CBP Scandal: Buying License Plate Scans

U.S. Customs and Border Protection is buying access to a huge private database of automatic license-plate recognition records. And it’s legal (at least, nobody’s said it’s not).

It’s thought to be run by two Motorola Solutions businesses, Vigilant Solutions and DRN. The latter firm uses repossession “affiliates” to scan license plates wherever they drive and upload the data to DRN—recording the locations of “around 100 million vehicles each month.”

AWS Builder Community Hub

Did I mention it’s legal? Fourth Amendment be damned. In today’s SB Blogwatch, we tear up the Bill of Rights.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: bwk ftw.

Big Brother Watching

What’s the craic? Kate Cox reports—“CBP does end run around warrants”:

 [CBP] can track everyone’s cars all over the country thanks to massive troves of automated license plate scanner data. [They] straight-up purchase access to commercial databases.

How does “unreasonable search” work when any agency can buy data from anywhere? … The data it purchases … may allow it to track any given license plate.

The US Constitution and decades of case law [set] rules about what data law enforcement agencies can collect directly … Massive, privately owned databases … seem to provide a convenient end run around the warrant process.

And Joseph Cox (no relation) says it “continues the trend of law enforcement buying access to data rather than gathering it themselves”:

 The news that CBP is using such a system highlights a continuing trend in which law enforcement agencies turn to the commercial sector for access to data rather than collecting it themselves. [It] shows that little-regulated private surveillance networks are being used by the government.

[CBP] did not name the specific commercial database. But a source in the private investigator industry … suggests the supplier is likely Vigilant Solutions and its sister company DRN which collects the license plate data in the first place.

DRN’s database is essentially crowdsourced by hundreds of repo men who have installed the firm’s license plate reader cameras in their vehicles. As the repo men drive around … looking for vehicles to seize, the DRN cameras also passively record and upload the location, license plate, and other information of every car they drive by. … Mary Johnson, senior director of media relations and communications for Vigilant, did not respond to multiple requests for comment.

A CBP spokesperson [said] the agency uses [it for] “assistance in locating and apprehending the subjects of criminal investigations, illicit activity, or aliens who illegally entered the United States.” … They said that the agency also uses access controls to ensure only authorized users can view the data, and set timeframes on how long results are retained by CBP.

Time frames? Like how long? Tim Cushing translates CBP’s position—“Opting Out Involves Not Driving”:

 CBP agents will only be able to search the last five years of records. … Five years is a lot of data. That’s not really a mitigation of privacy concerns … posed by the aggregate collection of travel records.

If you don’t want to be on the CBP ALPR radar (which is shared with the DEA and other law enforcement agencies), don’t drive around in a properly licensed vehicle. … There’s really no realistic way to dodge everywhere the CBP operates. And one would think actively dodging CBP-patrolled areas would be treated as suspicious behavior by CBP officers.

[A year ago] CBP’s ALPR vendor was hacked and thousands of plate photos—some of which contained photos of drivers and passengers—were taken from the vendor’s servers. The vendor was never supposed to be storing these locally, but it decided to do so and the end result was a lot of leakage the CBP assured everyone contained “no personal information.”

Stop whining, you’re driving in a public place. This Anonymous Coward’s got news for you:

 The law needs to recognize that scale transforms things.
If you note a license plate and its location, that’s you. Fine.
If you note every location that license plate goes to, it’s now stalking.
If you note every location that every license plate goes to, it’s now a surveillance state.

Even if the singular act is the same, scaling utterly transforms its meaning. So we need to legislate about scale and use.

You can’t ban an individual from noting a license plate. But you can ban or regulate the creation of a large-scale database. You can ban the sale of that data. You can ban the service of searching that data.

Would that work? Riddler876 is an enigma:

 But of course you need to acknowledge the value of the data itself to fix that and in doing so restrict both the public and private entities (who make a large amount of money off it). Good luck.

So That One Guy ponders privacy:

 To call this … ’absurd’ is to do a gross disservice to the word. ‘We promise to respect your privacy, if by that you mean have cameras track your every move on the road that we can access for years after the fact’ is the sort of thing that belongs in dystopian novels and films, not an official government agency.

It would be great if politicians and/or judges started handing out hefty slaps and reminders that no, that’s not what ‘privacy’ means. But between those who’ve bought into the idea that a constantly watched country is a safe country … and those too gutless to actually stand up to such activity lest they be labeled as ‘pro-criminal,’ I sadly don’t see that happening any time soon.

WWGDPRD? JaredOfEuropa invites us over:

 The problem is not that … governments outsource stuff to commercial parties. The problem is that those parties are allowed to use and sell the data in ways that clearly don’t fall under the purposes for which the data was originally collected.

That’s one of the good things of European data privacy laws: your policies for collecting, retention, processing and transmission of data, have to fit the purpose for which the data is being collected. Passing it on to 3rd parties is only allowed in some cases, and usually it has to be in aggregated or anonymized form.

But this is ’Murica. Police be trippin’ now. chipmunkofdoom2 just a barcode, ayy:

 Yet another reason why people should be infinitely more concerned with devices like Ring than they are now. Hopefully this is a wakeup call for those folks who say they don’t care if Amazon has full access to the comings and goings from their houses.

“It’s just Amazon” has never really been that great an argument. It’s even worse now that this kind of behavior is going on.

Meanwhile, it’s like Cyrus Farivar—@cfarivar—always says:

 Leading a totally private life is easy! Just throw all your electronics in the nearest body of water, move to the most remote cabin you can find, and never talk to anyone.

Problem solved.

And Finally:

bwk blows millennials’ minds: A text editor without a screen

(an excerpt from the full interview)

Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: ThreeMilesPerHour (via Pixabay)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 516 posts and counting.See all posts by richi