SACRAMENTO – Solidifying concerns raised by civil liberty groups, California’s state auditor said Thursday that law enforcement agencies including the Los Angeles Police Department have flouted privacy laws meant to ensure that license plate photos captured by automated cameras aren’t abused and are safeguarded from hackers.

Prying into four major local law enforcement agencies’ use of the technology, state auditor Elaine Howle found each is accumulating massive numbers of photos of cars not tied to crimes and that two agencies are building individual profiles by adding names and addresses to the photos. Furthermore, Howle says the agencies haven’t fully complied with a 2015 privacy law and have left Californians’ privacy “open to abuse.”

“Instead, the agencies have conducted little to no auditing and monitoring and thus have no assurance that misuse has not occurred,” the audit states.

Most California law enforcement agencies widely use the technology, including the targets of the audit – LAPD, Sacramento County Sheriff’s Office, Fresno Police Department and Marin County Sheriff’s Office.

Fastened to light poles at busy intersections, bridges and police cars, the network of cameras captures thousands of photographs of license plates per minute that are sent to a searchable database. Agencies view the technology as an important crime-fighting tool that helps them not just recover stolen vehicles but also solve a variety of different crimes.

But in recent years, groups like the American Civil Liberties Union and the Electronic Frontier Foundation have raised concerns about how the license plate photos data is being stored and used, particularly data gathered from people not involved in a crime. The groups have pushed lawmakers around the country to adopt laws regulating the burgeoning technology and helped pass a 2015 California law.

Under Senate Bill 34, public agencies using the technology are required to adopt usage and privacy policies that describe why they are using the data, who is authorized to collect and access the data, how long the data will be stored and how it will be monitored. California has also enacted legislation limiting how law enforcement agencies can share data for immigration enforcement purposes.

But Howle says the four agencies haven’t adopted sufficient plans and worse, LAPD doesn’t even have a policy on its books. According to Howle, LAPD has accumulated 320 million images over the years, 99.9% involving vehicles that weren’t on the department’s stolen list.

“In fact, Los Angeles has not developed [a policy] at all,” Howle said. “The other three agencies did not completely or clearly specify who has system access, who has system oversight, or how to destroy ALPR data. Their poorly developed and incomplete policies contributed to the agencies’ failure to implement ALPR programs that reflect the privacy principles in SB 34.”

Sacramento, Fresno and Marin agencies have adopted some sort of policy, yet Howle found the agencies aren’t monitoring to make sure only authorized users are entering the database.

And as the popularity of the technology has exploded, so has the sharing of data between law enforcement agencies. For example, the audit found Fresno and Marin share their images with hundreds of entities and Sacramento more than a thousand.

California law only allows law enforcement agencies to share license plate data with public agencies, but again Howle says she isn’t convinced they are validating whether an outside agency is a worthy trade partner.

“However, we did not find evidence that the agencies had always determined whether an entity receiving shared images had a right and a need to access the images or even that the entity was a public agency,” the biting audit continues.

The ACLU of Northern California called the audit a “bombshell” and confirmation of its longstanding privacy concerns.

“Police are recklessly using surveillance devices like ALPRs with little to no understanding of the consequences or input from the public,” said ACLU technology attorney Matt Cagle.

While LAPD does not yet have an official policy, it responded that its protocol is to retain images for at least five years. Sacramento and Marin’s policies call for two-year retention and one year for Fresno. State law does not limit or specify retention periods for the license plate data on local agencies, although the California Highway Patrol is limited to 60 days.

The audit also criticized the agencies for not making sure their cloud storage vendors are fit to protect the valuable data pulled from Californians.

“Moreover, none of the contracts these three agencies have with their cloud storage vendors include all necessary data security safeguards. Thus, the agencies lack guarantees that the cloud vendor will provide appropriate protection of their data,” Howle warned.

Howle recommends lawmakers require the state Department of Justice to create a template for local agencies to use when enacting safeguards for license plate photos, and establish a maximum data retention period. They should also codify how and when audits should be performed on the agencies’ license plate reader policies.

Fresno said it will take Howle’s findings and use them to “build trust in its community,” and LAPD said it’s working toward complying with the state law and believes it “has policies in place to safeguard information.” Marin and Sacramento said they disagreed with parts of the audit but have begun considering and implementing others.

The audit was prompted by a request from state Sen. Scott Wiener, D-San Francisco, who was worried about the possibility of the technology being used to help U.S. Immigration and Customs Enforcement. He said the audit proves “significant cause for alarm” and that he is working on new legislation to improve oversight over the technology.

“The audit findings are deeply disturbing and confirm our worst fears about the misuse of this data,” Wiener said in a statement. “What we’ve learned today is that many law enforcement agencies are violating state law, are retaining personal data for lengthy periods of time and are disseminating this personal data broadly.”