Some of California’s largest police departments have been collecting millions of images of drivers’ license plates and sharing them with entities around the country—without having necessary security policies in place, in violation of state law, according to a newly released state audit.

The audit, published Thursday, found that 230 police and sheriff’s departments in the state currently use automated license plate readers (ALPRs), which can be fixed cameras or devices mounted on patrol cars. Police have touted the technology as necessary for enforcing parking and basic municipal laws, and as a vital tool in child abduction cases and other high-profile investigations.

But the California State Auditor’s office found that most of the data collected is on innocent people and their car movements.

The Los Angeles Police Department, for example, has collected more than 320 million images over the last several years. Only 400,000 of those generated immediate matches to cars of interest, but the remaining 99.9 percent of the images, which can be used to track peoples’ movement across the city, stay stored in a department database for more than five years, according to the audit.

The LAPD then adds other sensitive information to that database, sometimes tagging the photos with criminal records, names, addresses, and dates of birth. Meanwhile, the department has not established any written policy governing proper use of its ALPR data, in violation of a 2016 state law.

Citing a case in Georgia in which a police officer took a bribe to look up a woman’s license plate to determine if she was an undercover officer, the auditors also determined that many of the departments it examined were not ensuring that only authorized personnel had access to ALPR data, or auditing the database logs to make sure that authorized personnel were using the systems properly.

“This is very troubling. This technology reportedly exists to help with parking enforcement and other basic law enforcement responsibilities, and yet we’re seeing a huge amount of data collected, retained, and shared unnecessarily,” state Sen. Scott Wiener, who requested the audit, told Motherboard.

Wiener said he plans to introduce follow-up legislation to ensure law enforcement agencies are following the laws.

In a brief response published along with the audit, the LAPD said it plans to finalize an ALPR plan by April.

“The LAPD will perform an assessment of the systems' data security features and retention periods for ALPR images to evaluate the need for adjustment, prior to publishing of the ALPR policy,” the department wrote. “Furthermore, the policy will list the entities the department shares ALPR images with and the process for handling image-sharing requests.”

During testimony before the state legislature in August, though, the LAPD lieutenant who oversees the department’s license plate reader program stated, “We continue to ensure that we abide by both the laws that are in place,” directly contradicting what the audit would ultimately find.

Among the most concerning revelations in the audit, privacy advocates said, was the apparent carelessness with which police departments shared the information in their ALPR databases.

In addition to the LAPD, the auditors examined three other agencies in detail: the Fresno Police Department, Marin County Sheriff’s Office, and Sacramento County Sheriff’s Office. The Sacramento sheriff’s office shared its data with 1,119 entities, Fresno with 982, and Marin with 554 around the country. LAPD shared data with 58 departments in California.

The auditors found Sacramento, Fresno, and Marin had apparently taken minimal steps to determine why the entities requesting access to the license plate data needed it, or even if they were public agencies at all, which is a requirement under the state law.

Some of the entities on the share lists were identified only by initials, according to the audit. And the three California departments were all sharing data with an entity listed as the Missouri Police Chiefs Association, which is a private advocacy group, not a law enforcement agency. Vigilant Solutions, the company that provided ALPR technology to those departments later told auditors that the Missouri Police Chiefs Association was actually the Missouri State Highway Patrol, but the California departments had apparently not noted the difference.

Sacramento, Fresno, and Marin were also sharing data with the Honolulu Police Department, which is separated from California by roughly 2,500 miles of ocean, raising questions about why Honolulu police need to know the every movement of California drivers.

“They’re sharing this data indiscriminately across the country without even thinking or doing the justification of why they’re sharing with these agencies,” Dave Maass, a senior investigative researcher for the Electronic Frontier Foundation who has been tracking police use of ALPR technology, told Motherboard.

In its response to the audit, the Marin County Sheriff’s Office defendended its sharing policies, including with Honolulu, saying they were “done properly and with consideration as to the multiple matters which have in the past involved both agencies.”

Maass said the California audit should serve as a larger warning. ALPR technology is widespread not only among police departments, but among private entities who use tools built by companies like Vigilant.