Government Surveillance, Privacy & Data
ICE Accesses Commercial License Plate Reader Database—We Want Access to ICE
The United States Immigration and Customs Enforcement (ICE) agency recently issued a contract request for query-based access to a commercial license plate reader (LPR) database. On December 27, 2017, ICE released a Privacy Impact Assessment (PIA) in which ICE confirmed it had procured this service. On Friday, February 2, we filed a Freedom of Information Act (FOIA) request with ICE seeking information on the contract, as well as any internal training materials, policy memos, and documents related to how ICE agents plan to use the commercial database and LPR data. We filed this request because ICE’s access to a commercial LPR database raises multiple concerns: 1) ICE’s policy permits excessive access to and retention of LPR data; 2) The “hotlist” feature provides ICE the ability to monitor ongoing movements of designated license plates indefinitely and without clear restrictions; and 3) This access may undermine limits on racial profiling and surveillance at ‘sensitive locations.’
What is License Plate Reader Data?
License plate readers (LPRs) are devices that are mounted on cars or stationed at specific locations like parking lots, toll bridges, etc., that use high-speed cameras to capture photographs of the license plate of every passing vehicle. These devices also contain software that digitally converts the information in the photograph into a computer readable format. ICE’s PIA states these photographs may include all or some of the following information: the license plate number; digital image of the license plate as well as the vehicle’s make and model; state of registration; camera identification (the camera owner and type); global positioning system (GPS) coordinates or other location information taken at the time the information was captured; date and time of observation; and the image of the driver and passengers.
This data can easily reveal visits to places of worship, trips to medical clinics, and sensitive meetings like alcoholics anonymous…
LPR data is a type of location data, as it provides confirmation of a vehicle’s location at a specific time and place. This location data can reveal sensitive and personal information about individuals associated with the vehicle. Indeed, even ICE recognizes this concern, “[d]ata regarding a vehicle’s location—particularly when collected over an extended period of time and retained—could potentially reveal additional information about an individual that is not necessarily used for a specific law enforcement activity or is sensitive because it reveals activities that might be constitutionally protected or that raise no law enforcement concerns.” For example, this data can easily reveal visits to places of worship, trips to medical clinics, and sensitive meetings like alcoholics anonymous, which in turn can be used to infer one’s religion, medical condition, or dependency on alcohol.
The amount of collected, stored, and shared LPR data is enormous, and evergrowing. Law enforcement has increasingly turned to using this type of data, and law enforcement demand for it has fueled the growth of the private LPR data market. Rather than operate their own LPRs, law enforcement agents can simply purchase a subscription to access a private company’s trove of LPR data. As LPRs become more ubiquitous it’s not hard to imagine a near future in which law enforcement can track any driver’s movements without a warrant simply through a subscription service akin to the one ICE just purchased. This threat matures into reality as some of these private vendors become outsized. ICE confirmed that it is contracting with West Publishing, which is partnering with Vigilant Solutions, one of the most well-known private vendors of LPR data. Vigilant Solutions has as many as 2.2 billion data points stored, and its database continues to grow every month. Furthermore, it retains the data it collects indefinitely. While LPRs are useful to law enforcement, the LPR database is a surveillance tool generally used without independent oversight that poses an enormous privacy risk.
