Author: Jonathan

  • Public Comment — May 27 Agenda Item #6, Contract No. 2026-0327

    Dear Chair Chang, Vice Chair DeBone, and Commissioner Adair:

    I am writing on behalf of Bend Privacy Alliance regarding Action Item #6 on the May 27, 2026 Board agenda: authorization of Contract No. 2026-0327, a five-year, $2,412,669 agreement with Axon for body-worn cameras, Tasers, and fleet cameras for the Deschutes County Sheriff’s Office.

    I understand that body-worn cameras and fleet cameras can serve legitimate public-safety, evidence, and accountability purposes. My concern is not with cameras in the abstract.

    My concern is that this procurement is not simply an equipment replacement. It is a five-year commitment to a digital-evidence and cloud technology platform that may include, enable, or allow later activation of ALPR, AI tools, analytics, data-sharing functions, and vendor-controlled system settings.

    The Board should not be asked to approve that kind of system without a clear public record of what is included, what is excluded, and what cannot be enabled later without separate public approval.

    The December 2025 audit should be treated as a prerequisite document

    The December 2025 Deschutes County Internal Audit should be treated as a prerequisite document for this vote.

    The audit found that DCSO’s existing body-worn and in-car camera program had a solid foundation, but needed improved oversight and reporting. It found that camera reporting was not published, replicable, or evaluative; supervisors were not consistently reviewing footage according to policy; public-records tracking was incomplete; and information-security controls fell short.

    Most importantly, auditors could not independently verify whether deputies consistently recorded and categorized footage because DCSO did not provide access to footage for audit review.

    The County should not approve a more complex Axon cloud ecosystem unless the contract and implementation plan directly address those audit findings.

    The ALPR question should be answered before approval

    The most urgent issue is ALPR.

    DCSO spokesperson Jason Carr recently told The Source Weekly that the Sheriff’s Office does not currently use ALPR. However, the staff report refers generally to “fleet cameras” and does not identify the specific Axon fleet-camera model, software modules, or activation rights included in the contract.

    Axon’s Fleet 3 system is publicly described as having ALPR capability, and Axon states that Fleet 3 ALPR can be activated as a subscription through Axon Evidence without additional equipment.

    That matters because SB 1516 took effect in Oregon on March 31, 2026.

    If this contract includes ALPR-capable hardware, ALPR software, or the ability to enable ALPR later, the County should demonstrate before approval how the contract complies with SB 1516’s requirements for captured license plate data, vendor restrictions, retention, sharing limits, audits, public reporting, and end-to-end encryption.

    Encryption and vendor access need clarification

    This is not theoretical.

    Oregon’s Chief Information Security Officer testified that under Axon’s cloud architecture, “each law enforcement agency service subscriber does not retain encryption keys to their own data.”

    SB 1516 requires ALPR data to be encrypted using, at minimum, end-to-end encryption, but the practical meaning of that requirement is still developing.

    Before entering a new five-year Axon agreement with any ALPR capability or activation rights, the County should clarify who controls encryption keys, who can decrypt ALPR data, and whether Axon or any subcontractor retains technical access.

    Other jurisdictions show why technical compliance should not be assumed

    Other jurisdictions have already faced this problem.

    In March 2026, the Pierce County, Washington Sheriff’s Office reportedly deactivated approximately 200 Axon Fleet 3 ALPR cameras after concluding that its system could not be operated in compliance with Washington’s new ALPR privacy law.

    Oregon’s law is different, but the lesson is directly relevant: technical compliance with ALPR privacy laws should not be assumed. It should be demonstrated before approval or activation.

    Recent Oregon examples show why defaults and sharing settings matter

    Recent events in Oregon also show why this matters.

    Federal immigration authorities reportedly queried Bend PD’s Flock Safety ALPR database 279 times in three weeks after a vendor default setting was not disabled.

    The Rural Organizing Project has also filed litigation alleging that federal immigration authorities were able to query Oregon State Police systems through LEDS/NLETS; OSP denies the allegations, and the litigation is pending.

    These examples show why vendor defaults, interagency access, and data-sharing settings need to be addressed before surveillance technology is deployed.

    Existing policies do not appear to answer the ALPR question

    DCSO’s existing policies are helpful, but they do not appear to answer the ALPR question.

    • Policy 8.21 governs body-worn and in-vehicle incident recording, not bulk license plate scanning of uninvolved drivers.
    • Policy 4.30 governs LEDS, NCIC, and CCH access, but does not appear to govern automated plate scans or hotlist matching.
    • Policy 4.35 governs generative AI, but does not appear to govern ALPR, vehicle classification, or computer-vision analytics.
    • Policy 4.15 governs digital media as evidence, but does not appear designed for continuous or bulk vehicle-location collection.

