Breaking News Emails
Editor's note: This story includes a correction.
License plate recognition technology developed for law enforcement and embraced by the auto repossession industry is being opened to wider use through a Florida company that lets its clients track the travels of millions of private vehicles – adding to privacy advocates’ concerns that such data could be used improperly.
TLO, an investigative technology company in Boca Raton, Fla., began offering the search service to its private industry clients in late June, saying it taps into a database of more than 1 billion records collected by automatic license plate readers.
A report earlier this week by the ACLU found that U.S. law enforcement agencies are scooping up droves of data using license plate readers, creating massive databases where more than 99 percent of the entries represent innocent people.
But private industry also has put the technology to work, most prominently in recovering vehicles from deadbeat borrowers. As the new TLO service demonstrates, private use of LPR data for other purposes is expanding rapidly.
It’s unclear who runs the database that TLO taps into, but the two leading companies in the field say that each month their databases collect tens of millions of pieces of geo-located information from thousands of license plate readers, mounted on tow trucks, mall security vehicles, police cars, at the entrances to store parking lots, on toll booths or along city streets and highways.
The data can include the location of the vehicle, the date and time it was spotted, and an image. Sometimes, drivers and passengers appear in the images.
“The prospect of a private company making such data public to all comers is scary,” said Catherine Crump, an attorney with the ACLU’s Speech, Privacy and Technology Project. “This kind of information is particularly what stalkers would love to get their hands on.”
Crump, who wrote the ACLU report but said she had not been aware of TLO’s service, worried about privacy concerns with other possible uses, such as corporations tracking where their employees go after work, politicians scouting rivals or people keeping tabs on babysitters’ travels.
But those involved in amassing license plate databases say such fears are unfounded – and that data obtained via Facebook, Twitter or a person’s cellphone are far more intrusive.
“They can figure out who you date,” said Scott A. Jackson, founder and CEO of Illinois-based MVTRAC, which controls one of the two big private LPR databases in the U.S. “For us to figure out that information, it would take us billions and billions of license plates to get to that point. We’re at least 10 years away from that.”
Jackson also said companies that use MVTRAC’s camera systems and tap into its database go through rigorous background checks and vetting of computer security and personnel. He said that anyone who used MVTRAC’s database improperly could be violating three federal privacy laws.
Still, he said, the impetus is on companies like his to show that they use data properly.
“There’s no illegality whatsoever for me giving you data about a license plate. But as big data becomes exponential, society has a reasonable expectation that companies will handle themselves responsibly,” Jackson said. “I wouldn’t give this data to someone I don’t know – they might be a stalker.”
Similarly, Chris Metaxas, chief executive officer of Texas-based Digital Recognition Network, or DRN, which holds the other big private LPR database, said strict rules govern how such data is collected and used. He said that the ACLU’s concerns about how long LPR data is kept by law enforcement miss the point.
“The issue is really not about retention of data. The real issue is one of access control and effective policies” surrounding privacy and security, Metaxas said.
Metaxas said his company adheres to best practices laid out in federal driver’s privacy laws for access control, encryption and security of its data. DRN's data does not contain private information about individuals, he said.
“We do not retain any identifiable information related to owners of those license plates,” he said.
Jackson said that MVTRAC has expanded the use of its data beyond law enforcement and the repossession and insurance industries but that his company did not contract with TLO or have plans for a service like TLO’s.
When asked whether TLO used DRN’s database, Metaxas said he could not answer questions about possible clients.
A source at TLO with knowledge about how the company markets such information said that not just anyone can get access to the Vehicle Sightings database. Clients must be part of specific industries, follow rules on permissible use of TLO’s databases and describe specifically how they wanted to use the data, the source said.
TLO advertises on its website that it serves clients in the legal, financial services, corporate risk and private investigative industries, along with investigative journalists and law enforcement and government agencies.
The source, who spoke on condition of anonymity, said that the Vehicle Sightings tool is not available to the banking and car repossession industries, but not because of privacy concerns: Those industries are bread and butter for the company that actually owns the database, the source said.
TLO says on its website that the service offers photos of the vehicle and license plate along with time and geographic stamps, and can map where vehicles were seen.
