Skip Repetitive Navigation Links
California State Auditor Logo COMMITMENT • INTEGRITY • LEADERSHIP

Automated License Plate Readers
To Better Protect Individuals’ Privacy, Law Enforcement Must Increase Its Safeguards for the Data It Collects

Report Number: 2019-118


Use the links below to skip to the specific response you wish to view:


Department of Justice

January 28, 2020

 

Elaine Howle
California State Auditor
621 Capitol Mall, Suite 1200
Sacramento, CA 95814

Re:       Draft Audit Report - California State Auditor Report 2019-118; Automated License Plate Readers (ALPR)

Dear Ms. Howle,

The Department of Justice (DOJ) appreciates the opportunity to review the above-mentioned draft audit report.  DOJ currently has no program in place to provide policy template and guidance to law enforcement agencies for their ALPR programs. Express authority from the Legislature and funding is needed to implement the recommendations. 

If you have any questions or concerns regarding this matter, you may contact me at the telephone number listed above.

Sincerely,

Joe Dominic, Chief
California Justice Information Services Division

For XAVIER BECERRA
Attorney General

cc:   Sean McCluskie, Chief Deputy to the Attorney General
Edward Medrano, Chief, Division of Law Enforcement
Chris Prasad, CPA, Director, Office of Program Oversight and Accountability




Fresno Police Department

January 27, 2020

Elaine Howle
California State Auditor
621 Capitol Mall, Suite 1200
Sacramento, CA  95814

Dear Ms. Howle:

On behalf of the men and women of the Fresno Police Department, allow me the opportunity to thank you and your team for the time and effort in completing the Automated License Plate Reader (ALPR) audit at the request of the Joint Legislative Audit Committee.  The Fresno Police Department always strives to ensure we maintain excellence and utilize best practices in all facets of service to the community especially concerning personal privacy.  Building trust in the community is paramount to our agency as we continue our on-going efforts to be a model community policing agency.  We will utilize this audit to ensure those goals are achieved.

The following are the Fresno Police Department’s response to the audit recommendations included in the report.

  1.  “To ensure that agency ALPR policies contain all of the required elements as specified in state law, by August 2020 Fresno should review their ALPR policies and draft or revise them as necessary.  Also by August 2020 post their revised policies on their websites in accordance with state law:

    The Fresno Police Department has already began reviewing and updating our ALPR policy.  In fact, it is nearly complete and will be completed well in advance of the August 2020 recommended timeline.

  2. “To protect ALPR data to the appropriate standard, Fresno should do the following:”

    a. By August 2020 identify the types of data in their ALPR systems, and as they review or draft their policies, ensure that they clarify the types of information their officers may upload into their ALPR systems such as, but not limited to information obtained through CLETS.”

    As the audit showed, the Fresno Police Department has not entered personal data into the ALPR system; however we will continue to review data and incorporate into policy the parameters for types of data which can be entered.

    b. By April 2020 perform an assessment of their ALPR systems data security features, and make adjustments to their system configurations where necessary to comply with CJIS policy best practices based on that assessment.

    The Fresno Police Department IT Manager will assess the ALPR system and ensure it is in compliance with CJIS Security Policy best practices.

  3. To ensure that the agreement with their cloud vendor offers the strongest possible data protections, by August 2020 Fresno should enter into new contracts with Vigilant that contain the contract provisions recommended in CJIS policy.”
  4. The Fresno Police Department IT Manager will review the Vigilant contract and ensure the contract is updated and in compliance with CJIS Security policy.

  5. To ensure that ALPR images are being shared appropriately:

    a. By April 2020 Fresno should review the entities with which they currently share images, determine the appropriateness of this sharing, and take all necessary steps to suspend those sharing relationships deemed inappropriate or unnecessary.

    The Fresno Police Department has suspended most sharing and now only shares images with bordering states.

    b. By August 2020 Fresno should revise its written procedures for ALPR image sharing, as necessary, to ensure that it follows these procedures.