    Questions the Board should require answers to before voting

    Before voting, I respectfully ask the Board to require clear answers to five questions:

    1. What specific Axon products, fleet-camera model, software modules, cloud services, and activation rights are included in Contract No. 2026-0327?
    2. Does the contract include ALPR-capable hardware, ALPR software, hotlist matching, vehicle analytics, searchable vehicle-location data, or any ability to activate those functions later?
    3. If ALPR capability is included or can be enabled later, how does the contract comply with SB 1516, including encryption, retention, search logs, vendor restrictions, audits, public reporting, and data-sharing limits?
    4. Are any Axon AI tools included, licensed, enabled, or available through this contract, including Draft One, Policy Chat, AI transcription, AI redaction, summarization, report writing, predictive analytics, or any tool that analyzes body-camera, fleet-camera, audio, video, report, or evidence data?
    5. What limits will apply to interagency sharing, federal access, out-of-state access, vendor access, subcontractor access, and default settings that could allow data to be shared beyond DCSO?

    Requested Board action

    I respectfully ask the Board to take one of three actions:

    First

    Defer authorization until these questions are answered, any ALPR-specific policy is developed if ALPR is included or available, and the internal audit referenced in the staff report is made available or publicly summarized.

    Second

    Sever the fleet-camera portion from the body-worn camera and Taser portions and authorize only the latter two while the County resolves the ALPR, AI, SB 1516, and sharing questions.

    Third

    At minimum, condition approval with clear motion language stating that:

    • No ALPR, license-plate recognition, hotlist matching, vehicle analytics, or searchable vehicle-location data may be enabled without separate public notice, policy review, SB 1516 compliance analysis, and Board approval.
    • No Axon AI, AI-assisted report writing, AI transcription, predictive analytics, biometric analytics, facial recognition, or new cloud analytics module may be enabled without separate public notice, policy review, and Board approval.
    • All access, searches, exports, downloads, sharing, retention changes, deletion activity, and vendor-support access must be logged and auditable.
    • Vendor default settings allowing federal, out-of-state, or third-party sharing must be disabled at the contract or administrator level unless separately approved by the Board.
    • The County must publish a plain-language privacy impact summary before deployment and provide annual public reporting on system use, access audits, sharing activity, retention/deletion compliance, complaints, policy violations, and any AI, ALPR, or analytics tools enabled.

    Conclusion

    Body-worn and fleet cameras may improve accountability, but only if the surrounding data system is governed by clear limits, public transparency, enforceable retention rules, strong audit logs, and meaningful restrictions on secondary use.

    The Board should not authorize privacy-sensitive capabilities that have not been clearly disclosed, governed by policy, and shown to comply with Oregon law.

    Thank you for your consideration. I plan to attend the May 27 meeting and am available to discuss any of the above at the Board’s convenience.

    Respectfully,

    Jonathan

  • Comments on Bend Police Department Policy 428 — Automated License Plate Readers

    Councilors,

    Attached are my detailed comments on Bend Police Department Policy 428, dated May 15, 2026, along with a one-page summary of requested amendments and Exhibit A, a section-by-section comparison of SB 1516 and Policy 428.

    My central concern is that Policy 428 has two separate problems.

    First, the policy contains specific operational and textual gaps that should be closed before adoption — places where the policy authorizes uses broader than the statute permits, omits required vendor contract terms, or fails to require audit and logging fields the statute requires the operative documents to contain.

    Second, even where the policy fits within SB 1516, it adopts the broadest uses state law still allows rather than a narrower local standard appropriate for Bend.

    SB 1516 is the statutory floor for ALPR use in Oregon — it is not the ceiling for local privacy protection.

    The clearest example is the parking-use authorization. SB 1516 §4(2)(g) permits ALPR use for “regulating the use of parking facilities” — one bounded purpose. Policy 428.3 expands this to “parking regulation and the management of parking facilities” — two distinct authorizations joined by “and.”

    That is the operative permission on the face of the document and cannot be cured by deference to state law.

    The attached letter identifies similar operational gaps in the policy’s required vendor contract terms, including missing CJIS Security Addendum execution and security-incident notification language; the monthly vendor audit fields, including missing the per-search detail SB 1516 §6(1)(i) requires; and the outside-agency search log, including the missing cameras-accessed field SB 1516 §5(2)(b)(C) requires.

    It also addresses SB 1516 §5(2)(b)’s substantive scope limits on outside-agency sharing — “limited to data relevant” and “no unrestricted or ongoing access” — which are independent of the prohibited-purpose list in Policy 428.6.3 and worth operationalizing through the written request-certification process described in Part II.

    The letter also describes eighteen local strengthenings grouped into seven categories:

    • administrative-use limits,
    • sensitive-location and occupant protections,
    • outside-agency controls,
    • retention and historical-search limits,
    • vendor and cybersecurity controls,
    • public accountability and complaint redress, and
    • Council-approval requirements.

    Each is consistent with SB 1516; none asks the City to use ALPRs in a way state law prohibits.

    I respectfully ask Council not to treat Policy 428 as final until Bend PD closes the operational and textual gaps identified in the letter and Exhibit A, and until Council considers stronger local safeguards.

    I would also encourage Council to advance the broader Bend Surveillance Technology Accountability, Privacy, and Civil Rights Ordinance so future surveillance technologies are not added in piecemeal department-policy form without public notice and Council approval.