License plate recognition technology was incubated in Britain during the fight against IRA terrorists. Police agencies brought the technology to the United States in the early 2000s to combat auto theft. The 9/11 attacks also brought interest from the Department of Homeland Security in how LPR could be used to fight terrorism.
State and local agencies began equipping cars with LPR cameras that captured far more plates per minute than patrol officers could enter into the system by hand in a day. And government-run LPR databases began to grow.
But the auto repossession industry is where the private use of LPR data in the United States took off about five years ago.
Companies started using LPR data to identify automobiles driven by delinquent borrowers. After a shakeout during the recent recession, DRN and MVTRAC emerged as the two big players in the private LPR database market.
A DRN sister company, Livermore, Calif.-based Vigilant Solutions, is focused on law enforcement agencies. But its system is also in use at the Arden Fair Mall in Sacramento, where security officers employ two LPR-equipped vehicles to patrol the 77-acre property, across the American River from downtown.
Each vehicle has two cameras that capture license plates of parked cars and feed them into the database, while the system checks to see if any of those have been reported stolen. Steve Reed, the mall’s manager of security and guest services, says the system has been effective: In 2007, there were 77 auto thefts at the mall, but last year there were just 12. Through the first six months of this year, there had been only two.
“We’re getting the word out: Don’t bring your stolen cars here, and don’t steal cars here,” Reed said.
Reed says that his initial concern about LPR use was the privacy of the mall’s customers. But he said the system is “very non-invasive”: The security officer gets an alert when the system spots a car on a police hot list, then calls Sacramento police, who confirm the plate and respond to deal with the vehicle. He said the system doesn’t let his officers access personal information linked to vehicles.
Reed estimates that since his mall got the technology in 2008, it has captured more than 8 million license plates.
The very quantity of data being collected by both law enforcement and private LPR cameras raises privacy worries for some.
“This sort of constant surveillance makes it very dangerous for us as a society,” said Michael Katz-Lacabe, a network security engineer and member of the San Leandro, Calif., school board.
Katz-Lacabe has first-hand experience with the reach of LPR data – police cameras in San Leandro captured his two vehicles more than 100 times over two years, which he discovered from a public records request in 2010. In one of the images, he and his daughters are stepping out of the family’s Toyota Prius in their driveway.
“I’m an adult and can make a decision, but they’re not,” he said. “They don’t have a say in this privacy debate.”
He said that debate should be about who controls information about individuals. He said that in Europe, people have much more say in how data about them is used.
“I think people don’t understand the danger of metadata and the information that can be determined from it,” he said.
As an example, he pointed to an MIT study published in March that showed that having just four points of mobility data about a person was enough to identify that person with 95 percent accuracy.
MVTRAC’s Jackson and DRN’s Metaxas disagree. Jackson said that while it might be appropriate to restrict how long such data can be retained by government agencies, such limits on private companies would be counterproductive.
“That type of information is useful forever,” he said.
Related story: ACLU: Digital dragnet ensnares millions of innocent drivers
He offered an example of a researcher who might be interested in looking at historical patterns in traffic. “What if you didn’t come up with the idea in five years?” he said. If the data is erased, “You can’t go back.”
Brian Shockley, vice president of marketing at Vigilant Solutions, said law enforcement officials look at the major crimes that LPR data have helped solve and worry about losing access to it. If restrictions are imposed, he said, “The thought is the policies on retention of LPR data should mirror the statute of limitations for major crimes.”
Such arguments don’t sway privacy advocates such as Jennifer Lynch, a lawyer with the Electronic Frontier Foundation, a nonprofit focused on free speech, privacy and consumer rights.
She said metadata can be used to learn about specific people, especially as more and more of it is amassed. And she noted there’s no oversight over companies in how they set privacy and retention policies.
Then there’s the multiplying factor of LPR data, cellphone data, Facebook posts, tweets and other sources of information about an individual.
“This information gets combined with other information and there’s quite a portrait painted of this person,” she said.
More from NBC News Investigations:
- Ex-Pentagon official has 'heavy heart' over US teen's drone strike death
- Former CIA agent wanted in Italy 'rendition' case detained in Panama
- Siblings with same life-threatening disease get split decision from insurer