Clearly frustrated, Brian Hofer took a breath. His colleagues on the Oakland Privacy Advisory Commission sat quietly as Hofer, who chairs the board, questioned Oakland Police Department representatives attending a commission meeting over Zoom in August.
Months earlier, in May, the City Councils Public Safety Committee had ordered OPD to give the privacy commission reports and audits showing how the departments automated license plate reader technology was being used, and which law enforcement agencies had access to the information.
OPD had, again, failed to produce all the documents the commission wanted to review as part of its assessment of whether or not the technologys benefits outweigh its potential harms. As with other surveillance tools used by various city departments, the privacy commission is tasked with making a recommendation to the City Council about whether or not OPD should be allowed to continue using license plate readers. Hofer had been seeking the records since 2019 to no avail. The department told him that even though he chaired an official city commission, he had to file a public records request; he did, but the OPD never handed over all of the information.
The records the department did provide for the commissions August hearing had clear red flags, Hofer said. For one, the reports showed for the first time that OPD was allowing the FBI unfettered access to license plate reader scans outside the limits established in the departments 2016 policy. Once such data is shared and ends up in a federal database, the police department loses control of the information, privacy advocates have warned.
That came on top of OPDs acknowledgement that it was retaining scan data for two years, in violation of the departments own policy, which says it is supposed to delete data thats older than six months.
But Hofers frustration was mostly over what was not being shared, and that OPD officials appeared to have a different understanding of what the City Council committee had asked them to do.
I think everyone knows we are heading toward litigation, Hofer said at the August meeting. I dont feel comfortable asking some of these questions, which I have to dance around.
Indeed, Hofer sued the city, OPD, and the City Attorneys Office in September. It was an unusual legal move for the chair of a city commission. But a provision of the citys surveillance ordinance allows for anyone to take the city to court. Hofer clarified that he filed the suit as an individual and executive director of the nonprofit civil rights and technology group Secure Justice, not on behalf of the commission he chairs, even though OPD would be forced to hand over records the commission has sought.
The lawsuit alleges the City Attorneys Office and Oakland Police Department have violated the citys surveillance technology vetting ordinance and the state Public Records Act by failing to provide the documents Hofer asked for two years ago, and that the two departments have obstructed, practically thwarting, [privacy commission] from doing its job.
The case is pending before an Alameda County Superior Court judge who will decide whether or not to force OPD to hand over the records. Hofer is also asking that the court compel the police department to destroy license plate scan data thats older than six months, and enforce other portions of the Surveillance Technology Ordinance.
Hofer, who advocated for the creation of the Privacy Advisory Commission and has served on it since it was established, said the conflict between the commission and OPD has revealed some limits of Oaklands model of civilian oversight of police surveillance technologies.
The Oakland Police Departments media relations unit and the Oakland City Attorneys Office, declined to comment for this story, citing the active lawsuit.
Since its inception in 2016, the Oakland Privacy Advisory Commission has served as a national model for civilian oversight of municipal technology and surveillance. Its origins can be traced back to 2013, when Oakland quietly planned to expand a surveillance network from the Port of Oakland and Oakland Airport to city streets.
The federally funded citywide surveillance system, known as the Domain Awareness Center, was proposed to be a central hub for data collected from OPDs automated license plate readers and gunfire detection system, facial recognition software, and more than 700 cameras throughout the city, including at schools and public housing complexes.
The DAC ignited a debate about privacy and data collection on a local level, around the same time Edward Snowden burst on the international scene with revelations of massive illegal data collection by federal spy agencies.
Pushback from activists, residents, and the ACLU of Northern California concerned over threats to civil liberties ultimately resulted in Oakland City Council dramatically scaling back the project and limiting the DAC to the port and airport. City Council also created an ad hoc citizens committee to draft a privacy policy that would set rules for the use of the DAC to prevent its powerful systems from being misused. In January 2016, council members approved an ordinance establishing a permanent nine-member Privacy Advisory Commission.
Today, the Oakland privacy commission remains unique. In most cities, when new technology is obtained and used by city departments like the police or transportation, it is up to the city council or officials like the city manager and police chief to consider privacy implications. But in Oakland, the commission helps shape policy, looking at matters through a privacy lens at the earliest stage possible. No other U.S. city has a civilian advisory board with such broad powers.
At its second ever commission meeting in 2016, an OPD deputy chief publicly presented for the first time how the department uses cell-site simulators, a device that tricks cellphones into thinking its a cellphone tower in order to scoop up data and determine the geographic location of phones. OPD had been using these devices, commonly called Stingrays, since 2006 to track the locations of people suspected of crimes. The privacy commission drafted a new policy that was adopted by the City Council, requiring OPD to obtain warrants for deploying the Stingray, and to compile yearly reports on its use.
The commissions investigation of OPDs assistance in a 2017 West Oakland ICE raid uncovered a little-known agreement with ICE, which the City Council later terminated. And in 2019, Oakland became the third U.S. city to ban facial recognition software, which can be used to conduct mass surveillance and identify people in large crowds or in public areas. Researchers have shown that the software is less accurate when trying to identify people of color, which could lead to greater civil rights abuses.
Tracy Rosenberg of Oakland Privacy, a citizens coalition that advocates for privacy rights and oversight of government surveillance, said Oaklands privacy model is heads and tails above other local jurisdictions.
It is being watched on a national basis, Rosenberg said. The commission has done amazing, back-breaking work. There is no doubt the surveillance impacts on citizens have been greatly mitigated. That said, they occasionally run into some wrinkles. That is because they are doing things that essentially have never been done before.
Perhaps the biggest wrinkle has been in the police departments use of automated license plate readers, which led to Hofers lawsuit.
