ANPR: Code and Rhetorics of Compliance

Christopher Parsons, [1] Joseph Savirimuthu, [2] Rob Wipond, [3] and Kevin McArthur [4]

Cite as: Parsons, C., Savirimuthu, J., Wipond, R., McArthur, K., 'ANPR: Code and Rhetorics of Compliance', European Journal of Law and Technology, Vol. 3, No. 3, 2012


ANPR systems are gradually entering service in Canada's western province of British Columbia and are prolifically deployed in the UK. In this paper, we compare and analyze some of the politics and practices underscoring the technology in these jurisdictions. Drawing from existing and emerging research we identify key actors and examine how authorities marginalize access to information about the systems' operation. Such marginalization is accompanied by rhetorics of privacy and security that are used to justify novel mass surveillance practices. Authorities justify the public's lack of access to information about ANPR practices and technical characteristics as a key to securing environments and making citizens 'safe'. After analyzing incongruences between authorities' conceptions of privacy and security, we articulate a means of resisting intrusive surveillance practices by reshaping agendas surrounding ANPR.

1. Introduction

Authorities have been invested in tracing the movements of citizens and foreign agents for centuries. Borders between and within states and regions have historically been sites to control and monitor the flow of populations, but only recently have socio-technical and bureaucratic systems 'actually developed the capacities necessary to monopolize the authority to regulate movement' (Torpey 2000: 7). While the passport was one of the earliest means of systematically tracking movement, licensing systems, often tangibly manifest as identity or driving cards, are now widely used to authenticate and identify citizens and foreign travellers circulating within the nation-state's borders (Froomkin 2009). Though passports and other identity authentication tokens function as an 'expression of the attempt by modern nation-states to assert exclusive monopoly over the legal means of movement' (Torpey 1997: 13), they mustn't be read in isolation: to track and trace individuals in a systematic manner presumes a hierarchical state with an interest in collating and disseminating information across state organs in a maximally efficient way using standardized communications mechanisms (Lyon and Bennett 2008: 15-6). [5]

There has been little comparative examination of how one of these 'track and trace' infrastructures, Automatic Number Plate Recognition (ANPR), has evolved. Such infrastructures are increasingly being deployed in Canada and the United Kingdom (UK), often in the face of public complaints or concerns. ANPR systems are in trial phases in Canada's westernmost province, British Columbia (BC), and are already widely deployed in the UK. This technological system is used to monitor vehicular movements. The technology's value is tied to how licensing techniques, such as those linking individuals to specific license plates, policing, insurance, and other third-party databases can be, and are, integrated with ANPR systems. Whereas the track and trace capabilities that were possible at the passport's inception required analogue investigation of individuals' documents, and where the investigation of citizens' vehicular movements previously required significant material and temporal resources on the part of the state, the contemporary linkage of multiple data stores with automated image sensing technologies enables a new ability to massively surveil resident and transient populations. As a result of systems such as ANPR, identity management politics have entered a new phase: while the 'card' remains a physical instantiation of the surveillance apparatus, it has now become the metaphor that weaves together a network of data streams that drive and enable public and private surveillance.

This paper evaluates and critiques this new means of identity management, concentrating on the role(s) of ANPR systems. We focus on BC and the UK to provide findings derived from a brief cross-comparative analysis of ANPR systems. This methodology lets us understand and contrast how privacy compliance narratives can be constructed to justify the institutional logic of predictive policing. More specifically, in the paper we first discuss how ANPR systems function, with particular emphasis on its potentialities and limitations. Subsequently we examine how these systems are deployed in BC and the UK (England and Wales). Here, the focus is on institutional configurations that sustain ANPR systems and on their contemporary dimensions within these respective jurisdictions. Though 'soft law' techniques and privacy management frameworks define the decision-making space within which ANPR operators function, examining the realities of ANPR deployments suggests real challenges in creating transparent and accountable mechanisms. In other words, it is not enough for ANPR users to assert compliance has been achieved, when there is very little basis for assessing how decisions are taken or mediated through curation algorithms. We conclude the paper by formulating measures to resist and mediate the intrusive surveillance capabilities of ANPR systems.

2. What is ANPR?

ANPR systems are public surveillance systems, insofar as they involve 'the focused, systematic and routine attention to personal details for purposes of influence, management, protection or direction' (Lyon 2007: 14). In the case of public authorities, ANPR systems are deployed because they can 'be valuable in preventing or solving many types of crime plaguing society' (Gaumont 2008); in effect, such systems are used to manage public space so as to maintain public order and discipline. However, given that ANPR systems collect large volumes of information that citizens have privacy interests towards - license numbers, photographs, and location - the collection of this information must be explained within the parameters established in privacy regulatory frameworks. Necessarily, then, ANPR systems are implicated within such frameworks on the grounds that they 'extract vehicle license plate information from an image or a sequence of images.' [6] Image extraction entails identifying the characters imprinted on vehicle license plates using infrared cameras and subsequently parsing the characters using optical character recognition processes. Successfully identifying plates involves correcting for plate size, angle of image capture, colour of the plate and its characters, occlusion, illumination, and other variables. The collection, storage and distribution of the data are matters for privacy compliance and management programs. After extracting the characters, the ANPR system can assume multiple functions, principally for freeway monitoring, linkage with electronic payment systems (e.g. toll payment, parking fee payment) (Du, Ibrahum, Shehata, and Badawy 2011), or being interfaced with policing and insurance databases for law enforcement purposes. In the course of this paper we exclusively speak to how ANPR systems are used for policing purposes. [7]

ANPR systems that are currently deployed by police are typically linked to, or use data associated with, databases that are formally outside of the ANPR systems' immediate scope (e.g. RCMP 2009, ACPO NPIA 2009). Memorandums of understanding or other legal arrangements are often established so that data from central policing databases containing license plate information, or insurance databases run by public and private insurers, can be drawn into an ANPR-specific 'hit' database. In this way a new, ANPR, database is initially loaded with information about specific license plates. These 'hit databases' are, in effect, a function-creep consequence of data permeability across databases that were rarely, if ever, designed with ANPR surveillance in mind. Data records from the ANPR hit databases are subsequently made available to ANPR sensing equipment, including fixed cameras along major roadways, cameras permanently affixed to authorities' vehicles, and temporary camera installations attached to either vehicles or built infrastructure. Making data available often entails temporarily downloading information to local data storage equipment (e.g. USB thumb drives, small amounts of memory integrated with the camera sensing equipment) from the ANPR hit database or regional policing databases (RCMP 2009) or, alternately, having an ongoing data link between camera installations and the hit database, where the camera unit possesses either a live data link or 'fast track' capabilities (ACPO NPIA 2009). ANPR systems will typically have two broad definitional categories for plates that are identified using ANPR: 'hits' and 'non-hits.' Hits correspond to data derived from policing and insurance databases - plates of interest to authorities; non-hits are all other scanned license plates.

Figure 1: An ANPR Data Flow Diagram

When a camera scans a license plate, it evaluates whether the plate is a 'hit' or not. In the case of a hit an alarm will sound and alert the officer that a plate of interest has been identified by the camera. This analysis and alerting functionality is perceived as facilitating 'operational readiness' by providing contemporary technologies to policing organizations (RCMP 2009: 18). Policing practices vary at this point but in many cases officers are instructed to double-check the camera's accuracy before pulling over a vehicle and its driver (RCMP 2009, Lum, Merola, Willis, and Cave, 2010: 2). When license plates are registered by the system they are immediately linked with temporal and geo-locational information (RCMP 2009, ACPO NPIA 2009). This geo-temporal information can subsequently be uploaded to the ANPR collection database and, over time, be used to map movements of persons/vehicles of interest. Some ANPR systems also enable police officers to 'live query' master ANPR databases so that they can see where either hit or non-hit vehicles have been previously sighted (ACPO NPIA 2009, Priest and Arkin, 2011: 141). When integrated with Global Information Systems (GIS) this facilitates profile-building and migration pattern awareness.

2.1 A Non-Neutral Technology

At a superficial level, ANPR systems can be viewed as technology-neutral tools. These systems are often framed as having a purely functionalist role in policing, a role that is devoid of ideological imperatives and subjective assessments. This position is often evident in how law enforcement frames the technology as merely another tool meant to remedy public order issues. Law enforcement justifies ANPR-based surveillance by arguing that the system is used to 'improve productivity' of officers or that its utility lies 'in preventing or solving many types of crime plaguing society' (Gaumont 2008). Such statements do not shed light on how to negotiate boundary management issues related to civil rights and privacy issues, specifically those related to individuals' autonomous rights to move freely in public spaces without fear of discrimination. Moreover, contractual arrangements such as Memoranda of Understanding (MOUs) or other informal data sharing arrangements that provide data for ANPR systems to query against often encompass a number of organizations. The outcome of these institutional arrangements is that identifying violations of privacy rights becomes time consuming, costly and complex. While to non-experts and the general public, MOUs and Privacy Impact Assessments (PIAs) are seen as essential safeguards against arbitrary exercise of power and inconsistent decision-making, our research has found that such documents fail to safeguard the public against broad public surveillance. Indeed, research conducted by the Washington Post concerning the use of ANPR in America found that ANPR systems can 'track observations that may have no criminal connotation alone but which, when correlated, could be suggestive' (Priest and Arkin 2011: 141, see also: Lum, Merola, Willis, and Cave 2010: 70-1). This speaks to a significant problem insofar as failing to pierce institutional arrangements concerning data collection, aggregation, and analysis processes related to ANPR systems can prolong discrimination based on monitoring non-criminal behaviour.

Law enforcement authorities have largely not addressed the tension between the functionalist uses of ANPR and the actual impacts of ANPR-driven surveillance; they have not dealt with how the unobstructed collection and sharing of personal information could lead to discrimination against citizens and, consequently, infringe on citizens' reasonable expectations of privacy (Boa, 2007). As La Forest J stressed in R v Duarte (1990), clear frameworks regulating State use of electronic surveillance are needed:

'The reason for this protection is the realization that if the state were free, at its sole discretion, to make permanent electronic recordings of our private communications, there would be no meaningful residuum to our right to live our lives free from surveillance. The very efficacy of electronic surveillance is such that it has the potential, if left unregulated, to annihilate any expectation that our communications will remain private.' [8]

The Supreme Court of Canada has similarly asserted in R v Dyment (1988) that privacy is among the essential rights and freedoms, writing:

'Grounded in man's physical and moral autonomy, privacy is essential for the well-being of the individual. For this reason alone, it is worthy of constitutional protection, but it also has profound significance for the public order. The restraints imposed on government to pry into the lives of the citizen go to the essence of a democratic state.' [9]

In both Canada and the UK, surveillance must be proportional to the problem at hand and clearly rationalized. Especially in cases of broad-based surveillance the party responsible for deploying and utilizing the surveillance technology must clearly rationalize why they require the technology. Critically, without such a rationale, without defined parameters for using the technology, and without effective regulatory oversight, there is a risk of law enforcement authorities across a country adopting varying approaches and standards for predictive policing strategies related to ANPR.

In what follows we examine the deployment of ANPR in British Columbia and the UK, examining how state institutions negotiate the tradeoffs between expanded policing capacities and privacy protections within the framework of privacy regulations. As will be discussed, a core risk associated with these systems in both BC and the UK is that, over time, poor data confidence rates will lead to inaccurate database polling and evaluation which will, in turn, promote highly questionable suggestions of criminality. Consequently, not only are the institutional arrangements integrated with ANPR technologies challenging to unravel and gain insight into, but the very systems themselves are critically flawed with regards to their basic functionality.

3. State Institutions and ANPR

ANPR systems can facilitate predictive policing, insofar as they collect large amounts of data that can subsequently be used to deploy policing resources prior to a person committing a disorderly action. As police have deployed these systems, often with support of government, they have had their actions scrutinized by individuals who exercise their privacy and access to information rights. In this section we explore how and why ANPR systems have been, and presently are, configured and their relationship with domestic political institutions and conditions. In discussing BC and the UK we first outline the key actors invested in the ANPR policy networks. From there we discuss how law enforcement authorities, in particular, have pursued an 'institutional logic' towards questions of what information can be accessed and by whom. The outcome of this logic has been to impose severe externalities on individuals and organizations trying to learn about the actual practices and uses associated with ANPR surveillance systems.

3.1 British Columbia

Deployments of ANPR in British Columbia have been driven by the federal policing force, the Royal Canadian Mounted Police (RCMP). The RCMP are, in addition to federal authorities, contracted by the province of British Columbia to provide provincial and some regional policing services. ANPR was, and continues to be, an RCMP-driven surveillance process (VicPD 2011). In the course of justifying and deploying ANPR systems they have been in contact with federal and provincial privacy commissioners, and non-RCMP municipal policing forces. The ANPR policy network in BC is thus very small, with only the most limited media awareness of the projects prior to the efforts of locally situated privacy advocates.

3.1.1 The Actors

Whereas ANPR systems were first deployed in Great Britain as a response to security unrest, in Canada the technology was used initially to address administrative demands associated with toll-road applications (Bennett, Raab, and Regan 2003) and for border management processes (Gaumont 2008: 3). The first indication of its expanding role can be seen in 2006 when the RCMP began using the technology for 'traffic and criminal code enforcement' (Gaumont 2008: 3). Issues regarding civil liberties and privacy matters were not prominently opened up to public scrutiny until 2009 when the RCMP was legally compelled to release its Privacy Impact Assessment (PIA) report under Canadian access to information and privacy laws. [10]

The policy narrative justifying the eventual deployment of ANPR systems across the entire country is telling (RCMP 2009: 15). According to the PIA, the rationale for deployment was described as being an integral part of operational policing activity, namely, to address 'road safety issues and stolen vehicles' and not 'as an intelligence gathering tool' (RCMP 2009: 20). The fact that the RCMP felt the need to make this distinction is important as it also highlights law enforcement's awareness of the anxieties surrounding their use of surveillance technologies. Concerns about law enforcement data retention policy were avoided by making clear that hit data was stored for two years whereas non-hit data was kept for no longer than sixty days. In subsequent updates to the ANPR system non-hit data was designed to be purged post-collection, when it was uploaded from sensing devices to an ANPR collection database (RCMP 2010: 2). There is a controversial dimension at play here, which needs to be highlighted. The power vested in law enforcement raises questions about how authorities will use the data that is collected, as well as about the discretions that are taken in establishing which information is - or isn't - retained, processed, and categorized. Specifically, which criteria are used to establish the 'hit' category speaks to how the organization balances the privacy interests of the data subjects with that of the law enforcement's policing goals. We consider some examples below to illustrate the significance of the construction of the ordinary policing/intelligence distinction.

Hit data categories, at the time the PIA was prepared, included the following from the Canadian Police Information Centre (CPIC): Stolen vehicles, Accused Person, Court Action, Missing Person, Parolee, Prohibited Person, Refused Person, Special Interest to Police, Wanted Person. These categories are extensive and effectively create a State surveillance database. Anyone with a criminal code offence but who is not wanted on warrant is included, as are persons who have custody of a child as specified by an order of the court, as are persons who have an order of prohibition against them with regard to liquor, firearms, vehicle driving and boat operation, hunting, or any other court or statute imposed prohibition, as are persons police identify as threats to themselves by reasons of an apparent mental disorder. [11] Furthermore, provincial data is drawn from the Insurance Corporation of British Columbia (ICBC) and includes Unlicensed Drivers, Vehicles with no Insurance, Prohibited Drivers, and Suspended Drivers (RCMP 2009: 37-41). In addition to these database categories, early versions of the RCMP's 2009 PIA noted that other data elements, such as 'race, ethnic origin, gender, blood type, financial transactions etc' were also being, or planned to be, retained in the ANPR database (Office of the Privacy Commissioner of Canada 2009). At some point between the Office of the Privacy Commissioner of Canada's (OPC) evaluation of the ANPR program and the final PIA released by the RCMP, all mention of these other data elements was purged, though it remains unclear whether the data was ever, actually, integrated into the database. We can now perhaps detect how the construction of the narrative has the potential to lead to highly sensitive issues being integrated into policing databases for policing operations without close regulatory oversight or public scrutiny.

To its credit, the OPC raised a set of concerns regarding the operation of the ANPR program. It noted that, despite RCMP statements to the contrary, the ANPR systems collected Personally Identifiable Information (PII) on the basis that there are links between license plates and identifiable individuals. In effect the link between a number and person in databases - as opposed to between the number and a picture of a person - was sufficient to constitute PII. While the OPC expressed serious concerns about how new ANPR hit and collection databases would be secured, it left no doubt that it was staunchly opposed to the collection of non-hit data; such data, in its words, was to 'be destroyed immediately' upon capturing it 'so as to eliminate the possibility of a breach' (Office of the Privacy Commissioner of Canada 2009: 7). Concerns were also raised about the accuracy and integrity of retained personal information - a topic that will be addressed in a subsequent section - as well as around access to information. Furthermore, the OPC recommended that a process that was independent of formal Access to Information and Privacy (ATIP) requests be established so that citizens could ascertain whether their PII was contained in an ANPR-related database (Office of the Privacy Commissioner of Canada 2009: 3-8). To date, such an alternate means of accessing stored information has not been established.
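The three approaches to non-hit data discussed above (retention for up to sixty days in the 2009 PIA, purging at upload in the later update, and the OPC's recommended destruction on capture) can be compared by counting how many non-hit location records exist at each stage of the data flow. The Python sketch below is an added illustration, not code from the RCMP, the OPC or any ANPR vendor; the class names, plates and coordinates are constructed, and 'two years' is assumed to mean 730 days.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum

HIT_RETENTION = timedelta(days=730)     # "two years" (assumed to be 730 days)
NON_HIT_RETENTION = timedelta(days=60)  # "no longer than sixty days"


class NonHitPolicy(Enum):
    RETAIN_60_DAYS = "2009 PIA: non-hits kept for up to sixty days"
    PURGE_ON_UPLOAD = "later update: non-hits purged when uploaded"
    DESTROY_AT_CAPTURE = "OPC recommendation: non-hits destroyed on capture"


@dataclass(frozen=True)
class Sighting:
    plate: str
    seen_at: datetime
    location: tuple  # (latitude, longitude)
    is_hit: bool


def normalise(plate):
    """Strip whitespace and upper-case so 'abc 123' matches 'ABC123'."""
    return "".join(plate.split()).upper()


class CollectionDb:
    """Hypothetical stand-in for the central ANPR collection database."""

    def __init__(self):
        self.records = []

    def purge_expired(self, now):
        def keep(r):
            limit = HIT_RETENTION if r.is_hit else NON_HIT_RETENTION
            return now - r.seen_at <= limit
        self.records = [r for r in self.records if keep(r)]

    def count(self, is_hit):
        return sum(1 for r in self.records if r.is_hit == is_hit)


class CameraUnit:
    """Hypothetical in-vehicle unit holding a downloaded copy of the hit list."""

    def __init__(self, hit_list, policy):
        self.hit_list = {normalise(p) for p in hit_list}
        self.policy = policy
        self.local = []  # sightings held on the device until end of shift

    def scan(self, plate, seen_at, location):
        plate = normalise(plate)
        is_hit = plate in self.hit_list
        # Under DESTROY_AT_CAPTURE a non-hit never reaches device storage.
        if is_hit or self.policy is not NonHitPolicy.DESTROY_AT_CAPTURE:
            self.local.append(Sighting(plate, seen_at, location, is_hit))
        return is_hit

    def upload(self, db):
        # Only RETAIN_60_DAYS lets non-hits enter the collection database.
        for r in self.local:
            if r.is_hit or self.policy is NonHitPolicy.RETAIN_60_DAYS:
                db.records.append(r)
        self.local = []


# Constructed sample data: one plate of interest, five scans in one shift.
SHIFT_START = datetime(2012, 1, 1, 8, 0)
HIT_LIST = ["HIT 001"]
SCANS = ["abc 123", "HIT001", "DEF 456", "ghi789", "JKL 012"]


def simulate(policy):
    """Return alert count and (hits, non_hits) held at each checkpoint."""
    unit, db = CameraUnit(HIT_LIST, policy), CollectionDb()
    alerts = sum(
        unit.scan(p, SHIFT_START + timedelta(minutes=i), (48.43, -123.37))
        for i, p in enumerate(SCANS)
    )
    out = {"alerts": alerts,
           "device_non_hits": sum(1 for r in unit.local if not r.is_hit)}
    unit.upload(db)
    for day in (0, 30, 61, 731):
        db.purge_expired(SHIFT_START + timedelta(days=day, hours=10))
        out[f"db_day_{day}"] = (db.count(True), db.count(False))
    return out


if __name__ == "__main__":
    for policy in NonHitPolicy:
        print(policy.name, simulate(policy))
```

Every policy raises the same single alert; they differ only in how many records of vehicles that were of no interest to police sit on the device and in the collection database, and for how long.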

The RCMP functions as federal and, in BC, provincial authorities. As a result of the RCMP's partnership with the province's sole government insurer (ICBC) and municipal policing authorities, the provincial privacy commissioner was also apprised of the ANPR system. After the Office of the Information and Privacy Commissioner (OIPC) learned about the ANPR system in 2010, it also identified several grounds for concern. A municipal policing force, the Victoria Police Department (VicPD), was told that the ANPR system was capturing personal information, which stood in contradiction to the department's 'suggestion,' in earlier consultations, that no PII was collected. The Office also raised worries about the scope of data collection, because the PIA developed by the RCMP was designed to meet federal, not provincial, privacy law. Consequently the OIPC asked for 'a list of the proposed alerts and an explanation for the rationale for the collection' (OIPC 2010: 2). The OIPC also noted that VicPD would have to apprise the office of data retention plans and rationales, as well as a 'detailed explanation for any proposed secondary use of personal information gathered' along with an 'evaluation of the authorities for such further use or disclosure under FIPPA' [12] in order to demonstrate compliance with BC's provincial privacy legislation (OIPC 2010). From documents received under ATIP and Freedom of Information (FOI), it remains unclear whether local authorities responded to the OIPC's concerns at the time. It is clear, however, that ANPR systems were being purchased before VicPD's information and privacy manager received responses to the Commissioner's questions; in one email thread she was advised not to go on television until 'those privacy issues' were resolved, a point on which she agreed (VicPD 2010: 46-7).

In addition to this small group - RCMP, VicPD, and federal and provincial privacy commissioners - there was a small amount of media coverage on ANPR, typically praising its general effectiveness. Significant media attention to the technology began in early 2012 with the publication of two magazine articles critical of ANPR (Wipond 2012a, 2012b) and an academic presentation on BC deployments of ANPR (Parsons, Wipond, McArthur 2012). With the OIPC's mid-2012 announcement that they would formally investigate ANPR deployments in BC a swathe of provincial and national media coverage arose. This coverage led to privacy advocates and policing bodies being routinely quoted in media about the threats and merits of the technologies. The aforementioned media interest in ANPR is largely the result of ongoing research by three civil rights advocates located in BC. The BC group is composed of an advocate/journalist who has conducted interviews, written articles, and submitted ATIP and FOI requests (Rob Wipond), an advocate/researcher located at the University of Victoria (Christopher Parsons), and an advocate/technologist who is actively invested in digital privacy and security issues (Kevin McArthur). [13] Their efforts have been supplemented by long-standing civil rights groups throughout BC who have provided legal and strategic assistance, though these three have so far been the principals on this issue in the advocacy community in BC.

3.1.2 Marginalizing Access

Canada, like most other Western nation-states, has laws to secure citizens' personal data from unjust or non-consensual collection, use, and disclosure. These laws and associated Privacy Commissioners, while somewhat less comprehensive than EU privacy and data protection laws (Newman 2008), are nonetheless regarded as 'reasonably effective' despite some shortcomings (Flaherty 1999). Deeply associated with provincial and federal privacy legislation are access to information laws. Such laws are intended to force the disclosure of information to the public and thus act as a control on government generally (Burkert 2007) though, as documented by Gilbert (2000), secrecy is a pervasive aspect of the Canadian Westminsterian system. Access to information legislation in fact has led to the cessation of some record keeping, primarily of deliberations and meetings, so as to avoid creating document trails that could subsequently be disclosed to the public.

Journalistic interviews were repeatedly conducted with ATIP and FOI officers working for policing forces in Canada, and have regularly been stymied by efforts to mislead or flatly deny the existence of ANPR-related documents. Rather than detailing all of these encounters, a small sample is provided of multiple encounters. At the municipal level, researchers contacted the VicPD and filed a request for all documents of all types pertaining to the ANPR system. The Information and Privacy officer stated that:

'We actually don't have a program … Everything goes through [the RCMP]. We don't have documents per se. Everything, we receive everything from them. It's on a USB stick.' When a follow-up question was asked to confirm that there were no documents, no email, or other correspondence about the program, the officer stated that they would 'do a little more research and hopefully there's some kind of administration [sic] paper trail.' [14]

Days later the officer responded that they had found 'the policy, I have board minutes, I have some emails between the RCMP and myself … I have 2 years of emails here.' [15] In the same interview, the officer insisted that there was 'no bullet here' and that all the communications reflected positively on the program. When all was told, over 700 pages of documents were disclosed. On inspection of the documents, it was evident that the officer was either the recipient or author of a significant portion of the ANPR-based communications. This was just one of many efforts to marginalize access to information about a system that we know, from their own correspondence, was something that might have 'privacy issues.'

The municipal authorities, however, are not administrators of ANPR programs. Their ANPR-outfitted vehicles are used to identify vehicles and store locational surveillance information, but data is downloaded from an RCMP-controlled hit database and uploaded to other, also RCMP-controlled, collection servers at the end of shifts. Our efforts to access information from the RCMP have largely been stymied; the initial access request was for all documents, memoranda, reports, and correspondence related to the ANPR program. RCMP ATIP officers have routinely sought to force a reduction of the scope of the request while refusing to assist in limiting this scope. As an example, after we asked for email messages, an ATIP officer stated:

'with our system [sic] emails are kept only for 90 days. And unless you give us specific names of employees, we won't be able to search for emails in regards to the ALPR system. Unless they were filed into specific files, or you give us specific names of employees. So we wouldn't be able to search for emails.'

A follow-up question, 'Is that legal?' was met with '[slight laugh] I'm just telling you what happens.' [16] This server-based email retention policy limits access to communications by simply not automatically storing them beyond a 90-day period. The requirement to narrow searches to specific officers when researchers are unlikely to know who is involved in specific projects further undermines their capability to learn about these projects. While some RCMP officers retain records beyond the 90-day policy there is no standard retention policy that we were provided with. Without a clear guide or policy around email record retention it is challenging, at best, for the public to request access to information insofar as the conditions for its very existence are unclear.

Assistance is mandated under Federal Access to Information laws. The RCMP have been reminded of this requirement by the federal Information Commissioner (OICC 2012) in light of formal complaints concerning their intransigence in responding to ANPR-related ATIP requests. RCMP have simply stopped, refused, ignored, or improperly closed access requests related to the ANPR system; the Information Commissioner has noted the impropriety of such actions. [17] At the time of publishing, well over a year after the first ATIP request was sent to the RCMP, only a handful of documents had been received, and only 2 were documents that were not publicly available. No email, memos, or other policy briefings had been disclosed. Most documents pertaining to RCMP involvement in ANPR programs have instead come through third-party sources, such as the VicPD and the OPC.

These are but three of dozens of ATIP challenges that researchers have encountered with authorities, and they speak to a willingness by government ATIP officers to marginalize access to government documents. While some scholars see access and privacy laws as legitimizing surveillance practices (e.g. Lyon 2007, Rule 2007, Haggerty and Ericson 2007) in our experience such legitimization is marginal: these laws have been rhetorically, as opposed to substantively, actualized by BC's provincial, or Canada's federal, policing body. As noted in the preceding paragraphs, it should be apparent that the Canadian experience around ANPR demonstrates not freedom of information: it demonstrates a governmental fear of releasing information to the public. One conclusion drawn from these vignettes is the tendency for law enforcement to make subjective assessments about the use of ANPR systems to further their institutional goals.

3.2 United Kingdom

There is much to learn from BC's civil libertarian spirit and persistent investigative journalism. While the UK media may not have published extensive accounts about law enforcement attempts to be evasive in how they use ANPR systems, this lack of accounting does not mean that we have a healthy culture of compliance. It may be that these agencies have not been exposed to the penetrative strategies adopted in BC. However, in view of the longstanding criticisms of law enforcement and public authority regarding their use of CCTV and databases, it would be reasonable to assume that similar concerns may exist (EDPS, 2010: 4, Travis, 2010, Thames Valley Police, 2010, and S and Marper v UK [2008] ECHR 1581). Notwithstanding the absence of documented arbitrary decision-making, there are nevertheless some accountability issues that have emerged in the UK that reflect the provenance of an 'institutional logic' within the fragmented and sometimes contradictory approach to addressing surveillance concerns (Raab and Goold, 2011, Big Brother Watch, 2012). While beyond the scope of this paper, we note that the piecemeal approach to securing institutional compliance with regard to ANPR systems is challenging at best; not only is PII held by the public sector but there is a fragmented framework regarding organizations' accountability in handling personal information (e.g. Data Protection Act 1998, the Human Rights Act 1990, the Freedom of Information Act 2000 (FOIA) and the Regulation of Investigatory Powers Act 2000 (RIPA) and more recently the Protection of Freedoms Act 2012.) (AG Reference (No.5 2002), 2004: paragraphs 27-28). Commentators, for example, have expressed concern that unlike Article 8 ECHR (which is given effect by s2(1) HRA 1990) RIPA permits visible surveillance which is not intrusive and satisfies the grounds under which PII is obtained (Taylor, 2011). Additionally, the protection of PII is complicated by the lack of coherence, confusing interplay of differing regulatory rationales and limited resources (Raab and Goold, 2011: 13).

ANPR systems have been used in the UK since 1990 by law enforcement. Their use was initially confined to gathering intelligence with a view to policing serious and organized crime. The rationale underpinning its present value is that all available methods for detecting and investigating crimes should be employed where criminals rely on vehicles to perpetrate criminal activity. During the last decade the Government and private sector have invested heavily in fixed and mobile surveillance technologies (Home Office 1994). ANPR systems are now an integral part of modern operational policing activity (Gill et al. 2005); local police forces use the cameras to track stolen and uninsured vehicles as well as to tackle serious and organized crime and threats posed by terrorism. The ANPR system is part of the Police National Computer (PNC) network. The PNC provides a national intelligence database which, in addition to ANPR generated data, includes search engine functionalities to identify known suspects, provide details of vehicles, and map criminal incidents and patterns (NPIA 2010a). ANPR 'hits' that are transmitted to the National ANPR Data Centre (NADC) are cross-referenced with datasets in the PNC. If a match is generated (e.g. stolen vehicle or vehicle used in a robbery) an alert is immediately sent to an officer monitoring the system. Data held in the NADC is provided by police forces and it is estimated that the national ANPR network generates, on average, 16 million real time 'reads' each day. The National Policing Improvement Agency (NPIA) has acknowledged that some local forces have arrangements with local authorities and private sector organizations to jointly operate ANPR cameras for criminal detection and investigation purposes only (ACPO NPIA, 2009).

3.2.1 The Actors

The NPIA has primary responsibility for the Police National ANPR Programme (Programme) in England and Wales (NPIA 2010b). The agency delivers the Association of Chief Police Officers (ACPO) Strategy on ANPR (ACPO 2010). Oversight for implementing the strategy resides with its principal stakeholders, which include the NPIA, ACPO, the Association of Police Authorities, the Serious Organized Crime Agency, and the Ministry of Justice (ACPO NPIA, 2009). Police forces have access to the NADC upon signing the Memorandum of Understanding, which sets out duties and obligations relating to access and use of the information. In addition to overseeing the development and management of the Programme, the NPIA also provides police forces with guidance on managing and using information in the database. The Agency works closely with the ACPO and the Information Commissioner's Office to ensure that privacy concerns are addressed at operational levels. The widespread use of ANPR and CCTV technologies across the public and private sector has raised concerns about potential misuse and discrimination as well as about the lack of a coherent strategy towards the applicable processes for transparency, accountability, and compliance (EVSA, 2011). While all 'data controllers' are bound by the 1998 Data Protection Act (DPA), the lack of a statutory framework regulating ANPR raises concerns about the extent to which ANPR data is being retained, used, and shared across the various operators. [18]

The pattern of limited transparency about ANPR systems that was noted in the BC discussion is evidenced in the UK. The problem of promoting accountability and transparency is exacerbated by the fact that UK citizens have recently had a layer of regulatory and institutional complexities introduced. For example, data collected from an ANPR system is 'owned' by individual police forces. As the identification of the car and individual by the vehicle registration mark (VRM) constitutes PII, data controllers are under an obligation to comply with their responsibilities under the DPA 1998. Subject access requests may, however, be processed through different mechanisms; either by Data Protection or Freedom of Information Offices within local police authorities. Given the extensive use of information captured by ANPR systems, and sharing arrangements between police and other agencies, there is a public perception that retention practices, use of 'reads' for the Driver and Vehicle Licensing Agency (DVLA) auditing, and sharing information for detection and investigation, operate outside the safeguards provided by the DPA 1998. [19] There is some basis for this perception, as the wide exemptions under Part II of FOIA 2000 make it difficult for data subjects and privacy advocates alike to access meaningful data (see later discussion).

3.2.2 Marginalizing Access

If we view data generated by ANPR as a form of automated surveillance that is driven by contemporary policing goals, it should not come as a surprise to discover that citizen access to information about ANPR depends on clearing a series of procedural and bureaucratic processes (Norris, Moran and Armstrong, 2006: 256-258). [20] ACPO's ANPR strategy and policies for ensuring efficient flow of information not only shape how police forces view such data, but also implicate the way law enforcement subsequently frames the scope of legal rules for accountability and access. [21] ANPR data is not seen simply as information meant to alleviate administrative burdens. Law enforcement views such data as 'intelligence'. The usage of this term reflects a narrative that portrays collecting and using ANPR-related data as akin to attaining national security objectives. The association between a national security narrative and ANPR provides authorities with justifications for exercising discretion over how they use this data. By sustaining this narrative, authorities can also justify their decisions to limit transparency concerning the usage of ANPR, insofar as making clear how 'hit' and 'non-hit' data is collected and used could threaten the stability of the State itself (Article 29 Working Party Opinion 168, 2009: 18-21).

In what follows we discuss how authorities exercise discretion and thus limit access to information about ANPR deployments in the UK. Specifically, we examine the case heard by the Information Tribunal in Mathieson v IC & Devon & Cornwall Constabulary (2010) to unpack how access requests are stymied. The complainant in this case requested, under the FOIA 2000, disclosure of the location of ANPR cameras and CCTV cameras with ANPR functionalities operated by the Devon & Cornwall Constabulary. The request was turned down on the grounds of national security (s. 24) and crime prevention (s. 31). What is interesting here is not so much the way the specific data relating to ANPR systems was classified. Rather, operational policing codes of practice were used to restrict awareness of basic facets of the systems, and the codes were effectively exercised to re-define how privacy regulation was interpreted and to limit what information could be disclosed. The challenge raises an important issue regarding the reliability and legitimacy of decision-making processes; it is a leap of faith to suggest that identifying the location of the devices undermined national security and crime prevention intelligence policies. More crucially, the acceptance of this framing of the issue is worrying, as the ICO upheld the refusal notice on the grounds that the public interest justified nondisclosure. The successful appeal to the Information Tribunal may provide a clear pointer for the future; the Tribunal stated that law enforcement employees who are responsible for responding to public requests for data must emphasize the tangible adverse consequences that might follow from disclosing sensitive information whenever refusing to fulfil citizens' requests. The Tribunal remarked that even though ANPR could be utilized as an intelligence tool and thereby engaged ss. 24 and 31, non-disclosure had to be justified and not readily assumed:

'There is also a clear public interest in citizens being able to judge whether the police are using this technology in the most effective way. Thus, there were (and are) legitimate and important issues for public debate (a) as to whether the APNR system should be used at all; (b) if so, as to where cameras should be located and whether (in general) their location should be public knowledge or not; and (c) as to whether 'read' data should be retained at all or, if so, for as long as two years and as to what use should be made of them… .' [22]

In particular, the general debate about whether it is better for the location of fixed ANPR cameras to be completely open and provide a so-called 'ring of steel' or scattered (and relatively covert) is still one that can be pursued without the public knowing the precise location of the cameras; and there is no evidence that the Respondent was in fact using the ANPR system improperly, for example to focus wrongly on a particular community.

The key point here, as the House of Lords Select Committee on the Constitution (HoL SCC) was at pains to stress, is that any use by the State of surveillance technologies and personal information must be preceded by demonstrable evidence that the effects on privacy have been taken into account. Moreover, it must be proven that such privacy-invasive practices 'are proportionate to those objectives' (HoL SCC 2009: para. 69). At present there is an inability to learn where data is collected, thus limiting citizens' awareness of the extent of state surveillance. Such surveillance, and subsequent use of personal information, can undermine privacy and limit the freedom of the individual (OSC 2006: para. 14.2). The potential intrusiveness of ANPR technologies should not be underestimated, particularly as the data generated can be processed, shared and used by a wide range of actors without effective regulatory oversight. Further, the Tribunal's suggestion that not knowing where cameras are located does not detract from public discourse is only academically accurate. As scholars of agenda-setting and public policy have written, abstracted harms have a remarkably harder time capturing the public imagination than programs that clearly relate to the public's daily business (e.g. Soroka 2002, Birkland 1997, Cobb and Ross 1997): discussions of ANPR remain largely abstract when the public doesn't know where the cameras are located. Consequently, such abstracted discussions of ANPR have a more limited capacity to capture the public - and media's - attention than a more concretely grounded discussion.

Existing practices - and access conditions - may be mediated in light of the recently passed Protection of Freedoms Act 2012. Specifically, it may lead the newly created office of Surveillance Camera Commissioner and the ICO to create a coherent process that brings public and private ANPR operators within its remit. While the ICO has begun this process and indicated that it has been working with police authorities to ensure that ANPR data is deleted after two years (ICO 2011: 11), truly improved access conditions have yet to be realized; UK citizens are still hindered in their ability to learn about deployed ANPR systems. The ICO's efforts may be assisted by the evolving privacy landscape which regulates the overt and covert use of surveillance technologies; Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) and the Code of Practice on CCTV and ANPR, as required to be introduced by section 29 Protection of Freedoms Act 2012, will create a transparent and accountable infrastructure for the collection, processing and use of personal information by surveillance technologies. It remains unclear, however, what specific and tangible avenues are, or will be, made available in view of the Surveillance Commissioner's participation in a regulatory space previously assumed by the ICO. [23]

4. State Framing of ANPR

Both Canadian and UK governments have been deeply invested in framing ANPR. In both nations, the management of risks is increasingly understood as a responsibility of law enforcement, and of public and private agencies (McCahill, 2006: 56). ANPR systems provide a 'systematic way of dealing with hazards and insecurities induced and introduced by modernization itself' (Beck, 1992: 21). The managerial role of the State is notable in its efforts to redefine or articulate what constitutes PII, in its attempts to justify the social sorting of the population, and in the State's overly strong suggestions about the accuracy of ANPR systems that are deployed. Combined, this framing can be understood within a tactical game meant to justify the technology and set media agendas that are essential to quelling or inciting public interest in state programs.

4.1 Personally Identifiable Information

Under Canadian privacy law, numbers that are correlated with, or proxy for, broader biographical information are considered personally identifiable information and thus deserving of protection (Kerr 2009: 349-351). This means that license plate information, social insurance numbers, and numbers associated with RFID tags have privacy expectations associated with them; that the number is, or isn't, publicly available does not mean that it is non-deserving of protections. In the case of license plate information, however, policing authorities have expressed mixed messages.

The RCMP's PIA varies in its depiction of license plate information: in some cases it is seen as deserving protections and, at other times, it is not (Wipond 2012a). Federal and provincial privacy commissioners have warned authorities that license plate information is, in fact, deserving of privacy protections (e.g. OIPC 2012); however, these warnings have (at best) been minimally integrated into policing discourses. In interviews with RCMP officers who operate the program, we were told that 'you don't own your license plate. Your license plate is owned by the jurisdiction that issues it … that image of the license plate or the image of your car are in there, neither of which are personal, because you're in a public place, and the courts have consistently ruled there's no expectation of privacy in a public place.' [24] It was only after extensive discussions with RCMP staff that we were formally informed via letter that the RCMP does consider license plate information PII, [25] though this has not prevented other officers from publicly stating that the plates are neither private nor personal. Even after receiving official notification from the RCMP declaring license plate data to be PII, Superintendent Denis Boucher, the head of the RCMP's traffic services, stated publicly that 'all we do is identify the hits. There's no personal information in the ALPR system. It's merely the license plates' (CBC 2012a). In discussions with members of Canada's privacy community, we have learned that the RCMP often adopts a contextually situated understanding of PII: when authorities are collecting it the information is not acknowledged as personal, whereas when members of the public or other government agencies request access to the information it is classified as personal to prevent its disclosure.

In the UK, the DPA 1998 is 'technology neutral' insofar as it applies to all forms of technologies that process PII. Accordingly, the DPA 1998 imposes obligations and responsibilities on the data collected via mobile and fixed ANPR cameras (Larkins). [26] As ANPR data constitutes 'personal data' under the 1998 Act it is incumbent on local police authorities to have clearly defined policies that address information collected by ANPR systems (ACPO 2011ab). Additionally, given that ANPR systems collect personal information about individuals engaging in private activity, the collection of this information potentially engages Article 8 European Convention of Human Rights (ECHR). Consequently, obligations are placed on 'data controllers' for two reasons. First, because the free flow of information and pursuit of legitimate goals on the part of the State and its organizations do not invariably trump individuals' privacy rights (Article 29 Working Party 2001: 3). Second, because privacy can be regarded as a public good we must recognize that the trade-off be subject to complex governance processes (i.e. Data Protection Act 1998, Article 8 ECHR, National ACPO ANPR Standards 2011, NPIA Practice Advice on the Management and Use of Automatic Number Plate Recognition) and include a wide range of stakeholders.

In turning to another example we can illustrate how, despite engaging Article 8 ECHR, PII can be collected by ANPR systems to preserve public order. Specifically, the Administrative Court in the High Court of Justice recently held that retaining ANPR-linked PII about an individual participating in public protests for policing purposes might not engage Article 8 ECHR (Catt v Association of Chief Police Officers and Commissioner of Police of the Metropolis (2012)). Lord Justice Gross's position, that the plaintiff did not have a reasonable expectation of privacy and that Article 8 was not engaged, emphasized three features: first, the plaintiff had closely associated himself with a protest group in public and with a significant history of violence, disorder and criminality; second, the police response was proportionate and consistent with the public duty to maintain public order; and third, the policing activity was overt. [27]

Taken together, we see that the RCMP have a variable conception of whether licensing information constitutes PII and that, in the UK, collection of PII might not engage ECHR protections. In both cases the collected data is used to monitor and take action against specific citizens, citizens who are often frustrated or unable to discern how or why ANPR systems are used to mediate citizens' actions. This is significant, insofar as strong PII protections could (though wouldn't necessarily) restrict the use of ANPR systems and their associated practices where the systems and practices infringe on legally protected rights and actions. To avoid such restrictions the basic operations of ANPR systems have either been framed as not involving the collection of PII, or the collection of PII has been justified in spite of prospective ECHR protections.

4.2 Social Sorting

State framing of PII, in combination with intransigence in making information of these systems available to the public, has the effect of limiting citizens' concern or awareness of ANPR surveillance. These efforts do not, however, constitute the full efforts of state framing; the state also attempts to frame its social sorting linked to ANPR so as to make it palatable and acceptable to the publics that are surveilled. Both Canadian and UK authorities have identified ANPR systems as enforcement tools that also are valuable for intelligence processes. While RCMP uses of ANPR are stated as just enforcement-based, that position is contradicted by claims that ANPR could be used to evaluate alibis (Shaw, 2012) and used more generally for investigative practices subsequent to criminal acts having been committed (Graham, 2012). The UK situation has seen ANPR used to limit protests based on broader police surveillance (Evans and Lewis 2012, Parsons, 2009) as well as to conduct more general police enforcement actions (e.g. assigning fines/arresting individuals with outstanding license-linked crimes). In what follows we discuss Canadian and UK definitions and framing of who is monitored by ANPR and how articulations of social categories mask broader civil rights concerns; 'risky' citizens are profiled through the aggregation of information stored in multiple databases. Given the blurring boundaries between public and private authorities as a result of data sharing arrangements, society is being sorted, often without any public deliberative process or scrutiny. The resulting democratic deficit was noted in the report commissioned by the Information Commissioner:

'No one has voted directly for such systems. They come about through drives for greater efficiency and effectiveness in the public services, pressure from technology corporations, the rise of 'risk' as a key theme in society, and the idea that we should spare little effort to pre-empt dangers.' (Wood and Ball, 2006: 11)

An example illustrates the pernicious process of social sorting in the ANPR context. Information that has been disclosed in BC about ANPR to the public, to municipal policing bodies, and to provincial privacy commissioners shows only seven 'hit' categories: stolen plates/license plates associated to stolen vehicles, license plates associated with warrants (Canada Wide), license plates associated to warrants (BC wide), license plates associated to other pointer vehicles, license plates associated to prohibited drivers, license plates associated to unlicensed drivers, and license plates associated to uninsured drivers (RCMP 'E' Division; CBC 2012a). This range of categories stands at variance with the thirteen categories listed in the RCMP's PIA, with many of these categories compressed into the 'other pointer vehicles' category. This category captures individuals such as parents with custody of children, those with prohibitions against firearms and boat operation, and so forth. Officers may not have standing to pull over pointer vehicles; they must first 'ensure there are valid grounds for conducting a vehicle check' (RCMP 'E' Division).

Simply being present in the database is not reason enough for authorities to take action against a vehicle or its occupant(s). This is significant insofar as authorities publicly assert that ANPR systems are used exclusively for enforcement actions: where ANPR systems are used to monitor movements this clearly shifts into intelligence gathering. Municipal police who are embroiled in defending ANPR systems in BC have repeatedly asserted that the technology 'can help officers stop prohibited drivers, drivers without insurance and recover stolen vehicles' (Nuttall 2012) though, when asked to identify the full range of what constitutes a hit in RCMP databases, officers have struggled to fully explicate database categories (e.g. CBC 2012a). The inclusion of a swathe of differing categories within 'pointer vehicles' has the effect of assuaging public concerns by convincing the general public they are not a 'hit' and so not being tracked. One municipal police chief has gone so far as to assert that:

'It's that old adage, if you haven't done anything wrong and there's no issues, what's to be worried about? If you are on the run from the law or wanted in another province, a prohibited driver, a list of things, and you're associated to a motor vehicle, then you should be worried. I say, you've got to deal with it' (Derosa and Shaw 2012).

The washing over of 'a list of things' is problematic because it establishes a misleading frame of ANPR's public appropriateness: while the monitoring for some, such as prohibited drivers, might seem appropriate to the public, the monitoring of others, such as those with legal custody of children, would arguably be less appropriate to the public.

In the UK, a listing of the ANPR database categories is included as part of the NPIA's guidance document for ANPR (ACPO NPIA 2009). The document is not protectively marked; this varies from the RCMP's PIA, which was so marked. According to the guidance document, we learn that ANPR operators will see three markers. Each marker possesses a set of options that are intended to influence how officers interact with a vehicle operator. The first marker addresses actions that officers are to take, and includes 'stop', 'silent' (not to stop for routine checks), 'intel' (the vehicle may be stopped if additional grounds exist), and 'do not stop' (for reasons of officer safety or investigative requirements). The second marker can have up to three options set, drawn from the categories of nothing known, firearms, weapons, violent, or fails to stop. The third marker offers reasons for the vehicle's detection by the ANPR system, and includes drugs, crime, disqualified, docs, drink drive, sexual, other, protest, VISOR, no stop, and intel. These markers are linked to the Police National Computer Identifier, which itself profiles individuals of interest as follows: firearms, explosives, fails to stop for police, weapons, violent, suicidal, mental, escaper, drugs, contagious, alleges, ailment, offends against vulnerable persons, sex offender, female impersonator, and male impersonator. Beyond the categorizations of the database there is no information, in the guideline itself, describing how broad (or narrow) these classifications are, or the privacy impact assessments arising from this form of associational profiling. These forms of profiling disengage and undermine public trust and understanding of the way PII are processed and used and, lacking transparency into UK ANPR deployments, it remains unclear as to how these systems contribute to 'function creep' (Wood and Ball, 2006:11).

Similar to the BC case, it is difficult to justify the fact of being in the database as a reason for stopping a vehicle. Moreover, 'storylines' have been developed in the UK to justify the massive expansion of ANPR cameras. Project Champion is a prime example of narratives constructed without concern for overreaching the boundaries of accountability and legitimacy. The activities of the police only came to light after being exposed by a national newspaper on 5 June 2010. Operational policing strategy towards Muslim communities was described to the public as a means of combating police crime and antisocial behaviour but it was subsequently discovered that Champion's covert use was for counter-terror purposes (Walker 2010). The initiative was allegedly funded by resources that originated from the ACPO. Following the public revelation of the project, police themselves acknowledged that the operation 'set relations back a decade' (Thornton 2010: 47). The covert nature of the Project fits within the UK's usage of ANPR for intelligence gathering purposes. The gathering of such information, in tandem with its often secretive or opaque use, raises considerable civil liberties and freedoms concerns, insofar as individuals' privacy is infringed for hidden or unknown reasons. Moreover, many of the categories in both the UK and BC cases speak to a significant broadening of what police might demonstrably need information about: in the Canadian case, is there a demonstrable need for authorities to monitor the whereabouts of parents who have legal custody of their children and, in the UK scenario, must protesters be tracked? In both nations the database schemas, when combined with mass surveillance technologies, facilitate a broad social sorting and surveillance of the population. While, as we discuss shortly, some uses of the technology to address serious crimes might be warranted, the use of the technology for monitoring less serious - and sometimes non-criminal - vehicular and personal behaviours is profoundly disturbing (Royal Academy of Engineering, 2007:47-48).

4.3 Accuracy and Security

While the relative obfuscation of 'what constitutes a hit' is significant insofar as it can significantly shape public and media perception of surveillance systems, ANPR discourses rest firmly atop the notion that, overall, the systems are efficient and effective and that 'we should spare little effort to pre-empt dangers' (Wood and Ball, 2006: 11). Data that has been accessed, either through public or access to information regulations, often suggests high degrees of relative accuracy. In what follows, we offer a theoretical model to discuss why what appear to be highly accurate systems are, in fact, grossly imprecise. Some ANPR systems claim to attain up to a 95% accuracy rate in reading license plates. However, a confidence rating is a much more important and relevant measure of system effectiveness for a complex data collection system of this kind. To the best of our knowledge, no actual, functioning ANPR system has ever been audited and evaluated for its confidence rating. The accuracy rating, meanwhile, is fundamentally misleading.

Consider, for example, a 95% accurate ANPR system operating, where there exists a theoretical criminal population of 1% linked to license plates. In the average person's mind, this presents an image where, within any 100 plate reads, there would be 1 accurate hit, 94 accurate non-hits, and 5 inaccurate reads. However, this is already a grossly misleading picture. The key issue is that, in the absence of manual checking of literally every plate read, we do not know which 5% of reads are inaccurate. So here is what our data actually look like:

  • There are an unknown number of instances where a non-hit plate has been misidentified as a different non-hit plate.
  • There are an unknown number of instances where a non-hit plate was misidentified as a hit plate.
  • There are an unknown number of instances where a hit plate was misidentified as a non-hit plate.
  • There are an unknown number of instances where a hit plate was misidentified as a different hit plate (i.e. mixing up a plate linked to a homicide to one linked to an uninsured driver).

When trying to develop a confidence rating, these problems are then compounded and confounded by the types of data storage policies any particular ANPR system is operating under. We need to know, for example, the following:

  • In a hits-only storage system, what percentage of hits were manually checked? (e.g. were all hits on 'other pointer vehicles' checked, or only those hits leading to actionable responses, like prohibited drivers?)
  • In a system that stores both hits and non-hits, what percentage of each were manually checked?
  • In either type of storage system, though some percentage of hits or non-hits may be manually checked, does the officer in the field performing the manual check actually have access to the database to make any corrections? (e.g. in BC, police officers in the field currently have read-only access and thus no ability to correct the automated storage of data even when they identify ANPR system misreads.)

In light of all this, an ANPR 'accuracy rating' is often a smokescreen that obfuscates the hard numbers needed to produce a confidence rating. In the final analysis, however, one fact is clear: Given the low percentage of hits and actionable hits relative to non-hits, the instances of accurately identified criminality (1%) in our theoretical scenario will be far lower than the instances of misread plates (5%). This is almost certainly typical of most real-world ANPR scenarios. [28] Therefore, it is expected that the objective confidence rating for any ANPR system will be very weak; only a values-based dismissal of the significance of ever-growing amounts of incorrect and questionable records of personal information can ever make up for these technical weaknesses associated with ANPR systems. In effect, over time these systems will establish volumes of inaccurate data without a clear method for officers to ascertain whether alleged hits or non-hits are valid, undermining the confidence that any reasonable person would have in the data.
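The scenario above can be worked through numerically. The following is an added illustration, not part of the original paper: it splits reads into the four misidentification types listed earlier and compares wrong stored records against correct hits under hits-only and hits-plus-non-hits storage. The registry size, the hotlist layout, and the rule that a misread resolves uniformly to another registered plate are assumptions made for the example.

```python
"""Added illustration: breakdown of ANPR reads for the 95% / 1% scenario.

Assumptions (not from the paper): a registry of 10,000 plates of which
plates 0..99 are on the hotlist, every plate equally likely to be read, and
a misread resolving uniformly to some *other* registered plate.
"""
import random
from collections import Counter
from fractions import Fraction


def classify(true_plate, read_plate, n_hot):
    """Label one read using ground truth that a deployed system never has."""
    true_hot, read_hot = true_plate < n_hot, read_plate < n_hot
    if true_plate == read_plate:
        return "correct_hit" if true_hot else "correct_nonhit"
    if true_hot:
        return "hit_as_other_hit" if read_hot else "hit_as_nonhit"
    return "nonhit_as_hit" if read_hot else "nonhit_as_nonhit"


def expected_breakdown(n_plates, n_hot, accuracy):
    """Exact per-read probability of each outcome (pass accuracy as a Fraction)."""
    n, h, acc = n_plates, n_hot, Fraction(accuracy)
    p_hot, miss = Fraction(h, n), 1 - acc
    return {
        "correct_hit": p_hot * acc,
        "correct_nonhit": (1 - p_hot) * acc,
        "nonhit_as_nonhit": (1 - p_hot) * miss * Fraction(n - h - 1, n - 1),
        "nonhit_as_hit": (1 - p_hot) * miss * Fraction(h, n - 1),
        "hit_as_nonhit": p_hot * miss * Fraction(n - h, n - 1),
        "hit_as_other_hit": p_hot * miss * Fraction(h - 1, n - 1),
    }


def simulate(n_reads, n_plates, n_hot, accuracy, seed=1):
    """Monte Carlo version of the same model, returning outcome counts."""
    rng = random.Random(seed)
    acc = float(accuracy)
    counts = Counter()
    for _ in range(n_reads):
        true_plate = rng.randrange(n_plates)
        if rng.random() < acc:
            read_plate = true_plate
        else:
            # Pick uniformly among the other n_plates - 1 registered plates.
            read_plate = rng.randrange(n_plates - 1)
            if read_plate >= true_plate:
                read_plate += 1
        counts[classify(true_plate, read_plate, n_hot)] += 1
    return counts


def alert_precision(b):
    """Share of raised alerts where the plate read is the plate on the road."""
    alerts = b["correct_hit"] + b["nonhit_as_hit"] + b["hit_as_other_hit"]
    return b["correct_hit"] / alerts


def wrong_records_per_true_hit(b, store_non_hits):
    """Stored records attached to the wrong plate, per correctly read hit."""
    wrong = b["nonhit_as_hit"] + b["hit_as_other_hit"]
    if store_non_hits:
        wrong += b["nonhit_as_nonhit"] + b["hit_as_nonhit"]
    return wrong / b["correct_hit"]


if __name__ == "__main__":
    N, H, ACC, READS = 10_000, 100, Fraction(95, 100), 100_000
    exp = expected_breakdown(N, H, ACC)
    sim = simulate(READS, N, H, ACC)
    for name, p in exp.items():
        print(f"{name:18} expected {float(p * READS):9.1f}  simulated {sim[name]:6d}")
    print("alert precision:", float(alert_precision(exp)))
    for keep in (False, True):
        ratio = float(wrong_records_per_true_hit(exp, keep))
        print(f"store non-hits={keep}: {ratio:.2f} wrong records per true hit")
```

The category labels are available only because the simulation knows the true plate; a field system records just the plate as read, which is why the four counts remain unknown without manual checking.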

Some ANPR systems will upload hit and non-hit data with geo-temporal information to centralized collection databases. Given accuracy and confidence ratings this can, over time, lead to highly 'polluted' databases, insofar as license plates may be massively misidentified over time. The rapidity at which pollution happens - and its automatic nature - speaks to how ANPR systems are radically different from 'analogue' processes to investigate vehicles and their occupants. This difference was noted in Bruce Schneier's analysis of ANPR when he wrote:

'[w]holesale surveillance is not simply a more efficient way for the police to do what they've always done. It's a new police power, one made possible with today's technology and one that will be made easier with tomorrow's. And with any new police power, we as a society need to take an active role in establishing rules governing its use. To do otherwise is to cede ever more authority to the police'. (2004)

Indeed, the power afforded by ANPR systems is used by some officers to expand their capacity to gather intelligence on individuals, even in the case of false negatives. As documented by Priest and Arkin, some officers recognize that '[e]ven if the pullovers were false alarms, at least they provided a chance to enter more data' (Priest and Arkin, 2011, 143). Consequently, the inaccuracy of these devices is understood as simultaneously enhancing security vis-a-vis greater intelligence gathering regardless of whether a vehicle or its presumed occupants have been properly identified by ANPR-based systems.

Hubbard (2008) warns that collected ANPR data constitutes an appealing target, not just for hackers who are interested in subsequently using or selling the information, but also for law enforcement officers who inappropriately access and utilize collected information. Based on recent reports from the United States, insurers and repossession companies must be added to the list of parties interested in ANPR databases (Greenberg 2012, Roper 2012). These concerns about who can access data records arguably parallel those associated with any large database of PII. Froomkin suggests that western Europeans 'tend to see these pathological uses of identifications systems as just one of many results of a deeper and broader political or social pathology … one gets the sense the western European answer to common-law paranoia about ID card systems would be that if a regime is using ID cards to oppress its people, the problems are much more fundamental' (Froomkin 2009: 257). Though ANPR is distinguishable from a formal ID card, it operates on a similar logic: the tracking and tracing of individuals across large swathes of state-controlled territory by way of surveillance, database integration, and GIS mapping capabilities. While adopting a risk-management solution is typically what is called for in the face of data breach and misuse potentialities, we instead suggest an alternate approach that enables enforcement actions while removing the risks of hacking, inappropriate access, and poor ANPR confidence ratings.

5. Resisting and Mediating ANPR

Resisting and mediating the worst elements of ANPR systems is challenging, with challenges linked to the rigidity of the policy networks in question and the deployment states of the technology. New entrants to the policy network must demonstrate 'that there is indeed a problem to which one's solution can be attached' and recognize that 'simply' trying to change settled indicators that register problems constitutes a problem: such modifications challenge the configuration of the regulatory system itself (Kingdon 2003: 92-3). Linking policy events - such as typical policy discussions amongst 'normal' actors - with highly symbolic behaviours - instances of violations of principles that infringe on sacred values or stated and respected principles - can let policy issues and the parties advancing them rise to the agenda by focusing attention on issues that would otherwise be left to languish. Success in focusing attention often depends on whether efforts correlate with a focusing event. Such events are 'sudden, relatively rare, can be reasonably defined as harmful or revealing the possibility of potentially greater future harms, inflicts harms, or suggests potential harms that are or could be concentrated on a definable areas of community of interest, and that is known to policy makers and the public virtually simultaneously' (Birkland 1997: 22 (emphasis italicized)).

Moreover, as soon as an issue is made public, new entrants who assume the role of policy entrepreneurs must develop and grow their base. Typically, this kind of work entails connecting 'a problem to cultural assumptions about threats, risk, and humans' ability to control their physical and social environments' (Cobb and Ross 1997: 5). Moreover, these connections must be seen as vibrantly important to regulators, politicians, and the public in a very visceral sense: statistics, nebulous harms, and far-off problems are often insufficient to capture and shape an agenda. As a result, advocates of novel agenda items or processes will tend to be more successful if they have 'plausible research results and a highly visible, tangible, and dramatic event on his or her side' in contrast to 'an advocate with only evaluation data' (Birkland 1997: 134). Strategically, then, we can expect non-established actors to search for focusing events or analogies that give resonance to their issues.

In turning to the BC advocacy experience, these theoretical moves were implemented. As relatively new entrants to the policy network associated with ANPR, the advocates demonstrated that there was a problem - a system of mass surveillance that was under-explored - and a solution - authorities could stop collecting data while still using ANPR for enforcement actions. Strategically, the advocacy linked actual surveillance with symbolic upsets: the monitoring of vehicles with the freedom of citizens to anonymously drive through BC without being automatically monitored by authorities. While strong legal cases to preserve such freedoms, the fact that many individuals drive and could plausibly be in the ANPR hit database meant that issues could be linked to policy experts and 'regular citizens' alike. Moreover, given authorities' public statements that they want to retain non-hit data (CBC 2012ab), all drivers regardless of their legal status could be affected by the surveillance regime. While advocates communicated in brief with members of the policy network in the months before publicizing their research, full research findings were made available to the public and members of the policy network simultaneously. This meant that both groups - the public and the network - were forced to react simultaneously. The history of ANPR in BC, as well as potential uses, were important in catalyzing concern around the program and have led to formal investigations of the program by the BC Information and Privacy Commissioner (i.e. OIPC 2012).

In addition to identifying ANPR as a problem and publicizing its long and hidden history, advocates have recently suggested their own solution. This solution would let authorities use ANPR for enforcement practices but not intelligence gathering. This, admittedly, could be challenging to successfully mimic in nations such as the UK that have a long history of using ANPR for enforcement and intelligence gathering. Indeed, the strong linkage of ANPR surveillance to national security has meant that even the locations of cameras are kept from the British public. Unlike the UK experience, intelligence gathering is not ostensibly a core driver of ANPR adoption by Canadian authorities, thus affording rhetorical space to find (somewhat) common ground between privacy advocates and authorities.

Successful resistance in terms of ANPR has revolved around a set of best practices that, if enacted, would reduce the dangers to citizens, ameliorate surveillance-related concerns, and maximize confidence ratings in retained data. Under the best practices and data flow model below, authorities can continue to use ANPR and citizens can be assured that a database of their movements is not being automatically aggregated, nor is data being used for unknown purposes post-collection.

Figure 2: Enforcement-Based ANPR Data Flow

Under our model, the ANPR system would not retain any data: all collected data would be the result of normal policing records that follow a traffic stop/investigation of a vehicle. Consequently, tertiary databases - such as the ANPR collection database shown in Figure 1 - would not develop or exist. The ideal way for using ANPR for policing enforcement processes, while maximally alleviating civil liberties concerns about ubiquitous surveillance of the motor-vehicle-using population and poor confidence in retained data, would involve following the principles below. These principles are established under the assumption that there is a link between the license plate and personally identifiable information and that the following practices are needed in light of low data confidence.

5.1 Practice One: Don't store captured information

Neither hit nor non-hit data should be stored by the ANPR database systems. Instead, where there is probable cause to pull a vehicle and its occupants over for a traffic stop, relevant information should be kept in existing log books as currently legally required, instead of uploaded to, and retained in, an ANPR database.

5.2 Practice Two: Hit categories should be restrictive

There should be probable cause to investigate a vehicle or the person operating it. The categories that establish a 'hit' should, therefore, be either linked to a suspect vehicle plate number alone (e.g. uninsured or stolen vehicles) or to people believed to be associated with serious crimes (e.g. an Amber Alert for a missing child, or a murder or manslaughter linked to a specific plate number). In effect, the surveillance of the general population must be proportionate to the degree of harm posed to the population/community. Hit categories should only be expanded or added to through an open and public democratic process.

5.3 Practice Three: Redress

When a vehicle is stopped on the basis of ANPR information, the occupant should be informed of the ANPR system's involvement and given an opportunity to correct the record as appropriate (e.g. perhaps the vehicle is still identified as 'stolen' in the ANPR database despite having been returned, or the plate is linked to an unlicensed driver who has subsequently become licensed).

6. Conclusion

This article has shed some light on how state institutions try to justify identity management infrastructures by constructing narratives and processes that frame institutional goals in terms of fulfilling regulatory and privacy requirements. The evidence, particularly that unearthed in investigations in BC, suggestively supports Brin's longstanding concern that:

'[n]o matter how many laws are passed, it will prove quite impossible to legislate away the new surveillance tools and databases. They are here to stay' (Brin, 1998: 8-9).

Brin however insists that procedural mechanisms - that empower citizens to understand the actions and data collection of governments - are essentially the sole means to equalize mass surveillance and data collection power asymmetries, and that surveillance programs and technologies cannot be stopped or prevented from taking root. We disagree with this dystopian framing of surveillance and privacy today.

The article has also highlighted the logic of a novel state surveillance system that is accompanied by a host of associated databases. Efforts to limit transparency into the system while assuring citizens that ANPR is there for good government and public order have had marginal effects in limiting BC advocates' message; despite the efforts of law enforcement and the RCMP, information about the system has emerged into the public eye, and an independent government body, the OIPC, has investigated authorities' use of the technology and ordered the cessation of any retention of non-hit data. The OIPC has also ordered police to reduce the scope of 'hit' categories (OIPC 2012). In the UK, efforts to obfuscate ANPR deployments, as was the case in Project Champion, also reveal the potential to resist mass vehicular surveillance. In essence, the experience of advocates in BC shows that it is possible to challenge and ameliorate the state's creation of novel surveillance-driven databases.

An important contribution made by the study is that successes depend on a combination of media savvy, advocacy tactics, the provision of pragmatic solutions and compromises that are amenable to state institutions, and not least good fortune. Privacy advocates, in their role akin to being information archaeologists, have repeatedly demonstrated a capacity to resist and mediate onerous state surveillance. The efforts in resisting ANPR in BC may be seen as a 'success story.' Where Brin is arguably correct is that, absent external pressures from citizens and members of policy networks tied to state-developed or -relied upon databases, institutional pathologies associated with ANPR systems will reflexively sustain their operations and processes. An active and interested citizenry that is willing and able to place pressure on government is required to resist state surveillance. While it is true that the State and its agents may want to increase citizen surveillance there is no necessary technological or political imperative guaranteeing that surveillance must increase over time: in the face of undue political pressure and attention such surveillance can, and will, be turned back.

Works Cited

AG Reference (No.5 2002) [2004] UKHL 40

Association of Chief Police Officers by the National Policing Improvement Agency (ACPO NPIA). (2009). 'Practical Advice on the Management and Use of Automatic Number Plate Recognition.' Last accessed August 9, 2012. Available at:

ACPO (2010). 'ANPR Strategy for the Police Service 2010-2013.' Last accessed August 20, 2012. Available at

ACPO (2011a). 'Memorandum of Understanding To Support the Submission and Access to Data held on the National ANPR Data Centre'. Version 2. Last accessed 25 August 2012. Available at

ACPO (2011b). 'National ACPO ANPR Standards (NAAS)'. Version 4.12. Last accessed 25 August 2012. Available at

Article 29 Data Protection Working Party. (2001). 'Opinion 10/2001 on the need for a balanced approach in the fight against terrorism.' Available at

Bennett, Colin. (2008). The Privacy Advocates: Resisting the Spread of Surveillance. Cambridge, Mass.: The MIT Press.

Bennett, Colin; Raab, Charles, and Priscilla Regan. (2003). 'People and place: patterns of individual identification within intelligence transportation systems,' in David Lyon (ed.). Surveillance as Social Sorting: Privacy, Risk and Digital Discrimination. New York: Routledge. Pp. 153-175.

Big Brother Watch. (2012). 'The DNA Database in 2012'. Available at

Birkland, Thomas A. (1997). After Disaster: Agenda Setting, Public Policy, and Focusing Events. Washington, D.C.: Georgetown University Press.

Boa, Krista. (2007). 'Privacy Outside the Castle: Surveillance Technologies and Reasonable Expectations of Privacy in Canadian Judicial Reasoning'. Surveillance & Society, Special Issue on 'Surveillance and Criminal Justice' Part 2, 4(4): 329-345.

Brin, David. (1998). The Transparent Society: Will Technology Force Us to Choose Between Privacy and Freedom? New York: Basic Books.

Burket, Herbert. (2007). 'Freedom of Information and Electronic Government,' in Viktor Mayer-Schonberger and David Lazer (eds.). Governance and Information Technology: From Electronic Government to Information Government. Cambridge, Mass.: The MIT Press.

Canadian Broadcasting Corporation (CBC). (2012a). 'RCMP defends license-plate monitoring,' CBC: On The Island. Last accessed August 16, 2012. Available at:

Catt v Association of Chief Police Officers and Commissioner of Police of the Metropolis [2012] EWHC 1471 (Admin).

CBC. (2012b). 'VicPD chief defends license monitoring,' CBC. Published August 3, 2012. Last Accessed September 2, 2012. Available at:

Cobb, Roger W. and Marc Howard Ross. (1997). 'Agenda Setting and the Denial of Agenda Access: Key Concepts,' in Roger W. Cobb and Marc Howard Ross (eds.). Cultural Strategies of Agenda Denial: Avoidance, Attack, and Redefinition. Lawrence, Kansas: University of Kansas Press.

Derosa, Katie and Rob Shaw. (2012). 'Police chief backs licence tracking,' Times Colonist. Published August 2, 2012. Last accessed August 21, 2012. Available at:

Ditton, Jason. (1998). 'Public support for town centre CCTV schemes: myth or reality?' in Clive Norris, Jade Moran, and Gary Armstrong (eds). Surveillance, Closed Circuit Television and Social Control. Aldershot: Ashgate.

Du, Shan; Ibrahim, Mahmoud; Shehata, Mohamed and Wael Badawy. (2011). 'Automatic License Plate Recognition (ALPR): A State of the Art Review,' Circuits and Systems for Video Technology, IEEE Transactions on , vol.PP, no.99, pp.1, 0 doi: 10.1109/TCSVT.2012.2203741. URL:

European Data Protection Supervisor (EDPS). (2010). 'Video-Surveillance Guidelines.' Available at Guidelines/10-03-17_Video-surveillance_Guidelines_EN.pdf

European Secure Vehicle Alliance (ESVA). (2011). Memorandum submitted by the European Secure Vehicle Alliance (ESVA) (PF 11) to the Public Bill Committee Debates on Protection of Freedoms Bill. Last accessed 25 August, 2012. Available at

Evans, Rob and Paul Lewis. (2012). 'Protester sues police over surveillance database,' The Guardian. Published February 9, 2012. Last accessed August 23, 2012. Available at:

Flaherty, David. (1999). 'Visions of Privacy: Past, Present, and Future,' in Colin J. Bennett and Rebecca Grant (eds). Visions of Privacy: Policy Choices for the Digital Age. Toronto: University of Toronto Press.

Froomkin, A. Michael. (2009). 'Identity Cards and Identity Romanticism,' in Ian Kerr, Valerie Steeves, and Carole Lucock (eds.). Lessons From the Identity Trail: Anonymity, Privacy and Identity in a Networked Society. Toronto: Oxford University Press.

Gaumont, Norm. (2008). 'The Role of Automatic License Plate Recognition Technology in Policing: Results from the Lower Mainland of British Columbia,' The Police Chief Vol. 75(11).

Gilbert, Jay. (2000). 'Access Denied: The Access to Information Act and Its Effects on Public Records Creators,' Archivaria 49 (Spring 2000). Pp. 84-123.

Gill, Martin; Spriggs, Angela; Allen, Jenna; Argomaniz, Javier; Bryan, Jane; Jessiman, Patricia; Kara, Deena; Kilworth, Jonathan; Little, Ross; Swain, Daniel and Sam Waples. (2005). 'The impact of CCTV: fourteen case studies,' Home Office Online Report. Published 2005. Available at:

Graham, Jamie. (2012). 'Your Licence Plate as a Tracking Device,' Panel presentation at 13th Annual Privacy and Security Conference, Victoria BC, February 2012.

Greenberg, Andy. (2012). 'U.S. Customs Tracks Millions of License Plates And Shares Data With Insurance Firms,' Forbes. Published August 21, 2012. Available at:

Haggerty, Kevin D. and Richard V. Ericson. (2007). 'The New Politics of Surveillance and Visibility,' in Kevin D. Haggerty and Richard V. Ericson (eds). The New Politics of Surveillance and Visibility. Toronto: The University of Toronto Press.

Home Office. (1994). CCTV - Looking Out For You. HMSO: London

House of Lords Select Committee on the Constitution (HoL SCC). (2009). Surveillance: Citizens and the State.

Hubbard, Tyson E. (2008). 'Automatic License Plate Recognition: An Exciting New Law Enforcement Tool with Potentially Scary Consequences,' Syracuse Science and Technology Law Reporter. Published March 13, 2008. Last accessed August 21, 2012. Available at:

Information Commissioner's Office (ICO). (2011). 'Information Rights Report, May 2011.' ICO's website. Last accessed August 31, 2012. Available at:

Kerr, Ian. (2009). 'The Internet of People? Reflections on the future Regulation of Human-Implantable Radio Frequency Identification,' in Ian Kerr, Valerie Steeves, and Carole Lucock (eds.). Lessons From The Identity Trail: Anonymity, Privacy and Identity in a Networked Society. Toronto: Oxford University Press. Pp. 335-357.

Kingdon, John W. (2003). Agendas, Alternatives, and Public Policies (Second Edition). Toronto: Longman.

Larkins, Brian. (Date Unknown). 'ANPR Data Protection Act Compliance,' CCTV Information (consultancy website). Last Accessed August 31, 2012. Available at:

Lewis, Paul and Rob Evans. (2009). 'Activists repeatedly stopped and searched as police officers 'mark' cars.' The Guardian, Published 25 October 2009. Last accessed August 31, 2012. Available at

Lum, Cynthia, Merola, Linda, Willis, Julie and Breanne Cave. (2010). 'License Plate Recognition Technology (LPR): Impact Evaluation and Community Assessment,' Center for Evidence-Based Crime Policy, George Mason University. Published September 2010. Last accessed August 9, 2012. Available at:

Lyon, David. (2007). Surveillance Studies: An Overview. Malden, MA: Polity Press.

Lyon, David and Colin J. Bennett. (2008). 'Playing the ID Card: Understanding the significance of identity card systems,' in C. J. Bennett and D. Lyon (eds.). Playing the Identity Card: Surveillance, security and identification in global perspective. New York: Routledge. Pp. 3-20.

Mathieson v The Information Commissioner and the Chief Constable of Devon and Cornwall (2012) EA/2010/0174. Available at

National Policing Improvement Agency (NPIA). (2010a). 'Police National Computer,' on NPIA website. Last accessed August 31, 2012. Available at:

National Policing Improvement Agency (NPIA). (2010b). 'Automatic Number Plate Recognition,' on NPIA website. Last accessed August 31, 2012. Available at:

Newman, Abraham L. (2008). Protectors of Privacy: Regulating Personal Data in the Global Economy. Ithaca: Cornell University Press.

Norris, Clive, Moran, Jade and Armstrong, Gary. (1998). 'Algorithmic Surveillance: The Future of Automated Visual Surveillance,' in C. Norris, J. Moran and G. Armstrong (eds.). Surveillance, Closed Circuit Television and Social Control. Aldershot: Ashgate.

Nuttall, Jeremy. (2012). 'Do rooftop cameras on cop cars violate privacy? B.C. privacy commissioner,' Times Colonist. Published July 30, 2012. Last accessed August 21, 2012. Available at:

Office of Surveillance Commissioners (OSC). (2006). 'Annual report of the Chief Surveillance Commissioner to the Prime Minister and to Scottish Ministers for 2005-2006,' HC 1298, SE/2006/95. Last accessed August 25, 2012. Available at

Office of the Information Commission of Canada (OICC). (2012). Correspondence about complaint submitted concerning the RCMP's handling of ALPR-based ATIP requests. Dated March 29, 2012.

Office of the Information and Privacy Commissioner of British Columbia (OIPC). (2010). 'Victoria Police Department - Automated License Plate Recognition Program (ALPR) OIPC File F10-42554,' Dated June 24, 2010.

OIPC. (2012). 'Investigation Report F12-04: Use Of Automated Licence Plate Recognition Technology By The Victoria Police Department,' Published November 15, 2012.

Office of the Privacy Commissioner of Canada (OPC). (2009). 'Re: Privacy Impact Assessment (PIA) - Automated Licence Plate Recognition (ALPR) Program,' Dated July 15, 2009.

Parenti, Christian. (2003). Soft Cage: Surveillance in America From Slavery to the War on Terror. New York: Basic Books.

Parsons, Ben. (2009). 'Brighton pensioner slams 'police state' after terror police tag,' The Argus. Published May 24, 2009. Last accessed August 22, 2012. Available at:

Parsons, Christopher; Wipond, Rob, and Kevin McArthur. (2012). 'The Governance of Automatic License Plate Recognition in Canada,' 13th Annual Privacy and Security Conference, Victoria BC, February 2012.

Priest, Dana and William M. Arkin. (2011). Top Secret America: The Rise of the New American Security State. New York: Little Brown and Company.

R v Duarte [1990] 1 S.C.R. 30

R v Dyment

Raab, Charles and Benjamin Goold. (2011). 'Protecting Information Privacy'. Equality and Human Rights Commission. Available at:

Roper, Eric. (2012). 'Dealer uses Mpls. license plate data in car repo,' Star Tribune: Minneapolis. Published August 31, 2012. Last accessed September 2, 2012. Available at:

Royal Canadian Mounted Police, 'E' Division Traffic Services (RCMP 'E' Division). (Date unknown). 'Automatic License Plate Recognition (ALPR) Program's Terms and Conditions For Participation within a Policing Jurisdiction.'

Royal Canadian Mounted Police (RCMP). (2009). 'Privacy Impact Assessment: Automatic License Plate Recognition (ALPR),' available at:

Royal Canadian Mounted Police (RCMP). (2010). 'Automatic License Plate Recognition (ALPR) program,' letter to Assistant Privacy Commissioner Chantal Bernier.

Rule, James (2007). Privacy in Peril. Toronto: Oxford University Press.

S and Marper v UK [2008] ECHR 1581

Sarfranz, M. Saquib and M. Haris Khan. (2011). 'A Probabilistic Framework for Patch based Vehicle Type Recognition,' VISAPP 2011, Pp. 358-363.

Schneier, Bruce. (2004). 'City cops' plate scanner is a license to snoop,' New Haven Register. Published September 19, 2004. Available at:

Shaw, Rob. (2012). 'Mounties consider storing surveillance indefinitely on drivers with clean records,' The Vancouver Sun. Published July 31, 2012. Last accessed August 23, 2012. Available at

Soroka, Stuart N. (1997). Agenda-Setting Dynamics in Canada. UBC Press: Vancouver.

Taylor, Nick. (2011). 'A Conceptual Legal Framework for Privacy, Accountability and Transparency in Visual Surveillance Systems'. Surveillance & Society 8(4): 455-470.

Thames Valley Police. (2010). Project Champion Review. Available at

The Royal Academy of Engineering. (2007). Dilemmas of Privacy and Surveillance: Challenges of Technological Change. London, Royal Academy of Engineering

Thorton, Sara. (2010). 'Project Champion Review,' Thames Valley Police. Published September 30, 2010. Last accessed September 1, 2012. Available at:

Torpey, John. (1997). Coming and Going: On the State Monopolization of the Legitimate Means of Movement. Center for the Study of Democracy, UC Irvine. Retrieved December 12, 2011.

Torpey, John. (2000). The Invention of the Passport: Surveillance, Citizenship, and the State. Cambridge, Cambridge University Press.

Travis, A. (2010). 'Councils carry out over 8,500 covert surveillance operations'. The Guardian, 24 May.

Victoria Police Department (VicPD). (2010). Email correspondence about ALPR released under ATIP.

Victoria Police Department (VicPD). (2011). Automatic License Plate Readers policy document.

Walker, Jonathan. (2010). 'Police told obey rules over 'anti-terrorism' spy cameras,' Birmingham Post. Published July 6, 2010. Last accessed September 1, 2012. Available at:

Wipond, Rob. (2012a). 'Hidden Surveillance,' Focus Magazine February, 2012. Available at:

Wipond, Rob. (2012b). 'Privacy Commissioner slams provincial surveillance program,' Focus Magazine March 2012. Available at:

Wood, David Murakami and Ball, Kirstie (eds). (2006) A Report on the Surveillance Society. A Public Discussion Document. Available at:

[1] Christopher Parsons is a PhD Candidate in the Department of Political Science at the University of Victoria.

[2] Joseph Savirimuthu is a Senior Lecturer in Law at the Liverpool Law School, University of Liverpool.

[3] Rob Wipond is a freelance researcher-journalist and sessional instructor in journalism and nonfiction at Royal Roads University.

[4] Kevin McArthur is a web architecture developer who specializes in e-commerce and security research on encryption systems.

[5] Throughout this paper we commonly refer to this technology as 'ANPR', despite it being termed 'Automatic License Plate Recognition' (ALPR) in Canada; adopting the sole acronym is meant to assist with readability.

[6] Cutting edge research investigates identifying vehicles' make and model in addition to the license plate (see: Sarfranz and Khan, 2011); in this paper we exclusively focus on current license plate analysis practices.

[7] We recognize that insurance and policing are not always directly linked; for our purposes we will speak to cases where law enforcement is involved in monitoring for uninsured drivers. Recent revelations in the United States touch on other insurance-based uses of ANPR: the collection of driving data by authorities and its subsequent disclosure to insurance companies. For more, see Greenberg (2012).

[8] R v Duarte [1990] 1 S.C.R. 30 at

[9] R v Dyment (1988) at

[10] While there was a 2005 Preliminary Privacy Impact Assessment that was provided to Canada's federal privacy commissioner for review the RCMP has, to date, failed to release this document to the public.

[11] This category concerning Persons of Interest, or those who could harm themselves, was entirely redacted in the PIA received by Rob Wipond. Information was supplied during interviews with RCMP staff.

[12] FIPPA stands for 'Freedom of Information and Protection of Privacy Act', and is BC's provincial privacy law.

[13] The description of these advocates - advocate/researcher, advocate/technologist, and advocate/journalist - is taken from Bennett (2008).

[14] Interview with VicPD Information and Privacy Manager, September 2, 2011.

[15] Interview with VicPD Information and Privacy Manager, September 7, 2011.

[16] Interview with RCMP ATIP officer, Nov 10, 2011.

[17] Correspondence with the Office of the Information Commissioner of Canada, March 29, 2012.

[18] The surreptitious use of surveillance technologies must be in accordance with the law and be proportionate: European Court of Human Rights, Kennedy v. The United Kingdom (Application no. 26839/05) (2010), paragraph 124. Note that following the passing of the Treaty of Lisbon, Article 16 of the Treaty on the Functioning of the European Union (TFEU) identifies protecting personal data as a fundamental right. Accordingly, the Treaty covers the processing of personal data by the private and public sectors.

[19] See Annex 1 Sections 4 & 5 of the Memorandum submitted by the European Secure Vehicle Alliance (ESVA) (PF 11). Last accessed 30 August 2012. Available at and paragraphs 4-18 in Memorandum submitted by the Law Society of England and Wales (PF 15). Last accessed 30 August 2012. Available at Also see the email ACPO Programme Support Office to What they Know For the context of policing by distance see ICO Information Rights Report, 7 November 2011 (which responded to the Home Office consultation on 'Policing in the 21st Century'), available at The Consultation can be found here:

[20] Interestingly the DPA 1998 is concerned with addressing access and use issues, and subjects are given very limited rights: Durant v Financial Services Authority [2003] EWCA Civ 1746.

[21] See as an example Lewis and Evans (2009).

[22] Mathieson v The Information Commissioner and the Chief Constable of Devon and Cornwall (2012) EA/2010/0174, paragraph 12 and 13.

[23] See concerns expressed by Deputy Chief Constable of Northamptonshire Police before the Committee at the Protection of Freedoms Bill hearing. 'Memorandum submitted by the Deputy Chief Constable of Northamptonshire Police (PF 50)' paragraphs 6-11. Last accessed 28 August, 2012. Available at

[24] Interview with RCMP officer, December 22, 2011.

[25] Correspondence with RCMP, July 6, 2012.

[26] More specifically, data controllers are obligated to adhere to principles such as fair and lawful processing; processing for limited purposes; that the data collected is adequate, relevant and not excessive; retained for clearly defined period; processed in accordance with the rights of the individual; accuracy and security. Individuals can make subject access requests for personal information held by the local police force.

[27] Lord Justice Gross at paragraphs 61-64

[28] It has been noted by UK police that certain driving patterns adopted by criminals weaken ANPR read effectiveness; this is one example of how accurately identified criminality might be lower than the actual criminal population. Moreover, in real-world tests ANPR accuracy rates decline to as low as 60%. For more, see Kelly Fiveash (2012). 'Number-plate spycams riddled with flaws, top cop admits,' The Register. Published August 9, 2012. Last accessed September 2, 2012. Available at: