There is a strong possibility that if you drove a vehicle along the freeways sometime in the last year, your whereabouts were documented by law enforcement.

Four years of data detailing the locations of hundreds of thousands of drivers who have passed through San Jose resides in a server somewhere in Costa Mesa. The server belongs to Plate Scan LLC, a now-defunct company that sold License Plate Recognition (LPR) technology to police departments, including San Jose’s.

This technology, with which police patrol cars around Silicon Valley and the country are increasingly being equipped, takes a picture of the front or back of every car it passes and records the license plate number and location of the vehicle. These plates are then automatically run through police databases of stolen cars, which alerts officers if any of the scanned cars are reported stolen or linked to a crime.

Law enforcement officials say this technology is just another tool to combat crime, but there are no legal restrictions on what private companies can do with data collected by law enforcement with LPRs. In some cases, as with the San Jose Police Department, the data is stored indefinitely by a private company, and the amount of oversight on who can access this data is minimal at best.

While Plate Scan—out of business since a year ago—could potentially access its license plate information and even sell it, company president John Dalinsky says he hasn’t touched the data as he liquidates assets. He does, however, have the option to sell it to essentially whomever he wanted.

“There’s no law against it that I know of,” Dalinsky says. “There are really no guidelines for the data in the United States.”

Government watchdog organizations are increasingly raising their concerns about such invasive data collection and potential compromises of privacy.

“The real key issue here is the collecting data, storing it and accessing it later has real potential to create a comprehensive map of how people travel throughout the day,” says Rebecca Jeschke, an analyst with the San Francisco-based digital rights group Electronic Frontier Foundation (EFF).

According to Sgt. Jason Dwyer of SJPD, one LPR-equipped patrol car could scan hundreds of vehicles’ plates each day. During the four years the technology was working—which was paid for by a grant from the Department of Homeland Security—San Jose police collected more data than the department’s servers could handle.

Plate Scan offered computers with drives large enough to store the data but ceased operations last year, leaving the four SJPD LPRs useless. Four years’ worth of data, including the known whereabouts of drivers, has been in limbo ever since, and lawmakers are starting to wonder if there should be some sort of regulation or expiration date on the data.

“It’s sort of like the wild, wild West out there,” says state Senator Joe Simitian (D-Palo Alto). “There is no form of regulation.”

In March, Simitian proposed legislation (SB 1330) that restricted how personal information from LPRs could be stored and collected. Only three groups—EFF, the American Civil Liberties Union of California and Privacy Rights Clearinghouse—supported Simitian’s bill. Nine groups opposed the bill, including the California Fraternal Order of Police, California Police Chiefs Association and California State Sheriffs’ Association. After pushback from law enforcement and private-sector lobbyists, Simitian was forced to abandon the bill.

What concerns Simitian is the unrestricted stockpiling of data by private companies. Specifically, Simitian was concerned with the California-based company Vigilant Video, which has a database of more than 450 million data points.

Vigilant Video acquires data through law enforcement, repossession companies, other private firms and their own scout cars. This information is then made available to law enforcement agencies, but the data acquired by private companies can be made available to other companies, according to Simitian’s office.

“Someone willing to write a check can find all your vehicle location information and know everywhere your 16-year-old daughter was going,” Simitian throws out as an example.

{pagebreak}

This storing and using of data, Simitian says, goes against the privacy rights protected in the state of California’s constitution. SB 1330 would have limited the time law enforcement agencies and private companies can store this data to 60 days.

No law enforcement agency in the state has more LPR scanners than the California Highway Patrol, which purchased a total of 216 plate readers from Vigilant Video last September through a $1.8 million Homeland Security grant.

While all 216 of these LPRs were purchased through Vigilant Video, CHP spokesperson Jaime Coffee says the company does not have access to data because it is only stored on a secure CHP server. Coffee adds that this data is only maintained for 60 calendar days and is purged on a rolling chronological cycle.

Where and how data is stored varies between different law enforcement agencies. The Sunnyvale Department of Public Safety stores information from its two LPRs on a server in its department for a limited time.

According to Sunnyvale Lt. Shawn Ahearn, actual photographs of license plates and vehicles are stored for seven days. The plate number and location of the vehicle is stored for 30 days, unless it is used in an investigation.

Meanwhile, SJPD stored the information indefinitely on the private company’s servers, and no one seems to know what will become of it.

“We’re governed by the Fourth Amendment; in public places there’s no reasonable expectation of privacy,” SJPD’s Sgt. Dwyer says. “The police car can take pictures of your car, but so can anybody else.” Dwyer added that the point of the LPR technology is to solve crimes and not to intrude.

“All the stuff that the LPR does was done manually before, officers would walk down the street and write down plate numbers by hand,” Dwyer said. “Now a computer does it in a microsecond.”

Chris Conley, a technology and civil liberties attorney with Northern California ACLU, disagrees. “Essentially, law and government have no business tracking the location of thousands of innocent drivers,” Conley says. “This information should be deleted immediately.”

Conley cited the Supreme Court case U.S. v. Jones from earlier this year as a similar issue relating to invasions of privacy. Judges split 5-4 in favor of the opinion that warrantless GPS tracking constitutes a search and constitutes a trespass of private property.

The ACLU has recently started looking into the data collection from LPRs, specifically what happens to the information in the hands of private companies that aren’t held responsible. The EFF has also started raising concerns about this issue and has spoken out against LPR tracking and data collection.

“It’s one thing for an officer to look up a license plate and throw the information away if there’s no connection,” says Jeschke. “The potential to keep all this information, that’s creating comprehensive surveillance.”

One of the biggest concerns she and others have is with who has access to this type of information.

“Your physical location is pretty sensitive,” Jeschke says. “Where you go, whether you go to a medical clinic, who your friends are, whether you go to a therapist—knowing your movements could be a physical threat.”