The surveillance state is no longer limited to the state.
For years, police departments have been tracking people’s cars with cameras that capture the license plate number of every vehicle that passes by. The Electronic Frontier Foundation, a San Francisco-based digital privacy nonprofit, has described the technology as “a form of mass surveillance .”
Now, a new generation of tech firms has made it possible for private citizens to use the devices, known as automatic license plate readers, or ALPRs—without the strict oversight that governs this type of data collection by law enforcement.
Putting ALPR into civilian hands allows for a broad range of new applications, including customer service and school security. But it also raises untold numbers of new legal and ethical issues, few of which have yet been tested in the courts, experts warn.
A 3,000% increase
Automatic license plate readers, or ALPRs, have long been geared toward local, state, and federal law enforcement users. The systems can be mounted on utility poles, streetlights, overpasses, in police cars, even within traffic cones and digital speed display signs that show drivers how fast they’re going. Once a vehicle’s plate is photographed, and the date, time, and location are recorded, an algorithm checks it against a database of cars that cops are looking for.
ALPRs can capture roughly 2,000 plates a minute, on vehicles traveling up to 120 miles per hour, casting an astonishingly wide net. Police can store and later access this data, enabling investigators to zero in on a suspect’s whereabouts and behavioral patterns.
Unlike traditional ALPR systems, which consist of professional-grade equipment priced beyond the reach of most civilians—and even some smaller police departments—the new setups rely on off-the-shelf security cameras.
According to recently released US federal contracting data, the Drug Enforcement Administration will be expanding the footprint of its nationwide surveillance network with the purchase of “multiple” trailer-mounted speed displays “to be retrofitted as mobile LPR [License Plate Reader] platforms.” The DEA is buying them from RU2 Systems Inc., a private Mesa, Arizona company.
At least one company, OpenALPR, offers software for free, on Github. Anyone who downloads it can turn a single web-connected camera into an automatic license plate reader that can monitor traffic across a four-lane highway with 99% accuracy. (Customers pay between $49 and $995 monthly for optional cloud-based storage and analysis.)
OpenALPR software was used in just 300 cameras two years ago, according to the company. Today, it is being utilized in 9,200 cameras in 70 countries , a 2,960% increase. About half those customers are police, OpenALPR founder Matt Hill says, with private citizens making up the rest.
Private businesses are using these setups in markedly different ways than law enforcement, although the general idea is the same.
OpenALPR competitor PlateSmart Technologies, another company that markets ALPR systems to the general public, advertises various uses in security and “business intelligence,” including analytics packages that allow retailers to analyze customer response to promotional offerings and track the demographics of people who drive into their parking lots.
“What we tend to find is that law enforcement will get sold this technology and see it as a one-time investment, but don’t invest in cybersecurity to protect the information or the devices themselves.” Darius Freamon, a security researcher, was one of the first to find police ALPR cameras in 2014 on Shodan, a search engine for exposed databases and devices.
Schools can also use the systems to control access to their campuses, and hospitals can track staff, visitors, and patients, PlateSmart tells prospective customers. Casinos can connect to law enforcement databases, and create custom hotlists to alert police when criminals, banned people, or “gambling addicts,” have come onto the property, it adds.
Joseph Giacalone, a criminal justice professor at City University of New York, says it was only a matter of time before ALPRs were deployed for civilian use. “Any new technology comes with the promise of making our lives better, and making our jobs simpler,” says the former NYPD commander. “But they also come with a caveat—the potential for abuse: people stalking exes, making targets more accessible to criminals, and keeping tabs on your spouse.”
Unlike police and other law enforcement users of ALPR, private citizens are not beholden to constitutional protections barring unlawful search and seizure, or racial profiling, for example. Civilian users don’t have to worry about departmental review boards or internal affairs units watching over them, either.
At least 16 states have statutes related to ALPR use and data retention, which civilians are required to follow. However, the states that do have rules don’t do a very good job of publicizing them. “It’s possible not a lot of users realize this when trying out the software,” says Dave Maass of the Electronic Frontier Foundation.
Further, unlike law enforcement agencies, which are generally subject to public information laws, there is no way for citizens to know exactly how private companies are using the ALPR data they collect. The amount of information they can gather is unprecedented, and they can do it all in secret.
The ALPR industry itself is not regulated— nothing currently prohibits ALPR companies from marketing their data—so the potential for misuse is high, says Kabrina Chang, a law and ethics professor at Boston University’s Questrom School of Business.
“The money to be made from compiling and selling data will infect decision-making,” adds Chang. “OpenALPR, or any company using the ALPR-gathered data, could have internal policies and rules, and corporate governance processes in place, but we have seen over and over companies violating their own policies.”
OpenALPR insists they do not sell or share their customers’ data with any outside entities.
The more you know
To get a sense of the issues private use of ALPR can raise, consider the kind of information picked up by a typical security camera.
OpenALPR, for example, can provide users with the make, model, and color of the vehicles. In response to privacy concerns, some police departments have purposely restricted the camera settings on their ALPR systems to photograph only the rear of each vehicle, so as to capture the license plate but not a wider shot of the car or its occupants.
It would be far more difficult to take action against a private company for misusing ALPR data than against a government agency, explains Chang. Each state has its own standards and definition for invasion-of-privacy claims. Most won’t consider any cases that don’t involve trespassing. That wouldn’t be particularly helpful for someone who, say, thought their employer had wrongfully wielded ALPR information they had collected on them. (ALPR systems can also be hacked or otherwise exposed online.)
“The public has a right to know how and how often the government is exploiting security holes in our personal devices to access intimate information about us or surveil us, often without our knowledge.” Filed Friday in Buffalo, the 32-page complaint points to a Nov. 26 report titled “The FBI Created a Fake FedEx Website to Unmask a Cybercriminal.” Vice reported in the article that the FBI snared a scammer last year with a booby-trapped Word document that revealed the perpetrator’s IP address when opened.
OpenALPR’s Hill has referred to himself as “a big privacy advocate,” and says ALPR systems can help companies and private individuals. “It’s not just surveillance,” he says. “You can just add it to a product and all of a sudden you have a more streamlined experience.”
EFF’s Maass says that a single person using a system like OpenALPR on their own home cameras is probably not a big threat to the public’s privacy. “If those people link their network together or share it live with law enforcement, then that does create a large surveillance net,” he adds.
In fact, that’s exactly what Hill says he plans to do:
“You talk to [homeowners associations] and you talk to private businesses and one of the things they really find valuable is allowing the police access to their data to proactively catch people,” he says.