Belvedere police stop illegal sharing of license-plate data

The department had been allowing more than 200 out-of-state and federal agencies access to local driver-location records captured by the city’s cameras in violation of state law. It ended that practice amid an Ark investigation.

THE BELVEDERE POLICE Department has ceased the illegal sharing of local license-plate-camera data with more than 200 out-of-state and federal agencies following an Ark investigation.

While it’s unclear how long the department had been sharing data of vehicles in Belvedere with authorities located outside California, the law barring such sharing, Senate Bill 34, was passed just three months after the city installed its cameras in July 2015 and took effect Jan. 1, 2016. The six cameras, which make about 2 million geotagged and time-stamped captures of vehicle license plates per year, are placed at the corners of San Rafael Avenue and Lagoon Road, Beach Road and Cove Road, and Cove Road and Tiburon Boulevard.

The Ark’s November inquiry grew from media reports a month prior that three Marin residents — with the help of the American Civil Liberties Union and San Francisco-based digital privacy nonprofit Electronic Frontier Foundation — sued Marin Sheriff Robert Doyle for sharing plate data with 424 out-of-state and 17 federal agencies, including U.S. Immigration and Customs Enforcement and U.S. Customs and Border Protection.

That suit, filed in Marin Superior Court Oct. 14, alleges Doyle was violating SB 34’s out-of-state-sharing prohibition, as well as SB 54, California’s 2017 sanctuary law that bars local law enforcement from participating in federal immigration enforcement or cooperating with most immigration officials.

Neither Belvedere nor the Tiburon Police Department shared local plate data with federal immigration authorities, and both Belvedere Police Chief Jason Wu and Tiburon Police Chief Ryan Monaghan said their departments have never received or cooperated with a request from an immigration-enforcement agency and that they do not enforce or pursue anyone in relation to their immigration status.

Tiburon doesn’t transmit data to any out-of-state or federal agencies, but it does receive data from the San Diego Border Patrol, which is a division of the U.S. Border Patrol, an office of U.S. Customs and Border Protection. In an email to The Ark, Monaghan said that agency voluntarily chose to share its data with the department and reiterated that he’s never received, cooperated or acted upon immigration data received by the agency. He and other legal experts interpret the sharing provision as transmitting data to another agency, not receiving it.

Belvedere’s Nov. 18 sharing report generated by Motorola’s Vigilant Solutions — the company used by Belvedere, Tiburon and thousands of other agencies around the nation — in response to The Ark’s California Public Records Act request revealed sharing to authorities in border areas such as the Yuma and Pima county sheriff’s offices in Arizona and the El Paso and Del Rio police departments in Texas.

Other sharing went to agencies in more than two dozen states — anywhere from a drug task force in Washington state to Caldwell police in New Jersey, from Baton Rouge police in Louisiana to Dickinson police in North Dakota — as well as to federal agencies like the FBI, DEA and the U.S. Forest and Marshals services, which don’t have to follow Calfiornia’s rules for when and how the data is accessed.

After reviewing Belvedere’s sharing report, The Ark on Dec. 14 requested an interview with the police chief to discuss it. At the meeting two days later, Wu provided a new report from Vigilant — time-stamped with the same date as the interview request — showing the 200-plus illegal shares had been removed.

Wu said during the interview that Belvedere Sgt. Tom Sabido had been reviewing the department’s shares ahead of the initial Nov. 18 sharing report and had forgotten to finalize it. That statement appears to indicate the department had attempted to remove the illegal shares after The Ark first made its records request on Nov. 8 but before the responsive report was generated 10 days later, which would have obscured the history of illegal sharing in the provided documents.

Wu, however, said the department stopped sharing due to “recent court challenges across the state” involving the state sharing law and added that “if we, and other agencies, were out of compliance (with SB 34), then it was unintentional.”

How the data is used

Belvedere’s license-plate cameras average more than 5,000 scans per day, according to public records compiled by the Electronic Frontier Foundation in its 2021 report “Data Drive 2: California Dragnet,” which reviewed collection by departments statewide. At roughly 2 million scans per year, that’s still a fraction of the 7.7 million annual scans by the Tiburon department, at about 21,000 per day.