OPD has 35 license plate readers mounted on police vehicles which constantly scan plates throughout Oakland and feed them into a database that can tell if a car is stolen, or has been flagged because it was associated with crimes. This information is then automatically provided to officers. The department also stores scanned plate numbers in a database that can be accessed by investigators long after a crime has been committed. Using this data, police can track when and where vehicles traveled.
Oakland police say the cameras have been a useful investigative tool. The cameras have helped in human trafficking cases, track down missing persons, including a homicide victim found in the trunk of a car, and led to the arrests of two homicide suspects, according to OPDs reports to the commission.
But in some cases, police have pulled over innocent people due to license plate cameras incorrectly scanning a plate. Two Contra Costa sheriffs deputies in 2019 pulled Hofer and his brother over in San Pablo, drew their guns and detained them after a camera on Interstate 80 erroneously identified their rental car as stolen. Hofer sued Contra Costa over the incident.
A 2015 state law, SB 34, requires police agencies using license plate readers to develop a use policy and track how and when the data is accessed. OPDs 2016 use policy, according to Hofers lawsuit, includes a representation that OPD would perform audits of its surveillance technology use.
Citing failures by OPD to comply with these state and city reporting requirements, the commission in February recommended to the City Council that OPDs use of license plate scanners be suspended for a two-year period. The decision came after commissioners said OPD had not produced the annual audits, and had not fulfilled public records requests Hofer filed in 2019 seeking the information.
Rather than suspend OPDs use of the scanners, the Public Safety Committee in May directed OPD to supply the requested documents to the commission, in hopes the department and privacy commission could sort out the problem. OPD returned to the PACs August meeting with ALPR reports for 2019 and 2020. However, OPD did not produce audits for 2016, 2017 or 2018, and admitted no audits had been completed for those years.
To help settle the issue, Joe Devries, the citys chief privacy officer, suggested at the meeting that the commission form an ad hoc committee to work closely with OPD. Hofer, in response, said he had polled members to see if anyone wanted to serve on such a committee. No hands were raised, he said. Commission members had grown tired of asking repeatedly for records that werent handed over by OPD.
I am getting the impression some folks have checked out a bit, Hofer said at the meeting in August. They didnt think they were going to have to chase people this hard.
While Oaklands privacy commission is perhaps the most robust in the country, Hofers lawsuit argues the oversight model is failing to work because of a growing lack of trust. Unsure theyre getting all of the information they need from city departments like OPD to make decisions, the commissioners also dont have a lot of free time or resources of their own to do their own research.
The amount of work before the volunteer commissioners has taken its toll, and fatigue appeared to set in at the August meeting. Privately, two commissioners asked Hofer whether they should resign in protest.
Its really hard when you cant trust that you are getting the full picture, said Commissioner Reem Suleiman, who was appointed to the commission in 2016 to represent District 1, including North Oakland, Temescal, and Rockridge,.
None of us have the bandwidth to investigate and try and track down the facts. I worry a lot, said Suleiman. What happens when Brian (Hofer) resigns or hes termed out? I just dont know if this body can fulfill its purpose without having some extreme overhaul and rectifying the trust and the harm. In order for us to advise, the information has to be accurate. If we are making judgments on inaccurate or incomplete information, what good is this body at all?
Disputes with city departments have led commissioners to wonder if, in order to continue their work, additional staff for the commission is needed. Like Hofer, most of the nine members of the commission have experience with privacy and technology issues through their day jobs. Heather Patterson, reappointed in 2020, works as Facebooks responsible innovation manager, and Gina Tomlinson was the chief technology officer for San Francisco before becoming an executive at the tech company yondr. But as volunteers, they can only spend so much time studying the issues coming before the commission, and they have to rely on the information city staff are presenting them. Unlike the citys Police Commission, the privacy board does not have an attorney at its disposal, or someone like an inspector general to help review documents and advise commissioners. There is no dedicated city employee other than Devries, who also works in other capacities in the City Administrators Office.
Seattle established its Privacy Program in 2015, following concerns about waterfront surveillance cameras, wireless mesh networks used to track peoples phones, and an increasing amount of drones flying near homes. In one instance, a woman spotted a drone outside the window of her high-rise apartment.
Under Seattles Information Technology Department, Chief Privacy Officer Ginger Armbruster said there is a staff of 18, with three full-time employees working on issues related to the citys surveillance ordinance. Its a slog, Armbruster, a former senior privacy manager for Microsoft, said.
Devries doesnt think OPD or other city departments are purposefully trying to thwart the Privacy Commission.
The frustration for Brian and the commission is real. Any department that needs to use surveillance technology has to come through the commission. Theres an education process for those staff members, Devries said in an interview. There were some missteps and misunderstandings about what needed to come to the commission and when it needed to come. I think it created a level of mistrust. Its really easy to go to intent, but I really dont think thats the case. Everyone is giving their best effort and its a heavy lift.
Oaklands privacy commission has served as an inspiration for other cities. Santa Clara County, Los Angeles, and New York each have their own chief privacy officer. In 2019, the city council in Portland, Oregon unanimously passed a privacy protection principles resolution to ensure non-discriminatory use of data.
Hofer, who has consulted with activists and officials in other cities to help them set up their privacy oversight systems, said that while Oakland has certainly been an inspiration for others, its limits are increasingly clear. The more Ive seen this model in other jurisdictions, I dont think it can work at all without an inspector general. Civilians, he said, should not have access to raw data but need full-time staffers on their side who can access data and information and deal with city officials from the departments the commission is meant to hold accountable.
Im not giving up, he said. Have we had any positive impact? Have we changed the culture at all? Have I wasted six years of my life? I dont think so and I hope not.
Visit link:
Oakland's privacy commission is nationally lauded. But is it working? - The Oaklandside