Problems with ICE’s Access to Commercial License Plate Reader Data
Foundationally problematic is that ICE can access LPR data, aka location data, without a warrant. Knowing that its warrantless access to a massive database of stored location information raises several privacy and civil liberties concerns, ICE has taken some mitigating steps. For example, ICE stated that its agents won’t use the database for data mining. And, the vendor is required to provide ICE with an audit log of queries to ensure agents abide by policy mandates. The 2015 PIA ICE released when first considering commercial LPR data stated that ICE supervisory agents would review this audit log quarterly– the 2017 update is silent on such timing. ICE also requires that personnel undergo training on the non-discriminatory use of the commercial system. While encouraging, it is important to note that these measures are policy decisions that can be altered or revoked anytime at ICE’s discretion. Further, some of the decisions ICE made in the vein of protecting the privacy and civil liberties of the public warrant further justification and clarification:
Actual Restrictions on Access to and Retention of Historical LPR Data are Needed
ICE self-imposed durational limits on how far back its agents can query the database, which is a great step towards protecting privacy, however the limits are hardly restrictive. When agents of the ICE Office of Enforcement and Removal Operations (ERO) query the database for a civil immigration matter, unless they choose to limit the timeframe they want to search, they can receive results five years back. ICE rationalizes this duration by stating that the average length of vehicle ownership is five years. Homeland Security Investigations (HSI) agents can access data as far back as the statute of limitations of the offense they’re investigating. Agents of both entities who query the data can exceed these restrictions simply with approval from their supervisors. This length of time is incredibly excessive, especially for the types of enforcement that ICE uses to justify this contract, like picking up an individual for removal. After ICE accesses the data, its retention policies allow ICE to retain this data for decades. Data that ERO moves to an electronic record system are maintained for 75 years, and data HSI moves to their electronic records are permanently retained. These are not meaningful restrictions and more privacy protective restrictions would do no damage to ICE investigations.
Policy on Placement on the Hotlist Needs Clarification
ICE’s 2017 PIA states that the vendor will provide the ability to put license plates in an alert list, or “hotlist.” That is to say, anytime a new result is found for a designated license plate, the officer who requested the designation will receive a notice. There is no doubt that this is a helpful feature for ICE agents to accomplish their enforcement responsibilities. ICE deserves credit for acquiring a system that prompts removal of license plates from the hotlist after a year. That said, ICE can renew a license plate’s designation on the hotlist every year—indefinitely. It is vital that ICE be clear about the circumstances that warrant placement on this list, because this feature puts individuals under constant surveillance. The 2017 PIA does not begin to provide sufficient clarity, stating only that “ICE users are permitted to add license plates to alert lists only when they pertain to an ongoing criminal or administrative investigation.”
The Policy Could Undermine Efforts to Stop Racial Profiling and Surveillance at Sensitive Locations
DHS and ICE have a policy regarding the role of racial profiling in their investigations. To prevent the placement of LPRs in communities based on race, restrictions need to be imposed on the vendor with which they have contracted. The documents available to the public contain no such explicit restrictions. DHS and ICE also have a policy on “sensitive locations.” In 2011 ICE issued a memo 10029.2 Enforcement Actions at or Focused on Sensitive Locations, stating that ICE would not engage in enforcement actions at ‘sensitive locations’, with some exceptions including exigent circumstances and prior-approval from a supervisor. These enforcement actions include arrests, interviews, searches and, important for our purposes—surveillance. Sensitive locations have been defined to include but not be limited to: schools, hospitals, institutions of worship, the site of a funeral, wedding, or other public religious ceremony, and a site during the occurrence of a public demonstration, such as a march, rally, or parade. In its 2015 PIA, ICE stated that, “[]LPR data will only be collected and used in accordance with ICE Policy 10029.2 and future DHS and ICE policies governing enforcement actions at or focused on sensitive locations.” This policy is undermined if vendors collect data from LPRs placed at sensitive locations. Are there restrictions on where non-ICE owned LPRs will be placed? To what extent can ICE direct a vendor to place LPRs, or to refrain from placing a LPR? We need more information, including the information sought in our FOIA request.
ICE’s PIAs demonstrate that the agency has thoughtfully considered some of the concerns raised by ICE agents’ access to a commercial LPR database, and ICE has taken some deliberate steps to make its use of the data less intrusive. However, more steps should be taken to protect privacy, and more information is needed to ensure that the use of LPR data does not undermine the existing restrictions on ICE’s behavior like the policy guidances on Sensitive Locations and Racial Profiling. Hopefully our FOIA request yields information that alleviates these concerns.