynch said.
But new technologies, especially data-driven tools, have become staples in police departments that want to drive down crime, and hopefully prevent it. Police and new technology have a checkered past that includes nuanced and blatant brushes with privacy and civil liberty violations.
In addition to predictive technologies based on crime data, police also rely on social media surveillance, smartphone tracking and drones to deter and reduce crime.
The public often worries when police get new toys without consulting them first, Lynch said. “That’s why the Seattle Police Department no longer has drones and the Domain Awareness Program in Oakland got scaled back so completely.”
For LPRs, several states have passed or are working toward legislation that limits how long police can keep license plate scan data if the plates aren’t linked to criminal activity. Earlier this week, the Minnesota legislature reached a deal to purge LPR data after 30 days.
“In holding onto the data, law enforcement is arguing that, ‘if we hold onto the data, then we can use it to solve crimes that happen in the future.’ That’s not how our criminal justice system is set up. Law enforcement should be doing investigations when a crime happens or when there’s ongoing activity at a specific location. They should not just be storing information on everybody when people are completely innocent at the time the data is collected.”
But making sure what police do collect is available for public scrutiny is paramount. “Our open government laws were designed to let the people know what the government is doing,” Lynch said. “Realistically, I don’t think anything will change until law enforcement are forced to release [collected] information like Oakland did.”
That way, police can think about policies and the impact new technology will have on the community they serve.
