Skip Navigation
Resource

Law Enforcement Access to Smart Devices

More and more devices are becoming part of the ‘internet of things.’ Here’s what they are, what they collect, and what police might get.

Published: December 21, 2020

This resource details the potential privacy issues for numerous internet-connected devices. They include connected cameras (doorbells, indoor, and outdoor cameras), smart speakers and digital assistants, physical activity trackers, thermostats, in-car systems, and automated license plate readers.

The summaries include how the devices work and who makes them, what kinds of data are collected and how long it’s retained, possible uses of device data by law enforcement, transparency reports, and relevant legal cases and further reading.

The resource is a companion to our related expert brief, which covers privacy and civil rights concerns, the legal frameworks for data access, how law enforcement access works in practice, and conclusions about how to improve privacy protections.

I. Connected Cameras (Doorbells and Indoor and Outdoor Cameras)

How they work and who makes them

  • Who makes them: Companies selling this technology include Google (Nest), Amazon (Ring), SimpliSafe, eufy, and Arlo.

What kinds of data are collected and how long data is retained

  • Data about the owner: Name, home address, locations where the cameras are placed, and credit card information may be stored by these connected cameras.footnote6_KtOLQcXY-SGq1CQXR2FXRZ2WC7YNGy6EN09PPGmMg_pkYf6sh3HHu96See, e.g., “Ring Privacy Notice,” last updated October 9, 2020, https://shop.ring.com/pages/privacy-notice; and “Privacy Statement for Nest Products and Services,” accessed December 16, 2020, https://nest.com/legal/privacy-statement-for-nest-products-and-services/. In some situations, users can also share their social media handles, demographic information, interests, hobbies, gender, and age.footnote7_U4LvrBQRA8jlYn6AFnGrZtcr7O6jKgO6oCimmP7geQ_vH9AKQhN44rX7See, e.g., “eufy Privacy Policy,” accessed December 16, 2020, https://www.eufylife.com/privacy-policy#1 (“We may ask you to submit the following types of Personal Information: first and last name, country, email address, product serial number, date of purchase, telephone number, mailing address, and proof of purchase. We may also collect additional personal information such as your interests or hobbies, your gender or age.”); and “SimpliSafe Privacy Policy,” last updated February 2020, https://simplisafe.com/privacy-policy (“Types of personal information we collect when you become a customer and provide it to us include . . . demographic information about you.”).
  • Data about others: Video and audio recordings of residents, guests, employees, service workers, and others who may enter the camera’s capture radius can be captured and stored. Depending on where a camera is placed, it may also record events that occur on the streets and even in homes surrounding the device — for example, when the camera can see a neighbor’s window.
    • Companies such as Google and eufy offer facial recognition data that captures “face images and underlying face prints,” allowing device owners to track anyone that comes into contact with the camera.footnote8_arABL7mOojB2ui2ilyx00ja3lxauWBcK5xytBrsKadI_zJTwBMGYA1xS8“Learn about familiar face detection,” Google Nest, accessed December 16, 2020, https://support.google.com/googlenest/answer/9268625?co=GENIE.Platform%3DAndroid&hl=en (facial recognition). Google directs owners to notify “guests” that their faces may be captured. See Privacy Statement for Nest Products and Services (“Depending on where you live and how you configure the Products and Services, you may need to get explicit consent to scan the faces of people visiting your home.”).
    • Companies such as SimpliSafe also maintain lists of the number of adults and children living in a home, as well as the name and telephone number of a friend or family member to be alerted in case of an alarm.footnote9_9rHSk5Zh4t2ogymbf54tNVcRSLvfYKLvmy7TPn69K4_gUJaiMGW96L49See SimpliSafe Privacy Policy, last updated February 2020, https://simplisafe.com/privacy-policy (“Types of personal information we collect when you become a subscriber to monitoring services and you provide it to us include . . . the number of adults and children living at the location where the alarm will be installed . . . name and telephone number for friends or family you would like to be contracted in the event of an alarm”).
    • Companies also capture a running list of motions and alerts, including which camera captured the information; the date and time; environmental data such as the temperature of the device and ambient light sensors; and technical information such as the model and serial number, software version, and Wi-Fi signal strength.footnote10_ke26MjjNOELD1YgWkey9tobKUc04SFNSgTzkCOV-GX4_g9Bby3ZIqVVa10See, e.g., Leo Kelion, “Amazon’s Ring Logs Every Doorbell Press and App Action,” BBC, March 4, 2020, https://www.bbc.com/news/technology-51709247.
  • Retention: The retention period for footage may depend on the plan obtained by a user. For example, Nest Aware Plus stores 60 days’ worth of “event video” (recordings triggered by activity that a camera detects) history in the cloud, and stores 24/7 recordings for a period of 10 days.footnote11_xY0xhMkafzn23CkpxavAlB06G3JJcz3GvhKdVL4OloM_fv8Xr9QKOvmP11“Don’t Miss a Thing with the New Nest Aware,” Google Store, accessed December 16, 2020, https://store.google.com/us/product/nest_aware; see also Ring Protect. By comparison, some companies offer local retention using traditional memory cards which can store months’ worth of recordings but would not be directly available to anyone other than those with access to the physical card.footnote12_1qry6Jrpyit7Pnjb1foH5fouf4DL3c4Y4Txxh5kZA_qjTA0zKuURcD12See, e.g., “eufyCam,” accessed December 16, 2020, https://www.eufylife.com/products/variant/eufycam/T88011D1. “eufyCam doesn’t require any monthly fees to use, and comes with a 16GB microSD card that stores up to one-years’ worth of recordings. Cloud storage service optional.”

