All too often, police and other government agencies unleash invasive surveillance technologies on the streets of our communities, based on the unilateral and secret decisions of agency executives, after hearing from no one except corporate sales agents. This spy tech causes false arrests, disparately burdens BIPOC and immigrants, invades our privacy, and deters our free speech.

Many communities have found Community Control of Police Surveillance (CCOPS) laws to be an effective step on the path to systemic change. CCOPS laws empower the people of a community, through their legislators, to decide whether or not city agencies may acquire or use surveillance technology. Communities can say “no,” full stop. That will often be the best answer, given the threats posed by many of these technologies, such as face surveillance or predictive policing. If the community chooses to say “yes,” CCOPS laws require the adoption of use policies that secure civil rights and civil liberties, and ongoing transparency over how these technologies are used.

 The CCOPS movement began in 2014 with the development of a model local surveillance ordinance and launch of a statewide surveillance campaign by the ACLU affiliates in California. By 2016, a broad coalition including EFF, ACLU of Northern California, CAIR San Francisco-Bay Area, Electronic Frontier Alliance (EFA) member Oakland Privacy, and many others passed the first ordinance of its kind in Santa Clara County, California.  EFF has worked to enact these laws across the country. So far, 18 communities have done so. You can press the play button below to see a map of where they are.

play
Privacy info. This embed will serve content from google.com

 

These CCOPS laws generally share some common features. If an agency wants to acquire or use surveillance technology (broadly defined), it must publish an impact statement and a proposed use policy. The public must be notified and given an opportunity to comment. The agency cannot use or acquire this spy tech unless the city council grants permission and approves the use policy. The city council can require improvements to the use policy. If a surveillance technology is approved, the agency must publish annual reports regarding their use of the technology and compliance with the approved policies. There are also important differences among these CCOPS laws. This post will identify the best features of the first 18 CCOPS laws, to show authors of the next round how best to protect their communities. Specifically:

  • The city council must not approve a proposed surveillance technology unless it finds that the benefits outweigh the cost, and that the use policy will effectively protect human rights.
  • The city council needs a reviewing body, with expertise regarding surveillance technology, to advise it in making these decisions.
  • Members of the public need ample time, after notice of a proposed surveillance technology, to make their voices heard.
  • The city council must review not just the spy tech proposed by agencies after the CCOPS ordinance is enacted, but also any spy tech previously adopted by agencies. If the council does not approve it, use must cease.
  • The city council must annually review its approvals, and decide whether to modify or withdraw these approvals.
  • Any emergency exemption from ordinary democratic control must be written narrowly, to ensure the exception will not swallow the rule.
  • Members of the public must have a private right of action so they can go to court to enforce both the CCOPS ordinance and any resulting use policies.

Authors of CCOPS legislation would benefit by reviewing the model bill from the ACLU. Also informative are the recent reports on enacted CCOPS laws from Berkeley Law’s Samuelson Clinic, and from EFA member Surveillance Technology Oversight Project, as well Oakland Privacy and the ACLU of Northern California’s toolkit for fighting local surveillance.

Strict Standard of Approval

There is risk that legislative bodies may become mere rubber stamps providing a veneer of democracy over a perpetuation of bureaucratic theater. Like any good legislation, the power or fault is in the details.

Oakland’s ordinance accomplishes this by making it clear that legislative approval should not be the default. It is not the city council’s responsibility, or the community’s, to find a way for agency leaders to live out their sci-fi dreams. Lawmakers must not approve the acquisition or use of a surveillance technology unless, after careful deliberation and community consultation, they find that the benefits outweigh the costs, that the proposal effectively safeguards privacy and civil rights, and that no alternative could accomplish the agency’s goals with lesser costs—economically or to civil liberties.

