The Albuquerque Police Department (APD), with the help of private companies, built a large and sophisticated intelligence gathering operation. One company is slowly building a database of every license plate in the United States. Another has clients that include neo-Nazi and white supremacist websites, and more than a half dozen groups listed as terrorist organizations by the U.S. Department of State. A third sells its surveillance technology to authoritarian regimes that use it as part of investigations that include torture. A fourth is partly owned by the Central Intelligence Agency (CIA). And a fifth, as we previously reported, is linked to a company investigated by the New Mexico Attorney General for hosting child pornography on its servers.
The private companies that sell surveillance hardware, software, and database access to APD store all of APD’s data on their own servers and aggregate it with the data from police and, in some cases, private-sector clients. The servers of all of these companies have been hacked by both the National Security Agency (NSA) and the group Anonymous.
While this pattern of vendor-based surveillance and police-private sector data sharing is not unusual among U.S. police departments, APD’s surveillance program is more extensive, and its technology more sophisticated, than those of most departments. It spent nearly half a million dollars to purchase ShotSpotter microphones to listen for gunshots. It has cameras that capture license plates and a subscription to a private database that holds billions of plate numbers. It has held software subscriptions from two companies that let it monitor, analyze, and geo-locate social media posts and users. It uses Stingray devices that mimic cell towers to capture cell phone calls and texts. It deploys Universal Forensic Extraction Devices from a company called CelleBrite to hack into cell phones or laptops with cables or remotely by Bluetooth. Its nearly 300 city-owned cameras link up with over 1,500 private camera networks throughout the city in a network that provides real-time streaming video of the streets, from hundreds of retail stores, ATMs, private residences, and college campuses. It has two-way data sharing agreements with federal agencies, including the Department of Homeland Security and the Federal Bureau of Investigation, that provide access to federal domestic terror lists and databases for facial recognition and fingerprint analysis. It subscribes to massive privately-owned databases. It coordinates all of this intelligence gathering from a state-of-the-art Real Time Crime Center (RTCC) that cost a million dollars to build and is staffed by analysts working on over a dozen 55-inch video terminals linked to a main data center by a 10-gigabit ethernet connection. As we reported in two recent articles, APD maintains an enormous retail data gathering and intelligence operation known as ARAPA in which thousands of private citizens upload information related to suspected retail or property crime to APD on a secure website.
The BlueLeaks documents show that APD provides federal immigration police and other federal agents access to this database, despite public claims that it doesn’t, in a pattern that violates the city’s Sanctuary policy, avoids judicial review, and skirts community oversight.
According to purchase orders, leaked documents, and a source who worked at APD and requested anonymity, APD has built its surveillance network through purchases and contracts, and with vendors investigated for a variety of criminal charges. Despite this, according to our source, APD can’t analyze any of the data it collects with these surveillance devices and tools “unless a vendor does it for them.” The New Mexico Legislative Finance Committee evaluated APD data management practices in 2018 and concluded that “the predictive analytic and hotspot identification [at APD] go unused.” It “found no evidence” APD analyzes any of the data it collects, or even so much as uses “tools available in the RTCC that employ predictive capabilities for crime.”
APD purchases surveillance technology, annual software subscriptions, and data analysis services from a number of private vendors. APD’s value to these vendors, however, is found not in the money they receive for devices or from subscriptions, but in the data they collect from APD. Private companies sell APD powerful surveillance tools that police use to gather information. In return, these vendors collect and aggregate this intelligence and store it on their own private servers.
Social Media Surveillance
When APD launched the RTCC, it publicized its new subscription-based social media surveillance and analysis capacity. APD used the software of a company called Snaptrends to monitor and geolocate social media users. The software included the capacity to extract information from individual social media accounts that would have required a warrant to access directly. From 2015 to 2016, according to financial records we reviewed, APD made $14,300 in two different software subscription payments to Snaptrends. This subscription gave APD the capacity to set up “undercover accounts” to bypass Facebook and Twitter privacy rules. APD ran all the data and intelligence it gathered through the Snaptrends user interface, as required by the subscription. In turn, Snaptrends filtered this data through a cybersecurity firm called Cloudflare, which provides cybersecurity for APD, and previously did for the neo-Nazi website The Daily Stormer and the white supremacist message board 8chan. The Huffington Post reported that Cloudflare’s clients included seven groups identified as terrorist organizations by the U.S. Department of State.
