The Volokh Conspiracy

Mostly law professors | Sometimes contrarian | Often libertarian | Always independent

Crime

L.A. police must release automated license plate reader data, though in anonymized form

|

Commuters on the westbound 91 Freeway in San Diego. (Glenn Koenig /Los Angeles Times, file)

An interesting decision today from the California Supreme Court (ACLU of So. Cal. v. Superior Court) related to public records requests for automated license plate reader (ALPR) data.

First, the facts:

The ALPR data collection system at issue here utilizes high-speed computer-controlled cameras mounted on fixed structures or on patrol cars. The cameras automatically capture an image of the license plate of each vehicle that passes through their optical range. For each image, the ALPR system uses character recognition software and almost instantly checks the license plate number against a list of license plate numbers that have been associated with crimes, child abduction AMBER alerts, or outstanding warrants.

This list of license plate numbers comprises the investigative "hot list." When a hot list match occurs, the system alerts either officers in a patrol car or a central dispatch unit, depending on whether the ALPR unit that detects a match is mounted on a patrol car or a fixed structure. Most license plate numbers that ALPR units capture do not match the hot list and have no perceived connection to any crimes, AMBER alerts, or outstanding warrants.

The ALPR technology records each scanned license plate number, together with the date, time, and location of the scan, and stores the data on confidential computer networks. The Los Angeles Police Department (LAPD) estimates that it records data from 1.2 million cars per week. It retains license plate scan data for five years. The Los Angeles Sheriff's Department (LASD) estimates that it records between 1.7 and 1.8 million license plates per week. It retains scan data for two years.

In 2012, the ACLU and the Electronic Frontier Foundation demanded - citing the California Public Records Act - that the LAPD and the LASD turn over "records related to those agencies' use of ALPR technology, including 'all ALPR data collected or generated' during a one-week period in August 2012, consisting of, 'at a minimum, the license plate number, date, time, and location information of each license plate recorded.'" (The ACLU and EFF didn't ask for the "hot list.") The law enforcement agencies refused to turn over the records. The agencies did agree to produce "any policies, guidelines, training manuals and/or instructions on the use of ALPR technology and the use and retention of ALPR data, including records on where the data is stored, how long it is stored, who has access to the data, and how long they access the data," which the ACLU and the EFF also requested.

The California Public Records Act is written broadly, and a special provision of the California Constitution instructs courts to read it broadly. But it does have two potentially relevant exceptions, for (1) records of police investigations, and (2) for records as to which "on the facts of the particular case the public interest served by not disclosing the record clearly outweighs the public interest served by disclosure of the record."

The court held that the first exception doesn't apply, "because the scans are not conducted as part of a targeted inquiry into any particular crime or crimes." But the second, catchall exception, did preclude the disclosure of the data:

[D]isclosing unaltered plate scan data to the public threatens individuals' privacy. ALPR data showing where a person was at a certain time could potentially reveal where that person lives, works, or frequently visits. ALPR data could also be used to identify people whom the police frequently encounter, such as witnesses or suspects under investigation …. "Members of the public would be justifiably concerned about LAPD or LASD releasing information regarding the specific locations of their vehicles on specific dates and times to anyone."

Although we acknowledge that revealing raw ALPR data would be helpful in determining the extent to which ALPR technology threatens privacy, the act of revealing the data would itself jeopardize the privacy of everyone associated with a scanned plate. Given that real parties each conduct more than one million scans per week, this threat to privacy is significant.

Nonetheless, the court held, the police might have to turn over the data in anonymized form, unless they could show that this would substantially interfere with law enforcement; and the court remanded to the trial court to gather more facts on whether there would be such interference:

The trial court's concerns about interference with law enforcement were multifaceted. The court initially concluded that even if ALPR data were anonymized before release, "[a] criminal could still use [that] data to follow law enforcement patrol patterns and still could locate a particular randomized plate at a particular location on specific days and times."