    I am happy to answer questions, provide further clarification, or discuss any of the items in the attached materials at the Council’s convenience. I can be reached at

    Thank you for your time and consideration.

    Sincerely,

    Jonathan

    Attachments

    The documents attached to my email to Council are available below:

  • Oregon Data Centers: Who Benefits, Who Pays?

    Oregon Data Centers: Who Benefits, Who Pays?

    A video discussion about Oregon data centers, public costs, and local accountability.

    This video discusses the rapid expansion of data centers in Oregon and the questions local communities should be asking before these projects move forward.

    Data centers are often presented as economic development projects, but they also raise serious public-interest questions. They can require large amounts of electricity, water, land, infrastructure, and tax support. When those costs are spread across communities, residents deserve to understand who benefits, who pays, and what safeguards are in place.

    The issue is not whether the internet, cloud services, or artificial intelligence require physical infrastructure. They do. The issue is whether Oregon communities are being asked to absorb the costs while private companies receive the long-term benefits.

    Why this matters

    Data centers are not just buildings. They are major infrastructure decisions. They can affect electric grids, water systems, land use, tax revenue, utility planning, climate goals, and local budgets.

    Before Oregon cities and counties approve or subsidize large data center projects, residents should have clear answers about:

    • How much electricity the project will require;
    • Whether residential or small-business utility customers could see higher costs;
    • How much water the facility will use;
    • Whether the project receives tax breaks or public incentives;
    • How many permanent local jobs will actually be created;
    • What environmental impacts have been reviewed;
    • Whether emergency services, roads, substations, or other public infrastructure will need upgrades; and
    • How the public will be able to monitor compliance over time.

    Communities should not have to accept vague promises in place of enforceable protections. If a project requires public resources, public infrastructure, or public subsidies, then the public deserves transparency.

    A local government issue

    These decisions often happen through zoning changes, utility agreements, tax exemptions, enterprise zones, development agreements, and infrastructure planning. That means city councils, county commissions, planning departments, and state lawmakers all have a role to play.

    Oregon residents should be able to ask basic questions before approval, not after the project is already locked in.

    Data centers may be part of the modern economy, but that does not mean every proposal deserves automatic approval. Growth should come with accountability, measurable public benefit, and protections for the communities being asked to host this infrastructure.

    Watch the video here:
    Data Centers: They Win, We Lose

  • Speaking to Bend City Council About Axon and Police Accountability

    Speaking to Bend City Council About Axon and Police Accountability

    A public comment on police technology, public safety, and accountability.

    This video shows my public comment to Bend City Council regarding two connected concerns: the proposed expansion of Axon police technology and the police response after a bullet was fired into my mother’s apartment.

    My concern is not only whether new policing tools are useful. It is whether the City has strong enough oversight, transparency, auditing, data protections, and accountability in place before expanding police technology contracts.

    The same public safety system that asks residents to trust expanded technology must also be able to respond clearly, urgently, and accountably when a bullet enters someone’s home. That experience shaped why I believe Bend should slow down, ask harder questions, and build stronger safeguards before expanding surveillance or police technology systems.

    Why this matters

    Police technology decisions are not just purchasing decisions. They shape how public safety works, how data is collected, how evidence is handled, and how residents are asked to trust government systems.

    Before expanding Axon or any similar system, Bend should have clear answers about:

    • What data will be collected;
    • Who can access it;
    • How long it will be retained;
    • How searches and usage will be audited;
    • How errors, misuse, or weak responses will be reviewed; and
    • How residents will know whether these systems are actually improving safety.

    Technology can support public safety, but it cannot replace accountability. In fact, the more powerful the technology becomes, the stronger the oversight needs to be.

    Watch the public comment here:
    Speaking to Bend City Council about Axon expansion and police accountability

  • Proposed amendment to BC 1.20.015(I) — Exhibit A, Item 5

    Mayor and Councilors,

    Thank you for the opportunity to comment on Exhibit A to Agenda Item 5 from the May 20 Business Meeting. I have one targeted suggestion for BC 1.20.015(I), City Manager Advisory Groups.

    As drafted, subsection (I) creates a category of informal or structured advisory groups, including technical advisory groups, focus groups, task forces, evaluation teams, and steering committees, that may or may not be subject to Oregon Public Meetings Law depending on the group’s role and authority.

    For surveillance-related work, that distinction matters. Vendor evaluation, pilot deployment, policy scoping, and early procurement recommendations often occur before a formal Council vote. If those discussions happen in informal structures that are not treated as public meetings, the public may not have meaningful visibility until the major choices have already been shaped.

    A narrow carve-out would close that gap without disturbing the rest of Chapter 1.20.

    Proposed addition to the end of BC 1.20.015(I):

    «Notwithstanding the foregoing, any group or committee created under this subsection whose scope includes the evaluation, selection, procurement, deployment, oversight, or policy governance of surveillance technology shall comply with the notice, access, minutes, and other open-meeting requirements of Oregon Public Meetings Law, regardless of whether the group or committee makes a recommendation to the City Council or another advisory body.»