Law enforcement access

  • Access via user: The person purchasing the cameras can choose to share recordings directly with law enforcement.
  • Access via device manufacturer: Law enforcement can request access to data directly from the company.
    • Compelled Disclosure: Depending on factors such as the sensitivity of the data or if a request relates to the content of communications, a warrant or subpoena may be legally required. Company privacy policies typically note that they will disclose user data where required by law.footnote16_vF6BhJNjIUd6U0lmrGgmyvcibnfPFQUAhgYMwVCXOw4_eb5i06UMxnJM16See, e.g., “Ring Privacy Notice.” (“We also may disclose personal information about you (1) if we are required to do so by law or legal process (such as a court order or subpoena.”); and “Privacy Statement for Nest Products and Services.” (“We will share personal information with third parties if we have a good faith belief that access, use, preservation or disclosure of the information is reasonably necessary to (i) meet any applicable law, regulation, legal process or enforceable government request.”) However, in situations where legal obligations are unclear, it may be up to the company to make individual decisions about whether to push back against an overbroad request.
    • Voluntary Disclosure: Company privacy policies note that in situations such as emergencies or when the company believes it is necessary to protect against harm to the rights, property, or safety of the company, its users, or the public, they may voluntarily hand over data to law enforcement.footnote17_NjTo0SGxcdAeNtwv4rx65y2ya1FMHidZsJua8mMqb08_smEyl7X3a15k17See, e.g., Privacy Statement for Nest Products and Services; Ring Privacy Notice; SimpliSafe Privacy Policy; and “Arlo Terms and Conditions,” last updated August 26, 2020, https://www.arlo.com/en-us/about/terms-and-conditions/. However, depending on the nature of the company and the specific functionality of their product, there may be no legal restrictions that limit a company’s voluntary disclosure of data to law enforcement.

Possible uses of device data by law enforcement

  • Review video and audio recording of an incident.
  • Review footage of a person or their car or other mode of transportation.
  • Establish a relationship between people and between a person and a given residence.
  • Evaluate a person’s alibi or version of events.
  • Run still images through police facial recognition systems.