APD ended its subscription with Snaptrends after both Twitter and Facebook suspended their data agreements with the company. APD then turned to Geofeedia, a company that started with seed funding from the CIA’s venture capital fund In-Q-Tel. APD paid $11,000 for a Geofeedia subscription about the same time the American Civil Liberties Union released a report showing that Baltimore police, with the help of Geofeedia employees, used Geofeedia to identify and arrest people during the protests that followed the police killing of Freddie Gray. In February 2020, Twitter and Facebook ended their data and programming agreements with Geofeedia after Facebook told The Daily Dot, a tech news website, that it terminated the contract because they were “using its [application programming interface] in ways that exceeded the purposes for which they were provided.”
Snaptrends and Geofeedia are no longer available to APD, but the intelligence and data that APD collected with their software remain in the hands of both companies. In June of this year, Eric Klasson, CEO of Snaptrends, filed papers in Texas to change the name of Snaptrends to Pandemic Insights, a business whose only current asset is the data and intelligence it aggregated from APD and other police clients.
APD Denies It Uses Cell Phone Hacking Devices
APD not only has the capacity to monitor what you do with your phone, but also what you store on it. In June of 2015, APD paid a third-party vendor called Insight Public Sector $9,362.16 to buy a Universal Forensic Extraction Device (UFED), a briefcase-sized phone and computer hacking kit manufactured by a company called CelleBrite. UFEDs let APD hack into nearly every model of phone or computer through a direct cable connection or by Bluetooth and extract SMS messages, call logs, browsing histories, photos, videos, and more, including deleted data. In September 2019, Nyvia Barraza, APD’s documents and records custodian, denied APD used UFEDs in response to a request for information about cell phone hacking at APD, claiming that no documents existed for such a program. A month later, in October of 2019, APD made a $7,700 subscription payment to CelleBrite. The deal gave CelleBrite access to APD data. A recent hack of CelleBrite demonstrates that it collects and aggregates the data of its clients (all of which are law enforcement agencies). The hack also revealed that CelleBrite works with police in Turkey, Russia and the United Arab Emirates, all of which use CelleBrite UFEDs to extract data from the devices of people their officers have tortured and even raped, according to an investigation by Amnesty International.
Police License Plate Readers, Private Databases
APD paid Vigilant Solutions, a company recently purchased by Motorola, $251,420 in two payments in July and August of this year for license plate readers, software, and access to Vigilant’s private database of license plates. APD uses the readers to collect license plates from cameras it mounts on fixed structures, patrol cruisers, and portable trailers. These readers are useless without access to Vigilant’s vast private database of license plates, which provides the means to make geo-locatable queries for nearly any license plate in the U.S. In 2016, The Atlantic reported that Vigilant’s database included more than two billion license plates, all of which are geocoded by location. It sells access to this database in subscriptions that it markets to private corporations and police agencies. In 2017, the Electronic Frontier Foundation released a report that showed that Vigilant acquires its license plates in multiple ways, including through agreements with private companies. In addition to police uploading information to Vigilant’s privately owned database, a California real estate company, for example, captured license plate numbers for Vigilant at California shopping centers. Each month, according to The Atlantic, Vigilant adds another 80 million license plates to its private database. In 2018, Business Insider reported that Vigilant signed a contract with Immigration and Customs Enforcement (ICE) in 2017, giving the agency access to its entire database. According to The Verge, nearly 10,000 ICE agents have access to these data. Albuquerque police have access to this database and also contribute to it, uploading the license plates that its readers collect directly to Vigilant’s database.
The online magazine GovTech confirmed in January of last year that ICE agents use the database “to find undocumented immigrants it is targeting for deportation.” The agreement between APD and Vigilant violates Albuquerque’s Sanctuary policy, which prohibits APD from cooperating with ICE in immigration policing, a policy it already violates through its agreement with another private vendor, Netsential.
Netsential and Albuquerque Police
Every surveillance operation or activity conducted by APD depends on the hardware or software of a private vendor, and every one of these contracts includes data sharing agreements. As we wrote last month, the BlueLeaks hack of police documents revealed that APD has paid thousands of dollars in annual subscription payments to a web design and web hosting company called Netsential from 2008 until just this past June. Netsential, a business composed of only three people, built hundreds of police websites, including the one that APD, retailers, and even private citizens use to upload retail and property crime intelligence. APD does this on a website that Netsential built with computer code so old that a cloud architect we talked to described it as the internet’s version of an antique. Hackers from Anonymous took advantage of this, breached its limited security, and extracted data from its servers, exposing APD’s data along with the data of 250 other police agencies and operations.