    Recommended companion definition, added to BC 1.20.005 or incorporated by reference:

    «“Surveillance technology” means any electronic device, system, hardware, software, or hosted software solution used, designed, or primarily intended to collect, retain, analyze, process, or share audio, visual, biometric, location, or other data associated with identifiable individuals or groups. The term includes, without limitation, automated license plate readers, facial recognition systems, body-worn and fixed-location cameras with analytic capability, drones and aerial surveillance platforms, cell-site simulators, social media monitoring tools, predictive policing software, and data aggregation or fusion platforms. The term does not include standard office productivity software, routine IT security tools, or city-operated infrastructure cameras used solely for traffic signal operation.»

    The “notwithstanding” construction is intended to make this a narrow exception to the discretionary language earlier in subsection (I), without requiring broader changes to Chapter 1.20. The verb list is intentionally broad enough to cover the full procurement and policy lifecycle. The definition is also modeled on language used in comparable surveillance oversight ordinances adopted in cities such as Oakland, Seattle, and Cambridge.

    Respectfully,

    Jonathan

  • Questions Bend Residents Can Ask Council

    Questions Bend Residents Can Ask Council

    Part 10 of the Bend Surveillance Oversight series.

    You do not need to be a surveillance expert to ask reasonable questions about public technology.

    If a city uses tools that collect, store, search, analyze, or share public data, residents have a right to understand how those tools are governed.

    That applies to body cameras, fleet cameras, automated license plate readers, drones, traffic enforcement cameras, digital evidence systems, AI tools, real-time information platforms, and any other technology that affects public privacy, public records, or public accountability.

    The goal is not to attack City staff or police.

    The goal is simple:

    Public safety technology should answer to public rules.

    1. What systems exist?

    • What surveillance technologies does Bend Police currently use?
    • What systems are being considered for future use?
    • Which systems are active now?
    • Which systems are approved but not yet active?
    • Which systems are optional add-ons or future capabilities?
    • Which vendors are involved?
    • Are there third-party vendors, subcontractors, cloud providers, or software modules the public should know about?
    • Is there a plain-language public inventory residents can read?

    2. What data is collected?

    • Does the system collect video?
    • Does it collect audio?
    • Does it collect license plate data?
    • Does it collect location data?
    • Does it collect metadata?
    • Does it collect biometric data?
    • Does it analyze faces, vehicles, objects, movement, behavior, or patterns?
    • Is any data analyzed by AI or automated tools?
    • Are any features disabled but technically available?

    3. Where does the data go?

    • Where is the data stored?
    • Is it stored on City systems or vendor-controlled cloud systems?
    • Does the City own and control the data?
    • Can vendors access the data?
    • Can vendors process, export, or analyze the data?
    • Are cloud providers or subprocessors involved?
    • Can data be stored outside Oregon?
    • Can data be stored outside the United States?
    • What happens to the data when the contract ends?

    4. How long is the data kept?

    • What is the default retention period for each system?
    • Is non-evidence data automatically deleted?
    • Is non-hit ALPR data deleted quickly?
    • Who can extend retention?
    • What justification is required to extend retention?
    • Are retention changes logged?
    • Are retention settings audited?
    • Does the City publish retention rules publicly?

    5. Who can search the data?

    • Who has access to each system?
    • Are users limited by role?
    • Can every officer search the system?
    • Can supervisors search it?
    • Can dispatch search it?
    • Can prosecutors access it directly?
    • Can vendors access it?
    • Can outside agencies access it?
    • Are searches required to include a case number or incident number?
    • Are searches required to include a purpose?
    • Are all searches logged?
    • Are search logs audited?
    • What happens if someone searches improperly?

    6. Can outside agencies access it?

    • Can federal agencies access Bend surveillance data?
    • Can out-of-state agencies access it?
    • Can regional law enforcement systems access it?
    • Can fusion centers access it?
    • Can private companies access it?
    • Can vendors respond directly to outside requests?
    • Does the City require case-specific legal process before sharing?
    • Does the City require written authorization before sharing?
    • Does the City publish annual data-sharing statistics?
    • Can the City deny outside requests?
    • Can the City audit outside access?

    7. Can vendors activate new features?

    • Can vendors activate new AI features?
    • Can vendors activate analytics features?
    • Can vendors activate biometric tools?
    • Can vendors activate ALPR features?
    • Can vendors activate real-time monitoring?
    • Can vendors change retention settings?
    • Can vendors change data-sharing settings?
    • Does Council approval happen before new capabilities are enabled?
    • Does the public receive notice before major feature changes?
    • Are disabled features independently verified?

    8. What about facial recognition and biometrics?

    • Does Bend use facial recognition?
    • Does Bend plan to use facial recognition?
    • Do any current systems have facial recognition capability?
    • Are biometric features disabled?
    • Who verifies that they are disabled?
    • Would Council approval be required before biometric features are activated?
    • Would the public receive notice?
    • Would there be legal review and technical review first?

    A simple local rule would be:

    No facial recognition or biometric identification without explicit public approval.

