Skip Navigation
Resource

Law Enforcement Access to Smart Devices

More and more devices are becoming part of the ‘internet of things.’ Here’s what they are, what they collect, and what police might get.

Published: December 21, 2020

This resource details the potential privacy issues for numerous internet-connected devices. They include connected cameras (doorbells, indoor, and outdoor cameras), smart speakers and digital assistants, physical activity trackers, thermostats, in-car systems, and automated license plate readers.

The summaries include how the devices work and who makes them, what kinds of data are collected and how long it’s retained, possible uses of device data by law enforcement, transparency reports, and relevant legal cases and further reading.

The resource is a companion to our related expert brief, which covers privacy and civil rights concerns, the legal frameworks for data access, how law enforcement access works in practice, and conclusions about how to improve privacy protections.

I. Connected Cameras (Doorbells and Indoor and Outdoor Cameras)

How they work and who makes them

  • Who makes them: Companies selling this technology include Google (Nest), Amazon (Ring), SimpliSafe, eufy, and Arlo.

What kinds of data are collected and how long data is retained

  • Data about the owner: Name, home address, locations where the cameras are placed, and credit card information may be stored by these connected cameras. footnote6_xbm441u 6 See, e.g., “Ring Privacy Notice,” last updated October 9, 2020, https://shop.ring.com/pages/privacy-notice; and “Privacy Statement for Nest Products and Services,” accessed December 16, 2020, https://nest.com/legal/privacy-statement-for-nest-products-and-services/. In some situations, users can also share their social media handles, demographic information, interests, hobbies, gender, and age. footnote7_30bqpkz 7 See, e.g., “eufy Privacy Policy,” accessed December 16, 2020, https://www.eufylife.com/privacy-policy#1 (“We may ask you to submit the following types of Personal Information: first and last name, country, email address, product serial number, date of purchase, telephone number, mailing address, and proof of purchase. We may also collect additional personal information such as your interests or hobbies, your gender or age.”); and “SimpliSafe Privacy Policy,” last updated February 2020, https://simplisafe.com/privacy-policy (“Types of personal information we collect when you become a customer and provide it to us include . . . demographic information about you.”).
  • Data about others: Video and audio recordings of residents, guests, employees, service workers, and others who may enter the camera’s capture radius can be captured and stored. Depending on where a camera is placed, it may also record events that occur on the streets and even in homes surrounding the device — for example, when the camera can see a neighbor’s window.
    • Companies such as Google and eufy offer facial recognition data that captures “face images and underlying face prints,” allowing device owners to track anyone that comes into contact with the camera. footnote8_axyhmug 8 “Learn about familiar face detection,” Google Nest, accessed December 16, 2020, https://support.google.com/googlenest/answer/9268625?co=GENIE.Platform%3DAndroid&hl=en (facial recognition). Google directs owners to notify “guests” that their faces may be captured. See Privacy Statement for Nest Products and Services (“Depending on where you live and how you configure the Products and Services, you may need to get explicit consent to scan the faces of people visiting your home.”).
    • Companies such as SimpliSafe also maintain lists of the number of adults and children living in a home, as well as the name and telephone number of a friend or family member to be alerted in case of an alarm. footnote9_fx525jn 9 See SimpliSafe Privacy Policy, last updated February 2020, https://simplisafe.com/privacy-policy (“Types of personal information we collect when you become a subscriber to monitoring services and you provide it to us include . . . the number of adults and children living at the location where the alarm will be installed . . . name and telephone number for friends or family you would like to be contracted in the event of an alarm”).
    • Companies also capture a running list of motions and alerts, including which camera captured the information; the date and time; environmental data such as the temperature of the device and ambient light sensors; and technical information such as the model and serial number, software version, and Wi-Fi signal strength. footnote10_rti3hdx 10 See, e.g., Leo Kelion, “Amazon’s Ring Logs Every Doorbell Press and App Action,” BBC, March 4, 2020, https://www.bbc.com/news/technology-51709247.
  • Retention: The retention period for footage may depend on the plan obtained by a user. For example, Nest Aware Plus stores 60 days’ worth of “event video” (recordings triggered by activity that a camera detects) history in the cloud, and stores 24/7 recordings for a period of 10 days. footnote11_ipxf13w 11 “Don’t Miss a Thing with the New Nest Aware,” Google Store, accessed December 16, 2020, https://store.google.com/us/product/nest_aware; see also Ring Protect. By comparison, some companies offer local retention using traditional memory cards which can store months’ worth of recordings but would not be directly available to anyone other than those with access to the physical card. footnote12_l21zqbw 12 See, e.g., “eufyCam,” accessed December 16, 2020, https://www.eufylife.com/products/variant/eufycam/T88011D1. “eufyCam doesn’t require any monthly fees to use, and comes with a 16GB microSD card that stores up to one-years’ worth of recordings. Cloud storage service optional.”

