###

PREVIOUSLY

• The Humboldt County Sheriff’s Office Appears to be Violating Its Own Policy and State Law on Automated License Plate Readers

###

This morning, shortly after the Outpost published its investigation into the Humboldt County Sheriff’s Office’s automated license plate reader (ALPR) program, Undersheriff Justin Braud came by our office and delivered printed-out responses to the questions we had submitted back on Sept. 26.

He also informed us that the Sheriff’s Office has an updated version of its ALPR policy that differs from the one we referenced in yesterday’s story. The current version of the policy, which starts at page 498 of the Policies and Procedures manual accessible through this link, includes many changes and lists information about Flock Safety, the Atlanta-based company that supplies the Sheriff’s Office’s ALPR equipment and stores and maintains the associated data in its “secure cloud.”

While the updated version of the policy is still not conspicuously posted on the Sheriff’s Office’s website, as required by California Civil Code, Braud informed us that the agency has established an online transparency portal, as Sheriff William Honsal vowed to do last year when the ALPR program was launched. 

That portal lists all 293 of the California law enforcement agencies that have been granted access to the Humboldt County Sheriff’s Office’s ALPR data, but it does not list information about the hundreds of thousands of monthly searches through which those agencies gain access to the data. Instead, it lists information about searches conducted by the Sheriff’s Office own staff. One hundred eighty-eight of them were conducted in the last 30 days, and the agency’s ALPR cameras detected 117,586 vehicles over that period, according to the website.

A recent CalMatters investigation found that roughly a dozen police and sheriff’s departments throughout Southern California shared such data with federal immigration agencies, a violation of Senate Bill 34. Similarly, Attorney General Rob Bonta is suing the City of El Cajon for illegally sharing license plate data with out-of-state law enforcement. We asked Braud what, if anything, the Sheriff’s Office is doing to prevent outside agencies from accessing its ALPR data for illegitimate purposes or from sharing it with federal agencies. 

He said that while the Sheriff’s Office does not inspect and approve each individual search request before granting access to its ALPR databases, it does conduct after-the-fact audits. He also said Flock Safety is working to cut down on misuse of its technology.

“I talked to the sheriff about it today,” Braud said. “Flock realizes this is a big deal, and they’re introducing new protocols that will intercept activity like that and not allow it to go through.”

As for the behavior of outside law enforcement agencies, Braud said, “All agencies are required to follow policy and law. We’re trusting that they’re adhering to that. They promise to do so when requesting permission, and if we find out they’re not, we would discontinue allowing them to access our system.”

The City of El Cajon, which is being sued by the Attorney General for repeatedly violating state law by sharing ALPR data with law enforcement agencies in more than two dozen states, is still listed on the Sheriff’s Office’s transparency portal as one of the external organizations with access to its data. So are the Los Angeles Police Department and sheriff’s departments in San Diego and Orange counties despite a recent CalMatters investigation found that found those agencies searched license plate readings on behalf of ICE.

Braud said the updated ALPR policy has been in place since March, which means it was in effect prior to the searches documented in the data logs reviewed by the Outpost, which covered searches conducted in June and July. Unlike the earlier version of the policy, the updated one says access to the Sheriff’s Office’s ALPR data is given to “any HCSO employees who have reason to access the ALPR system as part of their job duties.”

“This includes, but is not limited to, all ranks of Deputy Sheriff, Dispatchers, Evidence Technicians, and Crime Analysts,” the policy says.

While the new version of the Sheriff’s Office’s policy does negate some of the apparent internal rule violations we reported yesterday — for example, there’s no longer a requirement that requests to access the agency’s ALPR data be submitted in writing — the agency still appears to have violated elements of both its own policy and state law, according to the data logs we obtained through a California Public Records Act request. 

The responses we received from Braud today don’t explicitly acknowledge any violations of law or policy, but they do refer generally to potential “discipline of employees” while adding that information about such measures can’t be shared publicly.

