Hacker News new | past | comments | ask | show | jobs | submit login
A California mall operator is sharing license plate tracking data with ICE (techcrunch.com)
313 points by srameshc 8 months ago | hide | past | web | favorite | 171 comments

I wonder where we're supposed to go from here. After 9/11 I worried about having something as convenient as Google Maps. Now we have more real-time surveillance and going outside I know I will be tracked and collected and bought and sold to private companies and the government. There's a psychological cost to knowing you're watched/exploited every time you go outside. In the past this was limited to what people might have seen you do in the public view. Now there are large distributed systems in place to collect an itinerary of your movements - even if you're not the focus of a search. I was born in California, and I don't feel like these systems keep me safer. It makes me want to participate in society less. Maybe I'm just paranoid. I wonder what this at scale, alongside other tracking systems, will do - and how it changes our behavior. I feel harmed by this.

> Maybe I'm just paranoid

This common saying.

I'd rather be paranoid and informed than blissfully ignorant. But a person can only process so much while carrying on with their lives.

The jewel beetle attempts to mate with an amber glass bottle it finds attractive until it dies from exhaustion.


We increasingly manufacture our own deception. Deep fakes, targeted advertising, you name it. We are both the beetle and bottle designers. It is definitely worth thinking about.

It's much easier to design glass bottles than to save beetles from the best and worst time of their lives.

Now, as crafty bottle designer, think of all the stuff you could do, given the necessary resources.

“California malls” is too forgiving a headline. It’s one company, Irvine Company, a group with locations in the Bay Area [1]. They have phone numbers on their websites [2]. Reaching out to their retailers, particularly those with locations in Mexico, couldn’t hurt either.

It might not be a bad idea to also compile a list of their retailers’ investor relations and Twitter accounts and tweet this article to them (here's their store directory [3]). I just started e-mailing the brands I know.

[1] https://www.shopirvinecompany.com/centers/

[2] https://www.shopirvinecompany.com/about/contact/

[3] https://www.shopirvinecompany.com/directory/store-directory/

Irvine Company is not just "one company", it's HUGE... it owns half of Orange County, Newport Beach, etc. From Wikipedia:

> The Irvine Company develops suburban master-planned communities throughout central and southern Orange County, in addition to residential buildings in Santa Monica, Silicon Valley, and San Diego.[6] The company also owns and manages office buildings in Milpitas, San Jose, Sunnyvale, Downtown San Diego, Mission Valley, San Diego, La Jolla Village/University City, Sorrento Mesa, Del Mar Heights, Newport Center, UCI locations, West Los Angeles, Pasadena, Chicago, and New York City.[7]

It's the closest thing I know to the burbclave running megacorporations from Snow Crash.

Donald Bren is essentially a Duke.

I’m now surprised this isn’t a plot point in Arrested Development

Given this news, I'm going to contact some other large mall chains (e.g. Westfield), in the hopes that they'll confirm that they don't give out license plate data to third parties.

I'll be interested to see how they respond.

Westfield uses third party hardware solutions in multiple malls to track in/out, matching against voluntarily-registered parkers so that parking tickets are not needed for smoother customer experience. These solutions track -all- in/out plates because that’s what they’re for. My info is dated but there was no data sharing.

Significantly more creepily, WF uses wide-coverage anonymous device tracking to build customer profiles of visitor paths/time spent in shops across multiple visits to place targeted ads via FB and the like. Don’t walk around in a mall without your Faraday cage.

Westfield recently spin that division off. All of this tracking tech is being built by a new company named OneMarket.

They're not going to reply to you and even if they do it'll be a "we do not comment on our security practices".

Yeah, at least pretend you're an interested buyer...

Better yet, ask them to confirm that they don't track this stuff in the first place.

> ask them to confirm that they don't track this stuff in the first place

I could see a reasonable case being made for collecting these data, storing them for a few weeks, and then deleting them, to protect against thieves.

The problem here is that for the government to collect these data, they would need to follow certain processes. A private actor who isn't following those processes is placing those data with the government, thereby circumventing a critical check on police power.

This seems to be the latest trick. The same thing was happening with the cell phone location data. We should start referring to this as "data laundering".

> "data laundering"

Don't mind if I do start referring to online abuses of privacy as such

Outsourcing detective work has been going on for a long time. When the Marshals or bounty hunters are looking for fugitives, one of the first things they do is pull what is essentially your credit report (with strictly financial details redacted) to get your address history and last known whereabouts from the private sector collective.

All that extraneous data in your credit reports is up for sale to qualifying purchasers-- be it law enforcement, marketing firms, or financial institutions.

> I could see a reasonable case being made for collecting these data, storing them for a few weeks, and then deleting them, to protect against thieves.

I disagree. Everyone shouldn't have to sacrifice everything associated with their license plate info, everywhere they go, because of a few thieves. It's not a reasonable balance; my privacy is worth a lot to me.

The Dutch civil servants collecting census data probably thought it was reasonable to create per-person records that included the tuple {address, religion}, which the Nazis used to create this[1] map of Jews living in Amsterdam (3/4 of the black dots on that map were murdered in the camps).

The problem with storing data that requires "certain processes" to ensure safety is that it might not be your decision. Governments collecting data is one example; others include desperate behavior by companies in bad financial situations or Equifax-style theft.

Someone trying to lose weight is probably able to resist the box of cookies in their pantry most of the time. Unfortunately being human means having occasional bad days where the will isn't necessarily up to the challenge. The responsible person recognizes that weaknesses exist and doesn't keep the box of cookies in the house.

I'm sure data will be handled safely most of the time, when it's easy. The real question is what will happen in difficult, morally problematic situations when the cost of acting ethically might include losing your job (or worse. One of the responsible way to handle that kind of problem is to avoid it entirely by not collecting the data.

