Audit criticizes privacy of some California police data

SACRAMENTO - Four police departments in California have compiled massive amounts of data while tracking drivers' movements through their jurisdictions, but a new audit says those agencies aren't following the law when it comes to protecting people's privacy.

California Auditor Elaine Howle on Thursday released a review of the policies and procedures with automated license plate readers at the police departments in Los Angeles and Fresno and sheriff's offices in Marin and Sacramento counties. She found the agencies have not fully implemented a 2016 state law designed to protect privacy.

The readers photograph drivers' license plates at various points throughout a police department's jurisdiction. The department then stores that information and uses it to find stolen cars, people wanted for crimes or to seek out witnesses and missing persons.

The Los Angeles Police Department, one of the largest law enforcement agencies in the country, has accumulated more than 320 million images of vehicle license plates that include dates, locations, times plus names, addresses, birthdays and criminal charges.

Only 400,000 of those images have matched the departments' list of stolen vehicles or vehicles associated with criminal investigations. But the department keeps all of those images for at least five years. Plus, it does not have a policy governing use of its automated license plate readers, despite state law requiring they have one.

Of the four agencies reviewed, Auditor Elaine Howle said the LAPD was the “most lax in its approach” to granting access to the system. She said the department installs the software on all staff computers, regardless of whether the person has had training, noting the American Civil Liberties Union has said that could make it easier for people to abuse the system by possibly tracking ex-spouses, neighbors or other associates.

“The audit findings are deeply disturbing and confirm our worst fears about the misuse of this data,” said state Sen. Scott Wiener, a Democrat from San Francisco and one of the lawmakers who had requested the audit.

In a letter responding to the audit, LAPD Chief Michael R. Moore said the department continuously reviews who has access to the system and deactivates accounts for people who have left the department. He said they allow all employees to access the system if they have had training.

Moore said the department's “day-to-day operations and procedures” account for privacy concerns, but said the agency is developing a policy to govern use of its automated license plate readers. He said the policy will be finished by April and posted on the department's website.

Moore also said the department will assess the systems' security features and will perform periodic audits to make sure the policy is followed.

“The Los Angeles Police Department (LAPD) has the utmost respect for individuals' privacy,” Moore wrote.

The other three agencies covered in the report did have policies governing their automated license plate readers, but Howle said the policies did not fully implement all of the requirements mandated by state law.

The audit found Fresno and Marin share data from their automated license plate readers with hundreds of entities while Sacramento shares its data with more than a thousand entities across the country. Auditors found no evidence the agencies always know who was accessing the data.

“We are concerned that unless an agency conducts verifying research, it will not know who is actually using the ALPR images and for what purpose,” the auditors wrote.

Marin County Deputy Counsel Kerry Gerchow said the sheriff's department uses a third-party vendor to manage its software, and that vendor shares the information with law enforcement agencies that have been approved by the FBI.

In a letter to Howle, Fresno Police Chief Andrew J. Hall said the department is already revising its policy. He said the agency has suspended most of its data sharing and now only shares images with bordering states. He also said the department would change its policy to retain images for six months instead of a year.

“Building trust in our community is paramount to our agency," Hall wrote.

Sacramento County Sheriff Scott Jones wrote that while he cooperated with the audit, he felt “concern that there was a bias toward a particular outcome, intended or otherwise.”

Howle said Jones' “concern about bias is unfounded,” saying the office follows “quality control procedures on every audit that ensure that we have sufficient and appropriate evidence to support our findings and conclusions.”