Update [March 25, 2016]: Georgia failed to pass H.B. 93 by the end of the day Thursday, which means the bill is now dead.
H.B. 93 began with good intentions. Georgia legislators saw a need to protect privacy by regulating how law enforcement agencies use automated license plate reader (ALPR) technology and limiting how long police can store location data collected on everyday drivers.
Unfortunately, the version of the bill currently on the fast track to passage is rife with problems that would not only harm the public, but threaten security research and hinder law enforcement’s ability to ensure the integrity of ALPR systems. It could be voted upon by the Georgia Senate on Thursday, the last day for the legislature to pass bills.
ALPRs are systems of high-speed cameras that collect the license plates of any vehicle that passes, turn those plates into machine-readable code, then store that data along with time and location information. When this data is collected in aggregate, it serves a tracking function and can expose personal information about drivers, such as where they sleep at night, what doctors they see, and where they worship. It can be used to predict a person’s movements and reveal their relationships with other drivers.
Originally, the bill would have limited ALPR storage to 90 days. While EFF would like to see much shorter retention periods, 90 days is significantly better than 2 years or indefinitely, which is the case in many jurisdictions. However, an amendment to the bill extended the retention period to one year.
But that’s not the worst provision in the legislation.
The bill declares that ALPR data may only be accessed for law enforcement purposes, which is defined as an “investigation of an offense or activity attributed to a case number assigned by a law enforcement agency.”
On its face that sounds like a good restriction: police generally shouldn’t be able to access the data for illegitimate reasons. However, this requirement would have terrible implications for system security.
For example: if supervisors want to spot check the ALPR logs to ensure that officers are accessing the system properly, they would not be able to without first opening a criminal case. Similarly, they would need to open a criminal case in order to look at the raw data to correct mistakes, such as erroneous plate reads.
The bill also makes it a criminal offense if someone “knowingly requests, uses, obtains, or attempts to obtain captured license plate data of a law enforcement agency under false pretenses or for any purpose other than for a law enforcement purpose.” The penalty is steep: a maximum fine of $5,000 and up to two years in prison.
This measure would criminalize a whole host of activities. For example: a police agency could not conduct a demonstration of the technology for the media or a city council member. Even asking to see the data for oversight purposes would be a criminal offense.
This also hits close to home. Last year, EFF found that Internet-connected ALPR cameras in Louisiana, California, and Florida had webpages that were completely exposed to the public. Anyone with a browser could access the configuration settings, and in many cases a site visitor could see through the cameras as they collected plate data. Other researchers also discovered that the ALPR data could be easily captured as the camera transferred it to a central hub.
EFF contacted each agency to inform them about the vulnerability. Almost all of the cameras have since been fixed or taken offline. While the law enforcement agencies thanked us for alerting them to the problem, under the Georgia bill, this would have opened us—and other security researchers—to criminal prosecution.
In principle, we like the idea of limiting access to ALPR data to criminal investigations, but there must be exceptions for diagnostics and maintenance, system security, and oversight. Further, there should be some sort of safe harbor for security researchers who disclose vulnerabilities.
Finally, the bill also eliminates any possibility of transparency over ALPR data, since it explicitly states that the data is not subject to Georgia’s Open Records Act. We believe the public should have access to de-identified data—the time, date, and location, but without the actual plate numbers—in order to evaluate the program. For example, access to a week’s worth of ALPR data from Oakland allowed us to see how the technology may be disproportionately deployed in certain neighborhoods.
EFF provided the bill’s author with suggested fixes that would have made room for accessing ALPR data for security and oversight purposes, but none of these recommendations were added to the bill.
We call on the Georgia legislature to reject this bill in its current state, and, if it does pass, Gov. Nathan Deal should not hesitate to veto it.