[1] https://www.verzetsmuseum.org/uploads/archive/museum/topstuk...

Even if private actors were not involved, there wouldn’t be any way to verify that the information was destroyed by a governmental department. I suppose that is a possible area where a public blockchain that broadcasts the storage and deletion of data could be useful but now everybody has stopped reading this comment so they can talk about how blockchain tech is useless. Regardless, the indefinite/temporary storage of tracking data needs to be addressed at some point.

How exactly could a blockchain publish deletion of data in a way that can't be cheated?

Through a private key mechanism. If there was a mechanism to automatically remove the private key for a record then it would become effectively unreadable (in our life time, anyway).

But what stops you from copying the private key before it gets removed? Or running a client that just pretends to remove the private key?

Half the point of a blockchain is that once data is out there it can't be removed. You can't leverage that to force the removal of something.

>I could see a reasonable case being made for collecting these data, storing them for a few weeks, and then deleting them, to protect against thieves.

So everyone is guilty to proven innocent?

That’s how security cameras work too - if the data is deleted in a reasonable timeframe I dont have a problem with it.

I could see a reasonable case being made for collecting these data, storing them for a few weeks, and then deleting them, to protect against thieves.

I know some mall companies record license plate data on a daily basis to make sure the employees are parking in the way-way-way out employee designated parking areas.

How long that data is stored and who else gets to see it is anyone's guess.

Unfortunately, it you're on the mall's property, you have no legal right to not being surveilled by the mall.

What reasonable case do they have to track the data? What reasonable case is there tgat requires storing for two weeks?

Westfield valley Fair does, they have a system that will let you know where you parked if you provide it your license plate details. If it doesn't find an exact match you get to train the algorithm for them.

I would also settle for some California legislation that would kill Vigilant’s business model.

It might be time for a group of tech people to write some initiatives to limit these kind of business models. This kind of behavior should be pretty simple to get Californians to vote for.

The hard thing would be getting enough signatures on the ballot, that costs a million bucks usually. Of course that can be powerful, consider the recent surprising rush for privacy policy legislation.

That’s actually pretty solid. Thanks for bringing it to my attention.

How solid is it?

You can easily keep license plate data much longer by simply stating, "we are using it as evidence". For what? "An on-going investigation."

Done. Now you have it for much longer than 60 days.

It’s substantially better than no governance and oversight, and additional reporting of deviations can be mandated (require documentation of what ongoing investigations data retention extension requests are tied to).

You have to start somewhere.


> abolishing your immigration agency

Nobody in this thread has proposed abolishing ICE. It is a non-mainstream political movement entirely unrelated to this thread.

And abolishing ICE (or what ICE has become) actually isn't that radical. It was created as part of the Homeland Security Act in 2002 as part of the (over)reaction to 9/11 .

Before that, customs and immigration concerns were handled perfectly well by the United States Customs Service (in the Treasury Department) and the Immigration and Naturalization Service (Department of Justice.)

What is new with ICE is the militaristic "hunt them down" approach to immigration enforcement while pushing back on due process for offenders (which they mostly get away with because these people are poor non-citizens). Suggesting we do away with that is not that radical -- it's actually quite civilized and a return to much more humane pre-9/11 norms.

a reorganization and less political administration couldn't hurt though. Some checks and balances maybe to ensure all choices they make are ethical, and move in a more humane direction... (though, I think we could deal w/ open borders if we had a national sales tax to capture taxes off their grocery/restaurant/etc use.

Then they'd all be contributing to the bottom line, the only reason people hate them being here in the first place right? Nobody wants a freeloader, so let's make it so anyone living here can't be one.

Reach out and do what?

Here's an excerpt from e-mail I just sent 7 For All Mankind's support e-mail:

"You have a California location at Fashion Island [1]. It has recently become public that the operator of that mall, Irvine Company, is sharing customers' license plate data--due to no legal obligation and en masse--with ICE [2]. Irrespective of political affiliations, I believe we share a mutual respect for customers' privacy. Hoping your brand, currently running a #WeAreMankind campaign, is wiling to speak out about this inconsistency.



[1] https://www.shopirvinecompany.com/directory/store-directory/

[2] https://techcrunch.com/2018/07/10/alpr-license-plate-recogni...

touch someone, presumably.

I read articles like this and I think that one's opinion on this is directly correlated with whether one thinks that immigration laws should be enforced. I don't think most people are calling for immigration laws to be eliminated and anyone who manages to make it here should be allowed to stay indefinitely.

What I don't get is the whole selective enforcement of laws thing. If someone somehow managed to get across the border that gets the person some sort of award for sneaking past the border patrol and thus a right to stay here for being a particularly sneaky lawbreaker? The legal reasoning behind all this just strikes me as ridiculously convoluted.

I feel like there are two types of people, those who respect property rights and those who don't.

You might say that one type of person wants everyone to be like docker containers, not interfering with one-another and another type of person wants to be like a monolithic application where anyone's problem becomes everyone's problem, but free resources are to be shared.

That’s a very bad analogy.

> one's opinion on this is directly correlated with whether one thinks that immigration laws should be enforced.

Oh, absolutely. If someone doesn’t like the surveillance state, this is just another datapoint on an ever-increasing list. Still disappointing, but not uniquely so.

The people so civically unengaged that they actively champion the increased surveillance of modern life right up to the point it’s used against their pet causes disgust me.

To me the issue here is that this data is collected in the first place. It seems wrong to me that private corporations are tracking my every move.