A Reviewing Body to Assist the City Council

Many elected officials do not have the technological proficiency to make these decisions unassisted.  So the best CCOPS ordinances designate a reviewing body responsible for providing council members the guidance needed to ask the right questions and get the necessary answers. A reviewing body builds upon the core CCOPS safeguards: public notice and comment, and council approval. Agencies that want surveillance technology must first seek a recommendation from the reviewing body, which acts as the city’s informed voice on technology and its privacy and civil rights impacts.

When Oakland passed its ordinance, the city already had a successful model to draw from. Coming out of the battle between police and local advocates who had successfully organized to stop the Port of Oakland’s Domain Awareness Center, the city had a successful Privacy Advisory Commission (PAC). So Oakland’s CCOPS law tasked the PAC with providing advice to the city council on surveillance proposals.

While Oakland’s PAC is made up exclusively of volunteer community members with a demonstrated interest in privacy rights, San Francisco took a different approach. That city already had a forum for city leadership to coordinate and collaborate on technology solutions. Its fifteen-member Committee on Information Technology (COIT) is comprised of thirteen department heads—including the President of the Board of Supervisors—and two members of the public.

There is no clear rule-of-thumb on which model of CCOPS reviewing body is best. Some communities may question whether appointed city leaders might be apprehensive about turning down a request from an allied city agency, instead of centering residents' civil rights and personal freedoms. Other communities may value the perspective and attention that paid officials can offer to carefully consider all proposed surveillance technology and privacy policies before they may be submitted for consideration by the local legislative body. Like the lawmaking body itself, these reviewing bodies’ proceedings should be open to the public, and sufficiently noticed to invite public engagement before the body issues its recommendation to adopt, modify, or deny a proposed policy.

Public Notice and Opportunity to Speak Up

Public notice and engagement are essential. For that participation to be informed and well-considered, residents must first know what is being proposed, and have the time to consult with unbiased experts or otherwise educate themselves about the capabilities and potential undesired consequences of a given technology. This also allows time to organize their neighbors to speak out. Further, residents must have sufficient time to do so. For example, Davis, California, requires a 30-day interval between publication of a proposed privacy policy and impact report, and the city council’s subsequent hearing regarding the proposed surveillance technology.

New York City’s Public Oversight of Surveillance (POST) Act is high on transparency, but wanting on democratic power. On the positive side, it provides residents with a full 45 days to submit comments to the NYPD commissioner. Other cities would do well to provide such meaningful notice. However, due to structural limits on city council control of the NYPD, the POST Act does not accomplish some of the most critical duties of this model of surveillance ordinance—placing the power and responsibility to hear and address public concerns with the local legislative body, and empowering that body to prohibit harmful surveillance technology.

Regular Review of Technology Already in Use

The movement against surveillance equipment is often a response to the concerning ways that invasive surveillance has already harmed our communities. Thus, it is critical that any CCOPS ordinance apply not just to proposals for new surveillance tech, but also to the continued use of existing surveillance tech.

For example, city agencies in Davis that possessed or used surveillance technology when that city’s CCOPS ordinance went into effect had a four-month deadline to submit a proposed privacy policy. If the city council did not approve it within four regular meetings, then the agency had to stop using it. Existing technology must be subject to at least the same level of scrutiny as newer technology. Indeed, the bar should arguably be higher for existing technologies, considering the likely existence of a greater body of data showing their capabilities or lack thereof, and any prior harm to the community.

Moving forward, CCOPS ordinances must also require that each agency using surveillance technology issue reports about it on at least an annual basis. This allows the city council and public to monitor the use and deployment of approved surveillance technologies. Likewise, CCOPS ordinances must require the city council, at least annually, to revisit its decision to approve a surveillance technology. This is an opportunity to modify the use policies, or end the program altogether, when it becomes clear that the adopted protections have not been sufficient to protect rights and liberties.