    The Fresno Police Department will incorporate these changes into the updated policy.

  6.  To minimize the privacy risk of retaining ALPR images for long periods of time, Fresno should do the following:

    a. By August 2020 review the age of the ALPR images their personnel are searching for and ensure their retention periods for ALPR images are based on department needs. {REDACTED} reflect in its ALPR policy the updated retention period in its policy the updated retention period and state in its policy that it will reevaluate its retention period at least every two years.

    Based on the results of the audit, the Fresno Police Department will amend our current practice of retaining images for one year to six months which is consistent with the time frame the majority of the searches occur.

    b. Include in their ALPR policies a retention period for data or lists such as hot lists, used to link persons of interest with license plate images, and create necessary processes to ensure that those data unrelated to ongoing investigations are periodically removed from their ALPR systems.

    The Fresno Police Department will maintain active hot lists for 90 days.  If an investigator requires a longer period, approval will be obtained from a commander.  This will be incorporated in the revised ALPR policy.

  7. To enable monitoring of user access and user queries of ALPR images, Fresno should do the following:

    a. By April 2020 assess the information their ALPR systems capture when users access them to ensure that the systems’ logs are complete and accurate and that they form a reasonable basis for conducting necessary, periodic audits.

    This is already being done and is part of the quarterly audit process.

    b. Ensure their ALPR policies make clear how frequently they will audit their ALPR systems, who will perform those audits, who will review and approve the audit results, and how long they will retain the audit documents. [REDACTED] have in place by February 2021 an audit plan that describes its audit methodology, including, but not limited to, risk areas that will be audited, sampling, documentation, and resolution of findings.

    A quarterly audit process has been put in place.  The audit process, methodology and responsibilities will be included in the updated ALPR policy.

    c. By June 2021 implement their audit plans and complete their first audits.

    The audit process is already in place and audits were completed for the last two quarters of 2019.

  8. To ensure that ALPR access is limited to agency staff who have a right and a need to use ALPR data, Fresno [REDACTED] should do the following:

    a. By April 2020 review all user accounts and deactivate accounts for separated employees, inactive users, and others as necessary.

    This has been completed. Separated employees are removed upon notification of their separation.  The ALPR system automatically deactivates accounts for users who have been inactive for 365 days.

    b. Ensure that their ALPR policies specify the staff classifications, ranks, or other designations that may hold ALPR system user accounts and that accounts are granted based on need to know and right to know.

    This will be incorporated into the revised ALPR Policy. Access will be granted on a need to know and right to know basis for sworn department members and crime specialists who have investigative responsibility.

    c. By August 2020 develop and implement procedures for granting and managing user accounts that include, but are not limited to, requiring that a supervisor must approve an account for a user, providing training to users before granting an account, suspending users after defined periods of inactivity, and requiring regular refresher training for active users and training for users before reactivating previously inactive accounts. [REDACTED] ensure that it has procedures in place to deactivate accounts immediately for account holders who separate from the agency or who no longer need a user account.

    The Fresno Police Department will incorporate supervisor approval for new accounts and minimum training requirements for new users in the revised policy.

Sincerely,

Andrew J. Hall, Chief of Police
Fresno Police Department

AJH: rb


Los Angeles Police Department

February 4, 2020

Elaine Howle
California State Auditor
621 Capitol Mall, Suite 1200
Sacramento, CA 95814

Dear Ms. Howle:

2
1

In response to your draft report titled "Automated License Plate Readers: To Better Protect Individuals' Privacy, Law Enforcement Must Increase Its Safeguards Over the Data It Collects," I would like to inform you that the Los Angeles Police Department (LAPD) has the utmost respect for individuals' privacy and currently has policies and procedures in place to safeguard personal information stored on the Automated License Plate Reader (ALPR) Systems. Personnel who utilize ALPR data have been through extensive training on accessing and using the data on a right to know and need to know basis. The LAPD continuously reviews all user accounts and deactivates accounts for separated employees, while allowing ALPR access to all active employees who have attended the training.