    9. What about AI police reports?

    • Does Bend use AI-assisted police reports?
    • Does Bend plan to use AI-assisted police reports?
    • If AI is used, are original AI drafts preserved?
    • Are officer edits logged?
    • Does the final report disclose AI assistance?
    • Are prosecutors notified when AI was used?
    • Can defense attorneys obtain AI drafting records through normal discovery?
    • Can the vendor use Bend data to train AI models?
    • Has the system been independently audited?
    • Are serious incidents excluded or subject to extra safeguards?

    A simple local rule would be:

    No AI-generated police report without an audit trail.

    10. What oversight exists?

    • Has the City conducted an independent technical audit?
    • Does each system have a public use policy?
    • Does each system have a public retention policy?
    • Does each system have a public sharing policy?
    • Are complaints tracked?
    • Are violations reported publicly in aggregate?
    • Does Council review surveillance systems before renewal?
    • Does the City publish annual transparency reports?
    • Are total annual costs publicly reported?
    • Are future renewals and expansions clearly identified?

    11. What safeguards will Bend adopt?

    • Will Bend adopt a surveillance technology ordinance?
    • Will Bend require Council approval before acquisition or expansion?
    • Will Bend publish a public inventory of all surveillance technologies?
    • Will Bend require public use policies before deployment?
    • Will Bend set short retention limits?
    • Will Bend require logged searches with case numbers?
    • Will Bend restrict federal and third-party sharing?
    • Will Bend prohibit facial recognition without explicit public approval?
    • Will Bend require independent technical audits?
    • Will Bend require annual public transparency reports?
    • Will Bend prohibit vendors from activating new capabilities without City approval?
    • Will Bend require public review before contract renewal?

    A short version residents can send

    Residents who want to keep it simple can ask Council this:

    Before Bend expands police surveillance technology, will the City publish a plain-language inventory of all systems, identify what data each system collects, explain where the data is stored, disclose retention periods, require logged searches with case numbers, restrict federal and third-party sharing, prohibit facial recognition without explicit public approval, and require annual public transparency reports?

    These are not anti-police questions.

    They are public governance questions.

    If a technology is powerful enough to collect, search, store, analyze, or share public data, it is powerful enough to deserve public rules.

    Bend residents deserve clear answers before police surveillance systems expand.

    Further reading

    Series links

  • What Reasonable Safeguards Would Look Like in Bend

    What Reasonable Safeguards Would Look Like in Bend

    Part 9 of the Bend Surveillance Oversight series.

    This does not have to be a yes-or-no fight over police technology.

    Bend can support legitimate public safety tools while still requiring strong public oversight.

    The real question is not whether technology should ever be used.

    The real question is whether powerful systems are governed by clear public rules before they expand.

    Body cameras, fleet cameras, ALPRs, drones, traffic enforcement cameras, digital evidence systems, AI tools, and real-time information platforms all raise different questions.

    But they also share a common issue:

    They collect, store, search, analyze, or share public data.

    That means Bend should have a citywide surveillance technology policy.

    Not a vague promise.

    Not vendor assurances.

    Not scattered contract language.

    Not internal rules that residents cannot easily find.

    A clear public framework.

    1. Public inventory of surveillance technologies

    Bend should publish a plain-language inventory of all police surveillance technologies.

    That inventory should identify:

    • the technology name,
    • the vendor,
    • the department using it,
    • the purpose of the system,
    • what data it collects,
    • where the data is stored,
    • how long the data is retained,
    • who can access it,
    • whether outside agencies can access it,
    • whether vendors or subcontractors can access it, and
    • whether any AI, biometric, analytics, or automated decision features are enabled or available.

    Residents should not need to search scattered agendas, contracts, staff reports, and vendor documents to understand what systems exist.

    2. Council approval before acquisition or expansion

    Bend should require Council approval before any department acquires, renews, expands, or materially changes surveillance technology.

    That should include new tools, new vendors, major software modules, AI features, biometric capabilities, data-sharing expansions, and contract amendments that materially change what a system can do.

    Public approval should happen before deployment, not after the system is already operating.

    3. Public use policy before deployment

    Every surveillance technology should have a public use policy before it is deployed.

    That policy should explain:

    • the approved purpose,
    • allowed uses,
    • prohibited uses,
    • data collection rules,
    • retention rules,
    • access rules,
    • sharing rules,
    • audit procedures,
    • disciplinary consequences for misuse, and
    • how residents can find annual reports.

    The public should be able to read the rules before the technology is used.

    4. Short retention for non-evidence data

    Data retention should be limited.

    For non-evidence data, the default should be deletion after a short period unless the data is tied to a specific, documented case.

    For ALPR data, I would support a default rule like this:

    Non-hit ALPR data should automatically delete within 72 hours unless it is tied to a documented case, warrant, stolen vehicle, active investigation, or legally valid evidentiary need.

    Short retention allows legitimate use while reducing the risk that ordinary residents’ movements become long-term searchable records.

    5. Logged searches with case numbers

    If a system can be searched, every search should be logged.

    The log should identify:

    • who searched,
    • when they searched,
    • what they searched,
    • why they searched,
    • the case number or incident number,
    • whether the search produced a result, and
    • whether the result was shared.

    Search logs protect the public from misuse.