Law enforcement access

  • Access via user: The person purchasing the cameras can choose to share recordings directly with law enforcement.
  • Access via device manufacturer: Law enforcement can request access to data directly from the company.
    • Compelled Disclosure: Depending on factors such as the sensitivity of the data or if a request relates to the content of communications, a warrant or subpoena may be legally required. Company privacy policies typically note that they will disclose user data where required by law. footnote16_yip8zlk 16 See, e.g., “Ring Privacy Notice.” (“We also may disclose personal information about you (1) if we are required to do so by law or legal process (such as a court order or subpoena.”); and “Privacy Statement for Nest Products and Services.” (“We will share personal information with third parties if we have a good faith belief that access, use, preservation or disclosure of the information is reasonably necessary to (i) meet any applicable law, regulation, legal process or enforceable government request.”) However, in situations where legal obligations are unclear, it may be up to the company to make individual decisions about whether to push back against an overbroad request.
    • Voluntary Disclosure: Company privacy policies note that in situations such as emergencies or when the company believes it is necessary to protect against harm to the rights, property, or safety of the company, its users, or the public, they may voluntarily hand over data to law enforcement. footnote17_o5bi2ui 17 See, e.g., Privacy Statement for Nest Products and Services; Ring Privacy Notice; SimpliSafe Privacy Policy; and “Arlo Terms and Conditions,” last updated August 26, 2020, https://www.arlo.com/en-us/about/terms-and-conditions/. However, depending on the nature of the company and the specific functionality of their product, there may be no legal restrictions that limit a company’s voluntary disclosure of data to law enforcement.

Possible uses of device data by law enforcement

  • Review video and audio recording of an incident.
  • Review footage of a person or their car or other mode of transportation.
  • Establish a relationship between people and between a person and a given residence.
  • Evaluate a person’s alibi or version of events.
  • Run still images through police facial recognition systems.

Transparency reports

Relevant legal cases and further reading

End Notes

II. Digital Assistants

How they work and who makes them

  • How they work: Digital assistants are voice-enabled devices that perform a variety of tasks based on preset commands. footnote1_b9j516f 1 See Richard Baguley and Colin McDonald, “Appliance Science: Alexa, How Does Alexa work? The Science of Amazon Echo,” CNET, August 4, 2016, https://www.cnet.com/news/appliance-science-alexa-how-does-alexa-work-the-science-of-amazons-echo/. They can be used to perform internet queries, display connected camera streams, control speakers and television sets, and more. footnote2_d6qz696 2 Stacey Gray, Always On: Privacy Implications of Microphone-Enabled Devices, Future of Privacy Forum, April 2016, https://fpf.org/wp-content/uploads/2016/04/FPF_Always_On_WP.pdf. Amazon allows users to set up their devices to detect sounds such as smoke alarms or glass breaking, and they can be programmed to “deter” unwanted visitors by turning on lights or playing the sound of a dog barking. footnote3_f3ef1lq 3 See “Introducing Alexa Guard Plus,” Amazon, accessed December 16, 2020, https://www.amazon.com/b?ie=UTF8&node=18021383011.
  • Who makes them: Some of the companies selling this technology include Google (Google Assistant), Amazon (Alexa), and Apple (Siri). They integrate this technology into a variety of different hardware devices, such as the Google Nest Hub, Amazon Echo, and Apple HomePod.

