Most tech-related news these days involves something that would fit a great sci-fi novel from the sixties, like self-driving cars or an artificial womb. However, some of that news looks more like something else from the sixties: Cold War spy fiction.

As the EFF has recently unveiled, Irvine Company, California’s largest private landowner, which operates 46 shopping malls throughout California, has been using automated license plate readers (ALPRs) to collect information about its customers and everybody else unfortunate enough to come into its sight. Several local malls have been involved in the process since at least 2016.

In this feature, we take a look at everything known about the situation so far: opinions and statements from different sides of the story, the community’s reaction, as well as some arguably obvious and not so pleasant conclusions.

Irvine Company, ICE, and Surveillance State

Irvine Company is quite a large enterprise, to say the least, and owns over 110 million square feet of property, including 46.5 million square feet of office properties, 160 apartment communities, more than 40 retail centers, five marinas and three golf courses, as well as three hotel resorts. At least that’s what the spokesperson for the company told Bloomberg.

The company is run by 85-year-old Donald Bren, a former marine with a $17 billion net worth and the majority owner of the New York Met Life building. The company also owns the 93,000-acre Irvine Ranch, which accounts for more than ⅕ of Orange County and includes, among other locations, the city of Irvine, parts of Newport Beach, Santa Ana and Costa Mesa, Laguna Beach, Tustin, Orange, and Anaheim, as stated on the company’s website.

According to the company’s own ALPR Usage and Privacy Policy, the surveillance began in early 2016. Since then, Irvine has been collecting and storing data on license plates converted to plain machine-readable text bundled with the respective time, date, and GPS coordinates. Notably, said policy doesn’t explicitly list the shopping centres where the technology is being used and only hints that there’s “one or more” of such locations.

“Irvine Company is a customer of Vigilant Solutions. Vigilant employs ALPR technology at our three Orange County regional shopping centers. Vigilant is required by contract, and have assured us, that ALPR data collected at these locations is only shared with local police departments as part of their efforts to keep the local community safe,” Irvine Company spokesperson Scott Starkey told NBC7.

Vigilant Solutions, a surveillance tech company that gets the information from the ALPRs installed at Irvine’s shopping malls, has one of the largest license plate databases in the country. Apart from the malls in question, the company gets its data from police departments, vehicle repossession agencies, and many other sources.

According to the extensive report by the EFF, Vigilant Solutions feeds its data to around a thousand law enforcement agencies in the US, as well as to private entities, such as financial lenders, debt collectors and insurance firms, through a company called Digital Recognition Network. Reportedly, Vigilant Solutions disagreed with the EFF’s findings, calling the article “inaccurate and rooted in opinion, not fact.” However, it pointed out no specific inaccuracies.

“The use of legally permissible Automated License Plate Readers is a practice that has helped enhance the safety of our community. We have made numerous arrests thanks to this technology while respecting the privacy rights of the public. The Irvine Police Department uses this information for our own investigations and never shares the information,” said the Irvine Police Department’s spokesperson Kim Mohr in a statement to NBC7.

Also, Vigilant Solutions signed a major deal with the Immigration and Customs Enforcement agency (ICE), allowing the latter to access billions of license plate records with timestamps and geolocation. Not much of a surprise, considering the exceptionally close attention the Trump administration is paying to immigration issues.

“Like most other law enforcement agencies, ICE uses information obtained from license plate readers as one tool in support of its investigations,” the agency’s representative told the Verge. “ICE conducts both criminal investigations and civil immigration enforcement investigations. ICE is not seeking to build a license plate reader database, and will not collect nor contribute any data to a national public or private database.”

Evidently, ICE had been looking for such a data source since at least 2012, when it tested Vigilant Solutions’ system for finding illegal immigrants for the first time. By 2014, ICE announced its plans to develop a nationwide license-plate tracking system and turned to third-party companies to compile a relevant database. Shortly afterwards, the initiative was shut down by Homeland Security secretary Jeh Johnson due to substantial privacy concerns.

It is also worth mentioning that earlier in 2018 the California Senate rejected a new bill that would have entitled people to cover the license plates on their cars when parked, avoiding scanning by ALPRs. While numerous privacy activists supported the bill, it appears that the lobbying by law enforcement agencies eventually took its toll.

Still, those malls that kickstarted this scandal are by no means an exception. It seems there are numerous venues and places of all shapes and sizes involved in such questionable surveillance practices. ALPRs are reported to be in use by LA’s Westfield parking, the Galleria, and many Santa Monica parking garages, public roads and, basically, almost any other place you may think of driving to.



Community Reacts

Unsurprisingly, the public wasn’t too happy about discovering they’re being watched by yet another big brother who cares little about getting consent or respecting anyone’s privacy.

Some people decided that it was time to run public rallies in front of the involved malls to spread the word among those unaware of the situation.

Time to use Google. Search list of real estate holdings by Irvine Company. Picket all of them. Warn shoppers! — alias ratna (@miaokuancha) July 10, 2018

Others point out that the problem is even bigger than it may seem at first.

important to note that these shopping centers are primarily built around/in/near apartment complexes. Which potentially means even more information about where people live. — Julian Missig (@jmissig) July 11, 2018

One of the biggest problems here, however, seems to have been tackled in a relevant conversation on Reddit.

“What is the Irvine Company receiving in return for informing on their mall patrons? What benefit do they receive in exchange for facilitating the gathering of this information? What role have they played working with ICE outside of gathering this data? Why does a mall need to collect the license plate information of shoppers? What other governmental partnerships has this company forged?” asked Reddit user ElCabezonSpartan.

The same user recalled the relatively recent Equifax leak, one of the biggest privacy breaches in the U.S. Back in September 2017, 17.6 million driver’s license numbers and ID images were stolen along with other sensitive data, like social security numbers.

Another Reddit user xilix2 noted:

So, it seems that it may run deeper than it looks. In fact, any malevolent party, had they had access, could easily use the surveillance data and the stolen IDs to do almost anything, from stalking a person 24/7 to setting up a surveillance state akin to that described by George Orwell in 1984, depending on the resources they have at their disposal and, of course, their intentions.

Conclusion

The real problem here is that Irvine Company is hardly the only real estate owner to spy on people and then sell or otherwise give away the data to a third party, not necessarily the government. Likewise, Equifax wasn’t even the only company involved in the breach back then. Sensitive data leaks from private companies every now and then, as certain reports suggest.

The heart of this issue is that someone having access to the leaked data and the surveillance feed could become an omnipotent entity, a real eye in the sky that sees everyone and everywhere.

And as close as it may seem to a dystopia where governments are able to read people’s thoughts, it might just as well be not a government but a criminal syndicate, human traffickers, or even a comic book supervillain.

It appears that the privacy laws enacted in certain parts of the world should merely be the first step towards tackling one of the biggest challenges of the 21st century: personal data breaches and privacy violations.
