EFFecting Digital Freedom
by Dave Maass
Defending Privacy on the Roads
I like to imagine that if vehicle license plates hadn't been invented, the public would never stand for them if they were introduced today. With technological advances in character recognition, CCTV networks, data analysis, and geomapping, people would understand that a license plate would be little more than a beacon for the surveillance state to track your movements.
This mental exercise does little to help me sleep better at night. My mind runs circles around the problem of Automated License Plate Recognition (ALPR) systems. How do you fight mass surveillance when the government mandates that you wear the thing they're tracking?
ALPRs are networks of cameras that photograph any license plate that appears within view, extract the plate number into a machine-readable format, and combine it with the time, date, and location of the plate capture. The systems can collect data on thousands of vehicles every hour. It is one of the most pervasive mass surveillance technologies in use by local law enforcement agencies around the country. A 2012 Police Executive Research Forum survey found that 71 percent of agencies surveyed used ALPR. These days, I get several email alerts each week from a government procurement website telling me that an agency - often multiple agencies - have bought ALPR systems or renewed their ALPR contracts.
Law enforcement agencies employ ALPR in three distinct ways: stationary, mobile, and through private database access. In the first scenario, police install cameras on street lights, telephone poles, and other static locations to capture plates as they pass. Police also mount ALPR cameras to patrol vehicles, then drive around areas collecting plates (often of parked cars). These systems often use "hot lists" to ping the police every time a particular vehicle is spotted. Police agencies also subscribe to privately maintained ALPR databases by companies that aggregate data that the companies have either collected themselves or acquired from other agencies.
Proponents will say that ALPR systems are really no different than a police officer back in the day jotting down plates in his notebook. There's nothing private about this information, they say, since the cars are in plain view. Of course, it is very different and the information is very personal: by collecting thousands of plates each day and storing them for significant periods of time, ALPR gives police the ability to discover sensitive information about drivers. In aggregate, these data points can reveal where you work, where you sleep at night, what churches you attend, and what doctors you visit. Ultimately, we're talking about a surveillance system that collects far more information on innocent people than it does genuine suspects.
Police argue that ALPR is an important tool to locate stolen cars or to find kidnapped children, but we've seen these tools proposed for far lesser offenses. The DEA has acknowledged that one of the primary values of ALPR is how it helps them seize currency from drivers. Louisiana police proposed a pilot to install a state-wide ALPR system to scan for uninsured drivers. Meanwhile, police in Florida use ALPR data to identify cars driving through neighborhoods known for prostitution. They then send intimidating "Dear John" letters to the registered vehicle owners warning them about sexually transmitted diseases and warning them that they should refrain from driving into that area.
The companies that sell ALPR systems have their own agendas. Vigilant Solutions, for example, gives police free ALPR cameras in exchange for a cut of the proceeds from collecting on unpaid fines. The benefiting agency has to hit a regular quota to keep the devices.
If you worry about your communication being snooped on, you can use encryption. But there's no simple solution for license plates, since many states have laws forbidding anything that would make it difficult for a police officer to read your plate. In California, the law even bans anything that would make it difficult for ALPR.
That leaves few options. You could go the Steve Jobs route and lease a new car every six months. You could use a full-vehicle cover or attach a bumper protector, but that would only protect your privacy when you're parked. In those wee, sleepless hours, I fantasize about a coordinated citizen effort to paste printouts of license plates around a city so that it produces so many false positives that ALPRs become fatally unreliable. Setting aside that it would be a cast-of-thousands production, the other major hurdle with that idea is that without access to the ALPR devices or raw data, we'd have no way to know if it worked. Chances are the manufacturers would quickly adjust their algorithms anyway.
So far, our battle has been over transparency and accountability. EFF is currently suing the Los Angeles Police Department and Los Angeles County Sheriff's Department to get access to a week's worth of ALPR data under the California Public Records Act. The agencies claim that it's all protected from public disclosure because they are investigative records. Who's under investigation? Everyone, they say. That case is now before the California Supreme Court.
We had better luck with the Oakland Police Department, who did provide us with a week's worth of collected plates. EFF Technologist Jeremy Gillula and I analyzed and mapped out the data. Through time lapse, we were able to see how police vehicles mounted with ALPR cameras wound their way through the city, street-by-street, gobbling up plates, like one of those old "Snake" games on a Nokia phone. It also became clear that Black and Hispanic areas of the city were under far more intense vehicular surveillance because of the naturally higher crime rates and destination of stolen vehicles.
ALPR present another threat to privacy: bad security practices on behalf of the police. Piecing together research from various security engine, EFF Technologist Cooper Quintin and I were able to identify dozens of police ALPR cameras that were insecurely connected to the Internet, mostly in Southeastern Louisiana. In some cases, the control panels and live video streams from the cameras were viewable through a browser - no password required. You could also siphon off the live plate data as it was being transmitted to the central servers.
We did score one major legislative victory in California this year: a new bill - S.B. 34 - classifies ALPR data as sensitive information under the state's data breach law. It also requires agencies that use ALPR to take adequate measures to protect ALPR data and to publish privacy and usage policies. Private citizens can now sue if they are harmed by an ALPR data breach.
As for the people who believe that if you've done nothing wrong, you've got nothing to worry about: just ask Denise Green. San Francisco police pulled the innocent driver over, held her at gunpoint, handcuffed her, forced her to her knees, and then searched both her and her vehicle - all because an ALPR camera misread her plate and the officers didn't bother to verify the number. You can also ask 74-year-old Richann Flynn, who The Sacramento Bee reported received 55 notices from the Bay Area Toll Authority, accusing her of failing to pay tolls for bridges she hadn't crossed in at least 15 years. Again, she was the innocent victim of a flawed automated system.
ALPR is really only the beginning. We're also beginning to see government agencies adopt crossover technologies, such as Xerox's "Automated Vehicle Occupancy Detection," which is supposed to determine whether there are enough people in a vehicle to justify use of the carpool lane. Already, ALPR companies are devising ways to use facial recognition to conduct similar tracking surveillance.
But you can rest assured that we'll be up all night fighting back.
Dave Maass is an investigative researcher at the Electronic Frontier Foundation, working on its Street Level Surveillance project.