What kinds of data are collected and how long data is retained

  • Data about the owner: Voice recordings, name, address, email address, nickname, telephone number, credit card information, and more. footnote4_60excs6 4 See, e.g., “Amazon Privacy Notice,” Amazon, last updated January 1, 2020, https://www.amazon.com/gp/help/customer/display.html?nodeId=GX7NJQ4ZB8MHFRNJ. Digital assistants may also access location history, search history, device contacts, website activity, calendar data, and more. footnote5_zx4n99e 5 Anyone within the range of a digital assistant may be able to activate the device and learn information about the person whose account is associated with the device (e.g., calendar, contacts, email, and more). By aggregating one policy for various services, companies like Google make it difficult to fully understand the universe of data collected, stored, and shared by its digital assistant product. See, e.g., “Google Privacy Policy,” last updated September 30, 2020, https://policies.google.com/privacy.
  • Data about others: Voice recordings of individuals who interact with the digital assistant or whose voices are audible in a recording.
  • Retention: Amazon retains voice recordings and transcripts indefinitely, until a user deletes them. footnote6_qswuzwf 6 Brian Huseman (Amazon) to Senator Coons, June 28, 2019, https://www.coons.senate.gov/imo/media/doc/Amazon%20Senator%20Coons__Response%20Letter__6.28.19[3].pdf. (“We retain customers’ voice recordings and transcripts until the customer chooses to delete them.”) Google says that it does not retain audio recordings by default; users can elect to store recordings and can set up automatic deletion. footnote7_dox7b6r 7 “Data Security and Privacy on Devices that Work with Assistant,” Google Nest Help, accessed December 16, 2020, https://support.google.com/googlenest/answer/7072285?hl=en. Apple stores recordings using a random identifier for six months (making it difficult to connect the recordings to a person’s account) and then stores them without any identifier for up to two years. footnote8_z99dj86 8 See “Ask Siri, Dictation & Privacy,” Apple, accessed December 16, 2020, https://support.apple.com/en-us/HT210657. (“Your request history is associated with the random identifier for up to six months. Your request history may include transcripts, audio for users who have opted in to Improve Siri and Dictation, and related request data such as device specifications, device configuration, performance statistics, and the approximate location of your device at the time the request was made. After six months, your request history is dissociated from the random identifier and may be retained for up to two years to help Apple develop and improve Siri, Dictation, and other language processing features like Voice Control. The small subset of requests that have been reviewed may be kept beyond two years, without the random identifier, for ongoing improvement of Siri.”)

Law enforcement access

  • Access via user: Law enforcement can ask the owner of the device to turn over data voluntarily.
  • Access via device manufacturer: Law enforcement can also request access to data directly from the company.
    • Compelled Disclosure: Depending on factors such as the sensitivity of the data or if a request relates to the content of communications, a warrant or subpoena may be legally required. Company privacy policies typically note that they will disclose user data where required by law. footnote9_pp7lrbd 9 See, e.g., “Amazon Privacy Notice.” (“We release account and other personal information when we believe release is appropriate to comply with the law; enforce or apply our Conditions of Use and other agreements; or protect the rights, property, or safety of Amazon, our users, or others”); “Google Privacy Policy.” (“We will share personal information outside of Google if we have a good-faith belief that access, use, preservation, or disclosure of the information is reasonably necessary to . . . meet any applicable law, regulation, legal process, or enforceable governmental request”); and “Apple Privacy Policy,” last updated December 31, 2019, https://www.apple.com/legal/privacy/en-ww/. (“It may be necessary − by law, legal process, litigation, and/or requests from public and governmental authorities within or outside your country of residence − for Apple to disclose your personal information. We may also disclose information about you if we determine that for purposes of national security, law enforcement, or other issues of public importance, disclosure is necessary or appropriate.”) However, in situations where legal obligations are unclear, it may be up to the company to make individual decisions about whether to push back against an overbroad request.
    • Voluntary Disclosure: Company privacy policies note that in situations such as emergencies or when the company believes it is necessary to protect the rights, property, or safety of the company, its users, or the public, the company may also voluntarily hand over data to law enforcement. footnote10_o49h9du 10 See, e.g., “Amazon Privacy Notice”; “Google Privacy Policy”; and “Apple Privacy Policy.” However, depending on the nature of the company and the specific functionality of their product, there may be no legal restrictions that limit a company’s voluntary disclosure of data to law enforcement.

Possible uses of device data by law enforcement

  • Identify a suspect, victim, or witness through voice recordings.
  • Evaluate a person’s alibi or version of events.
  • Establish a relationship between people and between a person and a given residence.

Transparency reports

  • Amazon, Google, and Apple publish summaries incorporating all disclosures of user data into an overall report that gives numbers across each company’s entire suite of products. These documents do not break down the number of law enforcement requests for data from digital assistants or specify the type of data provided. footnote11_jrlywst 11 See “Amazon Transparency Report”; “Google Transparency Report”; and “Apple Transparency Report,” accessed December 16, 2020, https://www.apple.com/legal/transparency/us.html.
    • Transparency reports do not account for situations where users voluntarily turn over data to law enforcement.

Relevant legal cases and further reading

End Notes

III. Activity Trackers

How they work and who makes them

  • How they work: Activity trackers are personal devices that are used to track an individual’s movements and health data. This data can be accessed via a mobile application or other personal device. footnote1_nbotha9 1 See, e.g., Robbie Gonzalez, “Science Says Fitness Trackers Don’t Work Anyway,” Wired, December 25, 2017, https://www.wired.com/story/science-says-fitness-trackers-dont-work-wear-one-anyway/.
  • Who makes them: Companies selling this technology include Fitbit, Garmin, Amazon, and Apple.

