License plate recognition (LPR) technology, initially designed for law enforcement and widely adopted by the auto repossession industry, is now becoming increasingly accessible for broader applications. A Florida-based company is offering services that allow clients to monitor the movements of millions of privately owned vehicles, raising significant concerns among privacy advocates about potential misuse of this data.
TLO, an investigative technology firm located in Boca Raton, Florida, launched a search service in late June for its private sector clients. This service leverages a vast database containing over 1 billion records collected by automatic license plate readers (ALPRs).
Earlier reports from organizations like the ACLU have highlighted the extensive use of license plate readers by U.S. law enforcement agencies. These agencies are accumulating massive datasets, where the vast majority of entries—over 99 percent—pertain to innocent individuals.
However, the application of this technology extends beyond law enforcement. Private industries are also utilizing LPR systems, notably for vehicle recovery from delinquent borrowers. The new service offered by TLO exemplifies the rapid expansion of private LPR data usage into various sectors.
The source of the database accessed by TLO remains unclear. However, leading companies in the LPR field report collecting tens of millions of geographically tagged data points monthly. This information originates from thousands of license plate readers mounted on diverse platforms, including tow trucks, security vehicles in shopping malls, police cars, entrances to parking lots, toll booths, and roadside locations.
The collected data typically encompasses vehicle location, date, time of sighting, and often an image. These images can sometimes capture drivers and passengers in addition to the license plates.
Image showing license plate reader capturing image of civilian car in driveway, illustrating civilian license plate scanning concerns.
Catherine Crump, an attorney with the ACLU’s Speech, Privacy and Technology Project, expresses serious reservations about the accessibility of such data to private entities. “The prospect of a private company making such data public to all comers is scary,” she states. “This kind of information is particularly what stalkers would love to get their hands on.”
Crump, who authored the ACLU report but was previously unaware of TLO’s service, voices concerns regarding potential privacy violations in various scenarios. These include corporations monitoring employee movements outside of work hours, political figures tracking opponents, or individuals surveilling babysitters.
Conversely, proponents involved in building license plate databases argue that these fears are exaggerated. They contend that data obtained through platforms like Facebook, Twitter, or cellphones is considerably more intrusive.
Scott A. Jackson, founder and CEO of MVTRAC, a major private LPR database provider based in Illinois, minimizes the privacy risks. “They can figure out who you date,” Jackson says, referring to other data sources. “For us to figure out that information, it would take us billions and billions of license plates to get to that point. We’re at least 10 years away from that.”
Image of license plate scanner mounted on police car trunk, used for automatic vehicle identification.
Jackson emphasizes that companies utilizing MVTRAC’s systems and database undergo stringent vetting processes, including background checks and security evaluations. He asserts that misuse of MVTRAC’s database could result in violations of multiple federal privacy laws.
He acknowledges the onus on companies like MVTRAC to demonstrate responsible data handling. “There’s no illegality whatsoever for me giving you data about a license plate. But as big data becomes exponential, society has a reasonable expectation that companies will handle themselves responsibly,” Jackson explains. “I wouldn’t give this data to someone I don’t know – they might be a stalker.”
Chris Metaxas, CEO of Digital Recognition Network (DRN), another leading private LPR database provider based in Texas, echoes similar sentiments. He maintains that strict protocols govern the collection and application of LPR data. Metaxas argues that the ACLU’s focus on data retention periods by law enforcement misses the crucial point.
“The issue is really not about retention of data. The real issue is one of access control and effective policies” concerning privacy and security, Metaxas clarifies.
Metaxas states that DRN adheres to best practices outlined in federal driver’s privacy laws regarding access control, encryption, and data security. He also emphasizes that DRN’s data does not contain personally identifiable information about vehicle owners. “We do not retain any identifiable information related to owners of those license plates,” he asserts.
Jackson notes that MVTRAC has broadened its data applications beyond law enforcement, repossession, and insurance, but clarifies they have no partnership with TLO or plans for similar services. When questioned about TLO’s potential use of DRN’s database, Metaxas declined to comment on client relationships.
