Update, February 11: Last night, the Public Safety Committee, led by Councilmember Desley Brooks, "approved in concept the work that has been done so far" by the Ad Hoc Privacy Policy Committee. The Public Safety Committee indicated that it felt small changes were needed, but their response was overall positive. The policy and additional recommendations will be posted online in order to give the public a chance to comment, and will be in front of the Public Safety Committee at the first meeting in April. However, it turns out that the Port of Oakland decided at a Port Commission meeting (without talking to the City Council, apparently) not to fund 24/7 monitoring of the Domain Awareness Center, meaning that although it has already been built, it will not be staffed unless the City of Oakland decides to pay for staff. With such a scaled-down DAC, the public now has an opportunity to indicate that it wants to tackle the bigger issue of surveillance in Oakland. It wasn't entirely clear from the Councilmember's comments where they fall on the recommendation to pass a city-wide policy, so commenting on the policy and attending the next meeting could make a big difference.

It’s been nearly a year since the Oakland City Council, in response to intense community pressure, voted to scale down its original plan for a broad, citywide surveillance system. Oakland’s Domain Awareness Center (DAC) would aggregate information from multiple sources, creating a visual feed that could be easily monitored. In a city that is no stranger to civil liberties violations by the police, it was hotly debated last year. The tension focused on the dangers of a DAC that could aggregate data from sources both at the Port of Oakland and throughout the city. Ultimately, the city council passed a resolution that removed most of the city components—most importantly “shot-spotter” and city cameras—leaving a “port-only” DAC. It also created an ad-hoc "Privacy Policy Committee" tasked with creating a privacy policy for the DAC.

EFF participated as part of the DAC Privacy Policy Committee. (Fellow committee member Phil Wolff did a great job of collecting meeting minutes and notes here.) We played a very cautious role on the committee, understanding that some who criticized the DAC as it was originally proposed were still very concerned that it was moving forward at all.

That being said, we participated in the creation of the privacy policy because we wanted it to be as strong as possible. And when it comes to the Committee’s final product, we think this is a good start. It’s a one-of-a-kind policy that affirmatively seeks to protect privacy, provides people with the ability to sue for damages when the policy is violated, and has detailed data use, retention, and auditing requirements. If the policy passes, it’s likely that it will be used as a model in other cities—hopefully before new technology is ever purchased.

The Good

The proposed policy is 12 pages long, so we won’t go into every single detail. But overall, the policy now is much improved from the original framework because it:

Specifically lists the “allowable uses” for the DAC and who has access to DAC data;

Defines important terms throughout to try to close loopholes; and

Clearly defines the Domain Awareness Center and its component parts, making it clear that it is restricted to the Port of Oakland.

Part of what makes the policy unique is that it starts off with an affirmative statement about privacy in the “Policy Purpose” section:

This Policy is designed to promote a "presumption of privacy" which simply means that individuals do not relinquish their right to privacy when they leave private spaces and that as a general rule, people do not expect or desire for law enforcement to monitor, record, and/or aggregate their activities without cause or as consequence of participating in modern society.

We think that’s a very strong statement. It’s the opposite of the poisonous idea that if you have nothing to hide, you shouldn’t be concerned about being monitored constantly. Instead, it reinforces that privacy is a right, not a privilege.

When it comes to access to data, the policy is clear: “Only DAC Staff will be used to monitor DAC Data.” When there’s an actual emergency and Oakland’s Emergency Operations Center (where the DAC is housed) is in operation, the policy allows “limited access to the live data produced by the DAC System.”

Access to stored DAC data will be “limited exclusively to City and Port employees with a Need To Know,” and “Need to Know” is narrowly defined. If a law enforcement agency wants DAC data that comes from an outside feeder source, like a Port camera, they’ll have to go directly to that source. Any non-City-of-Oakland agency that wants DAC data will have to get a warrant, unless they already have a written data-sharing agreement—although, of course, the degree to which Oakland shares information with outside agencies is an outstanding issue.

The policy also addresses retention. The DAC has the capability to “bookmark” video—essentially to put a time stamp on it. Under the policy, “[t]he DAC shall not record any data except bookmarks of [the] ‘Allowable Uses’” listed in the policy.

The policy would create Internal Privacy Officer and Compliance Officer positions. The Compliance Officer would conduct quarterly internal audits that look at myriad aspects of the DAC: the number of times the DAC was used to monitor protected activity (i.e. demonstrations and protests), who has been accessing data, and more. The audits will also include a number of metrics that are not often considered by city and county governments—but should be—including:

Cost: “Total annual cost of the surveillance technology, including ongoing costs, maintenance costs, and personnel costs.”

Data-sharing: “How many times DAC data was shared with non-City entities,” what kind of data was disclosed and why, to whom it was disclosed, and any “obligations imposed on the recipient of shared information.”

