Customs will have access to commercial datasets including license plate images and data from parking garages, toll booth cameras and financial institutions, as well as local governments and law enforcement.
The Customs and Border Protection agency has been collecting vehicle information at the border using license plate readers for years. Now, the agency will begin incorporating third-party license plate reader data collected from local governments, law enforcement and the private sector and maintained by a commercial vendor.
A privacy impact assessment published July 7 outlines the agency’s plan to incorporate datasets maintained by third-party vendors as part of its investigations. The latest update is the first since December 2017, when CBP authorized the use of license plate readers for data collection.
“To meet its vast mission requirements, CBP relies on a variety of law enforcement tools and techniques for law enforcement and border security,” the PIA states. “One such tool is license plate reader (LPR) technology, which consists of high-speed cameras and related equipment mounted on vehicles or in fixed locations that automatically and without direct human control locate, focus on, and photograph license plates and vehicles that come into range of the device.”
Each data collection—or “read”—gathers the vehicle’s license plate number; an image of the vehicle, including make and model; where it is registered; the location and owner of the camera; and any associated location information, including GPS coordinates. “LPR technology may also capture—within the image—the environment surrounding a vehicle, which may include drivers and passengers,” the impact assessment notes.
In the past, CBP officers (customs officials) and agents (Border Patrol) could access data only from CBP-owned and operated readers.
With the release of the PIA, CBP can also use data from third-party vendors. Those databases contain information collected by “private businesses (e.g., parking garages), local governments (e.g., toll booth cameras), law enforcement agencies, and financial institutions via their contracted repossession companies,” the PIA states.
“The LPR commercial aggregator services store, index, and sell access to the images, along with the time and location of the collection. CBP will only have access to images from U.S. based cameras that are part of the commercial aggregator’s services,” the document adds.
CBP offices may have already obtained data from commercial databases prior to the release of the PIA, the document states, but officers were restricted from making “operational use” of the data before the PIA was published.
Using the new system, CBP agents and officers can enter a license plate number, the make or model of a vehicle or the location of the license plate reader and receive “any responsive records” from the database, “with a primary focus on reads occurring within the last 30 days,” the document states.
According to the PIA, aggregating third-party data with its own resources will enable CBP investigators to:
Instead of adding the commercial data to its existing databases, CBP is using an API to query the vendors’ database through the Automated Targeting System. CBP updated the ATS privacy documents to include commercial license plate data—along with other additions—at the end of May.
In the privacy document, officials liken the new approach to using other commercial data interfaces like LexisNexis.
“CBP has created a web service through which authorized ATS users may create vehicle displays that present vehicles of possible interest, query historical LPR data, and use advanced analytics for enhanced review and analysis,” the document states.
That said, the results of those searches can be saved in ATS if they are pertinent to ongoing investigations. If not, the queries are deleted within four to 24 hours; until then they are cached temporarily to speed up repeat queries within a short time span.
“Location-based commercially aggregated data creates a number of privacy risks,” the PIA notes, including unauthorized access or misuse by CBP employees, as well as by external actors like hackers.
To limit the potential for internal abuses, “access to this sensitive information is strictly limited and auditable,” the document states. “CBP has limited access to the commercial LPR information through a newly created role within ATS that requires a multi-level approval process.”
That process includes only using the capability to “identify locations and movements of already identified subjects and associates believed to be involved in illegal activity,” the document states [original emphasis included].
The privacy document cites several risks to individuals, including that people not under suspicion of a crime might be “unaware of or unable to consent to CBP access to their license plate information.”
“This risk cannot be fully mitigated,” the agency admits, as “CBP cannot provide timely notice of license plate reads obtained from various sources outside of its control.”
The only way for a person to truly protect their privacy from these systems is to opt out by not driving in areas with license plate readers, “which may pose significant hardships and be generally unrealistic,” the document states.
“Although the lack of notice and participation poses a privacy risk, especially to individuals who are not under investigation, CBP helps reduce the impact of this risk by only accessing license plate information when there is circumstantial or supporting evidence to a lead and does not retain any information not associated with a law enforcement event,” according to the PIA.
Even if all other uses are performed appropriately and risks are mitigated, one substantial privacy issue remains: the mosaic effect, in which lots of seemingly unintrusive datapoints reveal sensitive information when aggregated together.
“For example, LPR data from third party sources may, in the aggregate, reveal information about an individual’s travel over time, or provide details about an individual’s private life, leading to privacy concerns or implicating constitutionally-protected freedoms,” the document notes.
CBP officials said this risk has been partially mitigated by limiting how far back investigators can reach to five years and by only retaining search results if the information is pertinent to an investigation.
Additional steps are being taken to limit potential abuse across the board, according to the PIA. These include strict user roles and privileged access controls; comprehensive system and privacy training; visible in-system warnings about valid uses; and regular system and process audits.
In this case, use of a third-party system could decrease the potential for malicious data leaks and theft, as well. In June 2019, CBP reported a “malicious cyberattack” on its license plate database when a subcontractor illegally transferred images to its own database, which was then the target of a breach.
While data maintained by a commercial vendor could be compromised in an attack, under the new framework CBP is only responsible for protecting the saved query results.