An anonymous source at TLO clarified that access to the Vehicle Sightings database is restricted. Clients must operate within specific industries, adhere to permissible usage guidelines, and detail their intended data application. TLO’s website indicates its clientele includes legal, financial services, corporate risk, and private investigation sectors, alongside investigative journalists and government agencies.
The source further mentioned that the Vehicle Sightings tool is not offered to the banking and car repossession industries, not due to privacy concerns, but because these sectors are core clients of the database’s primary owner.
TLO’s website advertises the service as providing vehicle and license plate images, timestamps, geographic locations, and vehicle movement mapping capabilities.
License plate recognition technology originated in Britain to combat IRA terrorism. Law enforcement agencies in the United States adopted it in the early 2000s to combat auto theft. The 9/11 attacks further fueled interest from the Department of Homeland Security in LPR’s potential for counter-terrorism efforts.
State and local agencies began equipping patrol cars with LPR cameras capable of capturing significantly more license plates than manual entry. This led to the growth of government-operated LPR databases.
Image showing police officer using license plate scanner in car, highlighting efficiency of automated system.
The private sector adoption of LPR data in the U.S. gained momentum approximately five years prior, primarily within the auto repossession industry. LPR data facilitated the identification of vehicles associated with delinquent loans. DRN and MVTRAC emerged as dominant players in the private LPR database market following industry consolidation during the recession.
Vigilant Solutions, a DRN affiliated company, focuses on law enforcement applications. However, their system is also deployed at locations like the Arden Fair Mall in Sacramento. Security personnel at the mall utilize two LPR-equipped vehicles to patrol the premises, capturing license plates of parked vehicles and cross-referencing them against stolen vehicle databases. Steve Reed, the mall’s security manager, reports a significant reduction in auto thefts since implementing the system in 2008.
Reed acknowledges initial privacy concerns regarding LPR usage for mall customers. However, he considers the system “very non-invasive,” as security officers only receive alerts for vehicles flagged on police hotlists and subsequently involve local law enforcement. The system does not grant mall security access to personal information linked to vehicle registrations. Reed estimates over 8 million license plates have been captured at the mall since the system’s implementation.
The sheer volume of data collected by both law enforcement and private LPR systems raises privacy concerns for individuals like Michael Katz-Lacabe, a network security engineer and school board member in San Leandro, California.
“This sort of constant surveillance makes it very dangerous for us as a society,” Katz-Lacabe warns. He has firsthand experience with LPR data collection, discovering that police cameras in San Leandro captured his vehicles over 100 times in two years via a public records request in 2010. One image even depicted him and his daughters exiting their car in their driveway.
“I’m an adult and can make a decision, but they’re not,” he says, referring to his daughters. “They don’t have a say in this privacy debate.”
He emphasizes the importance of public discourse on control over personal data, contrasting the U.S. approach with Europe, where individuals have greater agency over their data usage. “I think people don’t understand the danger of metadata and the information that can be determined from it,” he concludes.
Katz-Lacabe cites an MIT study demonstrating that as few as four mobility data points can identify an individual with 95 percent accuracy.
In contrast, MVTRAC’s Jackson and DRN’s Metaxas argue against data retention limitations, particularly for private companies. Jackson posits that historical data has enduring value, citing potential research applications. Brian Shockley, VP of marketing at Vigilant Solutions, suggests that data retention policies should align with statutes of limitations for major crimes, emphasizing the value of LPR data in solving serious offenses.
Jennifer Lynch, a lawyer with the Electronic Frontier Foundation (EFF), a privacy and digital rights advocacy group, counters these arguments. She emphasizes the potential for metadata to reveal detailed personal information, especially when combined with other data sources, and highlights the lack of oversight over private companies’ data policies.
Lynch points to the cumulative effect of LPR data, cellphone data, social media activity, and other information sources in creating comprehensive profiles of individuals. “This information gets combined with other information and there’s quite a portrait painted of this person,” she cautions.
Related Story: ACLU: Digital dragnet ensnares millions of innocent drivers
