Local law enforcement agencies are not adhering with privacy laws, the state auditor reported February 13.
The auditor reviewed four law enforcement agencies’ use of automated license plate readers (ALPR) and found:
The agencies did not always follow practices that adequately consider the individual’s privacy when handling and retaining the ALPR images and associated data.
All four agencies accumulated a large number of images in their ALPR systems, yet most of the images do not relate to their criminal investigations (99.9 percent of the 320 million images Los Angeles stores are for vehicles that were not on a “hot list” when the image was made, the auditor found).
Three agencies did not completely or clearly specify who has system access, who has system oversight, or how to destroy ALPR data, and the remaining agency has not developed a policy at all.
Two of the agencies add and store names, addresses, dates of birth, and criminal charges to their systems – some of the data may be categorized as criminal justice information and may originate from a system maintained and protected by the Department of Justice.
Three agencies use a cloud storage vendor to hold their many images and associated data, yet the agencies lack contract guarantees that the cloud vendor will appropriately protect the data.
Three agencies share their images with hundreds of entities across the United States but could not provide evidence that they had determined whether those entities have a right or a need to access the images.
Agencies may be retaining the images longer than necessary and thus increasing the risk to individuals’ privacy.
The agencies have few safeguards for creating ALPR user accounts and have not audited the use of their systems.
“To further ensure that individuals with access do not misuse the ALPR systems, the agencies should be auditing the license plate searches that users perform, along with conducting other monitoring activities,” the auditor recommended. “Instead, the agencies have conducted little to no auditing and monitoring and thus have no assurance that misuse has not occurred.”