jonathanwestmoreland.com

Tag: Data Governance

  • Why Federal and Third-Party Sharing Matters

    Why Federal and Third-Party Sharing Matters

    Part 7 of the Bend Surveillance Oversight series.

    In the last post, I wrote about why ALPR scans are location records.

    A license plate reader does not just capture a plate number.

    It creates a record that a specific vehicle was seen at a specific place at a specific time.

    But there is a second question that matters just as much:

    Once a city collects surveillance data, does that data stay local?

    That question applies to ALPRs, body cameras, fleet cameras, drone video, real-time information platforms, traffic cameras, evidence systems, and other police technology.

    The concern is not only what Bend collects.

    The concern is who else can access it.

    Local data can become outside-agency data

    A resident may feel differently about local police using a tool for a specific local purpose than they do about that same data becoming available to state agencies, federal agencies, out-of-state agencies, fusion centers, private vendors, or other third parties.

    Public consent for one local use should not be treated as consent for every future use.

    That is why data-sharing rules should be explicit before technology expands.

    Local data should not become outside-agency data by default.

    The policy should be explicit

    Data-sharing rules should not be vague.

    A policy that says information may be shared “for law enforcement purposes” may sound reasonable, but it can be extremely broad.

    A stronger policy should say exactly:

    • who may access the data,
    • for what purpose,
    • under what legal authority,
    • with whose approval,
    • with what documentation,
    • for how long,
    • whether access is logged,
    • whether the public will receive aggregate reporting, and
    • whether the request can be denied.

    If the policy does not clearly prohibit broad sharing, residents cannot know where local surveillance data may eventually go.

    That uncertainty is the problem.

    Federal access requires special caution

    Federal access deserves special attention because federal priorities can change quickly.

    Local residents may support local public safety uses while objecting to unrelated federal uses, especially if those uses involve immigration enforcement, political activity, protests, reproductive health travel, religious activity, or other sensitive areas.

    A strong policy would say:

    Bend surveillance data may not be shared with federal agencies unless there is case-specific legal process, written City authorization, a documented local purpose, and an auditable record.

    That rule would not prevent lawful cooperation in a serious case.

    It would prevent broad, informal, or routine access.

    Vendor access is also third-party access

    Third-party sharing is not only about government agencies.

    Vendors are third parties too.

    If a private company hosts police data, maintains the software, provides analytics, troubleshoots systems, stores video, processes license plate reads, or manages user access, that company may have some level of technical access to the system.

    That access should be limited, logged, and auditable.

    Vendor access should never be a black box.

    Contracts should clearly define when a vendor can access data, what the vendor can do with it, whether subcontractors are involved, whether data can be used for product development or AI training, and how the City verifies compliance.

    Outside sharing can create long-term consequences

    Once data leaves a local system, it may be harder to control.

    It may be copied, retained, searched again, combined with other databases, or used for purposes residents never debated locally.

    That is why sharing limits need to be set before sharing occurs.

    The point is not to block legitimate, case-specific cooperation.

    The point is to prevent broad access, informal access, bulk sharing, or secondary uses that bypass local democratic oversight.

    What a stronger local rule could require

    A stronger Bend policy would require:

    • case-specific legal process for outside-agency access,
    • written City authorization before sharing,
    • a documented purpose for every request,
    • a case number or incident number when applicable,
    • logs showing what was shared and with whom,
    • limits on vendor access and subcontractor access,
    • prohibitions on bulk or informal sharing,
    • clear retention limits after data is shared, and
    • annual public reporting in aggregate form.

    These safeguards would not prevent legitimate public safety work.

    They would make sure powerful data-sharing systems answer to public rules.

    The basic principle

    Local surveillance data should not become outside-agency data by default.

    If Bend collects police technology data, the City should clearly define who can access it, when it can be shared, how sharing is approved, how access is logged, and how the public can verify that the rules are being followed.

    The solution is not complicated:

    No broad sharing. No informal access. No vendor black boxes. No federal access without case-specific process. Public reporting every year.

    That is how local control becomes real.

    Further reading

    Series links

  • ALPR Oversight Is a Democracy Issue

    Signals & Safeguards — A standalone civic-oversight post on license plate readers, public consent, federal access, and the safeguards local governments should require before surveillance networks become hard to unwind.

    ALPR oversight is becoming a democracy issue

    The strongest surveillance story this week is not one camera system by itself. It is the fight over who gets to approve, search, share, and shut down a network once it is already in place.

    Automatic license plate readers, often called ALPRs, are usually introduced as practical public-safety tools. Police agencies point to stolen-vehicle recovery, suspect identification, Amber Alerts, and serious investigations. Those uses can be real. But the democratic problem begins when a system that looks like a set of cameras turns into a searchable movement database shared across agencies, jurisdictions, vendors, and sometimes federal systems.