The trial court appears to have placed significant weight on the possibility that a criminal could use ALPR data to identify law enforcement patrol patterns. The court did so based on the declaration of LAPD Sergeant Daniel Gomez. In pertinent part, Sergeant Gomez claimed that an individual requesting ALPR data "could use the data to try and identify patterns of a particular vehicle." (Italics added.) However, Sergeant Gomez also seemed to cast doubt on the likelihood that an individual could do so successfully, explaining that "[u]nlike law enforcement that uses additional departmental resources to validate captured [A]LPR information, a private person would be basing their assumptions solely on the data created by the [A]LPR system …." Nevertheless, we will assume, as the trial court found, that a person could at least roughly infer patrol patterns from a week's worth of plate scan data.

The problem with this aspect of the trial court's analysis is that, even assuming patrol patterns can be inferred from ALPR data, there is little reason to believe that this possibility points meaningfully toward "a clear overbalance on the side of confidentiality" with respect to all the records sought. For one thing, fixed ALPR scanners are just that - fixed - so concerns about patrol patterns are inapplicable to the data they collect.

For another, the record does not appear to indicate that knowledge of where law enforcement officers were during a particular week is a reliable guide to where they will be at some precise moment in the future. The trial court did not find, for example, that real parties conduct law enforcement in the same way that they might operate a bus service - moving from point to point at particular times on particular days, never deviating to attend to other business or emergencies. We are not aware of substantial evidence that would have supported such a finding. Likewise, the court did not determine how often any such routes change, nor whether the addition of new mobile scanners would make it challenging to infer that the absence of a patrol route in the past meant the absence of a patrol route in the future….

[A] court applying section 6255(a) cannot allow "[v]ague safety concerns" to foreclose the public's right of access…. The trial court appears to have placed significant weight on speculative concerns about possible disclosure of mobile ALPR patrol patterns, without record evidence to support its conclusions. The court erred in doing so.

Notwithstanding our disagreement with the trial court's reasoning, we do not have a sufficient factual record to determine whether section 6255(a)'s catchall exemption applies. We therefore will remand for further proceedings. On remand, the trial court should conduct a new balancing analysis - one that includes consideration of the feasibility of, and interests implicated by, methods of anonymization petitioners have suggested. The trial court is free to explore other methods of anonymization and redaction as well.

Petitioners have described two anonymization procedures. The first is [a] substitution method …: replacing actual license plate numbers with fictional numbers. Presumably, each plate would be assigned its own unique (fictional) number, because assigning a random number to each scan, even if multiple scans concern the same plate, would be no more informative than simply removing the plate numbers altogether. In exploring this possibility, the court should evaluate the risk that a plate number could be inferred from a fictional number. For example, if plate number "1111111" were repeatedly scanned in front of an office building during the day time, and an apartment building at night, it might be possible to infer the true owner of plate "1111111" and to track their other movements. A second method would call for disclosure of two sets of ALPR data: one that discloses the number of times that each license plate has been scanned, and another that contains only the time, date, and location of the scans.

With respect to the concern that patrol patterns might be discerned from the anonymized data, petitioners suggest different ways to redact the exact date and time of the scans, so that disclosed records would show a "heat map" of where scans were taken during the week of data petitioners seek, without revealing as much information about the mobile units that collected the scans or the license plates that were subject to them. We note, however, as discussed above, that the current record provides little, if any, support for the concern that the data would enable private individuals to discern patrol patterns. Without such information, it is difficult to see what public interest in nondisclosure could clearly outweigh the public interest in disclosure of this redacted information, but we leave the issue for the trial court to resolve.

The anonymization and redaction methods we discuss may be more feasible than the trial court appeared to believe. Petitioners contend that, even using real parties' information system, it takes just "two computer clicks to export license plate data onto a spreadsheet or other type of document, which the parties can then modify." Accordingly, the trial court's analysis should go beyond whether a method of removing exempt information is "a native function" of "[t]he system utilized by the LAPD." While real parties may not have designed their system to facilitate CPRA disclosure as a "native function," randomizing license plate numbers or deleting columns from a spreadsheet, for example, would seem to impose little burden.

We leave the precise balance between effective anonymization and redaction and burden to the trial court on remand….