How is anyone in SV going to eat if private corporations can't track our every move? I mean, not everyone takes cab rides or rents private homes when they travel, but almost everyone uses the internet for something. And those people need to be tracked, or there's no money to be made.

> How is anyone in SV going to eat if private corporations can't track our every move?

I work for an ISP and we do not track our customers. At all. We bill them and they receive a reliable service that performs as advertised. Maybe we could go back to the oldschool model of actually selling a product or service, delivering it to the customer, and keeping the customer happy?

Which ISP is this? (interested)

I’m not walrus01 but I know of a few ISPs in the Bay Area that put an emphasis on net neutrality and users’ privacy, on top of running a good service: Wave on the SF/Daly City side, and Sonic’s running fiber in the East Bay. Both have impressed me, especially Sonic which provides their own VPN and runs a public wiki that rivals my company’s internal IT wiki. I’ve also heard good things about LMI but I have no personal experience with them.

I'd rather not mix my sometimes controversial comments on HN with work - everything I write here is very much not in my "official" capacity... But I can say it's west coast, small to medium sized, clueful, and doesn't suck.

"The internet would not exist without advertising"

Utterly wrong. The Internet wouldn't exist without gigantic state funding. The early Internet was completely free of commercial influence.

In case you didn't realize, my comment and the parent's comment are satirical.

I think it's because it's private property, so they can. I mean they can't just install scanners on a public (gov't) freeway, for example. Some jurisdictions, like Tiburon, in CA, scans every vehicle entering and exiting (only one way in and one way out of town.)

It won't solve the license plate issue, but wearing a burka in public is starting to sound like a sensible response to the modern world just so you don't end up with your face scanned and location logged 38 times on your way to work in the morning.

A niqab might do for now, but I'm guessing height, gate and precise location might provide too much fingerprinting information.

Many countries have anti-masking laws now, which make it illegal to cover your face, unless you have a "reasonable need".

Regrettably, the notoriously anti-immigration government here in Denmark has instituted just such a law, apparently because of a couple thousand women who wear niqabs and maybe 20 who wear burqas. They claim it's to "fight social control", which I find extremely ironic since it's the women who'll be getting fined!

And of course, the excuse the government uses is that it's for "public safety during demonstrations and for identification purposes in banks and similar situations".

I'm not actually sure whether it's actually meant to target the niqab/burqa-wearing women, or if it's because of the left-wing protests against the government, where some of the participants wear masks. Either way, banning specific types of clothes usually only happens in totalitation states.

I don't see any difference between tracking cars and guns, except cars kill more people every year in the US.

What are you even talking about? They aren't tracking my car to make sure I don't run some one over, they are tracking it so that they can sell more stuff.

Good point, we should do away with car registration. I’ve never lived in a state with a gun registry.

agreed. this is simply unacceptable... even LEO should have probable cause to pull you over and make your life inconvenient or at worst hell.

Then don't go on to their private property to conduct business?

So hole up in a cave because someone might be tracking you every time you leave the house?

It's perfectly reasonable to require companies to tell us what data they're collecting and how it will be used.


Cat was also out of the bag with child labor. It was out of the bag with DDT.

We have the capability to reverse societal trends when we as a collective find them to be antithetical to our morals. This is no different.

>Cat was also out of the bag with child labor.

It's easy "you can't hire employees" and enforce it, it's a lot harder to go "you can't use the billions and billions of cameras in existence to record or track thing" and realistically hope to enforce it, especially when there is valid application.

I'm quite fine with the government knowing where my government registered, government licensed, government plated car is going. To legally drive a car you have to be licensed by the government, your car has to be registered with the government and you have to have a license plate issued by the government. You're going to be driving on public roads and private parking lots that have security cameras, ticketing cameras, news cameras, rear view cameras, autonomous car sensors, intersection monitoring cameras, internet streaming cameras and not to mention just about every human being you drive by will have at least one camera on their person.

This is a fact of life. Barring the discontinuation of using electricity this isn't going to change.

Do you have a phone? You're leaving records on every tower your phone connects to. Do you use WiFi? You're leaving records. Do you have a car with OnStar? You're leaving records. Do you use something like Automatic, you're giving a company all of your driving paths. Do you use Uber or Lyft, you're leaving a trail of where you go.

Are you an illegal immigrant or a human/drug/weapon trafficker that is under investigation using a specific vehicle to commit your crimes? Yes? Then don't go to the mall.

> It's easy "you can't hire employees" and enforce it

I wouldn't say that's "easy" by any measure. It requires(/d) a large shift of public opinion and awareness, enforcement is in many ways harder because there's less visibility.

> I'm quite fine with the government knowing where my government registered, government licensed, government plated car is going.

You're right. Most of us are. Are you ok with them implanting chips into you as a baby to track your every move? Assuming your response to that is "no" then you realize that the issue at hand is scope. There are limits to what we'll accept.

> Do you have a phone? You're leaving records on every tower your phone connects to. Do you use WiFi? You're leaving records.

Again you're confusing the principle at large and the scope at which it's applied.

> Are you an illegal immigrant or a human/drug/weapon trafficker that is under investigation using a specific vehicle to commit your crimes? Yes? Then don't go to the mall.

This is a reductive argument. When I talk about the scope above I'm talking about the impact it has on everyone.

> Cat's out of the bag.

I don't see a reason to believe this. It would be easy to restrict this behavior.

The headline is completely misleading and actually understated the problem. One California mall developer is sharing their license plate data with one third party company which may or may not be sharing this data with other parties. This is worse because

1) companies have gotten so big that one company can control a huge number of shopping malls

2) huge-scale data collection and transmission is so easy/cheap that one decision by one person can affect the privacy of hundreds of thousands of people

3) the “service” model of software delivery makes it much harder to know what is or isn’t being done with the data that you’re generating by using that software

The fact that private malls are even tracking license plates to begin with is disturbing. Obvious in hindsight, but disturbing.

I think that most people would be surprised at the scale of LPR deployments by both private ( http://drnrecovery.com/2016-trends-lpr-affiliates/ ) and public sector ( https://www.aclu.org/blog/national-security/dea-recording-am... ) actors.

Can you comment on the scale of VIN reader deployments? They're harder to read because of the smaller size, but I'd guess they're less likely to be intentionally altered or obscured.

I cannot.

I imagine that would require much better cameras and cost more. On my car the tamper prevention measures make it hard to read from many angles as well.

I think the solution for the use case you describe is coming in 2020, where cars will be able to talk to each other and to road sensors. That technology will probably be used to collect mileage taxes and demand pricing as cars shift to electric, so identity will eventually be a component.

No need to wait until 2020. Your car is already being tacked by sensors that detect the unique ID's of the transponders in your tires (used to tell your car the tires' air pressure).

And since most people don't change their tires very often, with enough sensors deployed in various locations (parking lots, drive-throughs, gas stations, etc...) it is very easy to develop patterns of movement and build a profile of an individual person.

It gets even worse when you realize that the tire sensor data can be date/timestamp correlated with your phone's bluetooth radio. So a pattern can be developed for inside movement, as well.

Big retail chains are already doing this (the bluetooth part). No need to have the Radio Shack electric eye bing-bong on the front door to count customers anymore. Now you can just tally the bluetooth IDs and not only tell how many customers you're getting, but how many UNIQUE customers you're getting, which areas of the store they visit most frequently, how long they linger at various displays.

And yes, they know if you're just there to use the bathroom, thanks to the phone you take with you in there.

I wonder if some day this behavior profiling will allow stores to refuse you entry because you've been there 20 times in the last six months and never bought anything, but used the bathroom every time.

I worked for a company doing this in 2015-2016. Bluetooth isn’t the primary mechanism because your phone doesn’t passively transmit its Bluetooth Mac under normal circumstances. It’s primarily Wi-Fi that’s used for that (and no, the Wi-Fi anonymization work done by Apple and others wasn’t enough to block this). We did use beacons too for stores that had a store app (and thus could be setup to receive the beacon probes), but Wi-Fi was the primary triangulation method. We also fused data from stereoscopic vision cameras too to get a more accurate count (since some folks disable Wi-Fi or don’t have phones on them).

It’s a scary space, but that’s part of why I joined. The space needs more smart privacy focused engineers to make sure things are built respecting privacy (I rearchitected systems to where no one person could be tracked and only aggregate data existed).

I’d love to be utopian and say nothing like this should exist, but the reality is if we don’t build it, someone will, and likely do it poorly.

In Santa Monica, the system helps you find your car if you don’t remember where you parked. Call me southern Californian, but it helps.

Many malls are high crime areas. Car theft is often much higher at malls, for example. The owners of these malls have a responsibility to provide a safe environment.

There have been a few malls in our area that closed after gang related activity and violence in their vicinity became known. If you are a mall owner and have this happen, would you not be remiss to take measures to try to know who is visiting your property and using it as a place to conduct illegal activities?

If a car shows up that is registered to someone on a warrant for a violent crime, should the mall owner do nothing? Not their business?

What about a car registered to someone who lost their license due to DUI? What if that person frequents the mall and kills someone with their car?

You need to lay off the FUD! The reason these are installed generally has nothing to do with crime (outside parking enforcement at most). It’s done for marketing and tracking purposes. Brick and mortar stores are desperate for the kind of data that online retailers have access to about customers and the folks making the purchasing decisions generally don’t have the first clue about privacy implications.

Source: I worked for a company doing something vaguely similar (we covered the inside of stores, not the parking lot). I spent my time there working to provide best in class anonymization to only allow aggregate data.

As to your specific fear mongering questions:

> If a car shows up that is registered to someone on a warrant for a violent crime, should the mall owner do nothing? Not their business?

1) that data isn’t generally publicly available to them

2) that’s why you hire security guards

> What about a car registered to someone who lost their license due to DUI? What if that person frequents the mall and kills someone with their car?

1) again, not generally publicly available

2) what makes you think the drivers licenseless person could be the only driver

Yeah let's just continue to surrender freedoms to an increasingly violent police state because someone might steal a car.

This is a good point that resonated with me.

There is a Costco shopping center near me that has had a few cases of straight up wheel theft during the height of their shopping times that were not solved until they tracked plates, but alas, this seems like a case of the blade cutting both ways.

I want to say "Screw ICE", but this does seem like a valid case of tracking who is frequenting their lots.

> A hallmark of Vigilant’s solution, the ability for agencies to share real-time data nationwide amongst over 1,000 agencies and tap into our exclusive commercial LPR database of over 5 billion vehicle detections, sets our platform apart.

5 Billion vehicle detections seems like an awfully high (and possibly made up) number. Even if you allow for the same vehicle to be detected 5 or 10 times, the total number of registered vehicles in US was barely around 300 million.[1]

Or did I mis-interpret that statement / claim ?

[1] https://www.statista.com/statistics/183505/number-of-vehicle...

5 or 10 times seems low if they have sharing agreements with other third party collection companies or the agencies they serve. 30 or even 50 impressions doesn't seem that out of the question, how often do people go to the grocery store? A single collection point on your path to/from work could get ~40 a month.

You could get to that just via chokepoints.

Examples: The RFK/Triboro bridge in NYC gets 60M crossings annually. I95 at the North/Carolina border gets 14M cars a year. State DOTs publish this information for all interstate and many other highways, so it’s easy to piece see where the flows are.