What kinds of data are collected and how long data is retained

 Law enforcement access

  • Access via user: Law enforcement can ask the owner of the device to turn over data voluntarily.
  • Access via device manufacturer: Law enforcement can also request access for data directly from the company.
    • Compelled Disclosure: Depending on factors such as the sensitivity of the data or if a request relates to the content of communications, a warrant or subpoena may be legally required. Company privacy policies typically note that they will disclose user data where required by law. footnote35_rxhn46q 35 See, e.g., “Garmin Privacy Policy”; “Fitbit Privacy Policy.”  However, in situations where legal obligations are unclear, it may be up to the company to make individual decisions about whether to push back against an overbroad request.
    • Voluntary Disclosure: Company privacy policies note that in situations such as emergencies or where the company believes it is necessary to respond to threats to the security of the services or the physical safety of any person, companies such as Fitbit may also voluntarily hand over data to law enforcement. footnote36_ogiad02 36 See “Fitbit Privacy Policy.”  However, depending on the nature of the company and the specific functionality of their product, there may be no legal restrictions that limit a company’s voluntary disclosure of data to law enforcement.

 Possible uses of device data by law enforcement

  • Approximate a person’s location or movements during a given time frame.
  • Evaluate a person’s alibi or version of events.
  • Approximate a person’s time of death.

Transparency reports

  • No transparency reports identified.

 Relevant legal cases and further reading

End Notes

IV. Connected Thermostats

How they work and who makes them

What kinds of data are collected and how long data is retained

  • Data about the owner:
  • Data about a residence and its inhabitants:
    • These devices can collect indoor and outdoor temperature, smoke and carbon monoxide levels, humidity, ambient light, movement, and more. footnote41_j7xsf95 41 See “Data Protection Notice,” Bosch Thermotechnology.
    • They may also gather usage data, including the status and runtime of heating and air conditioning in the home and the overall home electrical usage. footnote42_9ko50in 42 See LUX Privacy Policy,; “Resideo Connected Home End-User License Agreement and Privacy Statement,” Resideo, last updated June 1, 2020, https://www.resideo.com/us/en/corporate/legal/eula/english-gb/#_PRIVACY_RESIDEO.
    • Some devices store information based on interactions with third party devices, such as home computers. footnote43_axafqoi 43 See “Resideo Connected Home End-User License Agreement and Privacy Statement;” “LUX Privacy Policy.”
  • Retention: The retention period for data varies. For example, Google says it may retain some data indefinitely, whereas other data is deleted after a “predetermined period.” However, there is no specific retention period by each data type. footnote44_9b8f5ny 44 See “Nest Retention Statement,” Nest, accessed December 16, 2020, https://nest.com/data-retention/.

Law enforcement access

  • Access via user: Law enforcement can ask the owner of the device to turn over data voluntarily.
  • Access via device manufacturer: Law enforcement can also request access for data directly from the company.
    • Compelled Disclosure: Depending on factors such as the sensitivity of the data or if a request relates to the content of communications, a warrant or subpoena may be legally required. Company privacy policies typically note that they will disclose user data where required by law. footnote45_kytqjgo 45 See, e.g., “Privacy Statement for Nest Products and Services”; “Amazon Privacy Notice”; and “LUX Privacy Policy.”  However, in situations where legal obligations are unclear, it may be up to the company to make individual decisions about whether to push back against an overbroad request.
    • Voluntary Disclosure: Company privacy policies note that in situations such as emergencies or when the company believes it is necessary to protect against harm to the rights, property, or safety of the company, its users, or the public, the company may also voluntarily hand over data to law enforcement. footnote46_59zlrzo 46 See, e.g., “Privacy Statement for Nest Products and Services”; “Amazon Privacy Notice”; and “LUX Privacy Policy.”  However, depending on the nature of the company and the specific functionality of their product, there may be no legal restrictions that limit a company’s voluntary disclosure of data to law enforcement.

Possible uses of device by law enforcement

  • Verify a person’s alibi or version of events.
  • Evaluate movements that may contradict a person’s statements.
  • Verify whether someone was inside a home.

Transparency reports

  • Google and Amazon publish reports incorporating all disclosures of user data into an overall summary that gives numbers across each company’s entire suite of products. These documents do not break down the number of law enforcement requests for data from connected thermostats or specify the type of data provided. footnote47_3ogkpsb 47 See “Amazon Transparency Report”; “Google Transparency Report.”
    • Transparency reports do not account for situations where users voluntarily turn over data to law enforcement.
  • Honeywell, Lux Kono, and Bosch do not publish transparency reports.

