Overcollection

Too much data collection and too little oversight can add up to significant privacy violations for innocent people.

“[The] dragnet collection of millions of Americans’ phone records every day – whether they have any connection to terrorism – goes far beyond what Congress envisioned or intended to authorize....Congress did not enact FISA and the PATRIOT Act to give the government boundless surveillance powers that could sweep in the data of countless innocent Americans. If all of our phone records are relevant to counterterrorism investigations, what else could be?”

Rep. Jim Sensenbrenner (R-WI) and Sen. Patrick Leahy (D-VT), primary authors of the USA PATRIOT ACT

DESCRIPTION

Surveillance technology is evolving quickly. New tools are giving government agencies the ability to collect more data than ever before. Without a thorough and current understanding of these technologies, they may inadvertently collect more than they intend. Without appropriate policies and oversight, overcollection can threaten civil liberties.

Some tools, by their very design, collect data indiscriminately. Automated license plate readers, for example, photograph and scan every passing car. This has the potential to create a government record of where hundreds, even thousands, of innocent individuals are at a given point in time, even when law enforcement agencies are investigating a specific target. These devices can be configured to store only data that matches a specific suspect, which can make the system more efficient and cost-effective while helping to protect civil liberties.

In other cases, the surveillance programs themselves are the cause of data overcollection. Perhaps the most famous example of this is the National Security Administration’s bulk telephone records collection program. For years the agency gathered the phone records of millions of innocent Americans without specifying a target of investigation. They built a haystack to find a needle, and created an immense database of information about private personal communications in the process.

More often than not, surveillance programs are launched without considering data overcollection. This has exposed both agencies and the general public to unnecessary risks to security and privacy.

Examples of Use

Location::
Boston, MA
Government web site leaks three years of vehicle location data
A reporter exposed a security breach in a web server that leaked license plate location data going back to 2012 to the public. The city of Boston was using the server, improperly run by a private company, to store data from police automated license plate scanners. The database contained license plate numbers, locations, and car make and model information not just of suspects’ cars but those of innocent people as well. This data could be searched by both the police and the general public. In 2013, the Boston Police Department agreed to discontinue use of this database, but records show that officers have continued to use it on a regular basis through 2015.
Location::
Seattle, WA
Seattle Police Dither on ALPR Policy
The Seattle Police Department has put together a “pilot program” fleet of at least 12 mobile ALPR units, funded in large part by over $132,000 in grants from the Department of Justice. The SPD claims they follow an informal policy of deleting captured plate data on innocent people after 90 days. However, a public records request by the ACLU-WA in 2012 recovered over three years of plate reads retained during a pilot program. (SPD cameras scanned one car 81 times, painting an intricate picture of one driver’s daily life.) A more recent public records request turned up over 1.7 million individual reads, more than triple the number of registered cars in the city. The SPD still has no formal policy on how long data on innocent people may be stored, nor any rules on how this data may be shared. As long as the data remains unregulated, the sensitive location information of Seattle drivers remains at serious risk. All new surveillance technologies – especially those in the experimental stage – should be accompanied by carefully crafted, formal policies to govern their use and protect private information.

Recommendations

When government agencies consider acquiring and using surveillance systems, communities and their elected officials must both weigh the benefits against the costs to civil liberties and carefully craft policies and procedures that help to limit the negative effects that surveillance will have on fundamental rights. For a useful list of considerations, please visit the recommendations page.