See Tracy Rosenberg at this year’s event on November 10! She will be on a panel with Lisa Rein and Daniel Rigmaiden on Saturday at this year’s San Francisco hackathon!
TICKETS ($50) – (Can’t afford it? Okay no problem. Just use the code “hackathoner” for 1/2 off! (Perhaps you can buy one at full price and then discount the rest? Or just use the discount for all of them! It’s up to you 🙂 – Yep – It’s on the honor system folks <3
|Saturday Schedule & Evening Event||Projects To Hack On|
By Lisa Rein
These simple letter templates can compel the Police and Sheriff Departments of a given city to provide you with documentation regarding every type of surveillance equipment in existence for a given City (Police) and saCounty (Sheriff).
It’s a roundabout way of determining what surveillance equipment is being used on the public in a given city, but since it’s all we have, at least the #ASDPSP project will make it so much easier for journalists and the public to get their hands on this information.
In this third installment of our series, Tracy will help us understand more about what we found in Sacramento, and how do approach local politicians to put pressure on them to do something about it, by implementing a “surveillance policy framework.”
Here’s are the first two interviews of this series:
Tracy Rosenberg, co-founder of the Aaron Swartz Day Police Surveillance Project, explains #whatwefound in #Sacramento using our project’s letter templates and Muckrock, an online platform for filing public records requests.
The Police Surveillance Project at Aaron Swartz Day aims to empower journalists and citizen researchers with pre-written letters that use just the right language to compel a city’s police or sheriff departments to hand over the relevant documents.
There is much to be done once the evidence is in-hand, but getting that evidence can be half the battle. These letter templates make it easy to use Muckrock and quickly file a large set of public records requests to the Police and Sheriff Departments of a given city.
We recently added two new templates that include the use of facial recognition software, since it came out recently that Amazon has been literally giving away its facial recognition software to law enforcement. I explain how to use the letter templates here. There are 20 templates now; 10 for the Police Department and 10 for the Sheriff’s Department of any given city.
Once you get the information back on a given city, you can begin to determine exactly which types of surveillance equipment a city’s police and a county’s sheriff departments have already purchased. Then, gradually, you can bring attention to the existence of the equipment to the relevant City’s City Council, in order to start the process of implementing a “surveillance policy framework” in that town.
As we learned in an earlier interview with Tracy, Occupy activists learned these techniques in the process of finding out what the City of Oakland was using on its citizens during the #OccupyOakland protests several years ago. Once Oakland’s City Council were given evidence that the surveillance equipment existed, they could (eventually) do the right thing, and put a Surveillance Policy Framework in place regulating how it is allowed to be used.
Your town’s City Council could do the right thing too, but first you will probably have to provide them with proof, direct from the Police and Sheriff Departments themselves, that this kind of surveillance equipment even exists.
However, when you get the documents back, it’s important to make sure you really understand what you think you might have found. That’s what thus week’s interview is all about; understanding the documents you received back, so you can make a list and hand it over, with the supporting documentation, to your City Council members.
LR: Here’s a list of the equipment we recommend asking about with the letter templates for each in .doc & .pdf formats). It’s best to file a separate public records request for each kind of equipment.
The trick is knowing how to write the letters; and you have done that for us already. Thank you so much.
TR: My pleasure. As we discussed earlier, these letters cover most known basic equipment that your local city and county might be using, including: drones and flying over head cameras, license plate readers, policing predictive software, social media monitoring software, stingrays, and most recently, facial recognition software.
LR: Since I asked you to create a template to address what we just learned about Amazon’s Rekognition software, something the ACLU is very concerned about.
TR: Yes. Unfortunate but necessary.
LR: Why these pieces of equipment?
TR: We are asking about these pieces of equipment because we already know that there is a good chance that big police departments will probably have all of it. The smaller ones will at least have some of it. But you have to ask about all of it, because sometimes they are using it in secret, and you never know until you ask.
LR: We have already received word back from Sacramento. Let’s talk what we found in Sacramento, and you can tell us how we might go about getting that information to our Sacramento representatives.
TR: Sure. So, after you send out all of these requests for information, you usually get back quite a lot of documents. You need to download the documents in an organized fashion.