As reported yesterday, the logs we inspected show that the Sheriff’s Office allowed nearly 300 outside law enforcement agencies to conduct hundreds of thousands of searches per month of its ALPR data, often without first obtaining legally required information such as the reason for the search and the identity of the officer conducting it.

The logs also show that outside law enforcement agencies were granted access to the Sheriff’s Office’s ALPR data even when the “Reason” entered to justify the search referred to federal agencies, including the Homeland Security Investigations Unit of the U.S. Department of Immigration and Customs Enforcement (ICE), the FBI, the U.S. Marshals Service and simply “fed.”

In answer to a question about this practice, the printout we received this morning says:

Note that Humboldt County only shares with other agencies in California. There has historically been some disagreement among some agencies about their ability to work with federal agencies on task forces related to specific investigations. Flock Safety has made a number of product enhancements to address the concerns raised by this question. For example, within the state of California, if an agency conducts a license plate reader search and inputs a search reason that indicates it is related to an impermissible purpose in the state (e.g. immigration), those searches are blocked. This fall, the mandatory free text search reason field will become a mandatory offense type drop down list to address concerns about vague search reasons and bolster the system’s ability to block impermissible searches.

The Sheriff’s Office’s updated ALPR policy still says each request to access its ALPR data must include the name of the agency, the name of the person requesting the information and the intended purpose of obtaining it. Many of the searches documented in the logs we reviewed did not include that data, or the information provided was so minimal and/or vague as to appear meaningless. 

The updated policy also says each request to access the Sheriff’s Office’s ALPR data must be “reviewed by the Admins Services Bureau Manager or the authorized designee and approved before the request is fulfilled.”

When asked how Sheriff’s Office staff can ensure that searches are being conducted for legitimate law enforcement purposes, the agency said it audits the search data after the fact, as you’ll read below, where we’ve reproduced more of the questions we submitted to Lt. Conan Moore along with the responses provided by the Sheriff’s Office.

We note, however, that several of the answers appear to not exactly address the questions asked. They seem to be referencing policies in place for when the Sheriff’s Office’s own employees query the ALPR system, not when officers from outside agencies access the agency’s data, which was the intent of many of our questions. Braud said he’s researching further and will get back to us for clarification. 

###

Outpost: How many Flock cameras does HCSO currently have in operation?

Sheriff’s Office: Currently we have eight full time cameras and two flex cameras that can be moved around the county for special events.

HCSO’s Policy 437 makes numerous references to an Administrative Services Bureau Commander. Is that you?

The Administrative Services Bureau Commander is Undersheriff Braud, however, control of the FLOCK system has been delegated to Lieutenant Moore. 

I understand that the access logs provided to me were collected from Flock. Does the HCSO maintain its own records of access?

No, we contract through FLOCK for our ALPR system. Our Records are stored in their system.

The office policy says, “ALPR system audits should be conducted on a monthly basis.” Is that being done? What is the process?

Yes. The administrator in charge reviews our use of the FLOCK system monthly to ensure we are following law, policy, and procedure. That information is then shared with the Sheriff.

HCSO’s policy says each written request must be “reviewed by the Operations Services Bureau Commander or the authorized designee and approved before the request is fulfilled.” Do officers seeking access to Humboldt County’s ALPR data submit access requests for each and every search? Or does the HCSO grant California law enforcement agencies default open access to its Flock camera ALPR data?

HCSO receives requests from California Law enforcement agencies detailing what they would like [us] to share. This can be [done via the] “search” feature, where an agency can put in a license plate and if it was seen on one of our cameras the agency will be notified of the date and time the license plate was hit on the camera,  [or via the] “Hotlist” feature, where a vehicle reported stolen in Humboldt County is placed into the system.

If the license plate hits one of the requested agencies cameras they are notified of the date and time of the hit and that the vehicle is reported to have been stolen out of Humboldt County.

This is basically the same thing as the DMV system that every California Law Enforcement Agency has access to. The only difference is the only thing provided is a license plate, date, time, and location of license plate. To see specific information for the license plate the officer would have to check the DMV database which is recorded by the agency on what officer made the inquiry.