Additionally, DMVs sell all sorts of information, and auto repair and dealerships sell whatever DMV does not. It’s definitely pretty easy to gather and correlate data like this.

I’d assume that many players, from billboard companies to the feds to fast food operators are collecting this data. It is too cheap to collect and too valuable to many parties for that to not be happening.

In Chicago you see people collecting this data all the time on Michigan Avenue, Rush Street, State Street, and Oak Street.

But it's Chicago, so they do it the old-fashioned way: A guy sitting in a lawn chair on the sidewalk with a clicker in each hand.

Seriously. Watch for it next time you're on a main shopping drag in that town.

holy crap. what kind of info are the DMVs selling? who are the buyers?

Lots of data re vehicle registration and licenses to different groups. Insurance companies and banks are common but there are many others. Everyone from towing/repo people to Experian.

New York has a good FAQ. https://dmv.ny.gov/dmv-records/permissible-uses-personal-inf...

Some states are not so good at protecting data, or rely on an honor system: https://dfw.cbslocal.com/2013/02/11/cbs-11-investigates-your...

I like that Texas article particularly. The DMV has a db of 22 million car registrations, and they sold the trust of their citizenry for a couple million dollars.

They sell to companies offering warranty extensions. They know exactly when you bought the car, so they extrapolate the best time to harass you about anything service related with your car.

That does explain some of the servicing offers we get from local car dealers.

That's Carfax. Most repair shops sell their records as well. The dealers know your mileage from JiffyLube/etc.

I've been told that if you self-maintain, you'll have a hard time getting a trade-in as dealers expect to get service history.

It's probably instances of vehicle observations. If they observe the same, say, million cars a day for a year that's ~400 million observations right there. If it's multiple times a day you could quickly reach 5 billion.

5 billion is nothing. A busy mall parking lot with many cameras could have 100s of thousands daily, most all of them repeats as cars come and go. Over a year, across multiple malls, it adds up fast.

If they have ten cameras in a mall and catch a car ten times as it circles, they probably count it 10 times.

I'm not sure why all of the furor exists over a group of commercial properties doing this. The reality is that there are so many entities collecting this same information at so many places, and selling it to private parties, and keeping historical records for years - that there's not a good way to unring this bell. We just happened to find out about this one and the media is highlighting that ICE purchases the data.

Scores of police departments and other government agencies run ALPR cameras, and share the results with Vigilant and other companies so that they can have access to all of the results that Vigilant holds. Philadelphia PD even ran unmarked vehicles with ALPR equipment bearing a Google Maps logo a few years back.[1]

Repo companies and others are sending out drivers in vehicles with ALPR cameras who patrol mall parking lots, apartment complexes, etc and then upload all of that data to one of several companies including Vigilant. These folks can scan 15,000 plates a day without a lot of effort.

Homeowner associations and apartment complexes (or their security companies) also frequently have these ALPR cameras along the paths of ingress or egress.

Universities are using ALPR for parking enforcement (and then selling the data to companies.)


That was fast:

“Irvine Company is a customer of Vigilant Solutions. Vigilant employs ALPR technology at our three Orange County regional shopping centers. Vigilant is required by contract, and have assured us, that ALPR data collected at these locations is only shared with local police departments as part of their efforts to keep the local community safe.”


The malls in Southern California also use machine vision to detect your gender, approximate age, sentiment and unique facial structure through unique identifier tracking. If they have you from your license plate, to when you’re in the mall, as well as any information they can glean from your cell phone signal... yikes. Or at least there was an article some time ago how they were testing it.

For comparison: in Sweden there was a chain of gas stations who installed plate recognition cameras to record people who didn't pay for the gas (if you opt to pay cash, you get to fill your car first and pay later, with this system in place the clerks could refuse that you got to fill up your car first if your plate showed up in a search).

The Swedish agency of data regulation was able to challenge the system in court and got the chain to dismantle the system, and with fines added to that. This was a couple of years ago, long before GDPR.

Something like this would absolutely not fly on this side of the pond, and I'm very glad about that.

This data is collected, as well as shared with, the DEA, repo companies, debt collectors, etc.

This has been the case for at least 5+ years, now.

I'm a little confused about the mall operator's incentive to do this.

Are they using ALPR for their own security and voluntarily sharing the reads? Is the provider giving them a discount to do so or paying to place cameras or something?

The government will just ask. Security types crave the opportunity to do a favor for the cops, and voluntary cooperation is not a legal issue.

I served on a jury where the police were able to gather footage covering like 14/24 hours of the defendants time from a variety of camera feeds (up to 40 I think).

After torturing us with introducing dozens of these videos to build the timeline, the case was fucked up (and defendant found not guilty) because they couldn’t explain NTP in the context of a camera used as the primary time reference point.

In some cities, the police departments have programs to allow the cops to tap directly in to people's internet cameras at their homes, or to immediately turn over recordings to the police that their home cameras have made. People willingly join the program.

Here's one called Vegas SafeCam: https://www.lvmpd.com/en-us/Pages/VegasSafeCam.aspx

"You’ve purchased a home surveillance system and have registered your system with the LVMPD. Several weeks later, a Patrol officer comes to your door and informs you of a recent burglary in your neighborhood. The Patrol Officer has used the database for this program in their patrol car, and has gone to your residence for follow-up. The Patrol officer asks you if it would be possible for you to review your video for a suspicious person or vehicle between the listed times of the event."

The Las Vegas one isn't real-time, but I believe Chicago's might be. Then again, about 10 years ago, CPD was bragging about having 3,000 cameras around the city. It must be 300,000 by now.

Max Headroom wasn't campy sci-fi. It was a warning.