Although our dedication to protecting individuals' privacy is covered in our day to day operations and procedures, the Department is currently working on an ALPR policy to ensure that the protection of those rights is also memorialized in our Department Manual. The aforementioned ALPR policy will be completed by April 2020 and posted on the Department website once it is completed, as required by state law. The policy will address the types of information personnel may upload into the ALPR systems, as well as the retention period for the data or lists (i.e., hot lists used to link persons of interest with license plate images). The LAPD will perform an assessment of the systems' data security features and retention periods for ALPR images to evaluate the need for adjustment, prior to publishing of the ALPR policy. Furthermore, the policy will list the entities the Department shares ALPR images with and the process for handling image-sharing requests.

To ensure the ALPR policy is up to date and our ALPR systems are capturing proper information, the Department will perform periodic audits to assess the information the systems capture when accessed by the Department users. Per the recommendations listed in your audit draft report, the Department will have a plan that describes the periodic audits by February 2021 and will complete the first audit by June 2021.

Should you have any questions concerning this matter, please contact Sergeant Monica Tokoro, at (213) 486-0197.

Very truly yours,

MICHEL R. MOORE
Chief of Police




Comments

CALIFORNIA STATE AUDITOR’S COMMENTS ON THE RESPONSE FROM
THE LOS ANGELES POLICE DEPARTMENT

To provide clarity and perspective, we are commenting on the response to our audit report from the Los Angeles Police Department. The numbers below correspond with the numbers we have placed in the margin of its response.

1

Los Angeles is the only one of four agencies we audited that did not have the ALPR policy state law requires. As we describe in the Audit Results, state law requires law enforcement agencies to have written usage and privacy policies and for the policies to include various elements. As we describe in the Audit Results, the program administrator for Los Angeles initially believed that the agency’s many IT  policies cover the ALPR program, but we identified deficiencies in the policies he shared with us. When we brought those deficiencies to the administrator’s attention, he acknowledged the need for Los Angeles to have an ALPR policy.

2

We stand by our conclusion that Los Angeles does not follow best practices for granting users ALPR system access. As we describe in the Audit Results, of the four agencies we reviewed Los Angeles was the most lax in its approach to authorizing user accounts. The protocol its IT division follows is to include its ALPR software on each computer it assigns to staff, regardless of their position. Thus, staff who do not perform functions related to the ALPR system and possibly have not had training, nevertheless have access to the system. Moreover, in the Audit Results we state that the detective who conducts ALPR training confirmed that Los Angeles has not required training before users can access the ALPR system.



Marin County Sheriff’s Office

January 28, 2020

Elaine M. Howle, CPA
California State Auditor
621 Capitol Mall, Suite 1200
Sacramento, CA 95814

Dear Ms. Howle:

The Marin County Sheriff’s Office appreciates the opportunity to respond to your draft report entitled, Automated License Plate Readers: To Better Protect Individuals’ Privacy, Law Enforcement Must Increase Its Safeguards Over the Data It Collects.

1

The Marin County Sheriff’s Office is pleased to note that although your draft report includes recommendations to the Marin County Sheriff’s Office regarding its use of automated license plate reader (ALPR) cameras, your audit team did not find any evidence of abuse or misuse of ALPR data by the Marin County Sheriff’s Office.

2a

Nevertheless, the Marin County Sheriff’s Office is and remains committed to the need for further improvement and as stated in your draft report, will consider your report’s recommendations. However, based on some of the redactions in the draft report, it is difficult, at times, to determine which findings and conclusions are in reference to the Marin County Sheriff’s Office as opposed to the other confidential law enforcement agencies discussed in your draft report.

2b

Accordingly, in responding to the issues discussed in your draft report with additional details and/or context, the Marin County Sheriff’s Office will address sections which may not apply to it because it is unable to distinguish which law enforcement agency is being implicated.

