Georgia License Plate Reader Bill: Bad for the Public, Bad for the Police
Update [March 25, 2016]: Georgia failed to pass H.B. 93 by the end of the day Thursday, which means the bill is now dead.
H.B. 93 began with good intentions. Georgia legislators saw a need to protect privacy by regulating how law enforcement agencies use automated license plate reader (ALPR) technology and limiting how long police can store location data collected on everyday drivers.
Unfortunately, the version of the bill currently on the fast track to passage is rife with problems that would not only harm the public, but threaten security research and hinder law enforcement’s ability to ensure the integrity of ALPR systems. It could be voted upon by the Georgia Senate on Thursday, the last day for the legislature to pass bills.
ALPRs are systems of high-speed cameras that collect the license plates of any vehicle that passes, turn those plates into machine-readable code, then store that data along with time and location information. When this data is collected in aggregate, it serves a tracking function and can expose personal information about drivers, such as where they sleep at night, what doctors they see, and where they worship. It can be used to predict a person’s movements and reveal their relationships with other drivers.
Originally, the bill would have limited ALPR storage to 90 days. While EFF would like to see much shorter retention periods, 90 days is significantly better than 2 years or indefinitely, which is the case in many jurisdictions. However, an amendment to the bill extended the retention period to one year.
But that’s not the worst provision in the legislation.
The bill declares that ALPR data may only be accessed for law enforcement purposes, which is defined as an “investigation of an offense or activity attributed to a case number assigned by a law enforcement agency.”
On its face that sounds like a good restriction: police generally shouldn’t be able to access the data for illegitimate reasons. However, this requirement would have terrible implications for system security.
For example: if supervisors want to spot check the ALPR logs to ensure that officers are accessing the system properly, they would not be able to without first opening a criminal case. Similarly, they would need to open a criminal case in order to look at the raw data to correct mistakes, such as erroneous plate reads.
The bill also makes it a criminal offense if someone “knowingly requests, uses, obtains, or attempts to obtain captured license plate data of a law enforcement agency under false pretenses or for any purpose other than for a law enforcement purpose.” The penalty is steep: a maximum fine of $5,000 and up to two years in prison.
This measure would criminalize a whole host of activities. For example: a police agency could not conduct a demonstration of the technology for the media or a city council member. Even asking to see the data for oversight purposes would be a criminal offense.
This also hits close to home. Last year, EFF found that Internet-connected ALPR cameras in Louisiana, California, and Florida had webpages that were completely exposed to the public. Anyone with a browser could access the configuration settings, and in many cases a site visitor could see through the cameras as they collected plate data. Other researchers also discovered that the ALPR data could be easily captured as the camera transferred it to a central hub.
EFF contacted each agency to inform them about the vulnerability. Almost all of the cameras have since been fixed or taken offline. While the law enforcement agencies thanked us for alerting them to the problem, under the Georgia bill, this would have opened us—and other security researchers—to criminal prosecution.
In principle, we like the idea of limiting access to ALPR data to criminal investigations, but there must be exceptions for diagnostics and maintenance, system security, and oversight. Further, there should be some sort of safe harbor for security researchers who disclose vulnerabilities.
Finally, the bill also eliminates any possibility of transparency over ALPR data, since it explicitly states that the data is not subject to Georgia’s Open Records Act. We believe the public should have access to de-identified data—the time, date, and location, but without the actual plate numbers—in order to evaluate the program. For example, access to a week’s worth of ALPR data from Oakland allowed us to see how the technology may be disproportionately deployed in certain neighborhoods.
EFF provided the bill’s author with suggested fixes that would have made room for accessing ALPR data for security and oversight purposes, but none of these recommendations were added to the bill.
We call on the Georgia legislature to reject this bill in its current state, and, if it does pass, Gov. Nathan Deal should not hesitate to veto it.