As public scrutiny continues to mount against the use of license plate readers (LPRs) across the country, the Electronic Privacy Information Center (EPIC) has now released government documents showing that such data, which includes precise GPS location, date, and timestamps, in addition to the plate in question, are shared with an auto insurance umbrella organization.

The documents, published on Tuesday as the result of a Freedom of Information Act (FOIA) request, include a six-page memorandum of understanding (MOU) from 2005 between the National Insurance Crime Bureau (NICB) and the United States Customs and Border Protection (CBP) agency.

The NICB is a nonprofit organization funded by hundreds of American auto insurance corporations around the country, which "partners with insurers and law enforcement agencies to facilitate the identification, detection, and prosecution of insurance criminals."

Ars, as part of its recent investigation into the use of LPRs, also has a pending FOIA request with CBP, but has yet to receive a response beyond a perfunctory acknowledgement of the request.

The revelation has certainly raised some eyebrows, but the NICB now says that while insurance companies are members of the organization, they do not automatically gain access to the LPR data.

Roger Morris, the NICB's chief communications officer, clarified by e-mail that only authorized "Special Investigations Units" personnel from NICB member companies have access to such data "for theft prevention activities."

Every 24 hours, the NICB receives an electronic data transfer from all border stations, providing LPR details on all cars that have crossed in and out of the country. Mainly, the NICB says it's looking for cars that have been (possibly fraudulently) reported stolen, but were spotted at a border.

Morris added that the CPB's LPR data—"roughly 15 million reads a month"—is kept for 12 months. That means the CBP makes approximately 500,000 LPR reads at the borders every single day, and passes that data along to the NICB.

"Thousands of vehicles are stolen in the U.S. each year and taken to Mexico," he added. "LPR data helps insurers and law enforcement verify that a vehicle that has been reported stolen has been taken into Mexico and helps NICB and law enforcement in attempts to recover the vehicle and repatriate it back to the U.S. These stolen vehicles represent millions of dollars in insurance losses and recovering as many as possible helps reduce the impact of theft on insurance rates."

Future privacy challenges likely

Ginger McCall, an attorney with EPIC, said that she found it surprising that a government agency was providing LPR data to a private organization.

"People have the right to know what data is being collected, how it’s being shared," she told Ars. "You could imagine a situation where a plate was mis-scanned or what mis-entered into the database. Or perhaps insurance rates may go up? Who knows how industry is going to use this."

McCall also argued that under this year’s Jones v. United States case, where the Supreme Court unanimously found that law enforcement does not have the right to warrantlessly track someone’s car via a GPS device placed on the car, that there may be room for future legal challenges.

"[Justice] Scalia didn’t rule out the possibility that there would be a wider implication here," she said. "If you look at concurrence by [Justice] Sotomayor, there are great implications over privacy data and this sort of signals from the court that it was going to look at these issues more closely."

NICB: It's CPB's data, not ours!

Other legal scholars who have watched the evolution of LPRs have also raised questions about the collection, transmission, and disclosure of LPR data by and from private companies and organizations.

The MOU also allows the NICB to sub-contract management of this data to a "data processing service," and requires that any misuse of the LPR data be reported to the NICB, and then reported on to the CBP.

"In short, US Customs is granting a private company access to what it admits is 'highly sensitive commercial, financial, and proprietary information,' and then further allowing the private company to outsource the management of that 'highly sensitive' data to yet another private company," wrote Kade Crockford, the director of the Technology for Liberty Program at the ACLU Massachusetts, in a Wednesday blog post.

"The only auditing and accountability mechanisms required are self-policing and self-reporting. These documents reveal a growing problem that extends far beyond the management of license plate data. The government is increasingly collecting vast quantities of information about ordinary people accused of no crime, and increasingly it is relying on private contractors to manage, sort, and analyze this data looking for crime or even 'pre-crime' trends. The sharing of our license plate data with private companies should be viewed as but one troubling example of this much larger problem."

But the ACLU isn't the only group raising questions.

"These documents are illustrative of why individuals often feel so helpless with information that is shared with others or in public—it is very difficult for us to police the use of our information ‘downstream,’" wrote Woodrow Hartzog, a law professor at Samford University, in an e-mail sent to Ars.

"Not only does the lack of transparency in such information sharing make the discovery of information misuse difficult, our current legal regime is not well-suited to address the problems arising from our slow but steady creep towards ubiquitous public surveillance."

Frank G. Scafidi, an NICB spokesperson, also told Ars he was not sure if motorists could query the NICB to examine, verify, or edit records that it held.

"That information is coming from CBP," he said. "That’s where it’s coming from. That’s not our data. They share it with us for a specific purpose. I’m not saying it can’t be done, but unless there’s a method for doing that, it’s not for us to decide at this point in time."