February 19, 2014
Oregon seems to be turning into a bastion of privacy, much to the chagrin of various law enforcement agencies. As we recently covered, a district court ruled that the DEA’s warrantless access of its drug prescription database (achieved through “administrative subpoenas” that require no judicial approval or probable cause) was unconstitutional. In Oregon, at least, it appears our nation’s foremost drug warriors will need to comply with the Fourth Amendment.
Now, there’s a pushback against another warrantless collection of data by local police departments. Techdirt reader zip sends in this Williamette Week story detailing the ID scanners police are actively pushing on bar and club owners, supposedly in an effort to cut down on underage drinking.
Multnomah County and Portland police this week suspended a new program that supplied data-gathering ID scanners to Old Town bars after WW raised questions about whether it was legal.
The state-funded program allowed Portland police to equip downtown bars and clubs in recent weeks with high-tech ID scanners that captured patrons’ names, ages and photos for upload to a central database, which police could then access.
The data collected is stored for 90 days and is compiled from the many scanners being utilized across the city. The scanners themselves are manufactured by Servall Data Systems out of Alberta, Canada. (Servall Data Systems also has access to the data.) Law enforcement agencies are given access to the collected data at any time requested (no subpoena or warrant needed) according to Servall’s spokesperson.
A grant given to a local charity by the state of Oregon helped fund the purchase of these scanners, which were then pushed on local business owners by police departments. Unsurprisingly, some club owners balked at tracking their customers.
A few club owners turned down the free scanners. One owner says he added surveillance cameras when police asked. “I happily installed those. But this was going too far,” the club owner says. “It felt invasive.”
Not that every club owner feels the same. Some have purchased the scanners with their own funds, in part because it’s another step they can take to protect their liquor licenses.
The company cites drops in crime in other cities in defense of the scanners. That the scanners have a deterrent quality and that they make crime investigation easier are hardly disputable. But the problem is the warrantless access to collected data, and more specifically in this case, the fact that this sort of data harvesting by businesses violates Oregon state law.
“It really is an illuminating example of where our privacy laws are, and our disconnect in a modern digital world,” says Becky Straus, lobbyist for ACLU Oregon.
Straus is referring to a 2009 Oregon law that limits companies’ legal ability to collect, store or share information from ID scanners. Straus says she was unaware Portland bars were collecting such data, or that police could grab it.
“We had wondered, when we wandered around Old Town, whether bars were complying with the swiping law,” she says.
That bar owners may have been unaware that their data collection violated state law isn’t all that surprising. It’s not really as much of a day-to-day part of their business as staying within the confines of their liquor licenses and complying with food safety laws. But, as Willamette Week discovered when it began investigating these scanners, many of those who should have been aware of this law had no idea they were actively encouraging business owners to break it.
Neither Portland police nor the city attorney was aware of the 2009 law until WW raised the question. “We‘re glad when someone brings this up. We want to do what’s best to protect public safety and protect people’s rights,” Multnomah County spokesman David Austin tells WW.
Austin said the county is meeting with state and local law enforcement in the coming week to determine how to move forward .
The spokesman for the Portland police department claims it’s not the department’s problem if these laws are violated.
He says the police don’t own the scanners, and so aren’t responsible for how they were used.
“It’s an issue between the bars and the company,” he says. “We recommend a lot of things to people, but it’s up to the individual to make sure it’s compliant.”
I’m not sure what part of that statement is more callously irresponsible, the fact that the PD will “recommend” actions and technology without ensuring it complies with applicable laws, or the fact that the PD recommends a data harvesting device but ultimately doesn’t care how it gets used. The police have carte blanche access to the collected data, so its involvement bears the same weight as the supplier and the businesses utilizing the scanners. Considering it has this access, it would seem its responsibility to ensure compliance with applicable laws would be greater, especially since it’s in the law enforcement business.
This also downplays the department’s active promotion of the scanners, which led some business owners to feel the devices were mandatory, or at the very least, “strongly encouraged” by an entity holding the power to strip them of their liquor licenses. Here are some quotes from the story that show the department’s involvement in pushing the devices its spokesman claims it’s not responsible for.
“We tried to say ‘no’ at the very beginning, and police strongly encouraged that we should do it,” says Mike Reed, general manager of the Boiler Room and Jones Bar…
“If we don’t use it, they know,” a downtown bouncer tells WW…
Some Portland bar employees say the scanners keep police and the Oregon Liquor Control Commission happy…
As it stands right now, the county is going to “look into” the legality of the scanners. The police department seems to have washed its hands of the whole thing, claiming it’s barely involved. The scanner company, which also has access to the data, seems to think there’s nothing wrong with tracking people’s nighttime activities and turning this data over to law enforcement any time they ask. And finally, we have business owners tracking their customers because it’s been heavily implied that failing to do so may become a source of friction between the bar/nightclub and the police department.
Anyone could make the argument that what you do in public has no expectation of privacy. But this isn’t in any way comparable to what police would have to do to achieve the same sort of surveillance level if the scanners weren’t in use — i.e. trailing hundreds of people around all night and noting which businesses they enter.
When technology turns the laborious into the routine, there needs to be checks in place to prevent abuse or, at the very least, provided some sort of friction between what the police can collect and what they can actually access. There also needs to be care taken to prevent collection of data simply because its possible, rather than being actually instrumental to crime prevention and investigation. But most importantly, those deploying these devices (by which I mean the police and the state that provided the grant to purchase the scanners) need to be aware of the laws governing their use, something no one quoted here seemed to know. (And, in the case of the police department, the person quoted not only didn’t know, but didn’t care, either.)
The state of Oregon has taken care to ensure data isn’t collected or misused, but those looking for more data haven’t bothered to perform due diligence before deploying devices that turn business owners into lawbreakers, and all in the name of the one of the most arbitrary of crimes, underage drinking.