Emails Prove ICE Could Access Data from Orange County Shopping Malls, Despite the Companies' Denials

In response to an ACLU report on how law enforcement agencies share information collected by automated license plate readers (ALPRs) with Immigration and Customs Enforcement, officials have been quick to deny and obfuscate despite documentary evidence obtained directly from ICE itself through a Freedom of Information Act lawsuit

Let’s be clear: you can’t trust what ALPR company Vigilant Solutions and its clients say. It’s time for higher authorities to conduct an audit.

Through years of research spanning California (and beyond), EFF has discovered that agencies that access ALPR data are often ignorant or noncompliant when it comes to the transparency and accountability requirements of state law. Furthermore, their agreements with the vendor Vigilant Solutions often include “non-disparagement” and “non-publication” clauses that contractually bind them to Vigilant Solutions’ “media messaging” and prevent agencies from speaking candidly with the press. Meanwhile, training materials created by Vigilant Solutions explicitly recommend that police leave ALPR out of its reports whenever possible.

But documents obtained as part of the ACLU’s lawsuit brings another factor into play: sometimes the claims are just jaw-droppingly inaccurate.

One email in particular shows exactly how ICE could access data collected at shopping malls through a regional fusion center, despite the mall operator and Vigilant Solutions’ repeated denials that it was happening.

For background: ALPR is a technology that allows law enforcement and private companies to track the travel patterns of drivers, through networks of cameras that record license plates, along with time, date and location. That information is uploaded to a database that users can search to find out where a vehicle travelled, reveal what vehicles visited particular locations, and receive real-time alerts on vehicles added to watch lists. It is a mass surveillance technology that captures information on everyone, regardless of whether their vehicle is tied to an investigation.

Last summer, EFF volunteer Zoe Wheatcroft, a high school student in Mesa, Ariz., discovered a curious document on a website belonging to the Irvine Company, a real estate developer based in Orange County. The document showed that private security patrols were using ALPR to gather data on customers at Irvine Company-owned shopping malls . As EFF reported, Irvine Company then transferred that information to Vigilant Solutions, a controversial ALPR vendor well-known for selling data to ICE.

We asked the mall operator, Irvine Company, to explain itself, but it refused to answer questions. However, after EFF published its report, Irvine Company told reporters ALPR data was not shared with ICE, but only three local police departments. Then Vigilant Solutions issued a press release saying “the entire premise of the article is false,” and accused EFF of “creating fake news.” Vigilant Solutions also demanded we retract the post and apologize, saying that it was “evaluating potential legal claims” against EFF.

What they wouldn’t say publicly is that within within two weeks, Irvine Company quietly terminated its whole ALPR program. EFF only learned of this six months later from Irvine Company directly, but the company’s spokesperson refused to tell us the motivation behind ending the surveillance, beyond it being a business decision.

What Really Happened in Orange County

EFF began to investigate Irvine’s Claims that its ALPR data from the shopping malls was tightly controlled and could never be shared with ICE. We filed public records requests with the police department that Irvine Company said were the only agencies allowed to access the data. None of them were able to produce any documentation limiting data sharing—or indeed any limitations at all on data could be used or shared.

Then, earlier this year, the ACLU received more than 1,800 pages of ICE records about the agency’s use of ALPR and Vigilant Solutions’ technology. Buried in the set is an email exchange that shows unequivocally that ICE accessed the Irvine Company’s shopping center data just months before EFF’s report.

According to the records: In October 2017, an official with Homeland Security Investigations, an arm of ICE, sent an email to a detective with the La Habra Police Department, who was working out of the regional “fusion center,” the Orange County Intelligence Assessment Center. The ICE HSI specialist asked the detective to run a license plate for them, with no explanation of the purpose of the search, even though documenting a purpose is required by California law.

A few hours laters, the La Habra detective responded with a PDF attachment exported from Vigilant Solutions’ LEARN software that included the plate scans:

"i attached the report... there are a LOT of scans, most of them from fashion island security.. he spends a lot of time parked there.."

This email wasn’t just the smoking gun: it was the bullet. The document demonstrates that data could be transferred to ICE

What They Claimed: The Irvine Company said the data was only shared with the Irvine, Newport and Tustin police departments. “We have been assured through conversations with Vigilant that only those police departments are receiving information,” a spokesperson told the Orange County Register. Vigilant Solutions backed up the claim, writing “As Irvine Company has stated, it is shared with select law enforcement agencies to ensure the security of mall patrons.”

What the Emails Actually Show: A La Habra Police detective had access to mall data through the fusion center. Neither La Habra nor OCIAC are one of the three agencies the data access was supposed to be limited to. This raises the question, who else had access to the data? As a fusion center, OCIAC exists to facilitate the exchange of information across agencies. “Intelligence processes—through which information is collected, integrated, evaluated, analyzed, and disseminated—are a primary focus” of the fusion center, according to OCIAC’s website.

What They Claimed: In its press release, Vigilant said, “These law enforcement agencies do not have the ability in Vigilant Solutions’ system to electronically copy this data or share this data with other persons or agencies, such as ICE.”

What the Emails Actually Show: Within hours of receiving the request from ICE, the La Habra Detective was easily able to copy the data as a PDF and share it with ICE via email.

EFF reached out both to Irvine Company and Vigilant Solutions prior to publishing this report. Irvine Company would only confirm the date that it stopped the ALPR program, but would provide no further information. Motorola Solutions, which acquired Vigilant Solutions earlier this year sent the following statement:

We are aware of the ACLU of Northern California's recent report on license plate recognition data and assertions regarding data access by the Irvine Company. The referenced incident predates Motorola Solutions' ownership of Vigilant Solutions, and we are currently working with Vigilant to assess the situation in greater detail. Motorola Solutions is committed to the highest standard of integrity and data protection, which includes ensuring that vehicle location data is accessed only by authorized law enforcement agencies in accordance with applicable laws and industry standards. We also are committed to working with our customers and partners to ensure that use of vehicle location data hosted in our database is appropriately safeguarded to minimize the potential for misuse by any person. Motorola Solutions deeply respects individual privacy rights and is committed to mitigating privacy risks associated with data collection, use and storage.

Considering the historic wall of secrecy maintained by Vigilant Solutions and its clients, we believe it is time for a more thorough accounting than just an internal review. We urge the California legislature and the state auditor to investigate Vigilant Solutions and its government clients to find out the truth about how our data is shared with ICE and other agencies and whether these law enforcement agency are violating state laws regulating the use of this mass surveillance technology.