<!DOCTYPE html>
Commissioners Chang, DeBone, and Adair:
I write in support of accountability tools for the Deschutes County Sheriff’s Office. Body-worn cameras, governed properly, serve the public interest. This Board knows that. What I am writing about today is what governing them properly actually requires — and what this two-page staff report does not address.
When the BOCC deferred Contract No. 2026-0327 on May 27, I submitted written comment identifying the absence of an ALPR policy as a threshold concern. In the two weeks since that deferral, nothing has changed on DCSO’s end. The agency’s published policy manual — available at sheriff.deschutes.org/about/administration/policies — has not been updated since September 23, 2025. It contains no ALPR-specific policy today.
In that same two-week window, two Oregon statutes have come into force that bear directly on this contract.
Oregon’s ALPR law is not aspirational guidance. It is mandatory statutory law.
Before deploying or using an automated license plate recognition system or captured license plate data, a law enforcement agency shall establish and publish policies and procedures governing that use — including authorized uses, data retention, access controls, audit requirements, and data sharing limitations consistent with the Act.
SB 1516 further provides that after March 31, 2026, a law enforcement agency may not enter into a new contract with an ALPR vendor unless the agency and the contract comply with the Act.
The fleet camera in this contract is the Axon Fleet 3. The contract also includes purchased licenses for Axon Auto-Transcribe (unlimited service, 105 units) and Axon Evidence Auto-Tagging (105 units) — software services that provide AI-powered analytics on footage, including vehicle and license plate recognition functions. These are active purchased line items, not future options. The staff report does not address whether these features will be activated or restricted, and no governing policy exists.
Compounding this: the Service Level Agreement attached to this contract provides that firmware updates to Axon devices “are pushed from Axon Cloud Services” and “customer interaction is not required.” Axon can activate or modify device capabilities — including Auto-Tagging and Auto-Transcribe — through a firmware push at any time after contract execution, without a separate authorization from DCSO or this Board. No policy governing that capability exists today.
Oregon SB 1587, Chapter 96, prohibits public bodies from disclosing personally identifiable information to a data broker unless the data broker provides a written attestation that the information will not be sold or transferred to any entity to enforce federal immigration law. This law took effect today — the same day this contract is scheduled for a vote.
I have reviewed the complete contract, including the Axon Cloud Services Privacy Notice attached as an exhibit. No SB 1587 attestation exists anywhere in this document. The privacy notice authorizes Axon to share data with “subsidiaries, legal entities, third party service providers and other partners” for product development, analytics, and security purposes, with no restriction on federal law enforcement access beyond what applicable law requires. The County should require a written SB 1587-compliant attestation from Axon — binding on Axon and its sub-processors — as a condition of contract execution.
In a February 14, 2026 letter to Senator Prozanski and the Senate Committee on Judiciary, Oregon State Chief Information Security Officer Ben Gherezgiher confirmed that while Axon’s platform is built on FedRAMP-authorized Microsoft Azure Government Cloud and meets CJIS security requirements, Axon does not employ end-to-end encryption architecture. As a SaaS provider, Axon maintains encryption keys on behalf of its law enforcement subscribers — meaning DCSO would not retain encryption keys to its own data.
The contract confirms this in structural terms. The Axon Cloud Services Privacy Notice attached to this contract designates Axon as the Data Controller — not DCSO — for all Non-Content Data generated under the contract. This includes device logs, usage patterns, system configurations, service interaction data, and application logs. For this entire category of data, Axon independently determines the purposes and means of processing. DCSO cannot direct how Axon uses it, restrict its disclosure, or require its deletion. Meeting security standards and controlling your own data are distinct conditions. The Board should acknowledge the latter explicitly and on the record before voting, not by silence.
The Axon Cloud Services Privacy Notice attached to this contract references “the Data Processing Agreement entered into between the parties” as the governing document for Axon’s processing of DCSO footage. That document is referenced twice as controlling. It is not attached to Contract No. 2026-0327. The Board is being asked to approve a $2.4 million contract that incorporates by reference a governing privacy document that is not before them.
The Service Level Agreement provides that firmware updates to Axon devices “are pushed from Axon Cloud Services” and “customer interaction is not required.” The SLA also requires that if remote access to DCSO’s environment is restricted, “Axon mandates the setup of a jump server or any other access solution” permitting Axon remote tools to access DCSO’s servers. Axon has contractual authority to push software changes to body cameras, fleet cameras, and Tasers, and to access DCSO’s network infrastructure, without a separate Board authorization.