All of the sensitive personal and financial information and intelligence uploaded onto Netsential-built websites by thousands of Albuquerque retailers, hotel clerks, apartment managers, bank tellers, and neighborhood associations (names, addresses, photos, descriptions, tips, license plate numbers, and more) was stored by Netsential on the servers of a company called Data Foundry, which was recently investigated by the New Mexico Attorney General for hosting child pornography. Data Foundry held the data of hundreds of Netsential clients, all of which were police departments, Department of Homeland Security Fusion Centers, or interagency criminal justice task forces. And we know from documents Edward Snowden leaked in 2013 that the NSA hacked into Netsential and Data Foundry with a covert data mining tool known as BOUNDLESS INFORMANT. We also know from documents released by Distributed Denial of Secrets, the group that leaked the hacked BlueLeaks police data in June of this year, that the hacking group Anonymous targeted Netsential and Data Foundry. Netsential shut down following the hack, and it now appears not to have been a legitimate web services provider, and instead a front business for the aggregation of police data.
Few Legal Limits to Public-Private Policing and Intelligence Sharing
The U.S. Constitution’s Fourth Amendment limits police surveillance by shielding people from unreasonable searches. The law requires that police seek a court order by petitioning the court for a warrant to search based on probable cause. But APD’s surveillance tools and data sharing agreements with companies such as Netsential, Snaptrends, Geofeedia, Vigilant, and CelleBrite provide the opportunity for “unconstrained surveillance,” according to constitutional scholars. There are, in fact, few legal limits to data sharing between police and the private sector. As a result, Albuquerque police have been able to build a large and sophisticated surveillance operation through the use of game-changing surveillance tools. And private vendors have been able to build large databases of sensitive information gathered by police both with and without warrants that they aggregate with the data collected from hundreds of other police departments.
The federal Privacy Act of 1974 requires that databases that include individually identifying information be made available to the public and that people whose information is stored in federal databases have access to the information and have the ability to correct or amend the information within the database. But the law applies only to federal regulatory agencies, not local police or private vendors.
The BlueLeaks hack included documents that show Netsential may have violated New Mexico’s Data Breach Notification Act, NMSA 1978, Sections 57-12C-1 to -12 (2017) (DBNA). DBNA authorizes the New Mexico Attorney General to bring civil actions against private companies that expose the personal information of New Mexicans (Section 57-12C-11).
APD’s data agreements with Snaptrends and Geofeedia may violate New Mexico’s Electronic Communications Privacy Act (ECPA), NMSA 1978, Sections 10-16F-1 to -6 (2019, as amended through 2020). ECPA prohibits APD from accessing “electronic device information by means of physical interaction or electronic communication with the electronic device” without a warrant or wiretap order. Section 10-16F-3(C). The Snaptrends and Geofeedia software to which APD subscribed permitted the kind of warrantless remote access that the law prohibits. ECPA also requires that APD destroy any personal information it holds within 90 days unless it obtains a court order. Section 10-16F-3(H). The BlueLeaks documents show that APD has held some clearly prohibited personal information for more than a decade. APD’s user agreements and intelligence storage practices with private vendors may also place APD in violation of data sharing limits defined in the ECPA, which prohibits APD from sharing data with agencies or individuals outside of the purposes identified in a court order. Section 10-16F-3(J). APD does this routinely, as required by the contracts it has with private vendors. APD uploads data it collects in all of its surveillance programs on the websites of private vendors and stores these data on the servers of privately-owned data centers.
No federal or state law places any limit on this data sharing pattern, nor on the ability of private firms to monetize the police intelligence and information they aggregate. There are no federal or state laws that prohibit APD from purchasing intelligence from private vendors aggregated from other police agencies or from storing personally identifiable data on the servers of private vendors collected without a warrant. And New Mexico is the only state that expressly exempts government agencies from legal liability in data breaches of public information.
David Correia, Matteo MacDermant, and Ernesto Longa work with AbolishAPD, a research collective investigating the Albuquerque Police Department. They can be reached at AbolishAPD@protonmail.com and you can find all of their research at abolishapd.org