Transparency reports

Relevant legal cases and further reading

End Notes

II. Digital Assistants

How they work and who makes them

What kinds of data are collected and how long data is retained

Law enforcement access

  • Access via user: Law enforcement can ask the owner of the device to turn over data voluntarily.
  • Access via device manufacturer: Law enforcement can also request access to data directly from the company.
    • Compelled Disclosure: Depending on factors such as the sensitivity of the data or if a request relates to the content of communications, a warrant or subpoena may be legally required. Company privacy policies typically note that they will disclose user data where required by law.footnote9_kVx3Z7Dhfa4Wy9NzjblF2mGgs0iwQkIYOUu4g3zLMw_g0kR1bPhJLsf9See, e.g., “Amazon Privacy Notice.” (“We release account and other personal information when we believe release is appropriate to comply with the law; enforce or apply our Conditions of Use and other agreements; or protect the rights, property, or safety of Amazon, our users, or others”); “Google Privacy Policy.” (“We will share personal information outside of Google if we have a good-faith belief that access, use, preservation, or disclosure of the information is reasonably necessary to . . . meet any applicable law, regulation, legal process, or enforceable governmental request”); and “Apple Privacy Policy,” last updated December 31, 2019, https://www.apple.com/legal/privacy/en-ww/. (“It may be necessary − by law, legal process, litigation, and/or requests from public and governmental authorities within or outside your country of residence − for Apple to disclose your personal information. We may also disclose information about you if we determine that for purposes of national security, law enforcement, or other issues of public importance, disclosure is necessary or appropriate.”) However, in situations where legal obligations are unclear, it may be up to the company to make individual decisions about whether to push back against an overbroad request.
    • Voluntary Disclosure: Company privacy policies note that in situations such as emergencies or when the company believes it is necessary to protect the rights, property, or safety of the company, its users, or the public, the company may also voluntarily hand over data to law enforcement.footnote10_5jNecblW-g0Yp7TbG8xfGlWzMW9gk1IyKtnTkCZag_zWKAMk5gOKcR10See, e.g., “Amazon Privacy Notice”; “Google Privacy Policy”; and “Apple Privacy Policy.” However, depending on the nature of the company and the specific functionality of their product, there may be no legal restrictions that limit a company’s voluntary disclosure of data to law enforcement.

Possible uses of device data by law enforcement

  • Identify a suspect, victim, or witness through voice recordings.
  • Evaluate a person’s alibi or version of events.
  • Establish a relationship between people and between a person and a given residence.

Transparency reports

  • Amazon, Google, and Apple publish summaries incorporating all disclosures of user data into an overall report that gives numbers across each company’s entire suite of products. These documents do not break down the number of law enforcement requests for data from digital assistants or specify the type of data provided.footnote11_2G4MPlIXN9grHWad2BZwl2x36Kr7WPAqp9qDz9MeeYg_dckmnSZvduOY11See “Amazon Transparency Report”; “Google Transparency Report”; and “Apple Transparency Report,” accessed December 16, 2020, https://www.apple.com/legal/transparency/us.html.
    • Transparency reports do not account for situations where users voluntarily turn over data to law enforcement.

Relevant legal cases and further reading

End Notes

III. Activity Trackers

How they work and who makes them

What kinds of data are collected and how long data is retained

 Law enforcement access

  • Access via user: Law enforcement can ask the owner of the device to turn over data voluntarily.
  • Access via device manufacturer: Law enforcement can also request access for data directly from the company.
    • Compelled Disclosure: Depending on factors such as the sensitivity of the data or if a request relates to the content of communications, a warrant or subpoena may be legally required. Company privacy policies typically note that they will disclose user data where required by law.footnote35_e6iaQvqhbU5InMR3ZWQeOUoR9wgmCRzpj17wXM0TGOQ_wFDCaQ3P35X135 See, e.g., “Garmin Privacy Policy”; “Fitbit Privacy Policy.” However, in situations where legal obligations are unclear, it may be up to the company to make individual decisions about whether to push back against an overbroad request.
    • Voluntary Disclosure: Company privacy policies note that in situations such as emergencies or where the company believes it is necessary to respond to threats to the security of the services or the physical safety of any person, companies such as Fitbit may also voluntarily hand over data to law enforcement.footnote36_tHrc1lxdAK7uEitKxL-y2EiOhodCuPPpssNKfWzN8w_cTCPvG2brszH36See “Fitbit Privacy Policy.” However, depending on the nature of the company and the specific functionality of their product, there may be no legal restrictions that limit a company’s voluntary disclosure of data to law enforcement.

 Possible uses of device data by law enforcement

  • Approximate a person’s location or movements during a given time frame.
  • Evaluate a person’s alibi or version of events.
  • Approximate a person’s time of death.