The following is the Marin County Sheriff’s Office response:

Recommendation No. 1: Improve their ALPR polices.

4
3

Response to Recommendation No. 1: While the Marin County Sheriff’s Office agrees that its current policy regarding the ALPR system does not specifically describe a “process for periodic system audits,” the Marin County Sheriff’s Office’s policy does state that user/data query audits would be performed. Moreover, although the audit team contends that the ALPR data collected by the Marin County Sheriff’s Office qualifies as personal information, this is not the case. The draft report readily admits that there is no personally identifiable information contained in a license plate capture. Further, the audit team’s erroneous belief is based on a free text box in the ALPR system wherein a user could enter a person’s name in this text box and attach personal information to the images of license plates captured by the ALPR system. However, the Marin County Sheriff’s Office does not utilize this free text box and does not enter any other personal information to be associated with the images taken by its ALPR system. In fact, the draft report concedes this fact as it states in regard to the Marin County Sheriff’s Office and open text fields, the audit team “did not find personal information in combination with other sensitive information in the six months of search records [it] studied.”

Recommendation No. 2: Implement needed ALPR data security.

5a

Response to Recommendation No. 2: As noted in the draft report, the Marin County Sheriff’s Office contracts with a third-party vendor Vigilant Solutions (Vigilant) regarding its ALPR system. While the audit team is critical of Vigilant, all access to Vigilant for the Marin County Sheriff’s Office is activity logged and auditable as noted in the draft report, even if the user accesses the system via the internet with a personal device, and those logs are reviewed by the Marin County Sheriff’s Office ALPR program administrator; all data on Vigilant is stored on secure servers in the United States as recommended by the audit team; and Vigilant only permits credentialed law enforcement officers with a valid Originating Agency Identifier (ORI) number issued by the Criminal Justice Information System (CJIS) Division of the Federal Bureau of Investigation (FBI). Additionally, as part of its services, Vigilant maintains it is compliant with all relevant requirements set forth in the FBI-CJIS Security Policy as recommended by the audit team.

Recommendation No. 3: Update vendor contracts with necessary data safeguards.

5b

Response to Recommendation No. 3: As discussed above, while not explicitly stated in the Marin County Sheriff’s Office’s contract with Vigilant, Vigilant warrants in its services that the data captured by an agency remains the property of the agency; all data is stored on secure servers in the United States; and it conforms with all relevant requirements set forth in the FBI-CJIS Security Policy.

Recommendation No. 4: Ensure that sharing of ALPR images is done appropriately.

6a

Response to Recommendation No. 4: As discussed above, the Marin County Sheriff’s Office has confirmed with Vigilant that it has and continues to verify that it only permits credentialed law enforcement officers with a valid ORI number issued by the CJIS Division of the FBI access to the data on its hosted server. While the audit team was critical of the Marin County Sheriff’s Office sharing information with agencies such as the Honolulu Police Department, such cooperation with this particular law enforcement agency was done properly and with consideration as to the multiple matters which have in the past involved both agencies.

6b

As for ICE access, any prior approval by the Marin County Sheriff’s Office with Vigilant was before any of the relevant state law went into effect. As noted in the draft report, Vigilant confirmed that the recent viewing of ICE accounts in question were not active and that these inactive agencies were not previously visible to the Marin County Sheriff’s Office.

Recommendation No. 5: Evaluate and reestablish data retention policies.

7

Response to Recommendation No. 5: The Marin County Sheriff’s Office’s two-year retention policy is based on the statute of limitations for most crimes in the State of California. The audit team states that it would like the Marin County’s Sheriff’s Office to have a more detailed policy regarding retention based on usefulness of images to investigators and even suggest that the retention of the images should be based on whether the images are for minor crimes versus complex crimes. However, it would be impossible for the Marin County Sheriff’s Office to know whether the captured images would be used in a minor criminal case or a major felony case at the time the images were taken or at any time afterwards. Indeed, as noted in the draft report, there is no statute of limitations for the crime of murder.

