From Nadia Kayyali – Electronic Frontier Foundation
The proposed policy is 12 pages long, so we won’t go in to every single detail. But overall, the policy now is much improved from the original framework because it:
- Specifically lists the “allowable uses” for the DAC and who has access to DAC data;
- Defines important terms throughout to try to close loopholes; and
- Clearly defines the Domain Awareness Center and its component parts, making it clear that it is restricted to the Port of Oakland.
Part of what makes the policy unique is that it starts off with an affirmative statement about privacy in the “Policy Purpose” section:
This Policy is designed to promote a “presumption of privacy” which simply means that individuals do not relinquish their right to privacy when they leave private spaces and that as a general rule, people do not expect or desire for law enforcement to monitor, record, and/or aggregate their activities without cause or as consequence of participating in modern society.
We think that’s a very strong statement. It’s the opposite of the poisonous idea that if you have nothing to hide, you shouldn’t be concerned about being monitored constantly. Instead, it reinforces that privacy is a right, not a privilege.
When it comes to access to data, the policy is clear: “Only DAC Staff will be used to monitor DAC Data.” When there’s an actual emergency and Oakland’s Emergency Operations Center (where the DAC is housed) is in operation, the policy allows “limited access to the live data produced by the DAC System.”
Access to stored DAC data will be “limited exclusively to City and Port employees with a Need To Know,” and “Need to Know” is narrowly defined. If a law enforcement agency wants DAC data that comes from an outside feeder source, like a Port camera, they’ll have to go directly to that source. Any non-City-of-Oakland agency that wants DAC data will have to get a warrant, unless they already have a written data-sharing agreement—although, of course, the degree to which Oakland shares information with outside agencies is an outstanding issue.
The policy also addresses retention. The DAC has the capability to “bookmark” video—essentially to put a time stamp on it. Under the policy, “[t]he DAC shall not record any data except bookmarks of [the] ‘Allowable Uses’” listed in the policy.
The policy would create Internal Privacy Officer and Compliance Officer positions. The Compliance officer would conduct quarterly internal audits that look at myriad aspects of the DAC: the number of times the DAC was used to monitor protected activity (i.e. demonstrations and protests), who has been accessing data, and more. The audits will also include a number of metrics that are not often considered by city and county governments—but should be—including:
- Cost: “Total annual cost of the surveillance technology, including ongoing costs, maintenance costs, and personnel costs.”
- Data-sharing: “How many times DAC data was shared with non-City entities,” what kind of data was disclosed and why, to whom it was disclosed, and any “obligations imposed on the recipient of shared information.”
- Public Safety Effectiveness: How often the DAC is used, “the number of times DAC Data [is] shared for potential criminal investigations; lives saved; persons assisted; property saved or preserved; [and] property saved or preserved.”
In addition to the internal audits, the policy would also require “annual independent third party audits of DAC performance and security.”
Perhaps the most exciting part of the policy is that it actually prescribes consequences for violations. This part of the policy will be contingent on the city council passing legislation, so it could change or disappear. We’re hoping it won’t. Anywhere that the City of Oakland has jurisdiction, violation of the policy would be a misdemeanor, “punishable upon conviction by a fine of not more than $1,000 or by imprisonment not to exceed six months, or both fine and imprisonment.”
It would also allow any person to go to court and sue for money damages or “equitable relief,” meaning a court order that directs a party to do or not to do something. The damages could include punitive damages, which are damages that are intended to punish the wrongdoer. And, importantly, “reputation” and “mental pain and suffering” are specifically listed as types of damages that could be caused by misuse of the DAC.
We only know of one other city has a private right of action specifically established for privacy violations. That’s the city of Seattle, and the right of action is in the city’s 1979 intelligence ordinance, which was most likely the very first passed.
This piece of the policy is essential because, even if you completely distrust the government to comply with anything else, this allows anyone to take the matter into their own hands and sue. And while the cost of litigation is often prohibitive, the policy also allows for attorney’s fees and other costs of litigation. As the success of litigation against the Oakland Police Department in recent years shows, litigation against law enforcement can actually be effective.
This policy isn’t perfect, and the bad pieces deserve attention as well.
First, in the policy ultimately presented to the City, the City Attorney added some language to the “policy purpose” to soften it up. The language isn’t necessary, and it appears to exist only to emphasize that the policy is limited.
The former is particularly concerning because the Port of Oakland is no stranger to demonstrations. In fact, the Oakland Police Department’s response to a 2003 Port of Oakland demonstration was the basis for the lawsuit that ultimately required OPD to follow a court-monitored crowd-control policy. These demonstrations could ostensibly be treated as “supply chain disruptions,” which would mean the DAC would be active and used to monitor the demonstrations.
Furthermore, the policy does not (and really, could not) fully address information sharing. To do so would require a full understanding of the relationship between Oakland and other agencies and every possible avenue of information-sharing. Oakland hasn’t made this easy, by claiming exemptions to California’s Public Records Act when people make requests for information about the relationships, such as contracts and training manuals.2
Nonetheless, as we noted in our March 4, 2014 letter, we do know that Oakland participates in a Joint Terrorism Task Force with the FBI and “participates in the Bay Area Urban Area Security Initiative (UASI), a Department of Homeland Security program.” That’s why the idea that DAC has no relationship to fusion centers isn’t particularly realistic. UASI is one of the primary funders for the Northern California Regional Intelligence Center (NCRIC), the regional Bay Area fusion center.” What’s more, the Oakland Police Department in the past, and the Oakland Fire Department currently [PDF] staff the Northern California Regional Intelligence Center. We’re concerned that these relationships will undermine the policy—but we hope that the reporting requirements will help show whether or not information-sharing is actually happening.
Similarly, the policy didn’t directly address the problems with racial profiling outlined by Black, Arab, and Muslim Oakland residents at last year’s city council meetings—partly because the issue is so big that one policy about one piece of law enforcement technology could hardly begin to do so. Ultimately, though, the limitations on the DAC in the policy will hopefully restrain the ability of OPD to use it for racial profiling.
- Amend the city’s whistleblower ordinance so that anyone, not just employees, can report abuse, and increase the ways whistleblowers can report.
- Pass a new surveillance equipment ordinance, that would require “Informed public debate about any surveillance technology proposal prior to acquisition or pursuing funding,” something EFF and ACLU strongly recommend as law enforcement use of surveillance technology continues to spread.
Oakland’s Public Safety Committee will consider the policy tonight. From there, it will go to the entire city council for approval. If you support it, especially the pieces that require a city ordinance to be enacted to be effective, contacting the Committee, and the ultimately the entire Oakland City Council, is a good idea. We’ll also provide an update of what happens at the Public Safety Committee tonight.