The foundation, in fact, put Tiburon atop its statewide list for most-surveilled vehicles, with about 54 scans per 100 miles traveled, or 1.85 miles traveled between scans.

To national media attention, Tiburon in 2010 became the first town in the U.S. to install fixed plate-reading cameras, with advocates calling it a common-sense way to thwart criminals while opponents pushed back over privacy, “Big Brother” surveillance and even the peninsula’s reputation for exclusivity. The six cameras — a set of four on Tiburon Boulevard at Blackfield Drive and a set of two on Paradise Drive — were upgraded from the former 3M Co. system to the Vigilant system in 2017, two years after Belvedere added its cameras. The primary purpose of that upgrade, then-Chief Michael Cronin said at the time, was the ability to share data across agencies.

As motorists come and go, the cameras snap photos of any license plates that come into view, along with the location, date and time the car passed through an intersection. That information is stored in Vigilant’s cloud-based database and can be shared with other agencies. The database is bulked up further by Vigilant cameras used elsewhere at, for example, toll booths or paid and permit parking lots, while some police agencies use mobile cameras in police cruisers to scan plates while driving, or in parking-enforcement vehicles for so-called digital chalking in time-limited spaces.

Vigilant’s database contains more than 7 billion scans and adds another 150 million to 200 million per month, according to the Electronic Frontier Foundation.

In addition to sharing capabilities, Vigilant allows for plate, partial plate and vehicle year, make, model and color searches. It can also perform address searches that narrow what vehicles were in a location at the time a crime occurred.

Requests for sharing are approved or rejected on a case-by-case basis, but once an agency is added to the system to be shared with, it can continue to access the data. However, all captured data is automatically purged from Belvedere’s and Tiburon’s local databases after two years.

The database can be useful to aid communication between agencies about serial criminals, Wu said.

“There are some departments that are so big, they don’t even talk to each other,” he said, adding that if one agency captures a plate of someone who is also committing crimes in neighboring cities, other agencies can use that data to locate the suspect if the same plate matches a similar crime in their jurisdiction.

If they don’t have access to that information, Wu said, they might miss the connection.

He noted the most common use for plate data is to locate cars that have been tagged by other agencies as stolen. Agencies can create “hot lists” with these plates, so when a plate is captured by a camera and matches with one already flagged in the system — known as a hit — law enforcement can use the information to try to locate the stolen car.

Belvedere gets about 220-250 hits per year, according to public records, a hit ratio of about 0.01 percent of all plates scanned — about the same ratio as Tiburon, which gets 900-1,200 hits per year. The two towns’ hit-rate ratios are among the lowest in California and mean that for 99.99 percent of captures, the departments are storing the geotagged and time-stamped movements of vehicles coming and going from Tiburon and Belvedere not associated with any crime. When pieced together with plate data from other agencies, that can give police a look into the daily routines of these same drivers.

Wu said that because police departments aren’t centralized, they have to share information like license-plate data to try to stay ahead of crime.

“It’s more of a collaborative effort than a conspiracy,” he said.

To add an agency to its sharing database, Wu said, the system administrator — in Belvedere’s case, it’s Sabido — reviews the request from vetted agencies with “the need and right to know,” and then approves or denies it. Wu added that the department can terminate its sharing with an approved agency at any time.

For sharing with out-of-state agencies, Wu said there was “really no rhyme or reason” about which agencies received Belvedere’s data, saying it was not really intentional.

“It’s just easier to share with everybody and then just delete,” he said. “But in light of the current situation, we wanted to minimize any negative impact to our department, so we made the decision not to share with out-of-state or federal agencies.”

Wu did not clarify, however, why out-of-state or federal agencies were ever marked as eligible to receive Belvedere’s data under its vetting system, as the law barring such shares has been in place for six of the 6½ years since the cameras were installed, saying only that he believes the department is now in compliance and previous sharing was unintentional.

Sabido declined a request for a telephone interview and did not respond by The Ark’s press deadline to emailed questions — including the criteria he uses to vet sharing requests, whether he individually vetted each of the 200 out-of-state data requests before the department began sharing its data with them and whether he was aware of the law banning those shares when they were approved.