In Yellow Springs, Ohio, village agencies must facilitate public engagement by submitting annual reports to the village council, and making them publicly available on their websites. Within 60 days, the village council must hold a public hearing about the report with opportunity for public comment. Then the village council must determine whether each surveillance technology has met its standards for approval. If not, the village council must discontinue the technology, or modify the privacy policy to resolve the failures.

Emergency Exceptions

Many CCOPS ordinances allow police to use surveillance technology without prior democratic approval, in an emergency. Such exceptions can easily swallow the rule, and so they must be tightly drafted.

First, the term “emergency” must be defined narrowly, to cover only imminent danger of death or serious bodily injury to a person. This is the approach, for example, in San Francisco. Unfortunately, some cities extend this exemption to also cover property damage. But police facing large protests can always make ill-considered claims that property is at risk.

Second, the city manager alone must have the power to allow agencies to make emergency use of surveillance technology, as in Berkeley. Suspension of democratic control over surveillance technology is a momentous decision, and thus should come only from the top.

Third, emergency use of surveillance technology must have tight time limits. This means days, not weeks or months. Further, the legislative body must be quickly notified, so it can independently and timely assess the departure from legislative control. Yellow Springs has the best schedule: emergency use must end after four days, and notification must occur within ten days.

Fourth, CCOPS ordinances must strictly limit retention and sharing of personal information collected by surveillance technology on an emergency basis. Such technology can quickly collect massive quantities of personal information, which then can be stolen, abused by staff, or shared with ICE. Thus, Oakland’s staff may not retain such data, unless it is related to the emergency or is relevant to an ongoing investigation. Likewise, San Francisco’s staff cannot share such data, except based on a court’s finding that the data is evidence of a crime, or as otherwise required by law.

Enforcement

It is not enough to enact an ordinance that requires democratic control over surveillance technology. It is also necessary to enforce it. The best way is to empower community members to file their own enforcement lawsuits. These are often called a private right of action. EFF has filed such surveillance regulation enforcement litigation, as have other advocates like Oakland Privacy and the ACLU of Northern California.

The best private rights of action broadly define who can sue. In Boston, for example, “Any violation of this ordinance constitutes an injury and any person may institute proceedings.” It is a mistake to limit enforcement just to a person who can show they have been surveilled. With many surveillance tools capturing information in covert dragnets, it can be exceedingly difficult to identify such people, or prove that you have been personally impacted, despite a brazen violation of the ordinance. In real and immutable ways, the entire community is harmed by unauthorized surveillance technology, including through the chilling of protest in public spaces.

Some ordinances require a would-be plaintiff, before suing, to notify the government of the ordinance violation, and allow the government to avoid a suit by ending the violation. But this incentivizes city agencies to ignore the ordinance, and wait to see whether anyone threatens suit. Oakland’s ordinance properly eschews this kind of notice-and-cure clause.

Private enforcement requires a full arsenal of remedies. First, a judge must have the power to order a city to comply with the ordinance. Second, there should be damages for a person who was unlawfully subjected to surveillance technology. Oakland provides this remedy. Third, a prevailing plaintiff should have their reasonable attorney fees paid by the law-breaking agency. This ensures access to the courts for everyone, and not just wealthy people who can afford to hire a lawyer. Davis properly allows full recovery of all reasonable fees. Unfortunately, some cities cap fee-shifting at far less than the actual cost of litigating an enforcement suit.

Other enforcement tools are also important. Evidence collected in violation of the ordinance must be excluded from court proceedings, as in Somerville, Massachusetts. Also, employees who violate the ordinance should be subject to workplace discipline, as in Lawrence, Massachusetts.

Next Steps

The movement to ensure community control of government surveillance technology is gaining steam. If we can do it in cities across the country, large and small, we can do it in your hometown, too. The CCOPS laws already on the books have much to teach us about how to write the CCOPS laws of the future.

Please join us in the fight to ensure that police cannot decide by themselves to deploy dangerous and invasive spy tech onto our streets. Communities, through their legislative leaders, must have the power to decide—and often they should say “no.”