Please ensure Javascript is enabled for purposes of website accessibility
Recent News
Home / All News / When a data breach is not a data breach
Information-access crusader Tony Webster says the Duluth Police Department sent him license-plate-reader data without redacting individual license numbers, which are considered personally identifiable data. This photo shows a license plate reader in use by Maplewood police in 2011. (AP file photo: Star Tribune)

When a data breach is not a data breach

This automated license plate reader log-of-use summary page originally included the license plate numbers (LPNs) of cars photographed by Duluth police. They were blacked out by information-access crusader Tony Webster, not Duluth police. (Staff photo: Kevin Featherly)

This automated license plate reader log-of-use summary page originally included the license plate numbers (LPNs) of cars photographed by Duluth police. They were blacked out by information-access crusader Tony Webster, not Duluth police. (Staff photo: Kevin Featherly)

In early 2016, public-information-access crusader Tony Webster asked every Minnesota police department to turn over data collected by their automated license plate readers. Specifically, he sought their “log-of-use” data collections.

Classified as public, “log-of-use” data includes the specific time of day that a reader’s cameras photograph a license plate. It includes total numbers of plates read and logged into law enforcement databases. It includes arrest warrants issued as a result of the data capture, and a great deal else.

What it doesn’t include is license plate numbers, which are considered personally identifiable data. Yet, as he testified recently to the Legislative Commission on Data Practices, the Duluth Police Department gave Webster 7,000 of them.

“Duluth sent me their entire database without any redactions of license plate numbers,” he told lawmakers. “They just sent this to me in the mail.”

The department was not held accountable for the breach, according to information provided by Webster. In fact, a March 24, 2016, letter to Duluth police officials by state Data Practices Office Director Staci Christensen indicates that it was not considered a breach at all.

“Your response to Mr. Webster’s data request does not trigger the data breach notification section [of the Data Practices Act],” Christensen told police officials. Webster had not intended “to use the data for nongovernmental purposes,” she explained in the letter.

“She is saying it’s not a breach because I am not a bad guy,” Webster said in an interview Wednesday. “I mean, I am a good guy. But they don’t know that.”

Should they ever learn of it, he said, each citizen whose license plate number was released might have a valid legal claim against the city. In documents he shared with legislators, Webster himself blacked out license plate numbers so they wouldn’t leak to the public.

In her March 2016 letter to Duluth police, Christensen said Administration Department Commissioner Matt Massman had denied Webster’s request to make Duluth perform an immediate compliance audit — an option provided for in statute.

“I was really concerned that nobody bothered to look into this more,” Webster said. “They were allowed to just continue on without any oversight.”

 The story continues

Sometime later, Webster reached out to Duluth again asking for the same data. He wanted to see whether, given another chance, police would delete the license plate numbers.

They didn’t, he said. The second log-of-use data spreadsheet arrived with license plate numbers hidden, but not excised. Webster said he could easily discover them. “Anyone can just unhide a column in Excel,” he said.

The story took its final turn in late May 2017, when an independent auditor, Waconia, Minn.-based FRSecure, LLC, issued Duluth’s mandated biennial automated license plate reader (ALPR) audit. It found the city’s ALPR security controls and operations were fully compliant under state law.

But there was yet another glitch. “ALPR data is retained for 90 days,” the summary states. “There have been no requests to retain ALPR data beyond the 90 days.”

That’s wrong. ALPR data not being held for investigations is supposed to be deleted after 60 days under the data practices act, Minn. Stat. sec. 13.824 subd. 3. Yet, on Aug. 9, 2017, Christensen signed off on FRSecure’s audit. “Upon review of the City of Duluth Police Department’s submission,” she wrote, “there are no compliance issues with the city’s use of automated license plate readers.”

“I’m kind of concerned about how something like that could be missed,” Webster said.

So is Sen. Warren Limmer, R-Maple Grove, the Data Practices commission vice chair. “We are not supposed to be in the business of hiding legitimate government data and we are not in the business of causing a potential breach,” he said. “We will be re-examining all of this as Duluth has applied it.”

According to emails provided by Webster and verified by Data Practices Commission Chair Rep. Peggy Scott, R-Andover, Christensen contacted Duluth Police Lt. Mike Ceynowa about the audit letter incorrect retention period shortly after Webster’s Nov. 7 testimony.

Ceynowa emailed back that the city’s auditing firm simply misstated the retention period. Duluth’s ALPR system automatically deletes non-investigative data after 60 days as required, he said. The audit letter would be corrected, he added.

Scott remains skeptical. She notes that Webster showed legislators Duluth data from February 2016 showing Duluth’s ALPR “hot list hits” of license plates flagged for potential illegalities. Some dated to September 2015 — more than four months before the data was pulled. Among offenses listed were suspended drivers’ licenses, revoked plates and cars on a “tow list.”

“I’m not sure they are entitled to do that and I think that could use some clarity,” Webster told commissioners. “Certainly the fact that they are retaining this information indefinitely is a bit of a concern.”

In an interview Wednesday, Scott was more emphatic. “That should all be deleted,” she said. “And audits should reflect that. An audit should not just be some company out there with a rubber stamp.”

In summary

Minnesota law requires police departments to audit the ALPR data compliance practices and submit summaries to the Legislature every two years. This year’s reports have begun trickling in; legislators had received nine as of Nov. 7.

Scott is more impressed with some than others. She points to the Shakopee Police Department’s audit summary as a decent example. Its auditor, LEADS Consulting, is run by former Ramsey County Sheriff Bob Fletcher. Its five-page audit summary includes some enforcement details and is followed by a five-page appendix detailing the city ALPR policy.

Less impressive to Scott is a one-page audit summary submitted for the South St. Paul Police Department by FRSecure—the same company used in Duluth. It states only that ALPR logs are properly maintained, data is appropriately classified and access permissions are in legal order. It supplies no supporting documentation.

Webster calls such reports “attestation letters.”

“That’s basically what it is,” Scott agreed.

A great deal more information is available, Scott said. Bloomington Police Chief Jeff Potts demonstrated that when he ran lawmakers through a detailed summary of his city’s audit at the Nov. 7 hearing.

Potts revealed that Bloomington has purchased 21 license plate readers since 2013. Five are mounted on squad cars; the other 16 are on stationary mounts at the Mall of America, constantly scanning cars as they enter parking ramps. Some are scanned as they leave, he said.

People with access to ALPR data can do a lot with it. In 2012, for instance, the Star Tribune tracked movements of Mayor R.T. Rybak’s car, publishing a map with 41 locations where his car got photographed by mobile license plate readers. The city had only eight automated readers at the time.

Potts said the technology is best for recovering stolen cars. In 2017, he said, 20 stolen cars were recovered at the Mall of America; another four were detected elsewhere by Bloomington’s mobile units. Captured data gets run through several Bureau of Criminal Apprehension databases, Potts said, expanding his department’s investigative capacities and making it easier to “rule out innocent people.”

Such details are not generally included in audit summaries provided to legislators, nor are in the documents given to Data Practices Office reviewers who sign off on compliance, Christensen told lawmakers.

Scott has instructed her staff to reach out to the 34 Minnesota police departments now using ALPRs for more information—preferably their full biennial audits, which she said are public record.Scott also is considering statute changes requiring police to turn over their full audits rather than brief summaries. It is essential for the Legislature to track police use of the technology, Scott said.

“We need to,” she said, “in order to protect the innocent public from law enforcement holding information on them in perpetuity.”

Police surveillance does not discriminate between good and bad guys, she added.

“It’s showing all of the innocent people, too,” Scott said. “And what purpose do they have in holding surveillance information on innocent people?”

Leave a Reply