HCSO’s policy also says approved requests must be retained on file. Is the office doing so? Where are these files?

Yes, HCSO retains files of who we share with. This is kept in our Flock system.

The logs released to me thus far document more than 360,000 searches from more than 280 different agencies. [Those numbers increased as more documents were released.] If these requests were not reviewed and approved individually, how can you be sure that the searches were conducted for a legitimate law enforcement purpose rather than, say, to stalk an ex or harass a neighbor, as has happened in other jurisdictions?

HCSO conducts monthly auditing. Flock has continued to enhance audit tools and will be introducing proactive audit alert tools to alert agencies about anomalous activity.

Many of these entries do not have a specific reason listed but rather just a number — apparently criminal codes and case numbers, for the most part. But many [others] entries are unclear or simply left blank. How does your office determine the legitimacy of these searches?

All entries require a cfs [call for service] or case number. Any that don’t, have [been], or will be addressed with the employees to verify they were lawful and to enforce proper documentation. Discipline of employees, if/when warranted, can’t be shared publicly.

Some reasons have been redacted. Who did those redactions and why?

Under California public records law, information related to investigations may be excluded from release. Some agencies are redacting certain information from audits for this reason.

In other cases, the listed reason is quite general, such as “investigation”/”inv”/’invest,” “patrol,” “follow up” and “criminal justice.” Are those considered sufficient justification for access?

No. All entries require a cfs or case number. Any that don’t, have [been], or will be addressed with the employees to verify they were lawful and to enforce proper documentation. Discipline of employees, if/when warranted, can’t be shared publicly.

[Senate Bill] 34 says ALPR operators and end-users must develop a usage and privacy policy, which must be conspicuously posted on their website and must contain provisions designed to “protect ALPR information from unauthorized access, destruction, use, modification, or disclosure.” Has HCSO developed such a policy? If so, where is it posted?

Our policy should be posted, and he refers to it in this inquiry. [The “he” in that sentence apparently refers to this reporter.] We don’t have a separate policy regarding this policy.

HCSO Policy 437 says an ALPR administrator “shall be responsible for developing and maintaining guidelines and procedures” that include training requirements for authorized users, procedures for maintaining records and the name and title of the person overseeing ALPR operations. Has that been done? Where are those guidelines and procedures? (They should be “conspicuously posted on the office’s website,” according to this policy.)

All of that should be included in the policy. Do you have an older version? Updating policies occurs whenever we identify things that should be changed.

Many of HCSO’s own searches of ALPR data only list “investigation” or “suspect vehicle” as the reason. Some such entries have no accompanying case number. How do you know that these searches are tied to legitimate investigations?

Per HCSO policy 437.5(b) “However, there must be a sufficient investigative reason to conduct searches using the Flock Safety ALPR database, and that reason shall be documented in the system with each individual search. A case number or call for service (CFS) number is required to justify any search and shall be entered into the database.”

This was added to the policy several months ago as we noticed the “investigation” being used in the reason. With the case number or CFS number now being mandatory we will be able to confirm the reason for the inquiry. Again, all entries require a cfs or case number. Any that don’t, have [been], or will be addressed with the employees to verify they were lawful and to enforce proper documentation. Discipline of employees, if/when warranted, can’t be shared publicly.

How many crimes has the HCSO helped to solve thanks to these Flock cameras, and how?

The most recent case I know of was the homicide in the Glendale area. This is where a subject was shot and killed near the mad river. Deputies were able to get a description of the vehicle from witnesses. ALPR data was checked with that data and the suspect vehicle was seen leaving the area on the Blue Lake camera. Detectives were able to see the license plate; conduct follow up and the two suspects were arrested and booked into the HCC on murder. There have numerous other cases from missing persons vehicles being located to stolen vehicles being located because of the ALPR hits.

Last year, Sheriff Honsal said there would be a transparency portal for this ALPR program. Is there one? Where can I find it?

https://transparency.flocksafety.com/humboldt-county-ca-so