    They also protect officers who use the system properly.

    6. Limits on federal, out-of-state, private, and vendor access

    Local surveillance data should not become outside-agency data by default.

    Bend should limit access by federal agencies, out-of-state agencies, private companies, vendors, subcontractors, fusion centers, and other third parties.

    Access should require a documented purpose, legal authority, written authorization, and an auditable record.

    Broad sharing, informal access, and bulk access should be prohibited unless explicitly approved through a public process and consistent with law.

    7. No facial recognition or biometric identification without explicit approval

    Bend should prohibit facial recognition, biometric identification, biometric analytics, or similar identity-matching tools unless Council explicitly approves them after public notice, public debate, legal review, and technical assessment.

    If a system is technically capable of biometric analysis but the City says the feature is disabled, that should be independently verified.

    Disabled features should not become active through a quiet software update or vendor configuration change.

    8. AI report-writing rules

    If Bend ever uses AI to help draft police reports, the City should require strict auditability.

    The basic rule is simple:

    No AI-generated police report without an audit trail.

    That means preserving original AI drafts, officer edits, source transcripts, timestamps, final reports, supervisor edits, and disclosure that AI was used.

    Prosecutors and defense attorneys should be able to obtain relevant records through normal legal processes.

    9. Independent technical audits

    Bend should not rely only on vendor assurances.

    The City should require independent technical audits of surveillance systems.

    Audits should verify:

    • enabled features,
    • disabled features,
    • retention settings,
    • sharing settings,
    • access controls,
    • security controls,
    • vendor access,
    • subprocessor access, and
    • compliance with City policy.

    Trust is strongest when systems can be independently checked.

    10. Annual public transparency reports

    Bend should publish annual surveillance transparency reports.

    Those reports should include:

    • what systems were used,
    • what new systems were acquired,
    • how many searches occurred,
    • how many outside requests were received,
    • how many requests were approved or denied,
    • how many audits were performed,
    • whether misuse was found,
    • whether any new features were activated,
    • whether policies changed, and
    • what the total annual costs were.

    Transparency reports do not need to reveal sensitive case details.

    They should provide enough aggregate information for residents and elected officials to know whether the rules are working.

    11. Contract terms that match public policy

    Contracts should not undermine policy.

    If Bend adopts public rules, vendor contracts should match those rules.

    Contracts should prohibit vendors from changing settings, enabling features, expanding sharing, using data for product development, or using local public safety data for AI training unless the City explicitly approves it through the required public process.

    Good policy should be backed by enforceable contract language.

    12. Public review before renewal

    Surveillance technology should not renew automatically without public review.

    Before renewal, the City should publish a report explaining how the system was used, whether it met its stated purpose, what it cost, whether misuse occurred, whether audits were completed, and whether stronger safeguards are needed.

    Renewal should be a public decision, not an automatic default.

    The basic framework

    A reasonable Bend surveillance policy could be summarized like this:

    • Tell the public what systems exist.
    • Require approval before expansion.
    • Limit retention.
    • Log searches.
    • Restrict sharing.
    • Control vendor access.
    • Ban biometric use without explicit approval.
    • Audit AI tools.
    • Verify systems independently.
    • Report to the public every year.

    That is not anti-police.

    That is responsible governance.

    Powerful public safety tools should answer to public rules.

    Further reading

    Series links

  • Other Cities Are Already Asking Better Questions

    Other Cities Are Already Asking Better Questions

    Part 8 of the Bend Surveillance Oversight series.

    Bend does not need to invent police surveillance oversight from scratch.

    Other cities are already asking the same basic questions:

    • Who approves surveillance technology before it is used?
    • What data is collected?
    • How long is it kept?
    • Who can search it?
    • Can outside agencies access it?
    • Can vendors change settings or activate new features?
    • Does the public receive annual reports?
    • Can elected officials review the system before it expands?

    That is the important lesson.

    The issue is not whether every city has reached the same conclusion.

    They have not.

    The issue is that communities across the country are realizing that police technology should not expand faster than public oversight.

    Austin: surveillance technology should require public rules

    Austin offers one useful model.

    In February 2026, the Austin City Council passed a resolution called the Transparent and Responsible Use of Surveillance Technology Act, or TRUST Act.

    The resolution directed the City Manager to return with an ordinance regulating the adoption, acquisition, deployment, use, and review of surveillance technology by city departments.

    That matters because it shifts the question from one contract at a time to a broader public framework.

    Bend could take the same approach.

    The public question should not only be whether a single contract sounds reasonable.

    The broader question should be what rules apply before surveillance technology is acquired, expanded, renewed, or materially changed.

    Mountain View: vendor assurances were not enough

    Mountain View, California offers another useful lesson.

    In January 2026, the City publicly stated that it had discovered unauthorized queries and potential access to Mountain View ALPR data.

    The City said Police Department staff had met with Flock Safety leadership about “the security and control of our data,” and said it was “upset and disappointed with how our data was accessed.”

    That example matters because it shows why vendor assurances are not enough.

    The lesson for Bend is simple:

    Do not wait for a data-sharing problem before creating data-sharing rules.

