Secretary of Homeland Security Jeh Johnson has cancelled a request for proposals for a contract for the DHS to get access to vehicle location logs compiled by a commercial data aggregator from automated (optical character recognition) license-plate readers. The solicitation for bids was cancelled less than 24 hours after the first reports on the plan by mainstream news media, which prompted immediate public outrage.  The DHS now claims that the RFP was issued without the awareness of agency “leadership”.

We’re pleased to see the DHS forced by public pressure to suspend, at least for now, even this small part of its plans to expand the suspicionless surveillance and logging of of our movements throughout the country.

At the same time, it’s critical for the public to understand that while the DHS has (at least for the time being) withdrawn its proposal to pay a contractor use commercial vehicle location logs for DHS purposes, the DHS itself continues to compile and maintain its own secret database of vehicle location logs compiled from its own license-plate scanners.

In 2012, US Customs and Border Protection (CBP) published a revised System Of Records Notice (SORN) for its Automated Targeting System, adding license-plate records to the categories of data in the system:

ATS maintains the official record … for the combination of license plate, Department of Motor Vehicle (DMV) registration data and biographical data associated with a border crossing.

A SORN published in the Federal Register was required by the Privacy Act because license-plate data in ATS is linked to the identities of individuals, and included in ATS records retrievable by name, passport number, etc.

We don’t yet know whether or not CBP claims that this data in ATS is exempt from the access requirements of the Privacy Act. If you’ve requested and received ATS and/or TECS data that includes records of border crossings by motor vehicle since 2012, please get in touch, or leave a comment, as to whether the license-plate number of the vehicle was included in the records you received from CBP, or was redacted.

But wait — there’s more! The Privacy Act only requires disclosure of government files from which information is retrieved by name or “other personal identifier”.  The DHS claims that a vehicle license-plate number isn’t a “personal identifier”, so that the Privacy Act doesn’t apply to logs of vehicle locations unless they are linked to individuals’ names.  Look-up tables linking license-plate numbers to vehicle owners’ names and other personal identifiers are, of course, maintained by state motor vehicle licensing agencies, and readily and routinely accessible to the DHS. But by separating the state-hosted look-up tables from the DHS-hosted location logs, DHS is able to claim that neither component is subject to the Privacy Act, and thus that vehicle owners have no right to see the timestamped DHS logs of their vehicles’ locations.

Last month, the DHS published a Privacy Impact Assessment giving more information about what it calls, in its usual Orwellian fashion, the Non-Intrusive Inspection (NII) Systems Program.  But that report assesses only the use of license-plate data collected outside of ATS and in conjunction with “inspection” or “screening” of vehicles crossing the border.

CBP checkpoints and license-plate readers aren’t limited to border crossings.   CBP claims the authority to conduct surveillance and operate fixed and mobile checkpoints anywhere within 100 of any US land border or seacoast.  That’s a “border exception” you could drive a truck, car, motorcycle, or any other vehicle with a license plate through.  CBP operates permanent checkpoints, which include license-plate scanners, on transcontinental Interstate highways and other roads that run parallel to, but never cross, US borders.

According to a copy of the CBP Inspector’s Field Manual released in 2007 in response to a FOIA request and successful FOIA appeal:

License Plate Readers (LPRs). License plate readers use optical character recognition to read the license plates displayed on a vehicle as it enters a land border Port of Entry. The LPR automatically enters the information into the Interagency Border Information System (IBIS) for use by the inspecting officer or for later historical use.

No separate Privacy Act SORN has been published for IBIS. To the extent that CBP admits that portions of its content are subject to the Privacy Act, it appears to be considered a part of TECS, most of which CBP has exempted from the access requirements of the Privacy Act.

So far as we know, none of the vehicle location logs compiled by CBP from license-plate readers at CBP checkpoints and border crossings, whether stored in IBIS, TECS, ATS, or other systems, have been made public or released to vehicle owners in response to FOIA or Privacy Act requests.

If anyone makes such a request, please let us know how CBP responds.