He also did not respond to queries about what prompted him to remove the out-of-state and federal shares in December or when he had last performed a system audit prior to that.

SB 34 requires agencies to implement periodic system audits into their policy manuals, but it doesn’t define how often. Belvedere’s policy says audits should be conducted on a regular basis, but Wu said in the two years he’s been chief, he can only remember it occurring once. He noted, however, that he could amend the policy to include quarterly audits going forward.

Implications of sharing

Wu said sharing data on a wide scale isn’t really a privacy issue because all that’s captured by cameras is the license plate portion of the car, not the people inside it. He noted while there is always a possibility the data could be used to track peoples’ movements around the country, that’s not the way his department uses the data.

But the suit against Doyle, the county sheriff, argues “rampant” sharing “harms the well-being and safety of local community members, needlessly subjecting them to law-enforcement scrutiny and abuse in violation of state law.”

For privacy advocates, the harm may not come locally in how Tiburon and Belvedere police use data to catch actual criminals, but instead in how other agencies across California and the U.S. use the 99.99 percent of plate-capture data for Tiburon and Belvedere drivers who aren’t.

A 2020 report by the California State Auditor found that even within the state, some agencies, including Sacramento and Los Angeles, were adding and storing names, addresses, birth dates, physical descriptions and criminal charges through hot lists and open text fields — personal and potentially sensitive information being uploaded into the system well beyond just plate captures.

In an interview, Dave Maas, the director of investigations at the Electronic Frontier Foundation, said although California has laws barring law-enforcement agencies from using data to track people or monitor immigration status, other states do not. That’s a problem, he said, because the states without regulations can use the information in any way they want.

“Police abuse computer systems on the regular, and (plate) data is often less controlled,” he said. “If people aren’t checking who’s using their data, there can be abuses that go uncaught.”

An Associated Press investigation published in 2016 found nearly 600 documented examples over the prior two years — based on public records of officer disciplinary files — of police abuse of confidential databases, including gathering information on romantic partners and interests, business associates, neighbors, journalists and others. In some cases, those abuses involved stalking of ex-girlfriends or women an officer found attractive, or monitoring the movements of journalists who published unflattering stories. In others, cases involved tampering with and even selling confidential records.

The California State Auditor pointed to Vigilant’s system itself as being potentially problematic; default access via the internet can allow officers to access data from their personal devices, outside an agency’s network-security safeguards, in violation of federal Criminal Justice Information Services security policies, and that most departments don’t use two-factor authentication to prevent unauthorized logins.

Maas’ foundation further scrutinizes Vigilant and the way it works with out-of-state departments that have looser rules, including in Texas, where Belvedere shared with 44 distinct agencies.

In a warrant-redemption pilot program there, Vigilant rolled out mobile readers for police cruisers as well as in-vehicle credit-card machines; police in participating agencies would then use the plate-readers to identify and stop drivers with outstanding court fees, then present them with an option of a trip to jail or immediate payment — with a 25-percent processing fee charged by Vigilant.

In secret counter-terror initiatives, the New York Police Department was found to have used its in-car readers to collect the plates of everyone parked in front of mosques, while Birmingham, Ala., installed more than 200 plate-reading cameras in heavily Muslim suburbs. Even in-state, foundation data obtained from Oakland showed reader-equipped cruisers were disproportionately deployed to low-income neighborhoods and communities of color.

Maas said the foundation has been raising the alarm about illegal data sharing for years and yet, “agencies throughout California are blatantly ignoring the law.” He noted Vigilant teaches officers that sharing plate data is as easy as adding a friend on social media, and a combination of that and negligence has led to many California agencies sharing their data “indiscriminately.”

Moving forward, Maas said, civil-liberties advocates and non-profits like the EFF and ACLU can continue to sue agencies that are violating the law, but maybe the threat of impending legal action will be enough for them to stop.

Maas said he worries if that doesn’t happen, there could be a massive scandal or data breach that would eventually force reform, but it would be too late — the damage would already be done.

Executive Editor Kevin Hessel contributed to this report. Reach Belvedere and public-safety reporter Shayne Jones at 415-944-4627.