The Fresno Police Department should do more to protect the privacy of drivers whose license plate numbers are captured with its camera system, a new state audit says.

“We determined that the law enforcement agencies we reviewed must better protect individuals’ privacy through ensuring that their policies reflect state law,” California state auditor Elaine Howle wrote. “In addition, we found that these agencies must improve their (Automatic License Plate Reader) data security, make more informed decisions about sharing their ALPR data, and expand their oversight of ALPR users.”

Howle found that the agencies reviewed did not meet state standards for protecting the stored images of license plates. She recommends that the Legislature draft policies on the type of data collected, how long its stored, and monitor who is viewing the information.

Despite the concerns about security and privacy, the audit does not accuse Fresno police of misconduct involving the license plate data.

But Fresno’s top cop said he would reconsider the department’s policies.

“Building trust in the community is paramount to our agency as we continue our on-going efforts to be a model community policing agency.  We will utilize this audit to ensure those goals are achieved,” Fresno Police Chief Andrew Hall wrote in the department’s official response to the audit.

Hall anticipates that the department will implement many of the auditor’s recommendations in advance of the suggested August timeline.

The auditor examined the police departments of Fresno and Los Angeles, as well as the sheriff’s offices in Marin and Sacramento counties.

License Plate Readers

The audit did not take issue with capturing images of license plates in public, either from a fixed camera on a light pole or attached to a police vehicle. It reasoned there is no expectation of privacy when driving in public.

Once the camera captures a license plate number, a database examines whether the number matches a “hot list” based on vehicles associated with criminal investigations.

Fresno PD started using Vigilant Solutions, LLC, to record license plates in 2016 at a cost of $75,000 a year. The firm provides eight mobile cameras. The auditor applauded Fresno for publicly discussing the recording of license plates before it started doing it.

Auditor Review of Fresno

State law (SB 34) requires policies that cover who is allowed to access the system; training to access the system; description of how security and privacy will be ensured; policies on restricting sales, sharing or transfer of data; and how long the data is retained.

The audit found that Fresno PD does not have policies on who has access to ALPR data, how the database is monitored, and selling the data.

Fresno’s policy is to retain ALPR images for a minimum of one year, but could keep it longer if it is “relevant to investigations.”

There is no state law dictating how long images are stored.

Hall said the department would amend its policy to keep records for six months.

When examining records for a six-month period, the auditor did not find personal information of drivers mixed with license plate data.

That did not alleviate the auditor’s concerns.

“However, the possibility exists that law enforcement personnel could enter sensitive information into open text fields during ALPR searches,” the audit says.

Concerns About Accessing Records

The auditor found fault in the way the data is stored in a cloud system, concerned that it could be accessed by officers on their personal computing devices. The audit recommends more security safeguards, such as two-factor authentication.

“Fresno has an IT analyst separate from the main IT unit who currently helps administer user accounts and provides technical support for the ALPR system; however, his background is not in network security,” the audit said.

The audit recommends stronger access safeguards, including mandatory training. Fresno only “encourages such training.”

An audit of who is accessing the system, which department policy says should be done on a regular basis, is not happening. The audit noted that 231 people within the department have access to the system.

“The ALPR administrator told us he believed audits are the responsibility of the Audits and Inspections Division within the department. However, the sergeant responsible for audits and inspections — who took charge in January 2018 — responded that he was not aware of the requirement until our audit,” the report states.

Hall says policies are already in place to audit who has access to the system.

“Access will be granted on a need-to-know and right-to-know basis for sworn department members and crime specialists who have investigative responsibility,” Hall wrote in his response.

Sharing With Other Agencies

The audit also suggests more verification policies for sharing data. Fresno shares data with 982 other law enforcement agencies nationwide.

Fresno, along with Marin and Sacramento, listed one such agency as the Missouri Police Chiefs Association, a trade group and not a law enforcement agency. Vigilant explained to the auditor that the agency was mislabeled, and was actually the Missouri State Highway Patrol.

The auditor also wondered about the value of sharing data with the Honolulu Police Department, given the unlikeliness of cars traveling back and forth.

“Fresno’s ALPR administrator agreed that not a great deal of thought went into its decision to share with the Honolulu Police Department,” the report said.

Privacy Concerns

The audit report cites privacy concerns several times.

“This storage, retention, and searching of the images, although valuable to law enforcement, has the potential to infringe on individuals’ privacy,” the report notes.

The ACLU has long expressed concern about this.

“The ACLU stated that increasing numbers of cameras, long data retention periods, and sharing of ALPR images among law enforcement agencies allow agencies to track individuals’ movements in detail, and it has voiced concerns that such constant monitoring can inhibit the exercise of free speech and association,” the audit says.

Other concerns include inappropriately monitoring movements of ex-spouses or neighbors. Tracking the movements of vehicles not associated with crimes is also problematic, the audit says.

The U.S. Supreme Court has not directly decided a privacy case involving ALPR but it has weighed in on other electronic surveillance cases. In those rulings, the court found using surveillance such as cell phone tower data and GPS “that reveal individuals’ movements over an extended period of time, if gathered, do at some point impinge on privacy.”

Scott Wiener, the San Francisco Democratic state Senator who requested the audit, did not like what he saw.

“The audit findings are deeply disturbing and confirm our worst fears about the misuse of this data,” Wiener said. “ALPR data should be used only in narrow circumstances. What we’ve learned today is that many law enforcement agencies are violating state law, are retaining personal data for lengthy periods of time, and are disseminating this personal data broadly.”

“This state of affairs is totally unacceptable, and I’m drafting legislation to protect people’s privacy and to put an end to these privacy violations,” Wiener said.

Other Agencies

While the audit examined four departments in depth, it also surveyed nearly every law enforcement agency in the state.

Clovis police and the Fresno County Sheriff’s Office utilize ALPR technology. Orange Cove and Selma police are considering using it. Other agencies surveyed do not use such technology.