Public Safety Effectiveness: How often the DAC is used, “the number of times DAC Data [is] shared for potential criminal investigations; lives saved; persons assisted; property saved or preserved; [and] property saved or preserved.”

In addition to the internal audits, the policy would also require “annual independent third party audits of DAC performance and security.”

Perhaps the most exciting part of the policy is that it actually prescribes consequences for violations. This part of the policy will be contingent on the city council passing legislation, so it could change or disappear. We’re hoping it won’t. Anywhere that the City of Oakland has jurisdiction, violation of the policy would be a misdemeanor, “punishable upon conviction by a fine of not more than $1,000 or by imprisonment not to exceed six months, or both fine and imprisonment.”

It would also allow any person to go to court and sue for money damages or “equitable relief,” meaning a court order that directs a party to do or not to do something. The damages could include punitive damages, which are damages that are intended to punish the wrongdoer. And, importantly, “reputation” and “mental pain and suffering” are specifically listed as types of damages that could be caused by misuse of the DAC.

We only know of one other city that has a private right of action specifically established for privacy violations. That’s the city of Seattle, and the right of action is in the city’s 1979 intelligence ordinance, which was most likely the very first passed.

This piece of the policy is essential because, even if you completely distrust the government to comply with anything else, this allows anyone to take the matter into their own hands and sue. And while the cost of litigation is often prohibitive, the policy also allows for attorney's fees and other costs of litigation. As the success of litigation against the Oakland Police Department in recent years shows, litigation against law enforcement can actually be effective.

The Bad

This policy isn’t perfect, and the bad pieces deserve attention as well.

First, in the policy ultimately presented to the City, the City Attorney added some language to the “policy purpose” to soften it up. The language isn’t necessary, and it appears to exist only to emphasize that the policy is limited.

Throughout the process of working on the privacy policy, EFF critiqued aspects of it that we were concerned would affect free speech. Since the DAC can only be used during the list of "allowable uses" defined by Section VIII of the policy, that list became critical. For a while, the working draft included “riot.” This might sound reasonable, until you learn that the California definition of riot is simply 2 or more people working together to disturb the public peace. Fortunately, that was removed. However, the policy continues to include “Supply Chain Disruption” and “Street Racing/Side Show” in the list.

The former is particularly concerning because the Port of Oakland is no stranger to demonstrations. In fact, the Oakland Police Department’s response to a 2003 Port of Oakland demonstration was the basis for the lawsuit that ultimately required OPD to follow a court-monitored crowd-control policy. These demonstrations could ostensibly be treated as “supply chain disruptions,” which would mean the DAC would be active and used to monitor the demonstrations.

Furthermore, the policy does not (and really, could not) fully address information sharing. To do so would require a full understanding of the relationship between Oakland and other agencies and every possible avenue of information-sharing. Oakland hasn’t made this easy, by claiming exemptions to California’s Public Records Act when people make requests for information about the relationships, such as contracts and training manuals.

Nonetheless, as we noted in our March 4, 2014 letter, we do know that Oakland participates in a Joint Terrorism Task Force with the FBI and “participates in the Bay Area Urban Area Security Initiative (UASI), a Department of Homeland Security program.” That’s why the idea that DAC has no relationship to fusion centers isn’t particularly realistic. UASI is one of the primary funders for the Northern California Regional Intelligence Center (NCRIC), the regional Bay Area fusion center.” What’s more, the Oakland Police Department in the past, and the Oakland Fire Department currently, staff the Northern California Regional Intelligence Center. We're concerned that these relationships will undermine the policy—but we hope that the reporting requirements will help show whether or not information-sharing is actually happening.

Similarly, the policy didn’t directly address the problems with racial profiling outlined by Black, Arab, and Muslim Oakland residents at last year’s city council meetings—partly because the issue is so big that one policy about one piece of law enforcement technology could hardly begin to do so. Ultimately, though, the limitations on the DAC in the policy will hopefully restrain the ability of OPD to use it for racial profiling.

That being said, the Privacy Policy Committee recognized some of the shortfalls, and made further recommendations to the City Council:

Amend the city’s whistleblower ordinance so that anyone, not just employees, can report abuse, and increase the ways whistleblowers can report.

Pass a new surveillance equipment ordinance that would require “Informed public debate about any surveillance technology proposal prior to acquisition or pursuing funding,” something EFF and ACLU strongly recommend as law enforcement use of surveillance technology continues to spread.

Create a standing “Privacy Committee” that would draft a citywide privacy policy and look at proposed changes to the DAC before the council.

Oakland’s Public Safety Committee will consider the policy tonight. From there, it will go to the entire city council for approval. If you support it, especially the pieces that require a city ordinance to be enacted to be effective, contacting the Committee, and ultimately the entire Oakland City Council, is a good idea. We'll also provide an update of what happens at the Public Safety Committee tonight.