Skip to content
Naked Security Naked Security

Sacramento admits to tracking welfare recipients’ license plates

For 2 years, welfare investigators used a huge database of automated license plate reader images to sniff out fraud, without audit or policy.

As the American Civil Liberties Union (ACLU) found out in 2015 through the Freedom of Information Act, the US Drug Enforcement Administration (DEA) has for years been building a massive national license plate reader (LPR) database that it shares with federal and local authorities, with no clarity on whether courts are overseeing its use.
That blasé approach to mass surveillance of drivers is holding steady, as evidenced by recent revelations about California using an LPR database to track down welfare cheats.
Sacramento seems to have failed to comply with its own regulations on license plate data collection.
The privacy activist group EFF formed the opinion, when it revealed this surveillance two weeks ago, that ‘“California law is crystal clear”‘, and that license plate data mustn’t be collected without a privacy policy that “is consistent with respect for individuals’ privacy and civil liberties.”
ALPRs snap photos of all license plates from street poles and police cars as vehicles drive by. To legally get at those images, the Sacramento County Department of Human Assistance (DHA) should have had a policy that includes periodic audits. Also, each time that LPR data was looked up, a purpose should have been recorded.
But for the two years preceding the EFF’s California Public Records Act request, the DHA didn’t tick off those two basic legal requirements – or if they did, it didn’t show up in the logs seen by the EFF.
In fact, between June 2016 through July 2018, 22 employees working on welfare fraud searched ALPR data more than 1,000 times – all without privacy policies posted online or written anywhere, as required by law. Some employees only dipped a toe into the database, only running a single search, while others ran more than 100 searches. One employee ran 214 searches over the course of 20 months, the EFF found.

There were no audits for any of this data access. The EFF also couldn’t find that the reasons for the ALPR data searches were recorded, although the DHA claims that they were.
DHA Director Ann Edwards told the Sacramento Bee that the county’s welfare fraud investigators use the ALPR data to find suspects and collect evidence to prove cases of fraud. She said that the decision to use such data is determined on a case-by-case basis “depending on the investigative needs of the case.”
It was also done without a clue that the agency needed a policy before employees could legally access that data. The DHA claims that it had no idea that a policy, plus a log of reasons for access, plus monthly audits, are required.
The EFF said that the agency spent a week playing catch-up after the civil liberties group asked about the issue, whipping together a privacy policy and posting it to its website. The new policy includes a monthly audit process.
The data in question wasn’t amassed by the DHA. Rather, it paid for it. According to contracts and invoices obtained by the EFF, Sacramento County paid more than $10,000 – about $5,000 per year – for access to data held by a vendor called Vigilant Solutions. Those contracts were signed without going through the competitive bidding process, the EFF notes.
Vigilant is the leading vendor of LPR data. As of 2016, the Atlantic reported that Vigilant had amassed roughly 2.2 billion license-plate photos and was capturing and permanently storing about 80 million additional geotagged images per month.
Vigilant’s dataset has continued to burgeon. In February 2018, news emerged that the LPR vendor would be providing the Department of Homeland Security’s (DHS’s) Immigration and Customs Enforcement (ICE) arm with agency-wide access to its nationwide database, to enable ICE to track license plates across the country. That gives ICE access to billions of license plate records and new powers of real-time location tracking: a profound source of concern to civil libertarians.
Vigilant doesn’t necessarily collect all the data itself. Rather, it acquires data from partners such as car repo agencies and other private groups. Vigilant also partners with police departments, picking up yet more data from camera-equipped police cars.
At the time of ICE gaining access to the data, Jay Stanley, a senior policy analyst who studies LPRs with the ACLU, said that the biggest concern for civil libertarians is the scale of Vigilant’s network, which it’s put together almost completely outside of public accountability:

If ICE were to propose a system that would do what Vigilant does, there would be a huge privacy uproar, and I don’t think Congress would approve it. But because it’s a private contract, they can sidestep that process.

Besides signing those $10,000+ worth of contracts with Vigilant, Sacramento’s DHA also signed an agreement forbidding it from talking to the media about the ALPR program without Vigilant Solutions’ written permission. It also agreed not to use information about Vigilant Solutions in “any manner that is disparaging.”
Granted, of late, the DHA has noted higher welfare fraud rates, which includes things such as failing to report income or claiming care for a child who doesn’t actually live with the recipient. The DHA told the Sacramento Bee that since June 2016, when the county first started using ALPR data, its investigators discovered fraud in about 13,000 of the 35,412 fraud referrals they investigated: about 37% of the cases.
Edwards told the Sacramento Bee that the DHA’s investigators are using ALPR data about 2.5% of the time: not heavy usage at all, she said:

It doesn’t appear to be overused. I think we use it very judiciously and only when needed to investigate fraud.

She also said that DHA is already following other parts of California’s privacy law (a law that was passed at the beginning of 2016, near the time the agency started using the ALPR data), including employees justifying their use of the data.

Each time a criminal investigator accesses the information, they… must document the reason why the data is being requested from the system.

As far as the monthly audits go, Edwards told the Sacramento Bee that they would start last week and would happen every two months:

We will be doing a random sampling of times [ALPR data] has been used in the past, in order to confirm that it hasn’t been used inappropriately. If we find as a result of our review that it was used inappropriately, disciplinary action could be taken.

Or hey, how about this instead, suggested EFF investigator Dave Maass: stop using the data immediately and do an investigation of the DHA’s past use. That’s the only way to figure out what welfare fraud investigators were really searching for, he told the Sacramento Bee. For all we know DHA employees could have been doing anything from…

Investigating a major fraud case to spying on their ex-spouses. Were they looking up people in Texas, people on the other side of the country? We just don’t know.


I’m sure any policy aimed at combating this type of fraud would be lambasted by the media as an attack on poor, defenseless, people. I applaud any attempt to use technology to stop crime..unlike the people of Houston, Texas who got to vote that they want to be able to run red lights without fear of cameras.


I think you might be missing the point. Using technology to stop crime or catch criminals is good, but those who have access to such personal information (such as a persons whereabouts) should have to jump threw some hoops, and have real accountability.
This isn’t a big thing, but this a correction to how they have been using the data. This is adding accountability to the system, everyone should be happy about the adjustment.


These guys may well be very good at building and maintaining license plate databases. It’s too bad they’re not very good at spelling – they forgot the ‘e’ and the end of “Vigilant”.


500 out of 200,000 is 0.25% not 0.02%


I looked at the original article and it’s just not clear whether the 0.02% figure they state is an order-of-magnitude error (500 divided by 190,000 incorrectly) or is referring to different numbers or a different inference. So I am going to delete that paragraph. It’s not vital to the article.


“To legally get at those images, the Sacramento County Department of Human Assistance (DHA) should have had a policy that includes periodic audits. Also, each time that LPR data was looked up, a purpose should have been recorded.”
Surely those same laws apply to Vigilant obtaining images from 3rd parties, private contracts or no private contracts?


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!