LR: Yes, I recommend 10 folders – one for each type of equipment – with a separate “Police” and “Sheriff” folder inside of it. As you download your documents from your Muckrock account, it is useful to keep them in these folders. This way, you can systematically check through the documents and keep track of what you find. We will be making a zip file Sacramento materials, so our readers can download and unzip it and look at the documents while they are reading this story. (**LINK TO ZIP )
TR: Okay so, unzip the file and you will see all the documents we received, in folders sorted by piece of equipment, and then “Police” and “Sheriff.” We got back a lot of stuff, and our job was to look through that stuff and see if there is something we didn’t already know. (For instance, in a different project, a few months ago, Dave Maass from Electronic Frontier Foundation found that Sacramento shares it’s license plate reader data with 792 agencies.)
LR: Good example. Just to clarify our goals here; the point is to determine the new relevant information, so you can inform your representatives, and get a “surveillance policy framework” in place?
TR: Yes. So when you find that thing or things, you can inquire about whether there are any policies regulating the use. In Oakland, for instance, they used a Stingray for 8 years straight before anybody found out about it, and demanded to know more information about it. (This was back in the early 2000s.)
LR: Explain the importance of having “Surveillance Policy Framework” that will cover any types of new surveillance technologies that become available in the future.
TR: By having a framework, new technologies are covered during the yearly check-ins that need to be established between law enforcement and the City Council & the public. The idea is to have 1) Local law enforcement – reporting on itself when it uses this surveillance equipment. and 2) Ideally, for it to only be used during active cases when a warrant has been obtained or a legal standard like probable cause or at least reasonable suspicion, is in place.
LR: So then, you can then take this information to your representative, just as a constituent?
TR: Yes. That is that plan.
LR: Yes, and you believe you will genuinely get farther, faster, if you are polite and you give your representatives the benefit of the doubt at first?
TR: Yes. I always start off the conversation with “Did you know X?” Because the answer is almost always “No. No I didn’t.”
Then you might say “We are suggesting that there is a need for greater regulation and oversight into these kinds of decisions by law enforcement. Essentially, we need to create some privacy policies for the city, specifically we need some kind of ‘rules of the road’ about what we do and how we do it. It would require some kind of community input. Would you be willing to help do that?
And they might say “yes” and they might say “no,” but, in some cases, they say “Yes. Tell me how.”
LR: Got it.
So tell us a bit about “what we found” in Sacramento Tracy. Lets go down this list of” interesting surveillance information about Sacramento:”
SUMMARY OF WHAT WE FOUND
There is a weapon-mounted FLIR (Forward Looking Infrared Camera) and no policy regulating how it’s used.
Shot Spotter Gunshot Detection Microphones are being used and under the municipal contract, the city does not own the municipal data data, and worse yet, the data can be sold to the Feds under their nose.
The county sheriff has Stingray cell phone interception units, but won’t disclose how many and while there is a warrant required policy in place, there’s no reporting on whether the policy is followed. The Department also disclosed there has been some litigation around their stingray equipment.
The predictive algorithmic software public records request came back as “no relevant documents available,” but articles in the press and easily obtained by a Goofle search suggested that such tools have been used by Sacramento law enforcement agencies.
FLIR CAMERA (FORWARD LOOKING INFRARED CAMERA)
The Sacramento County Sheriff’s Department owns and operates 20 thermal cameras that can see through walls to identify the location of living things inside. Four of those cameras are mounted on aircraft.
One is “weapon-mounted” on an unidentified weapon.
The department has no usage policy for any of their thermal cameras detailing permissible and impermissible uses.
The department has been involved in litigation regarding these thermal cameras, but will not release any documentation relating to that litigation to the public.
TR: So the weapon-mounted FLIR is an interesting thing. These are cameras that can see through buildings. I mean they will literally see you through a wall. They can see the outline of your body.
LR: So what do we know exactly?
TR: We know 1) There are FLIR infrared cameras. 2) They are putting them on planes and helicopters 3) They are also mounted on an undisclosed weapon 4) There is no policy in place regarding their use. And 5) litigation has already occurred regarding some kind of activity involving its use.
So that’s good information.