Recommendation No. 6: Develop and implement procedures for granting and managing user accounts.

8

Response to Recommendation No. 6: The audit team believes that the Marin County Sheriff’s Office should require supervisory approval for all users of its ALPR system. As noted above and in the draft report, at this time the Marin County Sheriff’s Office does not believe that this particular requirement is appropriate for the following reasons: there is no personal information associated with the images taken by the Marin County Sheriff’s Office; as discussed in the draft report, all users of the ALPR system receive training before they are permitted access to the ALPR system; and the Marin County Sheriff’s Office regularly audits the use of the ALPR system.

Recommendation No. 7: Develop and implement ALPR system oversight.

9

Response to Recommendation No. 7: In the draft report, the audit team identifies an incident in which it claims it brought to the Marin County Sheriff’s Office’s attention an active account for a resigned employee. However, this is not accurate. The system administrator was notified about deactivating the account on the same day the audit team informed him about this account. However, the ALPR administrator had deactivated the account prior to the audit team discussing this particular account with him. Moreover, the ALPR administrator does not solely rely on a department-wide email notification regarding resigned or terminated employees as discussed in the draft report. In addition to the audits he regularly performs, the ALPR administrator also performs periodic spot checks to verify that active accounts match active employees.

Should you have any questions regarding this response, including any comments and clarifications made herein, please do not hesitate to contact us directly.

Sincerely,

Kerry L. Gerchow
Deputy County Counsel




Comments

CALIFORNIA STATE AUDITOR’S COMMENTS ON THE RESPONSE FROM
THE MARIN COUNTY SHERIFF’S OFFICE

To provide clarity and perspective, we are commenting on the response to our audit report from the Marin County Sheriff’s Office. The numbers below correspond with the numbers we have placed in the margin of its response.

1

Marin’s response correctly notes that our review of its internal affairs investigations records did not identify evidence of abuse or misuse of ALPR data. However, as we state in the Audit Results, we do not consider this absence as proof that no instances of ALPR misuse occurred. There is the possibility that misuse occurred and went unnoticed and unreported, particularly since Marin does not conduct audits of its ALPR system.

2a
2b

During our exit conference, we specifically informed Marin that we would send it only those portions of the draft report that were relevant to it. The text that we redacted pertains to the other entities that were part of the audit and that we are required by law to keep confidential. Further, during its review of the draft report, Marin did not communicate with us to seek clarification regarding the report content we provided, despite our providing multiple opportunities for it to do so.

3

Marin is incorrect in stating that we contend that the license plate images Marin collects qualify as personal information. In the Introduction, we note that a law enforcement agency can enter additional information, such as personal information, into its ALPR system. However, we do not assert that the ALPR image alone contains personal information.

4

Marin has mischaracterized our finding. In its response, Marin states that we based our conclusion on a free‑text box wherein a user could enter an individual’s name and attach it to a license plate image. However, as we describe in the Audit Results, we based our conclusion on information that users enter into open text fields as part of license plate searches, specifically the fields for case numbers and purpose for the searches. in the Audit Results, we note that Marin requires users to enter both case numbers and reasons for the search before allowing such searches. Although we did not find evidence users had entered personal information in combination with other sensitive information in the six months of search records we studied, the fact that these text fields exist means that users could enter such information during ALPR searches, as we point out in the Audit Results. Moreover, Marin’s ALPR policy does not prohibit users from entering personal information in combination with other sensitive information in its ALPR system.

5a
5b

We disagree with the focus of Marin’s response, which implies that the vendor’s security controls are a suitable substitute for specific contract safeguards. As we show in Figure 3, Marin’s contract does not contain any of the safeguards CJIS policy recommends for contracts with cloud vendors. We note in the Audit Results that CJIS policy states that ambiguous contract terms can lead to controversy over data privacy and ownership rights, whereas a contract that clearly establishes data ownership acts as a foundation for trust that the cloud vendor will protect the privacy of the agency’s data.

