LAPD's License Plate Reader System Failing To Protect Driver Privacy, Audit Finds
LOS ANGELES (CBSLA) – A state audit this week blasted the Los Angeles Police Department and three other agencies for not doing enough to protect the privacy of the driver data they collect from their license plate readers.
The report released Thursday determined that the LAPD's Automated License Plate Reader (ALPR) system has failed to protect driver privacy regarding how it shares its data and who can access it.
"We found that the agencies have risked individuals' privacy by not making informed decisions about sharing ALPR images with other entities, by not considering how they are using ALPR data when determining how long to keep it, by following poor practices for granting their staff access to the ALPR systems, and by failing to audit system use," the California State Auditor wrote in its report.
The report found that 99.9 percent of the 320 million ALPR images currently stored in the LAPD's system are for vehicles that are not on its hot list. A hot list is for vehicles of interest wanted in crimes or linked to people of interest in criminal investigations. Software will automatically compare a license plate recorded by the ALPR to see if it matches any on the hot list.
The LAPD was the only Southern California agency mentioned in the report, with the other three in Northern California: the Fresno Police Department, Marin County Sheriff's Office and Sacramento County Sheriff's Office.
Under Senate Bill 34, which was signed into law in 2015, California agencies are required to maintain "reasonable security procedures and practices to protect ALPR information."
However, the LAPD is the only agency in California that does not have an ALPR usage and privacy policy, which is required under SB 34, the audit found.
Furthermore, the report found no excuse for the lax ALPR security protocols, stating that all four agencies in question have been using the same ALPR vendors going back as far as 2007.
In a Feb. 4 letter responding to the report, LAPD Chief Michel Moore wrote that his agency "has the utmost respect for individuals' privacy and currently has policies and procedures in place to safeguard personal information stored on the ALPR Systems."
Moore went on to say that the department will put together an ALPR policy which will be released by April.
Here is Moore's full letter below:
"In response to your draft report titled "Automated License Plate Readers: To Better Protect Individuals' Privacy, Law Enforcement Must Increase Its Safeguards Over the Data It Collects," I would like to inform you that the Los Angeles Police Department (LAPD) has the utmost respect for individuals' privacy and currently has policies and procedures in place to safeguard personal information stored on the Automated License Plate Reader (ALPR) Systems. Personnel who utilize ALPR data have been through extensive training on accessing and using the data on a right to know and need to know basis. The LAPD continuously reviews all user accounts and deactivates accounts for separated employees, while allowing ALPR access to all active employees who have attended the training.
"Although our dedication to protecting individuals' privacy is covered in our day to day operations and procedures, the Department is currently working on an ALPR policy to ensure that the protection of those rights is also memorialized in our Department Manual. The aforementioned ALPR policy will be completed by April 2020 and posted on the Department website once it is completed, as required by state law. The policy will address the types of information personnel may upload into the ALPR systems, as well as the retention period for the data or lists (i.e., hot lists used to link persons of interest with license plate images). The LAPD will perform an assessment of the systems' data security features and retention periods for ALPR images to evaluate the need for adjustment, prior to publishing of the ALPR policy. Furthermore, the policy will list the entities the Department shares ALPR images with and the process for handling image-sharing requests.
"To ensure the ALPR policy is up to date and our ALPR systems are capturing proper information, the Department will perform periodic audits to assess the information the systems capture when accessed by the Department users. Per the recommendations listed in your audit draft report, the Department will have a plan that describes the periodic audits by February 2021 and will complete the first audit by June 2021."