A former employer of mine opted to install ALPR cameras at the entrances to/from the office park. It would establish a direct feed to the local police as to who was entering the property at any given time.

I questioned why this was necessary and received a vague hypothetical about domestic abusers/deranged exes harassing employees/kidnapping suspects entering the property, with no clear indication as to how we'd flag such individuals without them having active warrants out.

The only practical use case was perhaps catching vehicles with active Amber Alerts out that might try to hide out on the property.

So the police basically got free intel from us, and we received no incentives to install or maintain such equipment from them.

It's not meant to stop vehicles in real time, but that data can be used to solve break-ins (identify all new vehicles and narrow down), establish proof of harassment / breaking of a restraining order, etc..

So could cell phone records, but ALPR is simpler and fewer legal concerns. As a business owner, there's little downside, and most of the employees would have been caught on ALPR, toll booths, cell phone tracking, and other tracking a dozen times on their way to work already.

I don't really like that location data is near-public information nowadays, but I don't see it getting any better.

This article takes a distinctly negative tone towards this practice. What’s the problem here? License plate data is public information, it’s the same as if a person standing on the street saw your plate and told someone else. There should not be any expectation of privacy in regard to one’s license plate or the location of its sighting.

> There should not be any expectation of privacy in regard to one’s license plate or the location of its sighting

The Supreme Court has continuously recognized the difference between manual and sustained, remote and automated tracking, even in public spaces [1]. The "seismic shifts in digital technology" we are presently undergoing require vigilance to be maintained in respect of the Bill of Rights.

[1] http://www.scotusblog.com/2018/06/opinion-analysis-court-hol...

ALPR is not manual or sustained. It's a one-time photo of a vehicle at a specific location & time.

The DPPA [https://en.wikipedia.org/wiki/Driver%27s_Privacy_Protection_...] already restricts who has the ability to convert from plate to actual personal information.

ALPR vans endlessly trawl public and private parking lots and streets, recording your presence and movements and just waiting for you to show up in their database with an unpaid parking ticket so they can boot or tow your car.

Some of the higher-tier services use ALPR cameras that map plates to GPS coordinates. Property ownership is public information so you can narrow down the owner of a vehicle's plate based on where they're parked overnight. You can deduce where the owner works by tracking where it's parked between 9 and 6. You can deduce who the owner's associates are by tracking who he tends to park near when not at home or work.

The beauty of it is how well it scales. One van can patrol your neighborhood. Another can patrol the mall. Another can drive around and through your office park. Another might catch you simply driving down the road. It's like having spies everywhere, and they're all feeding their observations back to a central database to build a broader profile...which they later sell to law enforcement upon request.

(Or you can make like Vincent Asaro and just give a cop buddy the plate number of the car that cut you off and have your post-roadrage firebomb run expedited. DPPA sure helped that guy!)

If that's not sustained surveillance then please explain your understanding of the concept.

DPPA is toothless. NY residents get billed for toll violations on privately owned Ontario highways. That doesn't happen without the state handing over personal info on US citizens to a foreign company.

The US Supreme Court just made the distinction, when ruling that access to a cellular telephone carrier's location data for a particular subscriber required a warrant (and hence a showing of probable cause):

   The Government’s position fails to contend
   with the seismic shifts in digital technology
   that made possible the tracking of not only
   Carpenter’s location but also everyone else’s,
   not for a short period but for years and years.
   Sprint Corporation and its competitors are not
   your typical witnesses. Unlike the nosy neighbor
   who keeps an eye on comings and goings, they 
   are ever alert, and their memory is nearly
_Carpenter v. United States_, No. 16-402 (June 22, 2018) (Slip Op., at 15)

That's the difference, beyond simple public/private. It's not that the license plate display itself is private but storing the data forever and being nearly infallible amounts to an unreasonable intrusion on privacy when handed over to the government. Notably, the USSC in a 9-0 ruling from 2012 held that attaching a GPS tracker to a car also required a warrant. _United States v. Jones, 132 S.Ct. 945 (2012).

Too bad this didn't come up, when the supreme court was more liberal, now it'd surely be shot down. (applying the similar scenario to the license plates)

That was less than a month ago.

yep. one of the interesting things about Carpenter v. United States was that Chief Justice Roberts (a Bush appointee) joined the more liberal members of the court to form a 5-4 majority.

perhaps even more interesting, Trump appointee Gorsuch seemed to be saying that even more general data privacy could exist under the fourth amendment: ... it seems to me entirely possible a person's cell-site data could qualify as his papers or effects under existing law.

this offers a far better explanation than i can give: http://reason.com/blog/2018/06/22/scotus-rejects-warrantless...

Yeah if one actually pays attention to what Gorsuch wrote this was more like a 6-3 decision. I almost feel like he's reaching out to Thomas with this dissent, so that next time around Thomas will feel comfortable limiting police power. I think Alito is a lost cause, and now Kennedy is gone. If Gorsuch and Thomas are both down for 4A, one could imagine Roberts joining them. At that point one could imagine a 7-2 or even 8-1 decision in favor of restoring the Fourth Amendment over all state activity. That would be great, and one could trace it back to this "concurring" dissent...

It's a bit naive to assume that privacy is a binary "conservative" vs "liberal" issue. Specifically applied to ICE I'm sure a "liberal" court would have been opposed to it, but both parties are very anti-privacy and the courts are so politicized now we may as well start putting Ds and Rs next to judge's names.

   it’s the same as if a person standing on the street saw your plate and told someone else. 
It really isn't though, is it? There is a bunch of policy and law here that remains to be worked out, but large scale ubiquitous surveillance and storage of your public "footprint" is really not the same thing as a person having been able in the past to follow you around and take notes.