6a
6b

We disagree with Marin’s belief that it has managed its image sharing appropriately. Although Marin described in its response the type of information that it could maintain to document its image‑sharing decisions, it did not provide such evidence documenting why it made past sharing decisions, and its ALPR policy does not include a process for approving image-sharing requests, as we state in the Audit Results. Moreover, Marin acknowledged in its response the issue we describe in this section regarding ICE and the fact that the status of Marin’s sharing relationship with ICE was not always visible to Marin. This issue underscores the need for Marin to maintain records regarding sharing decisions.

7

Marin appears to miss the point of our recommendation. As we state in the Audit Results, we concluded that Marin did not establish its retention period based on when it uses the ALPR images it captures. Later in this section, we mention minor and complex crimes as examples of ALPR data being used narrowly, such as for the single purpose of locating stolen vehicles, or broadly, such as for investigation of crimes in addition to stolen vehicles. Our recommendation—based on our analysis of Marin’s search activity as referenced in the Audit Results—provides a method for Marin to better align how long it retains ALPR data with whether it actually uses the data as they age.

8

The reasons Marin cites in its response for not adopting our recommendation are not valid. Requiring a supervisor to approve a user for an ALPR account is a meaningful step in establishing that user’s need to access ALPR data and right to know what the data portray in an effort to avoid the ALPR data being misused. In point 4 above, we describe that the existence of text fields in the ALPR system allows for personal information to be linked to license plate images. Further, we note that Marin has no policy prohibiting its users from entering personal information in its ALPR system. In addition, despite Marin’s claim of training all users, we state in the Audit Results that Marin does not require staff to renew their training when reactivating their user accounts following long periods of not using the ALPR system. Finally, we found that contrary to Marin’s assertion, it had not regularly audited its system. As we discuss in the Audit Results, Marin’s ALPR administrator was unaware of the state law requiring audits of ALPR systems, so he had not been conducting them. Despite recent efforts to institute some form of monitoring, as we describe in the Audit Results, the limitations in its approach led us to conclude that Marin does not have sufficient protocols in place to detect the misuse of user accounts.

9

Marin’s assertion is incorrect. As we describe in the Audit Results, we reviewed Marin’s processes for disabling the accounts of separated employees. Although Marin’s ALPR administrator informed us of his approach for deactivating an account when he receives an all‑staff email that an employee is separating from the department, we found such an email dated August 6, 2019, after which one separated employee continued to hold an active account as of October 22, 2019. After we informed the administrator of this employee’s continued access, the administrator acknowledged that the account was still active, and we directly observed him deactivating the account.




Sacramento County Department of Human Assistance

January 27, 2020

Elaine M. Howle
California State Auditor
621 Capitol Mall, Suite 1200
Sacramento, CA 95814

SUBJECT: License Plate Readers Audit Response

Dear Ms. Howle:

We are writing in response to the draft findings of your report, titled Automated License Plate Readers: To Better Protect Individuals' Privacy, Law Enforcement Must Increase Its Safeguards Over the Data It Collects.

The Department of Human Assistance (DHA) appreciates the work performed by the California State Auditor. No recommendations were issued in the report, and DHA agrees with the results of the audit.

If you have any questions regarding this matter, please contact Lane Ruddick, Program Integrity Chief, by telephone at (916) 875-1275, or by email at ruddickl@saccounty.net.

Sincerely,

Ann Edwards
Director


Sacramento County Sheriff's Office

January 28, 2020

Elaine M. Howle, CPA
California State Auditor
621 Capitol Mall, Suite 1200
Sacramento, CA 95814

Dear Ms. Howle:

I am in receipt of the draft report entitled Automated License Plate Readers: To Better Protect Individuals' Privacy, Law Enforcement Must Increase Its Safeguards Over the Data It Collects, which includes recommendations for the Sacramento County Sheriff’s Office to revise and improve some of our Automated License Plate Reader program (ALPR) processes.