    That is why the key question is no longer simply, “Do these cameras help police?” The better question is: who controls the system once it exists?

    When public consent breaks down

    In Troy, New York, a dispute over Flock license plate readers escalated after residents objected to cameras installed without meaningful public input, the City Council voted to end the program, and the mayor declared a state of emergency to keep the cameras operating. The fight became larger than Flock: it became a dispute over emergency authority, public consent, and whether elected bodies can still control surveillance systems once public-safety claims are used to preserve them.

    That should concern any community considering ALPRs or similar systems. If ordinary approval channels can be bypassed, delayed, or overridden after cameras are installed, then the public debate happens too late. The technology gains institutional momentum before the rules are settled.

    The democracy issue: surveillance systems should not go live first and receive public rules later.

    Once a camera network is installed, agencies, vendors, and outside partners may develop expectations around continued access. That makes it politically and operationally harder for elected officials to narrow, pause, or end the system.

    The pattern is spreading

    The pattern is appearing elsewhere. In Cleveland and nearby communities, residents and advocates are challenging Flock deployments over privacy, immigration-enforcement access, and uncertainty about who can search the system. In Bend, The Source Weekly reported that federal immigration officials made 279 queries into Bend’s Flock Safety data in the first three weeks after the cameras went live, and Bend Police reportedly did not authorize those searches.

    That Bend example matters because it shows how quickly the debate can move from “Should we install cameras?” to “Who searched the data, why, under what authority, and what did they see?” A local system may be approved for local purposes, but the practical risk is that local vehicle-location data becomes useful to agencies far beyond the community that generated it.

    The federal layer changes the stakes

    The federal layer makes the issue sharper. Reporting from 404 Media says the FBI wants to buy nationwide access to license plate reader data. If local and private cameras can become part of a national movement-search network, then approving a few cameras is not only a local equipment decision. It is a decision about whether local vehicle-location data can become searchable far beyond the community that generated it.

    That does not mean every ALPR deployment is the same, or that every agency intends to misuse the system. It means the rules must be written for the system’s real capabilities, not only for its best-case sales pitch.

    Public safety and public oversight are not opposites

    The public-safety case should not be dismissed. ALPRs can help find stolen vehicles, locate suspects, and respond to serious threats. But that is exactly why governance has to come first. A system useful enough to solve crimes is also useful enough to misuse, over-share, or repurpose.

    Good oversight does not require pretending the technology has no value. It requires acknowledging that useful tools can still create serious risks when access is broad, retention is long, audit logs are weak, vendor permissions are unclear, or outside-agency sharing is treated as a default instead of an exception.

    Why it matters for Bend

    Why it matters for Bend: Bend has already seen how quickly the question can move from “Should we install cameras?” to “Who searched the data, why, and what did they see?” Bend and Redmond are also working through automated traffic-enforcement systems, which are not the same as ALPRs but raise overlapping questions about vendors, retention, access, audit logs, public notice, error correction, and repurposing.

    Traffic cameras, retail ALPRs, police ALPRs, and connected-vehicle data are not identical systems. But they all point toward the same local-governance challenge: ordinary movement is becoming easier to capture, store, search, and share. Communities need clear rules before those records become too convenient to give up.

    “The liberty of every man is at the mercy of every petty officer.”— James Otis, arguing against writs of assistance (1761)

    Safeguards local officials should require

    Before approving, renewing, expanding, or continuing an ALPR program, public officials should require written rules that answer the basic governance questions up front:

    • Purpose limits: define exactly what the system may and may not be used for.
    • Access limits: identify who can search the system and whether outside agencies can access it.
    • Federal-access rules: state whether federal or immigration-enforcement searches are allowed, blocked, or require a specific legal process.
    • Short retention: automatically delete plate data quickly unless it is tied to a documented investigation.
    • Search documentation: require a case number, purpose, user identity, and timestamp for every search.
    • Exportable audit logs: make logs available for independent review, public reporting, and investigation of misuse.
    • Vendor restrictions: define vendor access, support access, data use, training use, subcontractors, and breach obligations.
    • Public reporting: publish regular transparency reports showing searches, outside-agency access, hits, false positives, retention, and policy violations.
    • Democratic review: require council approval before expansion, new integrations, new sharing relationships, or emergency continuation.

    Bottom line: ALPR oversight is becoming a democracy issue because the most important decision is not only whether cameras exist. It is whether the public, through elected officials and enforceable rules, still controls how movement data is searched, shared, retained, audited, and shut down.

  • Police-Tech Vendors Are Becoming Public-Safety Platforms

    Why platform contracts require ongoing oversight

    Body cameras, TASERs, evidence storage, drones, AI tools, analytics, and report-writing software are increasingly being bundled into long-term public-safety platforms. That changes what local oversight has to look like.

