Site icon Sophos News

Massive DEA license plate reader program tracks millions of Americans

DEA tracking millions of license plates in "forfeiture" program

Image of license plates courtesy of Shutterstock The US Drug Enforcement Administration (DEA) has been building a massive national license plate reader (LPR) database over several years that it shares with federal and local authorities, with no clarity on whether the network is subject to court oversight.

The program relies on hundreds of cameras that snap images of each vehicle that passes, recording license plate numbers, direction of travel and time. Some cameras also snap a picture of the driver and passengers.

The American Civil Liberties Union (ACLU) has obtained documents about the program through the Freedom of Information Act, but few details have emerged from those heavily redacted pages.

The program was set up in 2008 and opened to other law enforcement agencies in May 2009.

According to the ACLU’s article this week, a 2010 email described the primary goal of the program as forfeiture: the controversial policing practice of seizing cash, cars and other valuables from motorists and others not yet charged with crimes.

From the email [sic]:

...DEA has designed this program to assist with locating, identifying, and seizing bulk currency, guns, and other illicit contraband moving along the southwest border and throughout the United States. With that said, we want to insure we can collect and manage all the data and IT responsibilities that will come with the work to insure the program meets its goals, of which asset forfeiture is primary.

This message also notes the “enormous support” the program’s received from several, non-specified government and law enforcement agencies, with multiple requests being made to link up with the LPR devices from state and local law enforcement.

The amount of cash the program has helped law enforcement to seize is considerable, but the program has aided in seizure of more than that.

According to one internal DEA document, the database has helped to track fugitives; solve a gang-related homicide; identify a car involved in a homicide and used to injure border checkpoint officers; and, in 2010, to seize 2,443 kilograms of cocaine, 87 kg of heroin, 66,941 kg of marijuana, 345 kg of methadone, 31 firearms, and $80,625,073 in cash.

Those familiar with the program told the Wall Street Journal that it’s also been connected to the Amber Alert system, which helps authorities find abducted children.

An undated slideshow cites 100 devices in the network, including those owned by the DEA, others by federal law enforcement, and still others by local and state law enforcement.

At the time the slideshow was put together, LPR devices were covering eight US states: California, Arizona, New Mexico, Texas, Nevada, Florida, Georgia and New Jersey.

While the program began in border states, the DEA has always planned to expand it, according to the documents as well as current and former officials who spoke with the WSJ.

Those officials wouldn’t say how many states are now feeding data into the system, telling the paper that disclosing information could help crooks avoid detection.

Another email, dated July 2012, notes that the data retention period for the LPR repository was at the time being decreased from 2 years down to 6 months.

The ACLU says that 6 months is still “far too long” to hold records on innocent people:

While this is an improvement from previous statements of DEA retention policy, it is still far too long. The government should not collect or retain information revealing the movements of millions of people accused of no crime.

The period of data retention has apparently shrunk further still: A Justice Department spokesman told the WSJ that the DEA has reduced the time it holds data to 3 months.

But beyond retention duration, more important is what’s being done with the data while the government’s got it, the ACLU said:

Even that long retention period is only meaningful if it comes with strict rules limiting data use, sharing, and access. Like its retention policy, the DEA should make these policies public.

The disclosed documents say that any federal, state or local law enforcement agent vetted by the DEA can conduct queries on the database.

The database is enormous.

The ACLU points to the Department of Homeland Security’s Northern border strategy document, which indicates that the Customs and Border Patrol (CBP) – one of the federal agencies that’s shared data with the DEA – collects “nearly 100 percent of land border traffic”.

That amounts to over 793.5 million license plates between May 2009 and May 2013, according to CBP’s response to the ACLU’s FOIA request.

According to the DEA, the program targets roadways it believes are used to transport contraband. It’s not clear what criteria the agency uses to classify a road as such.

With so much information redacted it’s hard to say we’ve got the full picture here, but it’s also easy to understand why this capability is useful for law enforcement.

Furthermore, identifying cars and users based on their license plates is nothing new – it’s what they’re for: license plates are public, unique identifiers.

And of course we have always had the ability to follow a person or a car by spotting the right number plate and watching where it goes.

So in some ways this is nothing new. But in other ways it’s very new indeed.

We could allow the police to follow criminals by asking everyone in the country to place a tracking beacon in their car, but who’d agree to that?

There are properties and capabilities that emerge from large collections of data that don’t exist in the same data at smaller scales (it’s why we had to invent a term – Big Data – to describe it.)

Collecting everything on the assurance that only criminal activity will receive any attention changes the relationship of trust between the public, law enforcement and government.

It’s a debate that’s happening on many fronts about data as different as DNA and phone call meta data.

And even if you’re happy with the premise that the innocent have nothing to fear, we still have to trust that these large, valuable collections of data being amassed are secure, properly disposed of, safe from leaks and safe from prying eyes.


License plates courtesy of 360b / Shutterstock.com

Exit mobile version