1a

While I agree with some of your findings, I disagree with some of the characterizations made. As the Sheriff of Sacramento County, I take seriously the protection of our citizens, including their personal privacy. Within our role as guardians of the data we collect, my staff works diligently to develop and consistently apply security protocols that maintain the integrity of our systems.

1b

The Summary (Results in Brief) section of the report was clearly written separately or prior to the completion of the main body of the report, because it fails to present your teams' actual conclusions. Let me address each point.

Recommendation #1 - Review and revise policies

Before the Audit began, the Sacramento County Sheriff’s Office began reviewing and revising policies governing a wide range of service deliverables. Although the Sacramento County Sheriff’s Office existing policy contains the majority of the requirements outlined in California Civil Code section 1798.90.51, it does not list the restriction on selling ALPR data. As expressed during the interviews, my staff did say that the restriction on selling data is not listed in the policy because the Sacramento Sheriff’s Office does not sell any data. The lack of specifically addressing this fact in the ALPR policy is an oversight.

Recommendation #2 - Identify types of data and perform a security assessment

As you learned during the audit, the Sacramento County Sheriff’s Office began reorganizing ALPR related security over two years ago. The initial step of this process was securing funding to hire a fulltime Information Technology Analyst in hopes of increasing program administration because this employee's primary job will be the continuous development of ALPR related security protocols that either meet or exceed these recommendations.

Recommendation #3 - Ensure the vendor offers the strongest possible data protections

2

The Sacramento County Sheriff’s Office completed extensive research in the use of cloud storage systems and CJIS security. I am aware your team received the latest contract between the Sacramento County Sheriff’s Office and Vigilant Solutions and the Vigilant CJIS Security Policy Guide. Both the contract and comprehensive policy provide a thorough explanation regarding compliance including agreeing to participate in any Technical Security Compliance Audit performed by the FBI-CJIS Division.

Recommendation #4 - Develop a process for handling ALPR image-sharing requests

3

Although the existing policy does provide language on how sharing data can occur, the Sacramento County Sheriff's Office began developing a ticketing system for handling various technology requests over four years ago. As such, the natural progression was to utilize the same request, approval, and record retention system used by the entire organization.

Recommendation #5 - Review the retention periods of ALPR images and data

4

The Sacramento County Sheriff's Office is continually reviewing data retention practices. Although, a simple review of searches provides a small subset of activity, the success of an ALPR program could only come from tracking and identifying which cases provided leads or convictions of data. During the audit, my understanding is your team was told this very fact. As the agency prepares to transition to a new report writing system, I request our crime analysts to conduct a multi-year study that will provide a realistic view of how long ALPR images provide usefulness in the criminal justice system.

Recommendation #6 - Enable monitoring of user access and user queries of ALPR images

Throughout the audit your team requested a substantial number of reports and logs showing when accounts were activated, deactivated, or changes occurred. The ability to provide these reports demonstrated the robust nature of the logging system. Although your team learned the Sacramento County Sheriff’s Office has no reported incidents of ALPR misuse, I have directed my program administrator to make certain fields mandatory to ensure proper documentation of usage. With the addition of a dedicated IT Analyst, the expansion of audits already occurring will surely continue.

Recommendation #7 - Ensure that ALPR access is limited to agency staff who have a right and a need to know

5

Not only is this recommendation listed in the Sacramento County Sheriff’s Office policy, it is the way the organization operates with all data systems. As this directly relates to ALPR, only 561 employees, out of a department of 2,170, have access to the system. While I understand your position that a supervisor should approve each account, there were over 5,880 personnel moves during 2019. The Sacramento County Sheriff’s Office uses Role Based Access Controls. Rather than rely solely on a supervisor to approve a request, the application of Role Based Access Control is how the Security Operations unit of the Sacramento Sheriff’s Office processes access to this and all other law enforcement data systems. Role Based Access Controls are addressed by the National Institute of Standards and Technology as a best practice.