    Core issue: Public agencies are no longer just buying individual police tools. They are often entering long-term platform relationships where today’s contract can shape tomorrow’s data access, AI features, evidence workflows, analytics, storage, integrations, and switching costs.

    Axon is no longer just a TASER and body-camera vendor. Its own Q1 2026 financials show a public-safety platform business built around hardware, software, cloud evidence storage, AI tools, analytics, subscriptions, drones, real-time operations, and long-term agency relationships. Axon reported Q1 2026 revenue of $807 million, up 34% year over year.

    That platform model is showing up in public contracts. Baltimore approved a $153 million Axon agreement for body-worn cameras, TASERs, and other public-safety tools, while some city leaders questioned whether the agreement was the best deal for taxpayers. Savannah approved a 10-year, $27 million Axon agreement. Connecticut State Police rolled out upgraded TASERs, body-worn cameras, AI translation capabilities, VR training, drones, and evidence-management tools as part of a broader modernization package.

    Those examples matter because they show how police technology is becoming a bundle: hardware, cloud storage, evidence systems, report workflows, analytics, AI features, training tools, subscriptions, and future upgrades. The public may hear “body cameras” or “TASERs,” but the contract can also shape data access, retention, search tools, audit logs, and the agency’s ability to leave later.

    Investors have noticed the same shift. Business Insider reported that an Axon pitch at the Sohn conference emphasized AI tools such as automated police-report drafting from body-camera footage. That is a market signal: public-safety data, AI workflows, and subscription platforms are becoming part of the growth story.

    Why the platform model changes oversight

    When a city buys a single device, oversight can focus on that device: what it does, who uses it, and how it is maintained. But a platform is different. A platform can expand over time. New features can be added. Workflows can change. Data can be connected across systems. A contract that starts as a body-camera or TASER purchase can become a broader operational environment for evidence management, report writing, analytics, training, records, drones, and real-time response.

    That does not make every feature harmful. Some tools may improve officer safety, evidence handling, language access, disclosure, or administrative efficiency. But the public needs to understand the tradeoff: each added feature can create new questions about data collection, access permissions, audit logs, retention, vendor access, system dependencies, and whether elected officials will be asked to approve meaningful changes before they happen.

    The safeguard question is not simply “Should the agency buy the tool?” It is also: what future capabilities does this platform make possible, who can enable them, and what public process is required before they are used?

    What local officials should ask before approving or renewing a police-tech platform

    • Feature scope: Which tools are included now, which are disabled, and which can be enabled later without a new public vote?
    • AI and analytics: Are report-writing, transcription, translation, facial recognition, object recognition, predictive analytics, or other AI-assisted tools included or available as add-ons?
    • Data storage: What data enters the vendor’s cloud systems, where is it stored, and how long is it retained?
    • Access controls: Who has administrator access, who can search records, and can access be limited by role, case type, unit, or investigation status?
    • Audit logs: Are searches, views, exports, deletions, administrator changes, and vendor-support access logged in a way the agency can export and review?
    • Vendor access: Can vendor employees access agency data for support, product development, testing, demos, analytics, or AI model improvement?
    • Data sharing: Can outside agencies, task forces, prosecutors, federal agencies, or private partners access the platform or receive exports?
    • Exit rights: If the city leaves the platform, can it export complete evidence records, metadata, audit logs, retention schedules, and chain-of-custody information in a usable format?

    Why it matters for Bend

    Axon-style contracts should be reviewed as evolving governance systems, not static equipment purchases. Council and staff should know which features are enabled, who has administrator access, what data moves into vendor cloud systems, and whether new AI or analytics tools can be added without a fresh public discussion.

    That review should not stop at the purchase vote. A police-tech platform can change through software releases, configuration changes, integrations, add-on modules, and new agency workflows. For major public-safety platforms, the better oversight model is continuing review: regular reporting on enabled features, access settings, audit-log exports, retention changes, vendor access, and any new AI or analytics tools.

    Practical safeguard: Require a quarterly platform change log for major police-tech systems. The log should identify major software releases, enabled or deferred features, AI or analytics tools, search changes, evidence-workflow changes, access-control changes, administrator roles, vendor access, audit-log export capability, retention changes, and new sharing relationships.

    Bottom line

    For public officials, procurement is no longer simply “buying a tool.” It can mean entering a long-term platform relationship where today’s contract shapes tomorrow’s data access, integrations, AI features, analytics, storage, and switching costs. That does not mean cities should reject every new public-safety technology. It means the public rules need to be as durable and adaptable as the technology itself.

    Police technology should be judged not only by what it promises on day one, but by what it allows on day 500: who can search, who can share, who can change the settings, who can audit the system, and who can prove whether the public’s limits were actually followed.

    “No man is allowed to be a judge in his own cause, because his interest would certainly bias his judgment, and, not improbably, corrupt his integrity.”— James Madison, Federalist No. 10 (1787)