Yesterday Andy Greenberg of Forbes published
some shocking information, courtesy of a FOIA project done by our friends over
at the Electronic Privacy Information Center (EPIC): US Customs and Border
Protection is sharing our license plate information with private insurance
companies, without any public debate or even forthright public disclosure.
From Forbes:
The FOIA’d records include memos outlining the
sharing of that license plate data between the Department of Homeland
Security’s Customs and Border Protection, the Drug Enforcement Agency, and most
significantly, the National Insurance Crime Bureau, an Illinois non-profit
composed of hundreds of insurance firms including branches of Allstate, GEICO,
Liberty, Nationwide, Progressive, and State Farm….
According to a 2005 “memorandum of understanding”
included in EPIC’s document release, license-plate reader “information on
vehicles departing from and arriving into the United States will be provided to
the [National Insurance Crime Bureau or] NICB for the purpose of deterring the
export of stolen vehicles, identifying vehicle theft patterns and trends…and
returning vehicles to the rightful parties of interest.” The data can also be
used, according to the document, to identify so-called “owner-give-up”
insurance fraud, in which a vehicle’s owner fakes its theft by giving it to a
friend and claiming it as stolen.
The documents also reveal data sharing arrangements
between the Department of Homeland Security and the Drug Enforcement Agency,
which has been quietly
working to expand its own license plate tracking system throughout the
country on major highways—far from US borders. A memorandum of understanding
between the two agencies says that they will share license plate recognition
data with the other “at regular intervals and in a manner specified in a
separate, service-level agreement between the parties.” The memorandum further
states that this license plate data can be freely shared with “intelligence,
operations, and fusion centers” nationwide.
In other words, our worst fears about license plate
recognition technology appear to be unfolding. The government is creating large
pools of our location information and sharing it widely among law enforcement
agencies nationwide, absent any mention of connections to investigations or
criminal activity.
As of June 2012, the CBP operated 110 license plate
readers at outgoing border checkpoints throughout the United States, according
to the released documents. The documents reveal that the agency retains for two
years the license plate information of millions of drivers who enter or exit
the country via automobile at land borders between the US and Mexico, and the
US and Canada. But as Greenberg points out, the two-year retention period
doesn’t apply if the information is shared outside the agency, so that limit
may not be at all meaningful.
Government
agencies, private companies and our private data
We also don’t know exactly how far our license plate
data is spreading within the private sector. While the agreement between US
Customs and the private insurance industry organization NICB explicitly states
that the latter “may not use the information obtained from CBP for commercial
purposes or sell the information obtained from CBP to any third party,” the
list of companies that have access to the data as a result of membership in
NICB is long. More
troubling still, the agreement says that the NICB “may outsource data entry,
database and telecommunications maintenance, and operation functions relating
to the LPR database(s) to a data processing service (DPS).”
The agreement provides for no external oversight of
these private companies and their management of our license plate data. In
other words, US Customs allows not only the NICB but also the sub-contracted
“data processing service” corporations that manage our license plate data to
self-police when it comes to preventing fraud, abuse or other mis-use of our
information. US Customs says that “NICB will require that any recipient of LPR
information from NICB immediately report misuse of LPR information to NICB who
will then report the misuse to CBP.”
In short, US Customs is granting a private company
access to what it admits is “highly sensitive commercial, financial, and
proprietary information,” and then further allowing the private company to
outsource the management of that “highly sensitive” data to yet another private
company. The only auditing and accountability mechanisms required are
self-policing and self-reporting.
These documents reveal a growing problem that extends
far beyond the management of license plate data. The government is increasingly
collecting vast quantities of information about ordinary people accused of no
crime, and increasingly it is relying on private contractors to manage, sort
and analyze this data looking for crime or even “pre-crime” trends. The sharing
of our license plate data with private companies should be viewed as but one
troubling example of this much larger problem.
No comments:
Post a Comment