SHOTSPOTTER GUNSHOT DETECTION MICROPHONES
LR: Okay on to the “shot spotters”
SUMMARY – ShotSpotter
The Sacramento County Sheriff’s Department signed a contract in 2017 for $470,000 for gunshot detection microphones with ShotSpotter, a Newark-based manufacturer. Shotspotter microphones record and geolocate loud sounds that may or may not be gunshots, dispatch police to the location of the sounds and record ambient noise including human conversations in the vicinity of the loud noise for a brief period.
The contract states the following: “All data created, generated, modified, compiled, stored, kept or displayed by SST through the subscription service and related services to customers, remains the sole and exclusive property of SST. SST expressly reserves the right to copy, publish, display, adapt, modify, translate, perform publicly, make works derived from, transfer, sell, offer for sale, and to use any and all data or any purpose, and to authorize, license and sub-license others to do any and all of the same”. pp. 14/31. Note: “SST” is “Shotspotter Technologies Inc.”
ShotSpotter Service Agreement (PDF).
Shotspotter CEO Ralph Clark told Minnesota Public Radio in 2016; “If the data begins to leak out to these organizations en masse and in an electronic form, it devalues the big data that we could otherwise monetize with the FBI and ATF.”
TR: Then we’re going to go on to gunshot detection microphones. (Note that Oakland just spent a bunch of money on gunshot microphones. )
For the sheriff, they sent me the contract. So here’s the Sheriff agreement. They have an agreement with Shot Spotter, and it’s long. 33 pages. So I can read it and see how weird it is. This is for $195,000. What is generally most interesting about Shotspotter contracts is the fact that the data does not belong to the city, and that ShotSpotter can do all kinds of things with the data in terms of monetizing it. It’s in their contract.
LR: Wait. What kind of data are we talking about?
TR: The data that ShotSpotter collects is basically a map of the parts of Oakland (or Sacramento) where ShotSpotter units are placed, and how often there are loud noises that sound like gunshots, exactly where those are located, and a sound file of sounds in the proximity of the loud noise, which can include human conversations.
LR: Human conversations? So human conversations are being recorded in all of these locations where they are recording gunshot fire?
TR: Yes. ShotSpotter will say that is not the case, but scraps of human conversations in the vicinity of the microphones have already been admitted in courts as evidence.
LR: The detective show Elementary already did an episode on this, where there was a company that was claiming there were more shots than there were, so a politician could act like he was cleaning up crime. I mean, there are so many different ways that a system like that could be exploited.
TR: Yes it can be exploited all kinds of different ways. The head of ShotSpotter, a guy named Ralph Clark, has said, that their long term financial plan is to monetize this data and to sell it to Federal Agencies, like DEA and Alcohol Tobacco & Firearms. (They are a local company in Newark.)
LR: Don’t the cities already have access to their own data (that’s being collected)?
TR: No. They are not selling cities the data. They are only selling them the equipment, providing a dispatch service, and the ability to store the data, and then they are going to store it in databases, which Shot Spotter owns. The cities don’t own their own data, so Shot Spotter can package it up and sell it to the Feds. (And the cities don’t have any ability to stop it.)
LR: Wait. Why would cities go along with this? What do the cities even get out of it?
TR: To a degree, they get “Here is what we’re doing for our neighborhoods with crime and violence.” We are doing something!
LR: But they are just recording the sounds of the shots?
TR: They are recording the sounds, and also the time and exact location of the gunshots. So, theoretically, the police will get there faster once shots or loud noises that sound like shots are recorded.
LR: Are there any reports in progress that directly correspond to actual gun shots fired? So they know how accurate the data is? Otherwise, how can they prove the ShotSpotters are doing anything?
TR: They can’t prove it. They don’t know how accurate it is. What they do is they generally point to decreasing incidents of violent crime, and say that people are shooting guns less because they know that they’re being “watched” by the ShotSpotters, and that the police will get there faster because of them. But I don’t think there’s any actual evidence for it.
The crime rate is going down anyway. So, they’re basically taking credit for something that’s already happening. Crime has been going down for ten years. But the amount of technology being applied to the situation has been increasing at the same time, so you get a sort of “it’s going down because of the technology” axiom, even though it isn’t at all a proven one. It’s a problem. In Oakland, for example, they are on their way to a ShotSpotter Expansion.
“If the data begins to leak out to these organizations en masse and in an electronic form, it devalues the big data that we could otherwise monetize with the FBI and ATF,” Clark said.