This is one of the areas where scaling really matters, and you can do many things with these sort of databases that were simply intractable before. So I find the conceit that it is "just the same" to be inept.

I don't know where the courts and legislators are eventually going to arrive at on this, but if it is as cut and dried as you suggest then you can look forward to a near future where anyone who cares to can buy a detailed dossier on all of your movements for the last decade, say, with known and inferred contacts, assets, etc. It probably won't be very expensive.

> What’s the problem here? License plate data is public information, it’s the same as if a person standing on the street saw your plate and told someone else.

Cool, so you won't mind if i install a GPS tracker in your car that tells me your vehicle's location 24/7, since the exact same information can be gleaned from "a person on the street seeing your plate"?

The problem with ALPR is that it allows a few, otherwise occupied people -- such as parking lot attendants or repo agents or policemen -- to drive around like they normally do and automatically collect massive amounts of data on vehicles and their location without incurring any cost on their behalf (beyond "slightly decreased fuel efficiency because the ALPR equipment needs power from the alternator").

The same act of "looking at a license plate and noting down the location" becomes an entirely different thing when conducted at massive scale and at negligible cost.

It's government surveillance. The mall can collect and record whatever data they want on their property, who cares. We can compel our government to not accept and blindly process this data en masse. It's the same as taking bulk data from Facebook, or Google, and looking for the .0001% that points to a criminal. Many, myself included, believe that this is wrong.

Do you consider your location data to be private? If you are out in public all day then all it takes is every business everywhere using facial recognition and conglomerating their results together to monitor your position throughout the entire day. Are you comfortable with that?

There are boundaries between reasonable use of nominally public information and the normal expectation of some degree of privacy outside the home.

Let’s say we’re neighbors. I keep a close watch on your house, and every time you come and go I phone the local police and tell them, “OceanKing just got home” or whatever. Would you be ok with that?

I want legal reforms that enhance privacy, but your scenario happens all the time, private surveillance is willingly handed over to police after some incident.

It doesn't have the goofball repeatedly calling the police aspect, but that's the less interesting part to me.

I agree, it does happen all the time.

My question remains: if it were happening to you, would you be ok with it?


Malls are privately owned property, if you don't like it don't go to them.

That doesn’t answer my question.

Just because there shouldn't be an expectation of privacy doesn't mean we have to be happy when it's revealed that a private company is tracking this stuff en masse.

The trigger here is ICE. For many people in this country, anything ICE does is bad now.

The trigger is private companies handing over people’s info to law enforcement en masse without a warrant. s/ICE/FBI/ and people would still be upset. Maybe a bit less just because the FBI occasionally goes after actually dangerous people.

It’s public information. You don’t have an expectation of privacy about your license plate. The exact opposite is true: you’re legally required to display it prominently whenever your vehicle is on the public highway.

ICE goes after human traffickers too.

What’s your point? All sorts of public information is not shared en masse with law enforcement. I’m not trying to argue that this is somehow illegal. This company isn’t committing a crime, they’re just assholes.

I don’t think reporting criminals to the police makes one an asshole.

If you want open borders that’s fine. We have a congress and they can legally pass that policy. Write your representative and senators or something.

They’re not reporting criminals, they’re reporting everyone.

This has nothing to do with open borders. Why would you even bring that up?

When everyone is reported, no one is. When everyone is tracked, no one is.

This may have been true once, but no more. In the age of automation, when everyone is tracked, everyone is.

Opposing datapoint here: I approve of ICE's mission, but think large-scale surveillance is an unethical implementation of it.

Modern criminal law in the West is built on the presumption of innocence. Invading the privacy of many people who are practically guaranteed to be innocent for the sake of finding one criminal that may be hiding among them is directly contrary to that.

It is not wrong for the NSA to try to find terrorists, but it is wrong for them to sift through my text messages "just in case" when they have no reason to believe I'm involved in terrorism. It is not wrong for police to enforce laws, but it is wrong for them to stop you and search your car without any reason to believe you've committed a crime. It is not wrong for ICE to secure our borders, but it is wrong for them to track the movements of millions of everyday people lest they find that one has a pattern of movement that may suggest people smuggling.

Well, when you rip kids from parents seeking asylum, and then can't even get them back to their parents in a timely manner, yeah, people get upset.


First time illegal border crossing is a misdemeanor. Should people have their children forcibly separated from them and shipped to detention centers for a speeding ticket? Jaywalking? Drunk in public?

Inflicting cruelty on innocent children is not a reasonable deterrent in a civilized society that has any intention of being moral or just.

Pretty sure if you’re drunk in public with your kids and get arrested you will in fact be forcibly separated.

Also this is a great example of static thinking, because it completely ignores dynamic effects. Ban family separation, how humane! Second order effect: incentivize bringing children when committing crimes. A sane and compassionate, as well as moral and just, society doesn’t want to encourage bring your kids to crime day either.

I think they were pointing out that you typically get issued a summons in lieu of arrest for misdemeanors.

> Pretty sure if you’re drunk in public with your kids and get arrested you will in fact be forcibly separated.

For a misdemeanor the police are absolutely not going to take someone's children and ship them to detention centers in other states with no clear way of getting them back or even getting in touch with them. Most of the time a misdemeanor means showing up to court and paying a fine.

> Also this is a great example of static thinking, because it completely ignores dynamic effects. Ban family separation, how humane! Second order effect: incentivize bringing children when committing crimes.

That doesn't make any sense. Currently, even someone who is charged with one or more felonies does not have their children taken away from them and shipped elsewhere. The only time that would happen is in cases of neglect or abuse.

