Customs to Expand License Plate Reading Program Nationwide

oksana.perkins/Shutterstock.com

Featured eBooks
Digital Transformation
Read Now

Federal IT Modernization Still a Major Challenge

Read Now

DHS’ next chapter as an enterprise services provider

Read Now

What's happening in health tech

Read Now
Aaron Boyd By Aaron Boyd,
Senior Editor, Nextgov

By Aaron Boyd

|

Customs will have access to commercial datasets including license plate images and data from parking garages, toll booth cameras and financial institutions, as well as local governments and law enforcement.

The Customs and Border Protection agency has been collecting vehicle information at the border using license plate readers for years. Now, the agency will begin incorporating third-party license plate reader data collected from local governments, law enforcement and the private sector and maintained by a commercial vendor.

A privacy impact assessment published July 7 outlines the agency’s plan to incorporate datasets maintained by third-party vendors as part of its investigations. The latest update is the first since December 2017, when CBP authorized the use of license plate readers for data collection.

“To meet its vast mission requirements, CBP relies on a variety of law enforcement tools and techniques for law enforcement and border security,” the PIA states. “One such tool is license plate reader (LPR) technology, which consists of high-speed cameras and related equipment mounted on vehicles or in fixed locations that automatically and without direct human control locate, focus on, and photograph license plates and vehicles that come into range of the device.”

Each data collection—or “read”—gathers the vehicle’s license plate number; an image of the vehicle, including make and model; where it is registered; the location and owner of the camera; and any associated location information, including GPS coordinates. “LPR technology may also capture—within the image—the environment surrounding a vehicle, which may include drivers and passengers,” the impact assessment notes.

In the past, officers—customs officials—and agents—Border Patrol—could only access data from CBP-owned and operated readers.

With the release of the PIA, CBP can also use data from third-party vendors. Those databases contain information collected by “private businesses (e.g., parking garages), local governments (e.g., toll booth cameras), law enforcement agencies, and financial institutions via their contracted repossession companies,” the PIA states.

“The LPR commercial aggregator services store, index, and sell access to the images, along with the time and location of the collection. CBP will only have access to images from U.S. based cameras that are part of the commercial aggregator’s services,” the document adds.

CBP offices may have already obtained data from commercial databases prior to the release of the PIA, the document states, but officers were restricted from making “operational use” of the data before the PIA was published.

Using the new system, CBP agents and officers can enter a license plate number, the make or model of a vehicle or the location of the license plate reader and receive “any responsive records” from the database, “with a primary focus on reads occurring within the last 30 days,” the document states.

According to the PIA, aggregating third-party data with its own resources will enable CBP investigators to:

  • Identify individuals and vehicles that may need additional scrutiny when attempting to cross the border.
  • Enhance both officer and public safety by enabling enforcement actions to occur in locations that minimize the inherent dangers associated with border enforcement encounters.
  • Help resolve matters that might otherwise be closed for lack of viable leads.

Instead of adding the commercial data to its existing databases, CBP is using an API to query the vendors’ database through the Automated Targeting System. CBP updated the ATS privacy documents to include commercial license plate data—along with other additions—at the end of May.

In the privacy document, officials liken the new approach to using other commercial data interfaces like LexisNexis.

“CBP has created a web service through which authorized ATS users may create vehicle displays that present vehicles of possible interest, query historical LPR data, and use advanced analytics for enhanced review and analysis,” the document states.

That said, the results of those searches can be saved in ATS if they are pertinent to ongoing investigations. If not, the queries are deleted within four to 24 hours—cached temporarily to speed up repeat queries within a short time span.

“Location-based commercially aggregated data creates a number of privacy risks,” the PIA notes, including unauthorized access or misuse by CBP employees, as well as from external actors like hackers.

To limit the potential for internal abuses, “access to this sensitive information is strictly limited and auditable,” the document states. “CBP has limited access to the commercial LPR information through a newly created role within ATS that requires a multi-level approval process.”

That process includes only using the capability to “identify locations and movements of already identified subjects and associates believed to be involved in illegal activity,” the document states [original emphasis included].

The privacy document cites several risks to individuals, including that people not under suspicion of a crime might be “unaware of or unable to consent to CBP access to their license plate information.”

“This risk cannot be fully mitigated,” the agency admits, as “CBP cannot provide timely notice of license plate reads obtained from various sources outside of its control.”

The only way for a person to truly protect their privacy from these systems is to opt out by not driving in areas with license plate readers, “which may pose significant hardships and be generally unrealistic,” the document states.

“Although the lack of notice and participation poses a privacy risk, especially to individuals who are not under investigation, CBP helps reduce the impact of this risk by only accessing license plate information when there is circumstantial or supporting evidence to a lead and does not retain any information not associated with a law enforcement event,” according to the PIA.

If all other uses are performed appropriately and risks mitigated, one substantial privacy issue remains: the mosaic effect, in which lots of seemingly unintrusive datapoints reveal sensitive information when aggregated together.

“For example, LPR data from third party sources may, in the aggregate, reveal information about an individual’s travel over time, or provide details about an individual’s private life, leading to privacy concerns or implicating constitutionally-protected freedoms,” the document notes.

CBP officials said this risk has been partially mitigated by limiting how far back investigators can reach to five years and by only retaining search results if the information is pertinent to an investigation.

Additional steps are being taken to limit potential abuse across the board, according to the PIA. These include strict user roles and privileged access controls; comprehensive system and privacy training; visible in-system warnings about valid uses; and regular system and process audits.

In this case, use of a third-party system could decrease the potential for malicious data leaks and theft, as well. In June 2019, CBP reported a “malicious cyberattack” on its license plate database when a subcontractor illegally transferred images to its own database, which was then the target of a breach.

While data maintained by a commercial vendor could be compromised in an attack, under the new framework CBP is only responsible for protecting the saved query results.

NEXT STORY: Surge in Coronavirus Cases Raises New Questions About Agencies' Office Reopenings

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.