LR: You’re saying that Shot Spotter has a contract in Oakland right now?
TR: Yes they do. In many cities. And here they are in Sacramento County too.
STINGRAYS (CELL PHONE INTERCEPTION DEVICES, IMSI-CATCHERS)
LR: OK Next! Stingrays – also called “IMSI Catchers.” What do the documents say?
TR: First let’s look at the Police response: “The city does not have any records that are responsive.”
So let’s look with the county (Sheriff) response. First of all, it says clearly: “The purpose of this order is to memorialize policy and procedures for cell phone simulators.” Note that it says “Simulators” plural, so that tells us they have more than one.
Next, it says: “In all cases, reflect a level of necessity that balances public safety and privacy,” and that they shall delete the information after each use. This is a decent policy for stingrays. This is what you would want if they are in use. So the answer is yes, they have Stingrays. They have more than one. They will loan them out, but only if they get a judicial authorization. So they have a policy in place.
The thing that is interesting and this is where we can sort of tie it to the surveillance ordinance is the disclosure issue. Part of what we try to do with surveillance transparency legislation is make them report back to the community periodically. So we can say, “okay, you say that you won’t use the Stingray without a judicial warrant – when did you actually use it, and did you have a warrant on each one of those occasions, or was the reality different than the policy?
What you find here is a little poison pill: disclosure of permission and records. “No member of a Sacramento law enforcement agency shall disclose the economic capacities of the equipment.” (Even though everybody knows what a Stingray does.) And then, no member shall disclose equipment information or records. So the question is: is everybody following the policy or not? How do we know? We don’t. Because, all you’re doing is telling me you have this policy. So, it’s better than nothing, but not that much better than nothing.
What we achieved in Oakland, which was helpful, is a Stingray policy very similar to Sacramento’s, but it also said they have to give us a report each year telling us how many times they’ve used the Stingray(s), and verifying that they had a warrant each time.
LR: So the policy is half-right – except there’s no check in place for confirming a warrant was issued? But they voluntarily did everything else? Is that what I’m hearing?
TR: Right. But the reporting is how you verify that the policy means something.
SUMMARY – STINGRAYS
The Sacramento County Sheriff’s Department, while correctly imposing a judicial warrant on the use of stingray or cell phone interception equipment, cited no less than 13 different state and federal statutes to avoid telling us exactly how many stingray devices they have.
To quote: Question asked: Number, if any, of IMSI-catcher or cell phone interception devices (commonly called stingrays or hailstorms) owned by this department or agency. Answer: Documents exist, but are exempt from disclosure. Witholdings are made pursuant to Goverment code sections 6254(k), 6254(aa), 6255(a), 5 U.S.C. 552 subsections (b) (4), (b) (7) (a) and (b) (7) (e), 6 U.S.C. 482 subsections (e) and (f) (1), 22 C.F.R. Parts 120-130, 22 U.S.C 2778, Executive Order 13637, and the United States Munitions List category XI: Re: Military Electronics Subpart (b).
Best as we can tell they are claiming that their stingray or stingrays are Department of Defense military equipment. Presumably, although the FBI has formally ended the protocol of making local law enforcement sign nondisclosure agreements about stingrays, the Sacramento County sheriff is still abiding by his. Although it’s been posted on the Internet for three years. https://www.documentcloud.org/documents/2426424-sacramento-co-sheriff-fbi-nda-25mar2014.html
LR: What’s the significance of the non-disclosure?
TR: Well, they won’t tell us how many they have. They are hiding behind Federal codes. We don’t know whether they have two or three or four of them. Although Sacramento taxpayers own them and might well have paid for them.
They’re also not reporting on whether the policy is being adhered to or if it isn’t, and how often the equipment is being used, which is basic stuff, from a transparency point of view. Are they using it 500 times a year. Are they using it 5 times a year? It matters.
LR: And their argument against disclosing the number they have is that by doing so, they are somehow putting someone else in danger? (That is, simply by acknowledging that they exist, it tips off the bad guys.)
TR: The usual language they use is that “it would provide a roadmap for criminals.” But it’s not really a roadmap for them. Criminals are quite aware that cell phone calls can be listened to. We all are. It’s not new information.
