Customs and Border Protection (CBP) purchased access to a commercial database that allows the agency to look up the historical location of vehicles nationwide without a warrant, according to a CBP document.
The news that CBP is using such a system highlights a continuing trend in which law enforcement agencies turn to the commercial sector for access to data rather than collecting it themselves, and shows that little-regulated private surveillance networks are being used by the government.
Earlier this month, CBP published a new Privacy Impact Assessment (PIA) which said that since 2017, the agency had moved beyond using just cameras and license plate reader technology owned and operated by CBP itself and had moved to acquire access to commercial license plate databases.
"Accordingly, CBP is updating this PIA to provide additional notice to the public and assess the unique privacy risks associated with the use of a commercial vendor license plate database," the PIA reads.
Do you work at Vigilant or know anything else about its customers? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on firstname.lastname@example.org, or email email@example.com.
The PIA says the purchase is to "provide CBP law enforcement personnel with a broader ability to search license plates of interest nationwide," and that the agency has acquired access to the license plate reader information via an API which CBP users then can use to query the data.
As TechCrunch noted, the document adds “The only way to opt out of such surveillance is to avoid the impacted area, which may pose significant hardships and be generally unrealistic.”
A CBP spokesperson told Motherboard in an email that the agency uses the query-only database for its law enforcement and border security mission, "including assistance in locating and apprehending the subjects of criminal investigations, illicit activity, or aliens who illegally entered the United States." Query-only means the CBP only requests information from the database rather than adding its own data. The spokesperson added that this license plate data can, in some cases, be the only viable way to find a subject, and also said the commercial database may be used to identify terrorist suspects.
"CBP uses [license plate reader] information in conjunction with other law enforcement and/or targeting information to develop leads to further the enforcement matter, including identifying associates of possible concern and eliminating other individuals from further consideration," the spokesperson added. They said that the agency also uses access controls to ensure only authorized users can view the data, and set timeframes on how long results are retained by CBP once a user queries the commercial database.
"DHS and CBP remain committed to safeguarding personally identifiable information, upholding civil liberties, and reducing potential risks posed by this technology," the statement added.
The PIA did not name the specific commercial database. But a source in the private investigator industry, which makes use of commercial license plate databases, suggests the supplier is likely Vigilant Solutions and its sister company DRN which collects the license plate data in the first place.
"DRN is the only one I know that collects the data. The other companies that advertise this service as a search buy from DRN," Igor Ostrovskiy, principal at private investigator firm Ostro Intelligence, who has used the DRN system, told Motherboard. With the consent of the target, a source previously tracked a target for Motherboard using DRN's vast license plate reader system.
One June 2019 public procurement record between CBP and Vigilant is listed for "Law Enforcement Archival Reporting." The Law Enforcement Archival Reporting Network (LEARN) is a Vigilant license plate reader product.
"DRN is the only one I know that collects the data. The other companies that advertise this service as a search buy from DRN."
DRN's database is essentially crowd sourced by hundreds of repo men who have installed the firm's license plate reader cameras in their vehicles. As the repo men drive around the United States looking for vehicles to seize, the DRN cameras also passively record and upload the location, license plate, and other information of every car they drive by to the company's database. DRN claims to have more than 9 billion license plate scans, according to a DRN contract previously obtained by Motherboard.
This data is then also available to Vigilant's customers.
"Vigilant’s law enforcement customers can subscribe to DRN’s billions of nationwide commercial LPR detections to receive well-rounded data that may not be collected from their systems to help further power their investigations," DRN's website reads.
A CBP spokesperson would not confirm or deny which commercially available system it is using. Mary Johnson, senior director of media relations and communications for Vigilant, did not respond to multiple requests for comment.
In April the Massachusetts Supreme Judicial Court ruled that in one particular case, license plate reader data used to track a heroin dealer crossing back and forth across a bridge didn't violate his constitutional rights around search and seizure. But there could be room for other cases to be dealt with differently.
"Where the ALPRs [automated license plate reader] are placed matters," Justice Frank M. Gaziano wrote in the ruling reported by WBUR. "ALPRs near constitutionally sensitive locations—the home, a place of worship, etc.—reveal more of an individual's life and associations than does an ALPR trained on an interstate highway. A network of ALPRs that surveils every residential side street paints a much more nuanced and invasive picture of a driver's life and public movements than one limited to major highways that open into innumerable possible destinations."
Senator Ron Wdyen told Motherboard in a statement, "Customs and Border Protection owes the public an explanation of what it’s using this vast database of Americans’ movements for, whether there are safeguards to prevent sensitive information from being abused and how many Americans have their movements swept up into this dragnet surveillance program. While more information is needed in this specific case, it’s now clear that several government agencies are purchasing data as an end-run around the Fourth Amendment, which is why I am preparing legislation to close that yawning gap in Americans’ Constitutional protections." Wyden's legislation, planned for before the August recess, would stop law enforcement agencies from buying data they would usually need a warrant to obtain, such as smartphone location data.
Subscribe to our cybersecurity podcast, CYBER.