Transparency reports

  • No transparency reports identified.

 Relevant legal cases and further reading

End Notes

IV. Connected Thermostats

How they work and who makes them

What kinds of data are collected and how long data is retained

Law enforcement access

  • Access via user: Law enforcement can ask the owner of the device to turn over data voluntarily.
  • Access via device manufacturer: Law enforcement can also request access for data directly from the company.
    • Compelled Disclosure: Depending on factors such as the sensitivity of the data or if a request relates to the content of communications, a warrant or subpoena may be legally required. Company privacy policies typically note that they will disclose user data where required by law.footnote45_GuPOCQp9GrHWYXJj3bq5hPl8UpMtzpt4SNic3NQ1c_m9oMIwMCkl6J45 See, e.g., “Privacy Statement for Nest Products and Services”; “Amazon Privacy Notice”; and “LUX Privacy Policy.” However, in situations where legal obligations are unclear, it may be up to the company to make individual decisions about whether to push back against an overbroad request.
    • Voluntary Disclosure: Company privacy policies note that in situations such as emergencies or when the company believes it is necessary to protect against harm to the rights, property, or safety of the company, its users, or the public, the company may also voluntarily hand over data to law enforcement.footnote46_rr31L37UgAJRysc6Vbd3Cwa7ISA4v9u0njf-Abg7Dw8_sv1GfFmURj4q46See, e.g., “Privacy Statement for Nest Products and Services”; “Amazon Privacy Notice”; and “LUX Privacy Policy.” However, depending on the nature of the company and the specific functionality of their product, there may be no legal restrictions that limit a company’s voluntary disclosure of data to law enforcement.

Possible uses of device by law enforcement

  • Verify a person’s alibi or version of events.
  • Evaluate movements that may contradict a person’s statements.
  • Verify whether someone was inside a home.

Transparency reports

  • Google and Amazon publish reports incorporating all disclosures of user data into an overall summary that gives numbers across each company’s entire suite of products. These documents do not break down the number of law enforcement requests for data from connected thermostats or specify the type of data provided.footnote47_ALiyaP6XouXDb5zdvAwgyQ9d2LtjPvnwzsQ5W3Pg-BQ_yeUBZeQZY45b47See “Amazon Transparency Report”; “Google Transparency Report.”
    • Transparency reports do not account for situations where users voluntarily turn over data to law enforcement.
  • Honeywell, Lux Kono, and Bosch do not publish transparency reports.

Relevant legal cases and further reading

End Notes

V. Connected Cars

(a) Embedded Technology

How they work and who makes them

What kinds of data are collected and how long is data retained

  • Data about the owner: Embedded technologies can collect the owner’s name, address, telephone number, date of birth, email address, login information, demographic data, gender, emergency contact information, information about the acquisition and financing of a vehicle, and credit card information.footnote51_LiQQH6C-VGmAWuGDw5XVl2wvYdNYa023qNtPHt3Zrg_xDZ5nw8R9iMf51See, e.g. “OnStar Privacy Statement,” last updated January 2020, https://www.onstar.com/us/en/privacy_statement/.
  • Data about the car and people inside the car: These technologies can also record the location data of a car’s movements; audio recordings (such as voice recordings of individuals that interact with a digital assistant); car diagnostics (such as tire pressure, fuel levels, and odometer readings); incident data (such as information about collisions, the direction from which a car was hit, which airbags were deployed, and safety belt usage); communications with third parties and with employees providing support services; and vehicle data such as a car’s location within a lane or its average speed.footnote52_qw6M7DkRbj1iHM9ua7m4g3SUaxcHILNOuoCtiDWkwk_ejIxZLgFTHqJ52See, e.g., “OnStar Privacy Statement”; “BMW Assist Terms and Conditions,” BMW, last updated June 14, 2017, https://www.bmwusa.com/content/dam/bmwusa/connected-drive/pdf/BMWAssist_TERMS_and_CONDITIONS_2014_later.pdf; and “Subaru Starlink Privacy Policy,” last updated May 1, 2018, https://www.subaru.com/company/starlink-privacy.html.
  • Retention: Retention periods are unclear; some privacy policies disclose that they retain information as long as necessary to provide services and comply with legal obligations.footnote53_38i626AtOn73vXDS7M4Vmd6MQcQ3QERnlqlGV4qjIwE_qDxUASEbgVbs53See, e.g., “Subaru Starlink Privacy Policy”; “OnStar Privacy Statement”; and “BMW Assist Terms and Conditions.”OnStar warns users that it is their responsibility to delete their information from OnStar systems before they sell or otherwise transfer their car to another owner.footnote54_oxLiRx8tJQypr-o2OXlqTjT7LlXLtCJmEoBXltNWkcA_rO6WgKMpWrYN54“OnStar Privacy Statement.” (“If you sell or otherwise transfer your vehicle, it is your responsibility to delete all information (such as contacts, address look-ups, saved map addresses) from the vehicle’s system and contact us to transfer or cancel your account. If you do not delete this information, it may remain on the vehicle’s system and may be accessible to future users of the vehicle. For instructions on how to delete information from your vehicle’s system, please refer to your vehicle owner’s manual.”).