Relevant legal cases and further reading

End Notes

V. Connected Cars

(a) Embedded Technology

How they work and who makes them

  • How they work: Embedded technologies are built-in features that enable cars to perform a variety of tasks. These can include:
  • Who makes them: Companies offering embedded technologies in their vehicles include BMW, Ford, Tesla, Toyota, Subaru, and others.

What kinds of data are collected and how long is data retained

  • Data about the owner: Embedded technologies can collect the owner’s name, address, telephone number, date of birth, email address, login information, demographic data, gender, emergency contact information, information about the acquisition and financing of a vehicle, and credit card information. footnote51_fxs1yrx 51 See, e.g. “OnStar Privacy Statement,” last updated January 2020, https://www.onstar.com/us/en/privacy_statement/.
  • Data about the car and people inside the car: These technologies can also record the location data of a car’s movements; audio recordings (such as voice recordings of individuals that interact with a digital assistant); car diagnostics (such as tire pressure, fuel levels, and odometer readings); incident data (such as information about collisions, the direction from which a car was hit, which airbags were deployed, and safety belt usage); communications with third parties and with employees providing support services; and vehicle data such as a car’s location within a lane or its average speed. footnote52_1z1d9mr 52 See, e.g., “OnStar Privacy Statement”; “BMW Assist Terms and Conditions,” BMW, last updated June 14, 2017, https://www.bmwusa.com/content/dam/bmwusa/connected-drive/pdf/BMWAssist_TERMS_and_CONDITIONS_2014_later.pdf; and “Subaru Starlink Privacy Policy,” last updated May 1, 2018, https://www.subaru.com/company/starlink-privacy.html.
  • Retention: Retention periods are unclear; some privacy policies disclose that they retain information as long as necessary to provide services and comply with legal obligations. footnote53_1fpa3zl 53 See, e.g., “Subaru Starlink Privacy Policy”; “OnStar Privacy Statement”; and “BMW Assist Terms and Conditions.” OnStar warns users that it is their responsibility to delete their information from OnStar systems before they sell or otherwise transfer their car to another owner. footnote54_weiu4lb 54 “OnStar Privacy Statement.” (“If you sell or otherwise transfer your vehicle, it is your responsibility to delete all information (such as contacts, address look-ups, saved map addresses) from the vehicle’s system and contact us to transfer or cancel your account. If you do not delete this information, it may remain on the vehicle’s system and may be accessible to future users of the vehicle. For instructions on how to delete information from your vehicle’s system, please refer to your vehicle owner’s manual.”).

Law enforcement access

  • Access via user: Law enforcement can ask the car owner to provide information they can access in the car or through a mobile application connected to the car. The owner may be different from the person who regularly operates the car — for example, where an employer, partner, parent, or other person is the car owner.
  • Access via car manufacturer: Law enforcement can also request data directly from the company.
    • Compelled Disclosure: Depending on factors such as the sensitivity of the data or if a request relates to the content of communications, a warrant or subpoena may be legally required. Company privacy policies typically note that they will disclose user data where required by law. footnote55_nx0c4ep 55 See, e.g., “Subaru Starlink Privacy Policy.” (“We cooperate with government and law enforcement officials and private parties to enforce and comply with the law and may be compelled to disclose your information to government or law enforcement officials or private parties in response to a validly-issued subpoena or court order to . . . satisfy any applicable law, regulation, subpoenas, governmental requests, or legal process . . .”); “OnStar Privacy Statement.” ("As required or permitted by law, such as in conjunction with a subpoena, government inquiry, litigation, dispute resolution, or similar legal process, when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others, to detect, investigate and prevent fraud, or to conduct screening to ensure you are not on any government list of restricted parties.”); and “BMW Assist Terms and Conditions.” (“We reserve the right to disclose your personal information to respond to authorized information requests from government authorities, subpoenas or other litigation process or to protect the interests or safety of the Sites’ visitors, customers, employees, or others, to address national security situations, or when otherwise required by law.”). For example, police have been able to request location data and real-time wiretapping of conversations with a warrant. footnote56_uda58pd 56 See, e.g., “Subaru Starlink Privacy Policy”; “OnStar Privacy Statement”; and “BMW Assist Terms and Conditions.” However, in situations where legal obligations are unclear, it may be up to the company to make individual decisions about whether to push back against an overbroad request.
    • Voluntary Disclosure: Company privacy policies note that in situations such as emergencies or where the company believes it is necessary to protect against harm to the rights, property, or safety of the company, its users, or the public, the company may also voluntarily hand over data to law enforcement. footnote57_rbi0l8y 57 See, e.g., “Subaru Starlink Privacy Policy”; “OnStar Privacy Statement”; and “BMW Assist Terms and Conditions.” However, depending on the nature of the company and the specific functionality of their product, there may be no legal restrictions that limit a company’s voluntary disclosure of data to law enforcement.