Does that mean our justice system is incentivizing felonies? No. Bottom line is that the law can be enforced just fine without a barbaric policy that harms children for the sins of their parents.


Show me one instance in the US judicial system where children are forcibly taken from parents and shipped off to detention centers in other states when the parent has been charged with a misdemeanor.

Bottom line is that it is. Not. Done.

And it clearly is appropriate to 'think of the children' when cruelty is being purposefully inflicted on children as official government policy. There's no rational defense for that policy that is compatible with our legal system.

User23 8 months ago [flagged]

Actually it's done to US citizens routinely. https://www.nytimes.com/2018/06/22/us/family-separation-amer.... And before you quibble, recall that jail is for misdemeanors.

Again, your reasoning faculty has been overwhelmed by effective rhetoric. Take a deep breath, step back, and start using your left hemisphere.

Personal attacks will get you banned here. Please don't do that again, and please don't post flamewar-style comments at all.


Edit: we already had to warn you about this recently. If you want to keep posting on HN, please read the guidelines and follow them from now on.

GVIrish 8 months ago [flagged]

You failed to read and/or comprehend what I said. Show me an example where children are forcibly separated and shipped to detention centers in different states when a parent is charged with a misdemeanor.

I already pointed out that children are only taken away in cases of neglect or abuse.

But if you must continue patting yourself on the back for how 'rational' you are while you can't provide any rational basis for your arguments, knock yourself out.

Personal attacks aren't allowed on HN, even if someone else did it first. Please post civilly and substantively, or not at all. And for heaven's sake (or at least HN's), could you please just avoid flamewars?


> don't try to cross the border illegaly then?

I'm an American citizen. I don't like that my visits to and from a mall being automatically collected by private company for a federal agency with domestic policing capabilities. One can construct a Fourth Amendment case critical of this practice that is completely agnostic towards the illegal immigration debate.

Indeed. While we’re at it, let’s institute summary execution for thieves. It’s bound to reduce crime.


Personal attacks will get you banned here, so please don't do this again.



You've been breaking the site guidelines repeatedly lately. We ban accounts that do that, so please stop doing it, regardless of how wrong someone else is or you feel they are.


This happens at every gun show too.

I go to gun shows and I've never seen it. What is your proof?


Please don't do this here.

"Happens at every gun show" is not the same as "happened at California gun shows".

I don't like the scanning at all but this is a far cry from a national gun show surveillance program.

It's at least a far cry from an _advertised_ national gun show surveillance program. The only time I've been able to confidently identify license plate recognition is on the tollway. I don't think all of the setups are as obvious.

Now can you Google the difference between a gun show and a mall for the commenter as well?

I would think this sort of thing would be of interest to gun owners as well. Some of the stores that are in the malls in the article sell sporting goods, including hunting gear.

They are both places to buy goods and services, not really much of a difference tbh.

Once upon a time Hacker News used to be a community for developers and startup/technology news. Political stories were quickly removed...

And one day the community realised that technical innovations had deeper ramifications than something to nerd over or some fancy valuation in a startup with a quirky name.

As an industry, software is still very young. And as it comes of age in the modern era, its impact continues to reach further and further into the fabric of society. We are more than ever before making ethical questions part of the conversation when developing technology.

Politics and policies making their way into HN is therefore an inevitable evolution. Nothing else.

Here-in lies the problem, the assumption that HN readers have to all prescribe to a single political and "social" ideology. I would argue a majority of HN readers would prefer to stay neutral while on HN. If users want that content, there is certainly not a shortage of political focused websites.

I am going to debate the fact that the HN community silences opposing opinions and comments, which won't be popular... But it is evident in the fact that I challenge you to show a conservative viewpoint post making the front page. I have personally seen comments and posts silenced by a minority that had the majority of votes countless times.

Anyway, I digress which is the entire point. In the same vein as I loath sports pundits that try and always get political because it distracts from the essence of sports, the same is true of HN.


Please don't post unsubstantive comments here.

This is the first thing I've read that actually increased my support for the widespread use ALPR technology. Every illegal alien in this country is a criminal, by definition.

Hopefully you've never gotten a speeding ticket, parking or similar. Because most of those are classified at the same misdemeanor level as "entering illegally", which would make you a criminal, too.

Speeding and parking tickets are usually infractions, and are non-criminal. DUIs, reckless driving, fleeing the scene, and the like are criminal misdemeanors or felonies.

Illegally entering is a criminal misdemanor, so they aren't the same thing.

Unlawful presence, which is all anyone at a mall in California could be charged with, is a civil matter, not a crime.

Unless there's some international border in Sunnyvale I missed, I don't think the ALPRs will catch any illegal entry.

I wasn't arguing that. Just that illegal entry is not the same as a speeding ticket was my point. Overstaying on legal entry is civil, and just unlawful presence. I believe that's a bit less than half the population.

Unlawful presence is 100% of the offenses you'll be able to catch in a Sunnyvale mall parking lot, and it disproves the OPs contention that they are all "criminal, by definition."

You can use ALPR to track people who are known to have entered illegally or who have been sentenced to deportation and are avoiding their sentence. Illegal aliens are criminals.

I really don't think you understand the difference between unlawful presence and improper entry. One of these is a crime while the other is not. Restating your false premise at the end doesn't make it more true; unlawful presence in the U.S. is not a crime, that's a simple fact.

Crossing the border without a visa is a crime. You do not understand US law.

You're missing the point. No one will be caught entering the U.S., with or without a visa, in a Sunnyvale mall parking lot. All you will likely be able to catch is unlawful presence, which is a civil matter and not a crime.

You make a good point - we need to significantly increase the penalty for this kind of illegal immigration.

There is a big difference between overstaying a visa for a few weeks and illegal migration.

Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact