CBP Updates Privacy Impact Assessment On License Plate Readers; Says Opting Out Involves Not Driving

from the just-five-years-of-surveillance-at-CBP-fingertips dept

The last time the CBP delivered a Privacy Impact Assessment of its automated license plate readers, it informed Americans as far as 100 miles inland that there's really no privacy being impacted by the deployment of tech capable of capturing millions of plate images every year. If you don't want to be on the CBP ALPR radar (which is shared with the DEA and other law enforcement agencies), don't drive around in a properly licensed vehicle.

This impact assessment was not updated when the CBP's ALPR vendor was hacked and thousands of plate photos -- some of which contained photos of drivers and passengers -- were taken from the vendor's servers. The vendor was never supposed to be storing these locally, but it decided to do so and the end result was a lot of leakage the CBP assured everyone contained "no personal information" about the thousands of people and vehicles contained in the photos.

The CBP's latest Privacy Impact Assessment [PDF] has been turned in and it's more of the same thing. Want to dodge the feds' plate readers? Stay off the road. (via Zack Whittaker/TechCrunch)

Privacy Risk: There is a risk that individuals who are not under suspicion or subjects of investigation may be unaware of or able to consent to CBP access to their license plate information through a commercial database.

Mitigation: This risk cannot be fully mitigated. CBP cannot provide timely notice of license plate reads obtained from various sources outside of its control. Many areas of both public and private property have signage that alerts individuals that the area is under surveillance; however, this signage does not consistently include a description of how and with whom such data may be shared. Moreover, the only way to opt out of such surveillance is to avoid the impacted area, which may pose significant hardships and be generally unrealistic.

Keep in mind that "impacted areas" aren't just the places you expect Customs and Border Protection to be. You know… like at the border. It's also up to 100 miles inland from every border. And "border" is also defined as any entry point, which includes international airports. So, that's a lot of "impacted area." There's really no realistic way to dodge everywhere the CBP operates. And one would think actively dodging CBP-patrolled areas would be treated as suspicious behavior by CBP officers, which could result in far more than license plate records being abused.

The CBP says it will keep privacy violations to a minimum, though. It will only access its database if it has "circumstantial evidence." So… feel good about that, I guess.

The CBP also says that it probably isn't actually allowed to perform this collection but it will try its very best not to abuse its ALPR privileges.

There is a risk that CBP does not have the appropriate authority to collect commercially available LPR information from vehicles operating away from the border and outside of CBP’s area of responsibility.

No big deal, says the CBP. It will only retain information about vehicles crossing the border. Or connected to a "person of law enforcement interest." Or connected to potentially illicit activity. Or for "identifying individuals of concern." Just those things. And the data not connected to anything in particular will be held onto for a limited time.

Here's the definition of "limited:"

CBP may access LPR data over an extended period of time in order to establish patterns related to criminal activity; however, CBP has limited its access to LPR data to a five-year period in an effort to minimize this risk.

Really the only thing limited about this is that it isn't forever. The CBP's vendor can hold onto this data forever, but CBP agents will only be able to search the last five years of records. Cached searches will be retained for up to 30 days if they're of interest to the CBP or other law enforcement agencies with access to the database. Uninteresting searches will be dumped within 24 hours.

Five years is a lot of data. That's not really a mitigation of privacy concerns. The CBP's Impact Assessment pretty much says the agency plans to use this to reconstruct people's lives. Its definition of "limited" -- the one that means five years of searchable records -- is its response to the privacy risk posed by the aggregate collection of travel records over a long period of time. Apparently, the CBP feels five years is long enough for it to do its job. But not long enough that the general public should be worried about it.

Filed Under: alpr, cbp, driving, license plate reader, lpr, privacy impact assessment


Reader Comments


  • Anonymous Coward, 16 Jul 2020 @ 4:43am

    The US is implementing levels of surveillance that make the STASI look like ineffective amateurs.

  • That One Guy, 16 Jul 2020 @ 5:55am

    'Unless of course we really want to, then it's fine.'

    Really the only thing limited about this is that it isn't forever. The CBP's vendor can hold onto this data forever, but CBP agents will only be able to search the last five years of records. Cached searches will be retained for up to 30 days if they're of interest to the CBP or other law enforcement agencies with access to the database. Uninteresting searches will be dumped within 24 hours.