Possible uses of device data by law enforcement

  • Evaluate a person’s alibi or version of events.
  • Evaluate a person’s location or movements during a given time frame.
  • Evaluate whether someone was inside a car.
  • Analyze voice recordings that identify a suspect, victim, and more.
  • Intercept communications and track location on an ongoing basis.

Transparency reports

  • No transparency reports were located.

Relevant legal cases and further reading

  • Cartapping: How Feds Have Spied on Connected Cars For 15 Years (Forbes)
  • Burglary Suspect Arrested in Camden After OnStar Tracks Stolen Vehicle (Philly Voice)
  • 12-Year-Old Faces Felony Charges After High Speed Chase Through Conroe (The Courier)
  • BMW Remotely Locks Alleged Thief In Car He’s Trying to Swipe (CNET)
  • In the Matter of the Application of the United States for an Order Authorizing the Roving Interception of Oral Communications, 2003 in case # 02-15635, the Ninth Circuit allowed the FBI to obtain a court order compelling a car manufacturer to use technology embedded in a car to allow agents to eavesdrop on conversations in the car.
  • People v. Oelerich, 78 N.E.3d 992 (Ill. App. Ct. 2017). Defendant's car had OnStar. One piece of evidence was a 47-second-long recording of the conversation between the OnStar operator and the defendant, where the operator asked the defendant what had just happened and the defendant said, referring to a hallucinogenic drug, “I was driving because I wanted to have the great DMT trip of my life. And I cannot die….” The prosecutor used the OnStar recording to argue that the defendant was deliberate in driving into the other vehicle, while the defense used the recording to show that the defendant had not been rational and was in a psychotic state.
  • State v. Wilson, 2008-Ohio-2863 (Ohio Ct. App. 2008). Defendant purchased a used vehicle equipped with OnStar, but he declined OnStar services. However, the service had not yet been disabled when OnStar received an emergency button key press from the vehicle. After the OnStar operator received no response, they requested local police to provide emergency assistance at the vehicle's location. While monitoring the vehicle, the operator overheard the vehicle occupants discussing a possible illegal drug transaction and permitted the police dispatcher to listen in. The dispatcher notified the officers. The officer who arrived on scene “observed furtive movement” from the driver of the vehicle (the defendant), removed him from the vehicle, and conducted a search, ultimately finding marijuana. The trial court denied the defendant’s motion to suppress, finding there was no Fourth Amendment violation because governmental action did not cause the OnStar employee to monitor the conversation. The court of appeals affirmed.
  • People v. Jacques, 2016 WL 4482930 (Cal. Ct. App. 2016). Following a burglary where the victim reported the license plate number of the defendant, police obtained a warrant to access the location of the defendant’s vehicle through OnStar. After locating the defendant’s vehicle, the police planted their own tracking device on the car to track its location.

(b) Supplemental Technology

How they work and who makes them

What kinds of data are collected and how long data is retained

  • Data about the device owner: These devices may collect the user’s name, mailing address, email address, telephone number, and payment information. footnote63_27ie58y 63 See ““The Rise of the In-car Digital Assistant.”
  • Data about the car and people inside the car: They may also gather location data, video and audio footage of what occurs in and around a car, and diagnostic reports about the condition of a car. footnote64_saw07rn 64 See, e.g., “Garmin Privacy Policy”; “Raven Privacy Policy,” accessed December 16, 2020, https://ravenconnected.com/privacy-policy/; “Vivint Privacy Policy,” last updated December 15, 2019, https://www.vivint.com/company/policies/privacy; “Google Privacy Policy”; and “Amazon Privacy Notice.”
  • Retention: Retention periods are unclear, with some privacy policies disclosing that they retain information as long as necessary to provide services. footnote65_urcu7db 65 See, e.g. “JVCKENWOOD USA Corporation Privacy Policy,” last updated July 1, 2020, https://policy.us.jvckenwood.com/privacy.html. (“JVCKENWOOD USA Corporation will retain your Personal Information for the period necessary to fulfill the purposes outlined in this Privacy Policy unless a longer retention period is required or permitted by for legal, auditing, or compliance purposes.”); “Raven Privacy Policy.” (“We retain your personal information only as long as necessary to facilitate the use of our products and services. When your cancel your subscription to our services, we will take steps to have your personal information deleted and erased.”)