In Conclusion

In the end, we are not opposed to implementing many of your recommendations and in fact, are already in the process of doing so. Throughout the process, which was long and took many staff hours, we made every effort to cooperate with the auditor's requests for information and tried to anticipate the types of problems they would find while trying to understand the actual uses and practices within the ALPR program.

7
6

During interviews and based on some of the requests, we felt concern that there was a bias toward a particular outcome, intended or otherwise. Because this report contains many redacted sections, there is still some concern about what has not been shown to us. Nonetheless, we await your full findings about Sacramento and the other agencies covered in this report.

Very truly yours,

SCOTT R. JONES, SHERIFF




Comments

CALIFORNIA STATE AUDITOR’S COMMENTS ON THE RESPONSE FROM
THE SACRAMENTO COUNTY SHERIFF’S OFFICE

To provide clarity and perspective, we are commenting on the response to our audit report from the Sacramento County Sheriff's Office. The numbers below correspond with the numbers we have placed in the margin of its response.

1a
1b

We stand by the language we use to describe Sacramento’s ALPR program. Our report provides appropriate context and sufficient evidence to support our findings. Further, the Results in Brief section of the report serves as a summary of the report as a whole and as such it represents the overall conclusions for this report. The details of our findings and conclusions are included in the Audit Results section of the report.

2

We disagree with Sacramento’s contention that the department’s current contract is thorough. In the Audit Results, we acknowledge that Sacramento updated its contract with Vigilant in September 2019. In reviewing that latest version, we determined that it is missing some of the best practices outlined in CJIS policy, as we show in Figure 3. In the Audit Results, we note that CJIS policy states that a contract that clearly establishes data ownership acts as a foundation for trust that the cloud vendor will protect the privacy of the agency’s data.

3

Sacramento’s response implies that a process for approving image‑sharing requests and maintaining records outside of the Vigilant system was already in place. However, although Sacramento states that it began developing a ticketing system for handling technology requests more than four years ago, as we discuss in the Audit Results, Sacramento could not provide any evidence of records outside of the Vigilant user interface demonstrating when or why it agreed to share with particular entities. As we further point out in this section, Sacramento’s ALPR policy currently does not include a process for approving sharing requests.

4

Sacramento’s proposed study of ALPR images may benefit its ALPR program. Our analysis of the search records from the agencies we reviewed—summarized in the Audit Results and in Table 2—presents one method of identifying the age of the data personnel are using. We point out in the Audit Results that the agencies’ existing ALPR systems provide the ability to conduct such an analysis. Nevertheless, our recommendation does not preclude the type of analysis Sacramento describes in its response.

5

We stand by our recommendation that Sacramento should have a policy that clearly states the staff classifications, ranks, or other designations that may hold ALPR system user accounts and that accounts are granted based on a need to know and a right to know. As we state in the Audit Results, each ALPR administrator, including Sacramento’s, stressed the concept of “need to know, right to know.” Assigning an individual an ALPR account based strictly on his or her classification or role—the practice Sacramento follows—does not ensure that an individual has a need to know because of their specific assigned work.

6

Sacramento’s concern about bias is unfounded. To meet generally accepted government auditing standards, which my office is obligated to comply with, we have and follow policies and procedures for all audits to ensure that we identify and rectify any threats to our independence, including bias. Moreover, we follow quality control procedures on every audit that ensure that we have sufficient and appropriate evidence to support our findings and conclusions. 

7

Sacramento received draft text that was relevant to our findings about it. State law requires us to keep confidential information about an unpublished audit. Consequently, we cannot share with one agency information about another. Sacramento received a draft audit report with redacted information regarding other agencies as necessary to maintain confidentiality. During our exit conference, we stressed that staff should contact us with questions they might have about the draft report during the formal review period; Sacramento did not contact us. We also contacted Sacramento’s ALPR administrator during the formal review period to inquire about questions staff may have, and he did not return our call.




Back to top