(On the topic of "passive", always-on License Plate Reader data collection that is archived without looking at it "in case it's useful later"):
> On these facts I conclude that the need for such data has not been "clearly established in advance,"
so as to conform to the applicable principle of information practice. [12] Its future value to any investigation
of criminal activity is wholly speculative. Therefore, with no exemption applicable to it, the collection of
LPR data in the passive manner does not comport with the Data Act's strictures and prohibitions, and may
not lawfully be done. [13]
To absorb this back into the whole phone records thing, here's the keypoints I gather from that:
1. Need to target specific data that is as constrained as possible given prior knowledge. E.g. If you already know someone spoke on the phone about a crime at X date and never spoke of it at any other date, you are only allowed to obtain and use the records of that date.
2. Need to be able to show reasonable belief _before collection_ that the collected data will be useful for an investigation and/or for intelligence on criminal activity. Knowing that a criminal uses a phone is not sufficient cause to collect phone records - it must be demonstrable before collection that those particular phone records might contain information useful for identifying criminal activity or for ongoing investigations.
3. Data that is mass-collected for purposes of finding a specific information (e.g. searching for a license plate by processing every car that passes through X intersection) may be kept and shared only until the target information is located and the objectives met.
4. Every data collection must have a specific purpose and clear boundaries. Collecting records "to find people who issue death threats"? NOT OKAY. Collecting records "to find this particular issuance of a death threat"? OKAY. In other, techier words, there must be a deliverable. If the goal of a data collection is open-ended, or could take decades, then you must have a specific warrant associated to that data collection, and the data must be discarded once the warrant expires and/or the investigation concludes.
This is pretty much my reading of it given cursory scanning of an abstract of the GDCDPA, prior knowledge on legal interpretations for "criminal intelligence information" (an extremely important phrase), and the A.G. advisory linked in parent.
I think this is all correct. But on my admittedly cursory reading of the Wired article, I didn't see any clear indication that the police departments involved have violated any of these restrictions. Of course, this is mostly for lack of detail. There are lots of areas where a violation could have occurred.
Talk to someone at the ACLU about ALPRs. There are currently no restrictions or policies around their usage or data retention or sharing. We as citizens have absolutely no way of knowing if these are being used in ways we don't approve of. It's a problem.
(On the topic of "passive", always-on License Plate Reader data collection that is archived without looking at it "in case it's useful later"):
> On these facts I conclude that the need for such data has not been "clearly established in advance," so as to conform to the applicable principle of information practice. [12] Its future value to any investigation of criminal activity is wholly speculative. Therefore, with no exemption applicable to it, the collection of LPR data in the passive manner does not comport with the Data Act's strictures and prohibitions, and may not lawfully be done. [13]
To absorb this back into the whole phone records thing, here's the keypoints I gather from that:
1. Need to target specific data that is as constrained as possible given prior knowledge. E.g. If you already know someone spoke on the phone about a crime at X date and never spoke of it at any other date, you are only allowed to obtain and use the records of that date.
2. Need to be able to show reasonable belief _before collection_ that the collected data will be useful for an investigation and/or for intelligence on criminal activity. Knowing that a criminal uses a phone is not sufficient cause to collect phone records - it must be demonstrable before collection that those particular phone records might contain information useful for identifying criminal activity or for ongoing investigations.
3. Data that is mass-collected for purposes of finding a specific information (e.g. searching for a license plate by processing every car that passes through X intersection) may be kept and shared only until the target information is located and the objectives met.
4. Every data collection must have a specific purpose and clear boundaries. Collecting records "to find people who issue death threats"? NOT OKAY. Collecting records "to find this particular issuance of a death threat"? OKAY. In other, techier words, there must be a deliverable. If the goal of a data collection is open-ended, or could take decades, then you must have a specific warrant associated to that data collection, and the data must be discarded once the warrant expires and/or the investigation concludes.
This is pretty much my reading of it given cursory scanning of an abstract of the GDCDPA, prior knowledge on legal interpretations for "criminal intelligence information" (an extremely important phrase), and the A.G. advisory linked in parent.