License Plate Readers – Will the FBI Ever Address Their Privacy Implications?

The FBI has been testing and using automatic License Plate Readers (LPRs) for years, yet recently received Freedom of Information Act documents indicate that they still haven’t fully addressed LPR’s privacy implications.

As of March 2011, the Federal Bureau of Investigation has at least 1 federal agency, 10 state agencies, and 71 local agencies participating in License Plate Reader (LPR) projects that compare license plates against the National Crime Information Center (NCIC) database, a electronic clearinghouse of crime data run by the FBI. LPRs are often placed on top of law enforcement vehicles or at strategic locations like the entry points of bridges or tunnels.

In some cities, the placement of LPRs are so dense that they can effectively track a cars movement through the city. In DC, for example, there is roughly one LPR per square mile and roughly 1,800 images are captured every minute. The images captured by the LPRs are stored for various lengths of time depending on the agency that captures them. The DC police retain images for three years.

Earlier Freedom of Information Act documents obtained by EPIC show that Custom and Border Protection are using LPRs at the borders. More recent FOIA documents obtained by EPIC from the FBI indicate that despite years of use, the FBI still has not fully addressed the privacy implications.

On June 8, 2012 EPIC filed a FOIA request with the Department of Justice and its subagencies, including the FBI. EPIC’s request asked for, among other things, any privacy impact assessments, privacy impact statements, and protocols performed, both past and present, for the LPR initiative.

EPIC did not receive any Privacy Threshold Analysis (PTA) or Privacy Impact Assessment (PIA)–two types of documents federal agencies use to assess the privacy impact of programs and technology used by the government. The PTA is specifically used to determine whether the privacy implications are great enough to warrant a more thorough assessment, which is done by performing a Privacy Impact Assessment.

The documents EPIC received show the Department of Justice’s Privacy and Civil Liberties Unit considers license plates Personally Identifiable Information and that the FBI needed to do a PIA of the LPRs that would be made public.

Furthermore, the FOIA documents show that the FBI was actually working on a PIA for the LPRs in early 2012.

Nonetheless, EPIC did not receive a PIA regarding the FBI’s LPR Program and none exists online as of this blog entry.

PIAs serve as a check against the encroachment on privacy by the government. They allows the public to see how new programs and technology the government implement affect their privacy and assess whether the government has done enough to mitigate the privacy risks. Despite years of use of LPRs by the FBI, they still have not informed the public how they will mitigate the privacy risks posed by license plate readers. Will they ever?

For more information visit Defend Privacy. Support EPIC.