Like you, I’m a law-abiding citizen.
Well, most laws that I can abide by, anyway. (That was a joke, officer. Honest.)
My emotions, though, still aren’t aligned with former Google chairman Eric Schmidt’s. It was he who insisted that “if you have something you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.”
I’m therefore a touch perturbed by new information that has drifted my way. My irregular reading of the state of California’s audits has just offered a troubling view of how some police forces apparently look after data. Or, perhaps, don’t.
This audit, you see, concerned automated license plate readers. And, should you live in California, as I do, it may concern you.
The auditors looked at how four law enforcement bodies — Fresno Police Department, Los Angeles Police Department, Marin County Sheriff ‘s Office, and Sacramento County Sheriff ‘s Office — commit themselves to data privacy.
After all, they collect license plate images and follow a vehicle’s movements. What might they do with all that data?
Here’s a fun sentence from the audit report: “None [of these agencies] had audited searches of the ALPR images by their staff and thus had no assurance that the searches were appropriate.”
That seems a touch awkward. Anybody could be taking a peek at your movements — and mine, as I live within a mere electric bike ride from one of these police jurisdictions — and, well, doing what with them? Or about them?
Sadly, the audit report had more joys. Sample: “Three of the four agencies have shared their ALPR images widely, without considering whether the entities receiving them have a right to and need for the image.”
You mean someone — maybe or maybe not a law enforcement officer — in, say, Florida knows where I go to Starbucks?
Please, I understand how this technology allows law enforcement to check whether a known miscreant’s car has been seen in the area. I may not like it, but I do understand it. Although the audit does mention there’s been evidence that individual police officers have used the data to follow their ex-lovers and neighbors around.
The audit says the four agencies kept data for an arbitrary amount of time and that the LAPD has no policy at all for the way such data is handled.
There was a little silver lining: “We found that Sacramento and Los Angeles are adding names, addresses, dates of birth, and criminal charges to their ALPR systems, which are then stored in those systems.”
And how about this: “We did not find evidence that the agencies had always determined whether an entity receiving shared images had a right and a need to access the images or even that the entity was a public agency.” That last part is a touch imperfect, I fear. It seems actually possible that my movements are being sent to, well, anyone.
Three of the agencies kept the data in the cloud. Hark the auditors: “None of the contracts these three agencies have with their cloud storage vendors include all necessary data security safeguards.”
The San Francisco Chronicle reported that the Marin County Sheriff’s Office was sure that its cloud vendor followed secure practices. The Sheriff’s Office did, though, add a more chilling thought: That it couldn’t follow more of a detailed policy because, well, you never know when a particular image might suddenly become useful in a particular legal case.
Naturally, I wanted to climb on my highest mare and wax with indignation. It was, then, though, that I considered how many corporations now follow us with entire abandon and opaque details of whom they might send our intimate information to.
Everyone’s doing it, so why be surprised that the police may do it too?
This is the world we’ve (allowed to be) created.
One in which we never know who might see where we go, with whom, and even what we think.