On Tuesday, we wrote a report about how the Irvine Company, a private real estate development company, has collected automated license plate reader (ALPR) data from patrons of several of its shopping centers, and is providing the collected data to Vigilant Solutions, a contractor notorious for its contracts with state and federal law enforcement agencies across the country.

The Irvine Company initially declined to respond to EFF’s questions, but after we published our report, the company told the media that it only collects information at three malls in Orange County (Irvine Spectrum Center, Fashion Island, and The Marketplace) and that Vigilant Solutions only provides the data to three local police departments (the Irvine, Newport Beach, and Tustin police departments).

The next day, Vigilant Solutions issued a press release claiming that the Irvine Company ALPR data actually had more restricted access (in particular, denying transfers to the U.S. Immigration & Customs Enforcement [ICE] agency), and demanding EFF retract the report and apologize. As we explain below, the EFF report is a fair read of the published ALPR policies of both the Irvine Company and Vigilant Solutions. Those policies continue to permit broad uses of the ALPR data, far beyond the limits that Vigilant now claims exist.

Vigilant Solutions’ press release states that the Irvine Company’s ALPR data "is shared with select law enforcement agencies to ensure the security of mall patrons," and that those agencies "do not have the ability in Vigilant Solutions' system to electronically copy this data or share this data with other persons or agencies, such as ICE."

However, neither Vigilant Solutions nor the Irvine Company have updated their published ALPR policies to reflect these restrictions. Pursuant to California Civil Code § 1798.90.51(d), an ALPR operator "shall" implement and publish a usage and privacy policy that includes the "restrictions on, the sale, sharing, or transfer of ALPR information to other persons."

This is important because the published policies are extremely broad. To begin with, the Irvine Company policy explains that "[t]he automatic license plate readers used by Irvine or its contractors are programmed to transmit the ALPR Information to" "a searchable database of information from multiple sources ('ALPR System') operated by Vigilant Solutions, LLC" "upon collection."

Moreover, the Irvine Company policy still says that Vigilant Solutions "may access and use the ALPR System for any of the following purposes: (i) to provide ALPR Information to law enforcement agencies (e.g., for identifying stolen vehicles, locating suspected criminals or witnesses, etc.); or (ii) to cooperate with law enforcement agencies, government requests, subpoenas, court orders or legal process."

Under this policy, the use of ALPR data is not limited only to uses that "ensure the security of mall patrons," nor even to any particular set of law enforcement agencies, select or otherwise. The policy doesn’t even require legal process; instead it allows access where the "government requests."

Likewise, Vigilant Solutions’ policy states that the "authorized uses of the ALPR system" include the very broad category of "law enforcement agencies for law enforcement purposes," and—unlike the policy it claims to have in their press release—does not state any restriction on access by any particular law enforcement agency or to any particular law enforcement purpose. ICE is a law enforcement agency.

We appreciate that Vigilant Solutions is now saying that the information collected from customers of the Irvine Spectrum Center, Fashion Island, and The Marketplace will never be transited to ICE and will only be used to ensure the security of mall patrons. But if they want to put that issue to rest, they should, at a minimum, update their published ALPR policies.

Better yet, given the inherent risks with maintaining databases of sensitive information, Irvine and Vigilant Solutions should stop collecting information about mall patrons and destroy all the collected information. As a mass-surveillance technology, ALPR can be used to gather information on sensitive populations, such as immigrant drivers, and may be misused. Further, once collected, ALPR may be accessible by other government entities—including ICE—through various legal processes.

In addition, Vigilant Solutions’ press release takes issue with EFF’s statement that "Vigilant Solutions shares data with as many as 1,000 law enforcement agencies nationwide." According to Vigilant Solutions press release, "Vigilant Solutions does not share any law enforcement data. The assertion is simply untrue. Law enforcement agencies own their own ALPR data and if they choose to share it with other jurisdictions, the[y] can elect to do so."

This is a distinction without a difference.

As Vigilant Solutions’ policy section on "Sale, Sharing or Transfer of LPR Data" (emphasis added) states, "the company licenses our commercially collected LPR data to customers," "shares the results of specific queries for use by its customers" and "allows law enforcement agencies to query the system directly for law enforcement purposes." The only restriction is that, for information collected by law enforcement agencies, "we facilitate sharing that data only with other LEAs … if sharing is consistent with the policy of the agency which collected the data." If Vigilant Solutions only meant to dispute "sharing" with respect to information collected by law enforcement, this is a non-sequitur, as the Irvine Company is not a law enforcement agency.

Nevertheless, Vigilant Solutions’ dispute over whether it truly "shares" information puts an Irvine Company letter published yesterday in an interesting light. The Irvine Company reportedly wrote to Vigilant Solutions to confirm that "Vigilant has not shared any LPR Data generated by Irvine with any person or agency other than the Irvine, Newport Beach and Tustin police departments and, more specifically you have not shared any such data with U.S. Immigration and Customs Enforcement (ICE)."

Under the cramped "sharing" definition in the Vigilant Solutions press release, any such "confirmation" would not prevent Vigilant from licensing the Irvine data, sharing results of specific queries, allowing law enforcement to query the system directly, or "facilitate sharing" with ICE if the police department policies allowed it. If Irvine and Vigilant didn’t mean to allow this ambiguity, they should be more clear and transparent about the actual policies and restrictions.

The rest of the press release doesn’t really need much of a response, but we must take issue with one further claim. Vigilant Solutions complains that, while EFF reached out several times to the Irvine Company (with no substantive response), EFF did not reach out to them directly about the story. This assertion is both misleading and ironic.

A year ago, EFF sent a letter to Vigilant Solutions with 31 questions about its policies and practices. To date, Vigilant Solutions has not responded to a single question. In addition, Vigilant Solutions had already told the press, "as policy, Vigilant Solutions is not at liberty to discuss or share any contractual details. This is a standard agreement between our company, our partners, and our clients."

Indeed, Vigilant Solutions has quite a history of fighting EFF’s effort to shine a light on ALPR practices, issuing an open letter to police agencies taking EFF to task for using Freedom of Information Act and Public Records Act requests to uncover information on how public agencies collect and share data. A common Vigilant Solutions contract has provisions where the law enforcement agency "also agrees not to voluntarily provide ANY information, including interviews, related to Vigilant, its products or its services to any member of the media without the express written consent of Vigilant."

Vigilant Solutions has built its business on gathering sensitive information on the private activities of civilians, packaging it, and making it easily available to law enforcement. It’s deeply ironic that Vigilant gets so upset when someone wants to take a closer look at its own practices.