Law enforcement access

  • Access via user: Law enforcement can ask the owner of the device to turn over the data. The device owner may be different from the car owner — for example, where an employer, partner, parent, or other person controls a device attached to a car.
  • Access via device manufacturer: Law enforcement can also request access for data directly from the company.
    • Compelled Disclosure: Depending on factors such as the sensitivity of the data or if a request relates to the content of communications, a warrant or subpoena may be legally required. Company privacy policies typically note that they will disclose user data where required by law. footnote66_498gswd 66 See, e.g., “JVCKENWOOD USA Corporation Privacy Policy.” (“JVCKENWOOD USA Corporation may share information about you for business purposes as follows or as otherwise described in this Privacy Policy . . . in response to a subpoena, legal order or official request, including lawful requests by public authorities to meet national security or law enforcement requirements.”); “Raven Privacy Policy.” (“Raven Connected may be requested or required by law to disclose personal information to proper law enforcement authorities, even though you might have requested that we do not share such personal information. This information may be necessary to identify, contact or bring legal action against anyone who may attempt to cause injury to another’s rights or property. We may also release your personal information when we believe the release is appropriate to comply with the law, enforce our policies, or protect ours or others’ rights, property, or safety.”)  However, in situations where legal obligations are unclear, it may be up to the company to make individual decisions about whether to push back against an overbroad request.
    • Voluntary Disclosure: Company privacy policies note that in situations such as emergencies or when the company believes it is necessary to protect their rights and property, they may also voluntarily hand over data to law enforcement. footnote67_m2r9j5w 67 See, e.g., “JVCKENWOOD USA Corporation Privacy Policy”; “Raven Privacy Policy.” However, depending on the nature of the company and the specific functionality of their product, there may be no legal restrictions that limit a company’s voluntary disclosure of data to law enforcement.

Possible uses of device data by law enforcement

  • Evaluate a person’s alibi or version of events.
  • Evaluate a person’s location or movements during a given time frame.
  • Verify whether someone was inside a car.
  • Evaluate voice recordings to help identify a suspect, victim, and more.

Transparency reports

  • Apple, Amazon, and Google publish summaries incorporating all disclosures of user data into an overall report that gives numbers across each company’s entire suite of products. These documents do not break down the number of law enforcement requests for data from each product or specify the type of data provided. footnote68_y8pztxn 68 See “Apple Transparency Report”; “Amazon Transparency Report”; and “Google Transparency Report.”
    • Transparency reports do not account for situations where users voluntarily turn over data to law enforcement.
  • Pioneer, Kenwood, OnStar, Garmin, Raven, and Vivint do not publish transparency reports.

Relevant legal cases and further reading

End Notes

VI. License Plate Readers

How they work and who makes them

  • How they work: License plate readers use a combination of cameras and computer software to scan and store the license plates as well as photos of every car passing by the device.
    • Through a user interface, users can set up “hot lists” to alert them whenever a particular car passes by or leaves a neighborhood.
    • Companies also retain license plate information for future uses. These uses may include data sharing with law enforcement and with other customers who have “a legitimate commercial interest,” footnote69_okocaqf 69 See, e.g., “Vigilant Solutions Usage and Privacy Policy,” accessed December 16, 2020, https://www.vigilantsolutions.com/lpr-usage-and-privacy-policy. (“The company authorizes collection of LPR data for the use of the company and its customers consistent with this policy. The authorized uses of the ALPR system are . . . (1) By customers to identify or ascertain the location of a specific vehicle under circumstances when there is a legitimate commercial interest . . . (2) By law enforcement agencies for law enforcement purposes . . . (3) By the company to make LPR data available to customers and law enforcement agencies (LEAs) for the purposes above, and to provide market research information to customers based on aggregated LPR data.”)  such as repossession services on behalf of creditors. footnote70_947t7kt 70 See, e.g., Susan Crandall,“Vigilant Solutions Bolsters Commercial LPR Database through Agreement with Plate Locate,” Digital Recognition Network, April 19, 2018, https://drndata.com/vigilant-solutions-bolsters-commercial-lpr-database-agreement-plate-locate/.
  • Who makes them: Companies selling these devices include Flock Safety, Vigilant Solutions, and Obsidian Integration.