    Pima County: cost and AI concerns can cross political lines

    Pima County, Arizona offers another example.

    Reporting in early 2026 described the Pima County Board of Supervisors rejecting a proposed $45 million contract expansion involving Axon technology and AI tools.

    Reported concerns included cost, AI expansion, and whether the investment made sense for the Sheriff’s Department.

    That example matters because surveillance oversight is not only a privacy issue.

    It is also a budget issue.

    Public safety dollars are limited.

    Every dollar spent on bundled technology, AI tools, cloud subscriptions, hardware refreshes, and add-on features is a dollar not spent somewhere else.

    That does not mean technology is never worth funding.

    It means elected officials should ask hard questions before long-term commitments become automatic.

    Ferndale: public pressure can lead to stronger oversight

    Ferndale, Michigan offers another useful example based on reporting about local ALPR oversight discussions.

    Reporting described residents raising concerns about license plate reader expansion and city officials discussing stronger policies.

    That is important because public oversight often improves when residents ask specific, grounded questions.

    Community engagement does not have to stop technology.

    It can improve the rules that govern technology.

    The pattern is bigger than one vendor

    This is not only about Axon.

    It is not only about Flock.

    It is not only about ALPRs.

    It is not only about body cameras.

    It is not only about AI.

    The larger issue is how cities govern powerful surveillance systems once cameras, cloud storage, software subscriptions, data-sharing, analytics, and vendor platforms become part of public safety operations.

    A city can support public safety and still insist on public oversight.

    Those goals are not opposites.

    What Bend can learn

    Bend can learn at least five things from other cities.

    1. Oversight should happen before deployment or expansion, not after controversy.
    2. Citywide rules are better than one-off contract debates.
    3. Data-sharing limits should be explicit and enforceable.
    4. Vendors should not be the only source of truth about how systems work.
    5. Annual public reporting builds trust without exposing sensitive case details.

    These examples do not prove that Bend has the same problems.

    They show why Bend should adopt safeguards before problems occur.

    Bend can ask better questions now

    Police technology can be useful.

    But useful tools still need rules.

    If other cities are asking stronger questions about surveillance technology, Bend can too.

    The question is not whether Bend should copy another city word for word.

    The question is whether Bend should create its own public framework before future expansions become harder to unwind.

    Better questions today can prevent harder problems tomorrow.

    Further reading

    Series links

  • Why Federal and Third-Party Sharing Matters

    Why Federal and Third-Party Sharing Matters

    Part 7 of the Bend Surveillance Oversight series.

    In the last post, I wrote about why ALPR scans are location records.

    A license plate reader does not just capture a plate number.

    It creates a record that a specific vehicle was seen at a specific place at a specific time.

    But there is a second question that matters just as much:

    Once a city collects surveillance data, does that data stay local?

    That question applies to ALPRs, body cameras, fleet cameras, drone video, real-time information platforms, traffic cameras, evidence systems, and other police technology.

    The concern is not only what Bend collects.

    The concern is who else can access it.

    Local data can become outside-agency data

    A resident may feel differently about local police using a tool for a specific local purpose than they do about that same data becoming available to state agencies, federal agencies, out-of-state agencies, fusion centers, private vendors, or other third parties.

    Public consent for one local use should not be treated as consent for every future use.

    That is why data-sharing rules should be explicit before technology expands.

    Local data should not become outside-agency data by default.

    The policy should be explicit

    Data-sharing rules should not be vague.

    A policy that says information may be shared “for law enforcement purposes” may sound reasonable, but it can be extremely broad.

    A stronger policy should say exactly:

    • who may access the data,
    • for what purpose,
    • under what legal authority,
    • with whose approval,
    • with what documentation,
    • for how long,
    • whether access is logged,
    • whether the public will receive aggregate reporting, and
    • whether the request can be denied.

    If the policy does not clearly prohibit broad sharing, residents cannot know where local surveillance data may eventually go.

    That uncertainty is the problem.

    Federal access requires special caution

    Federal access deserves special attention because federal priorities can change quickly.

    Local residents may support local public safety uses while objecting to unrelated federal uses, especially if those uses involve immigration enforcement, political activity, protests, reproductive health travel, religious activity, or other sensitive areas.

    A strong policy would say:

    Bend surveillance data may not be shared with federal agencies unless there is case-specific legal process, written City authorization, a documented local purpose, and an auditable record.

    That rule would not prevent lawful cooperation in a serious case.

    It would prevent broad, informal, or routine access.

    Vendor access is also third-party access

    Third-party sharing is not only about government agencies.

    Vendors are third parties too.

    If a private company hosts police data, maintains the software, provides analytics, troubleshoots systems, stores video, processes license plate reads, or manages user access, that company may have some level of technical access to the system.

    That access should be limited, logged, and auditable.

    Vendor access should never be a black box.

    Contracts should clearly define when a vendor can access data, what the vendor can do with it, whether subcontractors are involved, whether data can be used for product development or AI training, and how the City verifies compliance.

    Outside sharing can create long-term consequences

    Once data leaves a local system, it may be harder to control.