DRONES (UNMANNED AERIEL VEHICLES)
TR: Let’s go right on to drones. We only have a response from the Sheriff and it says… “no responsive documentation.” So they are saying they don’t have any drones. Could be. Anything that contradicts that? Let’s ask Google: “Sacramento County Sheriff Drones”
Ok we found an article “What to expect when the Sacramento county sheriff starts using drones.” So they are planning it, but haven’t done it yet.
TR: What to expect from the Sacramento county sheriff’s dept. Both the police and the sheriff declined to say whether they would be interested in deploying drones. They are waiting. This is January 2018.
LR: And finally, the Predictive Policing Software: the thorn in my side that started it all; during last year’s #EthicalAlgorithms track.
SUMMARY – PREDICTIVE POLICING
We asked the Sacramento County Sheriff about their predictive software. They responded that they had none.
But Google disagrees. Sacramento’s use of crime-predicting software from Palantir in their gang division was profiled in in Techwire in 2012 and again in Wired in 2017, where the 2014 approval of a contract by the Sacramento Board of Supervisors is detailed. Did they forget?
Or is it like in New Orleans, when it was found that the New Orleans Police Department was using Palintir’s predictive policing software without the knowledge of their City Council?
LR: That’s what started it all, for me. The discussion of Predictive Policing software during last year’s #EthicalAlgorithms panel.
TR: We have two responses. Police and Sheriff. Police say – we’ll tell you later. Sheriff’s Department is saying they’re not using it. Now, sometimes with predictive softwaee, that’s true, and sometimes, they don’t understand what it being asked or deliberately misunderstand the question. Let’s do a Google check.
Aha: “The sheriff’s department is ‘moving towards their goal of predictive policing’ – October 2016. ‘Using an innovative crime predicting software package – 2012.’ “
“Sacramento officer” – So wait, this is the Sacramento PD, not the Sheriff. “The city has installed 32 police observation devices.” “The launch of a real time crime center…” okay. Well this is not exactly predictive policing, it’s just a real time crime center.
So let’s see what they were using in 2012 – Palantir? Uh oh. Aha! Here we go: “Sacramento County Sheriff. Installed in April 2012. Software is being used by the anti-gang division.
LR: (Lightning strikes) Pa-lan-tir! Oh noooo.
TR: They got a grant and purchased the software from Palantir. Back in 2012. So, they certainly were using it. But that doesn’t necessarily mean they are using it now. But probably…
LR: How do we find out if they are still using it – and therefore lying to us – or if they have stopped using it? Like this? 1) I send them my little request. 2) They write back and say “no.” And then 3) I see from my searches that they are lying to me. What do I do then? Say nicely, “Oh, excuse me, but I believe the Palentir software that you are using qualifies as “Police Predictive Software” as queried in the attached CIPRA Request Letter?”
TR: Yes, you could send a follow up letter. In this case, it could be that they don’t understand exactly what we’re including in the predictive software category.
LR: Do I give them a link to the article and say “hey, what about this software guys?”
TR: Yes. You can do that. The other option is you can Tweet or go to the media and say “I did a public records request. This is what they said and this is what the newspaper says. Hmmm..”
LR: I like giving them a chance to respond first. I’m just that kind of reporter. And sometimes, they will give you a lot more information, if you give them a chance.
TR: Yes. And you can also cite your media connection. And in this case, since I did the public records request and you would be the one calling them, it could even be a question of “I received this information from this person. I write for Mondo 2000, and I’m following up.”
So what do we have here? “Machine Data. The Sacramento Sheriff’s office is harnessing machine data with Splunk. Moving towards goal, with Splunk, they get a view into crime…
Here’s Wired talking about Sacramento and Palantir. Sheriff’s Dept in Sacramento. This is from 2017. ISo it *has* been deployed in Sacramento, as part of some anti-gang thing. So they’re obscuring it – or or they’re not using it anymore. We did ask to go back to 2015.
LR: Wow. In my opinion, it seems likely that they are still using it.
TR: The stopping of using stuff is less usual. So, there is definitely a possibility here that we are being lied to.
LR: This is good for our little project too, because they’ll know, if we get something that doesn’t match up, they’ll be hearing from us about it.
TR: And you can see that Google can actually give you a hand. But it’s better to ask them first.