Law enforcement access

  • Access via user: Law enforcement can ask the car owner to provide information they can access in the car or through a mobile application connected to the car. The owner may be different from the person who regularly operates the car — for example, where an employer, partner, parent, or other person is the car owner.
  • Access via car manufacturer: Law enforcement can also request data directly from the company.
    • Compelled Disclosure: Depending on factors such as the sensitivity of the data or if a request relates to the content of communications, a warrant or subpoena may be legally required. Company privacy policies typically note that they will disclose user data where required by law.footnote55_KhE4K9Lk-Ujtj0apAfUsWW07OTfp0rmkVH0VZllgLI_bV2YFLcHphXg55 See, e.g., “Subaru Starlink Privacy Policy.” (“We cooperate with government and law enforcement officials and private parties to enforce and comply with the law and may be compelled to disclose your information to government or law enforcement officials or private parties in response to a validly-issued subpoena or court order to . . . satisfy any applicable law, regulation, subpoenas, governmental requests, or legal process . . .”); “OnStar Privacy Statement.” ("As required or permitted by law, such as in conjunction with a subpoena, government inquiry, litigation, dispute resolution, or similar legal process, when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others, to detect, investigate and prevent fraud, or to conduct screening to ensure you are not on any government list of restricted parties.”); and “BMW Assist Terms and Conditions.” (“We reserve the right to disclose your personal information to respond to authorized information requests from government authorities, subpoenas or other litigation process or to protect the interests or safety of the Sites’ visitors, customers, employees, or others, to address national security situations, or when otherwise required by law.”). For example, police have been able to request location data and real-time wiretapping of conversations with a warrant.footnote56_VxgUNPAhnnKhcBGM0j7BFX2bBd0eTZX50jIQcubGtpI_iD2fOkQuVfI056See, e.g., “Subaru Starlink Privacy Policy”; “OnStar Privacy Statement”; and “BMW Assist Terms and Conditions.”However, in situations where legal obligations are unclear, it may be up to the company to make individual decisions about whether to push back against an overbroad request.
    • Voluntary Disclosure: Company privacy policies note that in situations such as emergencies or where the company believes it is necessary to protect against harm to the rights, property, or safety of the company, its users, or the public, the company may also voluntarily hand over data to law enforcement.footnote57_VxgUNPAhnnKhcBGM0j7BFX2bBd0eTZX50jIQcubGtpI_xrsnhuY17Ld957See, e.g., “Subaru Starlink Privacy Policy”; “OnStar Privacy Statement”; and “BMW Assist Terms and Conditions.”However, depending on the nature of the company and the specific functionality of their product, there may be no legal restrictions that limit a company’s voluntary disclosure of data to law enforcement.

Possible uses of device data by law enforcement

  • Evaluate a person’s alibi or version of events.
  • Evaluate a person’s location or movements during a given time frame.
  • Evaluate whether someone was inside a car.
  • Analyze voice recordings that identify a suspect, victim, and more.
  • Intercept communications and track location on an ongoing basis.

Transparency reports

  • No transparency reports were located.