    It may be copied, retained, searched again, combined with other databases, or used for purposes residents never debated locally.

    That is why sharing limits need to be set before sharing occurs.

    The point is not to block legitimate, case-specific cooperation.

    The point is to prevent broad access, informal access, bulk sharing, or secondary uses that bypass local democratic oversight.

    What a stronger local rule could require

    A stronger Bend policy would require:

    • case-specific legal process for outside-agency access,
    • written City authorization before sharing,
    • a documented purpose for every request,
    • a case number or incident number when applicable,
    • logs showing what was shared and with whom,
    • limits on vendor access and subcontractor access,
    • prohibitions on bulk or informal sharing,
    • clear retention limits after data is shared, and
    • annual public reporting in aggregate form.

    These safeguards would not prevent legitimate public safety work.

    They would make sure powerful data-sharing systems answer to public rules.

    The basic principle

    Local surveillance data should not become outside-agency data by default.

    If Bend collects police technology data, the City should clearly define who can access it, when it can be shared, how sharing is approved, how access is logged, and how the public can verify that the rules are being followed.

    The solution is not complicated:

    No broad sharing. No informal access. No vendor black boxes. No federal access without case-specific process. Public reporting every year.

    That is how local control becomes real.

    Further reading

    Series links

  • ALPRs: License Plate Scans Are Location Records

    ALPRs: License Plate Scans Are Location Records

    Part 6 of the Bend Surveillance Oversight series.

    An automated license plate reader does not just capture a plate number.

    It creates a time-and-place record.

    And when many scans are collected over time, those records can reveal patterns about where a vehicle has been, when it was there, and how often it appeared in certain places.

    That is why ALPR data should be treated as location data.

    It is not “just a plate.”

    It is a record of movement.

    What an ALPR scan actually records

    An ALPR system typically captures:

    • the license plate number,
    • the date and time of the scan,
    • the location of the camera,
    • an image of the plate or vehicle, and sometimes
    • additional metadata about the scan.

    One scan by itself may not say much.

    But multiple scans over time can create a much richer picture.

    If a vehicle is scanned near a home, workplace, school, clinic, place of worship, political event, protest, or support meeting, the scans may reveal sensitive patterns about a person’s life.

    That is why ALPR data deserves careful limits.

    Patterns matter more than single scans

    The privacy issue is not only the plate number.

    The privacy issue is the pattern.

    A series of scans can show where a vehicle travels, how often it visits certain places, what route it takes, when it leaves, when it returns, and whether those movements change over time.

    That is a form of location tracking.

    Even if each individual scan appears routine, the system as a whole can become highly revealing.

    That is why retention periods, search rules, and sharing rules matter so much.

    This post does not claim Bend currently uses fixed ALPR technology

    This post does not claim that Bend currently uses fixed automated license plate reader technology.

    The point is broader: if Bend adopts fixed ALPRs in the future, or if related systems create similar location records, the City should have clear rules in place before deployment.

    Oversight should come first, not later.

    Short retention should be the default

    If ALPR data is retained for long periods, it becomes easier to reconstruct a person’s travel history.

    The longer the data is kept, the more it can be searched, shared, or misused later.

    A reasonable rule would be:

    Delete ALPR scans quickly unless they are tied to a legitimate, documented case.

    I would support a default retention period as short as 72 hours unless the scan is associated with a specific investigative need such as a stolen vehicle, warrant hit, active case, or clearly documented law enforcement purpose.

    That kind of rule allows legitimate use while reducing unnecessary long-term accumulation.

    Every search should be logged

    If ALPR data can be searched, every search should leave a record.

    That record should show:

    • who conducted the search,
    • when it was conducted,
    • what plate or data was searched,
    • the case number or incident number,
    • the reason for the search, and
    • whether the results were shared.

    Without logs, the public has to trust that the system is being used properly.

    With logs, the City can verify that the rules are being followed.

    Sharing should be limited and documented

    ALPR data should not flow freely to outside agencies, vendors, private companies, or federal systems without clear public rules.

    A strong policy would require:

    • a specific legal basis for sharing,
    • a documented case-related purpose,
    • written authorization,
    • an auditable record of what was shared and with whom, and
    • clear limits on bulk or informal access.

    The issue is not whether legitimate case-specific sharing can occur.

    The issue is whether local location data becomes broadly accessible by default.

    Public reports build trust

    If Bend ever uses ALPRs, the City should publish annual public reports showing:

    • how many cameras or systems were used,
    • how many scans were collected,
    • how long data was retained,
    • how many searches were conducted,
    • how many shares occurred,
    • how many outside-agency requests were received,
    • how many requests were granted or denied, and
    • whether any misuse or policy violations were found.

    These reports do not need to expose sensitive investigative details.

    They should provide enough information for residents and elected officials to understand how the system is working.

    The basic principle

    An ALPR scan is not just a plate number.

    It is a location record.

    And location records deserve strong safeguards.

    Short retention. Logged searches. Clear sharing limits. Public oversight.

    Those are not extreme demands.

    They are basic rules for a powerful system.

    Further reading

    Series links