LR: Then, if someone’s trying to do the right thing, you don’t piss them off with a bunch of accusations, when they’re trying to do the right thing.
TR: Sometimes it’s an honest misunderstanding. If they thought you were asking for something that meant something different than what it means. But what we meant by predictive software included Palantir.
LICENSE PLATE READERS (ALPR)
LR: Okay lastly: License plate readers.
TR: Bit of a bore because we know they exist. So we have the city and we have the sheriff. The Sacramento Sheriff owns 63 license plate readers and all data is stored for two years. That’s a long time. And their 2018 Homeland Security Grant and the policy.
LR: Are they on their way to doing it?
TR: They have done it. They have given us this document in Word. This is their policy. License plate readers are one of those things where you have to have a policy under law. So, they do.
LR: Under law, where?
TR: California state law that covers license plate readers – just license plate readers.
LR: Oh they already got that through a while ago?
Okay, so we know what it is. We know how it works. What’s interesting here? They submit reports. LEARN – This is the Vigilant data server. So there is a possibility they are giving all of this to ICE. Vigilant is a private company that provides readers. They are in Livermore. Vigilant signed a contract to open their database to ICE.
LR: Now, why are these companies allowed to collect the personal data of citizens and sell it to anybody?
TR: The courts have held that, essentially when you are driving or parking, you are out in public and it is not personally identifying. So there’s no right to privacy because you are out in public. You are parking your car on the street, or driving down a public road, and therefore you are out in public, and it’s just like a security camera in the lobby of a building – that you are essentially making a choice to be in a public space.
LR: But when they have access to more than one location, they can associate the data.
TR: Yes. They can associate the data. That’s the problem with license plate readers. If you’re talking about two years of data and 63 cameras – and you happen to live in Sacramento and drive a lot – that’s a rather significant pattern. I mean if you happen to drive past license plate readers, you could drive by them three or four times a day, and then they know when you come and go.
LR: These kinds of companies that collect these kinds of data – they don’t have any oversight? If I decide “hey I’m going to become a license plate collection company,” there’s nothing stopping me from doing that and selling the data. From setting up cameras. I don’t have to go through any regulatory anything? I don’t have to talk to any governing body?
TR: There’s not much. For a law enforcement agency, there is this law that there supposed to have a “use policy.”
LR: A use policy that checks out with whom?
TR: No one. They just have to post it publicly to show that it exists.
LR: So they basically say “hey we’re doing this. Come try to stop us.”
TR: More or less. Vigilant says that the data is secure, and that it only gets shared with other law enforcement agencies, however, there are a lot of law enforcement agencies.
LR: But that in itself is a violation of our privacy.
TR: I would say so. Because, without suspicion of wrong doing, why would you be sharing my coming and going with 800 other law enforcement agencies?
LR: So a lot of the policies are way way behind of the capabilities?
TR: Hugely behind. And the courts have not been much help in the particular instance of license plate readers. So Sacramento wrote that Homeland Security is paying for it.
LR: Homeland security is paying for the license plate readers?
TR: Yup. Under an “emergency services” grant. That would explain why ICE, which is part of Homeland Security, would be signing a contract with a vendor to get access to the data, which basically they paid for (by giving Sacramento the grant). Right?
LR: But did they pay for it all over again? I can’t tell.
TR: They gave Sacramento county money to buy license plate readers, and then they gave Vigilant money to share all of the data that came back from the license plate readers with them.
LR: But, in a way, they’re paying for it twice right?
TR: Yes they are. They really want it.
LR: They want it so bad, they’re paying for it twice. But they shouldn’t have access to it at all.
TR: They are redacting the names of some of the officers.
LR: Oh isn’t that nice of them?
LR: Now let’s talk about our new facial recognition templates.
TR: Sure. We didn’t yet have a template for facial recognition systems (beyond their potential use with body cameras or algorithmic software) because at the time we did the templates there was no known use of facial recognition software by local law enforcement agencies. The public records requests unearthed about the trial runs of Rekognition with two police departments changed that, and so we have a template now.
LR: As I explained in a blog post, Rekognition is pretty much our worst fears realized: A huge corporation quietly implementing biased facial recognition software without any oversight from anyone. Needless to say, this situation falls under the territory of our #EthicalAlgorithms mandate.