Relevant legal cases and further reading

  • Cartapping: How Feds Have Spied on Connected Cars For 15 Years (Forbes)
  • Burglary Suspect Arrested in Camden After OnStar Tracks Stolen Vehicle (Philly Voice)
  • 12-Year-Old Faces Felony Charges After High Speed Chase Through Conroe (The Courier)
  • BMW Remotely Locks Alleged Thief In Car He’s Trying to Swipe (CNET)
  • In the Matter of the Application of the United States for an Order Authorizing the Roving Interception of Oral Communications, 2003 in case # 02–15635, the Ninth Circuit allowed the FBI to obtain a court order compelling a car manufacturer to use technology embedded in a car to allow agents to eavesdrop on conversations in the car.
  • People v. Oelerich, 78 N.E.3d 992 (Ill. App. Ct. 2017). Defendant’s car had OnStar. One piece of evidence was a 47-second-long recording of the conversation between the OnStar operator and the defendant, where the operator asked the defendant what had just happened and the defendant said, referring to a hallucinogenic drug, “I was driving because I wanted to have the great DMT trip of my life. And I cannot die….” The prosecutor used the OnStar recording to argue that the defendant was deliberate in driving into the other vehicle, while the defense used the recording to show that the defendant had not been rational and was in a psychotic state.
  • State v. Wilson, 2008-Ohio-2863 (Ohio Ct. App. 2008). Defendant purchased a used vehicle equipped with OnStar, but he declined OnStar services. However, the service had not yet been disabled when OnStar received an emergency button key press from the vehicle. After the OnStar operator received no response, they requested local police to provide emergency assistance at the vehicle’s location. While monitoring the vehicle, the operator overheard the vehicle occupants discussing a possible illegal drug transaction and permitted the police dispatcher to listen in. The dispatcher notified the officers. The officer who arrived on scene “observed furtive movement” from the driver of the vehicle (the defendant), removed him from the vehicle, and conducted a search, ultimately finding marijuana. The trial court denied the defendant’s motion to suppress, finding there was no Fourth Amendment violation because governmental action did not cause the OnStar employee to monitor the conversation. The court of appeals affirmed.
  • People v. Jacques, 2016 WL 4482930 (Cal. Ct. App. 2016). Following a burglary where the victim reported the license plate number of the defendant, police obtained a warrant to access the location of the defendant’s vehicle through OnStar. After locating the defendant’s vehicle, the police planted their own tracking device on the car to track its location.

(b) Supplemental Technology

How they work and who makes them

What kinds of data are collected and how long data is retained

  • Data about the device owner: These devices may collect the user’s name, mailing address, email address, telephone number, and payment information.footnote63_V0vDRL5uDwj9MWZOuEfwTwp3tqlGnMVoTf9x4a764_qlguMFdYma2N63See ““The Rise of the In-car Digital Assistant.”
  • Data about the car and people inside the car: They may also gather location data, video and audio footage of what occurs in and around a car, and diagnostic reports about the condition of a car.footnote64_bC-WzoVzW9r0hiTbIViTnQTuLFsMV3ta6DQO3DmOnE_tgtZN8cmX2ZS64See, e.g., “Garmin Privacy Policy”; “Raven Privacy Policy,” accessed December 16, 2020, https://ravenconnected.com/privacy-policy/; “Vivint Privacy Policy,” last updated December 15, 2019, https://www.vivint.com/company/policies/privacy; “Google Privacy Policy”; and “Amazon Privacy Notice.”
  • Retention: Retention periods are unclear, with some privacy policies disclosing that they retain information as long as necessary to provide services.footnote65_aFkLu7nuyYQ5m1yzwUATotaXPbxtF5KavEgVtv5HIQ_yBmV4kNJXnEV65See, e.g. “JVCKENWOOD USA Corporation Privacy Policy,” last updated July 1, 2020, https://policy.us.jvckenwood.com/privacy.html. (“JVCKENWOOD USA Corporation will retain your Personal Information for the period necessary to fulfill the purposes outlined in this Privacy Policy unless a longer retention period is required or permitted by for legal, auditing, or compliance purposes.”); “Raven Privacy Policy.” (“We retain your personal information only as long as necessary to facilitate the use of our products and services. When your cancel your subscription to our services, we will take steps to have your personal information deleted and erased.”)

Law enforcement access

  • Access via user: Law enforcement can ask the owner of the device to turn over the data. The device owner may be different from the car owner — for example, where an employer, partner, parent, or other person controls a device attached to a car.
  • Access via device manufacturer: Law enforcement can also request access for data directly from the company.
    • Compelled Disclosure: Depending on factors such as the sensitivity of the data or if a request relates to the content of communications, a warrant or subpoena may be legally required. Company privacy policies typically note that they will disclose user data where required by law.footnote66_NUCvTAnqNzXyyuWX6iXaoMBM1f2XTUIAtYF6YHsw_kfASRNt1jOT366 See, e.g., “JVCKENWOOD USA Corporation Privacy Policy.” (“JVCKENWOOD USA Corporation may share information about you for business purposes as follows or as otherwise described in this Privacy Policy . . . in response to a subpoena, legal order or official request, including lawful requests by public authorities to meet national security or law enforcement requirements.”); “Raven Privacy Policy.” (“Raven Connected may be requested or required by law to disclose personal information to proper law enforcement authorities, even though you might have requested that we do not share such personal information. This information may be necessary to identify, contact or bring legal action against anyone who may attempt to cause injury to another’s rights or property. We may also release your personal information when we believe the release is appropriate to comply with the law, enforce our policies, or protect ours or others’ rights, property, or safety.”) However, in situations where legal obligations are unclear, it may be up to the company to make individual decisions about whether to push back against an overbroad request.
    • Voluntary Disclosure: Company privacy policies note that in situations such as emergencies or when the company believes it is necessary to protect their rights and property, they may also voluntarily hand over data to law enforcement.footnote67_GJFl5w-gm58Xg25CY9m-vIhSxf9xBDoPOejj04NK94_rRADS2VlI0QV67See, e.g., “JVCKENWOOD USA Corporation Privacy Policy”; “Raven Privacy Policy.”However, depending on the nature of the company and the specific functionality of their product, there may be no legal restrictions that limit a company’s voluntary disclosure of data to law enforcement.

Possible uses of device data by law enforcement

  • Evaluate a person’s alibi or version of events.
  • Evaluate a person’s location or movements during a given time frame.
  • Verify whether someone was inside a car.
  • Evaluate voice recordings to help identify a suspect, victim, and more.

Transparency reports

  • Apple, Amazon, and Google publish summaries incorporating all disclosures of user data into an overall report that gives numbers across each company’s entire suite of products. These documents do not break down the number of law enforcement requests for data from each product or specify the type of data provided.footnote68_1nnqeEi-p-H4PtJiUK5P7FJcoElE2XdsMles6rBuTmc_iVb20tQNoz6h68See “Apple Transparency Report”; “Amazon Transparency Report”; and “Google Transparency Report.”
    • Transparency reports do not account for situations where users voluntarily turn over data to law enforcement.
  • Pioneer, Kenwood, OnStar, Garmin, Raven, and Vivint do not publish transparency reports.

Relevant legal cases and further reading

End Notes

VI. License Plate Readers

How they work and who makes them

  • How they work: License plate readers use a combination of cameras and computer software to scan and store the license plates as well as photos of every car passing by the device.
    • Through a user interface, users can set up “hot lists” to alert them whenever a particular car passes by or leaves a neighborhood.
    • Companies also retain license plate information for future uses. These uses may include data sharing with law enforcement and with other customers who have “a legitimate commercial interest,”footnote69_4E1ZOk1jVyl52UhRY-QvtLnthq9dza9gxlzOIH0_iZzw0xEWrFIL69See, e.g., “Vigilant Solutions Usage and Privacy Policy,” accessed December 16, 2020, https://www.vigilantsolutions.com/lpr-usage-and-privacy-policy. (“The company authorizes collection of LPR data for the use of the company and its customers consistent with this policy. The authorized uses of the ALPR system are . . . (1) By customers to identify or ascertain the location of a specific vehicle under circumstances when there is a legitimate commercial interest . . . (2) By law enforcement agencies for law enforcement purposes . . . (3) By the company to make LPR data available to customers and law enforcement agencies (LEAs) for the purposes above, and to provide market research information to customers based on aggregated LPR data.”) such as repossession services on behalf of creditors.footnote70_F05GP0vstLR1DMostw6gNfzu1VqOVw5KLMtlAnCGE_gc6EVppOQsug70See, e.g., Susan Crandall,“Vigilant Solutions Bolsters Commercial LPR Database through Agreement with Plate Locate,” Digital Recognition Network, April 19, 2018, https://drndata.com/vigilant-solutions-bolsters-commercial-lpr-database-agreement-plate-locate/.
  • Who makes them: Companies selling these devices include Flock Safety, Vigilant Solutions, and Obsidian Integration.

