The San Diego Police Department doesn’t appear to be following a state law regulating how law enforcement agencies should handle data from automatic license plate readers.
Law enforcement agencies throughout San Diego use license plate readers to track people’s travel throughout the county, kept in a regionwide database that allows agencies to share information. Police departments have cited its value in instances ranging from finding a stolen car, to locating the suspect of a serious crime by entering his license plate into the system and getting alerted in real time if the car passes a license plate-reading camera.
SB 34, the 2015 state bill controlling use of that vast data network, was uncontroversial; there was no registered opposition, even from the law enforcement agencies whose behavior it was regulating.
The law requires agencies that collect license plate reader data to adopt privacy policies, allows individuals whose data has been misused to bring civil suits and forces agencies to create a record of each instance in which someone accesses the system.
That record needs to include the date and time of the access, the license plate number that was searched, the person who accessed it and “the purpose for accessing that information.”
The idea was that it would settle privacy concerns, since there would be a clear record of how often and for what reason law enforcement officers were accessing a massive database that outlines everyone’s travel behavior. And if an instance of misuse came about – an employee checking on his ex-wife, for instance – there’d be a digital record.
But it isn’t clear that the San Diego Police Department is complying with the law, based on a review of periodic reviews conducted by SDPD over the last two years that were produced in a public records request filed by the Electronic Frontier Foundation.
SDPD audited its employees’ use of license plate reader data during roughly six week stretches in the fall of 2016 and the summer of 2017.
During both periods, SDPD staff failed to enter a reason they were accessing the database nearly half of the time.
In 2016, SDPD users didn’t enter a reason for their search in 258 instances out of the 496 times they used the system, or about 51 percent of the time.
In 2017, SDPD staff didn’t enter a reason 238 times out of the 500 times they used the system, or about 47 percent of the time.
That’s a big problem, said Dave Maass, a senior investigative researcher with the Electronic Frontier Foundation, a digital privacy advocacy organization that has issued dozens of records requests to law enforcement agencies to understand how they’re using license plate reader data and systems.
“Not only is that a bad practice, it’s illegal,” Maass said. “It’s also troubling that they ran this report in 2016 and could have looked at the document and seen the problem, but as of 2017 it still exists.”
SDPD has another way of looking at it.
Lt. Brent Williams said SDPD has interpreted SB 34 such that it’s in compliance as long as officers enter an official case number related to their search, even if they don’t enter anything into the “reason” field.
“The case number or incident number would also be a reason,” he said.
By that standard, the department is doing better, but is still not perfect. In 2017, there were 32 times in which someone accessed the system without logging a case number associated with their search, or a reason for the search. In 2016, that happened 149 times.
After being asked about Voice of San Diego’s findings, Williams said SDPD was proposing a change to its procedure outlining license plate reader data use.
The department’s existing procedure does not mention that staff must include a reason for the search. The new procedure is not yet official, but Williams sent over the proposed change.
“LPR operators must input a purpose or reason with each entry when searching any Department LPR system. The reason may include the case number, event number, general information or description,” it reads.
Maass rejected SDPD’s interpretation of the law.
“A case number is not a reason, it’s just a case number and provides no information to the auditor about whether the search of the data was proper,” he said. “If the Legislature thought a case number sufficient, they would have said so in the bill. Instead, they required the police to describe the ‘the purpose for accessing the information.’”
He said the law forces law enforcement officers to answer a simple question each time they use the system: What is the purpose of accessing this information? A case number doesn’t answer the question.
The author of the law, Sen. Jerry Hill, isn’t ready to render a verdict.
In a statement, he said the purpose of the law is to balance the benefits of advanced technology for law enforcement with citizens’ civil liberties. The law calls for agencies to adopt policies, he said, but the act of making the policy and determining how to implement it should remain local.
“That’s why I refrain from passing judgment on any specific action in the circumstances you describe,” he wrote. “That said, I’d like to point out that the interaction and dialog you describe having with SDPD speak to the type of engagement and transparency that SB 34 is meant to encourage. The fact that the department engaged in a conversation about its policy, how the policy is being applied and what it plans to do to clarify it is great.”