The SLA’s definition of “Axon Cloud Services” explicitly includes “FUSUS services.” Fusus is Axon’s real-time crime center platform — it aggregates surveillance feeds from cameras, sensors, and third-party data sources into a unified dashboard. The privacy notice confirms Fusus collects motion, event, temperature, and ambient light data from device environments, as well as traffic data, location data, and logs from platform users. The staff report makes no mention of Fusus. The Board should understand what it is authorizing.
The December 2025 audit of DCSO’s existing body-worn camera program (Audit Report A0134, published December 1, 2025) is directly relevant to this vote. The Board is being asked to nearly triple the scope and cost of a program the auditor could not fully evaluate — because DCSO refused to provide access to footage.
The auditor’s primary objective was to verify that deputies were recording interactions as required by policy. DCSO denied access, citing County Legal advice that internal audit review does not constitute a “legitimate law enforcement purpose” under ORS 133.741. No supporting documentation — no memo, no case citations — was provided. The County Internal Auditor could draw no conclusion about whether DCSO deputies are actually recording interactions as required. That gap is unresolved today.
The staff report characterizes the audit as having “identified operational, regulatory, and policy improvements which cannot be met by the current vendor” — framing it as a procurement justification. That characterization omits the scope impairment, the refused footage access, and management’s formal written disagreement with the recommendation to publish program statistics publicly. The Board deserves the full picture.
Beyond the scope impairment, the audit identified four substantive findings:
Quarterly reports not published, preserved, or evaluative (Recommendations 1–3). Reports are issued internally but are not public, not preserved as evidence, and not designed to evaluate program effectiveness. Sheriff Rupert’s management response formally disagrees with the recommendation to publish these reports — the only outright disagreement in the entire management response. That is a stated policy position against public transparency, in writing, six months before this Board votes to expand the program significantly.
Supervisor review not occurring consistently (Recommendation 4). In the July–September 2025 period, 42 percent of deputies had fewer than the two supervisor reviews per quarter required by policy added in March 2025.
Information security controls fell short of CJIS standards (Recommendations 6–7). Password requirements, session lockouts, account setup, temporary access, and inventory controls all fell short. No policies and procedures manual exists for the camera information system. Resolution is targeted for June 30, 2027 — contingent on vendor selection. The vendor being selected is the subject of today’s vote.
Public records requests resulted in zero releases (Recommendation 5). In the auditor’s sample of ten requests, no footage was released — primarily because redaction costs ranging from $86 to $2,315 per request led requesters to abandon them. The program is functionally opaque to the public.
This Board is being asked to expand a program whose accountability mechanisms are incomplete, whose security controls are deficient by the auditor’s own findings, and whose management has formally declined to publish program statistics publicly. The audit’s unresolved recommendations are not a reason to reject this contract — but they are a reason to condition it.
-
1
Require on-the-record confirmation, before voting, of whether the Auto-Tagging and Auto-Transcribe licenses included in this contract encompass license plate recognition or vehicle analytics functions, and whether DCSO intends to activate those capabilities. -
2
Condition any activation of fleet camera ALPR or vehicle analytics capability on the prior adoption of a written, published, SB 1516-compliant ALPR policy. This is not a discretionary request — it is what Oregon law requires. -
3
Treat ALPR activation as a Board-level policy decision requiring separate authorization, public notice, and a policy in place before deployment — not an administrative implementation decision. Note that Axon’s SLA permits firmware-based feature activation without customer authorization; the Board should close that gap contractually. -
4
Require Axon to provide a written attestation compliant with Oregon SB 1587 (Chapter 96, 2026) before contract execution, confirming that personally identifiable information stored on the platform — including through Axon’s sub-processors — will not be transferred to any entity for federal immigration enforcement purposes. -
5
Require the missing Data Processing Agreement to be provided, reviewed by County Legal Counsel, and made available to the Board before the contract is executed. The contract references this document twice as governing DCSO’s footage — it is not attached to the packet before you today. -
6
Direct staff to provide the Board with a written status report on all seven recommendations from Audit Report A0134 — specifically which are implemented, which are in progress, and which have been declined — before the expanded contract goes live.
The community showing up today is asking this Board to govern this technology — not just purchase it. These asks are grounded in Oregon law, the contract itself, and the County’s own audit record.
Respectfully submitted,
Leave a Reply