What kinds of data are collected and how long is data retained

Law enforcement access

  • Access via user: Law enforcement can ask the owner or any user with access to the data to voluntarily disclose it. Companies like Flock Safety create user interfaces that allow users to either share information with police on a case-by-case basis or to allow the police to have direct access to the system.footnote79_AFuWrvI7L7y8SCfxSxFXyIXklCuXyCXFvUzRNXd9GGk_n96wyJe7YOjg79 See, e.g. “Neighborhoods Stop Crime in Their Community with License Plate Readers,” KCTB5 Kansas City, https://www.youtube.com/watch?v=fXqFj4H6XKg (Uploaded by Flock Safety).
  • Access via device manufacturer: Law enforcement can also request access for data directly from the company.
    • Compelled Disclosure: Depending on factors such as the sensitivity of the data, a warrant or subpoena may be legally required. Company privacy policies typically note that they will disclose user data where required by law.footnote80_y2XCMJ1avokxXClkocrwsn9Cx1VOlhhnow9wFgD8XMc_fg3lFCqqvnjL80See, e.g., “Vigilant Solutions Usage and Privacy Policy”; “Terms of Service for Flock Safety.” However, in situations where legal obligations are unclear, it may be up to the company to make individual decisions about whether to push back against an overbroad request. Flock Safety also reserves the right to use and disclose aggregated data the company collects for unspecified “crime prevention efforts.”footnote81_Nrl-8Oe5OHwwPYJkgND4m4gAlHobrRsz7FzuriFU6KY_jFj71R3HtD5w81“Terms of Service for Flock Safety.” (“Customer acknowledges that Flock will be compiling anonymized and/or aggregated data based on Customer Data input into the Services (the ‘Aggregated Data’). Customer hereby grants Flock a non-exclusive, worldwide, perpetual, royalty-free right and license (during and after the term hereof) to use and distribute such Aggregated Data to improve and enhance the Services and for other marketing, development, diagnostic and corrective purposes, other Flock offerings and crime prevention efforts.”)
    • Voluntary Disclosure: Company privacy policies note that in situations such as emergencies or when the company believes it is necessary to protect against harm to the rights, property, or safety of the company, they may also voluntarily hand over data to law enforcement.footnote82_7QZtf1TYGzpJ4NA0-dsHjbL2eEJmdODSgkSazNXad1Y_jdmxhrsnqhdL82See, e.g., “Terms of Service for Flock Safety.” (“For clarity, Flock may access, use, preserve and/or disclose the Footage to law enforcement authorities, government officials, and/or third parties, if legally required to do so or if Flock has a good faith belief that such access, use, preservation or disclosure is reasonably necessary to: (a) comply with a legal process or request; (b) enforce this Agreement, including investigation of any potential violation thereof; (c) detect, prevent or otherwise address security, fraud or technical issues; or (d) protect the rights, property or safety of Flock, its users, a third party, or the public as required or permitted by law, including respond to an emergency situation.”) However, depending on the nature of the company and the specific functionality of their product, there may be no legal restrictions that limit a company’s voluntary disclosure of data to law enforcement.

Possible uses of device data by law enforcement

  • Verify cars and people present at the scene of a crime.
  • Establish relationships between people.
  • Track a particular driver’s location and movement over time.
  • Locate cars associated with AMBER alerts for abducted children.
  • Cross-reference state and federal databases with information on gang membership and unpaid fines.

Transparency reports

  • No transparency reports identified.

Relevant legal cases and further reading

End Notes