What kinds of data are collected and how long is data retained

  • Data about the owner: These devices may record the name, phone number, email, zip code, footnote71_bc80c4q 71 “Privacy Policy for Flock Safety,” last updated July 10, 2020, https://www.flocksafety.com/legal/privacy-policy.  usernames, affiliated organizations, and IP addresses of anyone who accesses the license plate reader data. footnote72_s0yyaqk 72 “Vigilant Solutions Usage and Privacy Policy.”
    • Vigilant Solutions logs how its customers use their products, and occasionally audits these logs. footnote73_ld81xyi 73 “Vigilant Solutions Usage and Privacy Policy.”
  • Data about cars: Some devices may record video and still images of cars and license plate scans, as well as the date, time, and location associated with this data. footnote74_y2md596 74 See, e.g., “Privacy Policy for Flock Safety”; “Vigilant Solutions Usage and Privacy Policy.”
  • Environmental data and data about the license plate reader: Some devices collect temperature and ambient light information. footnote75_dphyoab 75 See “Privacy Policy for Flock Safety.”  Additionally, companies maintain records on the serial number, software version, cellular signal strength, and geolocation of their license plate readers. footnote76_fs66868 76 See, e.g., “Privacy Policy for Flock Safety.”
  • Retention: Flock Safety retains video and audio information for 30 days, although users can save and retain data indefinitely. footnote77_hxqfdm6 77 Flock Safety ALPR Policy,” accessed December 16, 2020, https://www.flocksafety.com/alpr-policy.  Vigilant Solutions retains data as long as it has “commercial value.” footnote78_rjj5i44 78 See “Vigilant Solutions Usage and Privacy Policy.”

Law enforcement access

  • Access via user: Law enforcement can ask the owner or any user with access to the data to voluntarily disclose it. Companies like Flock Safety create user interfaces that allow users to either share information with police on a case-by-case basis or to allow the police to have direct access to the system. footnote79_3to0cz5 79 See, e.g. “Neighborhoods Stop Crime in Their Community with License Plate Readers,” KCTB5 Kansas City, https://www.youtube.com/watch?v=fXqFj4H6XKg (Uploaded by Flock Safety).
  • Access via device manufacturer: Law enforcement can also request access for data directly from the company.
    • Compelled Disclosure: Depending on factors such as the sensitivity of the data, a warrant or subpoena may be legally required. Company privacy policies typically note that they will disclose user data where required by law. footnote80_988chtp 80 See, e.g., “Vigilant Solutions Usage and Privacy Policy”; “Terms of Service for Flock Safety.”  However, in situations where legal obligations are unclear, it may be up to the company to make individual decisions about whether to push back against an overbroad request. Flock Safety also reserves the right to use and disclose aggregated data the company collects for unspecified “crime prevention efforts.” footnote81_nxsyz5y 81 “Terms of Service for Flock Safety.” (“Customer acknowledges that Flock will be compiling anonymized and/or aggregated data based on Customer Data input into the Services (the ‘Aggregated Data’). Customer hereby grants Flock a non-exclusive, worldwide, perpetual, royalty-free right and license (during and after the term hereof) to use and distribute such Aggregated Data to improve and enhance the Services and for other marketing, development, diagnostic and corrective purposes, other Flock offerings and crime prevention efforts.”)
    • Voluntary Disclosure: Company privacy policies note that in situations such as emergencies or when the company believes it is necessary to protect against harm to the rights, property, or safety of the company, they may also voluntarily hand over data to law enforcement. footnote82_9fchn8w 82 See, e.g., “Terms of Service for Flock Safety.” (“For clarity, Flock may access, use, preserve and/or disclose the Footage to law enforcement authorities, government officials, and/or third parties, if legally required to do so or if Flock has a good faith belief that such access, use, preservation or disclosure is reasonably necessary to: (a) comply with a legal process or request; (b) enforce this Agreement, including investigation of any potential violation thereof; (c) detect, prevent or otherwise address security, fraud or technical issues; or (d) protect the rights, property or safety of Flock, its users, a third party, or the public as required or permitted by law, including respond to an emergency situation.”)  However, depending on the nature of the company and the specific functionality of their product, there may be no legal restrictions that limit a company’s voluntary disclosure of data to law enforcement.

Possible uses of device data by law enforcement

  • Verify cars and people present at the scene of a crime.
  • Establish relationships between people.
  • Track a particular driver’s location and movement over time.
  • Locate cars associated with AMBER alerts for abducted children.
  • Cross-reference state and federal databases with information on gang membership and unpaid fines.

Transparency reports

  • No transparency reports identified.

Relevant legal cases and further reading

End Notes