    I certainly hope everyone is practicing their 'surprised' faces for when (not if) they violate that already ludicrous 'limit'.

    On a more general note, to call this argument 'absurd' is to do a gross disservice to the word. 'We promise to respect your privacy, if by that you mean have cameras track your every move on the road that we can access for years after the fact' is the sort of thing that belongs in dystopian novels and films, not an official government agency.

    With that sort of argument government agencies could demand that telecom companies keep tracking information for every phone in the country for years on end with nothing more than a pinky-promise that they won't access that data unless they have a really important reason to (as defined by themselves of course). Or worse, the companies could offer that 'service' themselves and it would be seen as completely fine because hey, if you don't want to be tracked just don't carry a phone.

    It would be great if politicians and/or judges started handing out hefty slaps and reminders that no, that's not what 'privacy' means, but between those who've bought into the idea that a constantly watched country is a safe country (so long as them and theirs aren't the ones under the microscope of course) and those too gutless to actually stand up to such activity lest they be labeled as 'pro-criminal' I sadly don't see that happening any time soon.

  • Anonymous Coward, 16 Jul 2020 @ 6:30am

    Ignores the constitution altogether

    The CBP clearly must be ignoring the actual words of the constitution or they would realize that they have flipped the script and are treating everyone as if they are already in prison and their rights no longer exist. I thought you were considered innocent until proven guilty in a court of law. The only entity clearly guilty here is the CBP who is operating outside of the law.

  • Anonymous Coward, 16 Jul 2020 @ 7:39am

    Mitigation: This risk cannot be fully mitigated.

    Sure it can. Stop collecting the data. Seriously.

    But even beyond that, it can be mitigated. I work in a field where we have PII streaming in and captured from customers constantly. Anything flagged PII gets stored in a separate bin, with locale-specific limitations (data in one area is siloed from other areas), a fixed and automated expiry time, and temporary, task-based access to the silo (only individuals with demonstrated need to access THAT data have access to it, and only for a limited time).

    They're right that even these controls won't fully mitigate, but they can sure mitigate a LOT further than the current setup. Their current privacy stance is like saying "Oh, well thieves can break a window to get into my house, so locks, lights and security cameras are useless and we shouldn't bother with them".

  • Anonymous Coward, 16 Jul 2020 @ 12:29pm

    Just get one of these license plate frames with concealed infrared LEDs that can prevent cameras from seeing your plate numbers

    • nasch, 17 Jul 2020 @ 10:04am

      Re:

      Just get one of these license plate frames with concealed infrared LEDs that can prevent cameras from seeing your plate numbers

      Unless police in your area have ALPRs in their cars, in which case they'll probably pull you over every time they see you.

  • ECA, 16 Jul 2020 @ 3:43pm

    What is NOT above the law.

    Import of Cigs from Canada? Alcohol?
    https://www.ezbordercrossing.com/the-inspection-experience/clearing-customs/prohibited-items/

    USA
    Let's see the discrepancies..
    Cooked eggs and foods such as breakfast tacos, egg plates and hard boiled eggs are prohibited. You may not import fresh, dried or canned meats or meat products or foods that have been prepared with meat. Beef products are generally ok if there is no known bovine disease in the country of origin. However, like all other food items the meat must be unopened and commercially labeled indicating the country of origin and meat type. The regulations on importing meat and meat products change frequently because they are based on disease outbreaks in different areas of the world. Certain fish and wildlife, and products made from them, are subject to import and export restrictions, prohibitions, and permits. CBP enforces laws relating to the protection of trademarks and copyrights. Counterfeit articles or those that infringe a federally registered trademark or copyright may be seized.

    CDN
    Most types of weapons such as tasers, brass knuckles, and pepper spray. Certain knives, even those used for hunting or fishing. Obscene material, hate propaganda and child pornography. They can inspect your laptops, cellphones and other computer equipment to see what you have on them.

    General Issues
    We have a separate page with information on importing automobiles into both the U.S. and Canada. If there is no packaging label on food, or the border agent cannot read the label because it is not in English, the item will most likely be confiscated. “Kosher” products carry no special exception to any of these rules. If you are carrying any of the following items you MUST disclose them to the US border official:
    Fruits and vegetables
    Plants and cut flowers
    Meat and animal products
    Live animals

    NOW, does anyone see a problem in this?? Alcohol? Tobacco? Hookers?
